Re: [dtn] BPbis - mandatory BPsec
ronnybull@gmail.com Wed, 29 July 2020 14:51 UTC
Return-Path: <ronnybull@gmail.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFA433A0B8C for <dtn@ietfa.amsl.com>; Wed, 29 Jul 2020 07:51:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tiaSgS52u1Mn for <dtn@ietfa.amsl.com>; Wed, 29 Jul 2020 07:51:01 -0700 (PDT)
Received: from mail-qv1-xf35.google.com (mail-qv1-xf35.google.com [IPv6:2607:f8b0:4864:20::f35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DCCD3A0B98 for <dtn@ietf.org>; Wed, 29 Jul 2020 07:51:01 -0700 (PDT)
Received: by mail-qv1-xf35.google.com with SMTP id r19so2457836qvw.11 for <dtn@ietf.org>; Wed, 29 Jul 2020 07:51:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:subject:from:to:date:in-reply-to:references:user-agent :mime-version:content-transfer-encoding; bh=JoFm+cNO9HlHiYA07kV0j4db2Wif3tTTIocd4Azvzjs=; b=HKfJWqOg9JZr1KcTTPgNeNfsjQhNokiOJgVj4ARrGVLI0lXOzP21Dv8lXQqr0zLpg2 u6WJjCt38Vo1y3lRYbWyHmyr79ZlaVmTVeocpf47sDWXp1TTXkMvyBZDnlPp7ihZboCY jEeTxTLWArm/Npwx7vuGymhsPErBQITN3N3OkgD5mw0Fp6CTTBFW0eB6AyDgEUz8xjm5 bVA1wbJVddtO7ZBOLbN5iT4nxhmmWjfz2ufQJWM0nuPQKkTBJ9DrokDoFRJAWDzRR+JX eUg2ncHEjGIAjGcdZwIlwgpyTyat3lqhuZ4NuSfwdQodV8tUD3XtMhEm5TNAP3DrbQmg imqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=JoFm+cNO9HlHiYA07kV0j4db2Wif3tTTIocd4Azvzjs=; b=BP12MTg9QowGuWi5LQQCkVK+MJUjAFmd0z+DMkP4IUdANoOYjjMFu4knyOTH+/+wZ/ ZdV68rIOq8GBz6fnWUMloLLP68gdt52aA+PzcHnVuYCKwGa/TTtMnXQOQ+pK+4Qbp/jF PYLXhqtLwPDuI+QDRfP+KO5nTWPmWPOUPDnhITM/WGX3zFXLq+txnvHyyyts4mdvM0K+ aFhpJm3ob5IZ3lXRcOI+eobrDJaQhr/mBK6/GFWv+kpgYzsHI7F9kAoaCjYQVOTZyvVZ Idpt4tTebCgCUEg9vBbsuwDk1NzAh3etxp9SFN3XbGR4UMNA1ZKs7y53JqYDd8Bfaqo4 Bvew==
X-Gm-Message-State: AOAM531T7S1/4FfnuxR9QCTHwUkYkAH1BQ+j//TTsMyOAZ3RjIEK9m33 GJVUqpZrSx1xQupDwqYjaBFuzoM3CMY=
X-Google-Smtp-Source: ABdhPJyckWWjVeyOKxs1raXiftu+33CZU+T5yzvKaYxQ7HV7iHAd83H4j2hOsCigls51whquc57Nhw==
X-Received: by 2002:a0c:e747:: with SMTP id g7mr31901699qvn.77.1596034259640; Wed, 29 Jul 2020 07:50:59 -0700 (PDT)
Received: from dank (cpe-69-207-100-241.rochester.res.rr.com. [69.207.100.241]) by smtp.gmail.com with ESMTPSA id b131sm1629618qkc.121.2020.07.29.07.50.58 for <dtn@ietf.org> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Jul 2020 07:50:59 -0700 (PDT)
Message-ID: <7346251025f862ceddcf53da571c4a88be261471.camel@gmail.com>
From: ronnybull@gmail.com
To: dtn@ietf.org
Date: Wed, 29 Jul 2020 10:50:57 -0400
In-Reply-To: <4fc0e08e4d704dd39f9a21d0f9cc897b@CD1-4BDAG04-P04.cdmail.common.airbusds.corp>
References: <4da9776f577e4f09b5e8d248437e5f3a@jpl.nasa.gov> <EA340974-935B-4343-9E4B-4CC00040FB6A@gmail.com> <4fc0e08e4d704dd39f9a21d0f9cc897b@CD1-4BDAG04-P04.cdmail.common.airbusds.corp>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.32.5
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/Ko0xK8ZoQKUs5mjdA89YgAGTg_M>
Subject: Re: [dtn] BPbis - mandatory BPsec
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 14:51:03 -0000
+1 to this Ronny On Wed, 2020-07-29 at 13:26 +0000, Taylor, Rick wrote: > > Ran, > > +1 (personal opinion, not chair) > > I think that text is excellent, and is an elegant way of capturing > what I believe the best way forward is, namely: > > * If you do not want security, you do not have to use cryptography, > but don't blame us if your secrets leak. > * If you do want security, you MUST use BPSec, don't go inventing > something else, it's hard to get right and we think we have got it > right. > > Sorry for the top-post. > > Cheers, > > Rick > > Rick Taylor > Product Design Authority, Mobile IP Node/PlexOS > Principal Engineer (eXpert), Mobile Communications > Airbus Defence and Space > Celtic Springs > Coedkernew > Newport > NP10 8FZ > > Phone: +44 (0) 1633 71 5637 > rick.taylor@airbus.com > www.airbusdefenceandspace.com > > > > THIS DOCUMENT IS NOT SUBJECT TO EXPORT CONTROL. > > -----Original Message----- > From: dtn [mailto:dtn-bounces@ietf.org] On Behalf Of R. Atkinson > Sent: Wednesday, July 29, 2020 2:17 PM > To: DTN WG <dtn@ietf.org> > Subject: