Re: [dtn] AD review of draft-ietf-dtn-bpsec-10
Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 17 September 2019 20:38 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EC3A12010D; Tue, 17 Sep 2019 13:38:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oa4E4RTSKnbi; Tue, 17 Sep 2019 13:38:41 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50060.outbound.protection.outlook.com [40.107.5.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0330512013F; Tue, 17 Sep 2019 13:38:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KkBHrPCK9doCRwuscseuWkFCCPCgV+deTifv0awHurKtoKbsMUZmgwglDm4ae/e76NM0XsKTpaN7nZ1r+YINYZKRZSeIMk3V2YyDcqswmF35pGIe+QR3qc3eUhFXpiCXpzgF2+B51sRMG2vho6b7tQRB0XsXDHOuVKj2klmoAYwHqki5Hca4kiGtn5mt0W+DiOCPcGaYZGDGph3Q5Qab1RUvZhVfRM1Rrt0Iewp3p/09WDxNwpNsKJ6yPkXP5M14VT9IOEER3t+essducQj9RYvgGrAs9jjCD71Wfk992NrVLQIo2MBR8toJh9p55BrEaJgtsCLGw2tyV7Hk7togWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Jrccx/C7LR1enh8DhXMztzJl30dCR68A4epGFe656gg=; b=lyCCnnlIqWdF5nnX/y5ytkRJ0t68nF583XJVYbCGCQYTvnPWIcIRSH4S9zv7dx6EhCAKSpXaAYvaLMSPYKscKfRVyKWmqcisXi1FXY/7HmJOofFQ9E6xVnEQhUQcsFyYNaGMxvRF/YOK734oR76RxhjEQyYR1dMBIQFklCdezOs/iBO8PkwV6SK7XICED6EzztDemqE4i/Eu6c7QVsdEwtmvol/nSuEdC/h92dlttlZNTEKjrrBvWLBJrj2dv6mOw8XN7ZCdgvEqugR2sxx6VaUxQsOYWi4MKUfLa47csjRQZWWTDxDmrTnxqjG+gr2wD0G4yPMiXmwcso2LiMdUJw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Jrccx/C7LR1enh8DhXMztzJl30dCR68A4epGFe656gg=; b=P2/b/YMgtp2SgP2OsERylmmIhCasog3VOCBLydCaLv0bk6+HriknWwFxqQWA96fjxgxTsuleYJJXB25K5gagv6kry+uYLdRELdgvuS4jzO+yGHDbX8YXYxf0Dlt+6VPH2aWz0WWY8N9sgs2xR9NXdij7R1d04qdQVm7NeoetPl4=
Received: from DB7PR07MB5736.eurprd07.prod.outlook.com (20.177.194.155) by DB7PR07MB5449.eurprd07.prod.outlook.com (20.178.45.94) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.15; Tue, 17 Sep 2019 20:38:38 +0000
Received: from DB7PR07MB5736.eurprd07.prod.outlook.com ([fe80::e48c:a942:9682:2ce4]) by DB7PR07MB5736.eurprd07.prod.outlook.com ([fe80::e48c:a942:9682:2ce4%7]) with mapi id 15.20.2284.009; Tue, 17 Sep 2019 20:38:38 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "draft-ietf-dtn-bpsec@ietf.org" <draft-ietf-dtn-bpsec@ietf.org>, "dtn@ietf.org" <dtn@ietf.org>
Thread-Topic: [dtn] AD review of draft-ietf-dtn-bpsec-10
Thread-Index: AdVCaDVgtsriZb2MRq2bQxmFSoSCwArL6w+A
Date: Tue, 17 Sep 2019 20:38:38 +0000
Message-ID: <4f41e7e9c66f4f5cc07f2e79b1670792c0dda4f1.camel@ericsson.com>
References: <HE1PR0701MB2522907507ED316584289CDF95C60@HE1PR0701MB2522.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0701MB2522907507ED316584289CDF95C60@HE1PR0701MB2522.eurprd07.prod.outlook.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=magnus.westerlund@ericsson.com;
x-originating-ip: [192.176.1.83]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f5ff68cb-2bfb-46d3-83f8-08d73baf04dd
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600167)(711020)(4605104)(1401327)(2017052603328)(49563074)(7193020); SRVR:DB7PR07MB5449;
x-ms-traffictypediagnostic: DB7PR07MB5449:
x-microsoft-antispam-prvs: <DB7PR07MB5449B82077E1A123CB242C29958F0@DB7PR07MB5449.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 01630974C0
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(366004)(376002)(396003)(346002)(136003)(199004)(189003)(15404003)(6436002)(6512007)(305945005)(99286004)(7736002)(44832011)(2616005)(36756003)(76176011)(110136005)(446003)(11346002)(316002)(2906002)(8936002)(81166006)(5660300002)(81156014)(229853002)(486006)(6486002)(8676002)(86362001)(66946007)(66616009)(66476007)(66556008)(64756008)(66446008)(26005)(99936001)(25786009)(2501003)(91956017)(76116006)(478600001)(66066001)(71190400001)(71200400001)(186003)(476003)(6506007)(6116002)(450100002)(14444005)(14454004)(118296001)(3846002)(6246003)(102836004)(256004); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR07MB5449; H:DB7PR07MB5736.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: mOk9Bkytjwb4W8lju1bbtmdIBsTYa19Q52GNz0TBuokmnwe3LO6xBZm/TODtsuaYxTLcJKtAomXDflFw9U6t54yek4K19OEwuHF62qXjE+tA0F75DXB9Zn6TvLcLxb8u06PFRbuheN7rMc8hWJU989wCwx/+o61sgguAPgBZO1TDIXfmKI3RwkaS5yCAqXUMfGqLlNnI/8iRmlTQ2a3QNN2oBK3bEtUYly+WBJyh+21pxEycta70hroPsAHxtQw94hZgQmqZmSP57m8cG9AkiFcjw3EEXMBhqwGvVWAyCwUkCAMbahnTjJBiQrjD9fCN0VFAgnqRs6/3RnxUWv28uj78lfT2XPF3xyItNbEm6Tflzv1k2+riBuAo+KVEAN0iVFisnTcmS88newjwsoFk0mm8nXna0KcWyHrKohzF9ps=
