IETF Logo Mail Archive

Re: [dtn] AD review of draft-ietf-dtn-bpsec-default-sc-02

Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com> Thu, 08 April 2021 23:40 UTC

Return-Path: <zaheduzzaman.sarker@ericsson.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8006E3A21D1 for <dtn@ietfa.amsl.com>; Thu, 8 Apr 2021 16:40:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkK2Ri8mXnEm for <dtn@ietfa.amsl.com>; Thu, 8 Apr 2021 16:40:54 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20051.outbound.protection.outlook.com [40.107.2.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FF6D3A21CB for <dtn@ietf.org>; Thu, 8 Apr 2021 16:40:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jAeo39cHt97Pvc6Rmq4Tn4F/lV9HByva6RLdCDJjasRRKj6gFD17JG6eCLCedTorL8cWeVHID0L3Z/IT96d5iN/+W2xByMI24HJcN+ZAA7YjNqdbVoQsPp8N4+qheN5KRRyPDG3MeXuk2rKneCkwKKH4pUuniqo1H8UWvdMKLhVtT6+oWiRryM6lhvqF/NMVz1InU4nAImb6uBBt/uTJQBpm3qFeXI4co0MJyqQSHZPbAhXktS8xGQgyCQGYumxfHWHvZIcJ0Nj3qtnfmyEJtNkeS+3kzyyJzILiFC0XrFIf8p1uTwwuq+iyy4hpkExEkZMppbSXbz1RORwgCQ8vqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GZd54XQZ1TSw4zLLCedy7d+wvjmuvQBLXO8k/1jCTLY=; b=cXqE02d+bzNePD3HKJx7EoE5ndAH0erQBwSzdH5AzuMJof8Kw8sZKdyARC8mEiHCrav3j1BHtZBdQpFAJ7BmlVLMN1h3cguiYo145JxdO8GWPeNGPF8AfCFpZfDNCRQsqUVouSMMNYSoJqcIN6L+VYdnNGZl8/+zc6p4iMKMhob/xMMdD17rsaa8o/EpclFYCZodqjabABFJObCxQvLuaCWXDWNdlLY0ZOTKGtMOXrK9QVAjS2H7/l1lqTvvHofM3/XidXvWjy+2zR9JLJFCzozFVIkv3EQMq4EtNcVGi2pjZCJ9PiHC2arqPggC2NBcJwhEZj6xUiE2ukIqjqJdnQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GZd54XQZ1TSw4zLLCedy7d+wvjmuvQBLXO8k/1jCTLY=; b=Ah+X0Qa5NNg/mZoFYS4qzsV1csFri1JDuUnLwEM/nm5Muw+D1BmDoeMuylPTP04gaLsbxpB1EeEHJo/S3AWogYbEM2g/53HTIPf992gDElsVg6tHkmLr5uQ+SegFpc7av5a/TNVfccH6ZzimSzL0pDfGL+ZnLrwVFbC2E2pFVck=
Received: from HE1PR07MB4187.eurprd07.prod.outlook.com (2603:10a6:7:98::23) by HE1PR07MB3113.eurprd07.prod.outlook.com (2603:10a6:7:2e::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4020.14; Thu, 8 Apr 2021 23:40:47 +0000
Received: from HE1PR07MB4187.eurprd07.prod.outlook.com ([fe80::9496:1cb2:ad7f:1c14]) by HE1PR07MB4187.eurprd07.prod.outlook.com ([fe80::9496:1cb2:ad7f:1c14%5]) with mapi id 15.20.3999.032; Thu, 8 Apr 2021 23:40:46 +0000
From: Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>
To: Rick Taylor <rick@tropicalstormsoftware.com>, "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>, "dtn@ietf.org" <dtn@ietf.org>
CC: Magnus Westerlund <magnus.westerlund@ericsson.com>
Thread-Topic: AD review of draft-ietf-dtn-bpsec-default-sc-02
Thread-Index: AQHXH1vax7LWSJVgGEW7LhnHV51gYaqaUmZQgAOJLQCACcDOsIAD56AA
Date: Thu, 08 Apr 2021 23:40:46 +0000
Message-ID: <D0F15504-4889-4ADF-BD74-DFB82D1C4F6A@ericsson.com>
References: <EAF9AEEC-B28E-48AC-BE47-1DAD6FA3609B@ericsson.com> <7b1238eb22fa41cd826548c5a53f2e42@aplex01.dom1.jhuapl.edu> <1663F867-DB26-4B00-B341-EAE4AB84D39B@ericsson.com> <38A5475DE83986499AEACD2CFAFC3F9801F5A55580@tss-server1.home.tropicalstormsoftware.com>
In-Reply-To: <38A5475DE83986499AEACD2CFAFC3F9801F5A55580@tss-server1.home.tropicalstormsoftware.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.47.21031401
authentication-results: tropicalstormsoftware.com; dkim=none (message not signed) header.d=none;tropicalstormsoftware.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [85.238.211.27]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 92d31d08-1b9f-483f-cda0-08d8fae7bbe5
