IETF Logo Mail Archive

Re: [dtn] BPSEC and COSE

Mehmet Adalier <madalier@antarateknik.com> Mon, 15 June 2020 17:30 UTC

Return-Path: <madalier@antarateknik.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F0833A0793 for <dtn@ietfa.amsl.com>; Mon, 15 Jun 2020 10:30:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HKKZ7WXC_iDt for <dtn@ietfa.amsl.com>; Mon, 15 Jun 2020 10:30:37 -0700 (PDT)
Received: from sonic312-27.consmr.mail.bf2.yahoo.com (sonic312-27.consmr.mail.bf2.yahoo.com [74.6.128.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57A6A3A078F for <dtn@ietf.org>; Mon, 15 Jun 2020 10:30:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1592242231; bh=jlsxfrE46qnW6ll10MHiNl9TlzyhCJ1Mka8oSlzpizo=; h=Date:Subject:From:To:References:From:Subject; b=JfeA8MBTDruvdittEv0vjz/vU5pLaFflWh/knwND9xYCPuxW34v2NqP+csuQH0LEcFDcAbbxcmphjKUyHDqjxATuWv5dhqn29VwUco9gPVTli/A35JzvN4fDwlqBFYL66lPCxeEvVhqNbv+H5vnvN9ri1hYIow+ZJH3JFaDj8ZR4MUN7KZyXF3KzUSOFGUoQzqHoeOqGcMOaDFcbq1yRJwQ0D+AhT0o2QWubaVblbN38jEuQ4+Wb4ds066RKK/R6A0TBadHLhpt+G4B/fgGVoavlJS0Gdkf5Lj3yjUlOi02X0tuqrF7GoprWRgSeuVJIJTlfpMoWCXciS95de0Gv5w==
X-YMail-OSG: KQz94VkVM1nQ8zb0s6rzLOndvUxJiK7gYQfKtDdH_GvAPx63LIMwGvBL.yIrd53 ostJUIfcE_WOg2ltvjVvS6Xq7xJgrOYTYiK8DRU25g3joOtSMgM7Q7GL_LGvg.Q7ZGrR5cHxo.QD vUbtXAGRvj0x5AZtiF1phcUAQRKL.jguK.CDcCkb9_CWF6R5SxNiPNCV5fKoNwaLxoV0vhCb204b c6wR5THrClVe29OnyDGEYE7ec2ZNjcnP0Gssw3yR0Xxqzhe_InQdWjr1u5tHaJR12Rtt9ZKE1FwK h1mnQVaV6OX7qHh.qGYhZU_rrzIOt_D9J1MUB9bKFuvpnGXiyT1KmGPvPSKSwwTw_Umfeuy1dV8A iUDPRfLaJFr0CQMtvihIBtBbMaHrwMGvyftLsq16eHCzNXX2j2FEdFovfUawVfcyNH0ZArt_d0ha qkilKBEFZTetDNXDvMmq2pD4XiTs79l08cIKcJ9eF4BeN20eX7hz0j.ocOh5jX2xtzfrFQ6uwUtS S3Io45UBQfnlDxIs5QUThpPAoPgKqajTvlXN4c.J_ES_3ihd9HE83DzptdxXlUywNf5AaUcfXwCW mZh7v9AMocyEN_SEj0HInW4fLG9O7pm50mtDNfJVmY.YQJQiun6X1WY57o8V00wRbcG3J2EveUeq cnNcXrvqg95zx3ez3Ik2w_XS0vBwNnXVctOmCtde4Jer6USbTPbXYwtODQYiwB8BSc7G3Pj4MIk4 zU9v5EHzcm9_gGozZbwPswXLksR8lUMhoT0ZzGRKt1kvXSUBXx5X_TaiqSNQTr_SGRCg9fFZWkD2 YxK4ov5UjWOVux9SA4alvDCQJSRYJWAM2p31D.zL1xBH_lUIThli2B7.w3uoL49miyqxf4hFe8wD GJN43l4fJzAF2Xhm3f58EzoFJezBR5LTdezqyQ8n4KdOsIAEwo3SdPc6QtW0wvy2SOwfw39rZ_6i lZlgYNMkkGvkwb5zakDVp6Zdf3iyWfMD1Vu_pOpxoh8w2aBeyqAAsBYnz5vpSN5VqUjcubFo2lUp j_8oZgtjGkuwE7sxhgZ_lPuCELlcgKQEz4HAkRGNPcbePwZolmJosic6mwJ0KuW_7E.zW5whNeQA FNOABnm.yyTGF3mhasRdhzdmlm2kyGg_hhXJ303jc9lANF76Tx3.S3vUyFmNThKg2GFI8pXzJYEy DxpsxOYH4Ku1znWtkipzd0EixAmVtNs03wpoTeJ.NNPfesasaNVijWqy3mCfu3.IAbxqFEO9Dmwf xiHqUYf8ubKcDViitbEPvx9HP2pKn0fBOONjCMia8PNg7xU64YdnBtn9m30O9d4na5sFvZWCllTt jazDospgkq42aybq6k9S7Rb.pGgY_fz6n3GdUtCV7B3E0qYU4DBbLXwzCZJTvQaUbkPNsspkh0HH vF1ti3tVEyA--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.bf2.yahoo.com with HTTP; Mon, 15 Jun 2020 17:30:31 +0000
Received: by smtp418.mail.gq1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 6c003ab3b43cef75253ce248cdb47d7c; Mon, 15 Jun 2020 17:30:25 +0000 (UTC)
User-Agent: Microsoft-MacOutlook/10.20.0.191208
Date: Mon, 15 Jun 2020 10:30:22 -0700
From: Mehmet Adalier <madalier@antarateknik.com>
To: Brian Sipos <BSipos@rkf-eng.com>, "Birrane, Edward J." <edward.birrane@jhuapl.edu>, "dtn@ietf.org" <dtn@ietf.org>
Message-ID: <9C55A9D8-7D44-40EF-B370-5FBE5A935B02@antarateknik.com>
Thread-Topic: [dtn] BPSEC and COSE
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3675061825_82947687"
References: <9C55A9D8-7D44-40EF-B370-5FBE5A935B02.ref@antarateknik.com>
X-Mailer: WebService/1.1.16119 hermes_yahoo Apache-HttpAsyncClient/4.1.4 (Java/11.0.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/Pht_yB7iqFfF3pbT7XWOyt89i5o>
Subject: Re: [dtn] BPSEC and COSE
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jun 2020 17:30:39 -0000

