Re: [dtn-security] dtn-security Digest, Vol 9, Issue 4

"Burleigh, Scott C (313B)" <scott.c.burleigh@jpl.nasa.gov> Wed, 23 January 2013 19:05 UTC

Return-Path: <scott.c.burleigh@jpl.nasa.gov>
X-Original-To: dtn-security@ietfa.amsl.com
Delivered-To: dtn-security@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AFD121F8A4B for <dtn-security@ietfa.amsl.com>; Wed, 23 Jan 2013 11:05:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pfz9ZCGOu24N for <dtn-security@ietfa.amsl.com>; Wed, 23 Jan 2013 11:05:17 -0800 (PST)
Received: from mail.jpl.nasa.gov (smtp.jpl.nasa.gov [128.149.139.109]) by ietfa.amsl.com (Postfix) with ESMTP id 23D1D21F871C for <dtn-security@irtf.org>; Wed, 23 Jan 2013 11:05:17 -0800 (PST)
Received: from mail.jpl.nasa.gov (ap-ehub-sp02.jpl.nasa.gov [128.149.137.149]) by smtp.jpl.nasa.gov (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id r0NJ5E4h002199 (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits) verified NO) for <dtn-security@irtf.org>; Wed, 23 Jan 2013 11:05:15 -0800
Received: from AP-EMBX-SP40.RES.AD.JPL ([169.254.7.60]) by ap-ehub-sp02.RES.AD.JPL ([fe80::dd85:7b07:1e36:7e3c%15]) with mapi id 14.02.0318.001; Wed, 23 Jan 2013 11:05:15 -0800
From: "Burleigh, Scott C (313B)" <scott.c.burleigh@jpl.nasa.gov>
To: "dtn-security@irtf.org" <dtn-security@irtf.org>
Thread-Topic: [dtn-security] dtn-security Digest, Vol 9, Issue 4
Thread-Index: AQHN+ZPuFbqQaeuxFUeSJ76vVDa5BphXOFZQ
Date: Wed, 23 Jan 2013 19:05:13 +0000
Message-ID: <A5BEAD028815CB40A32A5669CF737C3B23570D7D@ap-embx-sp40.RES.AD.JPL>
References: <mailman.365.1358898563.3383.dtn-security@irtf.org> <CACbuvas_ZNu1-ob0Xk+6N6agq3dq+ctHcp78gNEKXPWZJOn5CQ@mail.gmail.com>
In-Reply-To: <CACbuvas_ZNu1-ob0Xk+6N6agq3dq+ctHcp78gNEKXPWZJOn5CQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [128.149.137.26]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Source-Sender: scott.c.burleigh@jpl.nasa.gov
X-AUTH: Authorized
Subject: Re: [dtn-security] dtn-security Digest, Vol 9, Issue 4
X-BeenThere: dtn-security@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The Delay-Tolerant Networking Research Group \(DTNRG\) - Security." <dtn-security.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/dtn-security>, <mailto:dtn-security-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/dtn-security>
List-Post: <mailto:dtn-security@irtf.org>
List-Help: <mailto:dtn-security-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/dtn-security>, <mailto:dtn-security-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2013 19:05:19 -0000

You're right, Angela, I definitely wouldn't want bundles to have to be encapsulated every time any security block was added.  The idea here would be that you only encapsulate bundle Q whose source is A and whose destination is Z if you know -- at the time you are forwarding Q -- that in order for Q to reach its destination safely it has got to traverse an additionally secured path segment from node X to node Y.  In this case you'd create a new bundle R whose source is X, whose destination is Y, and whose payload is Q, to which you would attach the required additional security blocks.

That is, you'd encapsulate under exactly those conditions under which, in 6257 as written, you would annotate your additional BSP extension blocks with security source and security destination other than the original source and final destination.  The reason to do this would be to delegate to Routing, in a straightforward and transparent manner, the job of ensuring that the bundle is forwarded to the security destination.

If a node just wants to add a signature to a bundle, the question is whether the node that will validate that signature (and therefore must know the corresponding key) is the final destination or some interim destination that the bundle MUST be routed through.  If the latter, then yes, you'd have to encapsulate, because you're constraining the routing system.  If the former -- and if the validating destination node doesn't care which node attached the signature -- then no.

