Re: [dtn] [Acme] WGLC for ACME DTN Node ID
Brian Sipos <BSipos@rkf-eng.com> Thu, 22 April 2021 13:33 UTC
Return-Path: <BSipos@rkf-eng.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A8F93A02BE for <dtn@ietfa.amsl.com>; Thu, 22 Apr 2021 06:33:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rkf-eng.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ItmCXT6ZrACh for <dtn@ietfa.amsl.com>; Thu, 22 Apr 2021 06:33:14 -0700 (PDT)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2073.outbound.protection.outlook.com [40.107.92.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BA843A0128 for <dtn@ietf.org>; Thu, 22 Apr 2021 06:33:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=giSZ+ineLg7DTT31vwisCbvCI6ro6Yi2+hgrQCEDlHXENU7EIN9qazBDf08YzaVhh3zHg/jbF6fhx3Pj5n+cpZC93eL0g6e9lqMHHjImEv2zkwex1OvucrOdxraKcn8P/xuaZLchJRpmp51QyWvmuqRz+lvNyjeNPulSzCC5K2DQM2s1gHt7qgYFcgcDJRt+V05mXNRmReHBpiVOIqPib66By7eQPYm7L9o0kJREznYGpnKFbA+3VSk73mUA0BvE3EwdOdNcGuJ5jI7gkX10niCRAi9jTKHQnI2UqqcOT20Y4jO3HuX/0HIMdZLpYZX8pcSDhDoNi/DZcxnCcXkSwA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2Lsh6hZ1PgrzZrld307a9VKOQY/VAv+W/ah+iqXxRR0=; b=D6V2C+VdVJ4qgvZoYfIGD4PH01FY8M8losjl+vNhJKiO5jLx4Z+BunYQkOSuZCxe1tGjRqZ8h9e3nXhaFsiV6BL8uZ0wHlweUBSNrlAKZqD5SPWTWIUWIrWOvXoEvRe0kjOn2w9xraPozVcchZAPf9wlGldzHkJOlDBrjFrnPJ6QkoWAqsK/YvbpGq+P9zZTMxMjnuwSdr0X0EdzLzXuF04VUki8Dx13VeYyB9+vPh5OzW+MLYG0oX2z9AjtQfu1sHxFaoFXZTWY3aLXqcfKwRWfc0jMHfG3bF78ZhJUE+0dZ1mPKNLXKA8CYLlvbFJwklG7ytHjj1Je637BoBRvpA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=rkf-eng.com; dmarc=pass action=none header.from=rkf-eng.com; dkim=pass header.d=rkf-eng.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rkf-eng.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2Lsh6hZ1PgrzZrld307a9VKOQY/VAv+W/ah+iqXxRR0=; b=P+EvsESWzJ5nCuZUzblQXT8opMhYoU7HU5ERudeZmwuxadZdB4HPqoRh2nJ2ENNERDbYWHD/S/eKHo5jPWfUG15s35lzy1BnLdHpOVJo+jFp84KRX1288SVOVG4SgJGdB5o6kNOZvL8DMOSluQWJM/hYDbZW0wpwhohfVuYHnjE=
Received: from MN2PR13MB3567.namprd13.prod.outlook.com (2603:10b6:208:168::10) by MN2PR13MB3887.namprd13.prod.outlook.com (2603:10b6:208:1e7::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4087.15; Thu, 22 Apr 2021 13:33:10 +0000
Received: from MN2PR13MB3567.namprd13.prod.outlook.com ([fe80::5db2:2ebc:2020:496f]) by MN2PR13MB3567.namprd13.prod.outlook.com ([fe80::5db2:2ebc:2020:496f%5]) with mapi id 15.20.4065.023; Thu, 22 Apr 2021 13:33:10 +0000
From: Brian Sipos <BSipos@rkf-eng.com>
To: "dtn@ietf.org" <dtn@ietf.org>, "scott.c.burleigh@jpl.nasa.gov" <scott.c.burleigh@jpl.nasa.gov>
Thread-Topic: [Acme] WGLC for ACME DTN Node ID
Thread-Index: AQHXLT5BfSNCozHHr0WDM1PTxsWmz6q+A8EwgAKZ0gA=
Date: Thu, 22 Apr 2021 13:33:10 +0000
Message-ID: <5e46c6ac9c7bf5910042486fc50679ef1b779cb6.camel@rkf-eng.com>
