summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc6257.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc6257.txt')
-rw-r--r--doc/rfc/rfc6257.txt3363
1 files changed, 3363 insertions, 0 deletions
diff --git a/doc/rfc/rfc6257.txt b/doc/rfc/rfc6257.txt
new file mode 100644
index 0000000..50419af
--- /dev/null
+++ b/doc/rfc/rfc6257.txt
@@ -0,0 +1,3363 @@
+
+
+
+
+
+
+Internet Research Task Force (IRTF) S. Symington
+Request for Comments: 6257 The MITRE Corporation
+Category: Experimental S. Farrell
+ISSN: 2070-1721 Trinity College Dublin
+ H. Weiss
+ P. Lovell
+ SPARTA, Inc.
+ May 2011
+
+
+ Bundle Security Protocol Specification
+
+Abstract
+
+ This document defines the bundle security protocol, which provides
+ data integrity and confidentiality services for the Bundle Protocol.
+ Separate capabilities are provided to protect the bundle payload and
+ additional data that may be included within the bundle. We also
+ describe various security considerations including some policy
+ options.
+
+ This document is a product of the Delay-Tolerant Networking Research
+ Group and has been reviewed by that group. No objections to its
+ publication as an RFC were raised.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for examination, experimental implementation, and
+ evaluation.
+
+ This document defines an Experimental Protocol for the Internet
+ community. This document is a product of the Internet Research Task
+ Force (IRTF). The IRTF publishes the results of Internet-related
+ research and development activities. These results might not be
+ suitable for deployment. This RFC represents the consensus of the
+ Delay-Tolerant Networking Research Group of the Internet Research
+ Task Force (IRTF). Documents approved for publication by the IRSG
+ are not a candidate for any level of Internet Standard; see Section 2
+ of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6257.
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 1]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+Copyright Notice
+
+ Copyright (c) 2011 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 2]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+Table of Contents
+
+ 1. Introduction ....................................................4
+ 1.1. Related Documents ..........................................4
+ 1.2. Terminology ................................................5
+ 2. Security Blocks .................................................8
+ 2.1. Abstract Security Block ....................................9
+ 2.2. Bundle Authentication Block ...............................13
+ 2.3. Payload Integrity Block ...................................15
+ 2.4. Payload Confidentiality Block .............................16
+ 2.5. Extension Security Block ..................................20
+ 2.6. Parameters and Result Fields ..............................21
+ 2.7. Key Transport .............................................23
+ 2.8. PIB and PCB Combinations ..................................24
+ 3. Security Processing ............................................25
+ 3.1. Nodes as Policy Enforcement Points ........................26
+ 3.2. Processing Order of Security Blocks .......................26
+ 3.3. Security Regions ..........................................29
+ 3.4. Canonicalization of Bundles ...............................31
+ 3.5. Endpoint ID Confidentiality ...............................37
+ 3.6. Bundles Received from Other Nodes .........................38
+ 3.7. The At-Most-Once-Delivery Option ..........................39
+ 3.8. Bundle Fragmentation and Reassembly .......................40
+ 3.9. Reactive Fragmentation ....................................41
+ 3.10. Attack Model .............................................42
+ 4. Mandatory Ciphersuites .........................................42
+ 4.1. BAB-HMAC ..................................................42
+ 4.2. PIB-RSA-SHA256 ............................................43
+ 4.3. PCB-RSA-AES128-PAYLOAD-PIB-PCB ............................44
+ 4.4. ESB-RSA-AES128-EXT ........................................48
+ 5. Key Management .................................................51
+ 6. Default Security Policy ........................................51
+ 7. Security Considerations ........................................53
+ 8. Conformance ....................................................55
+ 9. IANA Considerations ............................................56
+ 9.1. Bundle Block Types ........................................56
+ 9.2. Ciphersuite Numbers .......................................56
+ 9.3. Ciphersuite Flags .........................................56
+ 9.4. Parameters and Results ....................................57
+ 10. References ....................................................58
+ 10.1. Normative References .....................................58
+ 10.2. Informative References ...................................59
+
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 3]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+1. Introduction
+
+ This document defines security features for the Bundle Protocol
+ [DTNBP] intended for use in delay-tolerant networks, in order to
+ provide Delay-Tolerant Networking (DTN) security services.
+
+ The Bundle Protocol is used in DTNs that overlay multiple networks,
+ some of which may be challenged by limitations such as intermittent
+ and possibly unpredictable loss of connectivity, long or variable
+ delay, asymmetric data rates, and high error rates. The purpose of
+ the Bundle Protocol is to support interoperability across such
+ stressed networks. The Bundle Protocol is layered on top of
+ underlay-network-specific convergence layers, on top of network-
+ specific lower layers, to enable an application in one network to
+ communicate with an application in another network, both of which are
+ spanned by the DTN.
+
+ Security will be important for the Bundle Protocol. The stressed
+ environment of the underlying networks over which the Bundle Protocol
+ will operate makes it important for the DTN to be protected from
+ unauthorized use, and this stressed environment poses unique
+ challenges for the mechanisms needed to secure the Bundle Protocol.
+ Furthermore, DTNs may very likely be deployed in environments where a
+ portion of the network might become compromised, posing the usual
+ security challenges related to confidentiality, integrity, and
+ availability.
+
+ Different security processing applies to the payload and extension
+ blocks that may accompany it in a bundle, and different rules apply
+ to various extension blocks.
+
+ This document describes both the base Bundle Security Protocol (BSP)
+ and a set of mandatory ciphersuites. A ciphersuite is a specific
+ collection of various cryptographic algorithms and implementation
+ rules that are used together to provide certain security services.
+
+ The Bundle Security Protocol applies, by definition, only to those
+ nodes that implement it, known as "security-aware" nodes. There MAY
+ be other nodes in the DTN that do not implement BSP. All nodes can
+ interoperate with the exception that BSP security operations can only
+ happen at security-aware nodes.
+
+1.1. Related Documents
+
+ This document is best read and understood within the context of the
+ following other DTN documents:
+
+
+
+
+
+Symington, et al. Experimental [Page 4]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ "Delay-Tolerant Networking Architecture" [DTNarch] defines the
+ architecture for delay-tolerant networks, but does not discuss
+ security at any length.
+
+ The DTN Bundle Protocol [DTNBP] defines the format and processing
+ of the blocks used to implement the Bundle Protocol, excluding the
+ security-specific blocks defined here.
+
+1.2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
+
+ We introduce the following terminology for purposes of clarity:
+
+ source - the bundle node from which a bundle originates
+
+ destination - the bundle node to which a bundle is ultimately
+ destined
+
+ forwarder - the bundle node that forwarded the bundle on its most
+ recent hop
+
+ intermediate receiver or "next hop" - the neighboring bundle node
+ to which a forwarder forwards a bundle.
+
+ path - the ordered sequence of nodes through which a bundle passes
+ on its way from source to destination
+
+ In the figure below, which is adapted from figure 1 in the Bundle
+ Protocol Specification [DTNBP], four bundle nodes (denoted BN1, BN2,
+ BN3, and BN4) reside above some transport layer(s). Three distinct
+ transport and network protocols (denoted T1/N1, T2/N2, and T3/N3) are
+ also shown.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 5]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ +---------v-| +->>>>>>>>>>v-+ +->>>>>>>>>>v-+ +-^---------+
+ | BN1 v | | ^ BN2 v | | ^ BN3 v | | ^ BN4 |
+ +---------v-+ +-^---------v-+ +-^---------v-+ +-^---------+
+ | T1 v | + ^ T1/T2 v | + ^ T2/T3 v | | ^ T3 |
+ +---------v-+ +-^---------v-+ +-^---------v + +-^---------+
+ | N1 v | | ^ N1/N2 v | | ^ N2/N3 v | | ^ N3 |
+ +---------v-+ +-^---------v + +-^---------v-+ +-^---------+
+ | >>>>>>>>^ >>>>>>>>>>^ >>>>>>>>^ |
+ +-----------+ +------------+ +-------------+ +-----------+
+ | | | |
+ |<-- An Internet --->| |<--- An Internet --->|
+ | | | |
+
+ BN = "Bundle Node" as defined in the Bundle Protocol Specification
+
+ Figure 1: Bundle Nodes Sit at the Application Layer
+ of the Internet Model
+
+ Bundle node BN1 originates a bundle that it forwards to BN2. BN2
+ forwards the bundle to BN3, and BN3 forwards the bundle to BN4. BN1
+ is the source of the bundle and BN4 is the destination of the bundle.
+ BN1 is the first forwarder, and BN2 is the first intermediate
+ receiver; BN2 then becomes the forwarder, and BN3 the intermediate
+ receiver; BN3 then becomes the last forwarder, and BN4 the last
+ intermediate receiver, as well as the destination.
+
+ If node BN2 originates a bundle (for example, a bundle status report
+ or a custodial signal), which is then forwarded on to BN3, and then
+ to BN4, then BN2 is the source of the bundle (as well as being the
+ first forwarder of the bundle) and BN4 is the destination of the
+ bundle (as well as being the final intermediate receiver).
+
+ We introduce the following security-specific DTN terminology:
+
+ security-source - a bundle node that adds a security block to a
+ bundle
+
+ security-destination - a bundle node that processes a security
+ block of a bundle
+
+ security path - the ordered sequence of security-aware nodes
+ through which a bundle passes on its way from the security-source
+ to the security-destination
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 6]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Referring to Figure 1 again:
+
+ If the bundle that originates at BN1 is given a security block by
+ BN1, then BN1 is the security-source of this bundle with respect to
+ that security block, as well as being the source of the bundle.
+
+ If the bundle that originates at BN1 is given a security block by
+ BN2, then BN2 is the security-source of this bundle with respect to
+ that security block, even though BN1 is the source.
+
+ If the bundle that originates at BN1 is given a security block by BN1
+ that is intended to be processed by BN3, then BN1 is the security-
+ source and BN3 is the security-destination with respect to this
+ security block. The security path for this block is BN1 to BN3.
+
+ A bundle MAY have multiple security blocks. The security-source of a
+ bundle, with respect to a given security block in the bundle, MAY be
+ the same as or different from the security-source of the bundle with
+ respect to a different security block in the bundle. Similarly, the
+ security-destination of a bundle, with respect to each of that
+ bundle's security blocks, MAY be the same or different. Therefore,
+ the security paths for various blocks MAY be, and often will be,
+ different.
+
+ If the bundle that originates at BN1 is given a security block by BN1
+ that is intended to be processed by BN3, and BN2 adds a security
+ block with security-destination BN4, the security paths for the two
+ blocks overlap but not completely. This problem is discussed further
+ in Section 3.3.
+
+ As required in [DTNBP], forwarding nodes MUST transmit blocks in a
+ bundle in the same order in which they were received. This
+ requirement applies to all DTN nodes, not just ones that implement
+ security processing. Blocks in a bundle MAY be added or deleted
+ according to the applicable specification, but those blocks that are
+ both received and transmitted MUST be transmitted in the same order
+ that they were received.
+
+ If a node is not security-aware, then it forwards the security blocks
+ in the bundle unchanged unless the bundle's block processing flags
+ specify otherwise. If a network has some nodes that are not
+ security-aware, then the block processing flags SHOULD be set such
+ that security blocks are not discarded at those nodes solely because
+ they cannot be processed there. Except for this, the non-security-
+ aware nodes are transparent relay points and are invisible as far as
+ security processing is concerned.
+
+
+
+
+
+Symington, et al. Experimental [Page 7]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ The block sequence also indicates the order in which certain
+ significant actions have affected the bundle, and therefore the
+ sequence in which actions MUST occur in order to produce the bundle
+ at its destination.
+
+2. Security Blocks
+
+ There are four types of security blocks that MAY be included in a
+ bundle. These are the Bundle Authentication Block (BAB), the Payload
+ Integrity Block (PIB), the Payload Confidentiality Block (PCB), and
+ the Extension Security Block (ESB).
+
+ The BAB is used to ensure the authenticity and integrity of the
+ bundle along a single hop from forwarder to intermediate receiver.
+ Since security blocks are only processed at security-aware nodes,
+ a "single hop" from a security-aware forwarder to the next
+ security-aware intermediate receiver might be more than one actual
+ hop. This situation is discussed further in Section 2.2.
+
+ The PIB is used to ensure the authenticity and integrity of the
+ payload from the PIB security-source, which creates the PIB, to
+ the PIB security-destination, which verifies the PIB
+ authenticator. The authentication information in the PIB MAY (if
+ the ciphersuite allows) be verified by any node in between the PIB
+ security-source and the PIB security-destination that has access
+ to the cryptographic keys and revocation status information
+ required to do so.
+
+ Since a BAB protects a bundle on a "hop-by-hop" basis and other
+ security blocks MAY be protecting over several hops or end-to-end,
+ whenever both are present, the BAB MUST form the "outer" layer of
+ protection -- that is, the BAB MUST always be calculated and added
+ to the bundle after all other security blocks have been calculated
+ and added to the bundle.
+
+ The PCB indicates that the payload has been encrypted, in whole or
+ in part, at the PCB security-source in order to protect the bundle
+ content while in transit to the PCB security-destination.
+
+ PIB and PCB protect the payload and are regarded as "payload-
+ related" for purposes of the security discussion in this document.
+ Other blocks are regarded as "non-payload" blocks. Of course, the
+ primary block is unique and has separate rules.
+
+ The ESB provides security for non-payload blocks in a bundle.
+ Therefore, ESB is not applied to PIBs or PCBs and, of course, is
+ not appropriate for either the payload block or primary block.
+
+
+
+
+Symington, et al. Experimental [Page 8]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Each of the security blocks uses the Canonical Bundle Block Format as
+ defined in the Bundle Protocol Specification. That is, each security
+ block is comprised of the following elements:
+
+ o Block-type code
+
+ o Block processing control flags
+
+ o Block EID-reference list (OPTIONAL)
+
+ o Block data length
+
+ o Block-type-specific data fields
+
+ Since the four security blocks have most fields in common, we can
+ shorten the description of the Block-type-specific data fields of
+ each security block if we first define an abstract security block
+ (ASB) and then specify each of the real blocks in terms of the fields
+ that are present/absent in an ASB. Note that no bundle ever contains
+ an actual ASB, which is simply a specification artifact.
