IETF Logo Mail Archive

Re: [dtn] BPSec interop contexts

Brian Sipos <BSipos@rkf-eng.com> Wed, 09 December 2020 23:07 UTC

Return-Path: <BSipos@rkf-eng.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E8573A17EB for <dtn@ietfa.amsl.com>; Wed, 9 Dec 2020 15:07:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rkf-eng.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MW5aufA5JrSF for <dtn@ietfa.amsl.com>; Wed, 9 Dec 2020 15:07:57 -0800 (PST)
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2044.outbound.protection.outlook.com [40.107.244.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D122D3A17E8 for <dtn@ietf.org>; Wed, 9 Dec 2020 15:07:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fDscZ9OKtIH7sGdK3C1sHwIj6vFoRpG86FD7sMwlxYhwE0EZ9cyFyicU3gT/layjqqCffCuYzUDbsWharkxcPPQyDV5VnGIaEGISfB3NK7hQGoGACd5I2/DTP0TknBb+ZkTPLse2lyyqGfamC3ZlQ90TB15obRMxsHZDLntTDj8fX38Ttsa1PKJtzv1jVIEtAeWfreva62RJ5GB0K4kPZXvANmXIWUysT2ZcFxcPzQUngOCHkDhaT2KfkpSRXa32CPjDr9/10unIcnY0b+v3QHjxSo0AqYyLoG5N9wspp71aM5vfX0Zp9RphcbFWyvjrNjtOf5e5/4SWgEATkOj6hw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ptgWlyaaWb/f2hdJsZX/dM4i/AUezLgVFgndUDGDGI4=; b=C4n/1KpPoOzAo+IZDRVtdjv5/38R7dxSLUnPhS5qpXKrstXh04BZD3UOQtrchTm11ESvkJAHU4o2K8RDqZibBefLLjEJfJ8BKcSOk0FModxWUZLaetEHyPA/bzXzjOu0c156CTNOrMr2S9k/HrnRwbl7cm/C/CnCXKdrCqmCFWUZayIanTPsKvmCV+BOPHwuZ1jOZSI3OfdBpwzySB0k+fCONuRMcTq6VIkNSo7l0dNv4GBRlHO3FYfCeVs2yoS88+7ADiTjp0DykVsnAEvaAxpfVZ5QkqMuIlJnj6rsoo3e552PRJTcAxXXsA5YeGrnhzDB8//lGDXEYog+wQeqCw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=rkf-eng.com; dmarc=pass action=none header.from=rkf-eng.com; dkim=pass header.d=rkf-eng.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rkf-eng.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ptgWlyaaWb/f2hdJsZX/dM4i/AUezLgVFgndUDGDGI4=; b=XR9MQKLOdMXYL/i8SWH7274ndY4rc3dLJohGmjiIHUTlHp5Z6X8UFxk27nkrw9uIYTucGerORUZSlwFHkChv251iEKJfBVkvzCeN/qn57D3rjb2ZLwaZPQ6HCvk/hdbEzY647EMkSGrwkqz0IlWGKTdMVycW+TDrqcJysA2qtUk=
Received: from MN2PR13MB3567.namprd13.prod.outlook.com (2603:10b6:208:168::10) by MN2PR13MB2909.namprd13.prod.outlook.com (2603:10b6:208:fa::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.9; Wed, 9 Dec 2020 23:07:53 +0000
Received: from MN2PR13MB3567.namprd13.prod.outlook.com ([fe80::54f4:962e:10e5:a2e1]) by MN2PR13MB3567.namprd13.prod.outlook.com ([fe80::54f4:962e:10e5:a2e1%7]) with mapi id 15.20.3654.010; Wed, 9 Dec 2020 23:07:53 +0000
From: Brian Sipos <BSipos@rkf-eng.com>
To: "Birrane, Edward J." <edward.birrane@jhuapl.edu>
CC: "dtn@ietf.org" <dtn@ietf.org>
Thread-Topic: BPSec interop contexts
Thread-Index: AQHWwnSVY9PKJ+JqQkiQsbGN9rMAPqnibVFQgAy/7lU=
Date: Wed, 09 Dec 2020 23:07:53 +0000
Message-ID: <MN2PR13MB3567820CB25639BB3A3D9D349FCC0@MN2PR13MB3567.namprd13.prod.outlook.com>
References: <MN2PR13MB3567A858102480D24C1B90419FFB0@MN2PR13MB3567.namprd13.prod.outlook.com>, <1afb3f67ecce43779b72eb7439b2c564@aplex01.dom1.jhuapl.edu>
In-Reply-To: <1afb3f67ecce43779b72eb7439b2c564@aplex01.dom1.jhuapl.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: jhuapl.edu; dkim=none (message not signed) header.d=none;jhuapl.edu; dmarc=none action=none header.from=rkf-eng.com;
