[dtn-security] Re(2): Implementing Security Destinations in DTN2

Peter Lovell <plovell@mac.com> Sun, 23 September 2012 01:22 UTC

Return-Path: <plovell@mac.com>
X-Original-To: dtn-security@ietfa.amsl.com
Delivered-To: dtn-security@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1E5B21F8512 for <dtn-security@ietfa.amsl.com>; Sat, 22 Sep 2012 18:22:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WX8xCGq0h+5l for <dtn-security@ietfa.amsl.com>; Sat, 22 Sep 2012 18:22:18 -0700 (PDT)
Received: from st11p00mm-asmtp004.mac.com (st11p00mm-asmtpout004.mac.com [17.172.81.3]) by ietfa.amsl.com (Postfix) with ESMTP id C849621F84D5 for <dtn-security@irtf.org>; Sat, 22 Sep 2012 18:22:18 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Received: from [192.168.1.98] (pool-96-255-127-40.washdc.fios.verizon.net [96.255.127.40]) by st11p00mm-asmtp004.mac.com (Oracle Communications Messaging Server 7u4-23.01(7.0.4.23.0) 64bit (built Aug 10 2011)) with ESMTPSA id <0MAS005J53T20F80@st11p00mm-asmtp004.mac.com> for dtn-security@irtf.org; Sun, 23 Sep 2012 01:22:18 +0000 (GMT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.7.7855, 1.0.431, 0.0.0000 definitions=2012-09-22_04:2012-09-21, 2012-09-22, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=6.0.2-1203120001 definitions=main-1209220381
From: Peter Lovell <plovell@mac.com>
To: ahennes1@math.umd.edu, Scott Burleigh <scott.c.burleigh@jpl.nasa.gov>
Date: Sat, 22 Sep 2012 21:22:12 -0400
Message-id: <20120923012212.319238544@smtp.mail.me.com>
In-reply-to: <6af37e4869b76826d4d2108e3eef82b3.squirrel@webmail.math.umd.edu>
References: <2665b4bca07d1e0d3d9de88844cc02e9.squirrel@webmail.math.umd.edu> <20120904172458.1767559740@smtp.mail.me.com> <A5BEAD028815CB40A32A5669CF737C3B0D72DE@ap-embx-sp20.RES.AD.JPL> <6af37e4869b76826d4d2108e3eef82b3.squirrel@webmail.math.umd.edu>
X-Mailer: CTM PowerMail version 6.1.3 build 4650 English (intel) <http://www.ctmdev.com>
Cc: dtn-security@irtf.org
Subject: [dtn-security] Re(2): Implementing Security Destinations in DTN2
X-BeenThere: dtn-security@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The Delay-Tolerant Networking Research Group \(DTNRG\) - Security." <dtn-security.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/dtn-security>, <mailto:dtn-security-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/dtn-security>
List-Post: <mailto:dtn-security@irtf.org>
List-Help: <mailto:dtn-security-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/dtn-security>, <mailto:dtn-security-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Sep 2012 01:22:20 -0000

Hi Scott and Angela,

I said some messages ago that I hadn't thought about this too much but expected it to "just work".

I've thought about it some more, and the more I do, the less attractive it is. The scenario I had in mind with my earlier comment is a suitable one but unfortunately it's about the only one.

Let me first set some context to help my description. Assume we have a DTN

  S  --  GA  -- I1  --  I2  --  GB  --  D
                    \        /          |
                     \- I3  --  GC  --  E


S and D are source and destination on controlled-access networks
E is a node on another controlled-access network, with a slow link to D
GA, GB and GC are gateway devices between those networks and an open network
I1, I2 and I3 are intermediate nodes in the open network

Assume also that there may be alternate, but similar, paths between S and D.

If GA's security rules require traffic to D to be protected across the open network, it will encrypt it using PCB with GB as security-dest. It will use GB as security-dest, rather than D, because it doesn't want the keys to be distributed any more widely than necessary. I realize that cool key-distribution schemes can ameliorate this problem but I'm imagining this to be a network subject to delays and/or bandwidth constraints, so GA and GB have been established with paired keys. GA also has a GA-GC keypair for sending bundles to E.

In this scenario, the bundle from S, gatewayed though GA must be sent via GB so it can be decrypted there and sent on its way. If node I1 finds that node I2 is slow/down/whatever, it might decide to route the bundle through I3. I3 does not know the details of the controlled-access networks but knows that GC can get it to D. So I3 sends it that way and the bundle arrives at D, still encrypted.

A good solution for this problem is for GA to specify GB as the [temporary] bundle-dest so that I1/I2/I3 will be forced to route it there. This obviously requires that GA save the real bundle-dest somewhere TBD so that GB can restore it. This will work even in the case of super-encryption, as the PCB nesting rules force the push/pop operations to be match correctly. So the idea works well for this case.

Thinking now about PIB, it seems to me that the public key needed to verify the bundle will not be very secret. In fact, I have yet to be convinced of any utility at all for a specific security-dest in the case of PIB. Any intermediate node should be able to verify the integrity of a bundle.

So now let's think about ESBs. For the reason mentioned above, an integrity check on an extension block seems to be a non-issue -- any node should be able to verify integrity. Which leaves the matter of confidentiality for an extension block. Now, I see the issue of confidentiality for an extension block as quite separate from that for the payload. Over the years we've discussed various scenarios where routing and search actions might be performed on metadata, so that some metadata would be available through keys that were known more widely than those for the payload. For example, metadata might indicate that the payload was a map covering certain coordinates. Another metadata items might specify the times for which the map was valid. And the map payload would indicate the various unit dispositions at that time. The "coordinates" key might have broad distribution, the "time" key be more restricted and the payload key the most closely-held.