References: <MN2PR13MB356786C244606E57E23EC3039F739@MN2PR13MB3567.namprd13.prod.outlook.com> <682c1567cf38421b9ed25653a5ab417c@jpl.nasa.gov>
In-Reply-To: <682c1567cf38421b9ed25653a5ab417c@jpl.nasa.gov>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Evolution 3.40.0 (3.40.0-1.module_f34+11756+2e59385f)
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=rkf-eng.com;
x-originating-ip: [96.241.16.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c80f4f3c-f30c-4ae0-11a1-08d905932bd1
x-ms-traffictypediagnostic: MN2PR13MB3887:
x-microsoft-antispam-prvs: <MN2PR13MB3887E66BA32329F7C95E1B689F469@MN2PR13MB3887.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ALrLzAXNu8jBuMSQQwuBbNEmR2nm9iIqsTW1pwuGs/z4xElYtJgabTDgRTqXmZVRrp3hdvYxFealh4rkDs0HANdp2/UbM9Bxte3oqG0nIVDGGbs325Wi4JOqnPSfC23OUvN6GaeRXkCbZKZ4BuKbg4Ay60mt9FFNhJXq1Lb6r4Tb9sYnG6Bvp/Nbo+Tcm7uXLHxuDLA0dvnXPeYvCF16QTkwhVq1tiktpIUOo/hS1Ppj84d0qQ3ZFbybShfSgUyU22Scam+6hoJ9B+wBrsXimB2YgRG3T7xqn59Jl/8/9wyZ55I6NgggLShunE9fiKDVSLPvG0vfh+F04pumN2waD5+X1VmuTI+JR4qlCzJddbgEijvkB9aKTyiKA8d5kDSXVRBGESRvTtmcZ646jAmFg/ASyOeEdi6qhHOONWuCPj3z4+NHXIz+q9MOmvIhx8InnuuqS/sKP95Vh+NTJDiTUKaCX5aeW4WEKEE9mxWxS1oRdpBwmZolHssXSrWEGYPdCtDKEc4yu3Xpy+7zOO9jLR6jm+5n6sRb1C9TDjV9dH5Xio5WWq7iubcKd8jq5Iyg7LAvKp2dHZIVqoe36qwsPhPxyP5Eqsvn38PQyaJuqLKLiLISpcI1kMx7JNB+cALwZ2avU/RkT8JVX73+l5y2gwPKUTC9O662wSFDegoGRMI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR13MB3567.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39830400003)(396003)(136003)(346002)(366004)(376002)(6512007)(83380400001)(36756003)(6506007)(53546011)(66574015)(2906002)(66446008)(8676002)(66476007)(64756008)(8936002)(76116006)(66946007)(38100700002)(122000001)(66556008)(186003)(26005)(5660300002)(86362001)(966005)(316002)(71200400001)(478600001)(110136005)(2616005)(6486002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: QIo/6fRZ54MFS0FKAmJFTFdqGyVmMQ6ymRzoDbe6mtGBLbo5tgKmmpXxVp/EaB+Czw4aykYpWHjT3L2QdznFD6YYhOdRWNjanTxxX7MnwyBcezOeY9iBGaZ6jtR3rqJuphesm9bbvdrK7wmEBOYXCOC29OV/6M2jgOwyKvzz3FBi2Rfya6M3u0ZevUI5+8RjAKsd8PX28kUpwx6/VzTdSypvK8kyD7hJWUXGkWnN8iGdfiYbpfQ70JyXqcYExK7pAaBIr2TlQxQCdsWdNgPj2RMh8XsYlba6sdR+58WfcKjKwJ64X7/0nuPMd1BMxLGRW6wINroRN8Vt6pY51Cs+PzHHQfVrcIYDustaxvZeItzhWVFpf4msTyR5UYur/mBxhPD20RYNEqiukZt6ZOoHZXx90DbnBjf6BPjaa9LMfcNXrPcYvZQYYRq0wXtqnpr9paUWESClRb5irkyXhmJsZetaFRgByma1jCLsHA/RkTLChncQewz3tlEP52J7RWgs4V/sirPqccRihz0mXaVzm8DennWmIB5rCn8+JdLJiOIV1AeyjRYCle2rZKDE/cm2M7J9EB4fhYXg0rFdEifQx1Do9ORSxUbYsAv+wOvnu+DsUCw6rY4VR7Zy64/QoQsHOrcnoZlXt7zdWbvFwqBBdj1CRmP5TOtNNSbMBr4/kE6MVckZ52Giin9dUwQjR8uW7Cj4HK21T7VdlC0dljf2dVBIvrBcTe3GGd05YQe/PKJInyo7kGAmJ76DpyarW4ILVbhcWiJSaHeBPMbo2allVAI/h3oKOXD8/6lWUnEjPL6ENN90INaKLirpvbB6MhhXQxqDbVvRsLkFoNw3xNxJQZttDsZsQqltiFh+b3Luqx1LwRmxB+gtKMSbd/EfFmqHCsFgbi0FwWrPmcLGMHvCSe6/dJQOqGJwU2IvyXA5wLvMaM1Dx6vg8bnvoJGZGEo44FpoMZ7KTKBR9jDa8h1wWQC+mJeJhrTH96exVkKq61I4Xn++H3HAVE3AcGEau/rnGhi33ZvmpzPLhtwc0w+RYgtX+kwhyuzW4VdpdLmeI5QCNQK9AL3dddlIAVUUCbJH+vSfDxCz+tLwc8c1ZbzxvUG9sYgELYXBugj9Gx4BAV4VwB+6ETAlAkqKc9wvqIn6j8Fglq2uMnxOt0+Y5oGm7D/DGyO719VE9aXk30mR9ONZILYaYqatMCNGDiaX7LFJzrT9KXq/JYbj7nFZwIUiTN29aDIl1ap6/RZd5qch4ecSVl0EDTmWBFpimEtes4g3yx4ivhLsf8mWpmrASpOu2x/8iYwuu8L6lkYrt0hgLmE1aus6N9CBLYn2DkacurTR