x-originating-ip: [96.241.16.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8893ea5f-9d39-4879-f61b-08d89c97423e
x-ms-traffictypediagnostic: MN2PR13MB2909:
x-microsoft-antispam-prvs: <MN2PR13MB29094800BC4E60C2B2AB92A09FCC0@MN2PR13MB2909.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: MWFHP7J3ZqXZ/R+4p2GWXEtTmyTK02vcNprrDvb0ccCvA6QgNvxIClqOGBmmPYqaSRLtRe9ZAqvQaTXnUyC/GkABaTmoXWOUa25XYIXunF5PgAvcTim4Dt++Xm2qJe7bx17dtbhV7+106WRS957dM8IMwSB4QYVf4RFO3sSntBZqhhtv2sbrKkdoLLyUHzsa7eHVAQO7HDKflLdNlxwF8/g0cL99RTHeSwweEiGxgB7+IC1dD4qhMXC8N4QVbYr62OnjPptu9qjVgZw3amqZoK3KZLA7I9r1+lNAmgrdIRbjcvHa3k8qkvYWiUHZnwTKjbq2a0ARPaZ5SYekIfVqVB8Csgy7ghuCFdviEUb4BFasJ3z2VWkfAlbLCed/WFtEw45daVypm0MsWJMu6lbpkQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR13MB3567.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(366004)(376002)(346002)(71200400001)(26005)(33656002)(508600001)(76116006)(66476007)(66556008)(64756008)(166002)(86362001)(66946007)(66446008)(52536014)(55016002)(8936002)(9686003)(7696005)(2906002)(4326008)(7116003)(3480700007)(5660300002)(19627405001)(8676002)(53546011)(6506007)(83380400001)(966005)(186003)(6916009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Ie04TRmju8A//e1jdPUh72FHCrkYTnvOC0jG8zoodL/KrW5wf2RRGHN/OWkIBXKVg6yPPMIgjhyQqHePve/hhDj1N+4dpzyyRg6VPZs8ajrTKjTEC5YFegmon7904QEIHggkhODAHgkLRbwqcPllf9JhBfuxGRX6C+w/IcmfX0RFWVGA9IoTA5tQD0MrVlWjIdi77rDtQvuRq5JmmIrS//EpXNz4cyeoLYDXAVndN6464SRzXV+hWfygEBQh999mSX5wh1hlpdXhnfX9fBJh3k9uhrCTal6nXUTPV3n2ephPrh3FBbSOyCtBZb4BEBOGFpe7hu5tlDJ+2fOTLeqRCOBVU2kEkYq3NSzWu9RSBqlvORAh6bRpSimQjM9fMeYz84WBdPCTgONa60sHGb8FDBxRgDKvMzYH/xDxa6uRrex1w0xBHSKv8Ljwapr0r1Dp57n9npt1QKZlLjZmsS/xEPrTaU9JW3XwZXBK0thHL5pERgnGuOBpjX9RPRjvk9Bg2BGZZhCEpADicSSI/f7ZrouL5lzFALDBT40+dBhK4yYRLaIBbjYKaSk44xQLwHEqqPl8I4TBaJ6wu7/TKH8E5bU1BxKjT7wvlWYYH6kB8rNz86hgINkJ0+4ZkdaEbbD0XZUgMxoT3r0oD6u25s5VIwcgH9FDhZ0RgvYn5/kudsiff5dkL1xbfeaZ/j1DPC1XwswlLHCXIyqK9ks9Fq9087Y+NCKMA5EksduAga4wIUXBm4b1A2oC9Vj6gA5vePxZfVDE8rLun7Mm/K9k7tyukTQNdDThajTwBEGS3uwXdvaGpmq4XENoV7IkmlR2PcfeL3s8a3k8sQKELxuB1oORBPDnmYVVNIyf3GtD0b07aFMnmz3/hQY1pc7BTpokLcNJPt8KiMRuDLZ9pqU1uFe87kK94GX3rDiYgbfLhKzCzBCVZ9/z6uQqDfkdznwz2fkQUqpb0ZiwkCfq27We8t/lysIwiaEYo5oYnCU6XVlfEz0=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR13MB3567820CB25639BB3A3D9D349FCC0MN2PR13MB3567namp_"
MIME-Version: 1.0
X-OriginatorOrg: rkf-eng.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR13MB3567.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8893ea5f-9d39-4879-f61b-08d89c97423e
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Dec 2020 23:07:53.7432 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4ed8b15b-911f-42bc-8524-d89148858535
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Q9P1HLrPYUJxYZjKSqIz0hUQIYbF4XyKuV9ryy6aWAjSKzN8idd3d4TCHF3YUBvXKhtZw3NIde4flYCNeaaGYQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR13MB2909
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/21Sa_oiiY9hT0hOhXaFBBgKglS8>
Subject: Re: [dtn] BPSec interop contexts
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2020 23:07:59 -0000

Ed,
Thanks for the extra info.