You're right that encapsulation would eliminate non-destination nodes' ability to peer into the original bundle's payload.  Is that really a desirable feature?  I'm a little skeptical that we should rely on any node other than the final destination having access to the payload; certainly if the payload were encrypted this ought to be moot.  Maybe there's still some desire to be able to support deep packet/bundle inspection in firewall-like structures, but I'd think that anything as intrusive as that wouldn't be deterred by a bit of encapsulation.

If a node wanted to sign and then encrypt a bundle, there would need to be additional encapsulation if the node that must decrypt the bundle and/or the node that must validate the signature is other than the destination node.  Again, you'd have to encapsulate in order to cause the bundle to be routed in the manner in which you require it to be routed.

The same general principle would apply to extension security blocks.  If the bundle has to be routed to a specific node in order for extension blocks to be decrypted or validated -- and that node is different from the destination node and from node to which it must be routed for the purpose of decrypting/validating the payload -- then you'd have to encapsulate in order to cause the bundle to be routed in the manner in which you require it to be routed.

I think you could still encrypt different extension blocks with different keys without encapsulation, so long as the bundle's destination knew all of the keys.  Maybe you'd still want correlators to indicate which keys apply to which blocks, but I would think that would be managed by policy rather than by instructions carried in the bundle.  If not, though, then you're right, we wouldn't be able to get rid of correlators.

One thing that this concept does is force the forwarding node to actually know what it's doing.  It's no longer sufficient just to attach several security blocks and let the network try to figure out what you meant.  You have to have an actual plan for effecting all of the processing that you are going to require, because that plan will drive the order of encapsulation and security block attachment.  I see that as an advantage rather than a drawback, though.

Scott

-----Original Message-----
From: dtn-security-bounces@irtf.org [mailto:dtn-security-bounces@irtf.org] On Behalf Of Angela Hennessy
Sent: Wednesday, January 23, 2013 10:03 AM
To: dtn-security@irtf.org
Subject: Re: [dtn-security] dtn-security Digest, Vol 9, Issue 4

Hi Scott,

I like how this approach simplifies the routing and gets rid of the security src/dest and EID refs. I was a little confused though about how this would work with some of the combinations of security blocks:

If a node just wants to add a signature to a bundle, would this require the bundle to be encapsulated? One of the advantages of BSP is that non security-aware nodes can still access the payload by just ignoring the PIB block. Wouldn't we lose that feature if the bundle were encapsulated?

If a node wants to sign and then encrypt the bundle, does this require the bundle to be encapsulated twice?

How would we handle signing/encrypting extension blocks? Would this require a third encapsulation? Wouldn't we still need correlators in case multiple extension blocks are encrypted with the same key, or would we not allow different extension blocks to be encrypted with different keys?


