[dtn] AD review of draft-ietf-dtn-bpsec-10
Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 24 July 2019 23:01 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CF6A1200FD; Wed, 24 Jul 2019 16:01:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vDZy224UVXUh; Wed, 24 Jul 2019 16:01:24 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130084.outbound.protection.outlook.com [40.107.13.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D8B312001B; Wed, 24 Jul 2019 16:01:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kGY0xrKu4TDYDILQdKaZZTW3BWw8baBKc1rLXA+3VphNzYkSQCiKUFO/UfahdN+U3663Ub5OcieBQex8Wa6dfvUDuVujkfm44aJ70qihTqvPdYe6ADxDJ/+aVXc+eG52J1m1uZDOHArgO8pEAOgOTWgQm6Ubi126UbD+iyF1Tac9vGAn/X8/GTZfkYSWq8lsA1TsBFHEfpkSr9i7ZEO9gRe7VIvifcBqqYVhRzL9pFFFhi5DuuOHpJawsiiEum3azSQ1BjO08O5ZV1xkQLkmRVSIe7q86ENG+czfbUoAHQZ1BM82bAhV/QPBNXYRaZKHQCv7WnaSzqWKUXigtJCB6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CZIHaJo9GjAZb4RG/CjRRwsqOD4bX5KqnkdLaBfTJ6c=; b=f11mlodszlK7toTVLdsUUKs3AoAnQHM512Ko4Hde9wTW1frOEAy89E5quX4359343gHtfnJB3qNKxZBixZo8BsrrDK2l+jBYJLdID2HxgqZA6xjs+METEWZnygGlX5bB80GTZPkli/CVOAgV9z4OtbbX5R5ZFx+df7DNvOdJbJjYeOo4PEFingm9zUCl0fGz+uaAZf0ARchDgDJyBnz+lLL1h+eg5roF97XSK4/yegy/OR9UXUK/5SW9ILpzAgQJUzPlpFtbOaKTf51Sjy4RJV4ONtHrVlFNH+lHo2NZ/ouPT24a9TImfTnSyORtlLyPaRpK3TL0O32dWm4m0t+oXg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CZIHaJo9GjAZb4RG/CjRRwsqOD4bX5KqnkdLaBfTJ6c=; b=PshQ1S61rOZklwVE4E4RySPoTXlTXeacKSAuC8cebUdr7pflbAyjEo8wUo8al48EqLZby8Evaj28d29C7a+Lw2z2bd2uKWpjk+nw0HZoUoH4lPt8hevT5JQKedlCEs24PiK2F6fbkKH4sfweeT8ods7qM1ww34VcCFzEJeK7hps=
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com (10.168.128.149) by HE1PR0701MB2410.eurprd07.prod.outlook.com (10.168.128.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2115.10; Wed, 24 Jul 2019 23:01:21 +0000
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::b9ec:6368:2a23:30fb]) by HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::b9ec:6368:2a23:30fb%6]) with mapi id 15.20.2115.005; Wed, 24 Jul 2019 23:01:21 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "dtn@ietf.org" <dtn@ietf.org>, "draft-ietf-dtn-bpsec@ietf.org" <draft-ietf-dtn-bpsec@ietf.org>
Thread-Topic: AD review of draft-ietf-dtn-bpsec-10
Thread-Index: AdVCaDVgtsriZb2MRq2bQxmFSoSCwA==
Date: Wed, 24 Jul 2019 23:01:20 +0000
Message-ID: <HE1PR0701MB2522907507ED316584289CDF95C60@HE1PR0701MB2522.eurprd07.prod.outlook.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=magnus.westerlund@ericsson.com;
x-originating-ip: [2001:67c:370:128:599e:9cb8:c00f:5a88]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 85b6356a-5e85-408e-d76b-08d7108ad7ff
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(49563074)(7193020); SRVR:HE1PR0701MB2410;
x-ms-traffictypediagnostic: HE1PR0701MB2410:
x-microsoft-antispam-prvs: <HE1PR0701MB241005453F90517858FA4EC795C60@HE1PR0701MB2410.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0108A997B2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(346002)(396003)(376002)(366004)(39860400002)(199004)(189003)(15404003)(46003)(44832011)(478600001)(33656002)(7696005)(25786009)(476003)(99286004)(53936002)(316002)(7736002)(66946007)(66476007)(305945005)(6436002)(66446008)(64756008)(2501003)(81166006)(55016002)(71190400001)(5660300002)(52536014)(6506007)(81156014)(76116006)(71200400001)(450100002)(86362001)(8936002)(14444005)(186003)(14454004)(8676002)(68736007)(110136005)(102836004)(99936001)(2906002)(6116002)(74316002)(66616009)(256004)(66556008)(486006)(9686003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2410; H:HE1PR0701MB2522.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: FfKfpGftuN1WQzy+XFQ8y0QoRqJbFnXa7pW1XE3OCFuJE/dTUvTgeLP90v/wHZx5pyk4sk7RZtNN5WhXEsFCqpvhjIERU+Y+M0YsTRsFvCM/043mAXNCOrirfho1G3K6gcwuXHruOUUzFY6/33OxuWBTBnn9iIACvOIk3dQMY77N5Ud6B4+dzFn7IyAaB8oH1IjQbBF365J7nGlmrGzclmyq7mcBZfHGhdeVF1pmODk2t3x3qvhbgSvUCkG5476z7d4YlVMfyWVqJA+GISLrqHr/ZVWf6mtN3fd9S5TkEgNayjRryY75U789sQsfrJcg7G9TCP1stHxrvqYT/JcZxQfciFdkVw1ipu2gRLIwJiK+GX/sRWFMBD9GOPmzTBuygeEG9sCW+MB4cdbTMi3XMhNQLTXYBk27ftQ1sB10vZw=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0130_01D54252.05547430"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 85b6356a-5e85-408e-d76b-08d7108ad7ff
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jul 2019 23:01:21.0074 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: magnus.westerlund@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2410
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/ElboLfIzs2hNQGW1qZe-lXQUffM>
Subject: [dtn] AD review of draft-ietf-dtn-bpsec-10
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 23:01:29 -0000
