Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf-dtn-bpsec-18: (with DISCUSS and COMMENT)

"R. Atkinson" <rja.lists@gmail.com> Thu, 13 February 2020 22:16 UTC

Return-Path: <rja.lists@gmail.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5648120822; Thu, 13 Feb 2020 14:16:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vLceZnHK4Qiv; Thu, 13 Feb 2020 14:16:32 -0800 (PST)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44ED0120801; Thu, 13 Feb 2020 14:16:32 -0800 (PST)
Received: by mail-qt1-x831.google.com with SMTP id e21so5615642qtp.13; Thu, 13 Feb 2020 14:16:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=LA6zD5nU+dT991JTL9dlVEx9X3NSDH4XLPGveBv/PyA=; b=V+hC0hMP7mEVn1hbCDJTF0ZR2Uw/j/VIBkcutTJoxrDPlN/J7q6UvsdaHqsRUgDcSZ 35QrzZm2CF5quOSdsZ0jee+4bjSqJpyuapbbyoLJzZ240nfYjKm3zRjQgPobmkPN703f 7zEo9aOBiIQmd376hpeVHnX8R3sR3F+4EMZUASDpSW1S0FHPAjiho0dcCXCj4uoe6rV4 kdLdUKpkcIvzxjyJ4TgOKL7QRxRj5HuaHPWIB/QUQLTY1SuRdW9r+f06wSMmXkPkVCjd BJERjWkPu5fHic6Nc2Ape1zolHuHgNBLtQR1Fr4vGK55lzPDRmuppmYsa+1X7JAMkP66 S1WA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=LA6zD5nU+dT991JTL9dlVEx9X3NSDH4XLPGveBv/PyA=; b=KHN5qiKJHkdHqAfolQarMg6Ern205QmYjQihpuOpt0QGuA/FQm/VZ19CcpZgp+bWHL 9dczSH05HKJy33FpbsEq6fnslXLJy7YZHYgKblplWc766rW6dJa8+1jlT09MkjieEp4c IJweoGPvyJt+B9/sE59XDOrGlSKgUDb/Uj8O4GzlBGk8AfAitoUA4l4h6z1bKFGRuVc4 EedcwyhoJh+WLdqBjrhDlwJAcLiIuqgIyV+qdJotuNC/0UtVT7OZ+SD5i2vFPPv9TasD 5D9d6U8ii+C/0z1EidH/JnZF9AvUi7fAD3hm5EplLDpscLQYzgtRdUWL9pbs39G5ieqE pACQ==
X-Gm-Message-State: APjAAAUtH1nmeR3FtH1SN/VUicFkuLKLcX4dMS4Vh1XzfLlaSW/U6TM0 Y2DQ65swRHEMNGVbaIXwf8CdLkFe
X-Google-Smtp-Source: APXvYqzu6K+XjGrOb845kl9CcJVt/xzHf0A8+9t9WeYB6bmTxj9EThiTmHKoSGjiSM0fpdEnypNcew==
X-Received: by 2002:aed:3242:: with SMTP id y60mr217651qtd.254.1581632191196; Thu, 13 Feb 2020 14:16:31 -0800 (PST)
Received: from [10.30.20.11] (pool-72-83-171-38.washdc.east.verizon.net. [72.83.171.38]) by smtp.gmail.com with ESMTPSA id t29sm2020726qkm.27.2020.02.13.14.16.30 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Feb 2020 14:16:30 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: "R. Atkinson" <rja.lists@gmail.com>
In-Reply-To: <820D95D0-F645-4551-9AE8-D30E49A2DD0E@antarateknik.com>
Date: Thu, 13 Feb 2020 17:16:30 -0500
Cc: The IESG <iesg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8A9F9AE8-18B3-4218-B8F5-D248BA4DF221@gmail.com>
References: <158072863257.28637.8806505241822600245.idtracker@ietfa.amsl.com> <035730f96e28463a8141b026079bf3c3@aplex01.dom1.jhuapl.edu> <DE73788D-7E72-4246-B996-7F79AC805B87@kuehlewind.net> <820D95D0-F645-4551-9AE8-D30E49A2DD0E@antarateknik.com>
To: DTN WG <dtn@ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/XdLSdKBJUA0qlL1fH34ZyKmH-Ws>
Subject: Re: [dtn] =?utf-8?q?Mirja_K=C3=BChlewind=27s_Discuss_on_draft-ietf-d?= =?utf-8?q?tn-bpsec-18=3A_=28with_DISCUSS_and_COMMENT=29?=
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Feb 2020 22:16:39 -0000

All,

I think it quite reasonable for the WG to define at least one "mandatory-to-implement" (i.e., NOT mandatory to use) set of security algorithms/modes for BPsec — and I think it quite reasonable for the IESG to require that the WG make such a choice.