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <988B4328A688374A8812C1E43F8AFCB9@namprd13.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: rkf-eng.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR13MB3567.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c80f4f3c-f30c-4ae0-11a1-08d905932bd1
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Apr 2021 13:33:10.1719 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4ed8b15b-911f-42bc-8524-d89148858535
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: U7cvUrOI3WBho+iXf5EYXCd1dx9WSv5i5L9dQrPARxumTNhRyyXWXAVYvQoJEueZMSux8O9fH5YzJJPAUdSGNw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR13MB3887
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/5xB5obJp5EQd7x8a8_i8USrwbqY>
Subject: Re: [dtn] [Acme] WGLC for ACME DTN Node ID
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2021 13:33:19 -0000
Scott, Thanks for this feedback. On Tue, 2021-04-20 at 22:34 +0000, Burleigh, Scott C (US 312B) wrote: > Thanks, Brian. For what they’re worth, a couple of comments on this draft: > > I agree that the BP Node ID is a reasonable claim to validate via ACME, at > least over the Internet. In the most general case I am skeptical about using > the ACME workflow on a delay-tolerant network, as client/server conversations > may be incompatible with the potentially lengthy round trips of DTN > communications. One possible solution, given reliable contact plans, might be > the use of bundle delivery time estimation methods to compute RTTs per section > 3.2 . > The good news about ACME generally is that it is not timing sensitive and doesn't make assumptions about the promptness of challenge results. Each challenge type can have time-based and timeout behavior, but the order/authorization/challenge workflow doesn't have any constraint on how long any step can take and it's all event driven (the ACME client controls most of the workflow). The current draft-ietf-acme-dtnnodeid-02 document does allow a client to hint to the ACME server how long of an RTT to expect, so this protocol should not break even for significantly long RTTs. But I also agree that this is more of an internet-side protocol and more focused on cross-domain authentication than intra-domain. Presumably if you had control of all nodes (with their naming) *and* the CA you would just issue certificates directly. > A minor point: the last paragraph of 1.1 observes that the Node ID is used > both for routing bundles among nodes and also for multiplexing services