| Delay-Tolerant Networking | E. Birrane |
| Internet-Draft | Johns Hopkins Applied Physics Laboratory |
| Intended status: Experimental | December 29, 2015 |
| Expires: July 1, 2016 |
DTN Security Best Practices
draft-birrane-dtn-sec-practices-00
This document describes best practices associated with achieving a variety of security use cases with the set of DTN-related standards.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 1, 2016.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document outlines the motivation for an end-to-end, application layer security capability as the collaborative effect of individual capabilities. Such a mix-and-match model of applying services allows for the more effective securing of a diverse set of disparate challenged internetworking scenarios.
In the context of this document, security refers to providing for the end-to-end integrity and confidentiality of application data.
Path diversity in a packetized, wireless internetwork increases resiliency to loss of individual links. However, packetization and multi-path, multi-hop communication severs the relationship between user data and a communications link; it is no longer sufficient to tightly control a single communication link to provide security for data exchange. The packets that comprise user data, by definition, may traverse multiple links as they traverse the network and accumulate at some user destination.
Securing link layers is not a sufficient mechanism for securing end-to-end data for two reasons, as follows.
At least three scopes of security exist in a packetized internetwork: Link, Enclave, and End-to-End. These are based, loosely and conceptually, on the Unix file permission concept of "User", "Group", and "Other".
| Layer | Responsibilities |
|---|---|
| Link | - point-to-point data exchange protected from data corruption. |
| - link-specific security mechanisms at both the physical and data layers. | |
| - Ensures transmissions over the link are authenticated and preserve the integrity and confidentiality of the message. | |
| Enclave | - Bound administrative and/or technical domains. |
| - Abstract link details when links within one enclave behave differently than links in another. | |
| End-to-End | - Ensure that application data is secured regardless of links or enclaves. |
| - Remove assumptions based on a particular path of a packet in the network or other underlying security mechanisms. |
Three types of security-related information are considered by this document: Security-Related Protocols, Node Security Policy, and Cipher Suite Support.
This document addresses how to achieve a series of application-layer, end-to-end security functions via combinations of protocols, policies, and cipher suites. This document does not provide the full specification for any single protocol, policy, or cipher suite.
Specifically, this specification provides ways to achieve the following kinds of behavior in an internetwork supporting certain protocols and implementing certain policies and cipher suites.
This section provides a brief overview of the protocols considered by this best practice document. This section covers only those significant functional aspects necessary to inform the discussion of how to combine functions for security services. Protocols covered by this document include the Bundle Protocol (BP) [RFC5050], Bundle Protocol Security (BPSec) [BPSec], and Bundle-in-Bundle Encapsulation (BIBE) [BIBE].
The Bundle Protocol (BP) is a packetized, overlay, store-and-forward protocol proposed for the exchange of data in a variety of challenged internetworking scenarios. A BP protocol data unit (PDU) is characterized as a series of variable-length blocks, with two special blocks required in the bundle and all other blocks optional. The two required blocks are the primary block (which acts as a message header) and the payload block, which is a standard payload area. Additional blocks, called extension blocks and conceptually similar to secondary headers, may also be added to the bundle. Extension blocks may be added at any time, and by any node, as the bundle traverses the internetwork. Bundles are addressed using End Point Identifiers (EIDs), which identify an overlay destination (endpoint) in the internetwork. The mapping between EIDs and nodes in the network is many-to-many, so a node may be associated with several EIDs, and one EID may be associated with multiple nodes to form a multi-cast address.
The security standard currently proposed for BP and DTN is the Bundle Protocol Security (BPSEC). BPSec defines security services captured in extension blocks that may be applied to discrete portions of a bundle. BPSec, as a protocol, operates at the "Group" and "World" layer, without reliance on link security mechanisms. Policy decisions on how BPSec services should or should not be applied to a bundle may or may not choose to consider link layer mechanisms.
BPSec provides two extension blocks that capture integrity and confidentiality services for other blocks within a bundle, as follows.
Note, BPSec does not specify the cipher suites used to populate the BIB and BCB blocks. The selection of cipher suites and keys to generate necessary data is a matter of policy.
Typically, the payload of a bundle contains some user or application data (or a fragmented portion of such data). The BIBE protocol provides a mechanism by which one bundle can be set as the payload of another bundle. This introduces the terminology of encapsulated and encapsulating bundles, as follows.
The BIBE mechanism is used to create tunnels with the BP specification and is a useful way to maintain a separation between security and routing while allowing some way to introduce required security waypoints in a path. Namely, while it is not possible, in the general case, to tell a single bundle to traverse multiple specific nodes from end to end, it is possible to establish multiple tunnels for the bundle to pass through using the BIBE mechanism.
Policies and configurations must be documented separately from both implementing protocols and best practices. Since the primary value of sharing policy and configuration information is to ensure the interoperability of multiple security services this information should be standardized whenever possible. Security policy documents should identify what security services are required in given network deployments and what actions should be taken when messages do not adhere to these expectations.
The following policy scenarios are strongly recommended for consideration in any such documentation relating to standards for DTN security.
Complex security activities are achieved through the combination of multiple discrete protocols rather than the creation of tightly-coupled, highly-purposed protocols. Given a set of loosely coupled, highly cohesive protocols, a set of best-practices can be provided to implement security operations.
This is the common case for block-level security services. In this case, a bundle source wishes to apply integrity and/or confidentiality to one or more blocks in a bundle and for these services to persist until the bundle reaches its destination.
