DTN Security Best Practices

Versions: 00                                                            
Delay-Tolerant Networking                                     E. Birrane
Internet-Draft                  Johns Hopkins Applied Physics Laboratory
Intended status: Experimental                          December 29, 2015
Expires: July 1, 2016

                      DTN Security Best Practices


   This document describes best practices associated with achieving a
   variety of security use cases with the set of DTN-related standards.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 1, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Birrane                   Expires July 1, 2016                  [Page 1]

Internet-Draft                    SECP                     December 2015

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.2.  Motivation for Application-Layer Security . . . . . . . .   2
     1.3.  Scope of Security Information . . . . . . . . . . . . . .   3
     1.4.  Classes of Security Information . . . . . . . . . . . . .   4
     1.5.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   2.  Protocol Overview . . . . . . . . . . . . . . . . . . . . . .   6
     2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   6
     2.2.  Bundle Protocol Review  . . . . . . . . . . . . . . . . .   6
     2.3.  Bundle Protocol Security (BPSEC)  . . . . . . . . . . . .   6
     2.4.  Bundle-in-Bundle Encapsulation  . . . . . . . . . . . . .   7
   3.  Policy Considerations . . . . . . . . . . . . . . . . . . . .   8
   4.  Best Practices  . . . . . . . . . . . . . . . . . . . . . . .   9
     4.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   9
     4.2.  Bundle Source End-to-End Block Security . . . . . . . . .   9
     4.3.  Waypoint Block Security . . . . . . . . . . . . . . . . .  10
     4.4.  Security Destinations . . . . . . . . . . . . . . . . . .  10
     4.5.  Cascading Operations  . . . . . . . . . . . . . . . . . .  11
     4.6.  Hop by Hop Authentication . . . . . . . . . . . . . . . .  13
     4.7.  Path Verification . . . . . . . . . . . . . . . . . . . .  14
     4.8.  Parallel Authenticators/Decrypters  . . . . . . . . . . .  15
     4.9.  Primary Block Integrity . . . . . . . . . . . . . . . . .  16
     4.10. Primary Block Privacy . . . . . . . . . . . . . . . . . .  16
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  17
   6.  Informative References  . . . . . . . . . . . . . . . . . . .  17
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  17

1.  Introduction

1.1.  Overview

   This document outlines the motivation for an end-to-end, application
   layer security capability as the collaborative effect of individual
   capabilities.  Such a mix-and-match model of applying services allows
   for the more effective securing of a diverse set of disparate
   challenged internetworking scenarios.

   In the context of this document, security refers to providing for the
   end-to-end integrity and confidentiality of application data.

1.2.  Motivation for Application-Layer Security

   Path diversity in a packetized, wireless internetwork increases
   resiliency to loss of individual links.  However, packetization and
   multi-path, multi-hop communication severs the relationship between
   user data and a communications link; it is no longer sufficient to

Birrane                   Expires July 1, 2016                  [Page 2]

Internet-Draft                    SECP                     December 2015

   tightly control a single communication link to provide security for
   data exchange.  The packets that comprise user data, by definition,
   may traverse multiple links as they traverse the network and
   accumulate at some user destination.

   Securing link layers is not a sufficient mechanism for securing end-
   to-end data for two reasons, as follows.

   Impractical Coordination of Multiple Links:
        Every link and enclave participating in the message path must
        coordinate to ensure that a particular data exchange retains all
        necessary security services.  This is intractable when thousands
        of packets representing a single set of user data flow over
        multiple links and through multiple enclaves.

   Shared Security Access Over Shared Links:
        Different users of an internetwork may require different
        security considerations.  Since the concept of resource sharing
        drives the adoption of internetworking, multiple missions will
        want to use individual links to amortize the cost of resilient
        communications.  If security is restricted to links only, then
        every user sharing the link must use the same security services
        of the link.  In such a scenario, there is no mechanism to
        finely tune per-user security settings.

1.3.  Scope of Security Information

   At least three scopes of security exist in a packetized internetwork:
   Link, Enclave, and End-to-End. These are based, loosely and
   conceptually, on the Unix file permission concept of "User", "Group",
   and "Other".

