IETF Logo Mail Archive

Re: [dtn] Éric Vyncke's No Objection on draft-ietf-dtn-bpsec-18: (with COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 18 February 2020 21:18 UTC

Return-Path: <evyncke@cisco.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B00A61200C7; Tue, 18 Feb 2020 13:18:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=N97IpFfX; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=ixPIDFJs
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 96vX9_VAJZKB; Tue, 18 Feb 2020 13:18:23 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05BB4120819; Tue, 18 Feb 2020 13:18:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7012; q=dns/txt; s=iport; t=1582060703; x=1583270303; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=7TtHdfowhfRzRs/fqNEDIEHOrVd9PKa+k6CUyPNUrQ4=; b=N97IpFfXz0oMSTuhh++C5tiADHKt5uoMnpBVxF6IDuwal3FYLmQn9vIX Jfjn3EySvhnYHOKWcU3iEOBKQBKltXC4/0dL14KW7zavDyp1ia2pd7qu1 zc9Ww4pZ6ltxUA9kSeG7IxHuAIvC0bAgazsnCI85At8Ji8ecyYloFlFb7 I=;
X-IPAS-Result: A0CnBQC0U0xe/5JdJa1jAw4OAQEBAQEHAQERAQQEAQGBe4FUUAVsWCAECyqEFINGA4p6gjolmBGBQoEQA1QJAQEBDAEBIwoCBAEBhEACF4FsJDgTAgMBAQEDAgMBAQEBBQEBAQIBBQRthTcMhWYBAQEBAxIREQwBASUSAQsEAgEIEQQBAQMCJgICAjAVBQMIAgQBDQUigwQBgkoDLgEOokoCgTmIYnWBMoJ/AQEFgUNBgzsYggwDBoEOKowGHhqBQT+BEScMFIJMPoJkAgECAYEsARIBIQcQCgsMAg2CSTKCLI1aEi6CR58tCoI7h0+KWoQwHIJJiBuQQoNLiyKId5JHAgQCBAUCDgEBBYFpImdYEQhwFTsqAYJBUBgNjh0MF4NQhRSFBDt0AgGBJo0OgjIBAQ
IronPort-PHdr: 9a23:DQLZTRyk0c34EYrXCy+N+z0EezQntrPoPwUc9psgjfdUf7+++4j5YhSN/u1j2VnOW4iTq+lJjebbqejBYSQB+t7A1RJKa5lQT1kAgMQSkRYnBZuIF1z9J/3nRyc7B89FElRi+iLzaBIHAsv1alzMr3H39iYcSkmtEw1zK6y1ApTVk8m8y+G1/dvUfhlMgz2+J7h1KUf+pgTKvc5QioxnYqo2xwCBpHxUM+hb3mJnI1uPknOert+95pti7zhdt7o6+shMXL+yf6MjUacZAQ==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.70,457,1574121600"; d="scan'208";a="418276644"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 18 Feb 2020 21:18:21 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by rcdn-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id 01ILILxZ022483 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 18 Feb 2020 21:18:21 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 18 Feb 2020 15:18:20 -0600
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 18 Feb 2020 16:18:20 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 18 Feb 2020 15:18:19 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QgujL2R47Dxs8Q0J0fFzrdjXzh1xr3CcROKrvMYZFTRHOy4PgfZBabbDDU4gAtSnanJLZFsndXfe0bAvkODGVY3g19xOCdAG6ueWlPkZGuFqJqDk/eyhieopCRt63AHMmKfEqDo5/vfxgtxb5UuWhPF5B5aPVa5brQBtkxmd+FkAM3ei2HJciRUgXTpHLPuvNlutleEMqtScOfeNpN5aD26yzG9zYa90v4l/eOxCcAnO3awRXm0u8VVOzS+b53xiBPTwNelIEgJd9FcOEzguKwz9xDTCGj6U7SCseeDVR/7TFf2KD3yHAzbbNOgqGsImsCrXxlroLdQkVrKTyYyhuw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7TtHdfowhfRzRs/fqNEDIEHOrVd9PKa+k6CUyPNUrQ4=; b=JANKNQdBt+Dim0FJpyZwLoqUOj6uD+Jgv6lNi65boX1LBSaIo+RAnDdrVzLeU++WE9TsS69oxCjwXOAKSsvJMOroSemD21RtIlaPJnVtTIl4rwVgWFRtHgBSnvn0a7FR9bczDiNeU389HtnkYH+1aU6ZwxwMINaliaIygAE//H1dLWZsXjgNRw+fLlclf3FlJmRD/Q16/pXkWeXySuqxDKidcVvCasdoSsyACjhLFqXgZEDgAwn6YqguYtMPUWPer/kx5w5ReOY2JrDzEpxEjuHnaq1rzYpvO0IDLTbsakDjZKBhah97T2dnUrSFJYULGjAr8Rukmjm/0oCPRbhINg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7TtHdfowhfRzRs/fqNEDIEHOrVd9PKa+k6CUyPNUrQ4=; b=ixPIDFJstgpKY5seq7z/ylY0JNhv+W5WLbxk+dPVqFYZw93DhxA/EflpzZ8r2CWSYOrtbmbdj+b6YrLp/R4C4Oip9uJcy+PQpEEX23oU9tWR5MBOgiZo/EAcHlDP2dZ5OGj9BcQYioGR86dnAI2ibMJdQGtXr0RQjeoZd07SDRg=
Received: from DM5PR11MB1753.namprd11.prod.outlook.com (10.175.88.141) by DM5PR11MB1417.namprd11.prod.outlook.com (10.168.103.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2729.25; Tue, 18 Feb 2020 21:18:18 +0000
