IETF Logo Mail Archive

Re: [dtn] BPSec optional Security Source

Mehmet Adalier <madalier@antarateknik.com> Tue, 05 January 2021 01:29 UTC

Return-Path: <madalier@antarateknik.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 469323A0CA2 for <dtn@ietfa.amsl.com>; Mon, 4 Jan 2021 17:29:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O6pXp8oPiVCo for <dtn@ietfa.amsl.com>; Mon, 4 Jan 2021 17:29:49 -0800 (PST)
Received: from sonic315-13.consmr.mail.gq1.yahoo.com (sonic315-13.consmr.mail.gq1.yahoo.com [98.137.65.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E15913A0C9F for <dtn@ietf.org>; Mon, 4 Jan 2021 17:29:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1609810188; bh=V6RLae0K0sSVrOZi0+0aVNacw69AWp5fK3egee8JDv0=; h=Date:Subject:From:To:References:In-Reply-To:From:Subject; b=AVh6qQoo91Wn9MG+/e2k1+nGkMkKsIJG1otUnmwNbeINHMAiJYfelxfS/EUJjODw+QYRE08ERzrHvzQiKTpewGLvY9okTZx73vPhPnyTI0TLYu0txkoOgEnbgeR18pzTQcQiWXcFmY1CocZRDWXyH8jwmH64CKnS0ZI0Y/bJsWaCYZdoXuxvBje6RwspUAq7EEecc3F/qy5uT1KNMO2UL6/a3AGl3SSnZCW0IS6T55RsAPfGjnLnCQ4VSuDlzZ1CxI6IFh2OhNxyJHdhEVI9WGFlshrgnza6hCA2zH/nrbupMFxwSqrStTt/swK05w8BePGDQYz80u9Mq5KFvMeppA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1609810188; bh=h3gIFkYGUz1HvcNXlwKfsR/Sp6+k/XAVkFglB/EGC17=; h=Date:Subject:From:To:From:Subject; b=WaE4Tod4VaVFr8TxWpnq5hycYbza2ZIJoFTTZVKIC+ogQvEGun4BX8jZe14KyUv8LA8hrin2Y4fWautviK4FB2yGbYus6aUAjldhlo/CWvswsELKqasN35StsnwcHRjrhlcI9/6mEc4tF8KU+WLuGmpd1ls3R6q5E0auTzD25KiHwFjElUhMqhj36t7Dpltef2j+BkPYojnzLRxmnigNnuT9hOqC4NjIq0pH1sGLZNuhgDSeSUisJfvalcZlPIdt8w4NzMOB6/7gCoW+4RXV+j2Tk6CfcAoG6b2d8EnScTk4kVFnRQHHGU9qhMRgWRuo9YpuwNrIFGryk/VnOmS0JA==
