Re: [dtn] BPbis - BPSec requirement
Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 02 September 2020 08:05 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/8f833S-ivgZDOWs32tlQmBeOpoI>
Hi,

So looking at RFC 3365 which is the BCP that says strong security is required to provide a solution for Internet.

https://datatracker.ietf.org/doc/rfc3365/

I will note that Section 7 is very clear that this is a MUST Implement and not MUST use. So from my perspective to capture the desires you have written and meet the requirements of the BCP then you should have text in BPbis that says that BPSec MUST be implemented. Then it is up to the BP node to not use it if it knows that it will not need to for this bundle to the target node.

What is currently in BPBis is:

   9. Security Considerations

   The bundle protocol security architecture and the available security
   services are specified in an accompanying document, the Bundle
   Security Protocol (BPsec) specification [BPSEC]. Whenever Bundle
   Protocol security services (as opposed to the security services
   provided by overlying application protocols or underlying
   convergence-layer protocols) are required, those services SHALL be
   provided by BPsec rather than by some other mechanism with the same
   or similar scope.

Personally I think that is too weak to meet the requirements of RFC3365. Even if it is challenging to deploy the key-management aspects of the security solution I (personal opinion) don't quite see how any environment where BP is intended to be used can be considered a trusted environment where BPSec would not be needed at least to provide integrity protection.

So people really have issues with an implementation requirement on BPSec?

Cheers

Magnus

On Mon, 2020-08-03 at 15:14 -0400, Wiethuechter, Adam wrote:
> I also agree with Brian.
>
> On Tue, Jul 28, 2020 at 6:16 PM <ronnybull@gmail.com> wrote:
> > I agree 100% with Brian. BPSec should be the "standard" for
> > bundle-level encryption.
> >
> > Ronny
> >
> > On Tue, 2020-07-28 at 11:52 +0000, Brian Sipos wrote:
> > > All,
> > > My opinion is that BPSec should be required in the sense of: When
> > > bundle-level security is needed, you must use BPSec instead of some
> > > other mechanism with the same or similar scope.
> > > This is the same type of qualified requirement used for TLS in
> > > TCPCLv4.
> > > This requirement steers implementations away from private
> > > encodings/behaviors, which is desirable as Rick mentioned in the
> > > Monday meeting.
> > >
> > > From: dtn <dtn-bounces@ietf.org> on behalf of Rick Taylor <
> > > rick@tropicalstormsoftware.com>
> > > Sent: Monday, July 27, 2020 09:05
> > > To: dtn@ietf.org <dtn@ietf.org>
> > > Subject: [dtn] BPbis - BPSec requirement
> > >
> > > All,
> > >
> > > At IETF-108 there was discussion on whether BPbis should require
> > > BPSec, and the chairs are interested in discovering the WG consensus
> > > on this matter.
> > >
> > > Please use this thread for your comments.
> > >
> > > Cheers,
> > >
> > > Rick & Marc
> > > _______________________________________________
> > > dtn mailing list
> > > dtn@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dtn

--
Cheers

Magnus Westerlund

----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------