Re: [dtn] [EXT] RE: BPv7 node ID and node identity
"Sipos, Brian J." <Brian.Sipos@jhuapl.edu> Sat, 04 December 2021 14:41 UTC
Return-Path: <Brian.Sipos@jhuapl.edu>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D2723A0781 for <dtn@ietfa.amsl.com>; Sat, 4 Dec 2021 06:41:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhuapl.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3mYxbwRx1L7t for <dtn@ietfa.amsl.com>; Sat, 4 Dec 2021 06:41:19 -0800 (PST)
Received: from aplegw01.jhuapl.edu (aplegw01.jhuapl.edu [128.244.251.168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D4D33A0780 for <dtn@ietf.org>; Sat, 4 Dec 2021 06:41:19 -0800 (PST)
Received: from pps.filterd (aplegw01.jhuapl.edu [127.0.0.1]) by aplegw01.jhuapl.edu (8.16.0.43/8.16.0.43) with SMTP id 1B4EfHJC180744; Sat, 4 Dec 2021 09:41:17 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhuapl.edu; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=JHUAPLDec2018; bh=VCq9u+diAjwQ1CIaDNdazVOzsvRBE2CkOzpflvVbgaU=; b=RaOV0IeCxeJp1/QrtjWEdEbG1Ou/ZGuMWjEr1DGpbcAs/qbB2yJhY8wOdw8AY3LzlFUX Q6lnq8YugRICOScYM+4uifTZW35F0j7YnvRKlXvR3yeIN5KYN+Y/sGKF9qlOOqOcaBLj y8uoRIXLj99pCPE59cdtVy77pZ8kxrx3V/nX9NfJ3k8pE24c+Md1Zb9+FzbAgXIMCh8v QTbIgnv3TT4oigBujnjLwFLEJ9ZmCWBQTGlhlYvag3vadTBB9K41c+ls8brgDFgWFncg EKaQbEHs4DbN8QgewPX2E6kVI9Onp6yJ8kHBb0YKtYazQFDVzbBVUag1h/HLibnYaUxA Ig==
Received: from aplex22.dom1.jhuapl.edu (aplex22.dom1.jhuapl.edu [10.114.162.7]) by aplegw01.jhuapl.edu with ESMTP id 3cr28e83uu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 04 Dec 2021 09:41:17 -0500
Received: from APLEX21.dom1.jhuapl.edu (10.114.162.6) by APLEX22.dom1.jhuapl.edu (10.114.162.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.922.13; Sat, 4 Dec 2021 09:41:17 -0500
Received: from APLEX21.dom1.jhuapl.edu ([fe80::3c73:f90:20fa:eda1]) by APLEX21.dom1.jhuapl.edu ([fe80::3c73:f90:20fa:eda1%5]) with mapi id 15.02.0922.013; Sat, 4 Dec 2021 09:41:17 -0500
From: "Sipos, Brian J." <Brian.Sipos@jhuapl.edu>
To: "sburleig.sb@gmail.com" <sburleig.sb@gmail.com>, "dtn@ietf.org" <dtn@ietf.org>
CC: "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>
Thread-Topic: [EXT] RE: [dtn] BPv7 node ID and node identity
Thread-Index: AdfoZRH5c7X7tn4bRK2GW0Es9c3IbQAawIwAABJ+JYA=
Date: Sat, 04 Dec 2021 14:41:16 +0000
Message-ID: <0d09251bd73044f0a900d2ae116aa85b@jhuapl.edu>
References: <8bff83552a054f32b1895e7917468035@jhuapl.edu> <056e01d7e8a6$2beac3e0$83c04ba0$@gmail.com>
In-Reply-To: <056e01d7e8a6$2beac3e0$83c04ba0$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.162.27]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_02AA_01D7E8F3.14C809F0"
MIME-Version: 1.0
X-CrossPremisesHeadersFilteredBySendConnector: APLEX22.dom1.jhuapl.edu
X-OrganizationHeadersPreserved: APLEX22.dom1.jhuapl.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-12-04_04:2021-12-02, 2021-12-04 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/QJeadSPvr0zYnimdVmGQiYOlkjU>
Subject: Re: [dtn] [EXT] RE: BPv7 node ID and node identity
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Dec 2021 14:41:25 -0000
Scott, I agree that in concept "the identity of the node can be discerned ." but unfortunately there is neither a definition nor an algorithm included to do this discerning or some kind of normalization of the EID. And the problem is now this more lax use of Node ID is likely to cause issues with both BPSec source identifying and TCPCL/TLS authentication. It's not that the current mechanisms are broken in a simple sense, but that they no longer cover valid situations and will fail or be ambiguous in some cases. For TCPCL now, if I have a PKIX certificate which is issued to "ipn:100.0" (authorizing the key holder to act as that Node ID) then the current certificate profile's NODE-ID definition fails to handle the case where my CLA identifies itself as "ipn:100.1" (or with any other service number). Likewise the certificate could be issued to "ipn:100.1" and fail when the CLA identifies as "ipn:100.0". For BPSec and the default security contexts, there is a potential situation where I source a bundle, include in it a BIB with a BIB-HMAC-SHA2 context and security source of "ipn:100.1", then some security acceptor attempts to verify the MAC but has a keystore containing a key associated with "ipn:100.0". Should that verifier count this as integrity verified? The key does properly verify the MAC but how does the verifier associate this key with that security source in the BIB? It seems like there needs to be a concrete definition of node identity similar to the URI-ID