Focusing on the security scope (i.e. the AAD for BIB and BCB) the current draft makes the default scope parameter value zero, meaning no context is included in AAD. It seems like better policy to make the default scope 7 (all bits set) and allow the inclusion of an explicit parameter if the scope is desired to be reduced. Does this seem sensible?

Also related to scope, is there actually any benefit to include the security block context (as written, just the first three block fields) as AAD?
COSE makes a similar, but more fine-grained, distinction between "protected" and "unprotected" headers and the consensus of the COSE WG was to include the algorithm identifier in the protected header, which for BPSec is analogous to the Context ID. Is there a reason to include canonical block fields but not the Context ID?

________________________________
From: Birrane, Edward J. <Edward.Birrane@jhuapl.edu>
Sent: Tuesday, December 1, 2020 11:05
To: Brian Sipos <BSipos@rkf-eng.com>
Cc: dtn@ietf.org <dtn@ietf.org>
Subject: RE: BPSec interop contexts


Brian,



  Great questions! Answers inline below prefaced with [EJB].



Edward J. Birrane, III, Ph.D.
Embedded Applications Group Supervisor
Principal Staff, Space Exploration Sector
Johns Hopkins Applied Physics Laboratory
(W) 443-778-7423<tel:(443)%20778-7423> / (F) 443-228-3839<tel:(443)%20228-3839>



  1.  For the document subsection breakdown, there is some differences between [1] and the outline in [2]. Which one of these would you consider as the best current template for other contexts regarding terminology (e.g., "scope" vs. "interface")?

[EJB] The scot [2] is in its very early stages. The best current template is the default security context [1].   We will be updating the scot as we get more experience writing security context documents, so I wouldn’t consider it to be very informative just yet.

  1.  For the interop contexts of [1] I think having AAD for both BIB and BCB are valuable to avoid replay issues. There are now security parameters to control what goes into the AAD with several options. There isn't currently any recommendation on the use of scope flags or any "Security Considerations" subsections discussing the implications of these flags. Do you anticipate that users will want to exclude AAD scope in actual use cases (and accept the replay-attack risk)?

[EJB] I think having a security considerations section in a security context document that describes when/how to use different context parameters is valuable.

[EJB] We could envision scenarios where a user would exclude AAD. Consider a case where a network adds a block to a bundle carrying idempotent network statistics. In this case, the bundle is carrying a block of information about the network, not about the bundle itself. If that block is received multiple times in multiple bundles it won’t result in an error and there is no need to cryptographically bind that block to a particular bundle.

  1.  During example implementation for [3], I defined an "augmented target block" for BCB use which is just the target block with its block-type-specific-data as an empty byte string. In this way the structure of the canonical block is preserved, it's serializable as normal, and avoids having a special canonicalization of the block. But this also includes extraneous fields like the original CRC value (if present). The target block AAD used by [1] defines a different encoding of just the first three fields of the canonical block, which seems like a better alternative. Can we find a consistent name for these "first three fields of a canonical block"?

[EJB] I can’t think of one.  I was going to suggest “block header” but that would also include the CRC field.

Thanks for any feedback.



[1] https://tools.ietf.org/html/draft-ietf-dtn-bpsec-interop-sc-02<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-dtn-bpsec-interop-sc-02&data=04%7C01%7CBSipos%40rkf-eng.com%7Cb0360c1882d045bf835c08d89612de41%7C4ed8b15b911f42bc8524d89148858535%7C1%7C0%7C637424355073385730%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=3lB%2BRSbXBOBfi9EsJ4FZ355pmC%2FiAC0L8NGzQd%2BrHkw%3D&reserved=0>

[2] https://tools.ietf.org/html/draft-birrane-dtn-scot-00<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-birrane-dtn-scot-00&data=04%7C01%7CBSipos%40rkf-eng.com%7Cb0360c1882d045bf835c08d89612de41%7C4ed8b15b911f42bc8524d89148858535%7C1%7C0%7C637424355073385730%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Gt6O6JmilHjDgnd%2Bt3a7nBTNWmytRrYcgc2GkUGHCQs%3D&reserved=0>

[3] https://tools.ietf.org/html/draft-bsipos-dtn-bpsec-cose-03<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-bsipos-dtn-bpsec-cose-03&data=04%7C01%7CBSipos%40rkf-eng.com%7Cb0360c1882d045bf835c08d89612de41%7C4ed8b15b911f42bc8524d89148858535%7C1%7C0%7C637424355073395736%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=IWQpn0u1kaByCDNFZmbbJ7PYfktPU6dAsc%2B%2FHBfmxl8%3D&reserved=0>

v2.23.0 | Report a Bug | By Email