Thanks,
Angela



On Tue, Jan 22, 2013 at 6:49 PM,  <dtn-security-request@irtf.org> wrote:
> If you have received this digest without all the individual message 
> attachments you will need to update your digest options in your list 
> subscription.  To do so, go to
>
> https://www.irtf.org/mailman/listinfo/dtn-security
>
> Click the 'Unsubscribe or edit options' button, log in, and set "Get 
> MIME or Plain Text Digests?" to MIME.  You can set this option 
> globally for all the list digests you receive at this point.
>
>
>
> Send dtn-security mailing list submissions to
>         dtn-security@irtf.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://www.irtf.org/mailman/listinfo/dtn-security
> or, via email, send a message with subject or body 'help' to
>         dtn-security-request@irtf.org
>
> You can reach the person managing the list at
>         dtn-security-owner@irtf.org
>
> When replying, please edit your Subject line so it is more specific 
> than "Re: Contents of dtn-security digest..."
>
> Today's Topics:
>
>    1. Re: FW: Re(19): Implementing Security Destinations inDTN2
>       (Eddy, Wesley M. (GRC-MS00)[MTI SYSTEMS, INC.])
>    2. Re: FW: Re(19): Implementing Security Destinations inDTN2
>       (Eddy, Wesley M. (GRC-MS00)[MTI SYSTEMS, INC.])
>
>
> ---------- Forwarded message ----------
> From: "Eddy, Wesley M. (GRC-MS00)[MTI SYSTEMS, INC.]" 
> <wesley.m.eddy@nasa.gov>
> To: "Burleigh, Scott C" <scott.c.burleigh@jpl.nasa.gov>ov>, 
> "dtn-security@irtf.org" <dtn-security@irtf.org>
> Cc:
> Date: Tue, 22 Jan 2013 17:19:48 -0600
> Subject: Re: [dtn-security] FW: Re(19): Implementing Security 
> Destinations inDTN2 It looks like basically a good idea to me.
>
> I recall sometime in 2006 or 2007ish pointing out that security destinations needed to work more like IPsec tunnel-mode endpoints in order to make the routing work correctly, and I think what you're proposing here accomplishes that in a better way.
>
> Though I think cycles would be better spent on KMP issues that are actually HARD, and *then* circling back to see what could be tweaked in the BSP, I definitely think this proposed change is something that would improve the BSP a bit in the meantime.
>
> I don't think it can be done in a way that's friendly to the existing codebase like Stephen suggests shooting for.
>
> ________________________________
> From: dtn-security-bounces@irtf.org [dtn-security-bounces@irtf.org] On 
> Behalf Of Burleigh, Scott C (313B) [scott.c.burleigh@jpl.nasa.gov]
> Sent: Tuesday, January 22, 2013 5:37 PM
> To: dtn-security@irtf.org
> Subject: [dtn-security] FW: Re(19): Implementing Security Destinations 
> inDTN2
>
> Hi.  Late last September, several of us spun off a sub-thread talking about how the processing of bundles with multiple security destinations could be handled in DTN implementations.  I won't try to recreate all of the arguments on all sides, but I think we did converge on agreement that the current BSP mechanism for complex, multi-destination security could be difficult to realize in coherent fashion across the network.  After puzzling over this for a while, I came up with a concept (below) that I think would be simpler, safer, and even more powerful than the current protocol design.  How do we all feel about this?  Would it be worthwhile for DTNRG to invest in a 6257bis RFC along these lines?
>
> Scott
> _____________________________________________
> From: Burleigh, Scott C (313B)
> Sent: Friday, November 16, 2012 5:05 PM
> To: 'Peter Lovell'; ahennes1@math.umd.edu
> Cc: Amy Alford; Cherita.Corbett@jhuapl.edu; Howard Weiss
> Subject: RE: Re(19): [dtn-security] Implementing Security Destinations 
> in DTN2
>
>
> Hi, Peter.  At the risk (I know) of getting a lot of people severely ticked off at me, I am going to offer a modest proposal for improving the Bundle Security Protocol, inspired by this thread.
> I propose to adopt a new design principle for Bundle Security Protocol: the routing element of a bundle protocol agent should never need to inspect a bundle's BSP extension blocks in order to select the node(s) to forward the bundle to.
> That is, BSP should provide security, not dictate routes.
> My rationale for proposing this principle is that I believe it would:
>
> Simplify BSP, thereby reducing the incidence of bugs and making Bundle Security significantly less expensive to implement and sustain.
> Broaden the scope of BSP deployment by eliminating its dependence on specific, BSP-aware routing implementations, thereby increasing the overall security of DTN.
> Reduce the cost of developing and improving routing implementations by removing any requirement that they be BSP-aware, and broaden the scope of deployment of non-BSP-aware routing implementations by enabling them to be used in environments requiring arbitrarily powerful security.  Thereby, improve DTN operational performance.
>
> Here's how I would apply this principle:
>