While there may be potential value in developing a separate spec/RFC for BPsec COSE context(s), please do not bind the BPsec protocol to COSE in any way. 

In my opinion, this proposed effort should not change the current draft BPsec RFC in any way.

 

mehmet

 

From: dtn <dtn-bounces@ietf.org> on behalf of Brian Sipos <BSipos@rkf-eng.com>
Date: Monday, June 15, 2020 at 9:42 AM
To: "Birrane, Edward J." <edward.birrane@jhuapl.edu>, "dtn@ietf.org" <dtn@ietf.org>
Subject: Re: [dtn] BPSEC and COSE

 

Ed,

Sounds good, I don't have the broader view of BPSEC target environments. I'll look forward to seeing the security context guidance document.

 

My initial feel would be to define:

One context for "COSE Integrity" with no parameters and a result ID for corresponding COSE structures COSE_Sign, COSE_Sign1, COSE_MAC, and COSE_MAC0.
One context for "COSE Confidentiality" with no parameters and a result ID for COSE structures COSE_Encrypt, and COSE_Encrypt0.
A simplified COSE profile to map block data into plaintext for the COSE algorithms.
A restricted set of algorithms available to use with a focus on symmetric keys and authenticating block headers, require AEAD encryption, etc.
 

I think between the definitions already in BPSEC and the framework of COSE the binding between the two should not be too complex.

From: Birrane, Edward J. <Edward.Birrane@jhuapl.edu>
Sent: Thursday, June 11, 2020 22:08
To: Brian Sipos <BSipos@rkf-eng.com>; dtn@ietf.org <dtn@ietf.org>
Subject: RE: BPSEC and COSE 

 

Brian,

 

The draft interop contexts were meant to be the minimum set of information to show that two implementations on BPSec could interoperate, with the expectation that other contexts would be defined for deployment. However, I see no harm with updating the interop contexts to be more useful. 

 

  COSE did come up in the WG discussions on BPSec and the selected path was what you describe as #1 below – there is good value in COSE (of course) and a COSE security context would cover many cases.   Tying BPSec to COSE (what you describe as #2 below) would break other use cases for no reason.

 

  If you would like to work a COSE security context we should discuss the right mapping to BPSec security results. I am currently working on policy and template information for security contexts that might inform this. I-D coming in time for a July meeting.

 

  I assume there is a July DTNWG (virtual) meeting?

 

-Ed

 

 

Edward J. Birrane, III, Ph.D.
Embedded Applications Group Supervisor
Principal Staff, Space Exploration Sector
Johns Hopkins Applied Physics Laboratory
(W) 443-778-7423 / (F) 443-228-3839

 

From: Brian Sipos <BSipos@rkf-eng.com> 
Sent: Thursday, June 11, 2020 9:50 PM
To: dtn@ietf.org
Cc: Birrane, Edward J. <Edward.Birrane@jhuapl.edu>
Subject: [EXT] BPSEC and COSE

 

APL external email warning: Verify sender BSipos@rkf-eng.com before clicking links or attachments

 

This is directed mostly at Ed, being the author of the BPSEC draft:

In reviewing use cases of BPSEC securing bundles between networks, for example internet gateways transporting bundles between sites, I ran into the fact that the current interoperability contexts [1] don't provide any parameterization of key material, etc. which would be absolutely necessary between networks.

 

I have some bit of background with COSE [2] and it seems to have some amount of existing library support, but most importantly has a number of parameterized signing and encryption algorithms [3] already specified (and others in the pipeline).

 

In looking at how COSE could be used with BPSEC, the only difference in structure that I see is that BPSEC assumes security data has a hard division between "paramters" and "results" while in COSE it's a mix of "headers" defining both parameters and results of an operation. COSE already has the concept of a "detached" payload, and already deals with CBOR encodings.

 

I see two paths for this type of integration:

Keep BPSEC as is and define a context for using COSE. Because of the COSE structure, no "parameters" would be used but each COSE top-level type (COSE_Sign, etc.) would be a "result" type. This preserves the current structure of BPSEC but complicates the processing of COSE contexts.
Request the BPSEC draft focus more on COSE as the primary mechanism for encoding security services. This would simplify BPSEC encoding at the expense of tethering it fully to COSE and any baggage that goes along with it.
Any thoughts on this topic? Is the focus on BPSEC on private networks with locally-defined, parameter-less security contexts? With the more general-purpose contexts a niche use?

If #1 is the way to go, I would start into a COSE context draft. The end goal is to use all of the good preexisting COSE algorithms and also get direct benefit of ongoing COSE work.

 

[1] https://datatracker.ietf.org/doc/html/draft-ietf-dtn-bpsec-interop-sc-01

[2] https://datatracker.ietf.org/doc/html/draft-ietf-dtn-bpsec-22

[3] https://www.iana.org/assignments/cose/cose.xhtml#algorithms

_______________________________________________ dtn mailing list dtn@ietf.org https://www.ietf.org/mailman/listinfo/dtn

v2.23.0 | Report a Bug | By Email