Re: [dtn] BPbis - mandatory BPsec > > All, > > The usual and decades-long IETF practice is that “security is > mandatory to implement, but optional to use”. > > If security is NOT mandatory to implement, then experience shows it > is unlikely to be widely available for users (or sessions) who wish > to use security. > > All that noted, I think Edward Birrane at JHU/APL had a possibly > useful construct: > % I agree that a BPA which does not source, verify, or accept > security blocks % does not need to implement BPSec. > > I would invert that sentence, but (I think) keep the same > intention. I propose adding the quoted two sentences just below to > the Security Considerations: > > “A Bundle Protocol Agent (BPA) which sources, verifies, and/or > accepts a Bundle MUST IMPLEMENT support for BPsec. Use of BPsec for > a particular Bundle Protocol session is optional.” > > This means that any BPA which doesn’t provide any of those > (source/verify/accept) services need not implement BPsec. For > example, a pure forwarder would not need to implement BPsec. > > The text above tries to crisply differentiate implementation from > actual use by any particular BP session, in part because long- > standing IETF practice is to levy requirements on implementations but > (generally) avoid specifying mandatory operational practices (e.g., > RPF filtering for IP routes is a BCP but is not a hard > requirement.) > > In the context of BP and DTN, it is easy to imagine > deployments/environments where high-assurance link-layer > communications security might be provided, thereby significantly > reducing the potential value of BPsec for a given BP session. > > I think the text above will go a long way towards keeping the IETF > Security Area happy and greatly reducing the chances of security- > related objections during the approval process. > > I really think some form of “mandatory to implement” text for BPsec > is important. > > Yours, > > Ran > > > On Jul 28, 2020, at 20:49, Burleigh, Scott C (US 312B) < > > scott.c.burleigh=40jpl.nasa.gov@dmarc.ietf.org> wrote: > > > > Hi. At IETF-108 there was discussion on whether implementation of > > the BPsec security extensions should be mandatory in every BP > > node. Version 26 of the BPbis I-D (now posted) includes some > > revision to the first paragraph of section 9.0 to address this > > question. It would be helpful to discover the WG consensus on this > > matter. > > > > Please use this thread for your comments. > > > > Scott > > _______________________________________________ > > dtn mailing list > > dtn@ietf.org > > https://www.ietf.org/mailman/listinfo/dtn > > _______________________________________________ > dtn mailing list > dtn@ietf.org > https://www.ietf.org/mailman/listinfo/dtn > This email and its attachments may contain confidential and/or > privileged information. If you have received them in error you must > not use, copy or disclose their content to any person. Please notify > the sender immediately and then delete this email from your > system. This e-mail has been scanned for viruses, but it is the > responsibility of the recipient to conduct their own security > measures. Airbus Operations Limited is not liable for any loss or > damage arising from the receipt or use of this e-mail. > > Airbus Operations Limited, a company registered in England and Wales, > registration number, 3468788. Registered office: Pegasus House, > Aerospace Avenue, Filton, Bristol, BS34 7PA, UK. > _______________________________________________ > dtn mailing list > dtn@ietf.org > https://www.ietf.org/mailman/listinfo/dtn
- [dtn] BPbis - mandatory BPsec Burleigh, Scott C (US 312B)
- Re: [dtn] BPbis - mandatory BPsec R. Atkinson
- Re: [dtn] BPbis - mandatory BPsec Taylor, Rick
- Re: [dtn] BPbis - mandatory BPsec Birrane, Edward J.
- Re: [dtn] BPbis - mandatory BPsec ronnybull
- [dtn] BPsec -22, Section 9.1 R. Atkinson
- [dtn] Fwd: BPsec -22, Section 9.1 R. Atkinson
- Re: [dtn] Fwd: BPsec -22, Section 9.1 Birrane, Edward J.