Re: [dtn] BPbis - mandatory BPsec
"Taylor, Rick" <rick.taylor@airbus.com> Wed, 29 July 2020 13:26 UTC
Return-Path: <rick.taylor@airbus.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 803C83A0B08 for <dtn@ietfa.amsl.com>; Wed, 29 Jul 2020 06:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=airbus.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EfNxYXtNlxyH for <dtn@ietfa.amsl.com>; Wed, 29 Jul 2020 06:26:09 -0700 (PDT)
Received: from mx1.myeers.net (mx1.myeers.net [87.190.7.230]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F9A03A0B0C for <dtn@ietf.org>; Wed, 29 Jul 2020 06:26:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=airbus.com; i=@airbus.com; l=5974; q=dns/txt; s=eers-ng2048; t=1596029166; x=1627565166; h=from:to:subject:date:message-id:references:in-reply-to: mime-version:content-transfer-encoding; bh=b0risPa9sqmNjuIPERLwQtXciiw88ZAfQqqcbkdzxxc=; b=ovTVty50qkOVbyY+I6RnqKnmo2FWb37pBnBnukTV53NE9dT5zxN5vk2r NJkUSMs90/6qHgbPrXXM1RMyxAG08clNuiGnwK/HXVo9Rg+GszrHmbAwG 6nVXwZ/NUzkTNHSTcnfguYjpEBjhpKh8I/kAMY7I0euHQBOjbOuOPt75y 0jvQuCYZjrJXfnkslaUCCYNwWj32f/3DRyr+cUb7OrgpRfPzoB6yQUPEQ HQY0batM+19jqsY/rkVwvj15NXbL5MVY7G+SXExDYgyXIQ5sNsXDeV9+4 f2blPb9UN+8V91Tm6fYxCjEfG4vhEVs5FTeAsyvW1D3u9p5fg77KzSunB g==;
X-IronPort-AV: E=Sophos;i="5.75,410,1589234400"; d="scan'208";a="169700810"
Received: from ec2-44-225-67-40.us-west-2.compute.amazonaws.com (HELO DE0-44HUB-P03.central.mail.corp) ([44.225.67.40]) by de0-03iro-p01-out.myeers.net with ESMTP/TLS/AES256-SHA; 29 Jul 2020 15:26:04 +0200
Received: from esa1e.demail.de.airbusds.corp (10.67.144.33) by DE0-44HUB-P03.central.mail.corp (44.225.67.42) with Microsoft SMTP Server id 15.0.1497.2; Wed, 29 Jul 2020 15:26:01 +0200
Received: from unknown (HELO CD1-4DDAG04-P01.cdmail.common.airbusds.corp) ([10.67.164.150]) by esa1i.demail.de.airbusds.corp with ESMTP; 29 Jul 2020 15:26:01 +0200
Received: from CD1-4BDAG04-P04.cdmail.common.airbusds.corp (10.67.164.149) by CD1-4DDAG04-P01.cdmail.common.airbusds.corp (10.67.164.150) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 29 Jul 2020 15:26:01 +0200
Received: from CD1-4BDAG04-P04.cdmail.common.airbusds.corp ([10.67.164.149]) by CD1-4BDAG04-P04.cdmail.common.airbusds.corp ([10.67.164.149]) with mapi id 15.00.1473.003; Wed, 29 Jul 2020 15:26:01 +0200
From: "Taylor, Rick" <rick.taylor@airbus.com>
To: "R. Atkinson" <rja.lists@gmail.com>, DTN WG <dtn@ietf.org>
Thread-Topic: [dtn] BPbis - mandatory BPsec
Thread-Index: AdZlQfyYScJX39unS4SzUmv6/KTwUwAV76oAAARf8vA=
Date: Wed, 29 Jul 2020 13:26:01 +0000
Message-ID: <4fc0e08e4d704dd39f9a21d0f9cc897b@CD1-4BDAG04-P04.cdmail.common.airbusds.corp>
References: <4da9776f577e4f09b5e8d248437e5f3a@jpl.nasa.gov> <EA340974-935B-4343-9E4B-4CC00040FB6A@gmail.com>
In-Reply-To: <EA340974-935B-4343-9E4B-4CC00040FB6A@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-bromium-msgid: 6c3ef6e1-167b-4df2-a323-e7e33cbb70b8
dlp-product: dlpe-windows
dlp-version: 11.3.2.8
dlp-reaction: no-action
x-titus_label: N
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiIyIsImlkIjoiMjUzNWQwZTctYTAyNy00YmU0LWFkOTUtOTJiMjYyYTlkNThhIiwicHJvcHMiOlt7Im4iOiJMQUJFTCIsInZhbHMiOlt7InZhbHVlIjoiTiJ9XX0seyJuIjoiRGVDIiwidmFscyI6W119LHsibiI6IkwxIiwidmFscyI6W119LHsibiI6IkwyIiwidmFscyI6W119LHsibiI6IkwzIiwidmFscyI6W119LHsibiI6IkNDQVYiLCJ2YWxzIjpbXX0seyJuIjoiTDQiLCJ2YWxzIjpbXX0seyJuIjoiRUNGIiwidmFscyI6W3sidmFsdWUiOiJZIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE5LjMuMjAwNy4yIiwiVHJ1c3RlZExhYmVsSGFzaCI6IitQSDFvNENMcU1QMjdGV2t1c0FEdFcxVjFmalZyaHBoSDhYZHJvY1hlRkRGMXFqRHpablNPQnN5eGRmd2Y4Mm8ifQ==
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
X-TM-SNTS-SMTP: F665FED6D1ACD86C3A5163DEFBEA5BE79569AB46A4EC9553095028CECB253D202000:8
X-GM-Security: forwarded
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/aEz33IBH3OJtBLSnTg1AjaAiHLs>
Subject: Re: [dtn] BPbis - mandatory BPsec
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 13:26:11 -0000