Received: from DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::680d:e22e:72d5:67ca]) by DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::680d:e22e:72d5:67ca%3]) with mapi id 15.20.2729.032; Tue, 18 Feb 2020 21:18:18 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-dtn-bpsec@ietf.org" <draft-ietf-dtn-bpsec@ietf.org>, Scott Burleigh <Scott.C.Burleigh@jpl.nasa.gov>, "dtn-chairs@ietf.org" <dtn-chairs@ietf.org>, "dtn@ietf.org" <dtn@ietf.org>
Thread-Topic: Éric Vyncke's No Objection on draft-ietf-dtn-bpsec-18: (with COMMENT)
Thread-Index: AQHV3N4hXOJou/82nUGMJombv/qKQagQdLbAgBEkMgA=
Date: Tue, 18 Feb 2020 21:18:18 +0000
Message-ID: <0D520171-9706-43AB-BBDA-65FA1192DAE1@cisco.com>
References: <158098746535.12238.7635413468192921667.idtracker@ietfa.amsl.com> <461cde20a45a43e383741946a6fecf30@aplex01.dom1.jhuapl.edu>
In-Reply-To: <461cde20a45a43e383741946a6fecf30@aplex01.dom1.jhuapl.edu>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.22.0.200209
authentication-results: spf=none (sender IP is ) smtp.mailfrom=evyncke@cisco.com;
x-originating-ip: [2001:420:c0c1:36:f842:aaed:6557:3770]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0996b5d7-be29-43f3-efd0-08d7b4b81366
x-ms-traffictypediagnostic: DM5PR11MB1417:
x-microsoft-antispam-prvs: <DM5PR11MB14170B87CFEBA0341F370901A9110@DM5PR11MB1417.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 031763BCAF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(39860400002)(346002)(366004)(136003)(199004)(189003)(5660300002)(8936002)(2906002)(2616005)(316002)(224303003)(4326008)(66574012)(81156014)(6486002)(81166006)(71200400001)(6506007)(478600001)(91956017)(36756003)(33656002)(6512007)(54906003)(66476007)(66446008)(66556008)(53546011)(64756008)(966005)(110136005)(66946007)(186003)(86362001)(76116006); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1417; H:DM5PR11MB1753.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: U5xFToW22ezV4BlY/u/cTGdjW0QIO46U/YLSpAhH2mpoM91/raNPn5tvUBxsHB9LWiM6g/F4/htK5HrFAPo3Y9XMGDL1+RAKVD3FWiHVrh9gr9/blJPbWmsbBf0bac20PeV/pmpgEUOOCXo8mEe5z0lSzMtWvCHB+w9edq+01dkHIIYnjzC1LlFY3jy0JbjqFT84prPQMO93mz9Y75e0uhmqKVdYtJgdNwGiGvm1Mt0kefZqQpLTDernN09wOVavfpKRHhuFR5igG0SyRl2o8nFmKVJxsfkTQopFls57EDm6v7GcSDphWuMvMHoWEyVAaiM8G6hvoNbBLPD5OaO+RzdDHyks1UROQ+TLZ8KUXIWCOi9n2rInW/cSpmd2SqcH74MAxwiM471zRUJczeqcmdnt6p7o3nkfV6ewkX7o1flu8gDbFXDrDqSYh7G+DfvNu44eiuX3PtFqzt1Nbu/rltspdYgOqc9QoqnT2OROnR5nazMGEa6woQkKJWkokSiwGmZw3cLhPTtXZym4+bWpCA==
x-ms-exchange-antispam-messagedata: YmmIJFY+gODco8klTrJFghw7BTLo8YkdR7dratKXB30T4VwoO8soFYyrwidVs6zX9BF+IS6e9LAx8Zj1+NUURMsAqa6Gm5FnLBEu/PDplrefNx0MUBtim036cOzGJTT03nDMA0HbZ9xinJE/Lgm7Z99UW00MqQvFPShYai6v46Y9fRwXUOd3+SQZIUYrqU+utbx65MdMupKyu60oFUEPng==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <E8EA6284106A1842B4FDF0A9A61FAE50@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0996b5d7-be29-43f3-efd0-08d7b4b81366
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Feb 2020 21:18:18.7630 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: IRaO993FKRqjnYBvBlt1wWgGIdLX9x85nndkS8/kBB8Sw0L5BJ9qKI9hsTUZAraZjnQmBvrcjfulz2v3g6ycVw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1417
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.15, xch-aln-005.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/GbJVVxgAkPd3kV00_IO0AXLbunA>
Subject: Re: [dtn] Éric Vyncke's No Objection on draft-ietf-dtn-bpsec-18: (with COMMENT)
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2020 21:18:26 -0000