+
+2.1. Abstract Security Block
+
+ Many of the fields below use the "SDNV" type defined in [DTNBP].
+ SDNV stands for Self-Delimiting Numeric Value.
+
+ An ASB consists of the following mandatory and optional fields:
+
+ o Block-type code (one byte) - as in all bundle protocol blocks
+ except the primary bundle block. The block-type codes for the
+ security blocks are:
+
+ BundleAuthenticationBlock - BAB: 0x02
+
+ PayloadIntegrityBlock - PIB: 0x03
+
+ PayloadConfidentialityBlock - PCB: 0x04
+
+ ExtensionSecurityBlock - ESB: 0x09
+
+ o Block processing control flags (SDNV) - defined as in all bundle
+ protocol blocks except the primary bundle block (as described in
+ the Bundle Protocol Specification [DTNBP]). SDNV encoding is
+ described in the Bundle Protocol. There are no general
+ constraints on the use of the block processing control flags, and
+ some specific requirements are discussed later.
+
+
+
+
+
+Symington, et al. Experimental [Page 9]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ o EID-references - composite field defined in [DTNBP] containing
+ references to one or two endpoint identifiers (EIDs). Presence of
+ the EID-reference field is indicated by the setting of the "Block
+ contains an EID-reference field" (EID_REF) bit of the block
+ processing control flags. If one or more references are present,
+ flags in the ciphersuite ID field, described below, specify which.
+
+ If no EID fields are present, then the composite field itself MUST
+ be omitted entirely and the EID_REF bit MUST be unset. A count
+ field of zero is not permitted.
+
+ o The possible EIDs are:
+
+ * (OPTIONAL) Security-source - specifies the security-source for
+ the block. If this is omitted, then the source of the bundle
+ is assumed to be the security-source unless otherwise
+ indicated.
+
+ * (OPTIONAL) Security-destination - specifies the security-
+ destination for the block. If this is omitted, then the
+ destination of the bundle is assumed to be the security-
+ destination unless otherwise indicated.
+
+ If two EIDs are present, security-source is first and security-
+ destination comes second.
+
+ o Block data length (SDNV) - as in all bundle protocol blocks except
+ the primary bundle block. SDNV encoding is described in the
+ Bundle Protocol.
+
+ o Block-type-specific data fields as follows:
+
+ * Ciphersuite ID (SDNV)
+
+ * Ciphersuite flags (SDNV)
+
+ * (OPTIONAL) Correlator - when more than one related block is
+ inserted, then this field MUST have the same value in each
+ related block instance. This is encoded as an SDNV. See the
+ note in Section 3.8 with regard to correlator values in bundle
+ fragments.
+
+ * (OPTIONAL) Ciphersuite-parameters - compound field of the next
+ two items
+
+ + Ciphersuite-parameters length - specifies the length of the
+ following Ciphersuite-parameters data field and is encoded
+ as an SDNV.
+
+
+
+Symington, et al. Experimental [Page 10]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ + Ciphersuite-parameters data - parameters to be used with the
+ ciphersuite in use, e.g., a key identifier or initialization
+ vector (IV). See Section 2.6 for a list of potential
+ parameters and their encoding rules. The particular set of
+ parameters that is included in this field is defined as part
+ of the ciphersuite specification.
+
+ * (OPTIONAL) Security-result - compound field of the next two
+ items
+
+ + Security-result length - contains the length of the next
+ field and is encoded as an SDNV.
+
+ + Security-result data - contains the results of the
+ appropriate ciphersuite-specific calculation (e.g., a
+ signature, Message Authentication Code (MAC), or ciphertext
+ block key).
+
+ Although the diagram hints at a 32-bit layout, this is purely for the
+ purpose of exposition. Except for the "type" field, all fields are
+ variable in length.
+
+ +----------------+----------------+----------------+----------------+
+ | type | flags (SDNV) | EID-ref list(comp) |
+ +----------------+----------------+----------------+----------------+
+ | length (SDNV) | ciphersuite (SDNV) |
+ +----------------+----------------+----------------+----------------+
+ | ciphersuite flags (SDNV) | correlator (SDNV) |
+ +----------------+----------------+----------------+----------------+
+ |params len(SDNV)| ciphersuite params data |
+ +----------------+----------------+----------------+----------------+
+ |res-len (SDNV) | security-result data |
+ +----------------+----------------+----------------+----------------+
+
+ Figure 2: Abstract Security Block Structure
+
+ Some ciphersuites are specified in Section 4, which also specifies
+ the rules that MUST be satisfied by ciphersuite specifications.
+ Additional ciphersuites MAY be defined in separate specifications.
+ Ciphersuite IDs not specified are reserved. Implementations of the
+ Bundle Security Protocol decide which ciphersuites to support,
+ subject to the requirements of Section 4. It is RECOMMENDED that
+ implementations that allow additional ciphersuites permit ciphersuite
+ ID values at least up to and including 127, and they MAY decline to
+ allow larger ID values.
+
+
+
+
+
+
+Symington, et al. Experimental [Page 11]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ The structure of the ciphersuite flags field is shown in Figure 3.
+ In each case, the presence of an optional field is indicated by
+ setting the value of the corresponding flag to one. A value of zero
+ indicates the corresponding optional field is missing. Presently,
+ there are five flags defined for the field; for convenience, these
+ are shown as they would be extracted from a single-byte SDNV. Future
+ additions may cause the field to grow to the left so, as with the
+ flags fields defined in [DTNBP], the description below numbers the
+ bit positions from the right rather than the standard RFC definition,
+ which numbers bits from the left.
+
+ src - bit 4 indicates whether the EID-reference field of the ASB
+ contains the optional reference to the security-source.
+
+ dest - bit 3 indicates whether the EID-reference field of the ASB
+ contains the optional reference to the security-destination.
+
+ parm - bit 2 indicates whether or not the ciphersuite-parameters
+ length and ciphersuite-parameters data fields are present.
+
+ corr - bit 1 indicates whether or not the ASB contains an optional
+ correlator.
+
+ res - bit 0 indicates whether or not the ASB contains the
+ security-result length and security-result data fields.
+
+ bits 5-6 are reserved for future use.
+
+ Bit Bit Bit Bit Bit Bit Bit
+ 6 5 4 3 2 1 0
+ +-----+-----+-----+-----+-----+-----+-----+
+ | reserved | src |dest |parm |corr |res |
+ +-----+-----+-----+-----+-----+-----+-----+
+
+ Figure 3: Ciphersuite Flags
+
+ A little bit more terminology: if the block is a PIB, when we refer
+ to the PIB-source, we mean the security-source for the PIB as
+ represented by the EID-reference in the EID-reference field.
+ Similarly, we may refer to the "PCB-dest", meaning the security-
+ destination of the PCB, again as represented by an EID reference.
+ For example, referring to Figure 1 again, if the bundle that
+ originates at BN1 is given a Payload Confidentiality Block (PCB) by
+ BN1 that is protected using a key held by BN3, and it is given a
+ Payload Integrity Block (PIB) by BN1, then BN1 is both the PCB-source
+ and the PIB-source of the bundle, and BN3 is the PCB-destination of
+ the bundle.
+
+
+
+
+Symington, et al. Experimental [Page 12]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ The correlator field is used to associate several related instances
+ of a security block. This can be used to place a BAB that contains
+ the ciphersuite information at the "front" of a (probably large)
+ bundle, and another correlated BAB that contains the security-result
+ at the "end" of the bundle. This allows even very memory-constrained
+ nodes to be able to process the bundle and verify the BAB. There are
+ similar use cases for multiple related instances of PIB and PCB as
+ will be seen below.
+
+ The ciphersuite specification MUST make it clear whether or not
+ multiple block instances are allowed, and if so, under what
+ conditions. Some ciphersuites can, of course, leave flexibility to
+ the implementation, whereas others might mandate a fixed number of
+ instances.
+
+ For convenience, we use the term "first block" to refer to the
+ initial block in a group of correlated blocks or to the single block
+ if there are no others in the set. Obviously, there can be several
+ unrelated groups in a bundle, each containing only one block or more
+ than one, and each having its own "first block".
+
+2.2. Bundle Authentication Block
+
+ In this section, we describe typical BAB field values for two
+ scenarios -- where a single instance of the BAB contains all the
+ information and where two related instances are used, one "up front",
+ which contains the ciphersuite, and another following the payload,
+ which contains the security-result (e.g., a MAC).
+
+ For the case where a single BAB is used:
+
+ The block-type code field value MUST be 0x02.
+
+ The block processing control flags value can be set to whatever
+ values are required by local policy. Ciphersuite designers should
+ carefully consider the effect of setting flags that either discard
+ the block or delete the bundle in the event that this block cannot
+ be processed.
+
+ The ciphersuite ID MUST be documented as a hop-by-hop
+ authentication-ciphersuite that requires one instance of the BAB.
+
+ The correlator field MUST NOT be present.
+
+ The ciphersuite-parameters field MAY be present, if so specified
+ in the ciphersuite specification.
+
+
+
+
+
+Symington, et al. Experimental [Page 13]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ An EID-reference to the security-source MAY be present. The
+ security-source can also be specified as part of key-information
+ described in Section 2.6 or another block such as the Previous-Hop
+ Insertion Block [PHIB]. The security-source might also be
+ inferred from some implementation-specific means such as the
+ convergence layer.
+
+ An EID-reference to the security-destination MAY be present and is
+ useful to ensure that the bundle has been forwarded to the correct
+ next-hop node.
+
+ The security-result MUST be present as it is effectively the
+ "output" from the ciphersuite calculation (e.g., the MAC or
+ signature) applied to the (relevant parts of the) bundle (as
+ specified in the ciphersuite definition).
+
+ For the case using two related BAB instances, the first instance is
+ as defined above, except the ciphersuite ID MUST be documented as a
+ hop-by-hop authentication ciphersuite that requires two instances of
+ the BAB. In addition, the correlator MUST be present and the
+ security-result length and security-result fields MUST be absent.
+ The second instance of the BAB MUST have the same correlator value
+ present and MUST contain security-result length and security-result
+ data fields. The other optional fields MUST NOT be present.
+ Typically, this second instance of a BAB will be the last block of
+ the bundle.
+
+ The details of key transport for BAB are specified by the particular
+ ciphersuite. In the absence of conflicting requirements, the
+ following should be noted by implementors:
+
+ o the key-information item in Section 2.6 is OPTIONAL, and if not
+ provided, then the key SHOULD be inferred from the source-
+ destination tuple, being the previous key used, a key created from
+ a key-derivation function, or a pre-shared key.
+
+ o if all the nodes are security-aware, the capabilities of the
+ underlying convergence layer might be useful for identifying the
+ security-source.
+
+ o depending upon the key mechanism used, bundles can be signed by
+ the sender, or authenticated for one or more recipients, or both.
+
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 14]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+2.3. Payload Integrity Block
+
+ A PIB is an ASB with the following additional restrictions:
+
+ The block-type code value MUST be 0x03.
+
+ The block processing control flags value can be set to whatever
+ values are required by local policy. Ciphersuite designers should
+ carefully consider the effect of setting flags that either discard
+ the block or delete the bundle in the event that this block cannot
+ be processed.
+
+ The ciphersuite ID MUST be documented as an end-to-end
+ authentication-ciphersuite or as an end-to-end error-detection-
+ ciphersuite.
+
+ The correlator MUST be present if the ciphersuite requires that
+ more than one related instance of a PIB be present in the bundle.
+ The correlator MUST NOT be present if the ciphersuite only
+ requires one instance of the PIB in the bundle.
+
+ The ciphersuite-parameters field MAY be present.
+
+ An EID-reference to the security-source MAY be present. The
+ security-source can also be specified as part of key-information
+ described in Section 2.6.
+
+ An EID-reference to the security-destination MAY be present.
+
+ The security-result is effectively the "output" from the
+ ciphersuite calculation (e.g., the MAC or signature) applied to
+ the (relevant parts of the) bundle. As in the case of the BAB,
+ this field MUST be present if the correlator is absent. If more
+ than one related instance of the PIB is required, then this is
+ handled in the same way as described for the BAB above.
+
+ The ciphersuite MAY process less than the entire original bundle
+ payload. This might be because it is defined to process some
+ subset of the bundle, or perhaps because the current payload is a
+ fragment of an original bundle. For whatever reason, if the
+ ciphersuite processes less than the complete, original bundle
+ payload, the ciphersuite-parameters of this block MUST specify
+ which bytes of the bundle payload are protected.
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 15]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ For some ciphersuites, (e.g., those using asymmetric keying to
+ produce signatures or those using symmetric keying with a group key),
+ the security information can be checked at any hop on the way to the
+ security-destination that has access to the required keying
+ information. This possibility is further discussed in Section 3.6.
+
+ The use of a generally available key is RECOMMENDED if custodial
+ transfer is employed and all nodes SHOULD verify the bundle before
+ accepting custody.
+
+ Most asymmetric PIB ciphersuites will use the PIB-source to indicate
+ who the signer is and will not require the PIB-dest field because the
+ key needed to verify the PIB authenticator will be a public key
+ associated with the PIB-source.
+
+2.4. Payload Confidentiality Block
+
+ A typical confidentiality ciphersuite will encrypt the payload using
+ a randomly generated bundle encrypting key (BEK) and will use a key-
+ information item in the PCB security-parameters to carry the BEK
+ encrypted with some long-term key encryption key (KEK) or well-known
+ public key. If neither the destination nor security-destination
+ resolves the key to use for decryption, the key-information item in
+ the ciphersuite-parameters field can also be used to indicate the
+ decryption key with which the BEK can be recovered. If the bundle
+ already contains PIBs and/or PCBs, these SHOULD also be encrypted
+ using this same BEK, as described just below for "super-encryption".
+ The encrypted block is encapsulated into a new PCB that replaces the
+ original block at the same place in the bundle.
+
+ It is strongly RECOMMENDED that a data integrity mechanism be used in
+ conjunction with confidentiality, and that encryption-only
+ ciphersuites NOT be used. AES-Galois/Counter Mode (AES-GCM)
+ satisfies this requirement. The "authentication tag" or "integrity
+ check value" is stored into the security-result rather than being
+ appended to the payload as is common in some protocols since, as
+ described below, it is important that there be no change in the size
+ of the payload.