Birrane                   Expires July 1, 2016                  [Page 3]

Internet-Draft                    SECP                     December 2015

   | Layer      | Responsibilities                                     |
   | Link       | - point-to-point data exchange protected from data   |
   |            | corruption.                                          |
   |            |                                                      |
   |            | - link-specific security mechanisms at both the      |
   |            | physical and data layers.                            |
   |            |                                                      |
   |            | - Ensures transmissions over the link are            |
   |            | authenticated and preserve the integrity and         |
   |            | confidentiality of the message.                      |
   |            |                                                      |
   |            |                                                      |
   |            |                                                      |
   | Enclave    | - Bound administrative and/or technical domains.     |
   |            |                                                      |
   |            | - Abstract link details when links within one        |
   |            | enclave behave differently than links in another.    |
   |            |                                                      |
   |            |                                                      |
   |            |                                                      |
   | End-to-End | - Ensure that application data is secured regardless |
   |            | of links or enclaves.                                |
   |            |                                                      |
   |            | - Remove assumptions based on a particular path of a |
   |            | packet in the network or other underlying security   |
   |            | mechanisms.                                          |

                          Logical Security Scopes

1.4.  Classes of Security Information

   Three types of security-related information are considered by this
   document: Security-Related Protocols, Node Security Policy, and
   Cipher Suite Support.

   Security-Related Protocols:
        Protocols identify the data models, model encodings, and control
        information associated with the communication and application of
        the data model across a network.

   Node Security Policy:
        Security policy describes how individual nodes within a network
        populate the data models associated with the protocols providing
        data security.  It is possible for multiple nodes in an
        internetwork to implement identical protocols but to use

Birrane                   Expires July 1, 2016                  [Page 4]

Internet-Draft                    SECP                     December 2015

        different features of those protocols based on local or group
        policy.  This policy may be derived from data directly or
        indirectly related to security and, therefore, policy drivers
        must be considered separately from security protocols.

   Cipher Suite Support:
        Separate from protocol features and the policy that determines
        what features to apply when, cipher suites generate the data
        that is carried by security protocols.  Since multiple cipher
        suites can be used to generate the data used to populate the
        data model of security-related protocols, cipher suite support
        must be considered separately from protocols.

1.5.  Scope

   This document addresses how to achieve a series of application-layer,
   end-to-end security functions via combinations of protocols,
   policies, and cipher suites.  This document does not provide the full
   specification for any single protocol, policy, or cipher suite.

   Specifically, this specification provides ways to achieve the
   following kinds of behavior in an internetwork supporting certain
   protocols and implementing certain policies and cipher suites.

   Decoupled Routing and Security.
        Original transmitters and forwarders of a bundle may wish to
        apply security settings based on some envisioned end point for a
        security service.  However, it is unlikely in a general
        internetworking deployment that a node will know the exact path
        taken by a bundle through an internetwork.  This is particularly
        the case when the internetwork spans multiple enclaves with
        different administrative policies.  Therefore, security services
        must be independent of individual message paths.

   Make Common Cases Simple and Efficient.
        There exists a common set of security services that are applied
        to bundles, namely the end-to-end integrity and confidentiality
        of message payloads.  While there exist many exotic permutations
        of security services for various internetworking use cases, this
        simple and common case must remain effective and efficient so as
        to not penalize simpler networks to accommodate complex
        networks, whenever possible.

   Provide Security Services Equally.
        Messages exchanged within a DTN may have multiple security
        services applied to different parts of them.  For example,
        security services applied to message headers separately from
        secondary headers or payloads.  To the extent possible, the

Birrane                   Expires July 1, 2016                  [Page 5]

Internet-Draft                    SECP                     December 2015

        implementation of security functions should be agnostic to the
        type of data being secured.

2.  Protocol Overview

2.1.  Overview

   This section provides a brief overview of the protocols considered by
   this best practice document.  This section covers only those
   significant functional aspects necessary to inform the discussion of
   how to combine functions for security services.  Protocols covered by
   this document include the Bundle Protocol (BP) [RFC5050], Bundle
   Protocol Security (BPSec) [BPSec], and Bundle-in-Bundle Encapsulation
   (BIBE) [BIBE].

