Re: [dtn-security] Updated SBSP Document

["Burleigh, Scott C (312G)" <scott.c.burleigh@jpl.nasa.gov>]

One more comment on one of these topics, also in-line.

From: Scott, Keith L. [mailto:kscott@mitre.org]
Sent: Monday, June 02, 2014 9:27 AM
To: Amy Alford; Burleigh, Scott C (312G)
Cc: dtn-security@irtf.org
Subject: RE: [dtn-security] Updated SBSP Document

Some comments in-line below.

                        --keith

From: dtn-security [mailto:dtn-security-bounces@irtf.org] On Behalf Of Amy Alford
Sent: Monday, June 02, 2014 11:33 AM
To: Burleigh, Scott C (312G)
Cc: dtn-security@irtf.org<mailto:dtn-security@irtf.org>
Subject: Re: [dtn-security] Updated SBSP Document

I'm also responding inline.

On Fri, May 30, 2014 at 3:17 PM, Burleigh, Scott C (312G) <scott.c.burleigh@jpl.nasa.gov<mailto:scott.c.burleigh@jpl.nasa.gov>> wrote:
A couple of remarks on David’s comments, in-line below.
Scott
From: dtn-security [mailto:dtn-security-bounces@irtf.org<mailto:dtn-security-bounces@irtf.org>] On Behalf Of Zoller, David A. (MSFC-EO50)[HOSC SERVICES CONTRACT]
Sent: Thursday, May 29, 2014 12:09 PM
To: Birrane, Edward J.; dtn-security@irtf.org<mailto:dtn-security@irtf.org>
Subject: Re: [dtn-security] Updated SBSP Document

Ed,

Good work - the SBSP spec continues to evolve nicely. I’ll kick off the discussions with my comments below.

Cheers,

DZ
[Page 12] 2.4 Bundle Authentication Block
The security-target MUST be the entire bundle, which MUST be
represented by a <block type><occurrence number> of <0x00><0x00>.
•         Per 3.4 Bundle Fragmentation and Reassembly, bundle authentication may be applied to bundle fragments as well as non-fragmented bundles.
•         If a bundle fragment is received that has a BAB, there is no way to determine if the BAB applies to the bundle fragment or if it applies to an entire bundle that was later fragmented by a non-security-aware BA.
o    I propose that a <block type><occurrence number> of <0x00><payload frag length> indicate that the BAB applies to a bundle fragment
•         If such a bundle fragment is further fragmented by a non-security-aware BA then the <payload frag length> can be used to determine that the original fragmented bundle must be reassembled before authentication is checked because it will not match the length field in the payload block.
o    Some discussion may be desirable in section 3.4 as well as 2.4 if accepted

>  When a BAB is attached to a bundle that is a fragment, the bundle that it applies to is always that fragment, never the bundle that carried the original payload (of which the current bundle’s payload is a fragment).  Since BABs are not end-to-end, the BAB for an original un-fragmented bundle will never be carried forward in any fragments generated from that bundle (see the last paragraph of 3.3.1), so there’s no ambiguity.  But this does bring up an important point: the block processing control flags of the BAB must always have the “replicate in every fragment” flag set to 0.
Maybe I'm misunderstanding here, but fragmentation can happen between a BAB source and a BAB dest if a non-security aware node is between the two.  Requiring the "DO_NOT_FRAGMENT" flag solves this.

BABs should be applied ‘point-to-point’ between bundle agents; there shouldn’t be an opportunity for a non-security-aware node to fragment a bundle with a BAB on it.  I’ll have to check the cross-product between encapsulation and BAB (i.e. whether you can encapsulate a bundle with a BAB on it (and then possibly fragment the encapsulating bundle) or not).  I suspect that the answer is ‘no’ (i.e. you check / remove the BAB immediately on receipt and before you encapsulate and/or fragment for transmission).


Ø There isn’t really any accepted spec to consult on encapsulation, but within the concept that I’ve been working with (https://datatracker.ietf.org/doc/draft-irtf-burleigh-bibe/) the encapsulation protocol is a convergence-layer adapter.  In that case, the entire, complete outbound bundle – including any BAB that was attached at the last moment before serialization for the CLA – would become the payload of the new encapsulating bundle.  The encapsulating bundle might or might not be security-aware, but that doesn’t matter.  The destination of the encapsulating bundle would extract the encapsulated bundle (the “outer” bundle’s payload) and simulate reception of that bundle, which would still have its BAB.  That bundle would, in effect, have traversed only a single hop (direct transmission between sender and receiver at the convergence layer), so there was no intervening non-security-aware forwarding node between the sending node that attached the BAB and the receiving node that would validate it.  So no opportunity for fragmentation, no problem.