x-ms-traffictypediagnostic: HE1PR07MB3113:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <HE1PR07MB3113BF0D70B6186E909A85639F749@HE1PR07MB3113.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Mnxc7g6Ed7hV9c0clPFfTgNTdAfB9KCNVeeVnq8S3dtRpsP56L017C4CeoYq1ptijhzq4+rTflBYU4SJwi++c93H3jMPQlRULNkH5o+91eUrh7YK1iUX3mBvZpHAG+8EuxUH5BVPh3T6SZqYTCIVYEq0dT3iV3Xm3zd1yQ3Jph86hl3Bn32l7OrqJ2ailCioobRhRCiKih0/UsBskNkA6tS5UHQTx4n77rYsVdCNGl6TtgRU0OmmqxB+wEuYSw3y6ydIL7b/0WOegtWc/KnYHrHkD16tSSUgm7PnwOk//Mz8Ffuii3AXNtHvfhyz1vDk15K1tocWGl9Z3AmtDdMJWD1jI++UWcppwho1YdDAQMvdO3tPQXVs9HG8rJVrbg2hqvy7XKXIKsgqMYsDOit0kENMeR0W5UHzxqsaJJFjF8MWKZLZFFTi5d76xpMATBLIkIQo7jKUJw0w71c3khCI3lgN8PkFZsSTy5xbxuOhwv6Way1Iiz/it/cXUM8I8PnGZ6eVmaraBVyvmQGkxvi4youB/5oELiV3WsjWpQFkZ2oq0YXm2zEWt2mpB/DmPzRTe22vMdLLTPallMxwfD+K9Xm34qYUI6kjyE88gV1evWvPN6bcxqXwghSzqB38TDZiPJXToORe6q8FF0PpOf6/WLQkg/TAe3zdzgnpiOxI3gD0vTD/k22Cj8G62TpCNaPGITbubtxxSEaH9I/QhHGOI3eG2Ns5O+IF2lM398fyKJJDd5Rc6dMcG2/NV9e7bcBcduco16l5POosebLAjb/LcQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB4187.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(366004)(376002)(396003)(136003)(39860400002)(4326008)(44832011)(76116006)(83380400001)(33656002)(5660300002)(966005)(8676002)(186003)(2906002)(8936002)(478600001)(26005)(107886003)(36756003)(6506007)(2616005)(53546011)(6512007)(316002)(86362001)(110136005)(38100700001)(6486002)(64756008)(66556008)(66446008)(66946007)(66476007)(71200400001)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: L7Mgu4bAOz1gl2hR+Y8c3kHDIuEY+203I49vgIIRtvCzpAS0QYNj6XCuP9UfjfuBLNxl6fP8dIkA8zMkhBS3kkxi7YfWM7JgFVoVbmhXplOSIjO5iq6j39wUrkl0pFXu7s0133TCU8NV0Zl7fq60uYYsp+eMfl+NF/J4RwHGubrwre7zHMba9VGHjdqEW9/MXk7N5T2ZQ6uLw0xA6dC0/0c8FHbPfGE3TFr78PhKB9LIwvfW3yuFGqqjwFV4Sa8i4BRPHqOkhmxKID2MjOWrLED196eZNg7LGXlnNb04Vxu/k2qmB+L6Ue1mIgTse9wA9uX+TdHIKvn93wcLtNmBeiIhJDmmZ+XhvhXn3jSrb81IKrtJgZ1SlfASLl6ZbeksSYI+sA88w5l73FlLmfUROnyBuZz1atkH1YY/QYcWXzUCfqf9F3SanSt/pLGnipNH/ag3mMWkmUIaQ5t3+aZkZLfqQlbvqvT4ioCrsqzqspLmcFcChb9/8pWPZ/e5MGZ/fSA1wk2Rc5X0b6JjBrgm0euQjolYqiPQk/t04sOuCOQTCTBYGn0cuf2paYBh8YZadAyvmci5pdOjgOKIz79+kBbaH/1QP3SHLn19a+WHyYjVPYuuJeviwIxmi6qMfOZ135Aq+4GVDhBasRLe0rSu3MFs+v+0STrN+E+1Bc06Wak0fnCKcAoXnsDXkJrcTnG6on7qEHiqtF6QJdJ3sklgiAD4Av2nCgo+LklyYWkv7gHWY/yu6DPcJLbmKFprbcbpMl6sPZXFP/0gUo9+kfjIZiipIQdRj+J/NQdSGIPc0GSxuQJx1kQnf+s8uclisE9URxkWJvWS5dUajtPexQvTaNcx7oiPcVxf7IhE6/1y/WtqxhCYlwPJvmH5+2nJgi+Hug0xf19vb74cWOEmDr35cgRCEhSZwofNS71U92oW/WRNhOFbTkG18nVrDrXJ8KfqtlHsK34bnnHWYRxrUpFkpCAtHYoKPfq1jbQqjBe8C5St+cPaM1QhSoSWqfWiAkShDASyv62My+Z/qsrErrYqtOg3Lu+ZxW4l0Mp7l1GW3OklvAjv74VAcS9rUo/EMTZ8SEHn/e8Z1GZWjRbcstprOm52tD2K7efBBwVqeBvVrsK18VLlDwBjxOzk9PCcAOnD256AaCb5UKzsTEKtQr9FZ23dhVt3qA01nJ82vsvNjQkYm16ZgWJuJwoLY7SvBo3LJrX5TIlEVJ0OE1EODAIDVutEG1lULEPuoTy7CF55sYB5EL60zdWzX/w7D744VN8yI5bFg4NdcOI4lnYlsTy9VlFC2J+Y/QEllW7saNcs2EHYTbOG5BzNBL4h6KQW/q1f
Content-Type: text/plain; charset="utf-8"
Content-ID: <FC4092130627A54AAB06A0DCD46E9736@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB4187.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 92d31d08-1b9f-483f-cda0-08d8fae7bbe5
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Apr 2021 23:40:46.8095 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: efgIxIlxWgL1/kz4+Sy5jMNBSK1crvKg2X0CGQDfLq23AHDIF85ciov63pTngnIWw4rhAULqoc0K1qOILGC+/vul0x6okKE2q/bDl/zIXQPRzmCaoTGjSaBqzDz/f4Mu
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3113
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/hlx2x6WJuHmPKku_5JbeN3jLBj0>
Subject: Re: [dtn] AD review of draft-ietf-dtn-bpsec-default-sc-02
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Apr 2021 23:41:00 -0000