Ran, +1 (personal opinion, not chair) I think that text is excellent, and is an elegant way of capturing what I believe the best way forward is, namely: * If you do not want security, you do not have to use cryptography, but don't blame us if your secrets leak. * If you do want security, you MUST use BPSec, don't go inventing something else, it's hard to get right and we think we have got it right. Sorry for the top-post. Cheers, Rick Rick Taylor Product Design Authority, Mobile IP Node/PlexOS Principal Engineer (eXpert), Mobile Communications Airbus Defence and Space Celtic Springs Coedkernew Newport NP10 8FZ Phone: +44 (0) 1633 71 5637 rick.taylor@airbus.com www.airbusdefenceandspace.com THIS DOCUMENT IS NOT SUBJECT TO EXPORT CONTROL. -----Original Message----- From: dtn [mailto:dtn-bounces@ietf.org] On Behalf Of R. Atkinson Sent: Wednesday, July 29, 2020 2:17 PM To: DTN WG <dtn@ietf.org> Subject: Re: [dtn] BPbis - mandatory BPsec All, The usual and decades-long IETF practice is that “security is mandatory to implement, but optional to use”. If security is NOT mandatory to implement, then experience shows it is unlikely to be widely available for users (or sessions) who wish to use security. All that noted, I think Edward Birrane at JHU/APL had a possibly useful construct: % I agree that a BPA which does not source, verify, or accept security blocks % does not need to implement BPSec. I would invert that sentence, but (I think) keep the same intention. I propose adding the quoted two sentences just below to the Security Considerations: “A Bundle Protocol Agent (BPA) which sources, verifies, and/or accepts a Bundle MUST IMPLEMENT support for BPsec. Use of BPsec for a particular Bundle Protocol session is optional.” This means that any BPA which doesn’t provide any of those (source/verify/accept) services need not implement BPsec. For example, a pure forwarder would not need to implement BPsec. The text above tries to crisply differentiate implementation from actual use by any particular BP session, in part because long-standing IETF practice is to levy requirements on implementations but (generally) avoid specifying mandatory operational practices (e.g., RPF filtering for IP routes is a BCP but is not a hard requirement.) In the context of BP and DTN, it is easy to imagine deployments/environments where high-assurance link-layer communications security might be provided, thereby significantly reducing the potential value of BPsec for a given BP session. I think the text above will go a long way towards keeping the IETF Security Area happy and greatly reducing the chances of security-related objections during the approval process. I really think some form of “mandatory to implement” text for BPsec is important. Yours, Ran > On Jul 28, 2020, at 20:49, Burleigh, Scott C (US 312B) <scott.c.burleigh=40jpl.nasa.gov@dmarc.ietf.org> wrote: > > Hi. At IETF-108 there was discussion on whether implementation of the BPsec security extensions should be mandatory in every BP node. Version 26 of the BPbis I-D (now posted) includes some revision to the first paragraph of section 9.0 to address this question. It would be helpful to discover the WG consensus on this matter. > > Please use this thread for your comments. > > Scott > _______________________________________________ > dtn mailing list > dtn@ietf.org > https://www.ietf.org/mailman/listinfo/dtn _______________________________________________ dtn mailing list dtn@ietf.org https://www.ietf.org/mailman/listinfo/dtn This email and its attachments may contain confidential and/or privileged information. If you have received them in error you must not use, copy or disclose their content to any person. Please notify the sender immediately and then delete this email from your system. This e-mail has been scanned for viruses, but it is the responsibility of the recipient to conduct their own security measures. Airbus Operations Limited is not liable for any loss or damage arising from the receipt or use of this e-mail. Airbus Operations Limited, a company registered in England and Wales, registration number, 3468788. Registered office: Pegasus House, Aerospace Avenue, Filton, Bristol, BS34 7PA, UK.
- [dtn] BPbis - mandatory BPsec Burleigh, Scott C (US 312B)
- Re: [dtn] BPbis - mandatory BPsec R. Atkinson
- Re: [dtn] BPbis - mandatory BPsec Taylor, Rick
- Re: [dtn] BPbis - mandatory BPsec Birrane, Edward J.
- Re: [dtn] BPbis - mandatory BPsec ronnybull
- [dtn] BPsec -22, Section 9.1 R. Atkinson
- [dtn] Fwd: BPsec -22, Section 9.1 R. Atkinson
- Re: [dtn] Fwd: BPsec -22, Section 9.1 Birrane, Edward J.