RE: [dtn-security] BSP questions

"Symington, Susan F." <susan@mitre.org> Tue, 06 February 2007 14:33 UTC

Subject: RE: [dtn-security] BSP questions
Date: Tue, 6 Feb 2007 09:33:09 -0500
Message-ID: <8E507634779E22488719233DB3DF9FF0014B1749@IMCSRV4.MITRE.ORG>
In-Reply-To: <20070206133129.1301477151@127.0.0.1>
References: <20070206133129.1301477151@127.0.0.1>
From: "Symington, Susan F." <susan@mitre.org>
To: <dtn-security@mailman.dtnrg.org>
Cc: "Howard Weiss" <howard.weiss@sparta.com>

I believe that the term "end-to-end" here was intended to mean from
security source to security destination, where the security source is
not necessarily the source of the bundle, and the security destination
is not necessarily the destination of the bundle. This
"end-to-endishness" is described in more detail in the Security
Overview document. An end-to-end ciphersuite is distinguished from a
"hop-by-hop" ciphersuite by the fact that the hop-by-hop ciphersuite is
only intended to be used between adjacent nodes and never across
multiple nodes. 

To avoid others having the same question as you, it seems we should add
some clarifying text to explain this, because the BSP is normative
whereas the Security Overview is not.

-susan
*****************************************************************
Susan Symington
The MITRE Corporation
susan@mitre.org
703-983-7209 (voice)
703-983-7142 (fax)
******************************************************************
 

>-----Original Message-----
>From: dtn-security-admin@mailman.dtnrg.org
>[mailto:dtn-security-admin@mailman.dtnrg.org] On Behalf Of Peter Lovell
>Sent: Tuesday, February 06, 2007 8:31 AM
>To: dtn-security@mailman.dtnrg.org
>Cc: Howard Weiss
>Subject: [dtn-security] BSP questions
>
>a question arising from doing the implementation ...
>
>Bundle security spec 2.3 description for PS includes the statement
>"The ciphersuite ID MUST be documented as an end-to-end authentication-
>ciphersuite or as an end-to-end error-detection-ciphersuite."
>
>Is it the intent that PS is only ever end-to-end? It can never be added
>at intermediate points such as a bastion gateway. Gateway-to-gateway
>would be done using encapsulation (tunneling), so the gateway would be
>the source for the encapsulated bundle. If this is the intent then
>several other issues no longer exist.
>
>Thanks.....Peter
>
>_______________________________________________
>dtn-security mailing list
>dtn-security@mailman.dtnrg.org
>http://mailman.dtnrg.org/mailman/listinfo/dtn-security
>
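The reply above distinguishes a hop-by-hop ciphersuite, used only between adjacent nodes, from an end-to-end one whose security source and security destination need not be the bundle's own source and destination. The following Python model is added here as an illustration and is not code from the BSP draft, the DTN reference implementation, or either correspondent. It walks a bundle along the path A -> G1 -> R -> G2 -> B, where the two gateways G1 and G2 are the security source and destination of the end-to-end block while A and B remain the bundle endpoints. The node names, the shared keys, the HMAC-based block contents and the `forward` driver are all constructed assumptions; the wire format is deliberately not BSP's. The `tamper_at` option lets a reader see why the two block types detect different things: a hop-by-hop check only vouches for the previous link, so a change made at an intermediate node passes every later hop check and is caught only at the security destination.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample keys (hypothetical). A hop-by-hop key is shared only by
# two adjacent nodes; the end-to-end key is shared only by the security
# source and security destination, which here are gateways, not A and B.
HOP_KEYS = {
    ("A", "G1"): b"hop-key-A-G1",
    ("G1", "R"): b"hop-key-G1-R",
    ("R", "G2"): b"hop-key-R-G2",
    ("G2", "B"): b"hop-key-G2-B",
}
E2E_KEYS = {("G1", "G2"): b"e2e-key-G1-G2"}


@dataclass
class Bundle:
    source: str                       # bundle source (A)
    destination: str                  # bundle destination (B)
    payload: bytes
    hop_block: Optional[dict] = None  # added and removed at every hop
    e2e_block: Optional[dict] = None  # added once, verified once, else passed through


def _tag(key: bytes, b: Bundle) -> str:
    """HMAC over the fields a security block protects in this toy model."""
    data = b"|".join([b.source.encode(), b.destination.encode(), b.payload])
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def add_hop_block(b: Bundle, here: str, nxt: str) -> None:
    """Sending node attaches a block keyed to the next adjacent node only."""
    b.hop_block = {"src": here, "dst": nxt, "tag": _tag(HOP_KEYS[(here, nxt)], b)}


def check_and_strip_hop_block(b: Bundle, here: str) -> bool:
    """Receiving node verifies and always discards the hop-by-hop block."""
    blk, b.hop_block = b.hop_block, None
    if blk is None or blk["dst"] != here:
        return False
    key = HOP_KEYS.get((blk["src"], here))
    return key is not None and hmac.compare_digest(blk["tag"], _tag(key, b))


def add_e2e_block(b: Bundle, sec_src: str, sec_dst: str) -> None:
    """Security source (not necessarily the bundle source) adds the block."""
    b.e2e_block = {"sec_src": sec_src, "sec_dst": sec_dst,
                   "tag": _tag(E2E_KEYS[(sec_src, sec_dst)], b)}


def check_e2e_block(b: Bundle, here: str) -> Optional[bool]:
    """None means 'not my block': intermediate nodes leave it untouched."""
    blk = b.e2e_block
    if blk is None or blk["sec_dst"] != here:
        return None
    return hmac.compare_digest(blk["tag"], _tag(E2E_KEYS[(blk["sec_src"], here)], b))


def forward(b: Bundle, path: list, sec_src: str, sec_dst: str,
            tamper_at: Optional[str] = None) -> list:
    """Carry the bundle along path; returns the list of (node, event) pairs."""
    events = []
    for i, node in enumerate(path):
        if i > 0:
            events.append((node, "hop-ok" if check_and_strip_hop_block(b, node) else "hop-FAIL"))
        if node == sec_src:
            add_e2e_block(b, sec_src, sec_dst)
            events.append((node, "e2e-added"))
        if node == tamper_at:            # constructed fault: an intermediate node alters the payload
            b.payload += b"!"
            events.append((node, "tampered"))
        verdict = check_e2e_block(b, node)
        if verdict is not None:
            events.append((node, "e2e-ok" if verdict else "e2e-FAIL"))
        if i + 1 < len(path):
            add_hop_block(b, node, path[i + 1])
    return events


if __name__ == "__main__":
    path = ["A", "G1", "R", "G2", "B"]
    for fault in (None, "R"):
        bundle = Bundle("A", "B", b"constructed payload")
        print(fault, forward(bundle, path, "G1", "G2", tamper_at=fault))
```

Run as a script it prints two traces: in the clean run every hop check passes and G2 reports `e2e-ok`; with the fault at R, R recomputes a valid hop block over the altered payload so G2's hop check still passes, and only the end-to-end check at G2 reports the change. Note also that the end-to-end block survives to B, because B is the bundle destination but not the security destination.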