Hello Rick, 

Thanks for the pointers. I have skimmed through the IETF100 minutes but could not really find notes on key management discussion. I certainly found the decision behind separate sec context document. So, that was somewhat helpful to get the context.

Now, if the WG has a consensus that "this limitation is appropriate for now
    > for this default security context and the DTN WG is looking to determine
    > delay-tolerant key management strategies in the future." As mentioned by Edward in his response. 
I think the bpsec-default-sc document should describe the potential issues due to lack of proper key management and explain why this limitation is OK for default security context. Basically recording that the WG is aware of issues and has well thought decision for default security context.


BR
Zahed

On 2021-04-06, 16:08, "Rick Taylor" <rick@tropicalstormsoftware.com> wrote:

    Hi Zahed,

    Just as a bit of clarification to your point re Key Management.

    The working group has discussed key management a couple of times (IETF-100 in particular) and there is at least one proposed solution, however the rough consensus of the group is that this topic is tricky to get right in a couple of paragraphs in either BPSec or in this document (which we intend to be as short and simple as possible), and therefore it would be better to not attempt a lose definition before the WG has a firmer view on best practice, and have to update these documents.

    To that end, Key Management as a work item for the group is a firm proposal for the re-chartering, and there seems to be sufficient interest and excitement in the group to get it done.

    References: IETF-100 minutes and mailing list - I can't find a single obvious thread on the mailing list unfortunately.