+
+ The payload is encrypted "in-place", that is, following encryption,
+ the payload block payload field contains ciphertext, not plaintext.
+ The payload block processing control flags are unmodified.
+
+ The "in-place" encryption of payload bytes is to allow bundle payload
+ fragmentation and reassembly, and custody transfer, to operate
+ without knowledge of whether or not encryption has occurred and, if
+ so, how many times.
+
+
+
+
+Symington, et al. Experimental [Page 16]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Fragmentation, reassembly, and custody transfer are adversely
+ affected by a change in size of the payload due to ambiguity about
+ what byte range of the original payload is actually in any particular
+ fragment. Ciphersuites SHOULD place any payload expansion, such as
+ authentication tags (integrity check values) and any padding
+ generated by a block-mode cipher, into an integrity check value item
+ in the security-result field (see Section 2.6) of the confidentiality
+ block.
+
+ Payload super-encryption is allowed, that is, encrypting a payload
+ that has already been encrypted, perhaps more than once.
+ Ciphersuites SHOULD define super-encryption such that, as well as re-
+ encrypting the payload, it also protects the parameters of earlier
+ encryption. Failure to do so may represent a vulnerability in some
+ circumstances.
+
+ Confidentiality is normally applied to the payload, and possibly to
+ additional blocks. It is RECOMMENDED to apply a Payload
+ Confidentiality ciphersuite to non-payload blocks only if these
+ SHOULD be super-encrypted with the payload. If super-encryption of
+ the block is not desired, then protection of the block SHOULD be done
+ using the Extension Security Block mechanism rather than PCB.
+
+ Multiple related PCB instances are required if both the payload and
+ PIBs and PCBs in the bundle are to be encrypted. These multiple PCB
+ instances require correlators to associate them with each other since
+ the key-information is provided only in the first PCB.
+
+ There are situations where more than one PCB instance is required but
+ the instances are not "related" in the sense that requires
+ correlators. One example is where a payload is encrypted for more
+ than one security-destination so as to be robust in the face of
+ routing uncertainties. In this scenario, the payload is encrypted
+ using a BEK. Several PCBs contain the BEK encrypted using different
+ KEKs, one for each destination. These multiple PCB instances are not
+ "related" and SHOULD NOT contain correlators.
+
+ The ciphersuite MAY apply different rules to confidentiality for non-
+ payload blocks.
+
+ A PCB is an ASB with the following additional restrictions:
+
+ The block-type code value MUST be 0x04.
+
+ The block processing control flags value can be set to whatever
+ values are required by local policy, except that a PCB "first
+ block" MUST have the "replicate in every fragment" flag set. This
+ flag SHOULD NOT be set otherwise. Ciphersuite designers should
+
+
+
+Symington, et al. Experimental [Page 17]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ carefully consider the effect of setting flags that either discard
+ the block or delete the bundle in the event that this block cannot
+ be processed.
+
+ The ciphersuite ID MUST be documented as a confidentiality
+ ciphersuite.
+
+ The correlator MUST be present if there is more than one related
+ PCB instance. The correlator MUST NOT be present if there are no
+ related PCB instances.
+
+ If a correlator is present, the key-information MUST be placed in
+ the PCB "first block".
+
+ Any additional bytes generated as a result of encryption and/or
+ authentication processing of the payload SHOULD be placed in an
+ "integrity check value" field (see Section 2.6) in the security-
+ result of the first PCB.
+
+ The ciphersuite-parameters field MAY be present.
+
+ An EID-reference to the security-source MAY be present. The
+ security-source can also be specified as part of key-information
+ described in Section 2.6.
+
+ An EID-reference to the security-destination MAY be present.
+
+ The security-result MAY be present and normally contains fields
+ such as an encrypted bundle encryption key, authentication tag, or
+ the encrypted versions of bundle blocks other than the payload
+ block.
+
+ The ciphersuite MAY process less than the entire original bundle
+ payload, either because the current payload is a fragment of the
+ original bundle or just because it is defined to process some subset.
+ For whatever reason, if the ciphersuite processes less than the
+ complete, original bundle payload, the "first" PCB MUST specify, as
+ part of the ciphersuite-parameters, which bytes of the bundle payload
+ are protected.
+
+ PCB ciphersuites MUST specify which blocks are to be encrypted. The
+ specification MAY be flexible and be dependent upon block type,
+ security policy, various data values, and other inputs, but it MUST
+ be deterministic. The determination of whether or not a block is to
+ be encrypted MUST NOT be ambiguous.
+
+
+
+
+
+
+Symington, et al. Experimental [Page 18]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ As was the case for the BAB and PIB, if the ciphersuite requires more
+ than one instance of the PCB, then the "first block" MUST contain any
+ optional fields (e.g., security-destination, etc.) that apply to all
+ instances with this correlator. These MUST be contained in the first
+ instance and MUST NOT be repeated in other correlated blocks. Fields
+ that are specific to a particular instance of the PCB MAY appear in
+ that PCB. For example, security-result fields MAY (and probably
+ will) be included in multiple related PCB instances, with each result
+ being specific to that particular block. Similarly, several PCBs
+ might each contain a ciphersuite-parameters field with an IV specific
+ to that PCB instance.
+
+ Put another way: when confidentiality will generate multiple blocks,
+ it MUST create a "first" PCB with the required ciphersuite ID,
+ parameters, etc., as specified above. Typically, this PCB will
+ appear early in the bundle. This "first" PCB contains the parameters
+ that apply to the payload and also to the other correlated PCBs. The
+ correlated PCBs follow the "first" PCB and MUST NOT repeat the
+ ciphersuite-parameters, security-source, or security-destination
+ fields from the first PCB. These correlated PCBs need not follow
+ immediately after the "first" PCB, and probably will not do so. Each
+ correlated block, encapsulating an encrypted PIB or PCB, is at the
+ same place in the bundle as the original PIB or PCB.
+
+ A ciphersuite MUST NOT mix payload data and a non-payload block in a
+ single PCB.
+
+ Even if a to-be-encrypted block has the "discard" flag set, whether
+ or not the PCB's "discard" flag is set is an implementation/policy
+ decision for the encrypting node. (The "discard" flag is more
+ properly called the "Discard if block can't be processed" flag.)
+
+ Any existing EID-list in the to-be-encapsulated original block
+ remains exactly as-is, and is copied to become the EID-list for the
+ replacing block. The encapsulation process MUST NOT replace or
+ remove the existing EID-list entries. This is critically important
+ for correct updating of entries at the security-destination.
+
+ At the security-destination, either the specific destination or the
+ bundle-destination, the processes described above are reversed. The
+ payload is decrypted "in-place" using the salt, IV, and key values in
+ the first PCB, including verification using the ICV. These values
+ are described in Section 2.6. Each correlated PCB is also processed
+ at the same destination, using the salt and key values from the first
+ PCB and the block-specific IV item. The encapsulated block item in
+ the security-result is decrypted and validated, using also the tag
+ that SHOULD have been appended to the ciphertext of the original
+ block data. Assuming the validation succeeds, the resultant
+
+
+
+Symington, et al. Experimental [Page 19]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ plaintext, which is the entire content of the original block,
+ replaces the PCB at the same place in the bundle. The block type
+ reverts to that of the original block prior to encapsulation, and the
+ other block-specific data fields also return to their original
+ values. Implementors are cautioned that this "replacement" process
+ requires delicate stitchery, as the EID-list contents in the
+ decapsulated block are invalid. As noted above, the EID-list
+ references in the original block were preserved in the "replacing"
+ PCB, and will have been updated as necessary as the bundle has toured
+ the DTN. The references from the PCB MUST replace the references
+ within the EID-list of the newly decapsulated block. Caveat
+ implementor.
+
+2.5. Extension Security Block
+
+ Extension security blocks provide protection for non-payload-related
+ portions of a bundle. ESBs MUST NOT be used for the primary block or
+ payload, including payload-related security blocks (PIBs and PCBs).
+
+ It is sometimes desirable to protect certain parts of a bundle in
+ ways other than those applied to the bundle payload. One such
+ example is bundle metadata that might specify the kind of data in the
+ payload but not the actual payload detail, as described in [DTNMD].
+
+ ESBs are typically used to apply confidentiality protection. While
+ it is possible to create an integrity-only ciphersuite, the block
+ protection is not transparent and makes access to the data more
+ difficult. For simplicity, this discussion describes the use of a
+ confidentiality ciphersuite.
+
+ The protection mechanisms in ESBs are similar to other security
+ blocks with two important differences:
+
+ o different key values are used (using the same key as that for
+ payload would defeat the purpose)
+
+ o the block is not encrypted or super-encrypted with the payload
+
+ A typical ESB ciphersuite will encrypt the extension block using a
+ randomly generated ephemeral key and will use the key-information
+ item in the security-parameters field to carry the key encrypted with
+ some long-term key encryption key (KEK) or well-known public key. If
+ neither the destination nor security-destination resolves the key to
+ use for decryption, the key-information item in the ciphersuite-
+ parameters field can be used also to indicate the decryption key with
+ which the BEK can be recovered.
+
+
+
+
+
+Symington, et al. Experimental [Page 20]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ It is strongly RECOMMENDED that a data integrity mechanism be used in
+ conjunction with confidentiality, and that encryption-only
+ ciphersuites NOT be used. AES-GCM satisfies this requirement.
+
+ The ESB is placed in the bundle in the same position as the block
+ being protected. That is, the entire original block is processed
+ (encrypted, etc.) and encapsulated in a "replacing" ESB-type block,
+ and this appears in the bundle at the same sequential position as the
+ original block. The processed data is placed in the security-result
+ field.
+
+ The process is reversed at the security-destination with the
+ recovered plaintext block replacing the ESB that had encapsulated it.
+ Processing of EID-list entries, if any, is described in Section 2.4,
+ and this MUST be followed in order to correctly recover EIDs.
+
+ An ESB is an ASB with the following additional restrictions:
+
+ The block type is 0x09.
+
+ Ciphersuite flags indicate which fields are present in this block.
+ Ciphersuite designers should carefully consider the effect of
+ setting flags that either discard the block or delete the bundle
+ in the event that this block cannot be processed.
+
+ EID-references MUST be stored in the EID-reference list.
+
+ The security-source MAY be present. The security-source can also
+ be specified as part of key-information described in Section 2.6.
+ If neither is present, then the bundle-source is used as the
+ security-source.
+
+ The security-destination MAY be present. If not present, then the
+ bundle-destination is used as the security-destination.
+
+ The security-parameters MAY optionally contain a block-type code
+ field to indicate the type of the encapsulated block. Since this
+ replicates a field in the encrypted portion of the block, it is a
+ slight security risk, and its use is therefore OPTIONAL.
+
+2.6. Parameters and Result Fields
+
+ Various ciphersuites include several items in the security-parameters
+ and/or security-result fields. Which items MAY appear is defined by
+ the particular ciphersuite description. A ciphersuite MAY support
+ several instances of the same type within a single block.
+
+
+
+
+
+Symington, et al. Experimental [Page 21]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Each item is represented as a type-length-value. Type is a single
+ byte indicating which item this is. Length is the count of data
+ bytes to follow, and is an SDNV-encoded integer. Value is the data
+ content of the item.
+
+ Item types are
+
+ 0: reserved
+
+ 1: initialization vector (IV)
+
+ 2: reserved
+
+ 3: key-information
+
+ 4: fragment-range (offset and length as a pair of SDNVs)
+
+ 5: integrity signature
+
+ 6: unassigned
+
+ 7: salt
+
+ 8: PCB integrity check value (ICV)
+
+ 9: reserved
+
+ 10: encapsulated block
+
+ 11: block type of encapsulated block
+
+ 12 - 191: reserved
+
+ 192 - 250: private use
+
+ 251 - 255: reserved
+
+ The following descriptions apply to the usage of these items for all
+ ciphersuites. Additional characteristics are noted in the discussion
+ for specific suites.
+
+ o initialization vector (IV): random value, typically eight to
+ sixteen bytes.
+
+ o key-information: key material encoded or protected by the key
+ management system and used to transport an ephemeral key protected
+ by a long-term key. This item is discussed further in
+ Section 2.7.
+
+
+
+Symington, et al. Experimental [Page 22]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ o fragment-range: pair of SDNV values (offset then length)
+ specifying the range of payload bytes to which a particular
+ operation applies. This is termed "fragment-range" since that is
+ its typical use, even though sometimes it describes a subset range
+ that is not a fragment. The offset value MUST be the offset
+ within the original bundle, which might not be the offset within
+ the current bundle if the current bundle is already a fragment.
+
+ o integrity signature: result of BAB or PIB digest or signing
+ operation. This item is discussed further in Section 2.7.
+
+ o salt: an IV-like value used by certain confidentiality suites.
+
+ o PCB integrity check value (ICV): output from certain
+ confidentiality ciphersuite operations to be used at the
+ destination to verify that the protected data has not been
+ modified.
+
+ o encapsulated block: result of confidentiality operation on certain
+ blocks, contains the ciphertext of the block and MAY also contain
+ an integrity check value appended to the ciphertext; MAY also
+ contain padding if required by the encryption mode; used for non-
+ payload blocks only.
+
+ o block type of encapsulated block: block-type code for a block that
+ has been encapsulated in ESB.
+
+2.7. Key Transport
+
+ This specification endeavors to maintain separation between the
+ security protocol and key management. However, these two interact in
+ the transfer of key-information, etc., from security-source to
+ security-destination. The intent of the separation is to facilitate
+ the use of a variety of key management systems without needing to
+ tailor a ciphersuite to each individually.
+
+ The key management process deals with such things as long-term keys,
+ specifiers for long-term keys, certificates for long-term keys, and
+ integrity signatures using long-term keys. The ciphersuite itself
+ SHOULD NOT require a knowledge of these, and separation is improved
+ if it treats these as opaque entities to be handled by the key
+ management process.
+
+ The key management process deals specifically with the content of two
+ of the items defined in Section 2.6: key-information (item type 3)
+ and integrity signature (item type 5). The ciphersuite MUST define
+ the details and format for these items. To facilitate
+
+
+
+
+Symington, et al. Experimental [Page 23]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ interoperability, it is strongly RECOMMENDED that the implementations
+ use the appropriate definitions from the Cryptographic Message Syntax
+ (CMS) [RFC5652] and related RFCs.
