IETF Logo Mail Archive

Re: [dtn] [EXTERNAL] Benjamin Kaduk's Discuss on draft-ietf-dtn-bpbis-22: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Wed, 26 February 2020 23:51 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 225143A0C29; Wed, 26 Feb 2020 15:51:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NMvQpYoESyFX; Wed, 26 Feb 2020 15:51:27 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 647E23A0C08; Wed, 26 Feb 2020 15:51:27 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 01QNpCT0022865 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 26 Feb 2020 18:51:14 -0500
Date: Wed, 26 Feb 2020 15:51:12 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Cc: "scott.c.burleigh=40jpl.nasa.gov@dmarc.ietf.org" <scott.c.burleigh=40jpl.nasa.gov@dmarc.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-dtn-bpbis@ietf.org" <draft-ietf-dtn-bpbis@ietf.org>, "dtn-chairs@ietf.org" <dtn-chairs@ietf.org>, "dtn@ietf.org" <dtn@ietf.org>, "fred.l.templin@boeing.com" <fred.l.templin@boeing.com>
Message-ID: <20200226235112.GZ56312@kduck.mit.edu>
References: <158095903452.30594.18160625444164563541.idtracker@ietfa.amsl.com> <803a0379e44449a98c4a3900c2b2a78d@jpl.nasa.gov> <0d0c64c87a1ef89b6bada352182c831f66c279ed.camel@ericsson.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0d0c64c87a1ef89b6bada352182c831f66c279ed.camel@ericsson.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/exM1cjmOGJbjJAOWZbKfkKkzFdM>
Subject: Re: [dtn] [EXTERNAL] Benjamin Kaduk's Discuss on draft-ietf-dtn-bpbis-22: (with DISCUSS and COMMENT)
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 23:51:31 -0000

Hi Magnus,

On Mon, Feb 10, 2020 at 11:07:24AM +0000, Magnus Westerlund wrote:
> Hi,
> 
> Some comments and suggestions below regarding the mandatory security and the
> relationship of DTN specifications. 
> 
> On Fri, 2020-02-07 at 04:46 +0000, Burleigh, Scott C (US 312B) wrote:
> > Thanks for the very close reading, Ben.  Responses in-line below.
> > 
> > -----Original Message-----
> > From: Benjamin Kaduk via Datatracker <noreply@ietf.org> 
> > Sent: Wednesday, February 5, 2020 7:17 PM
> > To: The IESG <iesg@ietf.org>
> > Cc: draft-ietf-dtn-bpbis@ietf.org; Fred Templin <fred.l.templin@boeing.com>; 
> > dtn-chairs@ietf.org; fred.l.templin@boeing.com; dtn@ietf.org
> > Subject: [EXTERNAL] Benjamin Kaduk's Discuss on draft-ietf-dtn-bpbis-22: (with
> > DISCUSS and COMMENT)
> > 
> > Benjamin Kaduk has entered the following ballot position for
> > draft-ietf-dtn-bpbis-22: Discuss
> > 
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> > 
> > I support Roman's Discuss.
> > 
> > (1) It's not clear to me that we should be defining new (near-)application-
> > layer protocols on the standards track without mandatory security
> > mechanisms.  Even draft-ietf-dtn-bpsec defines a "BPSec threat model" that is
> > largly the same as the RFC 3552 threat model, in which the network is
> > completely untrusted and to provide end-to-end communications we must supply
> > additional security mechanisms, yet BPSec is not required to implement or
> > use.  I could perhaps see room for allowing waypoint nodes that do not act as
> > endpoints to remain security-unaware, but the justification for security-
> > unaware endpoints seems quite lacking.
> > 
> > 	The consensus position of the WG, I believe, is that BP may in some
> > cases be deployed in closed, highly resource-constrained systems where the
> > overhead of implementing, much less using, the security mechanisms would be
> > considered both prohibitive and needless.  For such environments, making those
> > mechanisms mandatory might result in either non-adoption of the IETF standard
> > or adoption of a non-compliant implementation, both undesirable.
> > 	The specification can easily be revised to require the implementation of
> > BPsec, but I think that shouldn't be done until the WG has reached a revised
> > consensus.
> 
> Yes, I think this question is important to discuss in the WG. However, I think

Definitely; I don't want to have this just coming from the IESG.

> so far it has been quite clear that deploying without a security solution in
> place is generally a bad idea. So from my perspective BPSec needs to be at least
> a SHOULD with a very tightly worded escape clause. I thinka a MUST would be
> better. I will note that BPSec will need to have a default to implement crypto
> context. I think that is more relevant to profile in some specific deployement
> environments if resource constraints is the issue. 
> 
> Ben, what are your opinions on these two parts.
> 
> a) Having a SHOULD with a tightly worded escape clause or do think a MUST is
> required? 

Conceptually what I want is "MUST have some reasonable security story,
and bpsec is fine for most people".  But of course, "reasonable" is not a
useful word in a protocol spec, so we may end up with just the
SHOULD-with-narrow-escape-clause.  If we can think up a wording that is
closer to "deployment MUST provide security services that SHOULD be bpsec
absent other considerations", even better.

> b) Having a default MTI algorithm to implement, but making clear that specific
> usages of the protocol may use a profile targeted to their envirionment. However
> not having a common MTI can result in non-interoperable islands. I think BPSec-
> 19 made the need for a algorithm clear. The only addition I would add would be
> to point to a specific solution unless you have requirements that says that you
> should have another MTI. 

This sounds good to me.

> 
> Maybe what is missing in BPBis is a section making it clear what is actually
> required to be using BPv7. Becasue at a minimal a secure deployment needs:
> 
> Existing in WG drafts
> - BPv7
> - BPSec
> - Crypto Context (crypto algorithm specification)
> - Convergence layer(s)
> 
> Parts that are not yet adopted as WG items are:
> - Addressing and Routing mechanism 
> - Key-exchange
> 
> However, the WG has clearly shown a desire to work on these parts and some
> additional to make this a more usable protocol. The WG has discussed the
> following work for an upcoming WG recharter:
> 
> Bundle Protocol Additional Blocks
>    Bundle-in-Bundle Encapsulation (D)
>    Manifest block
> Neighbor Discovery (X)
> Naming and Addressing
>    Naming (X)
>    Addressing (X)
>    Registry of Service Identifiers
> Asynchronous Management
>    AMA Application Data
> Model (ADM) (D)
>    Asynchronous Management Protocol (D)
>    Asynchronous Management
> Protocol Agent ADM (D)
>    Various protocol components agent ADM (D)
> Security Key
> Management (D)
> Additional Convergence Layers (X)
> 
> Legend:
> D an active or recent draft exists on this topic
> X RFCs or draft from dtnrg exists on this topic
> 
> However, not all components need to be IETF defined. They will be defined by
> another body to fit well in their usage. And there will be more IETF defined
> componets if we let the WG work on them. However, not publishing the core
> components and framework becasue not all parts exists will delay the WG and have
> negative impact also on the deployment of the protocol. 
> 
> I think the right way for the DTN WG is to get these core specifications
> published now, even if there are "missing" components. In the future one can
> publsish an updated version of some of the RFCs to point to the relevant
> references. 

In general I don't mind publishing the core works even when not all the
pieces needed to deploy are in a ready-to-publish state, provided that the
missing pieces are clearly documented and there's a "stable API" boundary
between the parts that we expect to be able to achieve.  AFAICT we should
be able to meet these criteria, though perhaps there are some specifics
that remain to be documented (e.g., with respect to what a CLA and routing
service will provide).

-Ben

v2.23.0 | Report a Bug | By Email