within > a single node. This is true of BP endpoint IDs, but not of Node IDs – aside > from the dispatching of administrative records as noted later in that > paragraph. > Yes, I will correct this. There was some churn in this section but now the document deals only with Node IDs and never EIDs generally. > The value of Lifetime in the Validation Response Bundle would appear to be > sensitive to misalignment between the system clocks of the server and client > nodes. A note to this effect might be helpful. > You are correct that the bundle lifetime logic does assume clock synchronization; I will add a comment about this and about how the ACME client's node takes into account a Bundle Age extension. For a request-response type of protocol like this, does it make sense to use the bundle lifetime logic that is here now? The total required time encoded as the request bundle's lifetime and then the response bundle encoding the remaining time. > Scott > > From: dtn <dtn-bounces@ietf.org> On Behalf Of Brian Sipos > Sent: Friday, April 9, 2021 2:30 PM > To: dtn@ietf.org > Subject: [EXTERNAL] [dtn] FW: [Acme] WGLC for ACME DTN Node ID > > All, > The ACME WG has begun last call on the draft DTN Node ID validation document > [1], which proposes to add a BPv7 Administrative Record type to be able to > validate ownership of a Node ID within a DTN. The ACME WG is reviewing this > document from the ACME perspective, but it would be good to also review from > DTN perspective. > > The validation workflow is nearly identical to that email validation [2], > which also relies on email routing and security (which itself relies on email- > domain and DNS security) to provide assurance that the email is routed to a > proper destination. I don't know, at this point, if there is any similar > mechanism to DKIM [3] but making a stronger requirement about BPSec signing of > the challenge and response bundle may be helpful; requiring a BIB sourced by > either the ACME server or a trusted router. > > [1] https://mailarchive.ietf.org/arch/msg/acme/ncn3LR_i8mPcAKx3qt33FgYuoK4/ > [2] https://tools.ietf.org/html/draft-ietf-acme-email-smime-13 > [3] https://www.rfc-editor.org/rfc/rfc6376.html >
- [dtn] FW: [Acme] WGLC for ACME DTN Node ID Brian Sipos
- Re: [dtn] [Acme] WGLC for ACME DTN Node ID Brian Sipos
- Re: [dtn] [Acme] WGLC for ACME DTN Node ID Burleigh, Scott C (US 312B)
- Re: [dtn] [Acme] WGLC for ACME DTN Node ID Brian Sipos
- Re: [dtn] [Acme] WGLC for ACME DTN Node ID Burleigh, Scott C (US 312B)
- Re: [dtn] [Acme] WGLC for ACME DTN Node ID Brian Sipos
- Re: [dtn] [Acme] WGLC for ACME DTN Node ID Brian Sipos
- Re: [dtn] [Acme] WGLC for ACME DTN Node ID Burleigh, Scott C (US 312B)
- Re: [dtn] [Acme] WGLC for ACME DTN Node ID Brian Sipos
- Re: [dtn] [Acme] WGLC for ACME DTN Node ID Burleigh, Scott C (US 312B)