IETF Logo Mail Archive

Re: [dtn] BPSec optional Security Source

"Birrane, Edward J." <Edward.Birrane@jhuapl.edu> Mon, 04 January 2021 20:52 UTC

Return-Path: <Edward.Birrane@jhuapl.edu>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8D083A10A3 for <dtn@ietfa.amsl.com>; Mon, 4 Jan 2021 12:52:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhuapl.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y-CK5Pfb7Sp4 for <dtn@ietfa.amsl.com>; Mon, 4 Jan 2021 12:52:58 -0800 (PST)
Received: from aplegw02.jhuapl.edu (aplegw02.jhuapl.edu [128.244.251.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E32C03A109A for <dtn@ietf.org>; Mon, 4 Jan 2021 12:52:57 -0800 (PST)
Received: from pps.filterd (aplegw02.jhuapl.edu [127.0.0.1]) by aplegw02.jhuapl.edu (8.16.0.42/8.16.0.42) with SMTP id 104KiRrj069582; Mon, 4 Jan 2021 15:52:56 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhuapl.edu; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=JHUAPLDec2018; bh=ahbB+EEP4UTw+jULcDfZ1BP5Obi1oSU0M1/4V299KFo=; b=K1KJWkLpa0JHUKS1WFMsEXubym5pww2JZ9gPvPYLpT16r+7cAflJ34Qf9TSYfD+AO6ZG tlR9ppHcEC/MyUenSkD7oaaPBC5BV8TQuGs+OINuxogf7ZgpkPtNs5L0G/3e87hDAjVx HA4j0TqehXLZD1eoJX4x/Tncmd6Eh4S03OHIa1hwXf8d/k/p4A3ekqYmsN5MrgnHefzb AepST+kZYyOhZ0IcsEd/nLf/nEWf6cmpMymBisGwqdo+I73fwsqbF5jxhQ07flu/xAc4 PwdsXhuuC5T3j8/ewqtBY2R3tGhJLA7UVejuAxNlqOTIUJORyRWtQeaDnGf0DoG3RFEb 9A==
Received: from aplex02.dom1.jhuapl.edu (aplex02.dom1.jhuapl.edu [128.244.198.6]) by aplegw02.jhuapl.edu with ESMTP id 35tnx116d7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 04 Jan 2021 15:52:56 -0500
X-CrossPremisesHeadersFilteredBySendConnector: aplex02.dom1.jhuapl.edu
Received: from aplex01.dom1.jhuapl.edu (128.244.198.5) by aplex02.dom1.jhuapl.edu (128.244.198.6) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 4 Jan 2021 15:52:55 -0500
Received: from aplex01.dom1.jhuapl.edu ([fe80::19f5:dcc5:c696:1a50]) by aplex01.dom1.jhuapl.edu ([fe80::19f5:dcc5:c696:1a50%25]) with mapi id 15.00.1497.007; Mon, 4 Jan 2021 15:52:55 -0500
From: "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>
To: Brian Sipos <BSipos@rkf-eng.com>, "dtn@ietf.org" <dtn@ietf.org>
Thread-Topic: BPSec optional Security Source
Thread-Index: AQHW01upLGOFDaKOvUCMR9ZxC4e0MqoYC/kw
Date: Mon, 04 Jan 2021 20:52:55 +0000
Message-ID: <82edb601dc6e4d86bef9c2a80b0dc9fc@aplex01.dom1.jhuapl.edu>
References: <MN2PR13MB356798402CA7086AAEDDC0649FC50@MN2PR13MB3567.namprd13.prod.outlook.com>
In-Reply-To: <MN2PR13MB356798402CA7086AAEDDC0649FC50@MN2PR13MB3567.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [128.244.198.169]
Content-Type: multipart/alternative; boundary="_000_82edb601dc6e4d86bef9c2a80b0dc9fcaplex01dom1jhuapledu_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: aplex02.dom1.jhuapl.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343, 18.0.737 definitions=2021-01-04_12:2021-01-04, 2021-01-04 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/E_FiSRFGVX2i1E-9yhQrQdNPaZw>
Subject: Re: [dtn] BPSec optional Security Source
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jan 2021 20:53:00 -0000

Brian,

  I agree that it is a little inefficient to include a security source EID in a security block when that EID is the exact same as the bundle source.  However, I would prefer to not have BPSec prohibit this duplication.

  BPSec states that if a security source EID is not present, then "the source MUST be inferred from other information, such as the bundle source, previous hop, or other values defined by security policy."

  What if local policy on a BPA requires that, absent an asserted security source EID, the security source EID should be inferred as being the previous hop? In such a case, omitting the security source because it was the same as the bundle source would result in undesired behavior.

  Omitting a security source EID should be done when the security source node "believes the network can infer the security source correctly" which is different than saying "whenever it is the same as the bundle source".  In many cases those two statements have the same practical result, but not in every case.

-Ed

---
Edward J. Birrane, III, Ph.D.
Embedded Applications Group Supervisor
Space Exploration Sector
Johns Hopkins Applied Physics Laboratory
(W) 443-778-7423 / (F) 443-228-3839


From: Brian Sipos <BSipos@rkf-eng.com>
Sent: Wednesday, December 16, 2020 11:55 AM
To: dtn@ietf.org; Birrane, Edward J. <Edward.Birrane@jhuapl.edu>
Subject: [EXT] BPSec optional Security Source

APL external email warning: Verify sender BSipos@rkf-eng.com<mailto:BSipos@rkf-eng.com> before clicking links or attachments



Ed,
My interpretation of the purpose of the ASB Security Source field is to indicate the EID only if it's different than the bundle's source, but there's no actual requirement that I can see in the spec about this. Does it seem like a reasonable statement to say something like "If the security source EID is the same as the bundle source EID, as identified in the primary block, the Security Source field SHALL NOT be included in the ASB." but rephrased as needed?
Thanks,
Brian S.

v2.23.0 | Report a Bug | By Email