    Cheers,

    Rick

    > -----Original Message-----
    > From: dtn [mailto:dtn-bounces@ietf.org] On Behalf Of Zaheduzzaman Sarker
    > Sent: 31 March 2021 08:07
    > To: Birrane, Edward J.; dtn@ietf.org
    > Cc: Magnus Westerlund
    > Subject: Re: [dtn] AD review of draft-ietf-dtn-bpsec-default-sc-02
    > 
    > Hi Edward,
    > 
    > Thanks for the update. The -03 version addresses most of the comments and
    > concerns.
    > 
    > See my further comments inline below with [ZS].
    > 
    > BR
    > Zahed
    > 
    > On 2021-03-29, 05:43, "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>
    > wrote:
    > 
    > 
    >     > * It would be good for the user of this document to capture the reason
    >     > behind selecting HMAC-SHA and AES-GCM in respective overview section
    >     > (section 3.1 and section 4.1).
    > 
    >     C3: Agreed. I have added reasons for selection in 3.1 and 4.1 in the -03
    > version.
    > 
    > [ZS] Thanks, this is a good addition.
    > 
    > In section 4.1 :
    > 
    > The BCB-AES-GCM security context shall have the security context
    > 	   identifier specified in Section 5.1.
    > 
    > is this "shall" should be a "MUST" as described in Section 3.1?
    > 
    > 
    >     > * Section 3.3.2 and Section 3.5 :
    >     > It seems like some sort of key-id might be required to resolve
    >     > this. The BPsec does not define any generic key-id and it is neither
    > defined
    >     > here. It might become an issue for interoperability.
    > 
    >     C5: Agreed this might become an issue for interoperability.  For example, if
    > the policies for requiring security operations differ on different nodes there
    > may be interop problems. Similarly, if the policies for key
    > generation/communication differ on different nodes, there may be interop
    > problems. The DTNWG consensus was this limitation is appropriate for now
    > for this default security context and the DTN WG is looking to determine
    > delay-tolerant key management strategies in the future.
    > 
    > [ZS] Ok,  is this consensus documented somewhere? Meeting notes or email
    > thread or whatever?
    > 
    > 
    > 
    >     > * Section 4.3.2 :
    >     >      Does this "security policy" refers to local security policy?
    > 
    >     C15: Yes.  Security policy at the source, verifier, or acceptor is meant to
    > imply the local security policy at the node.
    > 
    > [ZS] Ok, then clearly stating that helps. It was clearly mention in the other
    > place(s).
    > 
    > 
    >     > * Section 6.3
    >     >
    >     >      To me this security considerations for fragmentation belongs to BPsec
    > as
    >     > the main technical issues on fragmentation are described there.
    > 
    >     C17: I would support removing the fragmentation section from this
    > document and including it in some other broader-scoped document on DTN
    > security, though perhaps not the BPSec document itself because the issues
    > with fragmentation can extend beyond the insertion and handling of security
    > blocks.
    > 
    > [ZS] I don't think removing the fragmentation section from this document to
    > some other document actually helps. This is a very important aspect of the
    > security context and I think it is better to be decisive about it now. If moved
    > to BPSec then other documents , specially security context documentation,
    > can just refer to it. The question really is, where does it make more sense put
    > there it is in line with the context of the content of the document? Right now
    > I see that is BPsec.
    > 
    > 
    >     > I would also like to draw attention to the SECART review (Thanks to the
    >     > SECART team and Christian Huitema) proposing test vectors to mitigate
    >     > interoperability issue pointed out by the reviewer. This seems like a good
    >     > proposal to include in this specification.
    > 
    > 
    >     C18: Agreed and grateful for the review! As mentioned in my comments to
    > the SECART review and similar to C17 above, I think that example encodings
    > are a very useful concept, but would ultimately be useful at showing bundle
    > structure and security block structure. Rather than repeating such encodings
    > in all future security context documents, I propose the DTN WG consider the
    > best way to produce this broader-scope documentation.
    > 
    > [ZS] I see the test vectors related to the applicability of the this document
    > hence this need to be considered well. Failing to assure interoperability
    > actually undermine the intention of this document, hence any tools to help
    > achieving that goal is worth putting effort into. Also we need to make sure
    > the test vector is actually usable by more than one implementation.  I would
    > be happy if DTN WG comes up with a best way forward here.
    > 
    > 
    > 
    > _______________________________________________
    > dtn mailing list
    > dtn@ietf.org
    > https://www.ietf.org/mailman/listinfo/dtn

v2.23.0 | Report a Bug | By Email