2.2.  Bundle Protocol Review

   The Bundle Protocol (BP) is a packetized, overlay, store-and-forward
   protocol proposed for the exchange of data in a variety of challenged
   internetworking scenarios.  A BP protocol data unit (PDU) is
   characterized as a series of variable-length blocks, with two special
   blocks required in the bundle and all other blocks optional.  The two
   required blocks are the primary block (which acts as a message
   header) and the payload block, which is a standard payload area.
   Additional blocks, called extension blocks and conceptually similar
   to secondary headers, may also be added to the bundle.  Extension
   blocks may be added at any time, and by any node, as the bundle
   traverses the internetwork.  Bundles are addressed using End Point
   Identifiers (EIDs), which identify an overlay destination (endpoint)
   in the internetwork.  The mapping between EIDs and nodes in the
   network is many-to-many, so a node may be associated with several
   EIDs, and one EID may be associated with multiple nodes to form a
   multi-cast address.

2.3.  Bundle Protocol Security (BPSEC)

   The security standard currently proposed for BP and DTN is the Bundle
   Protocol Security (BPSEC).  BPSec defines security services captured
   in extension blocks that may be applied to discrete portions of a
   bundle.  BPSec, as a protocol, operates at the "Group" and "World"
   layer, without reliance on link security mechanisms.  Policy
   decisions on how BPSec services should or should not be applied to a
   bundle may or may not choose to consider link layer mechanisms.

   BPSec provides two extension blocks that capture integrity and
   confidentiality services for other blocks within a bundle, as

Birrane                   Expires July 1, 2016                  [Page 6]

Internet-Draft                    SECP                     December 2015

   Block Integrity Blocks (BIB):
        BIBs provide an integrity signature over some other block in the
        bundle, such that a chance to the contents of the protected
        "target" block would be detected by comparing the signature
        captured in the BIB with a signature directly computed from the
        contents of the target block.

   Block Confidentiality Blocks (BCB):
        BCBs provide a confidentiality mechanism over some other block
        in the bundle.  A BCB captured annotative information as to how
        a protected, "target" block has been encrypted and the content
        of the target block is re-written with ciphertext.

   Note, BPSec does not specify the cipher suites used to populate the
   BIB and BCB blocks.  The selection of cipher suites and keys to
   generate necessary data is a matter of policy.

2.4.  Bundle-in-Bundle Encapsulation

   Typically, the payload of a bundle contains some user or application
   data (or a fragmented portion of such data).  The BIBE protocol
   provides a mechanism by which one bundle can be set as the payload of
   another bundle.  This introduces the terminology of encapsulated and
   encapsulating bundles, as follows.

   Encapsulated Bundle:
        An encapsulated bundle is a bundle that is serialized, in whole,
        as the payload of some other bundle.  Once encapsulated, the
        bundle is indistinguishable from a block of application payload
        on the wire and is not treated as a bundle until it is extracted
        at the destination if its encapsulating bundle.  At the
        encapsulating bundle destination, the encapsulated bundle is
        extracted and passed to the destination as if it had been
        delivered there directly.

   Encapsulating Bundle:
        An encapsulating bundle is a bundle which has, as its payload,
        an encapsulated bundle.  Any extension blocks or policy
        decisions made regarding this encapsulating bundle are separate
        from the encapsulated bundle.  The encapsulated bundle is
        treated solely as a payload until the encapsulating bundle
        reaches its destination, at which point the encapsulating bundle
        is discarded and the encapsulated bundle is reconstituted and
        given to the node for processing.

   The BIBE mechanism is used to create tunnels with the BP
   specification and is a useful way to maintain a separation between
   security and routing while allowing some way to introduce required

Birrane                   Expires July 1, 2016                  [Page 7]

Internet-Draft                    SECP                     December 2015

   security waypoints in a path.  Namely, while it is not possible, in
   the general case, to tell a single bundle to traverse multiple
   specific nodes from end to end, it is possible to establish multiple
   tunnels for the bundle to pass through using the BIBE mechanism.