+
+ Many situations will require several pieces of key-information.
+ Again, ciphersuites MUST define whether they accept these packed into
+ a single key-information item and/or separated into multiple
+ instances of key-information. For interoperability, it is
+ RECOMMENDED that ciphersuites accept these packed into a single key-
+ information item, and that they MAY additionally choose to accept
+ them sent as separate items.
+
+2.8. PIB and PCB Combinations
+
+ Given the above definitions, nodes are free to combine applications
+ of PIB and PCB in any way they wish -- the correlator value allows
+ for multiple applications of security services to be handled
+ separately. Since PIB and PCB apply to the payload and ESB to non-
+ payload blocks, combinations of ESB with PIB and/or PCB are not
+ considered.
+
+ There are some obvious security problems that could arise when
+ applying multiple services. For example, if we encrypted a payload
+ but left a PIB security-result containing a signature in the clear,
+ payload guesses could be confirmed.
+
+ We cannot, in general, prevent all such problems since we cannot
+ assume that every ciphersuite definition takes account of every other
+ ciphersuite definition. However, we can limit the potential for such
+ problems by requiring that any ciphersuite that applies to one
+ instance of a PIB or PCB MUST be applied to all instances with the
+ same correlator.
+
+ We now list the PIB and PCB combinations that we envisage as being
+ useful to support:
+
+ Encrypted tunnels - a single bundle MAY be encrypted many times en
+ route to its destination. Clearly, it has to be decrypted an
+ equal number of times, but we can imagine each encryption as
+ representing the entry into yet another layer of tunnel. This is
+ supported by using multiple instances of PCB, but with the payload
+ encrypted multiple times, "in-place". Depending upon the
+ ciphersuite definition, other blocks can and should be encrypted,
+ as discussed above and in Section 2.4 to ensure that parameters
+ are protected in the case of super-encryption.
+
+
+
+
+
+
+Symington, et al. Experimental [Page 24]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Multiple parallel authenticators - a single security-source might
+ wish to protect the integrity of a bundle in multiple ways. This
+ could be required if the bundle's path is unpredictable and if
+ various nodes might be involved as security-destinations.
+ Similarly, if the security-source cannot determine in advance
+ which algorithms to use, then using all might be reasonable. This
+ would result in uses of PIB that, presumably, all protect the
+ payload, and which cannot in general protect one another. Note
+ that this logic can also apply to a BAB, if the unpredictable
+ routing happens in the convergence layer, so we also envisage
+ support for multiple parallel uses of BAB.
+
+ Multiple sequential authenticators - if some security-destination
+ requires assurance about the route that bundles have taken, then
+ it might insist that each forwarding node add its own PIB. More
+ likely, however, would be that outbound "bastion" nodes would be
+ configured to sign bundles as a way of allowing the sending
+ "domain" to take accountability for the bundle. In this case, the
+ various PIBs will likely be layered, so that each protects the
+ earlier applications of PIB.
+
+ Authenticated and encrypted bundles - a single bundle MAY require
+ both authentication and confidentiality. Some specifications
+ first apply the authenticator and follow this by encrypting the
+ payload and authenticator. As noted previously in the case where
+ the authenticator is a signature, there are security reasons for
+ this ordering. (See the PCB-RSA-AES128-PAYLOAD-PIB-PCB
+ ciphersuite defined in Section 4.3.) Others apply the
+ authenticator after encryption, that is, to the ciphertext. This
+ ordering is generally RECOMMENDED and minimizes attacks that, in
+ some cases, can lead to recovery of the encryption key.
+
+ There are, no doubt, other valid ways to combine PIB and PCB
+ instances, but these are the "core" set supported in this
+ specification. Having said that, as will be seen, the mandatory
+ ciphersuites defined here are quite specific and restrictive in terms
+ of limiting the flexibility offered by the correlator mechanism.
+ This is primarily designed to keep this specification as simple as
+ possible, while at the same time supporting the above scenarios.
+
+3. Security Processing
+
+ This section describes the security aspects of bundle processing.
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 25]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+3.1. Nodes as Policy Enforcement Points
+
+ All nodes are REQUIRED to have and enforce their own configurable
+ security policies, whether these policies be explicit or default, as
+ defined in Section 6.
+
+ All nodes serve as Policy Enforcement Points (PEPs) insofar as they
+ enforce polices that MAY restrict the permissions of bundle nodes to
+ inject traffic into the network. Policies MAY apply to traffic that
+ originates at the current node, traffic that terminates at the
+ current node, and traffic that is to be forwarded by the current node
+ to other nodes. If a particular transmission request, originating
+ either locally or remotely, satisfies the node's policy or policies
+ and is therefore accepted, then an outbound bundle can be created and
+ dispatched. If not, then in its role as a PEP, the node will not
+ create or forward a bundle. Error handling for such cases is
+ currently considered out of scope for this document.
+
+ Policy enforcing code MAY override all other processing steps
+ described here and elsewhere in this document. For example, it is
+ valid to implement a node that always attempts to attach a PIB.
+ Similarly, it is also valid to implement a node that always rejects
+ all requests that imply the use of a PIB.
+
+ Nodes MUST consult their security policy to determine the criteria
+ that a received bundle ought to meet before it will be forwarded.
+ These criteria MUST include a determination of whether or not the
+ received bundle MUST include a valid BAB, PIB, PCB, or ESB. If the
+ bundle does not meet the node's policy criteria, then the bundle MUST
+ be discarded and processed no further; in this case, a bundle status
+ report indicating the failure MAY be generated.
+
+ The node's policy MAY call for the node to add or subtract some
+ security blocks. For example, it might require that the node attempt
+ to encrypt (parts of) the bundle for some security-destination or
+ that it add a PIB. If the node's policy requires a BAB to be added
+ to the bundle, it MUST be added last so that the calculation of its
+ security-result MAY take into consideration the values of all other
+ blocks in the bundle.
+
+3.2. Processing Order of Security Blocks
+
+ The processing order of security actions for a bundle is critically
+ important for the actions to complete successfully. In general, the
+ actions performed at the originating node MUST be executed in the
+ reverse sequence at the destination. There are variations and
+ exceptions, and these are noted below.
+
+
+
+
+Symington, et al. Experimental [Page 26]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ The sequence is maintained in the ordering of security blocks in the
+ bundle. It is for this reason that blocks MUST NOT be rearranged at
+ forwarding nodes, whether or not they support the security protocols.
+ The only blocks that participate in this ordering are the primary and
+ payload blocks, and the PIB and PCB security blocks themselves. All
+ other extension blocks, including ESBs, are ignored for purposes of
+ determining the processing order.
+
+ The security blocks are added to and removed from a bundle in a last-
+ in-first-out (LIFO) manner, with the top of the stack immediately
+ after the primary block. A newly created bundle has just the primary
+ and payload blocks, and the stack is empty. As security actions are
+ requested for the bundle, security blocks are pushed onto the stack
+ immediately after the primary block. The early actions have security
+ blocks close to the payload, later actions have blocks nearer to the
+ primary block. The actions deal with only those blocks in the bundle
+ at the time, so, for example, the first to be added processes only
+ the payload and primary blocks, the next might process the first if
+ it chooses and the payload and primary, and so on. The last block to
+ be added can process all the blocks.
+
+ When the bundle is received, this process is reversed and security
+ processing begins at the top of the stack, immediately after the
+ primary block. The security actions are performed, and the block is
+ popped from the stack. Processing continues with the next security
+ block until finally only the payload and primary blocks remain.
+
+ The simplicity of this description is undermined by various real-
+ world requirements. Nonetheless, it serves as a helpful initial
+ framework for understanding the bundle security process.
+
+ The first issue is a very common one and easy to handle. The bundle
+ may be sent indirectly to its destination, requiring several
+ forwarding hops to finally arrive there. Security processing happens
+ at each node, assuming that the node supports bundle security. For
+ the following discussion, we assume that a bundle is created and that
+ confidentiality, then payload integrity, and finally bundle
+ authentication are applied to it. The block sequence would therefore
+ be primary-BAB-PIB-PCB-payload. Traveling from source to destination
+ requires going through one intermediate node, so the trip consists of
+ two hops.
+
+ When the bundle is received at the intermediate node, the receive
+ processing validates the BAB and pops it from the stack. However,
+ the PIBs and PCBs have the final destination as their security-
+ destination, so these cannot be processed and removed. The
+ intermediate node then begins the send process with the four
+ remaining blocks in the bundle. The outbound processing adds any
+
+
+
+Symington, et al. Experimental [Page 27]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ security blocks required by local policy, and these are pushed on the
+ stack immediately after the primary block, ahead of the PIB. In this
+ example, the intermediate node adds a PIB as a signature that the
+ bundle has passed through the node.
+
+ The receive processing at the destination first handles the
+ intermediate node's PIB and pops it, next is the originator's PIB,
+ also popped, and finally the originator's confidentiality block that
+ allows the payload to be decrypted and the bundle handled for
+ delivery.
+
+ In practice, DTNs are likely to be more complex. The security policy
+ for a node specifies the security requirements for a bundle. The
+ policy will possibly cause one or more security operations to be
+ applied to the bundle at the current node, each with its own
+ security-destination. Application of policy at subsequent nodes
+ might cause additional security operations, each with a security-
+ destination. The list of security-destinations in the security
+ blocks (BAB, PIB and PCB, not ESB) creates a partial-ordering of
+ nodes that MUST be visited en route to the bundle-destination.
+
+ The bundle security scheme does not deal with security paths that
+ overlap partially but not completely. The security policy for a node
+ MUST avoid specifying, for a bundle, a security-destination that
+ causes a conflict with any existing security-destination in that
+ bundle. This is discussed further in Section 3.3.
+
+ The second issue relates to the reversibility of certain security
+ process actions. In general, the actions fall into two categories:
+ those that do not affect other parts of the bundle and those that are
+ fully reversible. Creating a bundle signature, for example, does not
+ change the bundle content except for the result. The encryption
+ performed as part of the confidentiality processing does change the
+ bundle, but the reverse processing at the destination restores the
+ original content.
+
+ The third category is the one where the bundle content has changed
+ slightly and in a non-destructive way, but there is no mechanism to
+ reverse the change. The simplest example is the addition of an EID-
+ reference to a security block. The addition of the reference causes
+ the text to be added to the bundle's dictionary. The text may also
+ be used by other references, so removal of the block and this
+ specific EID-reference does not cause removal of the text from the
+ dictionary. This shortcoming is of no impact to the "sequential" or
+ "wrapping" security schemes described above, but does cause failures
+ with "parallel" authentication mechanisms. Solutions for this
+
+
+
+
+
+Symington, et al. Experimental [Page 28]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ problem are implementation specific and typically involve multi-pass
+ processing such that blocks are added at one stage and the security-
+ results calculated at a later stage of the overall process.
+
+ Certain ciphersuites have sequence requirements for their correct
+ operation, most notably the bundle authentication ciphersuites.
+ Processing for bundle authentication is required to happen after all
+ other sending operations, and prior to any receive operations at the
+ next-hop node. Therefore, it follows that BABs MUST always be pushed
+ onto the stack after all others.
+
+ Although we describe the security block list as a stack, there are
+ some blocks that are placed after the payload and therefore are not
+ part of the stack. The BundleAuthentication ciphersuite #1 ("BA1")
+ requires a second, correlated block to contain the security-result,
+ and this block is placed after the payload, usually as the last block
+ in the bundle. We can apply the stack rules even to these blocks by
+ specifying that they be added to the end of the bundle at the same
+ time that their "owner" or "parent" block is pushed on the stack. In
+ fact, they form a stack beginning at the payload but growing in the
+ other direction. Also, not all blocks in the main stack have a
+ corresponding entry in the trailing stack. The only blocks that MUST
+ follow the payload are those mandated by ciphersuites as correlated
+ blocks for holding a security-result. No other blocks are required
+ to follow the payload block and it is NOT RECOMMENDED that they do
+ so.
+
+ ESBs are effectively placeholders for the blocks they encapsulate
+ and, since those do not form part of the processing sequence
+ described above, ESBs themselves do not either. ESBs MAY be
+ correlated, however, so the "no reordering" requirement applies to
+ them as well.
+
+3.3. Security Regions
+
+ Each security block has a security path, as described in the
+ discussion for Figure 1, and the paths for various blocks are often
+ different.
+
+ BABs are always for a single hop, and these restricted paths never
+ cause conflict.
+
+ The paths for PIBs and PCBs are often from bundle-source to bundle-
+ destination, to provide end-to-end protection. A bundle-source-to-
+ bundle-destination path likewise never causes a problem.
+
+ Another common scenario is for gateway-to-gateway protection of
+ traffic between two sub-networks ("tunnel-mode").
+
+
+
+Symington, et al. Experimental [Page 29]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Looking at Figure 1 and the simplified version shown in Figure 4, we
+ can regard BN2 and BN3 as gateways connecting the two sub-networks
+ labeled "An internet". As long as they provide security for the BN2-
+ BN3 path, all is well. Problems begin, for example, when BN2 adds
+ blocks with BN4 as the security-destination, and the originating node
+ BN1 has created blocks with BN3 as security-destination. We now have
+ two paths, and neither is a subset of the other.
+
+ This scenario should be prevented by node BN2's security policy being
+ aware of the already existing block with BN3 as the security-
+ destination. This policy SHOULD NOT specify a security-destination
+ that is further distant than any existing security-destination.
+
+ +---------v-| +->>>>>>>>>>v-+ +->>>>>>>>>>v-+ +-^---------+
+ | BN1 v | | ^ BN2 v | | ^ BN3 v | | ^ BN4 |
+ +---------v-+ +-^---------v-+ +-^---------v-+ +-^---------+
+ >>>>>>>>^ >>>>>>>>>>^ >>>>>>>>^
+
+ <------------- BN1 to BN3 path ------------>
+
+ <------------- BN2 to BN4 path ------------>
+
+ Figure 4: Overlapping Security Paths
+
+ Consider the case where the security concern is for data integrity,
+ so the blocks are PIBs. BN1 creates one ("PIa") along with the new
+ bundle, and BN2 pushes its own PIB "PIb" on the stack, with security-
+ destination BN4. When this bundle arrives at BN3, the bundle blocks
+ are
+
+ primary - PIb - PIa - payload
+
+ Block PIb is not destined for this node BN3, so it has to be
+ forwarded. This is the security-destination for block PIa so, after
+ validation, it should be removed from the bundle; however, that will
+ invalidate the PIb signature when the block is checked at the final
+ destination. The PIb signature includes the primary block, PIb
+ itself, PIa and the payload block, so PIa MUST remain in the bundle.