X-YMail-OSG: ceUKZfsVM1kjmZ8vJE9s.MWbdpffIWmr1DFQ.KY6s1B3YfppdztI8NoR1IGMJJp bcSC6B0hMN_R5YDIiN32sWoAG0QVTRKvYX5_Ruj1iFMqlWLmBlOrakyfWrcjh86zFwkHn1yUsMOH mE92EtB7LUKI2xRZEYw8ICuQ23Njde9a9saNBokiQL0p6jh5xU6UpTyRY0ZBJjs_SM_a_KqZ7l8q Q_HmvsFzwoJaNSi9czwWfM2QNcQnB_QZuiFVRxqBaGOwoYHmtc5.4QMq7W6rYZqGWC7aJ0Yq9Q8L sZB78422a02foj5LGS2SnyX5I3StClqpT4MGg.hsQH8g6kb4ZS3vDXpH_pbklMmn0pR0LrCuPvXr 3BlTJlxG3ptkH2mNy.FbjbcM3ETsUJwjlKybqM__TrE9M6Qx..WCGU2Eu8Obx6iNap0RA5cgyJAV ba5J4NMubHCGdxB0p35oDM3VOTUVrLkiHwt53zfJONXqnyd9ph.mMfxPI7t5lH3FNT9v8xQmToRF _OX3.rdx1bUsD.mdaU7HaHv6jYYD2dLyYehyif8D07FlFJceNFLEXUBMNEOOFBG3JHozsp2jtbu0 n5AadGuEeMczH0fCNcR7K51TAjYs0o7VlOcW1WktQYpIcqyWRcYS_eTzvAd8gD_P.ZxYzSYPKb2D pkjit5QuFRz0exOXw1jG.YhmbJeOPYh4e2K0swj33lkkHIRZmnh9DLA4V3yD1n8t2Pj18QglQRgA _pFhww4zwJ7wMShNmjyx752ocyjfMnF8zCWHrk.JEq8e0UNlSW64Xa7xVz_y0v80ZPB.ON.erNPm L64g6YHstX1VWWe6MmvwysP4qenELJ0fsVIMRr_.wV0KQH8eAYiMpw930eD99PrFbSlder5ZGgiM YdnlNx8OfyYgnQD.tVkFP4TWR7OLAM2Gao3eXzDMKGSXiG6CrChnoi6GVkTo6bPjS0hqvuxamOAR VhH1YJ09XRcn1MMVBEKzetreHo6GMeqdHt6ieOlPjkp8IVbk8Wrf673SAd4WQXUGRzfa20COfxb6 cID2eSTeT2zjZIJgnBctyowt8um.oOmiP1KV12p1KFqUEifAHNz4NWiU_tvgACriiEYk6eSMT5BU MwKTOJ2h8hExHaUvpcUFHRXp.ch8bT70aFFJZtXKVaaHopXOvrsMXzzN06MMHd6rfNKIjrLgUpe5 SAALRSSjD7oS7Lf216KmcwcQ.2ush.OSZ6w517Dq7ZpyMP0EGxy_IaSnDoZ_Rl1tszGMUaA0Netx btk5RRrCr3ajSmOGKqI4U8g5ny4WhwLr4pdy.kjXfZWwcmQ9gtCjure2tf0TpecDG9MFS9oxSMSo 55_PZInkc2o68wTHH61ySqszVEoe576ro5JkU4ksin7VwyDWEFpaK2xEm67.roUgozxuYuwrC0kr E8sDDCU0QAgU_fqkD6a8V2OL1bgKq4FSwDAZCmlQbE1_2dOIXUYW2QDtZjXr6JWbUpK9_1pmkZQ. 0NmLlNFpuG8uHpClEAKof9EtWT7sNZQ6OxCYHVkarIswQvmrel.zFWemkLUCvN9oln_TcPFEADy_ wc8Ge_C1Cn6kwsUvyp.3KTcToyxl4_TQ.fvA0N3Y_axbwDSVYqzrr5hAdF_BDpkVayfvwgV3CRbh Ex4RVvetC2QzOTynl8gLVtAPh6nlxgTZeEeVr11Vv2i136sYnRIjcNyrxJLc.8poKkOBc9IFURjG AsnSN07yVwU75.FwDZW7y3xOEbIGy6rBa_Wo9miQ51whBPXAVWKWDAVKCraTtUbzcc71PUQfQGZG 9FK3pznz.6_k.tCiHDLlU.Zd9_K1h5w2TpSdzZUdfVBp7TS8_hRf5ziIaj93z2dfP617onPUPkMs MUZgzv5ZCRuB8ysmlKUyfvrR0Um_LINCWOIp13socO0P7aCYpNZqa8Ny_jjhiAHcFMf4SnoQ7bum DvRRNWbeRNr.6Lsrb81b8VYlMjbbDJ8ckaLh2u6H94ZSWXrZLjBTI1nAFt7cWfIV90KJ9siVQz9S