3.  Policy Considerations

   Policies and configurations must be documented separately from both
   implementing protocols and best practices.  Since the primary value
   of sharing policy and configuration information is to ensure the
   interoperability of multiple security services this information
   should be standardized whenever possible.  Security policy documents
   should identify what security services are required in given network
   deployments and what actions should be taken when messages do not
   adhere to these expectations.

   The following policy scenarios are strongly recommended for
   consideration in any such documentation relating to standards for DTN

   Less Security Than Required:
        When the network requires a certain level of security, such as
        encrypted payloads or authenticated message exchange and a
        message is received without this information, the network must
        handle this in a uniform way.  Most policies require not
        forwarding the message, but the level of logging, error
        messaging, and updates to local configurations should be
        discussed as a matter of policy.

   More Security Than Required:
        Similarly, when messages are received that contain
        authentication, integrity, or confidentiality when they should
        not, a decision must be made as to whether these services will
        be honored by the network.

   Security Evaluation In Transit:
        Some security services may be evaluated at a node, even when the
        node is not the bundle destination or a security destination.
        For example, a node may choose to validate an integrity
        signature of a bundle block.  If an integrity check fails to
        validate, the intermediate node may choose to ignore the error,
        remove the offending block, or remove the entire bundle.

        Policy must determine how security blocks are distributed
        amongst the new bundle fragments, so as to allow received
        fragments to be validated at downstream nodes

Birrane                   Expires July 1, 2016                  [Page 8]

Internet-Draft                    SECP                     December 2015

   Block and Bundle Severability:
        Distinct from fragmentation, nodes must decide whether a
        security error associated with a block implies a larger security
        error associated with the bundle.  If blocks and bundles are
        considered severable, then an offending block may be omitted
        from the bundle.  Otherwise, a bundle should be discarded
        whenever any of its constituent blocks are discarded.

4.  Best Practices

4.1.  Overview

   Complex security activities are achieved through the combination of
   multiple discrete protocols rather than the creation of tightly-
   coupled, highly-purposed protocols.  Given a set of loosely coupled,
   highly cohesive protocols, a set of best-practices can be provided to
   implement security operations.

4.2.  Bundle Source End-to-End Block Security

4.2.1.  Need

   This is the common case for block-level security services.  In this
   case, a bundle source wishes to apply integrity and/or
   confidentiality to one or more blocks in a bundle and for these
   services to persist until the bundle reaches its destination.

4.2.2.  Recommended Practice

   This is the common case supported directly by BPSec without
   modification.  In this case, each block being protected will have an
   additional security block (BIB or BCB) added to the bundle.  The BIB
   and BCB blocks will contain all necessary security information based
   on cipher suites which must be selected in accordance with some
   policy at the node.  Once the BIB and BCB blocks are added to the
   bundle, the bundle may be sent through the network and no additional
   operations are necessary until the bundle reaches the destination, at
   which point BIBs and BCBs are verified and processed in accordance
   with the BPSec specification.

4.2.3.  Additional Policy Considerations

   Transmit Rules:
        The originating node must determine, by policy and
        configuration, what services are necessary based on the
        destination of the bundle.

   Key and Cipher Suite Selection:

Birrane                   Expires July 1, 2016                  [Page 9]

Internet-Draft                    SECP                     December 2015

        The originating node must determine which keys are used to
        configure which cipher suites will populate the necessary

4.3.  Waypoint Block Security

4.3.1.  Need

   Certain network configurations may require that security services be
   added to a bundle by a waypoint node rather than the originator of
   the bundle.  A motivating example of this need is a network where a
   bundle requires only integrity services within an enclave but
   requires confidentiality before the bundle leaves the enclave to
   route over a more public network.  In such cases, a gateway node at
   the border of the enclave and the public network may add
   confidentiality services to any bundle that does not already have
   such services before allowing the bundle to leave the enclave.

4.3.2.  Recommended Practice

   This is a minor extension to the case where the bundle source adds a
   security block.  In this case, BPSec blocks (BIB and BCB) are also
   added to the bundle, but the security source of these blocks is
   listed as the waypoint node adding the block, rather than the bundle
   source node.  The processing and behavior of the block is, otherwise,

4.3.3.  Additional Policy Considerations

   The policy considerations for a waypoint adding a security service
   are the same as when a bundle source adds a security service.

