Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf-dtn-bpsec-18: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Sun, 23 February 2020 02:08 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 185633A09BF; Sat, 22 Feb 2020 18:08:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjlxeWonNeqr; Sat, 22 Feb 2020 18:08:12 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75C673A09BB; Sat, 22 Feb 2020 18:08:12 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 01N281s2014242 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 22 Feb 2020 21:08:03 -0500
Date: Sat, 22 Feb 2020 18:08:00 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Cc: "rja.lists@gmail.com" <rja.lists@gmail.com>, "dtn@ietf.org" <dtn@ietf.org>, "Edward.Birrane@jhuapl.edu" <Edward.Birrane@jhuapl.edu>, "iesg@ietf.org" <iesg@ietf.org>, "rdd@cert.org" <rdd@cert.org>
Message-ID: <20200223020800.GX53538@kduck.mit.edu>
References: <158072863257.28637.8806505241822600245.idtracker@ietfa.amsl.com> <035730f96e28463a8141b026079bf3c3@aplex01.dom1.jhuapl.edu> <DE73788D-7E72-4246-B996-7F79AC805B87@kuehlewind.net> <820D95D0-F645-4551-9AE8-D30E49A2DD0E@antarateknik.com> <8A9F9AE8-18B3-4218-B8F5-D248BA4DF221@gmail.com> <b9f6e1d5c32541658059d09caa5af0fc@aplex01.dom1.jhuapl.edu> <5d83b0a4e94e1aba828699fa2b87f8ca6676269d.camel@ericsson.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <5d83b0a4e94e1aba828699fa2b87f8ca6676269d.camel@ericsson.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/wEF4OmL9mPCUE8HHBs15NRivjaM>
Subject: Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf-dtn-bpsec-18: (with DISCUSS and COMMENT)
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Feb 2020 02:08:15 -0000
Going from memory (and not having read the other threads), I think it should be possible to write things such that automatic key exchange is not a normative dependency at this time (pending future update). -Ben On Mon, Feb 17, 2020 at 09:18:43AM +0000, Magnus Westerlund wrote: > Hi, > > Adding the Sec ADs to this discussion. To resolve the whole chain of security > related issues here. > > I don't see any major issue with the below plan except for how we handle the > fact that there will not be an automatic key-exchange available for DTN nodes > immediately and that this is only in the WG's plans. > > Is there anything better we can do than to promise to update either BPSec or the > interoperability security context document with the automatic key-exchange > solution when it is available? Or is the whole of the DTN work going to hang in > the RFC-editor queue until those components are available? I would really like > to avoid that. > > Cheers > > Magnus > > > On Mon, 2020-02-17 at 04:17 +0000, Birrane, Edward J. wrote: > > Ran, > > > > I do recall that you made this same point at one of the DTNWG meetings. > > > > It seems the desired way forward would be to > > > > 1. Take the current bpsec interoperability security contexts document (draft- > > ietf-dtn-bpsec-interop-sc) and make it a normative reference in bpsec. > > 2. State in the new section 9.1 of BpSec that the interop security contexts > > are mandatory-to-implement. > > 3. Put the interop security contexts into the review cycle (they are in WG > > last call at this point, I believe). > > > > Would this be a satisfactory outcome? > > > > -Ed > > > > > > Edward J. Birrane, III, Ph.D. > > Embedded Applications Group Supervisor > > Principal Staff, Space Exploration Sector > > Johns Hopkins Applied Physics Laboratory > > (W) 443-778-7423 / (F) 443-228-3839 > > > > -----Original Message----- > > From: dtn <dtn-bounces@ietf.org> On Behalf Of R. Atkinson > > Sent: Thursday, February 13, 2020 5:17 PM > > To: DTN WG <dtn@ietf.org> > > Cc: The IESG <iesg@ietf.org> > > Subject: [EXT] Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf-dtn-bpsec-18: > > (with DISCUSS and COMMENT) > > > > APL external email warning: Verify sender dtn-bounces@ietf.org before clicking > > links or attachments > > > > All, > > > > I think it quite reasonable for the WG to define at least one "mandatory-to- > > implement" (i.e., NOT mandatory to use) set of security algorithms/modes for > > BPsec — and I think it quite reasonable for the IESG to require that the WG > > make such a choice. > > > > The IETF has at least 30 years of experience that if at least one “mandatory- > > to-implement” security profile is NOT required/specified, then non- > > interoperability is the actual result. In this case, non-interoperability > > would mean that two different systems who DO wish to use BPsec between > > themselves actually cannot use it — because of disjoint algorithms/modes > > having been implemented in the different implementations. > > > > I’m not terribly particular about which algorithms/modes the WG picks, > > although choosing algorithms/modes readily available in open-source libraries > > (for example: the OpenSSL library) does simplify life for implementers. > > > > Yours, > > > > Ran > > > > > On Feb 11, 2020, at 11:37, Mehmet Adalier <madalier@antarateknik.com> wrote: > > > > > > While it is possible to find such a minimal requirement, I do not believe > > > that one is required at the BPsec protocol level. > > > I'd also like to recommend that the BPsec RFC does not specify a "minimum" > > > interoperability context. > > > > > > Depending on the use-case, interoperable contexts can be defined as other > > > specifications. > > > > > > An example is appropriate CCSDS books which indicate interoperable contexts. > > > . Another example is the International Communication System Interoperability > > > Standards (ICSIS). > > > > > > Mehmet > > > > > > > > > On 2/11/20, 4:04 AM, "dtn on behalf of Mirja Kuehlewind" < > > > dtn-bounces@ietf.org on behalf of ietf@kuehlewind.net> wrote: > > > > > > Hi Ed, > > > > > > Thanks for the new text section 9.1. Reading this text I would