This is the common case supported directly by BPSec without modification. In this case, each block being protected will have an additional security block (BIB or BCB) added to the bundle. The BIB and BCB blocks will contain all necessary security information based on cipher suites which must be selected in accordance with some policy at the node. Once the BIB and BCB blocks are added to the bundle, the bundle may be sent through the network and no additional operations are necessary until the bundle reaches the destination, at which point BIBs and BCBs are verified and processed in accordance with the BPSec specification.
Certain network configurations may require that security services be added to a bundle by a waypoint node rather than the originator of the bundle. A motivating example of this need is a network where a bundle requires only integrity services within an enclave but requires confidentiality before the bundle leaves the enclave to route over a more public network. In such cases, a gateway node at the border of the enclave and the public network may add confidentiality services to any bundle that does not already have such services before allowing the bundle to leave the enclave.
This is a minor extension to the case where the bundle source adds a security block. In this case, BPSec blocks (BIB and BCB) are also added to the bundle, but the security source of these blocks is listed as the waypoint node adding the block, rather than the bundle source node. The processing and behavior of the block is, otherwise, unchanged.
The policy considerations for a waypoint adding a security service are the same as when a bundle source adds a security service.
There may be times when a bundle is requested to go through a specific waypoint node en-route to its destination. From a security standpoint, this is typically done to ensure that some security result is achieved, for example ensuring that a bundle goes through a specific gateway for appending extra security services.
The current recommended practice for general networks to accomplish security-related destinations is to use the BIBE to wrap a bundle into an encapsulating bundle, and then use the security destination as the destination of the encapsulating bundle. In this way, the routing mechanism used in the network is not coupled to the security system, and the encapsulated bundle is not burdened with tracking multiple intermediate destinations.
This is the equivalent of creating a tunnel between the current node and the security destination. If, at the security destination, a subsequent security destination is necessary, the process may be repeated.
Cascading operations are security services that are applied to the same data multiple times, such as is the case when performing super-encryption. The BPSec standard does not allow the same security service to be applied to the same target data multiple times (for example, a payload cannot be encrypted twice with two BCBs).
There are several reasons for wanting to replace or modify security services found in a bundle. Policy may require a stronger security service before a bundle is allowed to leave an enclave. Alternatively, portions of the network may be configured with different cipher suite support rendering in-situ integrity checking impossible unless a new integrity signature in a supported cipher suite is added. At times, encrypting parts of an existing BCB or BIB to hide cipher suite details may be required.
When cascading operations are to be applied from the current node to the bundle destination each of these practices can be applied directly to the bundle. In cases where cascading operations are only to be applied from the current node to someplace other than the bundle destination then, first, Security Destination best practices must be applied.
There are three recommended ways to satisfy this need in BP networks: Bundle encapsulation, Block encapsulation, and custom blocks.
Hop by hop authentication ensures that a received bundle's last hop (i.e. most recent forwarder) matches what the bundle claims it's last hop to be. Checking each hop along a path in the network is one way to establish a chain of trust. More importantly, verifying the appropriateness of the node who sent a received bundle is a way of protecting networks against certain types of attacks. Specifically, the internals of a network can be protected against resource-consuming attacks if a gateway node can detect inappropriate traffic and prevent its ingest into the rest of the network.
There are three recommended ways to satisfy this need in BP networks: Reliable link layers, integrity on ephemeral blocks, and canonicalized whole-bundle signatures.
A common request in a secured internetwork is to provide a signed listing of each node traversed by a bundle on its way from sender to receiver.
There are three recommended practices for accomplishing this task: Per-Hop Extension Blocks, a Signed Log, and an Encrypted Log.
None.
Security in the context of multicasting presents challenging operational concepts for how to validate a received bundle that carries multiple integrity signatures. In this case, a bundle should validate a security service if any one of multiple security data items is verified.
It is recommended that a multi-case cipher suite specification be defined and used to generate multiple signatures (for integrity) or multiple ciphertexts (for confidentiality). This approach allows BPSec to operate without modification, as the cipher suite implementation both generates and verifies security results.
Multiple signatures would be stored directly in the BIB as part of cipher suite data. Such cipher suites could verify a signature if any 1 signature matched, if N of M signatures matched, or if all signatures match, based on policy.
Multiple encryptors could work by encrypted the plaintext multiple times to generate multiple ciphertexts which, in total, would replace the plain text in a specific block in the bundle. Additionally, the bundle source or other identifying information could be encrypted once per key and stored as additional authenticated data. On decryption, a node could determine the appropriate ciphertext to use by decrypting the bundle source from the additional authenticated data and then decrypting the ciphertext associated with that key.
It may be necessary to ensure that the primary block in a bundle has not changed since the bundle was first transmitted.
The BPSec allows the BIB to target the primary block, just as it can target any other block in a bundle. As such, this capability can be accomplished by inserting a BIB in the bundle whose target is the primary block.
None.
It may be necessary in certain cases to hide the contents of a primary block for portions of a bundle journey.
There are two recommended practices for accomplishing this task: Encapsulation and Custom Extension Blocks.
While there is no specific policy consideration, the concept of performing surgery on the primary block of a bundle in transit must be taken with great care.
This document has no fields registered by IANA.
| [BIBE] | Burleigh, S., "Bundle-in-Bundle Encapsulation", Internet-Draft draft-irtf-burleigh-bibe-00, March 2013. |
| [BPSec] | Birrane, E., Mayer, J. and D. Iannicca, "Bundle Protocol Security", Internet-Draft draft-ietf-dtn-bpsec-00, December 2015. |
| [RFC5050] | Scott, K. and S. Burleigh, "Bundle Protocol Specification", RFC 5050, DOI 10.17487/RFC5050, November 2007. |