Re: [dtn-security] Header Encryption

"Ivancic, William D. (GRC-RHN0)" <william.d.ivancic@nasa.gov> Fri, 17 July 2009 17:58 UTC

From: "Ivancic, William D. (GRC-RHN0)" <william.d.ivancic@nasa.gov>
To: Sushil Chaudhari <schaudhari@mzeal.com>, "dtn-security@maillists.intel-research.net" <dtn-security@maillists.intel-research.net>
Date: Fri, 17 Jul 2009 12:56:06 -0500

DTN header compression can be done similar to IPsec tunnel mode via first doing bundle-in-bundle and then encrypting the internal bundle using PCB of the BSP.  Basically you set a DTNsec tunnel mode.  I haven't done it, but that would be how one would do it.

IPsec is independent of DTN security.  If you want IPsec "for linux" use the tools I pointed to a few days ago.

IPsec Tools which get you SETKEY
The "IP" command on newer builds also has static key configuration capability.

There are about 4 IKEv2 implementations I am aware of.  My personal preference for what I needed was StrongSwan.

Have fun with security.  Remember - Security is the Ultimate Denial of Service and Security Breaks everything.

If you are trying to learn DTN, my recommendation is do it without security first.

/Will

>-----Original Message-----
>From: dtn-security-bounces@maillists.intel-research.net [mailto:dtn-
>security-bounces@maillists.intel-research.net] On Behalf Of Sushil
>Chaudhari
>Sent: Friday, July 17, 2009 12:02 PM
>To: dtn-security@maillists.intel-research.net
>Subject: Re: [dtn-security] Header Encryption
>
>Hi,
>
>We are using BSP and while observing bundles on Wireshark, the header
>seems to be unencrypted. Also as per draft-irtf-dtnrg-bundle-security-
>08, "every bundle must contain a primary block that contains the source
>and destination EID's that can not be encrypted"
>
>My question is,
>1. Do we have some method for header encryption?
>2. Can DTN2 be used with IPSEC? If not, do we need an additional
>convergence layer to support IPSEC?
>
>Thanks..