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-+QYXmNK9D0+65w1xhAPP"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f5ff68cb-2bfb-46d3-83f8-08d73baf04dd
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Sep 2019 20:38:38.1767 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Gve4ybtIhfuHzC3UvGE81AAECmInzxsIP8BooPRd+mHAkfOncYMqEYhRKD63At6S3+MJcFW9+K+uajtr0EdDhOw1lxIQBz4N7qoQuzB79KQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR07MB5449
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/kSkTY4Y0HYQlryMnRRcskQ8dSBg>
Subject: Re: [dtn] AD review of draft-ietf-dtn-bpsec-10
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2019 20:38:44 -0000
Hi, So finnaly following up on the new revision. See inline for my comments and remarks. I think there are potentially two minor text changes and one question to answer. On Wed, 2019-07-24 at 23:01 +0000, Magnus Westerlund wrote: > Hi, > > I have now done my AD review of draft-ietf-dtn-bpsec-10. I want to > point out that I am going to ask about the reasons behind certain > choices in the document. Note the intention here is not to change > what your specified but to understand the choices made. > > 1. Section 1.2: > It is expected that separate documents will be standardized to > define > security contexts and cipher suites compatible with BPSec, to > include > those that should be used to assess interoperability and those fit > for operational use in various network scenarios. > > As the WG actually have one example specification for a security > context and cipher suits, it would be good to reference this so that > people realize that it exist and can be looked at in parallel. Fixed > > 2. Section 1.4: I am missing a term for the receiver / target either > if that is any holder of the security context or an intended bundle > receiver, in other words the peer to security source. > Fixed. > 3. Section 3.1: > > The BIB is used to ensure the integrity of its plain-text > security > target(s). The integrity information in the BIB MAY be > verified > by any node along the bundle path from the BIB security source > to > the bundle destination. Security-aware waypoints add or remove > BIBs from bundles in accordance with their security policy. > BIBs > are never used to sign the cipher- text provided by a BCB. > > This is only part of a conflict between the order between BIB and BCB > processing and the possibility for a node along the Bundle path to > verify the integrity of parts of the bundle. So my thoughts here is > that bundle sender has two security contexts. One with the receiver > that it will use to secure the BUNDLE Payload and other Blocks that > are of end-to-end nature and not needed on path. Then I will have > another security context that a set of the bundle forwarding nodes > share so that they can verify the bundle being sent. However, to my > understanding this is not possible as any BIB using the second > context can’t use encrypted payload block as its input. > > So although the documents talks about this, it appears to have > limited utility. Any comments about this limited utility? So this was resolved in discussion that the solution to this is the Bundle-in-bundle encapsulation. > > 4. Section 3.2: > Security operations in a bundle MUST be unique; the same security > service MUST NOT be applied to a security target more than once in > a > bundle. > > This uniqueness requirement, isn’t this missing a dependency on > security context? To me there