4.4.  Security Destinations

4.4.1.  Need

   There may be times when a bundle is requested to go through a
   specific waypoint node en-route to its destination.  From a security
   standpoint, this is typically done to ensure that some security
   result is achieved, for example ensuring that a bundle goes through a
   specific gateway for appending extra security services.

4.4.2.  Recommended Practice

   The current recommended practice for general networks to accomplish
   security-related destinations is to use the BIBE to wrap a bundle
   into an encapsulating bundle, and then use the security destination
   as the destination of the encapsulating bundle.  In this way, the

Birrane                   Expires July 1, 2016                 [Page 10]

Internet-Draft                    SECP                     December 2015

   routing mechanism used in the network is not coupled to the security
   system, and the encapsulated bundle is not burdened with tracking
   multiple intermediate destinations.

   This is the equivalent of creating a tunnel between the current node
   and the security destination.  If, at the security destination, a
   subsequent security destination is necessary, the process may be

4.4.3.  Additional Policy Considerations

   Security Destination Identification
        To require security destinations, there must be some mechanism
        by which security destinations are identified and some other
        mechanism to associate bundles with those security destinations.

   Extension Block Handling
        Care must be taken to process, correctly, extension blocks both
        in the encapsulated bundle and the encapsulating bundle.  There
        may exist extension blocks in the encapsulated bundle that wish
        to be processed at every hop taken by the bundle, even while it
        encapsulated.  In such situations it might be possible to carry
        these blocks in the encapsulating bundle and merge them back
        into the encapsulated bundle at the security destination.  Note,
        however, there is no standard for this.

4.5.  Cascading Operations

4.5.1.  Need

   Cascading operations are security services that are applied to the
   same data multiple times, such as is the case when performing super-
   encryption.  The BPSec standard does not allow the same security
   service to be applied to the same target data multiple times (for
   example, a payload cannot be encrypted twice with two BCBs).

   There are several reasons for wanting to replace or modify security
   services found in a bundle.  Policy may require a stronger security
   service before a bundle is allowed to leave an enclave.
   Alternatively, portions of the network may be configured with
   different cipher suite support rendering in-situ integrity checking
   impossible unless a new integrity signature in a supported cipher
   suite is added.  At times, encrypting parts of an existing BCB or BIB
   to hide cipher suite details may be required.

Birrane                   Expires July 1, 2016                 [Page 11]

Internet-Draft                    SECP                     December 2015

4.5.2.  Recommended Practice

   When cascading operations are to be applied from the current node to
   the bundle destination each of these practices can be applied
   directly to the bundle.  In cases where cascading operations are only
   to be applied from the current node to someplace other than the
   bundle destination then, first, Security Destination best practices
   must be applied.

   There are three recommended ways to satisfy this need in BP networks:
   Bundle encapsulation, Block encapsulation, and custom blocks.

   Bundle Encapsulation:
        There have been many proposals relating to how to stack security
        operations amongst blocks in a bundle.  However, each of these
        results in complex situations regarding the order in which
        operations are applied and how to preserve meaning in the
        presence of fragmentation.

        This approach maintains the BPSec restriction of one security
        service per target in a single bundle and use BIBE and
        encapsulation.  In such a scheme, the existing bundle becomes
        the encapsulated bundle.  The encapsulating bundle then applies
        whatever additional security services are necessary to its
        payload, thereby applying them to the encapsulated bundle.

   Block Encapsulation
        There is, currently, no standard for block encapsulation.
        However, the target block and its associated security blocks
        may, themselves, be packed into a single new block within the
        bundle and new security services may be added to that
        encapsulating block.

   Custom Security
        A set of custom security blocks can be defined by a particular
        network that operate orthogonally from the BPSec security
        blocks.  This proves fine-grained control over security in
        specific network deployments.  This method is only practical in
        closed, highly controlled networks where custom block definition
        and processing is both technically feasible and economical.

