Re: [dtn] BPSec Last Call?
Amy Alford <aloomis@sarn.org> Tue, 15 August 2017 21:26 UTC
Return-Path: <aloomis@sarn.org>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95552132420 for <dtn@ietfa.amsl.com>; Tue, 15 Aug 2017 14:26:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sarn-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n9RP972q83OF for <dtn@ietfa.amsl.com>; Tue, 15 Aug 2017 14:26:33 -0700 (PDT)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D011A13265F for <dtn@ietf.org>; Tue, 15 Aug 2017 14:26:32 -0700 (PDT)
Received: by mail-qt0-x229.google.com with SMTP id s6so11367814qtc.1 for <dtn@ietf.org>; Tue, 15 Aug 2017 14:26:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sarn-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mSzh+cQCt0hXUCCwHdXRIfmd/f41T0WmKM1rAvMo+EA=; b=qsUmLzMALnTfqtDnXDEy4iryA2tOKu9TgMdyzz+HHZyQUWhCdrTeByfGvDdUsLogsA XNGGOmspY5yx5phery32mljNdoquu24A0IqnnbLhp6UO/nwOK8Rm2flcF6pbXQzrhfs0 3mJ4oJ+1Cbw/17GS4HpgrGvQYULFUVQUn1k7RcGZu0mRU3W577qG95MVBfNxXSJjNozI DhdNObETSH7QI2u8K/L/tx2i+OixDda/Rw9XsMZ7zIIZfsCrkEPJoUhiTJsBl8kb9ldO 3YrLWN4N79YCz/6eFEArWTYADbilGyZFBrhjdjjxmdV1rU8dOHfu8c03CB43RVns9vQF leXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mSzh+cQCt0hXUCCwHdXRIfmd/f41T0WmKM1rAvMo+EA=; b=R72FCLE4FuPQAicSDKWsERbc7LQYvgpWVojHTDn9fBYqbm1K7szaDOf3cnqN6vBo7j DnSMUNBCGchbu7JUKaX31tFuIh6RUgqQm9lOHW0+mLw04ZFBgOwoUNrniiD93LhJc6Ku tmqmeUNi5aLdL8L45DW5nyouTpHUoqD1YqErWdsUqpzX6OUN+h5ORLSys/U/iPvDhGm8 TStU+JNLgmPjDC4UpPQbZaR352JGTq4OJiHOPv82L36C0niaVcrmUM3kgbA/8LOetNwo 3o7IPE5517XO2uRI4DVG9lbp4jyEdeqazLpi697+iGGJ1DiBi/rnjUNtcDQZcdXw+o2r PI5g==
X-Gm-Message-State: AHYfb5jDv4nV61AQtVjXF+T+qj80jjJib4suEqmzw4PSWDPkLEIzBIKk ppe7kSjIfOWhsd4fCBVtfNjlhtQS7JjsCHY=
X-Received: by 10.237.37.45 with SMTP id v42mr42041404qtc.333.1502832391565; Tue, 15 Aug 2017 14:26:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.146.141 with HTTP; Tue, 15 Aug 2017 14:26:30 -0700 (PDT)
In-Reply-To: <1501170304841.79122@jhuapl.edu>
References: <4a67e1594a484b759c29489934a7af74@aplex01.dom1.jhuapl.edu> <1501170304841.79122@jhuapl.edu>
From: Amy Alford <aloomis@sarn.org>
Date: Tue, 15 Aug 2017 17:26:30 -0400
Message-ID: <CAB9rx+_f9hBZcXRjyi+7N6TARAfOKxZe+4rCH1B-Yk1pwQmD=g@mail.gmail.com>
To: "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>
Cc: "dtn@ietf.org" <dtn@ietf.org>
Content-Type: multipart/alternative; boundary="001a113e5f16db4fea0556d16ec4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/TpvAAltzVUcwMLtxxYHxSaOykuk>
Subject: Re: [dtn] BPSec Last Call?
