Re: [dtn] [EXT] I-D Action: draft-ietf-dtn-bpsec-cose-01.txt

"Sipos, Brian J." <Brian.Sipos@jhuapl.edu> Thu, 01 June 2023 18:01 UTC

From: "Sipos, Brian J." <Brian.Sipos@jhuapl.edu>
To: "dtn@ietf.org" <dtn@ietf.org>
Date: Thu, 01 Jun 2023 18:01:17 +0000
Message-ID: <4d353e4ec9b14448b9b97b6ddebdccdd@jhuapl.edu>
References: <168563894393.29306.11912319807626337411@ietfa.amsl.com>
In-Reply-To: <168563894393.29306.11912319807626337411@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/92jkszfFuE9XEe7kBKxIyMt2iDk>
Subject: Re: [dtn] [EXT] I-D Action: draft-ietf-dtn-bpsec-cose-01.txt

All,
This last change to the BPSec COSE Context document addresses the only two 
open issues in the GitLab project. The substantive change is to modify the AAD 
parameter and definition to allow a single BPSec block to include any other 
combination of blocks in the bundle as AAD. In this way a single MAC or 
signature can verify the presence and/or contents of any number of blocks. 
This allows disparate use cases, ranging from signing just the primary 
block (e.g. to authenticate the bundle itself) to encrypting or signing the 
payload block while ensuring that a set of companion blocks (e.g. data labels, 
flow labels) are present and unchanged.

One side effect that this kind of behavior brings to light is that these 
kinds of restrictions are not visible to middleboxes (e.g. routers or 
gateways) without deep inspection of security blocks. Does it sound helpful to 
use block flags [1] to signal to handlers of the bundle that either:
 * The block cannot be modified (because it is covered by some security 
operation)
 * The block-type-specific data cannot be decoded (because it was encrypted, 
or potentially compressed/modified by some future block)

This would not affect this COSE Context document; it would be a separate thing 
to discuss. I think there is value in informing middleboxes of this kind of 
information without requiring them to deeply inspect the bundle (decode any 
block-type-specific data), especially because some sources of this information 
require a specific order of block processing to obtain and also require the 
ability to handle not-yet-defined security contexts (or other future block 
types that impose these constraints).

Thoughts and feedback are welcome,
Brian S.

[1] 
https://www.iana.org/assignments/bundle/bundle.xhtml#block-processing-control

> -----Original Message-----
> From: dtn <dtn-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
> Sent: Thursday, June 1, 2023 1:02 PM
> To: i-d-announce@ietf.org
> Cc: dtn@ietf.org
> Subject: [EXT] [dtn] I-D Action: draft-ietf-dtn-bpsec-cose-01.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This Internet-Draft is a work item of the Delay/Disruption Tolerant
> Networking (DTN) WG of the IETF.
>
>    Title           : DTN Bundle Protocol Security (BPSec) COSE Context
>    Author          : Brian Sipos
>    Filename        : draft-ietf-dtn-bpsec-cose-01.txt
>    Pages           : 45
>    Date            : 2023-06-01
>
> Abstract:
>    This document defines a security context suitable for using CBOR
>    Object Signing and Encryption (COSE) algorithms within Bundle
>    Protocol Security (BPSec) integrity and confidentiality blocks.  A
>    profile for COSE, focused on asymmetric-keyed algorithms, and for
>    PKIX certificates are also defined for BPSec interoperation.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dtn-bpsec-cose/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-dtn-bpsec-cose-01.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dtn-bpsec-cose-01
>
> Internet-Drafts are also available by rsync at 
> rsync.ietf.org::internet-drafts
>