Re: [dtn] BPbis - BPSec requirement

Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 02 September 2020 08:05 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "dtn@ietf.org" <dtn@ietf.org>, "adam.wiethuechter@axenterprize.com" <adam.wiethuechter@axenterprize.com>
Date: Wed, 02 Sep 2020 08:04:59 +0000
Message-ID: <d2f00c75308ca979fbcc3a61309f47e8a49d800a.camel@ericsson.com>
References: <38A5475DE83986499AEACD2CFAFC3F9801F585E9E8@tss-server1.home.tropicalstormsoftware.com> <MN2PR13MB3567A3CF5746A6B6B88392229F720@MN2PR13MB3567.namprd13.prod.outlook.com> <4911668186a1b454e02cad36f061bd8882c65ccb.camel@gmail.com> <CA+r8TqVGDBkQJtnNptQc_MXh49SY6i=5o7+b6wZqP0+haHh1eA@mail.gmail.com>
In-Reply-To: <CA+r8TqVGDBkQJtnNptQc_MXh49SY6i=5o7+b6wZqP0+haHh1eA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/8f833S-ivgZDOWs32tlQmBeOpoI>
Subject: Re: [dtn] BPbis - BPSec requirement
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>

Hi,

So, looking at RFC 3365, which is the BCP that says strong security is required to
provide a solution for the Internet: https://datatracker.ietf.org/doc/rfc3365/

I will note that Section 7 is very clear that this is a MUST Implement and not
MUST use. 

So from my perspective, to capture the desires you have written and meet the
requirements of the BCP, you should have text in BPbis that says that BPSec
MUST be implemented. Then it is up to the BP node to not use it if it knows that
it will not be needed for this bundle to the target node.

What is currently in BPBis is:

9. Security Considerations

   The bundle protocol security architecture and the available security
   services are specified in an accompanying document, the Bundle
   Security Protocol (BPsec) specification [BPSEC].  Whenever Bundle
   Protocol security services (as opposed to the security services
   provided by overlying application protocols or underlying
   convergence-layer protocols) are required, those services SHALL be
   provided by BPsec rather than by some other mechanism with the same
   or similar scope.

Personally I think that is too weak to meet the requirements of RFC 3365. Even
if it is challenging to deploy the key-management aspects of the security
solution, I (personal opinion) don't quite see how any environment where BP is
intended to be used can be considered a trusted environment where BPSec would not
be needed, at least to provide integrity protection.

So, do people really have issues with an implementation requirement on BPSec?

Cheers

Magnus




On Mon, 2020-08-03 at 15:14 -0400, Wiethuechter, Adam wrote:
> I also agree with Brian.
> 
> On Tue, Jul 28, 2020 at 6:16 PM <ronnybull@gmail.com> wrote:
> > I agree 100% with Brian.  BPSec should be the "standard" for bundle-
> > level encryption. 
> > 
> > Ronny
> > 
> > On Tue, 2020-07-28 at 11:52 +0000, Brian Sipos wrote:
> > > All,
> > > My opinion is that BPSec should be required in the sense of: When
> > > bundle-level security is needed, you must use BPSec instead of some
> > > other mechanism with the same or similar scope.
> > > This is the same type of qualified requirement used for TLS in
> > > TCPCLv4.
> > > This requirement steers implementations away from private
> > > encodings/behaviors, which is desirable as Rick mentioned in the
> > > Monday meeting.
> > > 
> > > From: dtn <dtn-bounces@ietf.org> on behalf of Rick Taylor <
> > > rick@tropicalstormsoftware.com>
> > > Sent: Monday, July 27, 2020 09:05
> > > To: dtn@ietf.org <dtn@ietf.org>
> > > Subject: [dtn] BPbis - BPSec requirement
> > >  
> > > All,
> > >  
> > > At IETF-108 there was discussion on whether BPbis should require
> > > BPSec, and the chairs are interested in discovering the WG consensus
> > > on this matter.
> > >  
> > > Please use this thread for your comments.
> > >  
> > > Cheers,
> > >  
> > > Rick & Marc
> > > _______________________________________________
> > > dtn mailing list
> > > dtn@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dtn
> > 
> 
-- 
Cheers

Magnus Westerlund 


----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
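The distinction the message above draws between "MUST implement" and "MUST use" can be made concrete with a small model: every node carries the integrity mechanism, a sender-side policy decides per destination whether to apply it, and the receiver decides whether an unprotected bundle is acceptable. The following is an added illustration, not code from the thread, from BPbis or from any BPSec implementation. The bundle layout, the `SEND_POLICY` table, the `dtn://...example/` endpoint names, the pre-shared key and the use of HMAC-SHA256 as the integrity construction are all assumptions made for the example; they are not the BPSec wire format.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed key shared by the two nodes. Key management is the part the thread
# calls challenging; a pre-shared key is simply assumed here.
SHARED_KEY = b"example-pre-shared-key-do-not-reuse"

# Hypothetical per-destination sender policy: True means "apply integrity
# protection to bundles for this destination", False means the sender treats the
# path as trusted and skips it. The node implements the mechanism either way.
SEND_POLICY = {
    "dtn://relay.example/": True,
    "dtn://lab-bench.example/": False,
}


@dataclass
class Bundle:
    source: str
    dest: str
    payload: bytes
    integrity_tag: Optional[bytes] = None  # simplified stand-in for a BPSec BIB


def to_be_authenticated(bundle: Bundle) -> bytes:
    """Canonical bytes covered by the tag: addressing fields plus payload.
    The length prefix keeps header bytes from being confused with payload bytes."""
    header = json.dumps({"src": bundle.source, "dst": bundle.dest}, sort_keys=True).encode()
    return len(header).to_bytes(4, "big") + header + bundle.payload


def add_integrity(bundle: Bundle, key: bytes) -> Bundle:
    """Attach an HMAC-SHA256 tag (an assumption for this example, not BPSec's encoding)."""
    bundle.integrity_tag = hmac.new(key, to_be_authenticated(bundle), hashlib.sha256).digest()
    return bundle


def verify_integrity(bundle: Bundle, key: bytes) -> Optional[bool]:
    """None when no tag is present; True/False for a present tag."""
    if bundle.integrity_tag is None:
        return None
    expected = hmac.new(key, to_be_authenticated(bundle), hashlib.sha256).digest()
    return hmac.compare_digest(bundle.integrity_tag, expected)


def originate(source: str, dest: str, payload: bytes, key: bytes = SHARED_KEY) -> Bundle:
    """Sender: the mechanism is always available; policy decides whether it is used."""
    bundle = Bundle(source, dest, payload)
    if SEND_POLICY.get(dest, True):  # unknown destinations default to protecting
        add_integrity(bundle, key)
    return bundle


def receive(bundle: Bundle, require_integrity: bool, key: bytes = SHARED_KEY) -> str:
    """Receiver decision: 'accept', 'reject-missing' or 'reject-bad-tag'."""
    result = verify_integrity(bundle, key)
    if result is None:
        return "reject-missing" if require_integrity else "accept"
    return "accept" if result else "reject-bad-tag"


def tamper_in_transit(bundle: Bundle) -> Bundle:
    """Constructed on-path modification: only the payload is changed."""
    bundle.payload = bundle.payload.replace(b"valve=open", b"valve=shut")
    return bundle


def demo() -> dict:
    """Four cases: tampered+protected, unprotected with lenient and strict
    receivers, and an intact protected bundle."""
    protected = originate("dtn://sensor.example/", "dtn://relay.example/", b"cmd: valve=open")
    tampered = tamper_in_transit(protected)
    unprotected = originate("dtn://sensor.example/", "dtn://lab-bench.example/", b"cmd: valve=open")
    intact = originate("dtn://sensor.example/", "dtn://relay.example/", b"cmd: valve=open")
    return {
        "tampered_protected": receive(tampered, require_integrity=True),
        "unprotected_lenient_receiver": receive(unprotected, require_integrity=False),
        "unprotected_strict_receiver": receive(unprotected, require_integrity=True),
        "intact_protected": receive(intact, require_integrity=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the receiver's three-way outcome is that "not used" and "broken" are different conditions: a bundle that arrives without a tag is a policy question, while a bundle whose tag does not verify is rejected unconditionally. Whether the lenient receiver branch should exist at all is exactly the question the message raises.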