Hi, I have now done my AD review of draft-ietf-dtn-bpsec-10. I want to point out that I am going to ask about the reasons behind certain choices in the document. Note the intention here is not to change what your specified but to understand the choices made. 1. Section 1.2: It is expected that separate documents will be standardized to define security contexts and cipher suites compatible with BPSec, to include those that should be used to assess interoperability and those fit for operational use in various network scenarios. As the WG actually have one example specification for a security context and cipher suits, it would be good to reference this so that people realize that it exist and can be looked at in parallel. 2. Section 1.4: I am missing a term for the receiver / target either if that is any holder of the security context or an intended bundle receiver, in other words the peer to security source. 3. Section 3.1: The BIB is used to ensure the integrity of its plain-text security target(s). The integrity information in the BIB MAY be verified by any node along the bundle path from the BIB security source to the bundle destination. Security-aware waypoints add or remove BIBs from bundles in accordance with their security policy. BIBs are never used to sign the cipher- text provided by a BCB. This is only part of a conflict between the order between BIB and BCB processing and the possibility for a node along the Bundle path to verify the integrity of parts of the bundle. So my thoughts here is that bundle sender has two security contexts. One with the receiver that it will use to secure the BUNDLE Payload and other Blocks that are of end-to-end nature and not needed on path. Then I will have another security context that a set of the bundle forwarding nodes share so that they can verify the bundle being sent. However, to my understanding this is not possible as any BIB using the second context can't use encrypted payload block as its input. So although the documents talks about this, it appears to have limited utility. Any comments about this limited utility? 4. Section 3.2: Security operations in a bundle MUST be unique; the same security service MUST NOT be applied to a security target more than once in a bundle. This uniqueness requirement, isn't this missing a dependency on security context? To me there appear that being able to use more than one security context has some benefits, or is it making things to complex, or are there other reasons? 5. Section 3.6: Security Context Flags: What is the meaning of the Reserved bits? What should the sender and receiver do with these bits. Can they be assigned in the future? 6. Section 3.8: The Security Context Id MUST utilize a confidentiality cipher that provides authenticated encryption with associated data (AEAD). Why is AEAD a requirement? If the requirement is that no confidentiality without integrity, then that can be stated in an other way than requiring AEAD. 7. Section 3: Looking at the BIB and how it is structured and how the signature is created and stored with one signature per block implies that any on path attacker can remove individual blocks without it being noticed. So aren't there a missing possibility to create a BIB that actually ensures that if it validates a set of blocks was correctly provided? I know that with the current mechanisms such a BIB could be stripped. However, such a block could easily be required in a security policy for a particular deployment. Was such aspects considered? 8. Section 3.9: o When adding a BCB to a bundle, if some (or all) of the security targets of the BCB match some (but not all) of the security targets of a BIB, then a new BIB MUST be created and all entries relating to those BCB security targets MUST be moved from the original BIB to the newly created BIB. This comment is linked to the pervious one. When reading this, I had a hard time to understand what "moved" in the above text actually meant. Finally I realized that you could actually move a signature from one BIB to another. I think this could be made a bit clearer. 9. Section 3.10: Individual BPSec security context identifiers SHOULD use existing registries of identifiers and CBOR encodings, such as those defined in [RFC8152], whenever possible. Contexts SHOULD define their own identifiers and CBOR encodings when necessary. I find the above paragraph unclear. I think one part is what "security context identifiers". 10. Section 5.1.1: If the receiving node is not the destination of the bundle, the node MUST decrypt the BCB if directed to do so as a matter of security policy. I think this is an example of the unclarity of who is to process a particular security block, because I don't understand how the node will be able to do this. 11. Section 11: A registry of security context identifiers will be required. If you need a registry for security context identifiers then you need to create it and defines its rules. Cheers Magnus Westerlund
- [dtn] AD review of draft-ietf-dtn-bpsec-10 Magnus Westerlund
- Re: [dtn] AD review of draft-ietf-dtn-bpsec-10 Magnus Westerlund
- Re: [dtn] AD review of draft-ietf-dtn-bpsec-10 Magnus Westerlund