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 21:26:37 -0000
I'll kick off the discussion of BPsec. These comments are lightly edited from a version I sent Ed before the working group meeting. I'm not sure what the standard is to be ready for last call. My comments are pretty minor; the general approach of minimizing the constraints on implementations (leaving it to later specifications to design ciphersuites that work for different DTN use cases) makes sense. I also appreciate the simplification. Implementing BSP in DTN2 left me frustrated with the complexity that could accrue as intermediate nodes could repeatedly add security blocks, extension blocks, and fragment the bundle. 1) Is it really useful to make requirements about how security results or security parameters are stored in the security blocks? I’m tempted to argue that this spec should provide the requirements that allow two implementations which support disjoint sets of ciphersuites to interoperate (to the extent that they can interoperate). Specifying how ciphersuite numbers are represented and defining processing order is necessary (an implementation needs these to determine whether or not it can process received data). Separating out security parameters vs results and specifying a key/value format for them is not (If I don't support the ciphersuite, it's not going to help me in any way to be able to locate individual parameters). 2) I think “MUST” is being overused. I've included a laundry list of cases below. ------------------- Section 7. “BPAs in the network MUST understand what security operations they should apply to bundles.” “If a waypoint has been configured to add a security operation to a bundle, and the received bundle already has the security operation applied, then the receiver MUST understand what to do.“ “understand” is a very fuzzy word. I’d argue that an implementation that completely fails to consider what to do in these cases still meets the requirement, in the sense that it shows some deterministic behavior in response to these conditions (If I wanted to be argumentative, I’d argue that showing non-deterministic behavior in these cases also constitutes understanding what to do.). Section 2.3 “Therefore, security blocks MUST have their processing flags set such that the block will be treated appropriately by non-security-aware waypoints” Since “appropriately” is left to the implementer, this doesn’t constrain anything. Section 2.4: “The security services defined in this specification MUST provide a mechanism for identifying what cipher suite has been used to populate a security block.” Isn’t this MUST referring to what you, the author, are required to do, not what an implementer is required to do? The implementer MUST use the mechanism you’ve defined to do this. Section 3.4: “This target MUST be uniquely and unambiguously identifiable when processing a security block.” Same as the last one. You go on to define a mechanism by which they must do this, so this isn’t a constraint. Section 4 uses a few MUSTS that are not requirements of this spec. They are expressing how crypto works, not a spec requirement. I don’t know whether those are traditionally MUSTs in RFCs. In general, I’d look at each MUST/SHALL and consider whether it’s a requirement for an interoperable implementation. ------------------------------------ 3) Section 8.2.1 points out that a bundle may persist in the network long enough that an attacker can decrypt it before it reaches the destination. How much does it matter whether the attacker retrieves the information before or after the recipient? I see the expected transmission time as a lower bound on the length of time the information is sensitive for. 4) Is the requirement about preserving payload length necessary when fragmentation can only occur after adding security blocks that target the payload? Offsets within the payload are unambiguous, because they must refer to the size of the payload post-encryption. 5) Since no integrity block can be processed until reassembly happens, there is a potential for a malicious node to send large numbers of garbage fragments to a node such that the fragments never reassemble. There isn’t any magic solution to this. It looks like linux defines a timeout for fragments to prevent this (once memory used for fragmentation exceeds some level, the IP stack begins discarding all new fragments received until fragments timing out reduce memory usage to some specified value). That won’t work for DTN, since there is no sane timeout. 6) The end of 8.2.2 makes assertions about the security of sign+encrypt. It is too strong a statement to say that the attacker cannot produce a modified bundle /because/ he cannot decrypt. There are strong encryption schemes in which an attacker can modify the ciphertext to produce a new ciphertext which decrypts to a related plaintext (malleability). Does anyone on the list know what strength of encryption scheme is required to guarantee the signature can't be substituted? I think you can show IND-CCA2 covers this, but someone must know this off the top of their head. - Amy Alford On Thu, Jul 27, 2017 at 11:45 AM, Birrane, Edward J. < Edward.Birrane@jhuapl.edu> wrote: > Oops! Thanks Outlook.... > > > Let's try that again. > > > DTNWG, > > > At the last DTNWG meeting we discussed whether BPSec draft 05 ( > https://tools.ietf.org/html/draft-ietf-dtn-bpsec-05) is ready for last > call. > > > If you have read the draft and have comments on the current > implementation, I ask that we use this thread to discuss them. > > > If you have not read the draft, but are interested in the security > specification, I ask that you use this thread as a signal to read -05 and > provide comments in this thread. > > > If you feel that the document is ready for last call, I ask that you use > this thread to indicate that. > > > -Ed > > > --- > Edward J. Birrane, III, Ph.D. > Embedded Applications Group Supervisor > Space Exploration Sector > Johns Hopkins Applied Physics Laboratory > (W) 443-778-7423 <(443)%20778-7423> / (F) 443-228-3839 <(443)%20228-3839> > ------------------------------ > *From:* Birrane, Edward J. > *Sent:* Thursday, July 27, 2017 11:42 AM > *To:* dtn@ietf.org > *Subject:* BPSec Last Call? > > > DTNWG, > > > At the last DTNWG meeting we discussed whether > > > > --- > Edward J. Birrane, III, Ph.D. > Embedded Applications Group Supervisor > Space Exploration Sector > Johns Hopkins Applied Physics Laboratory > (W) 443-778-7423 <(443)%20778-7423> / (F) 443-228-3839 <(443)%20228-3839> > > _______________________________________________ > dtn mailing list > dtn@ietf.org > https://www.ietf.org/mailman/listinfo/dtn > >
- [dtn] BPSec Last Call? Birrane, Edward J.
- Re: [dtn] BPSec Last Call? Birrane, Edward J.
- Re: [dtn] BPSec Last Call? Amy Alford
- Re: [dtn] BPSec Last Call? lloyd.wood