comparison (of only the authority part) from RFC 6125 [2] and probably also a normalized form of Node ID for things like a PKIX certificate or a keystore can contain the normal form of the Node ID which will then compare "properly" to any other non-normal forms on-the-wire. Again, I don't think this strictly breaks either current specification but it leaves them in a very fragile situation where all entities in the network must agree on a normal form that's not specified anywhere. And, especially in the security domain, leaves a door open to all kinds of ad-hoc mechanisms that will not interoperate (see the mess of PKIX wildcard certificates) or leave security holes. Brian S. [2] https://www.rfc-editor.org/rfc/rfc6125.html From: sburleig.sb@gmail.com <sburleig.sb@gmail.com> Sent: Friday, December 3, 2021 7:31 PM To: Sipos, Brian J. <Brian.Sipos@jhuapl.edu>; dtn@ietf.org Subject: [EXT] RE: [dtn] BPv7 node ID and node identity APL external email warning: Verify sender sburleig.sb@gmail.com <mailto:sburleig.sb@gmail.com> before clicking links or attachments Hi, Brian. A couple of answers, which may or may not be helpful: 1. This is a recent change, responding to objections that disallowing demuxes (for the dtn scheme) and non-zero service numbers (for the ipn scheme) in the source node ID was unnecessarily restrictive - the identity of the node could be accurately determined by inspection even if those rules were violated. The BPv7 specification has been revised to state that any endpoint ID from which the identity of the node can be discerned without consulting any other information source may serve as a node ID. This is sort of by definition - it's a string that identifies the node, so it's a node ID, even if it contains some additional information that identifies a particular endpoint in which that node is registered. (Nodes have in fact always been able to have multiple administrative endpoints, hence multiple node ID strings, i.e., one for the dtn scheme and another for the ipn scheme.) 2. It is not required that a node be identifiable only by a single EID. 3. The ID of an administrative endpoint of a node may always be used to identify the node; such endpoints implicitly exist so long as the node itself exists. (That is, if and only if a node exists it is registered in its administrative endpoint(s).) Other EIDs may serve as node IDs as well - in particular, they may be cited as the sources of bundles - but the identified endpoints are not guaranteed to be in existence at any particular moment. (Nodes may register and unregister in other singleton endpoints at will.) Scott From: dtn <dtn-bounces@ietf.org <mailto:dtn-bounces@ietf.org> > On Behalf Of Sipos, Brian J. Sent: Friday, December 3, 2021 12:55 PM To: dtn@ietf.org <mailto:dtn@ietf.org> Subject: [dtn] BPv7 node ID and node identity All, After re-reading some of the to-be-RFC 9171 I realize that I had been making an incorrect assumption for a long time: that the administrative endpoint ID of a node is the same as its node ID. I see now that more technically that EID can be the node ID but doesn't have to be. In that light I have some deeper questions about a node and its node ID: 1. Is it operational practice that the administrative EID is in fact the node ID? Early examples that I read led me to expect this. 2. Is it required that a node has only a single node ID at any point-in-time? In many parts of the document (and other documents and discussions) the phrasing is ". the node ID ." and not ". a node ID ." or similar phrasing. 3. Is it expected or required that a node ID be stable over time for a node? If not, there seem to be operational issues related to how peers can identify a node with a time-varying node ID. This is especially the case with respect to node authentication and how an authority may grant identifier use to a node. These questions are coming up in the context of the "Node ID Validation" document [1] and its assumptions that the answer to all the above questions are "yes." There are definitely parts of that document which are ambiguous or incorrect now that I see it with the perspective that a node ID is not equivalent to the administrative EID. Thanks for any clarification, Brian S. [1] https://www.ietf.org/archive/id/draft-ietf-acme-dtnnodeid-07.html
- [dtn] BPv7 node ID and node identity Sipos, Brian J.
- Re: [dtn] BPv7 node ID and node identity sburleig.sb
- Re: [dtn] [EXT] RE: BPv7 node ID and node identity Sipos, Brian J.
- Re: [dtn] [EXT] RE: BPv7 node ID and node identity Birrane, Edward J.