draft-ietf-dtn-bpsec-11.txt   draft-ietf-dtn-bpsec-12.txt 
Delay-Tolerant Networking E. Birrane Delay-Tolerant Networking E. Birrane
Internet-Draft K. McKeever Internet-Draft K. McKeever
Intended status: Standards Track JHU/APL Intended status: Standards Track JHU/APL
Expires: March 12, 2020 September 9, 2019 Expires: March 21, 2020 September 18, 2019
Bundle Protocol Security Specification Bundle Protocol Security Specification
draft-ietf-dtn-bpsec-11 draft-ietf-dtn-bpsec-12
Abstract Abstract
This document defines a security protocol providing end to end data This document defines a security protocol providing end to end data
integrity and confidentiality services for the Bundle Protocol. integrity and confidentiality services for the Bundle Protocol.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 31 skipping to change at page 1, line 31
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 12, 2020. This Internet-Draft will expire on March 21, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 28 skipping to change at page 2, line 28
3. Security Blocks . . . . . . . . . . . . . . . . . . . . . . . 9 3. Security Blocks . . . . . . . . . . . . . . . . . . . . . . . 9
3.1. Block Definitions . . . . . . . . . . . . . . . . . . . . 9 3.1. Block Definitions . . . . . . . . . . . . . . . . . . . . 9
3.2. Uniqueness . . . . . . . . . . . . . . . . . . . . . . . 10 3.2. Uniqueness . . . . . . . . . . . . . . . . . . . . . . . 10
3.3. Target Multiplicity . . . . . . . . . . . . . . . . . . . 11 3.3. Target Multiplicity . . . . . . . . . . . . . . . . . . . 11
3.4. Target Identification . . . . . . . . . . . . . . . . . . 11 3.4. Target Identification . . . . . . . . . . . . . . . . . . 11
3.5. Block Representation . . . . . . . . . . . . . . . . . . 12 3.5. Block Representation . . . . . . . . . . . . . . . . . . 12
3.6. Abstract Security Block . . . . . . . . . . . . . . . . . 12 3.6. Abstract Security Block . . . . . . . . . . . . . . . . . 12
3.7. Block Integrity Block . . . . . . . . . . . . . . . . . . 15 3.7. Block Integrity Block . . . . . . . . . . . . . . . . . . 15
3.8. Block Confidentiality Block . . . . . . . . . . . . . . . 16 3.8. Block Confidentiality Block . . . . . . . . . . . . . . . 16
3.9. Block Interactions . . . . . . . . . . . . . . . . . . . 17 3.9. Block Interactions . . . . . . . . . . . . . . . . . . . 17
3.10. Parameter and Result Identification . . . . . . . . . . . 18 3.10. Parameter and Result Identification . . . . . . . . . . . 19
3.11. BSP Block Examples . . . . . . . . . . . . . . . . . . . 19 3.11. BSP Block Examples . . . . . . . . . . . . . . . . . . . 19
3.11.1. Example 1: Constructing a Bundle with Security . . . 19 3.11.1. Example 1: Constructing a Bundle with Security . . . 19
3.11.2. Example 2: Adding More Security At A New Node . . . 20 3.11.2. Example 2: Adding More Security At A New Node . . . 20
4. Canonical Forms . . . . . . . . . . . . . . . . . . . . . . . 22 4. Canonical Forms . . . . . . . . . . . . . . . . . . . . . . . 22
5. Security Processing . . . . . . . . . . . . . . . . . . . . . 22 5. Security Processing . . . . . . . . . . . . . . . . . . . . . 23
5.1. Bundles Received from Other Nodes . . . . . . . . . . . . 23 5.1. Bundles Received from Other Nodes . . . . . . . . . . . . 23
5.1.1. Receiving BCBs . . . . . . . . . . . . . . . . . . . 23 5.1.1. Receiving BCBs . . . . . . . . . . . . . . . . . . . 23
5.1.2. Receiving BIBs . . . . . . . . . . . . . . . . . . . 24 5.1.2. Receiving BIBs . . . . . . . . . . . . . . . . . . . 24
5.2. Bundle Fragmentation and Reassembly . . . . . . . . . . . 25 5.2. Bundle Fragmentation and Reassembly . . . . . . . . . . . 25
6. Key Management . . . . . . . . . . . . . . . . . . . . . . . 25 6. Key Management . . . . . . . . . . . . . . . . . . . . . . . 25
7. Security Policy Considerations . . . . . . . . . . . . . . . 25 7. Security Policy Considerations . . . . . . . . . . . . . . . 25
8. Security Considerations . . . . . . . . . . . . . . . . . . . 27 8. Security Considerations . . . . . . . . . . . . . . . . . . . 27
8.1. Attacker Capabilities and Objectives . . . . . . . . . . 27 8.1. Attacker Capabilities and Objectives . . . . . . . . . . 27
8.2. Attacker Behaviors and BPSec Mitigations . . . . . . . . 28 8.2. Attacker Behaviors and BPSec Mitigations . . . . . . . . 28
8.2.1. Eavesdropping Attacks . . . . . . . . . . . . . . . . 28 8.2.1. Eavesdropping Attacks . . . . . . . . . . . . . . . . 28
8.2.2. Modification Attacks . . . . . . . . . . . . . . . . 29 8.2.2. Modification Attacks . . . . . . . . . . . . . . . . 29
8.2.3. Topology Attacks . . . . . . . . . . . . . . . . . . 30 8.2.3. Topology Attacks . . . . . . . . . . . . . . . . . . 30
8.2.4. Message Injection . . . . . . . . . . . . . . . . . . 30 8.2.4. Message Injection . . . . . . . . . . . . . . . . . . 30
9. Security Context Considerations . . . . . . . . . . . . . . . 31 9. Security Context Considerations . . . . . . . . . . . . . . . 31
9.1. Identification and Configuration . . . . . . . . . . . . 31 9.1. Identification and Configuration . . . . . . . . . . . . 31
9.2. Authorship . . . . . . . . . . . . . . . . . . . . . . . 31 9.2. Authorship . . . . . . . . . . . . . . . . . . . . . . . 32
10. Defining Other Security Blocks . . . . . . . . . . . . . . . 33 10. Defining Other Security Blocks . . . . . . . . . . . . . . . 33
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
11.1. Bundle Block Types . . . . . . . . . . . . . . . . . . . 34 11.1. Bundle Block Types . . . . . . . . . . . . . . . . . . . 34
11.2. Security Context Identifiers . . . . . . . . . . . . . . 34 11.2. Security Context Identifiers . . . . . . . . . . . . . . 34
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 35 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 35
12.1. Normative References . . . . . . . . . . . . . . . . . . 35 12.1. Normative References . . . . . . . . . . . . . . . . . . 35
12.2. Informative References . . . . . . . . . . . . . . . . . 35 12.2. Informative References . . . . . . . . . . . . . . . . . 35
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 36 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 36
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36
skipping to change at page 13, line 27 skipping to change at page 13, line 27
field. Each bit in this bit field indicates the presence (bit field. Each bit in this bit field indicates the presence (bit
set to 1) or absence (bit set to 0) of optional data in the set to 1) or absence (bit set to 0) of optional data in the
security block. The association of bits to security block data security block. The association of bits to security block data
is defined as follows. is defined as follows.
Bit 1 (the least-significant bit, 0x01): Security Context Bit 1 (the least-significant bit, 0x01): Security Context
Parameters Present Flag. Parameters Present Flag.
Bit 2 (0x02): Security Source Present Flag. Bit 2 (0x02): Security Source Present Flag.
In this field, a value of 1 indicates that the associated Bit >2 Reserved
security block field MUST be included in the security block. A
value of 0 indicates that the associated security block field Implementations MUST set reserved bits to 0 when writing this
MUST NOT be in the security block. field and MUST ignore the values of reserved bits when reading
this field. For unreserved bits, a value of 1 indicates that
the associated security block field MUST be included in the
security block. A value of 0 indicates that the associated
security block field MUST NOT be in the security block.
Security Source (Optional): Security Source (Optional):
This field identifies the Endpoint that inserted the security This field identifies the Endpoint that inserted the security
block in the bundle. If the security source field is not block in the bundle. If the security source field is not
present then the source MUST be inferred from other present then the source MUST be inferred from other
information, such as the bundle source, previous hop, or other information, such as the bundle source, previous hop, or other
values defined by security policy. This field SHALL be values defined by security policy. This field SHALL be
represented by a CBOR array in accordance with represented by a CBOR array in accordance with
[I-D.ietf-dtn-bpbis] rules for representing Endpoint [I-D.ietf-dtn-bpbis] rules for representing Endpoint
Identifiers (EIDs). Identifiers (EIDs).
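Review bot: The added rule "MUST ignore the values of reserved bits when reading this field" in the Security Context Flags text leaves the forward-compatibility case undefined. Every bit defined so far signals that an optional field is present in the security block, so if a later revision assigns one of the reserved bits to a new optional field, a reader following this rule disregards the bit but still encounters data it has no rule for. The text does not say whether the reader then rejects the block or carries on parsing. Suggest stating what a receiver does with a block whose reserved bits are set, or stating that reserved bits will never gate additional fields. "Bit >2 Reserved" also gives no upper bound. Naming the width of the field, or writing "all other bits", would remove that ambiguity.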
skipping to change at page 34, line 37 skipping to change at page 34, line 45
| Value | Description | Reference | | Value | Description | Reference |
+-------+-----------------------------+---------------+ +-------+-----------------------------+---------------+
| 2 | Block Integrity Block | This document | | 2 | Block Integrity Block | This document |
| 3 | Block Confidentiality Block | This document | | 3 | Block Confidentiality Block | This document |
+-------+-----------------------------+---------------+ +-------+-----------------------------+---------------+
Table 2 Table 2
11.2. Security Context Identifiers 11.2. Security Context Identifiers
BPSec has a Security Context Identifier field () for which IANA is BPSec has a Security Context Identifier field for which IANA is
requested to create and maintain a new registry named "BPSec Security requested to create and maintain a new registry named "BPSec Security
Context Identifiers". Initial values for this registry are given Context Identifiers". Initial values for this registry are given
below. below.
The registration policy for this registry is: Specification Required. The registration policy for this registry is: Specification Required.
The value range is: unsigned 16-bit integer. The value range is: unsigned 16-bit integer.
BPSec Security Context Identifier Registry BPSec Security Context Identifier Registry
+-------+--------------------+---------------------------------+ +-------+-------------+---------------+
| Value | Description | Reference | | Value | Description | Reference |
+-------+--------------------+---------------------------------+ +-------+-------------+---------------+
| 0 | Reserved | This document | | 0 | Reserved | This document |
| 1 | BIB-HMAC256-SHA256 | [I-D.ietf-dtn-bpsec-interop-sc] | +-------+-------------+---------------+
| 2 | BCB-AES-GCM-256 | [I-D.ietf-dtn-bpsec-interop-sc] |
+-------+--------------------+---------------------------------+
Table 3 Table 3
12. References 12. References
12.1. Normative References 12.1. Normative References
[I-D.ietf-dtn-bpbis] [I-D.ietf-dtn-bpbis]
Burleigh, S., Fall, K., and E. Birrane, "Bundle Protocol Burleigh, S., Fall, K., and E. Birrane, "Bundle Protocol
Version 7", draft-ietf-dtn-bpbis-14 (work in progress), Version 7", draft-ietf-dtn-bpbis-14 (work in progress),
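Review bot: In section 11.2, the sentence "Initial values for this registry are given below" now introduces a table whose only row is "0 | Reserved", and values 1 (BIB-HMAC256-SHA256) and 2 (BCB-AES-GCM-256) disappear without any text saying where they will be registered. Suggest adding a sentence that security context specifications register their own identifiers under the Specification Required policy, so an implementer reading -12 knows the registry is intentionally empty rather than incomplete. Since the removed rows were the visible citations of [I-D.ietf-dtn-bpsec-interop-sc], also check that the reference list does not keep an entry that nothing cites any more.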
 End of changes. 9 change blocks. 
18 lines changed or deleted 20 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/