4.5.3.  Additional Policy Considerations

   Security Service Identification:
        Nodes in the network must be able to identify appropriate
        security services and cipher suites to some understood

Birrane                   Expires July 1, 2016                 [Page 12]

Internet-Draft                    SECP                     December 2015

4.6.  Hop by Hop Authentication

4.6.1.  Need

   Hop by hop authentication ensures that a received bundle's last hop
   (i.e. most recent forwarder) matches what the bundle claims it's last
   hop to be.  Checking each hop along a path in the network is one way
   to establish a chain of trust.  More importantly, verifying the
   appropriateness of the node who sent a received bundle is a way of
   protecting networks against certain types of attacks.  Specifically,
   the internals of a network can be protected against resource-
   consuming attacks if a gateway node can detect inappropriate traffic
   and prevent its ingest into the rest of the network.

4.6.2.  Recommended Practice

   There are three recommended ways to satisfy this need in BP networks:
   Reliable link layers, integrity on ephemeral blocks, and
   canonicalized whole-bundle signatures.

   Reliable Link Layers:
        By definition, link-layer security secures the transmission
        between two points (a link) in a network.  Wherever hop-by-hop
        authentication is required, the network might simply require the
        use of a secure point-to-point link layer.  In such a case,
        there is no need for an application-layer mechanism for hop-by
        hop security.

   Ephemeral Block Integrity:
        Assuming that secure link layers are not guaranteed to be
        available, a second practice is to insert a short-lived
        (ephemeral) block into a bundle just prior to transmission that
        identifies the transmitter of the bundle, sign that block with a
        BPSec BIB, and then transmit the bundle.

        Such an ephemeral block is defined in the BP specification as a
        Prior Hop Notification (PHN) Block and can be used for this
        purpose.  Alternatively, a user may define their own block type
        which can hold any information they wish, to include a signature
        calculated over the entire bundle rather than an assertion of
        the previous bundle transmitter.

        When the bundle is received at the next hop, this ephemeral
        block can be verified to ensure that the node that signed the
        block is the same as the node referenced in the block.  At this
        point, the ephemeral block and its associated BIB are no longer
        necessary and can be either removed from the bundle or kept for
        historical accounting with the bundle.

Birrane                   Expires July 1, 2016                 [Page 13]

Internet-Draft                    SECP                     December 2015

   Canonicalized Whole-Bundle Signature:
        The signing of an ephemeral block such as the PHN does not
        provide a guarantee that the contents of the bundle remained
        unchanged across the hop. in the extreme case where the entire
        contents of the bundle must be authenticated at every hop in the
        bundle, a canonicalized form of the bundle must be generated and
        signed by the transmitting node and then check at the next hop
        of the bundle.

        The most straightforward way to achieve this is to use the BIBE
        to encapsulate the entire bundle as the payload of an
        encapsulating block, place a BIB on the encapsulating block
        payload, and then make the next hop the destination of the
        encapsulating block.

4.6.3.  Additional Policy Considerations

        By global policy or by next-hop, a transmitting node must have
        some way of determining that hop-by-hop authentication is
        necessary and that either a secure link layer, an ephemeral
        block, or some other method is needed to protect the

   Link Layer Identification:
        When using secure link layers, the BPA must have some mechanism
        of determining if the link layer selected for transmission has
        an appropriate security model.

4.7.  Path Verification

4.7.1.  Need

   A common request in a secured internetwork is to provide a signed
   listing of each node traversed by a bundle on its way from sender to

4.7.2.  Recommended Practice

   There are three recommended practices for accomplishing this task:
   Per-Hop Extension Blocks, a Signed Log, and an Encrypted Log.

   Per-Hop Extension Blocks:
        A new extension block can be added to the bundle at each node,
        and that new block can be integrity signed by BPSec.  In
        networks using the Previous Hop Notification (PHN) block, the
        PHNs can be signed and kept for each hop.

Birrane                   Expires July 1, 2016                 [Page 14]

Internet-Draft                    SECP                     December 2015

   Signed Log:
        A single extension block can be defined to act as a log book of
        visited nodes, such that each node visited by the bundle adds a
        new, signed data entry into the log.