Edward,

Thank you for considering the non-blocking comments and, hopefully, improving the quality of the document. But, it seems to me that **C1 should really be addressed in the revised ID (and your text should be enough).

I still believe that **C3 should also be addressed in this document, this is a little too "hand waving" to me

Thank you again for the work done but I hope that the next I-D will address the above

Regards

-éric

PS: thank you for managing to type a "É" on your keyboard __

On 08/02/2020, 01:42, "Birrane, Edward J." <Edward.Birrane@jhuapl.edu> wrote:

    Éric,
    
      Thank you for the review of BPSEC.  I have updated a new BpSec (BpSec-20) and a new interop-sc (ietf-dtn-bpsec-interop-sc-01) which addresses some of your comments below. 
    
      Specific comments are in-line below.  I have enumerated the comment items as **C# to aid in referencing these points going forward.
    
    Edward J. Birrane, III, Ph.D.
    Embedded Applications Group Supervisor
    Principal Staff, Space Exploration Sector
    Johns Hopkins Applied Physics Laboratory
    (W) 443-778-7423 / (F) 443-228-3839
    
    
    -----Original Message-----
    From: Éric Vyncke via Datatracker <noreply@ietf.org> 
    Sent: Thursday, February 6, 2020 6:11 AM
    To: The IESG <iesg@ietf.org>
    Cc: draft-ietf-dtn-bpsec@ietf.org; Scott Burleigh <Scott.C.Burleigh@jpl.nasa.gov>; dtn-chairs@ietf.org; Scott.C.Burleigh@jpl.nasa.gov; dtn@ietf.org
    Subject: [EXT] Éric Vyncke's No Objection on draft-ietf-dtn-bpsec-18: (with COMMENT)
    
    APL external email warning: Verify sender noreply@ietf.org before clicking links or attachments 
    
    Éric Vyncke has entered the following ballot position for
    draft-ietf-dtn-bpsec-18: No Objection
    
    When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
    
    
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-dtn-bpsec/
    
    
    
    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    Thank you for the work put into this document.
    
    I hope that this helps to improve the document,
    
    Regards,
    
    -éric
    
    -- Section 2.3 --
    About
      "a waypoint node, representing a
       gateway to an insecure portion of the DTN, may receive the bundle and
       choose to apply a confidentiality service"
    how could the bundle destination could recover the plain text if there is no security association with the encrypting waypoint? Or is it simple hop-by-hop encryption ?
    
    **C1: The WG decision was to decouple routing and security. A gateway node may encrypt using a BCB and the bundle could get to the destination without going through a decrypting node. In cases where this is a practical problem, the WG recommends encapsulating the bundle into another bundle and addressing the encapsulating bundle to a waypoint known to be able to decrypt. It is not expected that this encryption is only hop-by-hop encryption. If a bundle with a BCB reaches a waypoint which can (and has policy to) decrypt, it is expected that the security context ID plus the values of any security context parameters are sufficient to allow the waypoint to decrypt. 
    
    -- Section 3.2 --
    Why not supporting multiple integrity-checks/signatures? After all, this would allow the support of more than 1 integrity check / signature algorithm?
    (Obvioulsy, this cannot be done for confidentility -- except if transmitting multiple copies). There are some text related to this in section 3.7.
    
    **C2: The WG approach was to - later - define a security context that carried these signatures as multiple security results in 1 BIB instead of multiple BIBs. 
    
    -- Section 8.2.4 --
    More details about anti-replay of a DTN message would be welcome. E.g., is the bundle age field used ?
    
    **C3: It is not clear that any additional analysis for that would change the normative portions of BPSec. There may be some additional analysis here using different extension blocks but that is still analysis ongoing within the WG.
    
    -- Section 9.2 --
    This section is a list of issues with BPsec but are there other WG items attempting to solve those issues ? draft-ietf-dtn-bpsec-interop-sc does not seem to cover those issues.
    
    **C4: It is envisioned  that the WG will provide multiple security contexts to cover multiple cases. The interop security contexts should  be going to WG last call, and we will draft a security context (1 or more) relating to security on the Internet for BPSec nodes that operate on the Internet.

v2.23.0 | Report a Bug | By Email