IETF Logo Mail Archive

[dtn] AD evaluation of draft-ietf-dtn-bpbis-13

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 05 July 2019 14:06 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 279E21200B2; Fri, 5 Jul 2019 07:06:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXyHHF0pMv6U; Fri, 5 Jul 2019 07:06:13 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50069.outbound.protection.outlook.com [40.107.5.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69D37120026; Fri, 5 Jul 2019 07:06:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=S8dwlL3Pw6BISAcp/GZSKoopIcQWtuVvfZXqDcP1P+0=; b=EDhWyKmbsyO9j6xW76iRUPakEtd4UkEeaWmfcX7ZPUrXlDHjFKObianSSu2LnclV/SJ6MixCO9fbNu9Ld8NELY4X4PU5ncUFwG2x+DQ1uJEx1RJwuaKChlA7hy4YzYLkCHZ2i7h9PjRree6AOoNKZhe1tHhDEUWHAySn/F0BbrE=
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com (10.168.128.149) by HE1PR0701MB2698.eurprd07.prod.outlook.com (10.168.186.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2052.14; Fri, 5 Jul 2019 14:06:07 +0000
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::3418:2814:2ee2:a22b]) by HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::3418:2814:2ee2:a22b%4]) with mapi id 15.20.2073.004; Fri, 5 Jul 2019 14:06:07 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "dtn@ietf.org" <dtn@ietf.org>, "draft-ietf-dtn-bpbis@ietf.org" <draft-ietf-dtn-bpbis@ietf.org>
Thread-Topic: AD evaluation of draft-ietf-dtn-bpbis-13
Thread-Index: AdUzOQfkywWzmEnHT4iyH8+qUympAQ==
Date: Fri, 05 Jul 2019 14:06:07 +0000
Message-ID: <HE1PR0701MB25224DF64B2B60A0C655E1CE95F50@HE1PR0701MB2522.eurprd07.prod.outlook.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=magnus.westerlund@ericsson.com;
x-originating-ip: [192.176.1.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a80de122-5950-49e9-ddc1-08d70151ed1a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(49563074)(7193020); SRVR:HE1PR0701MB2698;
x-ms-traffictypediagnostic: HE1PR0701MB2698:
x-microsoft-antispam-prvs: <HE1PR0701MB269829FFBE9926ED1FE776CC95F50@HE1PR0701MB2698.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 008960E8EC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(39860400002)(376002)(366004)(396003)(136003)(189003)(199004)(51444003)(186003)(2501003)(102836004)(99286004)(8676002)(6436002)(6506007)(316002)(53936002)(478600001)(7736002)(9686003)(14454004)(74316002)(54896002)(110136005)(71190400001)(30864003)(68736007)(53946003)(6306002)(33656002)(55016002)(7696005)(99936001)(5660300002)(26005)(71200400001)(66066001)(81166006)(86362001)(66446008)(3846002)(790700001)(6116002)(450100002)(81156014)(25786009)(44832011)(14444005)(486006)(66476007)(66556008)(64756008)(66946007)(66616009)(256004)(73956011)(476003)(52536014)(8936002)(76116006)(2906002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2698; H:HE1PR0701MB2522.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: eA7Y5oYA8K3O2ZeBoxpejpR27k7ic6v9uaGWmDNuz3+XwiIFDLfWdJx2WBuZt53dsBohMDy1tLAvtrHfEUHJWLn2zHNOJAsNd++sYrNYvEySDcDXTUw9Pm0oVHAgfSTI4Y4gBfWoyeIkbJFRdYtjx2SYGymbeSr/5MEgdY1GDhVOPIUhSMeEjn9hyoKv6PuK+UcapiEMiNpjtBhmP3uA5utbj4uCAaBsUhtzy0wdr/JYMvzEcG9UEWhs0G2Bx06FYM8hGIAybaazTQVWvoWhBqWX3kHgyOjvh0p/X8gJt+0dDAJjKeJwAkDcKki+F9/FsIpxi+CHRunaa6+riX7ovDI4t0x2gIoloXIKDR+JIsOAv/B1XHE6CEGO/I2IaULuQtK1+MmDzqtXRCMqqclhkiyyrJBjFrLx0xLfNiX1ZvQ=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0013_01D5334B.8D635A00"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a80de122-5950-49e9-ddc1-08d70151ed1a
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jul 2019 14:06:07.6804 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: magnus.westerlund@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2698
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/Ib6_NgSQJ_7Q_pKwIh54O_fMXWk>
Subject: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2019 14:06:17 -0000

Hi,

 

I have now reviewed this document. Consider that there are a number of
issues that likely need WG discussion I thought I should send out this,
despite that I have not yet reviewed the BPSEC document that appears to be
highly relevant and may result in additional changes needed in this
document. But BPSEC is next in a my review pile. 

