IETF Logo Mail Archive

Re: [dtn] custody transfer I-D

"Burleigh, Scott C (312B)" <scott.c.burleigh@jpl.nasa.gov> Fri, 23 June 2017 13:55 UTC

Return-Path: <scott.c.burleigh@jpl.nasa.gov>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C145D12941D for <dtn@ietfa.amsl.com>; Fri, 23 Jun 2017 06:55:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GO7g6leQurEA for <dtn@ietfa.amsl.com>; Fri, 23 Jun 2017 06:55:36 -0700 (PDT)
Received: from mail.jpl.nasa.gov (sentrion3.jpl.nasa.gov [128.149.139.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A4FE128B88 for <dtn@ietf.org>; Fri, 23 Jun 2017 06:55:36 -0700 (PDT)
Received: from mail.jpl.nasa.gov (ap-ehub-sp02.jpl.nasa.gov [128.149.137.149]) by smtp.jpl.nasa.gov (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id v5NDtZN8005432 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256 bits) verified NO) for <dtn@ietf.org>; Fri, 23 Jun 2017 06:55:35 -0700
Received: from AP-EMBX-SP40.RES.AD.JPL ([169.254.7.235]) by ap-ehub-sp02.RES.AD.JPL ([fe80::dd85:7b07:1e36:7e3c%15]) with mapi id 14.03.0319.002; Fri, 23 Jun 2017 06:55:23 -0700
From: "Burleigh, Scott C (312B)" <scott.c.burleigh@jpl.nasa.gov>
To: "dtn@ietf.org" <dtn@ietf.org>
Thread-Topic: [dtn] custody transfer I-D
Thread-Index: AdLrr943GKSFsaKYTMi2c8y/+MQI0AAQYmuAAA5EkOD//5xDgP//otLw
Date: Fri, 23 Jun 2017 13:55:23 +0000
Message-ID: <A5BEAD028815CB40A32A5669CF737C3B8AF04154@ap-embx-sp40.RES.AD.JPL>
References: <A5BEAD028815CB40A32A5669CF737C3B8AF03E12@ap-embx-sp40.RES.AD.JPL> <1290964186.2627.1498177321503@mail.yahoo.com> <A5BEAD028815CB40A32A5669CF737C3B8AF03E6C@ap-embx-sp40.RES.AD.JPL> <1790492564.51223.1498180416006@mail.yahoo.com>
In-Reply-To: <1790492564.51223.1498180416006@mail.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [207.151.104.72]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Source-Sender: scott.c.burleigh@jpl.nasa.gov
X-AUTH: Authorized
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/Z0AmafB87K9e1jnuSb3hLkJFyaQ>
Subject: Re: [dtn] custody transfer I-D
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jun 2017 13:55:39 -0000

Nope, nested encapsulation is definitely part of the concept, as noted in Section 1.  You make a good point, Lloyd.  In general I think I would rather rely on authentication than routing to ensure network security, but certainly this sort of thing has been an attack vector in the Internet.

-----Original Message-----
From: Lloyd Wood [mailto:lloyd.wood@yahoo.co.uk] 
Sent: Thursday, June 22, 2017 6:14 PM
To: Burleigh, Scott C (312B) <scott.c.burleigh@jpl.nasa.gov>; dtn@ietf.org
Subject: Re: [dtn] custody transfer I-D

Scott,

you can nest encapsulations recursively, not just once. BIBE in BE in BE... at each hop, a decap leads to a bundle specifying the next immediate custody destination. A route is, after all, just a concatenated series of next hops, or in this case of decapped bundles specifying new custody destinations, which the sender can specify by building bundle headers.

Incidentally, being able to do this kind of thing is a massive security concern, which is why source routing keeps getting rediscovered and then abandoned really quickly. Added fun with multicast destinations, too - see e.g. RFC5095 or RFC6554 section 5.

Are you going to say 'we can only tunnel once' or something, and actually expect people to obey that? Do try to think this through.

regards 

Lloyd Wood
http://sat-net.com/L.Wood/dtn

the perpetual motion machine is still broken, I see.
________________________________
From: "Burleigh, Scott C (312B)" <scott.c.burleigh@jpl.nasa.gov>
To: Lloyd Wood <lloyd.wood@yahoo.co.uk>; "dtn@ietf.org" <dtn@ietf.org> 
Sent: Friday, 23 June 2017, 10:38
Subject: Re: [dtn] custody transfer I-D



Thanks for crediting me with such a useful invention!  But actually no I haven't, since the sender doesn't specify the route that the bundle takes through the network -- it only specifies the next-hop proximate destination node, just as with any convergence-layer protocol.


