[dtn] AD review of draft-ietf-dtn-bpsec-10
Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 24 July 2019 23:01 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CF6A1200FD; Wed, 24 Jul 2019 16:01:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vDZy224UVXUh; Wed, 24 Jul 2019 16:01:24 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130084.outbound.protection.outlook.com [40.107.13.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D8B312001B; Wed, 24 Jul 2019 16:01:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kGY0xrKu4TDYDILQdKaZZTW3BWw8baBKc1rLXA+3VphNzYkSQCiKUFO/UfahdN+U3663Ub5OcieBQex8Wa6dfvUDuVujkfm44aJ70qihTqvPdYe6ADxDJ/+aVXc+eG52J1m1uZDOHArgO8pEAOgOTWgQm6Ubi126UbD+iyF1Tac9vGAn/X8/GTZfkYSWq8lsA1TsBFHEfpkSr9i7ZEO9gRe7VIvifcBqqYVhRzL9pFFFhi5DuuOHpJawsiiEum3azSQ1BjO08O5ZV1xkQLkmRVSIe7q86ENG+czfbUoAHQZ1BM82bAhV/QPBNXYRaZKHQCv7WnaSzqWKUXigtJCB6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CZIHaJo9GjAZb4RG/CjRRwsqOD4bX5KqnkdLaBfTJ6c=; b=f11mlodszlK7toTVLdsUUKs3AoAnQHM512Ko4Hde9wTW1frOEAy89E5quX4359343gHtfnJB3qNKxZBixZo8BsrrDK2l+jBYJLdID2HxgqZA6xjs+METEWZnygGlX5bB80GTZPkli/CVOAgV9z4OtbbX5R5ZFx+df7DNvOdJbJjYeOo4PEFingm9zUCl0fGz+uaAZf0ARchDgDJyBnz+lLL1h+eg5roF97XSK4/yegy/OR9UXUK/5SW9ILpzAgQJUzPlpFtbOaKTf51Sjy4RJV4ONtHrVlFNH+lHo2NZ/ouPT24a9TImfTnSyORtlLyPaRpK3TL0O32dWm4m0t+oXg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CZIHaJo9GjAZb4RG/CjRRwsqOD4bX5KqnkdLaBfTJ6c=; b=PshQ1S61rOZklwVE4E4RySPoTXlTXeacKSAuC8cebUdr7pflbAyjEo8wUo8al48EqLZby8Evaj28d29C7a+Lw2z2bd2uKWpjk+nw0HZoUoH4lPt8hevT5JQKedlCEs24PiK2F6fbkKH4sfweeT8ods7qM1ww34VcCFzEJeK7hps=
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com (10.168.128.149) by HE1PR0701MB2410.eurprd07.prod.outlook.com (10.168.128.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2115.10; Wed, 24 Jul 2019 23:01:21 +0000
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::b9ec:6368:2a23:30fb]) by HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::b9ec:6368:2a23:30fb%6]) with mapi id 15.20.2115.005; Wed, 24 Jul 2019 23:01:21 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "dtn@ietf.org" <dtn@ietf.org>, "draft-ietf-dtn-bpsec@ietf.org" <draft-ietf-dtn-bpsec@ietf.org>
Thread-Topic: AD review of draft-ietf-dtn-bpsec-10
Thread-Index: AdVCaDVgtsriZb2MRq2bQxmFSoSCwA==
Date: Wed, 24 Jul 2019 23:01:20 +0000
Message-ID: <HE1PR0701MB2522907507ED316584289CDF95C60@HE1PR0701MB2522.eurprd07.prod.outlook.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=magnus.westerlund@ericsson.com;
x-originating-ip: [2001:67c:370:128:599e:9cb8:c00f:5a88]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 85b6356a-5e85-408e-d76b-08d7108ad7ff
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(49563074)(7193020); SRVR:HE1PR0701MB2410;
x-ms-traffictypediagnostic: HE1PR0701MB2410:
x-microsoft-antispam-prvs: <HE1PR0701MB241005453F90517858FA4EC795C60@HE1PR0701MB2410.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0108A997B2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(346002)(396003)(376002)(366004)(39860400002)(199004)(189003)(15404003)(46003)(44832011)(478600001)(33656002)(7696005)(25786009)(476003)(99286004)(53936002)(316002)(7736002)(66946007)(66476007)(305945005)(6436002)(66446008)(64756008)(2501003)(81166006)(55016002)(71190400001)(5660300002)(52536014)(6506007)(81156014)(76116006)(71200400001)(450100002)(86362001)(8936002)(14444005)(186003)(14454004)(8676002)(68736007)(110136005)(102836004)(99936001)(2906002)(6116002)(74316002)(66616009)(256004)(66556008)(486006)(9686003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2410; H:HE1PR0701MB2522.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: FfKfpGftuN1WQzy+XFQ8y0QoRqJbFnXa7pW1XE3OCFuJE/dTUvTgeLP90v/wHZx5pyk4sk7RZtNN5WhXEsFCqpvhjIERU+Y+M0YsTRsFvCM/043mAXNCOrirfho1G3K6gcwuXHruOUUzFY6/33OxuWBTBnn9iIACvOIk3dQMY77N5Ud6B4+dzFn7IyAaB8oH1IjQbBF365J7nGlmrGzclmyq7mcBZfHGhdeVF1pmODk2t3x3qvhbgSvUCkG5476z7d4YlVMfyWVqJA+GISLrqHr/ZVWf6mtN3fd9S5TkEgNayjRryY75U789sQsfrJcg7G9TCP1stHxrvqYT/JcZxQfciFdkVw1ipu2gRLIwJiK+GX/sRWFMBD9GOPmzTBuygeEG9sCW+MB4cdbTMi3XMhNQLTXYBk27ftQ1sB10vZw=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0130_01D54252.05547430"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 85b6356a-5e85-408e-d76b-08d7108ad7ff
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jul 2019 23:01:21.0074 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: magnus.westerlund@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2410
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/ElboLfIzs2hNQGW1qZe-lXQUffM>
Subject: [dtn] AD review of draft-ietf-dtn-bpsec-10
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 23:01:29 -0000
Hi,
I have now done my AD review of draft-ietf-dtn-bpsec-10. I want to point out
that I am going to ask about the reasons behind certain choices in the
document. Note the intention here is not to change what your specified but
to understand the choices made.