 

Also as this area is new, I read the architecture a long time ago so don't
hesitate to clarify if it appears that I am missing things. 

 

 

1. Section 4.1.5.1 and 10 :

 

As this document uses the "dtn" URI scheme and the "dtn" scheme was only
provisional registered by RFC 5050 I think this document should formally
register the DTN URI scheme and thus a new subsection in Section 10 is
needed. 

 

Also, maybe similar effort to move "ipn" to permeant is needed? 

 

2.       Section 4.1.6:

 

I think the format and definition of this field are insufficient. It is
lacking a reference or a normative description of what "Unix Epoch Time" in
an unsigned int format actually is. Is the intention here to simply measure
the number of seconds since the start of year 2000? Which Unix epoch time is
not due to leap seconds. And I become uncertain as UTC time scale is
something else than Unix Epoch time at least when it comes to leap seconds
handling. Due to that Unix Time have discontinuities in the time scale at
leap seconds I would recommend strongly against using it. Select UTC or TAI
depending on where you want the leap second handling pain to exist. 

 

Also, you specified only CBOR unsinged integer which is a representation
that can use 64-bit and thus not have the issues with 32-bit signed integer
seconds epochs that regular unix time has, but that should probably be made
explicit that it is expected to handle that. Even if the first wrap of this
unsigned 32-bit format will not occur until 2136. 

 

And please provide necessary normative references, not informative ones. 

 

 

3.       Section 4.2.2:

 

The Lifetime field appears problematic if the creating node doesn't have a
reliable clock and uses timestamp 0 for all bundles. I think that special
case needs to be discussed. Which it is later done, but there is missing
reference to that. 

 

4.       Section 4.2.2: Report-to EID

 

Is this field set by bundle creator and never changed? It is not clear and
appear to have implications on how this field should be treated. Primarily
considering integrity options over these fields. 

 

5.       Section 4.3.3.

Maximum Hop count upper limit? Can I insert a max UiNT64 here and expect
that to be acceptable? 

 

6.       Section  5.1:

   Under some circumstances, the requesting of status reports could
   result in an unacceptable increase in the bundle traffic in the
   network. For this reason, the generation of status reports MUST be
   disabled by default and enabled only when the risk of excessive
   network traffic is deemed acceptable.

 

I find the above paragraph rather unclear. First of all what are the
circumstances. Secondly, shouldn't the type of status report requested be
discussed. What I can see the different types results in at most 1, N-1 or N
times the number of sent bundles with the status report set depending on
type, where N is the number of nodes on the path including receiving
endpoint. 

 

So are there any recommendations to when it might be acceptable to request
status delivery. To me it appears the trace route like options, like
forwarding status report should only be used on a small number of bundles
sent for debuging or monitoring purposes. 

 

Use of the bundle deletion status report appear to have other motivations
for its use. I assume that this is fine for cases when it occurs for a small
fraction of the bundles for some reasons, but when you have real failures on
next hop links it appears that this may cause high volumes of deletion. Thus
a rate limitation makes sense. I assume that this is one of the not
specified reasons  the below paragraph indicates: 

 

   When the generation of status reports is enabled, the decision on
   whether or not to generate a requested status report is left to the
   discretion of the bundle protocol agent. Mechanisms that could
   assist in making such decisions, such as pre-placed agreements
   authorizing the generation of status reports under specified
   circumstances, are beyond the scope of this specification.

 

7.       Section 5.3:

 

   Step 1: If the bundle's destination endpoint is an endpoint of which
   the node is a member, the bundle delivery procedure defined in
   Section 5.7 MUST be followed and for the purposes of all subsequent
   processing of this bundle at this node the node's membership in the
   bundle's destination endpoint SHALL be disavowed.

 

I don't understand why and what implications the disavowing has for a local
bundle being dispatched from a member node part of the destination. 

 

8.       Section 5.4

 

   Step 3: If forwarding of the bundle is determined to be
   contraindicated for any of the reasons listed in Figure 4, then the
   Forwarding Contraindicated procedure defined in Section 5.4.1 MUST
   be followed; the remaining steps of Section 5 are skipped at this
   time.

 

Should that last Section 5 be Section 5.4?

 

9.       Section 6.1.1

What does Destination endpoint ID unintelligible actually mean? 

Same with Block unintelligible.

 

Are these the combination for corrupted blocks or EIDs? Are there a point of
separating out the case where the CRC indicate a corruption?