But now I wonder about just what meaning we should attach to "security-dest" for an encryption ESB. In the scenario above, I would not expect that the ESB would ever be decrypted and the clear-text content be stored back in the bundle. Instead, it would be decrypted for immediate use but remain unchanged in the bundle.

I'm sure there are other planned uses for extension blocks and it would be a help if we can craft a few sample use cases so we can think more fruitfully about this problem. This would really help, because I'm imagining horror scenarios where various nodes add an ESB and push the bundle-dest and the bundle routing suddenly goes very, very bad. PCB is OK because there's only one payload, and onion-layering enforces nesting. That's not the case for ESBs so things could go bad.

To go back to Scott's comment - it does make sense if we can have some controls and sequencing on it. The push/pop scheme must have a single list and clearly-defined rules, and that means that PCB can't be allowed to do it on its own (unless it's forbidden to all others - not a good proposal).

Doing anything of this kind will certainly require changes to 5050. I have heard occasional rumblings that there might be a revision to it so let's think about what we might want/need, and be ready with well-considered proposals.

Regards.....Peter



On Thu, Sep 12, 2013, ahennes1@math.umd.edu <ahennes1@math.umd.edu> wrote:

>I think this push/pop idea makes the most sense of anything we've talked
>about. It seems like it would require some modification to the spec,
>however, and maybe a flag to set when the bundle-dest is being stored
>somewhere.
>
>
>Thanks,
>Angela
>
>> Actually ION exercises something like this push/pop mechanism, internally,
>> in route computation, and I suspect other implementations do it as well:
>> in the course of computing the route to the final destination, the
>> forwarder may select an interim endpoint to forward the bundle to and may
>> then re-enter route computation in order to figure out how to route the
>> bundle to that interim endpoint.  So long as all the routers along the
>> path follow the same strategy, there's no need to record the interim
>> endpoint in the bundle; it's an internal procedure.
>>
>> None of the ION forwarders currently pay attention to security
>> destinations when computing routes, so security destinations are never
>> chosen as interim endpoints, but that modification seems plausible.  You'd
>> want to be sure that the block citing a given security destination was
>> always removed as soon as the bundle arrives at that destination, though,
>> and we would want some sort of extension block ordering convention (or
>> whatever) for nesting security destinations in a standardized way.
>>
>> Scott
>>
>> -----Original Message-----
>> From: dtn-security-bounces@irtf.org [mailto:dtn-security-bounces@irtf.org]
>> On Behalf Of Peter Lovell
>> Sent: Tuesday, September 04, 2012 10:25 AM
>> To: ahennes1@math.umd.edu; dtn-security@irtf.org
>> Subject: Re: [dtn-security] Implementing Security Destinations in DTN2
>>
>>>We're working on adding support for defining security
>>>source/destinations in DTN2 (which could be different than the bundle
>>> src/dest).
>>>
>>>This raised the issue of whether or not we should route the bundle to
>>>the security destination (if defined), rather than the bundle
>>>destination. If we don't route the bundle through the security dest,
>>>then it may be discarded at the bundle dest if it did not pass through
>>>the security dest in transit.
>>>
>>>There are also some practical issues that are raised. There can be a
>>>security destination for PIB/PCB, and a (possibly different) security
>>>dest for ESB, and we'd have to decide which one to choose.
>>>
>>>Also, the routers in DTN2 access the bundle destination themselves, i.e.
>>>bundle->dest(). They would each have to be corrected to use some other
>>>value.
>>>
>>
>>
>> Hi Angela,
>>
>> a problem indeed!  We did discuss this during development of BSP ...
>>
>>>Specification of a security-destination other than the bundle-
>>>destination creates a routing requirement that the bundle somehow be
>>>directed to the security-destination node on its way to the final
>>>destination.  This requirement is presently private to the ciphersuite,
>>>since routing nodes are not required to implement security processing.
>>
>> At one point I suggested that addition of PCB should adjust the
>> bundle-dest to be the new security-dest, saving the previous bundle-dest
>> for later restoration. This would certainly cause the bundle to be
>> properly processed with regard to decryption. Although there might be
>> other side-effects, no-one proposed any, however the plan was not adopted.
>> The "nesting" characteristic of PCBs would mean that nodes were visited in
>> correct order in the case of super-encryption.
>>
>> I am not sure how this might interact with ESBs. I think that adopting the
>> same approach (use security-dest as bundle-dest, save bundle-dest for
>> later restoration) should work and produce a correct result. However I
>> will admit that I haven't pondered the ESB/PCB interaction very much. I
>> think it should "just work".
>>
>> There might be other ways to adjust routing to ensure that the bundle
>> visits the appropriate nodes. But those would require extensive changes to
>> both BP and routing schemes -- neither of which seem likely. So the
>> push/pop idea for bundle-dest seems to be the only realistic solution. Of
>> course, there needs to be an EID-ref maintained in an EID-list somewhere
>> so that dictionary compression/adjustment doesn't break things. That would
>> be something like the plan for the list in the ESB.
>>
>> Cheers.....Peter
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> dtn-security mailing list
>> dtn-security@irtf.org
>> https://www.irtf.org/mailman/listinfo/dtn-security
>>
>