   Encrypted Log:
        This approach works similarly to a Signed Log, except that the
        extension block is encrypted with a BCB and only those nodes in
        the network with the appropriate keys can decrypt and modify the

4.7.3.  Additional Policy Considerations


4.8.  Parallel Authenticators/Decrypters

4.8.1.  Need

   Security in the context of multicasting presents challenging
   operational concepts for how to validate a received bundle that
   carries multiple integrity signatures.  In this case, a bundle should
   validate a security service if any one of multiple security data
   items is verified.

4.8.2.  Recommended Practice

   It is recommended that a multi-case cipher suite specification be
   defined and used to generate multiple signatures (for integrity) or
   multiple ciphertexts (for confidentiality).  This approach allows
   BPSec to operate without modification, as the cipher suite
   implementation both generates and verifies security results.

   Multiple signatures would be stored directly in the BIB as part of
   cipher suite data.  Such cipher suites could verify a signature if
   any 1 signature matched, if N of M signatures matched, or if all
   signatures match, based on policy.

   Multiple encryptors could work by encrypted the plaintext multiple
   times to generate multiple ciphertexts which, in total, would replace
   the plain text in a specific block in the bundle.  Additionally, the
   bundle source or other identifying information could be encrypted
   once per key and stored as additional authenticated data.  On
   decryption, a node could determine the appropriate ciphertext to use
   by decrypting the bundle source from the additional authenticated
   data and then decrypting the ciphertext associated with that key.

Birrane                   Expires July 1, 2016                 [Page 15]

Internet-Draft                    SECP                     December 2015

4.8.3.  Additional Policy Considerations

   Key Lists:
        Each node that encrypts, decrypts, or authenticates based on a
        multi-cast cipher suite would need to keep a list of each key

4.9.  Primary Block Integrity

4.9.1.  Need

   It may be necessary to ensure that the primary block in a bundle has
   not changed since the bundle was first transmitted.

4.9.2.  Recommended Practice

   The BPSec allows the BIB to target the primary block, just as it can
   target any other block in a bundle.  As such, this capability can be
   accomplished by inserting a BIB in the bundle whose target is the
   primary block.

4.9.3.  Additional Policy Considerations


4.10.  Primary Block Privacy

4.10.1.  Need

   It may be necessary in certain cases to hide the contents of a
   primary block for portions of a bundle journey.

4.10.2.  Recommended Practice

   There are two recommended practices for accomplishing this task:
   Encapsulation and Custom Extension Blocks.

        The most straightforward way to hide portions of the primary
        block is to use BIBE to encapsulate the entire bundle.  Then,
        the encapsulating block can have whatever primary block
        information is necessary to get the bundle through the portions
        of the network where the original primary block should be
        hidden.  In this case, the encapsulated bundle should be
        encrypted with a BCB from the encapsulating block.

   Custom Extension Block

Birrane                   Expires July 1, 2016                 [Page 16]

Internet-Draft                    SECP                     December 2015

        A custom extension block may be defined to hold the contents of
        the primary block.  A temporary primary block can be constructed
        at various points in the network as part of processing the
        custom extension block.  This temporary primary block would have
        only that information necessary to get the bundle to some next
        known node.

4.10.3.  Policy Considerations

   While there is no specific policy consideration, the concept of
   performing surgery on the primary block of a bundle in transit must
   be taken with great care.

5.  IANA Considerations

   This document has no fields registered by IANA.

6.  Informative References

   [BIBE]     Burleigh, S., "Bundle-in-Bundle Encapsulation", draft-
              irtf-burleigh-bibe-00 (work in progress), March 2013.

   [BPSec]    Birrane, E., Mayer, J., and D. Iannicca, "Bundle Protocol
              Security", draft-ietf-dtn-bpsec-00 (work in progress),
              December 2015.

   [RFC5050]  Scott, K. and S. Burleigh, "Bundle Protocol
              Specification", RFC 5050, DOI 10.17487/RFC5050, November
              2007, <http://www.rfc-editor.org/info/rfc5050>.

Author's Address

   Edward J. Birrane
   Johns Hopkins Applied Physics Laboratory

   Email: Edward.Birrane@jhuapl.edu

Birrane                   Expires July 1, 2016                 [Page 17]