-----Original Message-----
From: Lloyd Wood [mailto:lloyd.wood@yahoo.co.uk] 
Sent: Thursday, June 22, 2017 5:22 PM
To: Burleigh, Scott C (312B) <scott.c.burleigh@jpl.nasa.gov>; dtn@ietf.org
Subject: Re: [dtn] custody transfer I-D

Hi Scott,

You've just reinvented source routing, with added tunnelling overhead for each specified relay/custodian.

https://en.wikipedia.org/wiki/Source_routing

Congratulations! 
Lloyd Wood
http://sat-net.com/L.Wood/dtn


________________________________
From: "Burleigh, Scott C (312B)" <scott.c.burleigh@jpl.nasa.gov>
To: "dtn@ietf.org" <dtn@ietf.org> 
Sent: Friday, 23 June 2017, 10:05
Subject: [dtn] custody transfer I-D




Hi.  A few minutes ago I posted an Internet Draft (https://datatracker.ietf.org/doc/draft-burleigh-dtn-bibect/) presenting an idea I had a couple of months ago for cleanly breaking the Custody Transfer procedures out of BP and into a separate document.

In a nutshell, I suggest that we standardize the Bundle-in-Bundle Encapsulation (BIBE) convergence-layer protocol and build Custody Transfer into it, making BIBE a reliable CL.

I am confident that this sounds insane to most people who are reading this email.  But I think I can actually make a fairly strong case for it.

I’ve been claiming for some time that reliable convergence-layer protocols (TCP, LTP) are the best way to provide end-to-end delivery reliability in DTN.  Custody transfer is not as good because (a) there are no partial NAKs, so the only option on any data loss, no matter how small, is to re-send the entire bundle (which may be hundreds of megabytes); (b) there are no negative ACKs that indicate data loss (custody refusal actually indicates successful data arrival, just at an incapable forwarding point), so recovery from data loss happens only when a timer expires at the current custodian; (c) but it is in the general case impossible to set the timeout value for that timer because no node is ever required to take custody.  You never know (in the general case) who the next custodian will be, so you have no idea what the round-trip time to the next custodian is.

At the same time, Keith Scott has been saying that some important use cases need custody transfer instead of reliable CLAs because no suitable reliable convergence-layer protocol exists: the forward path is unidirectional, the return path is very different, and delay-tolerant hop-by-hop forwarding is needed in one or both.

Suppose we are both exactly right.  Let’s make custodial retransmission a property of a (now reliable) convergence-layer protocol that performs delay-tolerant hop-by-hop forwarding, because the CL’s protocol data units are bundles.  Like BIBE.

In the specification I just posted, BIBE CT works in much the same way that CT works in RFC 5050, only a little simpler.  The outbound bundle forms the payload of an encapsulating bundle destined for the next custodian, which might – but would not have to – be the next BP node on the end-to-end path.  On arrival of the encapsulating bundle at the destination node, the CLA at that node extracts the payload (the original bundle) and decides whether or not to accept custody.  It sends a custody signal back to the sending CLA, either accepting or refusing custody, and on acceptance it passes the payload bundle up to the BPA for processing as usual (forwarding, delivery, etc.).  The sending CLA receives and processes custody signals, destroys its copy of the cited original bundle upon custody acceptance, and re-encapsulates and re-transmits the original bundle upon either custody refusal or timer expiration prior to receipt of a responding custody signal.

I think this formulation offers a lot of advantages:
·        The problem of custodial bundle fragmentation by a non-custodial forwarding node goes away: no node other than the next custodian ever sees the encapsulated bundle, therefore cannot fragment it.  The encapsulating (BIBE) bundle might get fragmented, absolutely, but it gets reassembled at the destination (the next custodian) before any CT processing occurs.  So all of the complexity of fragmentary custody transfer disappears.
·        Custody transfer suddenly becomes compatible with multi-point delivery.  If you use bundle multicast as prototyped in ION, then each copy of the bundle that is forwarded through the multicast tree is (naturally) conveyed using a point-to-point convergence-layer transfer – which could easily be a BIBE transfer with CT requested.
·        Looking out a little further, knowing the identity of the next custodian means that CT can take advantage of bundle delivery time estimation mechanisms (which we prototyped a few years ago) to compute custodial retransmission timeout intervals.  So CT becomes more accurate and efficient as well.
·        The relationship of CT to the rest of BP becomes an extremely clean and simple interface, which can easily be added on to any BP implementation.  Implementation of CT becomes simple and self-contained.
·        Building CT into BIBE gives us a single CL protocol that can provide cross-domain security solutions, provide reliable disruption-tolerant forwarding over unidirectional links, or both.  And yet the protocol is extremely simple, only 13 pages.

It’s radical, but I don’t think it’s wrong.

Scott
_______________________________________________
dtn mailing list
dtn@ietf.org
https://www.ietf.org/mailman/listinfo/dtn

v2.23.0 | Report a Bug | By Email