[dtn-security] Re(2): Is there a "secure" reference implementation of the DTN stack?
Peter Lovell <plovell@mac.com> Sun, 28 June 2009 14:14 UTC
From: Peter Lovell <plovell@mac.com>
To: "Graham Keellings (Leonix Solutions Pte Ltd)" <Graham@LeonixSolutions.com>
Date: Sun, 28 Jun 2009 10:13:13 -0400
Message-id: <20090628141313.1532044204@smtp.mac.com>
In-reply-to: <4A470CD7.4010502@LeonixSolutions.com>
References: <89E48AE60E64EF4E8EB32B0B7EC74920A1B0F5@EVS-EC1-NODE2.surrey.ac.uk> <4A12195A.6000207@LeonixSolutions.com> <3A5AA67A8B120B48825BFFCF5443856137E0B06196@NDJSSCC03.ndc.nasa.gov> <4A1DD73F.50000@bbn.com> <023601c9df2a$694fd5b0$3bef8110$@com> <4A2DF7FD.5020104@LeonixSolutions.com> <3A5AA67A8B120B48825BFFCF5443856137E3553C4B@NDJSSCC03.ndc.nasa.gov> <029d01c9e925$1e354880$5a9fd980$@com> <4A46C257.3040006@LeonixSolutions.com> <20090628050243.1566215671@smtp.mac.com> <4A46FBB2.3080205@LeonixSolutions.com> <20090628052255.640550503@smtp.mac.com> <4A470CD7.4010502@LeonixSolutions.com>
X-Mailer: CTM PowerMail version 5.6.5 build 4509 English (intel) <http://www.ctmdev.com>
Cc: dtn-security@maillists.intel-research.net
Subject: [dtn-security] Re(2): Is there a "secure" reference implementation of the DTN stack?
Hi Graham,

threats such as the ones you describe are handled by the Bundle Security Protocol (BSP) code in the RI. Your application does not have to do encryption etc - that is part of BSP RI code. You *do* have to handle management of keys and that means that you have to write some code that the RI code will call. The thumbnail sketch is that the RI code needs protection applied to something (small, such as an ephemeral key) and your code needs to select an appropriate key and do it. There will be some sample code for this but it's not there yet.

Each bundle can have HMAC to protect against changes and also against DOS injection attacks. This is standard already.

In short, you'll find that the fundamental capabilities you need are already present but you have to supply the key-management code as appropriate for your key mechanism.

Regards.....Peter

On Sun, Jun 28, 2009, Graham Keellings (Leonix Solutions Pte Ltd) <Graham@LeonixSolutions.com> wrote:

>That's the problem - I am not a security expert?
>
>I guess encryption would be provided by the application which uses DTN?
>
>What about adding a MAC (or HMAC) for the link established stuff (or even
>every bundle)?
>
>How to deny man in the middle attacks or spoofed bundles, DOS at the
>network layer by injecting many fake packets? That sort of thing ...
>
>Thanks again for your help, Peter.
>
>Peter Lovell wrote:
>> Hi Graham,
>>
>>> there is an agreed upon standard "reference implementation" of DTN 2.6
>>> and Oasys 1.3, but it lacks security features.
>>
>> what security features do you find missing? The RI is not a turnkey
>> solution but more of a "reference framework".
>>
>> I'm trying to help but am unsure of what's lacking.
>>
>> Regards.....Peter
>>
>> On Sun, Jun 28, 2009, Graham Keellings (Leonix Solutions Pte Ltd)
>> <Graham@LeonixSolutions.com> wrote:
>>
>>> hi, Peter,
>>>
>>> there is an agreed upon standard "reference implementation" of DTN 2.6
>>> and Oasys 1.3, but it lacks security features.
>>>
>>> Now, let us say that someone wants a "secure" implementation - but
>>> doesn't care about the details of "secure", just that it is generally
>>> agreed to be "secure" (or (much) more so than the standard
>>> implementation). Is there a reference build for that which can be
>>> downloaded?
>>>
>>> My guess is that everyone's perception of "secure" differs and that even
>>> for one person it is a matter of trade-offs, but I just thought that I
>>> would ask if there is some consensus on what it means for DTN to be
>>> "secure".
>>>
>>> Thanks very much for taking the time to reply.
>>>
>>> With best wishes,
>>>
>>> Graham
>>>
>>> Peter Lovell wrote:
>>>> On Sun, Jun 28, 2009, Graham Keellings (Leonix Solutions Pte Ltd)
>>>> <Graham@leonixsolutions.com> wrote:
>>>>
>>>>> Is there a "secure" reference implementation of the DTN stack available
>>>>> for download? Is there even agreement of what a "secure" implementation
>>>>> should be, or is it all a question of trade-offs?
>>>>>
>>>>> Thanks in advance for any help.
>>>>>
>>>>> Graham
>>>>
>>>> Hi Graham,
>>>>
>>>> I'm not sure what you're expecting when you refer to a "secure"
>>>> reference implementation. Do you mean one with the security protocols,
>>>> or one that had been hardened, or one that has been certified by some
>>>> organization or other?
>>>>
>>>> If you can give a little more context we can help fill in what you need.
>>>>
>>>> Cheers.....Peter
>>>>
>>> --
>>> Technical Director
>>> Leonix Solutions (Pte) Ltd
>>> 18 Boon Lay Way
>>> #09-95 TradeHub 21
>>> Singapore 609966
>>> Telephone:+65 6316 9968
>>> Fax: +65 6316 9208
>>
>
>--
>Technical Director
>Leonix Solutions (Pte) Ltd
>18 Boon Lay Way
>#09-95 TradeHub 21
>Singapore 609966
>Telephone:+65 6316 9968
>Fax: +65 6316 9208
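The per-bundle HMAC check and the application-supplied key selection that Peter describes, as an added example that is not part of this thread and not code from the DTN2/Oasys reference implementation or its BSP module. The bundle field layout, the length-prefixed canonical encoding, the `KeyStore` class, the EIDs and the fixed key are all constructed for illustration; real BSP uses its own block formats. The point it shows is the receiver-side effect: a bundle that was altered in transit, one forged without the key, and one from a source the node has no key for are all rejected by the same cheap tag check before any further processing.

```python
"""Per-bundle HMAC integrity check with application-supplied key management.

Added illustration, not code from the DTN2/Oasys reference implementation or
its BSP module. The bundle layout, canonical encoding and key store below are
constructed for this example; real BSP uses its own block formats.
"""
import hashlib
import hmac


class KeyStore:
    """The application-supplied part: select a key for a security source.

    The RI calls back into code like this; the example keys it by the
    bundle's source EID (constructed scheme, not BSP's).
    """

    def __init__(self):
        self._keys = {}

    def add(self, source_eid, key):
        self._keys[source_eid] = key

    def lookup(self, source_eid):
        # None means "no trust relationship with this source".
        return self._keys.get(source_eid)


def canonical_bytes(bundle):
    """Deterministic encoding of the fields the tag covers (constructed format).

    The tag field itself is deliberately excluded. Each field is length-prefixed
    so that moving bytes between fields cannot produce the same encoding.
    """
    fields = [
        bundle["source"].encode(),
        bundle["dest"].encode(),
        str(bundle["creation_ts"]).encode(),
        bundle["payload"],
    ]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def protect_bundle(bundle, keystore):
    """Attach an HMAC-SHA256 tag computed under the source's key."""
    key = keystore.lookup(bundle["source"])
    if key is None:
        raise KeyError("no key for source %s" % bundle["source"])
    tag = hmac.new(key, canonical_bytes(bundle), hashlib.sha256).digest()
    return dict(bundle, tag=tag)


def verify_bundle(bundle, keystore):
    """Accept the bundle only if its tag verifies under the source's key.

    Unknown sources and untagged bundles are rejected before any further
    processing, which is what bounds the cost of injected junk traffic.
    """
    key = keystore.lookup(bundle["source"])
    tag = bundle.get("tag")
    if key is None or tag is None:
        return False
    expected = hmac.new(key, canonical_bytes(bundle), hashlib.sha256).digest()
    # Constant-time comparison so the tag check does not leak by timing.
    return hmac.compare_digest(expected, tag)


def build_demo_keystore():
    # Constructed fixed key for a repeatable demo; real keys come from the
    # application's own key mechanism.
    ks = KeyStore()
    ks.add("dtn://node-a", b"\x11" * 32)
    return ks


def make_demo_bundle():
    # Constructed sample bundle.
    return {
        "source": "dtn://node-a",
        "dest": "dtn://node-b",
        "creation_ts": 1246198393,
        "payload": b"telemetry: batt=91%",
    }


def run_demo():
    """Returns which of the four cases the receiver accepts."""
    ks = build_demo_keystore()
    genuine = protect_bundle(make_demo_bundle(), ks)
    modified = dict(genuine, payload=b"telemetry: batt=1%")   # altered in transit
    spoofed = dict(make_demo_bundle(), tag=b"\x00" * 32)       # forged without the key
    unknown = dict(genuine, source="dtn://node-z")             # no trust relationship
    return {
        "genuine": verify_bundle(genuine, ks),
        "modified": verify_bundle(modified, ks),
        "spoofed": verify_bundle(spoofed, ks),
        "unknown": verify_bundle(unknown, ks),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print("%-9s accepted=%s" % (case, accepted))
```

Only `KeyStore` corresponds to the part Peter says the application has to write; everything the RI would do (computing and checking the tag) is in `protect_bundle` and `verify_bundle`. Rejecting on `lookup` returning `None` before touching the tag is what keeps a flood of bundles from unknown sources cheap to discard.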