to confirm > > > one more thing: I understand that the best choice for the security context > > > can be very different, however, the point of interoperability is to have at > > > least one available, that might not be optimal but it better than none. > > > Having one common security context required would also simply mean that each > > > implementation would need to support that and therefore it becomes much > > > easier for people to reply BPSec if the provided one is suitable. Is it not > > > possible to find such a minimal requirement? > > > > > > Mirja > > > > > > > > > > > > > On 8. Feb 2020, at 01:23, Birrane, Edward J. <Edward.Birrane@jhuapl.edu> > > > > wrote: > > > > > > > > Mirja, > > > > > > > > Thank you for the review. I have updated a new version of BPSEC (BPSEC20) > > > > which attempts to address your DISCUSS and COMMENTS below. > > > > > > > > Specific comments are in-line below. I have enumerated the Discuss items > > > > as **D# and the comment items as **C# to aid in referencing these points > > > > going forward. > > > > > > > > -Ed > > > > > > > > --- > > > > Edward J. Birrane, III, Ph.D. > > > > Embedded Applications Group Supervisor Space Exploration Sector Johns > > > > Hopkins Applied Physics Laboratory > > > > (W) 443-778-7423 / (F) 443-228-3839 > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: Mirja Kühlewind via Datatracker <noreply@ietf.org> > > > > > Sent: Monday, February 03, 2020 6:17 AM > > > > > To: The IESG <iesg@ietf.org> > > > > > Cc: draft-ietf-dtn-bpsec@ietf.org; Scott Burleigh > > > > > <Scott.C.Burleigh@jpl.nasa.gov>; dtn-chairs@ietf.org; > > > > > Scott.C.Burleigh@jpl.nasa.gov; dtn@ietf.org > > > > > Subject: [EXT] Mirja Kühlewind's Discuss on draft-ietf-dtn-bpsec-18: > > > > > (with DISCUSS and COMMENT) > > > > > > > > > > APL external email warning: Verify sender noreply@ietf.org before > > > > > clicking links or attachments > > > > > > > > > > Mirja Kühlewind has entered the following ballot position for > > > > > draft-ietf-dtn-bpsec-18: Discuss > > > > > > > > > > When responding, please keep the subject line intact and reply to > > > > > all email addresses included in the To and CC lines. (Feel free to > > > > > cut this introductory paragraph, however.) > > > > > > > > > > > > > > > Please refer to > > > > > https://www.ietf.org/iesg/statement/discuss-criteria.html > > > > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > > > > > > > > > > The document, along with other ballot positions, can be found here: > > > > > https://datatracker.ietf.org/doc/draft-ietf-dtn-bpsec/ > > > > > > > > > > > > > > > > > > > > -------------------------------------------------------------------- > > > > > -- > > > > > DISCUSS: > > > > > -------------------------------------------------------------------- > > > > > -- > > > > > > > > > > Sec 1.2 says: > > > > > "A sample security > > > > > context has been defined ([I-D.ietf-dtn-bpsec-interop-sc]) to > > > > > support interoperability testing and serve as an exemplar for how > > > > > security contexts should be defined for this specification." > > > > > However I don't really understand how interoperability can be > > > > > reached if there is not at least one security context that is > > > > > mandatory to implement in this draft (especially as > > > > > ietf-dtn-bpsec-interop-sc is expired for more than half a year > > > > > already)...? > > > > > > > > **D1: I have added a new Section 9.1 to BPSEC20 which describes the > > > > desired approach to BPSec and security contexts. I have also updated > > > > ietf-dtn-bpsec-interop-sc which should be going into WG last call. > > > > > > > > > > > > > > -------------------------------------------------------------------- > > > > > -- > > > > > COMMENT: > > > > > -------------------------------------------------------------------- > > > > > -- > > > > > > > > > > Please use the updated disclaimer in rfc8174. > > > > > > > > > > > > > **C1: Agreed. The disclaimer has been updated in BPSEC20. > > > > > > > > -Ed > > > > > > > > > > _______________________________________________ > > > dtn mailing list > > > dtn@ietf.org > > > https://www.ietf.org/mailman/listinfo/dtn > > > > > > > > > > > > _______________________________________________ > > > dtn mailing list > > > dtn@ietf.org > > > https://www.ietf.org/mailman/listinfo/dtn > > > > _______________________________________________ > > dtn mailing list > > dtn@ietf.org > > https://www.ietf.org/mailman/listinfo/dtn > > _______________________________________________ > > dtn mailing list > > dtn@ietf.org > > https://www.ietf.org/mailman/listinfo/dtn > -- > Cheers > > Magnus Westerlund > > > ---------------------------------------------------------------------- > Networks, Ericsson Research > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 10 7148287 > Torshamnsgatan 23 | Mobile +46 73 0949079 > SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com > ---------------------------------------------------------------------- > >
- [dtn] Mirja Kühlewind's Discuss on draft-ietf-dtn… Mirja Kühlewind via Datatracker
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… Birrane, Edward J.
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… Mirja Kuehlewind
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… Mehmet Adalier
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… R. Atkinson
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… Birrane, Edward J.
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… Magnus Westerlund
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… Mirja Kuehlewind
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… Magnus Westerlund
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… Mirja Kuehlewind
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… Rick Taylor
- Re: [dtn] Mirja Kühlewind's Discuss on draft-ietf… Benjamin Kaduk