+ This is why security blocks are treated as a stack and add/remove
+ operations are permitted only at the top-of-stack.
+
+ The situation would be worse if the security concern is
+ confidentiality, and PCBs are employed, using the confidentiality
+ ciphersuite #3 ("PC3") described in Section 4.3. In this scenario,
+ BN1 would encrypt the bundle with BN3 as security-destination, BN2
+ would create an overlapping security path by super-encrypting the
+ payload and encapsulating the PC3 block for security-destination BN4.
+ BN3 forwards all the blocks without change. BN4 decrypts the payload
+
+
+
+Symington, et al. Experimental [Page 30]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ from its super-encryption and decapsulates the PC3 block, only to
+ find that it should have been processed earlier. Assuming that BN4
+ has no access to BN3's key store, BN4 has no way to decrypt the
+ bundle and recover the original content.
+
+ As mentioned above, authors of security policy need to use care to
+ ensure that their policies do not cause overlaps. These guidelines
+ should prove helpful.
+
+ The originator of a bundle can always specify the bundle-
+ destination as the security-destination and should be cautious
+ about doing otherwise.
+
+ In the "tunnel-mode" scenario where two sub-networks are connected
+ by a tunnel through a network, the gateways can each specify the
+ other as security-destination and should be cautious about doing
+ otherwise.
+
+ BAB is never a problem because it is always only a single hop.
+
+ PIB for a bundle without PCB will usually specify the bundle-
+ destination as security-destination.
+
+ PIB for a bundle containing a PCB should specify as its security-
+ destination the security-destination of the PCB (outermost PCB if
+ there are more than one).
+
+3.4. Canonicalization of Bundles
+
+ In order to verify a signature or MAC on a bundle, the exact same
+ bits, in the exact same order, MUST be input to the calculation upon
+ verification as were input upon initial computation of the original
+ signature or MAC value. Consequently, a node MUST NOT change the
+ encoding of any URI [RFC3986] in the dictionary field, e.g., changing
+ the DNS part of some HTTP URL from lower case to upper case. Because
+ bundles MAY be modified while in transit (either correctly or due to
+ implementation errors), a canonical form of any given bundle (that
+ contains a BAB or PIB) MUST be defined.
+
+ This section defines bundle canonicalization algorithms used in
+ Sections 4.1 and 4.2 ciphersuites. Other ciphersuites can use these
+ or define their own canonicalization procedures.
+
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 31]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+3.4.1. Strict Canonicalization
+
+ The first algorithm that can be used permits no changes at all to the
+ bundle between the security-source and the security-destination. It
+ is mainly intended for use in BAB ciphersuites. This algorithm
+ conceptually catenates all blocks in the order presented, but omits
+ all security-result data fields in blocks of this ciphersuite type.
+ That is, when a BAB ciphersuite specifies this algorithm, we omit all
+ BAB security-results for all BAB ciphersuites. When a PIB
+ ciphersuite specifies this algorithm, we omit all PIB security-
+ results for all PIB ciphersuites. All security-result length fields
+ are included, even though their corresponding security-result data
+ fields are omitted.
+
+ Notes:
+
+ o In the above, we specify that security-result data is omitted.
+ This means that no bytes of the security-result data are input.
+ We do not set the security-result length to zero. Rather, we
+ assume that the security-result length will be known to the module
+ that implements the ciphersuite before the security-result is
+ calculated, and require that this value be in the security-result
+ length field even though the security-result data itself will be
+ omitted.
+
+ o The 'res' bit of the ciphersuite ID, which indicates whether or
+ not the security-result length and security-result data field are
+ present, is part of the canonical form.
+
+ o The value of the block data length field, which indicates the
+ length of the block, is also part of the canonical form. Its
+ value indicates the length of the entire bundle when the bundle
+ includes the security-result data field.
+
+ o BABs are always added to bundles after PIBs, so when a PIB
+ ciphersuite specifies this strict canonicalization algorithm and
+ the PIB is received with a bundle that also includes one or more
+ BABs, application of strict canonicalization as part of the PIB
+ security-result verification process requires that all BABs in the
+ bundle be ignored entirely.
+
+3.4.2. Mutable Canonicalization
+
+ This algorithm is intended to protect parts of the bundle that SHOULD
+ NOT be changed in transit. Hence, it omits the mutable parts of the
+ bundle.
+
+
+
+
+
+Symington, et al. Experimental [Page 32]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ The basic approach is to define a canonical form of the primary block
+ and catenate it with the security (PIBs and PCBs only) and payload
+ blocks in the order that they will be transmitted. This algorithm
+ ignores all other blocks, including ESBs, because it cannot be
+ determined whether or not they will change as the bundle transits the
+ network. In short, this canonicalization protects the payload,
+ payload-related security blocks, and parts of the primary block.
+
+ Many fields in various blocks are stored as variable-length SDNVs.
+ These are canonicalized in unpacked form, as eight-byte fixed-width
+ fields in network byte order. The size of eight bytes is chosen
+ because implementations MAY handle larger values as invalid, as noted
+ in [DTNBP].
+
+ The canonical form of the primary block is shown in Figure 5.
+ Essentially, it de-references the dictionary block, adjusts lengths
+ where necessary, and ignores flags that MAY change in transit.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 33]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ +----------------+----------------+----------------+----------------+
+ | Version | Processing flags (incl. COS and SRR) |
+ +----------------+----------------+---------------------------------+
+ | Canonical primary block length |
+ +----------------+----------------+---------------------------------+
+ | Destination endpoint ID length |
+ +----------------+----------------+---------------------------------+
+ | |
+ | Destination endpoint ID |
+ | |
+ +----------------+----------------+---------------------------------+
+ | Source endpoint ID length |
+ +----------------+----------------+----------------+----------------+
+ | |
+ | Source endpoint ID |
+ | |
+ +----------------+----------------+---------------------------------+
+ | Report-to endpoint ID length |
+ +----------------+----------------+----------------+----------------+
+ | |
+ | Report-to endpoint ID |
+ | |
+ +----------------+----------------+----------------+----------------+
+ | |
+ + Creation Timestamp (2 x SDNV) +
+ | |
+ +---------------------------------+---------------------------------+
+ | Lifetime |
+ +----------------+----------------+----------------+----------------+
+
+ Figure 5: The Canonical Form of the Primary Bundle Block
+
+ The fields shown in Figure 5 are as follows:
+
+ The version value is the single-byte value in the primary block.
+
+ The processing flags value in the primary block is an SDNV, and
+ includes the class-of-service (COS) and status report request
+ (SRR) fields. For purposes of canonicalization, the SDNV is
+ unpacked into a fixed-width field, and some bits are masked out.
+ The unpacked field is ANDed with mask 0x0000 0000 0007 C1BE to set
+ to zero all reserved bits and the "bundle is a fragment" bit.
+
+ The canonical primary block length value is a four-byte value
+ containing the length (in bytes) of this structure, in network
+ byte order.
+
+
+
+
+
+Symington, et al. Experimental [Page 34]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ The destination endpoint ID length and value are the length (as a
+ four-byte value in network byte order) and value of the
+ destination endpoint ID from the primary bundle block. The URI is
+ simply copied from the relevant part(s) of the dictionary block
+ and is not itself canonicalized. Although the dictionary entries
+ contain "null-terminators", the null-terminators are not included
+ in the length or the canonicalization.
+
+ The source endpoint ID length and value are handled similarly to
+ the destination.
+
+ The report-to endpoint ID length and value are handled similarly
+ to the destination.
+
+ The creation timestamp (2 x SDNV) and lifetime (SDNV) are simply
+ copied from the primary block, with the SDNV values being
+ represented as eight-byte unpacked values.
+
+ Fragment offset and total application data unit length are
+ ignored, as is the case for the "bundle is a fragment" bit
+ mentioned above. If the payload data to be canonicalized is less
+ than the complete, original bundle payload, the offset and length
+ are specified in the security-parameters.
+
+ For non-primary blocks being included in the canonicalization, the
+ block processing control flags value used for canonicalization is the
+ unpacked SDNV value with reserved and mutable bits masked to zero.
+ The unpacked value is ANDed with mask 0x0000 0000 0000 0077 to zero
+ reserved bits and the "last block" flag. The "last block" flag is
+ ignored because BABs and other security blocks MAY be added for some
+ parts of the journey but not others, so the setting of this bit might
+ change from hop to hop.
+
+ Endpoint ID references in security blocks are canonicalized using the
+ de-referenced text form in place of the reference pair. The
+ reference count is not included, nor is the length of the endpoint ID
+ text.
+
+ The block-length is canonicalized as an eight-byte unpacked value in
+ network byte order. If the payload data to be canonicalized is less
+ than the complete, original bundle payload, this field contains the
+ size of the data being canonicalized (the "effective block") rather
+ that the actual size of the block.
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 35]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Payload blocks are generally canonicalized as-is, with the exception
+ that, in some instances, only a portion of the payload data is to be
+ protected. In such a case, only those bytes are included in the
+ canonical form, and additional ciphersuite-parameters are required to
+ specify which part of the payload is protected, as discussed further
+ below.
+
+ Security blocks are handled likewise, except that the ciphersuite
+ will likely specify that the "current" security block security-result
+ field not be considered part of the canonical form. This differs
+ from the strict canonicalization case since we might use the mutable
+ canonicalization algorithm to handle sequential signatures such that
+ signatures cover earlier ones.
+
+ ESBs MUST NOT be included in the canonicalization.
+
+ Notes:
+
+ o The canonical form of the bundle is not transmitted. It is simply
+ an artifact used as input to digesting.
+
+ o We omit the reserved flags because we cannot determine if they
+ will change in transit. The masks specified above will have to be
+ revised if additional flags are defined and they need to be
+ protected.
+
+ o Our URI encoding does not preserve the null-termination convention
+ from the dictionary field, nor do we separate the scheme and the
+ scheme-specific part (SSP) as is done there.
+
+ o The URI encoding will cause errors if any node rewrites the
+ dictionary content (e.g., changing the DNS part of an HTTP URL
+ from lower case to upper case). This could happen transparently
+ when a bundle is synched to disk using one set of software and
+ then read from disk and forwarded by a second set of software.
+ Because there are no general rules for canonicalizing URIs (or
+ IRIs), this problem may be an unavoidable source of integrity
+ failures.
+
+ o All SDNV fields here are canonicalized as eight-byte unpacked
+ values in network byte order. Length fields are canonicalized as
+ four-byte values in network byte order. Encoding does not need
+ optimization since the values are never sent over the network.
+
+ If a bundle is fragmented before the PIB is applied, then the PIB
+ applies to a fragment and not the entire bundle. However, the
+ protected fragment could be subsequently further fragmented, which
+ would leave the verifier unable to know which bytes were protected
+
+
+
+Symington, et al. Experimental [Page 36]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ by the PIB. Even in the absence of fragmentation, the same
+ situation applies if the ciphersuite is defined to allow
+ protection of less than the entire, original bundle payload.
+
+ For this reason, PIB ciphersuites that support applying a PIB to
+ less than the complete, original bundle payload MUST specify, as
+ part of the ciphersuite-parameters, which bytes of the bundle
+ payload are protected. When verification occurs, only the
+ specified range of the payload bytes are input to PIB
+ verification. It is valid for a ciphersuite to be specified so as
+ to only apply to entire bundles and not to fragments. A
+ ciphersuite MAY be specified to apply to only a portion of the
+ payload, regardless of whether the payload is a fragment or the
+ complete, original bundle payload.
+
+ The same fragmentation issue applies equally to PCB ciphersuites.
+ Ciphersuites that support applying confidentiality to fragments
+ MUST specify, as part of the ciphersuite-parameters, which bytes
+ of the bundle payload are protected. When decrypting a fragment,
+ only the specified bytes are processed. It is also valid for a
+ confidentiality ciphersuite to be specified so as to only apply to
+ entire bundles and not to fragments.
+
+ This definition of mutable canonicalization assumes that endpoint IDs
+ themselves are immutable and is unsuitable for use in environments
+ where that assumption might be violated.
+
+ The canonicalization applies to a specific bundle and not a specific
+ payload. If a bundle is forwarded in some way, the recipient is not
+ able to verify the original integrity signature since the source EID
+ will be different, and possibly other fields.
+
+ The solution for either of these issues is to define and use a PIB
+ ciphersuite having an alternate version of mutable canonicalization
+ any fields from the primary block.
+
+3.5. Endpoint ID Confidentiality
+
+ Every bundle MUST contain a primary block that contains the source
+ and destination endpoint IDs, and possibly other EIDs (in the
+ dictionary field), and that cannot be encrypted. If endpoint ID
+ confidentiality is required, then bundle-in-bundle encapsulation can
+ solve this problem in some instances.
+
+ Similarly, confidentiality requirements MAY also apply to other parts
+ of the primary block (e.g., the current-custodian), and that is
+ supported in the same manner.
+
+
+
+
+Symington, et al. Experimental [Page 37]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+3.6. Bundles Received from Other Nodes
+
+ Nodes implementing this specification SHALL consult their security
+ policy to determine whether or not a received bundle is required by
+ policy to include a BAB. If the bundle has no BAB, and one is not
+ required, then BAB processing on the received bundle is complete, and
+ the bundle is ready to be further processed for PIB/PCB/ESB handling
+ or delivery or forwarding.
+
+ If the bundle is required to have a BAB but does not, then the bundle
+ MUST be discarded and processed no further. If the bundle is
+ required to have a BAB but all of its BABs identify a node other than
+ the receiving node as the BAB security-destination, then the bundle
+ MUST be discarded and processed no further.
+
+ If the bundle is required to have a BAB, and has one or more BABs
+ that identify the receiving node as the BAB security-destination, or
+ for which there is no security-destination, then the value in the
+ security-result field(s) of the BAB(s) MUST be verified according to
+ the ciphersuite specification. If, for all such BABs in the bundle,
+ either the BAB security source cannot be determined or the security-
+ result value check fails, the bundle has failed to authenticate, and
+ the bundle MUST be discarded and processed no further. If any of the
+ BABs present verify, or if a BAB is not required, the bundle is ready
+ for further processing as determined by extension blocks and/or
+ policy.