appear that being able to use more than > one security context has some benefits, or is it making things to > complex, or are there other reasons? Same as 3. > > 5. Section 3.6: > Security Context Flags: > > What is the meaning of the Reserved bits? What should the sender and > receiver do with these bits. Can they be assigned in the future? > I think the changes made things clearer, but didn't fully resolve the question I have about if it intended that future extension may reserve any of the other bits? Which would imply a ignore values of for implementation undefined bits. If that is the intention please be explicit about that. > 6. Section 3.8: > The Security Context Id MUST utilize a confidentiality cipher > that > provides authenticated encryption with associated data (AEAD). > > Why is AEAD a requirement? If the requirement is that no > confidentiality without integrity, then that can be stated in an > other way than requiring AEAD. Discussed, no change needed. > > 7. Section 3: > > Looking at the BIB and how it is structured and how the signature is > created and stored with one signature per block implies that any on > path attacker can remove individual blocks without it being noticed. > So aren’t there a missing possibility to create a BIB that actually > ensures that if it validates a set of blocks was correctly provided? > I know that with the current mechanisms such a BIB could be stripped. > However, such a block could easily be required in a security policy > for a particular deployment. Was such aspects considered? This was discussed and no furhter changes required. > > 8. Section 3.9: > o When adding a BCB to a bundle, if some (or all) of the security > targets of the BCB match some (but not all) of the security > targets of a BIB, then a new BIB MUST be created and all > entries > relating to those BCB security targets MUST be moved from the > original BIB to the newly created BIB. > > This comment is linked to the pervious one. When reading this, I had > a hard time to understand what “moved” in the above text actually > meant. Finally I realized that you could actually move a signature > from one BIB to another. I think this could be made a bit clearer. Fixed. > > 9. Section 3.10: > Individual BPSec security context identifiers SHOULD use existing > registries of identifiers and CBOR encodings, such as those > defined > in [RFC8152], whenever possible. Contexts SHOULD define their own > identifiers and CBOR encodings when necessary. > > I find the above paragraph unclear. I think one part is what > “security context identifiers”. Fixed. > > 10. Section 5.1.1: > If the receiving node is > not the destination of the bundle, the node MUST decrypt the BCB > if > directed to do so as a matter of security policy. > > I think this is an example of the unclarity of who is to process a > particular security block, because I don’t understand how the node > will be able to do this. Addressed. > > Section 11: > > A registry of security context identifiers will be required. > > If you need a registry for security context identifiers then you need > to create it and defines its rules. The new registry looks reasonable. The comment I have is that as draft- ietf-dtn-bpsec-interop-sc is a example / template for future security context identifiers, then it is actually good to perform the registration with IANA in that document also, so that part of the process is not forgotten. Cheers Magnus Westerlund ---------------------------------------------------------------------- Network Architecture & Protocols, Ericsson Research ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Torshamnsgatan 23 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [dtn] AD review of draft-ietf-dtn-bpsec-10 Magnus Westerlund
- Re: [dtn] AD review of draft-ietf-dtn-bpsec-10 Magnus Westerlund
- Re: [dtn] AD review of draft-ietf-dtn-bpsec-10 Magnus Westerlund