vSQQXHQrNJC1QxBThXiv41frJ6EdhraMnf_hT.2I_aq8YX_dZ0lcV7T.tFtN4p0dqYDxzuOxEYTR N3Kyqwzze_iIDjffwpoA1iJvq4rKuzl86UnjZWdw2Q1McvwxDrjb4desHEXwtL5vD2GWnLGBa2u1 z9stk8DyopkvGZ0v0EIYvb1l5sRp.2oEkwSsDoT_rnUnQ0Iq0ERik_SSLk9lsbLwP53LatVwcGYy WLLUU43IQKUz6cpy0jJfMV11vgTZ_TyIDY1JFLaU9kJF0YSdg92VlTW3TJQTFji4eJIgajelqpzH 1fLWxxilaxnRbAKgI_MiFjmfKG_.2CGywHc_uV21y_pVDp5OUQQcE0eNf.2LULuKf7dSXCgOZViO 9FfwvBoXVJZ2ClQZA94GHDreIqwbev0ZqNHzS
Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.gq1.yahoo.com with HTTP; Tue, 5 Jan 2021 01:29:48 +0000
Received: by smtp401.mail.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID e310421ea15d2c1cf0401a8266c1af10; Tue, 05 Jan 2021 01:29:46 +0000 (UTC)
User-Agent: Microsoft-MacOutlook/10.20.0.191208
Date: Mon, 04 Jan 2021 17:29:41 -0800
From: Mehmet Adalier <madalier@antarateknik.com>
To: Adam Wiethuechter <adam.wiethuechter@axenterprize.com>, DTN WG <dtn@ietf.org>
Message-ID: <2B21611A-AF25-42EA-84E6-733A87B0A5E2@antarateknik.com>
Thread-Topic: [dtn] BPSec optional Security Source
References: <MN2PR13MB356798402CA7086AAEDDC0649FC50@MN2PR13MB3567.namprd13.prod.outlook.com> <82edb601dc6e4d86bef9c2a80b0dc9fc@aplex01.dom1.jhuapl.edu> <MN2PR13MB35670E69E788A5423B7F39E39FD20@MN2PR13MB3567.namprd13.prod.outlook.com> <AB61EC38-92F6-4186-A2AC-999EBB1511B7@gmail.com> <SN6PR13MB244605656A62C73F6269181588D20@SN6PR13MB2446.namprd13.prod.outlook.com>
In-Reply-To: <SN6PR13MB244605656A62C73F6269181588D20@SN6PR13MB2446.namprd13.prod.outlook.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3692626185_1574701799"
X-Mailer: WebService/1.1.17278 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo Apache-HttpAsyncClient/4.1.4 (Java/11.0.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/i-VEU0sCyiPBoAjljT4SFju6_qQ>
Subject: Re: [dtn] BPSec optional Security Source
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 01:29:51 -0000