1. Section 1.2:
It is expected that separate documents will be standardized to define
security contexts and cipher suites compatible with BPSec, to include
those that should be used to assess interoperability and those fit
for operational use in various network scenarios.
As the WG actually have one example specification for a security context and
cipher suits, it would be good to reference this so that people realize that
it exist and can be looked at in parallel.
2. Section 1.4: I am missing a term for the receiver / target either if
that is any holder of the security context or an intended bundle receiver,
in other words the peer to security source.
3. Section 3.1:
The BIB is used to ensure the integrity of its plain-text security
target(s). The integrity information in the BIB MAY be verified
by any node along the bundle path from the BIB security source to
the bundle destination. Security-aware waypoints add or remove
BIBs from bundles in accordance with their security policy. BIBs
are never used to sign the cipher- text provided by a BCB.
This is only part of a conflict between the order between BIB and BCB
processing and the possibility for a node along the Bundle path to verify
the integrity of parts of the bundle. So my thoughts here is that bundle
sender has two security contexts. One with the receiver that it will use to
secure the BUNDLE Payload and other Blocks that are of end-to-end nature and
not needed on path. Then I will have another security context that a set of
the bundle forwarding nodes share so that they can verify the bundle being
sent. However, to my understanding this is not possible as any BIB using the
second context can't use encrypted payload block as its input.
So although the documents talks about this, it appears to have limited
utility. Any comments about this limited utility?
4. Section 3.2:
Security operations in a bundle MUST be unique; the same security
service MUST NOT be applied to a security target more than once in a
bundle.
This uniqueness requirement, isn't this missing a dependency on security
context? To me there appear that being able to use more than one security
context has some benefits, or is it making things to complex, or are there
other reasons?
5. Section 3.6:
Security Context Flags:
What is the meaning of the Reserved bits? What should the sender and
receiver do with these bits. Can they be assigned in the future?
6. Section 3.8:
The Security Context Id MUST utilize a confidentiality cipher that
provides authenticated encryption with associated data (AEAD).
Why is AEAD a requirement? If the requirement is that no confidentiality
without integrity, then that can be stated in an other way than requiring
AEAD.
7. Section 3:
Looking at the BIB and how it is structured and how the signature is created
and stored with one signature per block implies that any on path attacker
can remove individual blocks without it being noticed. So aren't there a
missing possibility to create a BIB that actually ensures that if it
validates a set of blocks was correctly provided? I know that with the
current mechanisms such a BIB could be stripped. However, such a block could
easily be required in a security policy for a particular deployment. Was
such aspects considered?
8. Section 3.9:
o When adding a BCB to a bundle, if some (or all) of the security
targets of the BCB match some (but not all) of the security
targets of a BIB, then a new BIB MUST be created and all entries
relating to those BCB security targets MUST be moved from the
original BIB to the newly created BIB.
This comment is linked to the pervious one. When reading this, I had a hard
time to understand what "moved" in the above text actually meant. Finally I
realized that you could actually move a signature from one BIB to another. I
think this could be made a bit clearer.
9. Section 3.10:
Individual BPSec security context identifiers SHOULD use existing
registries of identifiers and CBOR encodings, such as those defined
in [RFC8152], whenever possible. Contexts SHOULD define their own
identifiers and CBOR encodings when necessary.
I find the above paragraph unclear. I think one part is what "security
context identifiers".
10. Section 5.1.1:
If the receiving node is
not the destination of the bundle, the node MUST decrypt the BCB if
directed to do so as a matter of security policy.
I think this is an example of the unclarity of who is to process a
particular security block, because I don't understand how the node will be
able to do this.
11. Section 11:
A registry of security context identifiers will be required.
If you need a registry for security context identifiers then you need to
create it and defines its rules.
Cheers
Magnus Westerlund
- [dtn] AD review of draft-ietf-dtn-bpsec-10 Magnus Westerlund
- Re: [dtn] AD review of draft-ietf-dtn-bpsec-10 Magnus Westerlund
- Re: [dtn] AD review of draft-ietf-dtn-bpsec-10 Magnus Westerlund