+
+ BABs received in a bundle MUST be stripped before the bundle is
+ forwarded. New BABs MAY be added as required by policy. This MAY
+ require correcting the "last block" field of the to-be-forwarded
+ bundle.
+
+ Further processing of the bundle MUST take place in the order
+ indicated by the various blocks from the primary block to the payload
+ block, except as defined by an applicable specification.
+
+ If the bundle has a PCB and the receiving node is the PCB-destination
+ for the bundle (either because the node is listed as the bundle's
+ PCB-destination or because the node is listed as the bundle-
+ destination and there is no PCB-dest), the node MUST decrypt the
+ relevant parts of the bundle in accordance with the ciphersuite
+ specification. The PCB SHALL be deleted. If the relevant parts of
+ the bundle cannot be decrypted (i.e., the decryption key cannot be
+ deduced or decryption fails), then the bundle MUST be discarded and
+ processed no further; in this case, a bundle deletion status report
+ (see the Bundle Protocol Specification [DTNBP]) indicating the
+ decryption failure MAY be generated. If the PCB security-result
+
+
+
+
+Symington, et al. Experimental [Page 38]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ included the ciphertext of a block other than the payload block, the
+ recovered plaintext block MUST be placed in the bundle at the
+ location from which the PCB was deleted.
+
+ If the bundle has one or more PIBs for which the receiving node is
+ the bundle's PIB-destination (either because the node is listed in
+ the bundle's PIB-destination or because the node is listed as the
+ bundle-destination and there is no PIB-dest), the node MUST verify
+ the value in the PIB security-result field(s) in accordance with the
+ ciphersuite specification. If all the checks fail, the bundle has
+ failed to authenticate and the bundle SHALL be processed according to
+ the security policy. A bundle status report indicating the failure
+ MAY be generated. Otherwise, if the PIB verifies, the bundle is
+ ready to be processed for either delivery or forwarding. Before
+ forwarding the bundle, the node SHOULD remove the PIB from the
+ bundle, subject to the requirements of Section 3.2, unless it is
+ likely that some downstream node will also be able to verify the PIB.
+
+ If the bundle has a PIB and the receiving node is not the bundle's
+ PIB-dest, the receiving node MAY attempt to verify the value in the
+ security-result field. If it is able to check and the check fails,
+ the node SHALL discard the bundle and it MAY send a bundle status
+ report indicating the failure.
+
+ If the bundle has an ESB and the receiving node is the ESB-
+ destination for the bundle (either because the node is listed as the
+ bundle's ESB-destination or because the node is listed as the bundle-
+ destination and there is no ESB-destination), the node MUST decrypt
+ and/or decapsulate the encapsulated block in accordance with the
+ ciphersuite specification. The decapsulated block replaces the ESB
+ in the bundle block sequence, and the ESB is thereby deleted. If the
+ content cannot be decrypted (i.e., the decryption key cannot be
+ deduced or decryption fails), then the bundle MAY be discarded and
+ processed no further unless the security policy specifies otherwise.
+ In this case, a bundle deletion status report (see the Bundle
+ Protocol Specification [DTNBP]) indicating the decryption failure MAY
+ be generated.
+
+3.7. The At-Most-Once-Delivery Option
+
+ An application MAY request (in an implementation-specific manner)
+ that a node be registered as a member of an endpoint and that
+ received bundles destined for that endpoint be delivered to that
+ application.
+
+ An option for use in such cases is known as "at-most-once-delivery".
+ If this option is chosen, the application indicates that it wants the
+ node to check for duplicate bundles, discard duplicates, and deliver
+
+
+
+Symington, et al. Experimental [Page 39]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ at most one copy of each received bundle to the application. If this
+ option is not chosen, the application indicates that it wants the
+ node to deliver all received bundle copies to the application. If
+ this option is chosen, the node SHALL deliver at most one copy of
+ each received bundle to the application. If the option is not
+ chosen, the node SHOULD, subject to policy, deliver all bundles.
+
+ To enforce this, the node MUST look at the source/timestamp pair
+ value of each complete (reassembled, if necessary) bundle received
+ and determine if this pair, which uniquely identifies a bundle, has
+ been previously received. If it has, then the bundle is a duplicate.
+ If it has not, then the bundle is not a duplicate. The source/
+ timestamp pair SHALL be added to the list of pair values already
+ received by that node.
+
+ Each node implementation MAY decide how long to maintain a table of
+ pair value state.
+
+3.8. Bundle Fragmentation and Reassembly
+
+ If it is necessary for a node to fragment a bundle and security
+ services have been applied to that bundle, the fragmentation rules
+ described in [DTNBP] MUST be followed. As defined there and repeated
+ here for completeness, only the payload MAY be fragmented; security
+ blocks, like all extension blocks, can never be fragmented. In
+ addition, the following security-specific processing is REQUIRED:
+
+ The security policy requirements for a bundle MUST be applied
+ individually to all the bundles resulting from a fragmentation event.
+
+ If the original bundle contained a PIB, then each of the PIB
+ instances MUST be included in some fragment.
+
+ If the original bundle contained one or more PCBs, then any PCB
+ instances containing a key-information item MUST have the "replicate
+ in every fragment" flag set, and thereby be replicated in every
+ fragment. This is to ensure that the canonical block-sequence can be
+ recovered during reassembly.
+
+ If the original bundle contained one or more correlated PCBs not
+ containing a key-information item, then each of these MUST be
+ included in some fragment, but SHOULD NOT be sent more than once.
+ They MUST be placed in a fragment in accordance with the
+ fragmentation rules described in [DTNBP].
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 40]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Note: various fragments MAY have additional security blocks added at
+ this or later stages, and it is possible that correlators will
+ collide. In order to facilitate uniqueness, ciphersuites SHOULD
+ include the fragment-offset of the fragment as a high-order component
+ of the correlator.
+
+3.9. Reactive Fragmentation
+
+ When a partial bundle has been received, the receiving node SHALL
+ consult its security policy to determine if it MAY fragment the
+ bundle, converting the received portion into a bundle fragment for
+ further forwarding. Whether or not reactive fragmentation is
+ permitted SHALL depend on the security policy and the ciphersuite
+ used to calculate the BAB authentication information, if required.
+ (Some BAB ciphersuites, i.e., the mandatory BAB-HMAC (Hashed Message
+ Authentication Code) ciphersuite defined in Section 4.1, do not
+ accommodate reactive fragmentation because the security-result in the
+ BAB requires that the entire bundle be signed. It is conceivable,
+ however, that a BAB ciphersuite could be defined such that multiple
+ security-results are calculated, each on a different segment of a
+ bundle, and that these security-results could be interspersed between
+ bundle payload segments such that reactive fragmentation could be
+ accommodated.)
+
+ If the bundle is reactively fragmented by the intermediate receiver
+ and the BAB-ciphersuite is of an appropriate type (e.g., with
+ multiple security-results embedded in the payload), the bundle MUST
+ be fragmented immediately after the last security-result value in the
+ partial payload that is received. Any data received after the last
+ security-result value MUST be dropped.
+
+ If a partial bundle is received at the intermediate receiver and is
+ reactively fragmented and forwarded, only the part of the bundle that
+ was not received MUST be retransmitted, though more of the bundle MAY
+ be retransmitted. Before retransmitting a portion of the bundle, it
+ SHALL be changed into a fragment and, if the original bundle included
+ a BAB, the fragmented bundle MUST also, and its BAB SHALL be
+ recalculated.
+
+ This specification does not define any ciphersuite that can handle
+ this reactive fragmentation case.
+
+ An interesting possibility is a ciphersuite definition such that the
+ transmission of a follow-up fragment would be accompanied by the
+ signature for the payload up to the restart point.
+
+
+
+
+
+
+Symington, et al. Experimental [Page 41]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+3.10. Attack Model
+
+ An evaluation of resilience to cryptographic attack necessarily
+ depends upon the algorithms chosen for bulk data protection and for
+ key transport. The mandatory ciphersuites described in the following
+ section use AES, RSA, and SHA algorithms in ways that are believed to
+ be reasonably secure against ciphertext-only, chosen-ciphertext,
+ known-plaintext, and chosen-plaintext attacks.
+
+ The design has carefully preserved the resilience of the algorithms
+ against attack. For example, if a message is encrypted, then any
+ message integrity signature is also encrypted so that guesses cannot
+ be confirmed.
+
+4. Mandatory Ciphersuites
+
+ This section defines the mandatory ciphersuites for this
+ specification. There is currently one mandatory ciphersuite for use
+ with each of the security block types BAB, PIB, PCB, and ESB. The
+ BAB ciphersuite is based on shared secrets using HMAC. The PIB
+ ciphersuite is based on digital signatures using RSA with SHA-256.
+ The PCB and ESB ciphersuites are based on using RSA for key transport
+ and AES for bulk encryption.
+
+ In all uses of CMS eContent in this specification, the relevant
+ eContentType to be used is id-data as specified in [RFC5652].
+
+ The ciphersuites use the mechanisms defined in Cryptographic Message
+ Syntax (CMS) [RFC5652] for packaging the keys, signatures, etc., for
+ transport in the appropriate security block. The data in the CMS
+ object is not the bundle data, as would be the typical usage for CMS.
+ Rather, the "message data" packaged by CMS is the ephemeral key,
+ message digest, etc., used in the core code of the ciphersuite.
+
+ In all cases where we use CMS, implementations SHOULD NOT include
+ additional attributes whether signed or unsigned, authenticated or
+ unauthenticated.
+
+4.1. BAB-HMAC
+
+ The BAB-HMAC ciphersuite has ciphersuite ID value 0x001.
+
+ BAB-HMAC uses the strict canonicalization algorithm in Section 3.4.1.
+
+ Strict canonicalization supports digesting of a fragment-bundle. It
+ does not permit the digesting of only a subset of the payload, but
+ only the complete contents of the payload of the current bundle,
+
+
+
+
+Symington, et al. Experimental [Page 42]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ which might be a fragment. The fragment-range item for security-
+ parameters is not used to indicate a fragment, as this information is
+ digested within the primary block.
+
+ The variant of HMAC to be used is HMAC-SHA1 as defined in [RFC2104].
+
+ This ciphersuite requires the use of two related instances of the
+ BAB. It involves placing the first BAB instance (as defined in
+ Section 2.2) just after the primary block. The second (correlated)
+ instance of the BAB MUST be placed after all other blocks (except
+ possibly other BAB blocks) in the bundle.
+
+ This means that, normally, the BAB will be the second and last blocks
+ of the bundle. If a forwarder wishes to apply more than one
+ correlated BAB pair, then this can be done. There is no requirement
+ that each application "wrap" the others, but the forwarder MUST
+ insert all the "up front" BABs, and their "at back" "partners"
+ (without any security-result), before canonicalizing.
+
+ Inserting more than one correlated BAB pair would be useful if the
+ bundle could be routed to more than one potential "next hop" or if
+ both an old and a new key were valid at sending time, with no
+ certainty about the situation that will obtain at reception time.
+
+ The security-result is the output of the HMAC-SHA1 calculation with
+ the input being the result of running the entire bundle through the
+ strict canonicalization algorithm. Both required BAB instances MUST
+ be included in the bundle before canonicalization.
+
+ Security-parameters are OPTIONAL with this scheme, but if used, then
+ the only field that can be present is key-information (see
+ Section 2.6).
+
+ In the absence of key-information, the receiver is expected to be
+ able to find the correct key based on the sending identity. The
+ sending identity MAY be known from the security-source field or the
+ content of a previous-hop block in the bundle. It MAY also be
+ determined using implementation-specific means such as the
+ convergence layer.
+
+4.2. PIB-RSA-SHA256
+
+ The PIB-RSA-SHA256 ciphersuite has ciphersuite ID value 0x02.
+
+ PIB-RSA-SHA256 uses the mutable canonicalization algorithm in
+ Section 3.4.2, with the security-result data field for only the
+ "current" block being excluded from the canonical form. The
+
+
+
+
+Symington, et al. Experimental [Page 43]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ resulting canonical form of the bundle is the input to the signing
+ process. This ciphersuite requires the use of a single instance of
+ the PIB.
+
+ Because the signature field in SignedData SignatureValue is a
+ security-result field, the entire key-information item MUST be placed
+ in the block's security-result field, rather than security-
+ parameters.
+
+ If the bundle being signed has been fragmented before signing, then
+ we have to specify which bytes were signed in case the signed bundle
+ is subsequently fragmented for a second time. If the bundle is a
+ fragment, then the ciphersuite-parameters MUST include a fragment-
+ range field, as described in Section 2.6, specifying the offset and
+ length of the signed fragment. If the entire bundle is signed, then
+ these numbers MUST be omitted.
+
+ Implementations MUST support the use of the "SignedData" type as
+ defined in [RFC5652], Section 5.1, with SignerInfo type
+ SignerIdentifier containing the issuer and serial number of a
+ suitable certificate. The data to be signed is the output of the
+ SHA256 mutable canonicalization process.
+
+ RSA is used with SHA256 as specified for the id-sha256 signature
+ scheme in [RFC4055], Section 5. The output of the signing process is
+ the SignatureValue field for the PIB.
+
+ "Commensurate strength" cryptography is generally held to be a good
+ idea. A combination of RSA with SHA-256 is reckoned to require a
+ 3076-bit RSA key according to this logic. Few implementations will
+ choose this length by default (and probably some just will not
+ support such long keys). Since this is an experimental protocol, we
+ expect that 1024- or 2048-bit RSA keys will be used in many cases,
+ and that this will be fine since we also expect that the hash
+ function "issues" will be resolved before any standard would be
+ derived from this protocol.
+
+4.3. PCB-RSA-AES128-PAYLOAD-PIB-PCB
+
+ The PCB-RSA-AES128-PAYLOAD-PIB-PCB ciphersuite has ciphersuite ID
+ value 0x003.
+
+ This scheme encrypts PIBs, PCBs, and the payload. The key size for
+ this ciphersuite is 128 bits.
+
+ Encryption is done using the AES algorithm in Galois/Counter Mode
+ (GCM) as described in [RFC5084]. Note: parts of the following
+ description are borrowed from [RFC4106].