> Eliminate security sources and security destinations from all BSP blocks.  The security source of a BSP block would always be the bundle's source.  The security destination of a BSP block would always be the bundle's destination.
> Add a new Administrative Record type for Bundle-in-Bundle encapsulation.
> When additional security must be applied to a bundle on some segment of its end-to-end path, encapsulate the bundle in a Bundle-in-Bundle Encapsulation Administrative Record that is the payload of a new bundle whose source is the security source of the path segment and whose destination is the security destination of the path segment.  Apply the additional bundle transmission security measures to the encapsulating bundle: encrypt its payload (the Administrative Record, containing the encapsulated bundle), encrypt extension blocks as copied from the encapsulated bundle, etc.  Then forward the encapsulating bundle.
> When route service uncertainty forces a bundle to be routed over multiple parallel additionally secured segments of its end-to-end path, encapsulate it as above but within multiple different encapsulating bundles, one for each of the parallel segments, and forward all of them.
> At the destination of a bundle, apply all relevant bundle reception security measures and then, if the payload is an encapsulation Administrative Record, extract the encapsulated bundle from the Administrative Record and simply forward it.
>
> I believe this would have the following impacts on DTN security:
>
> No EID references in BSP, simplifying canonicalization.
> PCBs only encrypt payloads, never PIBs or PCBs (encrypting the 
> encapsulated bundle encrypts all three at once), so no correlators in BSP.  (Except for BABs, no bundle ever has more than one occurrence of any type of BSP block.  And there will never be more than two BABs, one immediately following the primary block and one that is the final block in the bundle, so that correlation is structural.) No delicate "replacement" process for unraveling PCB nesting at the destination.
> No possible confusion about the correct order of application of BSP blocks.
> No possible conflict among security destinations of different BSP blocks.
> Security paths can never overlap.
> Any routing implementation can always accommodate any security regime: 
> routes that must be followed to ensure security are encoded into routing information at the forwarding node, not into the bundle.  (A little like the late binding principle.) Any routing environment can always be made arbitrarily secure - no need to require specially BSP-aware routing elements.
> Ciphersuite design is simplified, so a wider array of useful ciphersuites can be developed without imposing bug-prone complexity.  Minimizes possible security problems.
>
> As an example of how I think this could work, see the attached diagram:
>
> Node A is sending a bundle to node K.  Nodes A, B, J, and K are within the low-risk "W" security region; nodes C and G are gateways between region W and the more hazardous region X; node D is another node in X; nodes E and F are gateways between region X and even more hazardous region Y; nodes H and I are gateways between X and hazardous region Z.
> At A the bundle is simply forwarded to B.
> At B the routing element realizes that the bundle has to traverse region X in order to get to K, so it forwards the bundle to C.
> The routing element at C encapsulates the bundle in an Admin Record, creates a new bundle destined for G (the egress from region X) whose source is C and whose payload is that Admin Record, encrypts the payload, attaches a PCB, and forwards the bundle to D.
> D realizes that the bundle has to traverse region Y in order to get to G, so it forwards the bundle to E.
> E encapsulates the bundle in an Admin Record, creates a new bundle destined for F (the egress from region Y) whose source is E and whose payload is that Admin Record, encrypts the payload, attaches a PCB, and forwards the bundle to F.
> The bundle protocol agent at F receives the bundle, decrypts it, and passes the payload (an Admin Record) to the application agent.  The administrative element of the application agent at F receives the Admin Record, extracts the encapsulated bundle destined for G, and queues it to be forwarded.  The routing element at F sees this bundle and forwards it to G.
> The bundle protocol agent at G receives the bundle, decrypts it, and passes the payload (an Admin Record) to the application agent.  The administrative element of the application agent at G receives the Admin Record, extracts the encapsulated bundle destined for K, and queues it to be forwarded.  The routing element at G sees this bundle, realizes that the bundle has to traverse region Z in order to get to K, and therefore forwards the bundle to H.
> H encapsulates the bundle in an Admin Record, creates a new bundle destined for I (the egress from region Z) whose source is H and whose payload is that Admin Record, encrypts the payload, attaches a PCB, and forwards the bundle to I.