+1 for Ran’s guidance. Our BPsec implementation requires that a Security Source EID is always present.

 

mehmet

 

From: dtn <dtn-bounces@ietf.org> on behalf of Adam Wiethuechter <adam.wiethuechter@axenterprize.com>
Date: Monday, January 4, 2021 at 3:25 PM
To: DTN WG <dtn@ietf.org>
Subject: Re: [dtn] BPSec optional Security Source

 

+1 to Ran's suggestion.

 

--------

73,

Adam T. Wiethuechter

Software Engineer; AX Enterprize, LLC

From: dtn <dtn-bounces@ietf.org> on behalf of R. Atkinson <rja.lists@gmail.com>
Sent: Monday, January 4, 2021 6:21 PM
To: DTN WG <dtn@ietf.org>
Subject: Re: [dtn] BPSec optional Security Source 

 

All,

For the sake of interoperability, maybe just say the “Security Source EID always must be present.”  It seems terribly optimistic to think the sender will have a priori knowledge of what downstream nodes plan to do.

Always including it might cost a few bytes, but doesn’t preclude a local policy at some node to look at other things, but including it always definitely helps with interoperability.

Postel’s Law:
        Be conservative in what you send and liberal in what you receive.

“Conservative” in this case means including the Security Source EID always - even if some downstream node did not require that datum some of the time.

Yours,

Ran

> On Jan 4, 2021, at 16:45, Brian Sipos <BSipos@rkf-eng.com> wrote:
> 
> Ed,
> Thanks for that clarification. Could this be added to the spec itself?
> Right now, as you mention, there is a requirement on the how the security acceptor handles that field but no requirement or expectation on the security source. It seems like that Security Source EID is expected to be present and it's a special case (based on network knowledge) that it would be absent. I mistakenly made the opposite assumption.
> e.g. The Security Source field SHOULD be present unless all security verifiers and acceptors are known to infer the correct implied security source.
> 
> Slightly related about terminology, that Security Source is defined as "This field identifies the Endpoint that inserted the security block in the bundle." But is the real situation that the source isn't an arbitrary endpoint but must always be a BP node (with a Node ID). Section 1.4 mentions that the security source has a Node ID and not a more general Endpoint ID.
> 
> Also, there are several places in the document where "security verifier" is used but that isn't present in Section 1.4 terminology listing. Can this be clarified? I assume a verifier is an acceptor which only performs read-only security operations related to a bundle. Maybe that's the wrong exact phrasing.
> From: Birrane, Edward J. <Edward.Birrane@jhuapl.edu>
> Sent: Monday, January 4, 2021 15:52
> To: Brian Sipos <BSipos@rkf-eng.com>; dtn@ietf.org <dtn@ietf.org>
> Subject: RE: BPSec optional Security Source
>  
> Brian,
>  
>   I agree that it is a little inefficient to include a security source EID in a security block when that EID is the exact same as the bundle source.  However, I would prefer to not have BPSec prohibit this duplication.
>  
>   BPSec states that if a security source EID is not present, then “the source MUST be inferred from other information, such as the bundle source, previous hop, or other values defined by security policy.”
>  
>   What if local policy on a BPA requires that, absent an asserted security source EID, the security source EID should be inferred as being the previous hop? In such a case, omitting the security source because it was the same as the bundle source would result in undesired behavior.
>  
>   Omitting a security source EID should be done when the security source node “believes the network can infer the security source correctly” which is different than saying “whenever it is the same as the bundle source”.  In many cases those two statements have the same practical result, but not in every case.
>  
> -Ed
>  
> ---
> Edward J. Birrane, III, Ph.D.
> Embedded Applications Group Supervisor
> Space Exploration Sector
> Johns Hopkins Applied Physics Laboratory
> (W) 443-778-7423 / (F) 443-228-3839
>  
>  
> From: Brian Sipos <BSipos@rkf-eng.com> 
> Sent: Wednesday, December 16, 2020 11:55 AM
> To: dtn@ietf.org; Birrane, Edward J. <Edward.Birrane@jhuapl.edu>
> Subject: [EXT] BPSec optional Security Source
>  
> APL external email warning: Verify sender BSipos@rkf-eng.com before clicking links or attachments
>  
> Ed,
> My interpretation of the purpose of the ASB Security Source field is to indicate the EID only if it's different than the bundle's source, but there's no actual requirement that I can see in the spec about this. Does it seem like a reasonable statement to say something like "If the security source EID is the same as the bundle source EID, as identified in the primary block, the Security Source field SHALL NOT be included in the ASB." but rephrased as needed?
> Thanks,
> Brian S.
> _______________________________________________
> dtn mailing list
> dtn@ietf.org
> https://www.ietf.org/mailman/listinfo/dtn

_______________________________________________
dtn mailing list
dtn@ietf.org
https://www.ietf.org/mailman/listinfo/dtn

_______________________________________________ dtn mailing list dtn@ietf.org https://www.ietf.org/mailman/listinfo/dtn

v2.23.0 | Report a Bug | By Email