+
+
+
+Symington, et al. Experimental [Page 44]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ The choice of GCM avoids expansion of the payload, which causes
+ problems with fragmentation/reassembly and custody transfer. GCM
+ also includes authentication, essential in preventing attacks that
+ can alter the decrypted plaintext or even recover the encryption key.
+
+ GCM is a block cipher mode of operation providing both
+ confidentiality and data integrity. The GCM encryption operation has
+ four inputs: a secret key, an initialization vector (IV), a
+ plaintext, and an input for additional authenticated data (AAD),
+ which is not used here. It has two outputs, a ciphertext whose
+ length is identical to the plaintext, and an authentication tag, also
+ known as the integrity check value (ICV).
+
+ For consistency with the description in [RFC5084], we refer to the
+ GCM IV as a nonce. The same key and nonce combination MUST NOT be
+ used more than once. The nonce has the following layout:
+
+ +----------------+----------------+----------------+----------------+
+ | salt |
+ +----------------+----------------+----------------+----------------+
+ | |
+ | initialization vector |
+ | |
+ +----------------+----------------+----------------+----------------+
+
+ Figure 6: Nonce Format for PCB-RSA-AES128-PAYLOAD-PIB-PCB
+
+ The salt field is a four-octet value, usually chosen at random. It
+ MUST be the same for all PCBs that have the same correlator value.
+ The salt need not be kept secret.
+
+ The initialization vector (IV) is an eight-octet value, usually
+ chosen at random. It MUST be different for all PCBs that have the
+ same correlator value. The value need not be kept secret.
+
+ The key (bundle encryption key, BEK) is a 16-octet (128 bits) value,
+ usually chosen at random. The value MUST be kept secret, as
+ described below.
+
+ The integrity check value is a 16-octet value used to verify that the
+ protected data has not been altered. The value need not be kept
+ secret.
+
+ This ciphersuite requires the use of a single PCB instance to deal
+ with payload confidentiality. If the bundle already contains PIBs or
+ PCBs, then the ciphersuite will create additional correlated blocks
+ to protect these PIBs and PCBs. These "additional" blocks replace
+ the original blocks on a one-to-one basis, so the number of blocks
+
+
+
+Symington, et al. Experimental [Page 45]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ remains unchanged. All of these related blocks MUST have the same
+ correlator value. The term "first PCB" in this section refers to the
+ single PCB if there is only one or, if there are several, then to the
+ one containing the key-information. This MUST be the first of the
+ set.
+
+ First PCB - the first PCB MAY contain a correlator value, and MAY
+ specify security-source and/or security-destination in the EID-list.
+ If not specified, the bundle-source and bundle-destination,
+ respectively, are used for these values, as with other ciphersuites.
+ The block MUST contain security-parameters and security-result
+ fields. Each field MAY contain several items formatted as described
+ in Section 2.6.
+
+ Security-parameters
+
+ key-information
+
+ salt
+
+ IV (this instance applies only to payload)
+
+ fragment offset and length, if bundle is a fragment
+
+ Security-result
+
+ ICV
+
+ Subsequent PCBs MUST contain a correlator value to link them to the
+ first PCB. Security-source and security-destination are implied from
+ the first PCB; however, see the discussion in Section 2.4 concerning
+ EID-list entries. They MUST contain security-parameters and
+ security-result fields as follows:
+
+ Security-parameters
+
+ IV for this specific block
+
+ Security-result
+
+ encapsulated block
+
+ The security-parameters and security-result fields in the subsequent
+ PCBs MUST NOT contain any items other than these two. Items such as
+ key and salt are supplied in the first PCB and MUST NOT be repeated.
+
+
+
+
+
+
+Symington, et al. Experimental [Page 46]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Implementations MUST support use of "enveloped-data" type as defined
+ in [RFC5652], Section 6, with RecipientInfo type
+ KeyTransRecipientInfo containing the issuer and serial number of a
+ suitable certificate. They MAY support additional RecipientInfo
+ types. The "encryptedContent" field in EncryptedContentInfo contains
+ the encrypted BEK that protects the payload and certain security
+ blocks of the bundle.
+
+ The Integrity Check Value from the AES-GCM encryption of the payload
+ is placed in the security-result field of the first PCB.
+
+ If the bundle being encrypted is a fragment-bundle, we have to
+ specify which bytes are encrypted in case the bundle is subsequently
+ fragmented again. If the bundle is a fragment, the ciphersuite-
+ parameters MUST include a fragment-range field, as described in
+ Section 2.6, specifying the offset and length of the encrypted
+ fragment. Note that this is not the same pair of fields that appear
+ in the primary block as "offset and length". The "length" in this
+ case is the length of the fragment, not the original length. If the
+ bundle is not a fragment, then this field MUST be omitted.
+
+ The confidentiality processing for payload and other blocks is
+ different, mainly because the payload might be fragmented later at
+ some other node.
+
+ For the payload, only the bytes of the bundle payload field are
+ affected, being replaced by ciphertext. The salt, IV, and key values
+ specified in the first PCB are used to encrypt the payload, and the
+ resultant authentication tag (ICV) is placed in an ICV item in the
+ security-result field of that first PCB. The other bytes of the
+ payload block, such as type, flags, and length, are not modified.
+
+ For each PIB or PCB to be protected, the entire original block is
+ encapsulated in a "replacing" PCB. This replacing PCB is placed in
+ the outgoing bundle in the same position as the original block, PIB
+ or PCB. As mentioned above, this is one-to-one replacement, and
+ there is no consolidation of blocks or mixing of data in any way.
+
+ The encryption process uses AES-GCM with the salt and key values from
+ the first PCB, and an IV unique to this PCB. The process creates
+ ciphertext for the entire original block and an authentication tag
+ for validation at the security-destination. For this encapsulation
+ process, unlike the processing of the bundle payload, the
+ authentication tag is appended to the ciphertext for the block, and
+ the combination is stored into the encapsulated block item in the
+ security-result.
+
+
+
+
+
+Symington, et al. Experimental [Page 47]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ The replacing block, of course, also has the same correlator value as
+ the first PCB with which it is associated. It also contains the
+ block-specific IV in security-parameters, and the combination of
+ original-block-ciphertext and authentication tag, stored as an
+ encapsulated block item in the security-result.
+
+ If the payload was fragmented after encryption, then all those
+ fragments MUST be present and reassembled before decryption. This
+ process might be repeated several times at different destinations if
+ multiple fragmentation actions have occurred.
+
+ The size of the GCM counter field limits the payload size to 2^39 -
+ 256 bytes, about half a terabyte. A future revision of this
+ specification will address the issue of handling payloads in excess
+ of this size.
+
+4.4. ESB-RSA-AES128-EXT
+
+ The ESB-RSA-AES128-EXT ciphersuite has ciphersuite ID value 0x004.
+
+ This scheme encrypts non-payload-related blocks. It MUST NOT be used
+ to encrypt PIBs, PCBs, or primary or payload blocks. The key size
+ for this ciphersuite is 128 bits.
+
+ Encryption is done using the AES algorithm in Galois/Counter Mode
+ (GCM) as described in [RFC5084]. Note: parts of the following
+ description are borrowed from [RFC4106].
+
+ GCM is a block cipher mode of operation providing both
+ confidentiality and data origin authentication. The GCM
+ authenticated encryption operation has four inputs: a secret key, an
+ initialization vector (IV), a plaintext, and an input for additional
+ authenticated data (AAD), which is not used here. It has two
+ outputs, a ciphertext whose length is identical to the plaintext, and
+ an authentication tag, also known as the Integrity Check Value (ICV).
+
+ For consistency with the description in [RFC5084], we refer to the
+ GCM IV as a nonce. The same key and nonce combination MUST NOT be
+ used more than once. The nonce has the following layout:
+
+
+
+
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 48]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ +----------------+----------------+---------------------------------+
+ | salt |
+ +----------------+----------------+---------------------------------+
+ | |
+ | initialization vector |
+ | |
+ +----------------+----------------+---------------------------------+
+
+ Figure 7: Nonce Format for ESB-RSA-AES128-EXT
+
+ The salt field is a four-octet value, usually chosen at random. It
+ MUST be the same for all ESBs that have the same correlator value.
+ The salt need not be kept secret.
+
+ The initialization vector (IV) is an eight-octet value, usually
+ chosen at random. It MUST be different for all ESBs that have the
+ same correlator value. The value need not be kept secret.
+
+ The data encryption key is a 16-octet (128 bits) value, usually
+ chosen at random. The value MUST be kept secret, as described below.
+
+ The integrity check value is a 16-octet value used to verify that the
+ protected data has not been altered. The value need not be kept
+ secret.
+
+ This ciphersuite replaces each BP extension block to be protected
+ with a "replacing" ESB, and each can be individually specified.
+
+ If a number of related BP extension blocks are to be protected, they
+ can be grouped as a correlated set and protected using a single key.
+ These blocks replace the original blocks on a one-to-one basis, so
+ the number of blocks remains unchanged. All these related blocks
+ MUST have the same correlator value. The term "first ESB" in this
+ section refers to the single ESB if there is only one or, if there
+ are several, then to the one containing the key or key-identifier.
+ This MUST be the first of the set. If the blocks are individually
+ specified, then there is no correlated set and each block is its own
+ "first ESB".
+
+ First ESB - the first ESB MAY contain a correlator value, and MAY
+ specify security-source and/or security-destination in the EID-list.
+ If not specified, the bundle-source and bundle-destination,
+ respectively, are used for these values, as with other ciphersuites.
+ The block MUST contain security-parameters and security-result
+ fields. Each field MAY contain several items formatted as described
+ in Section 2.6.
+
+
+
+
+
+Symington, et al. Experimental [Page 49]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Security-parameters
+
+ key-information
+
+ salt
+
+ IV for this specific block
+
+ block type of encapsulated block (OPTIONAL)
+
+ Security-result
+
+ encapsulated block
+
+ Subsequent ESBs MUST contain a correlator value to link them to the
+ first ESB. Security-source and security-destination are implied from
+ the first ESB; however, see the discussion in Section 2.4 concerning
+ EID-list entries. Subsequent ESBs MUST contain security-parameters
+ and security-result fields as follows:
+
+ Security-parameters
+
+ IV for this specific block
+
+ block type of encapsulated block (OPTIONAL)
+
+ Security-result
+
+ encapsulated block
+
+ The security-parameters and security-result fields in the subsequent
+ ESBs MUST NOT contain any items other than those listed. Items such
+ as key-information and salt are supplied in the first ESB and MUST
+ NOT be repeated.
+
+ Implementations MUST support the use of "enveloped-data" type as
+ defined in [RFC5652], Section 6, with RecipientInfo type
+ KeyTransRecipientInfo containing the issuer and serial number of a
+ suitable certificate. They MAY support additional RecipientInfo
+ types. The "encryptedContent" field in EncryptedContentInfo contains
+ the encrypted BEK used to encrypt the content of the block being
+ protected.
+
+ For each block to be protected, the entire original block is
+ encapsulated in a "replacing" ESB. This replacing ESB is placed in
+ the outgoing bundle in the same position as the original block. As
+ mentioned above, this is one-to-one replacement, and there is no
+ consolidation of blocks or mixing of data in any way.
+
+
+
+Symington, et al. Experimental [Page 50]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ The encryption process uses AES-GCM with the salt and key values from
+ the first ESB and an IV unique to this ESB. The process creates
+ ciphertext for the entire original block, and an authentication tag
+ for validation at the security-destination. The authentication tag
+ is appended to the ciphertext for the block and the combination is
+ stored into the encapsulated block item in security-result.
+
+ The replacing block, of course, also has the same correlator value as
+ the first ESB with which it is associated. It also contains the
+ block-specific IV in security-parameters, and the combination of
+ original-block-ciphertext and authentication tag, stored as an
+ encapsulated block item in security-result.
+
+5. Key Management
+
+ Key management in delay-tolerant networks is recognized as a
+ difficult topic and is one that this specification does not attempt
+ to solve. However, solely in order to support implementation and
+ testing, implementations SHOULD support:
+
+ o The use of well-known RSA public keys for all ciphersuites.
+
+ o Long-term pre-shared-symmetric keys for the BAB-HMAC ciphersuite.
+
+ Since endpoint IDs are URIs and URIs can be placed in X.509 [RFC5280]
+ public key certificates (in the subjectAltName extension),
+ implementations SHOULD support this way of distributing public keys.
+ RFC 5280 does not insist that implementations include revocation
+ checking. In the context of a DTN, it is reasonably likely that some
+ nodes would not be able to use revocation checking services (either
+ Certificate Revocation Lists (CRLs) or the Online Certificate Status
+ Protocol (OCSP)) and deployments SHOULD take this into account when
+ planning any public key infrastructure to support this specification.
+
+6. Default Security Policy
+
+ Every node serves as a Policy Enforcement Point insofar as it
+ enforces some policy that controls the forwarding and delivery of
+ bundles via one or more convergence layer protocol implementation.
+ Consequently, every node SHALL have and operate according to its own
+ configurable security policy, whether the policy be explicit or
+ default. The policy SHALL specify:
+
+ Under what conditions received bundles SHALL be forwarded.
+
+ Under what conditions received bundles SHALL be required to
+ include valid BABs.
+
+
+
+
+Symington, et al. Experimental [Page 51]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Under what conditions the authentication information provided in a
+ bundle's BAB SHALL be deemed adequate to authenticate the bundle.
+
+ Under what conditions received bundles SHALL be required to have
+ valid PIBs and/or PCBs.
+
+ Under what conditions the authentication information provided in a
+ bundle's PIB SHALL be deemed adequate to authenticate the bundle.
+
+ Under what conditions a BAB SHALL be added to a received bundle
+ before that bundle is forwarded.
+
+ Under what conditions a PIB SHALL be added to a received bundle
+ before that bundle is forwarded.
+
+ Under what conditions a PCB SHALL be added to a received bundle
+ before that bundle is forwarded.
+
+ Under what conditions an ESB SHALL be applied to one or more
+ blocks in a received bundle before that bundle is forwarded.
+
+ The actions that SHALL be taken in the event that a received
+ bundle does not meet the receiving node's security policy
+ criteria.
+
+ This specification does not address how security policies get
+ distributed to nodes. It only REQUIRES that nodes have and enforce
+ security policies.