> The bundle protocol agent at I receives the bundle, decrypts it, and passes the payload (an Admin Record) to the application agent.  The administrative element of the application agent at I receives the Admin Record, extracts the encapsulated bundle destined for K, and queues it to be forwarded.  The routing element at I sees this bundle and forwards it to J.
> At J the bundle is simply forwarded to K.
> At K the bundle's payload is passed to the application.
>
> I think this approach would combine simplicity with quite a lot of operational power, making everything cheaper and safer.
> So, having now stirred the hornet's nest, I will beat a hasty retreat for a week while I am on vacation.  I'll try to follow up when I get back.
> Have a nice Thanksgiving, everybody.
> Scott
>
> -----Original Message-----
> From: Peter Lovell [mailto:plovell@mac.com]
> Sent: Monday, October 22, 2012 1:28 PM
> To: Burleigh, Scott C (313B); ahennes1@math.umd.edu
> Cc: Amy Alford; Cherita.Corbett@jhuapl.edu; Howard Weiss; Peter Lovell
> Subject: Re(19): [dtn-security] Implementing Security Destinations in 
> DTN2
>
> On Wed, Oct 24, 2012, Burleigh, Scott C (313B) <scott.c.burleigh@jpl.nasa.gov> wrote:
>
>> In view of which, I've now become a bigger fan of bundle-in-bundle 
>>tunneling than I've been in the past.
>
> Hi Scott,
>
> I agree. I'm also a big fan, for a bunch of reasons. However, as I mentioned to Angela, the current [i.e. latest, expired] draft seems a bit "funky" to me. There's no indication in the bundle that it's BiB and you need some special EID to perform the decapsulation. Maybe that's just like an assigned port in TCP but we don't yet have such a mechanism. The multiple-bundle thing is OK, I guess, but I don't see much use for it other than volume gateway-to-gateway traffic and I think that such heavy-duty tunnels could be specially optimized.
>
> I need to go back and review all the discussions about BiB -- we worked it quite a bit but the spec never gained enough consensus to move forward. I think it would be a good idea to revisit it now and get a solid draft that has wider support. Maybe the email discussions will help us get there.
>
> Thanks.....Peter
>
>
>
>
> ---------- Forwarded message ----------
> From: "Eddy, Wesley M. (GRC-MS00)[MTI SYSTEMS, INC.]" 
> <wesley.m.eddy@nasa.gov>
> To: "Burleigh, Scott C" <scott.c.burleigh@jpl.nasa.gov>ov>, 
> "dtn-security@irtf.org" <dtn-security@irtf.org>
> Cc:
> Date: Tue, 22 Jan 2013 17:47:47 -0600
> Subject: Re: [dtn-security] FW: Re(19): Implementing Security 
> Destinations inDTN2 Agreed; that makes sense.
>
> ________________________________
> From: Burleigh, Scott C (313B) [scott.c.burleigh@jpl.nasa.gov]
> Sent: Tuesday, January 22, 2013 6:35 PM
> To: Eddy, Wesley M. (GRC-MS00)[MTI SYSTEMS, INC.]; 
> dtn-security@irtf.org
> Subject: RE: [dtn-security] FW: Re(19): Implementing Security 
> Destinations inDTN2
>
> Wes, I agree that some code change would be entailed in implementing this proposal, but I think a large proportion of the code - the general flow of processing the extension blocks, the canonicalization, the ciphersuites, really almost everything that would have been implemented to handle the simple case of security source/destination being identical to bundle source/destination - would be preserved.  I suspect that much of what I was proposing here involves removing functionality that most developers haven't implemented yet anyway, because of the potential pitfalls.
>
>
>
> Scott
>
>
>
> From: Eddy, Wesley M. (GRC-MS00)[MTI SYSTEMS, INC.] 
> [mailto:wesley.m.eddy@nasa.gov]
> Sent: Tuesday, January 22, 2013 3:20 PM
> To: Burleigh, Scott C (313B); dtn-security@irtf.org
> Subject: RE: [dtn-security] FW: Re(19): Implementing Security 
> Destinations inDTN2
>
>
>
> It looks like basically a good idea to me.
>
>
>
> I recall sometime in 2006 or 2007ish pointing out that security destinations needed to work more like IPsec tunnel-mode endpoints in order to make the routing work correctly, and I think what you're proposing here accomplishes that in a better way.
>
>
>
> Though I think cycles would be better spent on KMP issues that are actually HARD, and *then* circling back to see what could be tweaked in the BSP, I definitely think this proposed change is something that would improve the BSP a bit in the meantime.
>
>
>
> I don't think it can be done in a way that's friendly to the existing codebase like Stephen suggests shooting for.
>
>
>
> ________________________________
>
> From: dtn-security-bounces@irtf.org [dtn-security-bounces@irtf.org] On 
> Behalf Of Burleigh, Scott C (313B) [scott.c.burleigh@jpl.nasa.gov]
> Sent: Tuesday, January 22, 2013 5:37 PM
> To: dtn-security@irtf.org
> Subject: [dtn-security] FW: Re(19): Implementing Security Destinations 
> inDTN2
>