 

10.   Section 7.2

 

So the service description appears very high level. How is the actual
interface working when it comes to dealing with that there is either
possibility to send, as well as rate control in the API. When can more data
be accepted and when is the convergence layer not ready. Also don't the
Bundle Agent need a signal when this side thinks it has delivered as a
signal of when the forwarding has completed? 

 

I was expecting this section to actually be explicit about what
functionalities the Bundle Agent really need from the convergence layer. 

 

11.   Section 9

 

I think this section needs to be more explicit about mandating
implementation support for BPSEC. The IETF do not publish a protocol today
that doesn't have a mandatory to implement security solutions for the
protocol's major properties. In this case communication security, i.e.
confidentiality, integrity and authentication of the data communicated is
very relevant. I have not yet read BPSEC so I may have additional concerns
about that issues are not handled in the combined protocol. I hope the BPSEC
has some discussion of the privacy properties of the protocol. 

 

12.   Section 9:

   Additionally, convergence-layer protocols that ensure authenticity

   of communication between adjacent nodes in BP network topology

   SHOULD be used where available, to minimize the ability of

   unauthenticated nodes to introduce inauthentic traffic into the

   network.

 

In this context wouldn't it be reasonable to also recommend using encryption
on the convergence layer to avoid eavsedropping on the part that is in clear
and prevent traffic analysis by third parties? 

 

13.   Section 9. 

 

   Note that the generation of bundle status reports is disabled by

   default because malicious initiation of bundle status reporting

   could result in the transmission of extremely large numbers of

   bundle, effecting a denial of service attack.

 

I think there is a clear lack of mitigations proposed for this issue. As I
mentioned in Issue 6 I think one both needs to consider amount of generated
traffic versus utility for the sender. Also I will have to read BPSec to
understand what integrity and source authentication there is of the request
for status reports. Next is the issue of rate limiting and prioritization of
status reports versus other bundles. Also due to the multi-hop store and
forward nature of this protocol the actual bottle neck may only occur
several hops towards the receiver. What can be said about dropping status
reports versus other bundles when there is a resource contention, either in
storage or in convergence layers capability of forwarding messages within
time. 

 

14.   Section 6

I fail to see any discussion of how the sender of a status report should set
the lifetime and max hop. Can it actually take that information from the
Bundle it is reporting on? 

 

15.   Section 10.

 

I think this section needs to be clearer. Several improvements that can be
made. 

 

*         I recommend individual sub-sections per registry operation

*         Can you be clearer in references to point to specific sections of
definitions that makes it simpler to find the relevant from the IANA
registry? 

 

More specific parts.

 

   This document defines the following additional Bundle Protocol block

   types, for which values are to be assigned from the Bundle

   Administrative Record Types namespace [RFC6255]:

 

First of all according to the registry, this registry is actually created by
RFC 7116. 

 

This and the observation that the things you attempt to register in this
registry you are actual called Bundle Block Types in your document. Thus, I
have to ask are you actually addressing the right registry, or is the issue
that you actually need per version specific registries for example Bundle
Block Types? If it is the later, then lets define new registries. Possibly
there should be a new major page for BPv7. Not having read all the old
documents, you likely have to consider which registries are version specific
and which are not. 

 

16. Section 10: 

 

For the new registry, do you have any requirements for registrations that
should be written out. And in addition any criteria you want the expert to
consider when approving or rejecting registries? And is this registry
version 7 specific or not? 

 

17.   Section 4.1.1:

 

The CRCs are lacking proper normative references. Needed for both 1 and 2.
Note that you have [CRC] that is currently unused. 

 

18.   Section 11.2:

[BPSEC] is a normative reference.

[RFC6255] is normatively referenced for their registration procedures. 

 

19.   Section 13, Section 4.2.2

 

This Section 13 item was something I wondered over:

 

     . Restructure primary block, making it immutable.  Add optional

        CRC.

 

Did I simply miss where that is said in the context of Section 4.2.2? 

 

20.   Optional CRCs

 

Why are the primary block CRC optional? I assume the intention with it is to
do a verification that the primarily block with the addressing information
hasn't become corrupted in the transmission between nodes, similar to the
checksums we have in other protocols. Under which conditions will not using
it be a reasonable idea? Are you expecting other mechanisms to cover for it,
or are you reasoning that having corrupted bundles being delivered to the
wrong places is not an issue? As the primarily block is the main addressing
part, I would think the considerations that went into discussion of the
(almost) always usage of the UDP checksum for IPv6 applies here. Also the
implications for corruptions and cost in some DTNs for stray data appears
quite high. 

 

 

Cheers

 

Magnus Westerlund

v2.23.0 | Report a Bug | By Email