+
+ If no security policy is specified at a given node, or if a security
+ policy is only partially specified, that node's default policy
+ regarding unspecified criteria SHALL consist of the following:
+
+ Bundles that are not well-formed do not meet the security policy
+ criteria.
+
+ The mandatory ciphersuites MUST be used.
+
+ All bundles received MUST have a BAB that MUST be verified to
+ contain a valid security-result. If the bundle does not have a
+ BAB, then the bundle MUST be discarded and processed no further; a
+ bundle status report indicating the authentication failure MAY be
+ generated.
+
+ No received bundles SHALL be required to have a PIB; if a received
+ bundle does have a PIB, however, the PIB can be ignored unless the
+ receiving node is the PIB-destination, in which case the PIB MUST
+ be verified.
+
+
+
+Symington, et al. Experimental [Page 52]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ No received bundles SHALL be required to have a PCB; if a received
+ bundle does have a PCB, however, the PCB can be ignored unless the
+ receiving node is the PCB-destination, in which case the PCB MUST
+ be processed. If processing a PCB yields a PIB, that PIB SHALL be
+ processed by the node according to the node's security policy.
+
+ A PIB SHALL NOT be added to a bundle before sourcing or forwarding
+ it.
+
+ A PCB SHALL NOT be added to a bundle before sourcing or forwarding
+ it.
+
+ A BAB MUST always be added to a bundle before that bundle is
+ forwarded.
+
+ If a destination node receives a bundle that has a PIB-destination
+ but the value in that PIB-destination is not the EID of the
+ destination node, the bundle SHALL be delivered at that
+ destination node.
+
+ If a destination node receives a bundle that has an ESB-
+ destination but the value in that ESB-destination is not the EID
+ of the destination node, the bundle SHALL be delivered at that
+ destination node.
+
+ If a received bundle does not satisfy the node's security policy
+ for any reason, then the bundle MUST be discarded and processed no
+ further; in this case, a bundle deletion status report (see the
+ Bundle Protocol Specification [DTNBP]) indicating the failure MAY
+ be generated.
+
+7. Security Considerations
+
+ The Bundle Security Protocol builds upon much work of others, in
+ particular, "Cryptographic Message Syntax (CMS)" [RFC5652] and
+ "Internet X.509 Public Key Infrastructure Certificate and Certificate
+ Revocation List (CRL) Profile" [RFC5280]. The security
+ considerations in these two documents apply here as well.
+
+ Several documents specifically consider the use of Galois/Counter
+ Mode (GCM) and of AES and are important to consider when building
+ ciphersuites. These are "The Use of Galois/Counter Mode (GCM) in
+ IPsec Encapsulating Security Payload (ESP)" [RFC4106] and "Using AES-
+ CCM and AES-GCM Authenticated Encryption in the Cryptographic Message
+ Syntax (CMS)" [RFC5084]. Although the BSP is not identical, many of
+ the security issues considered in these documents also apply here.
+
+
+
+
+
+Symington, et al. Experimental [Page 53]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Certain applications of DTN need to both sign and encrypt a message,
+ and there are security issues to consider with this.
+
+ If the intent is to provide an assurance that a message did, in fact,
+ come from a specific source and has not been changed, then it should
+ be signed first and then encrypted. A signature on an encrypted
+ message does not establish any relationship between the signer and
+ the original plaintext message.
+
+ On the other hand, if the intent is to reduce the threat of denial-
+ of-service attacks, then signing the encrypted message is
+ appropriate. A message that fails the signature check will not be
+ processed through the computationally intensive decryption pass. A
+ more extensive discussion of these points is in S/MIME 3.2 Message
+ Specification [RFC5751], especially in Section 3.6.
+
+ Additional details relating to these combinations can be found in
+ Section 2.8 where it is RECOMMENDED that the encrypt-then-sign
+ combination is usually appropriate for usage in a DTN.
+
+ In a DTN, encrypt-then-sign potentially allows intermediate nodes to
+ verify a signature (over the ciphertext) and thereby apply policy to
+ manage possibly scarce storage or other resources at intermediate
+ nodes in the path the bundle takes from source to destination EID.
+
+ An encrypt-then-sign scheme does not further expose identity in most
+ cases since the BP mandates that the source EID (which is commonly
+ expected to be the security-source) is already exposed in the primary
+ block of the bundle. Should exposure of either the source EID or the
+ signerInfo be considered an interesting vulnerability, then some form
+ of bundle-in-bundle encapsulation would be required as a mitigation.
+
+ If a BAB ciphersuite uses digital signatures but doesn't include the
+ security-destination (which for a BAB is the next host), then this
+ allows the bundle to be sent to some node other than the intended
+ adjacent node. Because the BAB will still authenticate, the
+ receiving node might erroneously accept and forward the bundle. When
+ asymmetric BAB ciphersuites are used, the security-destination field
+ SHOULD therefore be included in the BAB.
+
+ If a bundle's PIB-destination is not the same as its destination,
+ then some node other than the destination (the node identified as the
+ PIB-destination) is expected to validate the PIB security-result
+ while the bundle is en route. However, if for some reason the PIB is
+ not validated, there is no way for the destination to become aware of
+ this. Typically, a PIB-destination will remove the PIB from the
+ bundle after verifying the PIB and before forwarding it. However, if
+ there is a possibility that the PIB will also be verified at a
+
+
+
+Symington, et al. Experimental [Page 54]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ downstream node, the PIB-destination will leave the PIB in the
+ bundle. Therefore, if a destination receives a bundle with a PIB
+ that has a PIB-destination (which isn't the destination), this might,
+ but does not necessarily, indicate a possible problem.
+
+ If a bundle is fragmented after being forwarded by its PIB-source but
+ before being received by its PIB-destination, the payload in the
+ bundle MUST be reassembled before validating the PIB security-result
+ in order for the security-result to validate correctly. Therefore,
+ if the PIB-destination is not capable of performing payload
+ reassembly, its utility as a PIB-destination will be limited to
+ validating only those bundles that have not been fragmented since
+ being forwarded from the PIB-source. Similarly, if a bundle is
+ fragmented after being forwarded by its PIB-source but before being
+ received by its PIB-destination, all fragments MUST be received at
+ that PIB-destination in order for the bundle payload to be able to be
+ reassembled. If not all fragments are received at the PIB-
+ destination node, the bundle will not be able to be authenticated,
+ and will therefore never be forwarded by this PIB-destination node.
+
+ Specification of a security-destination other than the bundle-
+ destination creates a routing requirement that the bundle somehow be
+ directed to the security-destination node on its way to the final
+ destination. This requirement is presently private to the
+ ciphersuite, since routing nodes are not required to implement
+ security processing.
+
+ If a security target were to generate reports in the event that some
+ security validation step fails, then that might leak information
+ about the internal structure or policies of the DTN containing the
+ security target. This is sometimes considered bad security practice,
+ so it SHOULD only be done with care.
+
+8. Conformance
+
+ As indicated above, this document describes both BSP and
+ ciphersuites. A conformant implementation MUST implement both BSP
+ support and the four ciphersuites described in Section 4. It MAY
+ also support other ciphersuites.
+
+ Implementations that support BSP but not all four mandatory
+ ciphersuites MUST claim only "restricted compliance" with this
+ specification, even if they provide other ciphersuites.
+
+ All implementations are strongly RECOMMENDED to provide at least a
+ BAB ciphersuite. A relay node, for example, might not deal with end-
+ to-end confidentiality and data integrity, but it SHOULD exclude
+ unauthorized traffic and perform hop-by-hop bundle verification.
+
+
+
+Symington, et al. Experimental [Page 55]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+9. IANA Considerations
+
+ This protocol has fields that have been registered by IANA.
+
+9.1. Bundle Block Types
+
+ This specification allocates four codepoints from the existing
+ "Bundle Block Types" registry defined in [RFC6255].
+
+ Additional Entries for the Bundle Block-Type Codes Registry:
+ +-------+--------------------------------------+----------------+
+ | Value | Description | Reference |
+ +-------+--------------------------------------+----------------+
+ | 2 | Bundle Authentication Block | This document |
+ | 3 | Payload Integrity Block | This document |
+ | 4 | Payload Confidentiality Block | This document |
+ | 9 | Extension Security Block | This document |
+ +-------+--------------------------------------+----------------+
+
+9.2. Ciphersuite Numbers
+
+ This protocol has a ciphersuite number field and certain ciphersuites
+ are defined. An IANA registry has been set up as follows.
+
+ The registration policy for this registry is: Specification Required
+
+ The Value range is: Variable Length
+
+ Ciphersuite Numbers Registry:
+ +-------+--------------------------------------+----------------+
+ | Value | Description | Reference |
+ +-------+--------------------------------------+----------------+
+ | 0 | unassigned | This document |
+ | 1 | BAB-HMAC | This document |
+ | 2 | PIB-RSA-SHA256 | This document |
+ | 3 | PCB-RSA-AES128-PAYLOAD-PIB-PCB | This document |
+ | 4 | ESB-RSA-AES128-EXT | This document |
+ | >4 | Reserved | This document |
+ +-------+--------------------------------------+----------------+
+
+9.3. Ciphersuite Flags
+
+ This protocol has a ciphersuite flags field and certain flags are
+ defined. An IANA registry has been set up as follows.
+
+ The registration policy for this registry is: Specification Required
+
+ The Value range is: Variable Length
+
+
+
+Symington, et al. Experimental [Page 56]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ Ciphersuite Flags Registry:
+ +-----------------+----------------------------+----------------+
+ | Bit Position | Description | Reference |
+ | (right to left) | | |
+ +-----------------+----------------------------+----------------+
+ | 0 | Block contains result | This document |
+ | 1 | Block contains correlator | This document |
+ | 2 | Block contains parameters | This document |
+ | 3 | Destination EIDref present | This document |
+ | 4 | Source EIDref present | This document |
+ | >4 | Reserved | This document |
+ +-----------------+----------------------------+----------------+
+
+9.4. Parameters and Results
+
+ This protocol has fields for ciphersuite-parameters and results. The
+ field is a type-length-value triple and a registry is required for
+ the "type" sub-field. The values for "type" apply to both the
+ ciphersuite-parameters and the ciphersuite results fields. Certain
+ values are defined. An IANA registry has been set up as follows.
+
+ The registration policy for this registry is: Specification Required
+
+ The Value range is: 8-bit unsigned integer
+
+ Ciphersuite-Parameters and Results Type Registry:
+ +---------+------------------------------------+----------------+
+ | Value | Description | Reference |
+ +---------+------------------------------------+----------------+
+ | 0 | reserved | This document |
+ | 1 | initialization vector (IV) | This document |
+ | 2 | reserved | This document |
+ | 3 | key-information | This document |
+ | 4 | fragment-range (pair of SDNVs) | This document |
+ | 5 | integrity signature | This document |
+ | 6 | unassigned | This document |
+ | 7 | salt | This document |
+ | 8 | PCB integrity check value (ICV) | This document |
+ | 9 | reserved | This document |
+ | 10 | encapsulated block | This document |
+ | 11 | block type of encapsulated block | This document |
+ | 12-191 | reserved | This document |
+ | 192-250 | private use | This document |
+ | 251-255 | reserved | This document |
+ +-------+--------------------------------------+----------------+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 57]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+10. References
+
+10.1. Normative References
+
+ [DTNBP] Scott, K. and S. Burleigh, "Bundle Protocol
+ Specification", RFC 5050, November 2007.
+
+ [DTNMD] Symington, S., "Delay-Tolerant Networking Metadata
+ Extension Block", RFC 6258, May 2011.
+
+ [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
+ Hashing for Message Authentication", RFC 2104,
+ February 1997.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional
+ Algorithms and Identifiers for RSA Cryptography for use in
+ the Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile", RFC 4055,
+ June 2005.
+
+ [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
+ (GCM) in IPsec Encapsulating Security Payload (ESP)",
+ RFC 4106, June 2005.
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation List
+ (CRL) Profile", RFC 5280, May 2008.
+
+ [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
+ RFC 5652, September 2009.
+
+ [RFC6255] Blanchet, M., "Delay-Tolerant Networking (DTN) Bundle
+ Protocol IANA Registries", RFC 6255, May 2011.
+
+10.2. Informative References
+
+ [DTNarch] Cerf, V., Burleigh, S., Hooke, A., Torgerson, L., Durst,
+ R., Scott, K., Fall, K., and H. Weiss, "Delay-Tolerant
+ Networking Architecture", RFC 4838, April 2007.
+
+ [PHIB] Symington, S., "Delay-Tolerant Networking Previous-Hop
+ Insertion Block", RFC 6259, May 2011.
+
+
+
+
+
+Symington, et al. Experimental [Page 58]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+ [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+ Resource Identifier (URI): Generic Syntax", STD 66,
+ RFC 3986, January 2005.
+
+ [RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated
+ Encryption in the Cryptographic Message Syntax (CMS)",
+ RFC 5084, November 2007.
+
+ [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
+ Mail Extensions (S/MIME) Version 3.2 Message
+ Specification", RFC 5751, January 2010.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 59]
+
+RFC 6257 Bundle Security Protocol May 2011
+
+
+Authors' Addresses
+
+ Susan Flynn Symington
+ The MITRE Corporation
+ 7515 Colshire Drive
+ McLean, VA 22102
+ US
+
+ Phone: +1 (703) 983-7209
+ EMail: susan@mitre.org
+ URI: http://mitre.org/
+
+
+ Stephen Farrell
+ Trinity College Dublin
+ Distributed Systems Group
+ Department of Computer Science
+ Trinity College
+ Dublin 2
+ Ireland
+
+ Phone: +353-1-896-2354
+ EMail: stephen.farrell@cs.tcd.ie
+
+
+ Howard Weiss
+ SPARTA, Inc.
+ 7110 Samuel Morse Drive
+ Columbia, MD 21046
+ US
+
+ Phone: +1-443-430-8089
+ EMail: howard.weiss@sparta.com
+
+
+ Peter Lovell
+ SPARTA, Inc.
+ 7110 Samuel Morse Drive
+ Columbia, MD 21046
+ US
+
+ Phone: +1-443-430-8052
+ EMail: dtnbsp@gmail.com
+
+
+
+
+
+
+
+
+Symington, et al. Experimental [Page 60]
+