> Hi.  Late last September, several of us spun off a sub-thread talking about how the processing of bundles with multiple security destinations could be handled in DTN implementations.  I won't try to recreate all of the arguments on all sides, but I think we did converge on agreement that the current BSP mechanism for complex, multi-destination security could be difficult to realize in coherent fashion across the network.  After puzzling over this for a while, I came up with a concept (below) that I think would be simpler, safer, and even more powerful than the current protocol design.  How do we all feel about this?  Would it be worthwhile for DTNRG to invest in a 6257bis RFC along these lines?
>
>
>
> Scott
>
> _____________________________________________
> From: Burleigh, Scott C (313B)
> Sent: Friday, November 16, 2012 5:05 PM
> To: 'Peter Lovell'; ahennes1@math.umd.edu
> Cc: Amy Alford; Cherita.Corbett@jhuapl.edu; Howard Weiss
> Subject: RE: Re(19): [dtn-security] Implementing Security Destinations 
> in DTN2
>
>
>
>
>
> Hi, Peter.  At the risk (I know) of getting a lot of people severely ticked off at me, I am going to offer a modest proposal for improving the Bundle Security Protocol, inspired by this thread.
>
> I propose to adopt a new design principle for Bundle Security Protocol: the routing element of a bundle protocol agent should never need to inspect a bundle's BSP extension blocks in order to select the node(s) to forward the bundle to.
>
> That is, BSP should provide security, not dictate routes.
>
> My rationale for proposing this principle is that I believe it would:
>
> *         Simplify BSP, thereby reducing the incidence of bugs and making Bundle Security significantly less expensive to implement and sustain.
>
> *         Broaden the scope of BSP deployment by eliminating its dependence on specific, BSP-aware routing implementations, thereby increasing the overall security of DTN.
>
> *         Reduce the cost of developing and improving routing implementations by removing any requirement that they be BSP-aware, and broaden the scope of deployment of non-BSP-aware routing implementations by enabling them to be used in environments requiring arbitrarily powerful security.  Thereby, improve DTN operational performance.
>
> Here's how I would apply this principle:
>
> 1.       Eliminate security sources and security destinations from all BSP blocks.  The security source of a BSP block would always be the bundle's source.  The security destination of a BSP block would always be the bundle's destination.
>
> 2.       Add a new Administrative Record type for Bundle-in-Bundle encapsulation.
>
> 3.       When additional security must be applied to a bundle on some segment of its end-to-end path, encapsulate the bundle in a Bundle-in-Bundle Encapsulation Administrative Record that is the payload of a new bundle whose source is the security source of the path segment and whose destination is the security destination of the path segment.  Apply the additional bundle transmission security measures to the encapsulating bundle: encrypt its payload (the Administrative Record, containing the encapsulated bundle), encrypt extension blocks as copied from the encapsulated bundle, etc.  Then forward the encapsulating bundle.
>
> 4.       When route service uncertainty forces a bundle to be routed over multiple parallel additionally secured segments of its end-to-end path, encapsulate it as above but within multiple different encapsulating bundles, one for each of the parallel segments, and forward all of them.
>
> 5.       At the destination of a bundle, apply all relevant bundle reception security measures and then, if the payload is an encapsulation Administrative Record, extract the encapsulated bundle from the Administrative Record and simply forward it.
>
> I believe this would have the following impacts on DTN security:
>
> *         No EID references in BSP, simplifying canonicalization.
>
> *         PCBs only encrypt payloads, never PIBs or PCBs (encrypting the encapsulated bundle encrypts all three at once), so no correlators in BSP.  (Except for BABs, no bundle ever has more than one occurrence of any type of BSP block.  And there will never be more than two BABs, one immediately following the primary block and one that is the final block in the bundle, so that correlation is structural.)
>
> *         No delicate "replacement" process for unraveling PCB nesting at the destination.
>
> *         No possible confusion about the correct order of application of BSP blocks.
>
> *         No possible conflict among security destinations of different BSP blocks.
>
> *         Security paths can never overlap.
>
> *         Any routing implementation can always accommodate any security regime: routes that must be followed to ensure security are encoded into routing information at the forwarding node, not into the bundle.  (A little like the late binding principle.)
>
> *         Any routing environment can always be made arbitrarily secure - no need to require specially BSP-aware routing elements.
>
> *         Ciphersuite design is simplified, so a wider array of useful ciphersuites can be developed without imposing bug-prone complexity.  Minimizes possible security problems.