The IETF has at least 30 years of experience that if at least one “mandatory-to-implement” security profile is NOT required/specified, then non-interoperability is the actual result.  In this case, non-interoperability would mean that two different systems who DO wish to use BPsec between themselves actually cannot use it — because of disjoint algorithms/modes having been implemented in the different implementations.

I’m not terribly particular about which algorithms/modes the WG picks, although choosing algorithms/modes readily available in open-source libraries (for example: the OpenSSL library) does simplify life for implementers.

Yours,

Ran

> On Feb 11, 2020, at 11:37, Mehmet Adalier <madalier@antarateknik.com> wrote:
> 
> While it is possible to find such a minimal requirement, I do not believe that one is required at the BPsec protocol level.
> I'd also like to recommend that the BPsec RFC does not specify a "minimum" interoperability context.
> 
> Depending on the use-case, interoperable contexts can be defined as other specifications. 
> 
> An example is appropriate CCSDS books which indicate interoperable contexts. . Another example is the International Communication System Interoperability Standards (ICSIS).
> 
> Mehmet
> 
> 
> On 2/11/20, 4:04 AM, "dtn on behalf of Mirja Kuehlewind" <dtn-bounces@ietf.org on behalf of ietf@kuehlewind.net> wrote:
> 
>    Hi Ed,
> 
>    Thanks for the new text section 9.1. Reading this text I would to confirm one more thing: I understand that the best choice for the security context can be very different, however, the point of interoperability is to have at least one available, that might not be optimal but it better than none. Having one common security context required would also simply mean that each implementation would need to support that and therefore it becomes much easier for people to reply BPSec if the provided one is suitable. Is it not possible to find such a minimal requirement?
> 
>    Mirja
> 
> 
> 
>> On 8. Feb 2020, at 01:23, Birrane, Edward J. <Edward.Birrane@jhuapl.edu> wrote:
>> 
>> Mirja,
>> 
>> Thank you for the review. I have updated a new version of BPSEC  (BPSEC20) which attempts to address your DISCUSS and COMMENTS below.
>> 
>> Specific comments are in-line below.  I have enumerated the Discuss items as **D# and the comment items as **C# to aid in referencing these points going forward.
>> 
>> -Ed
>> 
>> ---
>> Edward J. Birrane, III, Ph.D.
>> Embedded Applications Group Supervisor
>> Space Exploration Sector
>> Johns Hopkins Applied Physics Laboratory
>> (W) 443-778-7423 / (F) 443-228-3839
>> 
>> 
>> 
>>> -----Original Message-----
>>> From: Mirja Kühlewind via Datatracker <noreply@ietf.org>
>>> Sent: Monday, February 03, 2020 6:17 AM
>>> To: The IESG <iesg@ietf.org>
>>> Cc: draft-ietf-dtn-bpsec@ietf.org; Scott Burleigh
>>> <Scott.C.Burleigh@jpl.nasa.gov>ov>; dtn-chairs@ietf.org;
>>> Scott.C.Burleigh@jpl.nasa.gov; dtn@ietf.org
>>> Subject: [EXT] Mirja Kühlewind's Discuss on draft-ietf-dtn-bpsec-18: (with
>>> DISCUSS and COMMENT)
>>> 
>>> APL external email warning: Verify sender noreply@ietf.org before clicking
>>> links or attachments
>>> 
>>> Mirja Kühlewind has entered the following ballot position for
>>> draft-ietf-dtn-bpsec-18: Discuss
>>> 
>>> When responding, please keep the subject line intact and reply to all email
>>> addresses included in the To and CC lines. (Feel free to cut this introductory
>>> paragraph, however.)
>>> 
>>> 
>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>> 
>>> 
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-dtn-bpsec/
>>> 
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> 
>>> Sec 1.2 says:
>>> "A sample security
>>>  context has been defined ([I-D.ietf-dtn-bpsec-interop-sc]) to support
>>>  interoperability testing and serve as an exemplar for how security
>>>  contexts should be defined for this specification."
>>> However I don't really understand how interoperability can be reached if
>>> there is not at least one security context that is mandatory to implement in
>>> this draft (especially as ietf-dtn-bpsec-interop-sc is expired for more than
>>> half a year already)...?
>> 
>> **D1: I have added a new Section 9.1 to BPSEC20 which describes the desired approach to BPSec and security contexts.  I have also updated ietf-dtn-bpsec-interop-sc which should be going into WG last call.
>> 
>>> 
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>> 
>>> Please use the updated disclaimer in rfc8174.
>>> 
>> 
>> **C1: Agreed. The disclaimer has been updated in BPSEC20.
>> 
>> -Ed
>> 
> 
>    _______________________________________________
>    dtn mailing list
>    dtn@ietf.org
>    https://www.ietf.org/mailman/listinfo/dtn
> 
> 
> 
> _______________________________________________
> dtn mailing list
> dtn@ietf.org
> https://www.ietf.org/mailman/listinfo/dtn