>
> As an example of how I think this could work, see the attached diagram:
>
> 1.       Node A is sending a bundle to node K.  Nodes A, B, J, and K are within the low-risk "W" security region; nodes C and G are gateways between region W and the more hazardous region X; node D is another node in X; nodes E and F are gateways between region X and even more hazardous region Y; nodes H and I are gateways between X and hazardous region Z.
>
> 2.       At A the bundle is simply forwarded to B.
>
> 3.       At B the routing element realizes that the bundle has to traverse region X in order to get to K, so it forwards the bundle to C.
>
> 4.       The routing element at C encapsulates the bundle in an Admin Record, creates a new bundle destined for G (the egress from region X) whose source is C and whose payload is that Admin Record, encrypts the payload, attaches a PCB, and forwards the bundle to D.
>
> 5.       D realizes that the bundle has to traverse region Y in order to get to G, so it forwards the bundle to E.
>
> 6.       E encapsulates the bundle in an Admin Record, creates a new bundle destined for F (the egress from region Y) whose source is E and whose payload is that Admin Record, encrypts the payload, attaches a PCB, and forwards the bundle to F.
>
> 7.       The bundle protocol agent at F receives the bundle, decrypts it, and passes the payload (an Admin Record) to the application agent.  The administrative element of the application agent at F receives the Admin Record, extracts the encapsulated bundle destined for G, and queues it to be forwarded.  The routing element at F sees this bundle and forwards it to G.
>
> 8.       The bundle protocol agent at G receives the bundle, decrypts it, and passes the payload (an Admin Record) to the application agent.  The administrative element of the application agent at G receives the Admin Record, extracts the encapsulated bundle destined for K, and queues it to be forwarded.  The routing element at G sees this bundle, realizes that the bundle has to traverse region Z in order to get to K, and therefore forwards the bundle to H.
>
> 9.       H encapsulates the bundle in an Admin Record, creates a new bundle destined for I (the egress from region Z) whose source is H and whose payload is that Admin Record, encrypts the payload, attaches a PCB, and forwards the bundle to I.
>
> 10.   The bundle protocol agent at I receives the bundle, decrypts it, and passes the payload (an Admin Record) to the application agent.  The administrative element of the application agent at I receives the Admin Record, extracts the encapsulated bundle destined for K, and queues it to be forwarded.  The routing element at I sees this bundle and forwards it to J.
>
> 11.   At J the bundle is simply forwarded to K.
>
> 12.   At K the bundle's payload is passed to the application.
>
> I think this approach would combine simplicity with quite a lot of operational power, making everything cheaper and safer.
>
> So, having now stirred the hornet's nest, I will beat a hasty retreat for a week while I am on vacation.  I'll try to follow up when I get back.
>
> Have a nice Thanksgiving, everybody.
>
> Scott
>
>
>
> -----Original Message-----
> From: Peter Lovell [mailto:plovell@mac.com]
> Sent: Monday, October 22, 2012 1:28 PM
> To: Burleigh, Scott C (313B); ahennes1@math.umd.edu
> Cc: Amy Alford; Cherita.Corbett@jhuapl.edu; Howard Weiss; Peter Lovell
> Subject: Re(19): [dtn-security] Implementing Security Destinations in 
> DTN2
>
>
>
> On Wed, Oct 24, 2012, Burleigh, Scott C (313B) <scott.c.burleigh@jpl.nasa.gov> wrote:
>
>
>
>> In view of which, I've now become a bigger fan of bundle-in-bundle
>
>>tunneling than I've been in the past.
>
>
>
> Hi Scott,
>
>
>
> I agree. I'm also a big fan, for a bunch of reasons. However, as I mentioned to Angela, the current [i.e. latest, expired] draft seems a bit "funky" to me. There's no indication in the bundle that it's BiB and you need some special EID to perform the decapsulation. Maybe that's just like an assigned port in TCP but we don't yet have such a mechanism. The multiple-bundle thing is OK, I guess, but I don't see much use for it other than volume gateway-to-gateway traffic and I think that such heavy-duty tunnels could be specially optimized.
>
>
>
> I need to go back and review all the discussions about BiB -- we worked it quite a bit but the spec never gained enough consensus to move forward. I think it would be a good idea to revisit it now and get a solid draft that has wider support. Maybe the email discussions will help us get there.
>
>
>
> Thanks.....Peter
>
>
>
>
>
>
> _______________________________________________
> dtn-security mailing list
> dtn-security@irtf.org
> https://www.irtf.org/mailman/listinfo/dtn-security
>
_______________________________________________
dtn-security mailing list
dtn-security@irtf.org
https://www.irtf.org/mailman/listinfo/dtn-security