DTN Research Group S. Symington
Internet-Draft The MITRE Corporation
Expires: April 16, 2007 October 13, 2006
Delay-Tolerant Networking Retransmission Block
draft-symington-dtnrg-bundle-retrans-block-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 16, 2007.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document defines an optional extension block, called a
Retransmission Block, that may be used with the Bundle Protocol [2]
within the context of a Delay-Tolerant Network architecture [4]. The
Retransmission Block (RB) is designed to be inserted by a custodian
when re-forwarding a bundle, so as to mark the bundle as a legitimate
custody-based retransmission rather than an unauthorized bundle
duplicate. By providing a way for nodes that receive the re-
forwarded bundle to distinguish it from an unauthorized duplicate,
the RB enables those nodes whose local security policies do not
Symington Expires April 16, 2007 [Page 1]
�
Internet-Draft DTN Retransmission Block October 2006
permit them to forward replayed bundles to detect and delete
unauthorized bundle replays but forward authorized custody-based
bundle retransmissions. This document defines the format and
processing of this new Retransmission Block.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Background and Motivation . . . . . . . . . . . . . . . . . . 4
2.1. Replay Detection as Currently Provided in the Bundle
Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. The Denial-of-Service Threat . . . . . . . . . . . . . . . 4
2.3. Detecting Duplicates is Largely a Matter of Local
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.4. Not All Duplicates are Bad . . . . . . . . . . . . . . . . 5
2.5. A Mechanism for Distinguishing Legitimate Replays from
Illegitimate Replays is Required . . . . . . . . . . . . . 6
3. The Treatment of Replays Must Be a Defined Aspect of
Security Policy . . . . . . . . . . . . . . . . . . . . . . . 7
4. Replays versus Loops . . . . . . . . . . . . . . . . . . . . . 8
5. Ramifications of Allowing Support for the Retransmission
Block to be Optional . . . . . . . . . . . . . . . . . . . . . 10
6. Retransmission Block Format . . . . . . . . . . . . . . . . . 12
7. Retransmission Block Processing . . . . . . . . . . . . . . . 13
7.1. Bundle Reception . . . . . . . . . . . . . . . . . . . . . 13
7.2. Replay Detection and Suppression . . . . . . . . . . . . . 13
7.3. Keeping Track of Bundles Received . . . . . . . . . . . . 13
7.4. Bundle Forwarding . . . . . . . . . . . . . . . . . . . . 14
7.5. Custodial Retransmission . . . . . . . . . . . . . . . . . 14
8. Security Considerations . . . . . . . . . . . . . . . . . . . 15
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
10.1. Normative References . . . . . . . . . . . . . . . . . . . 17
10.2. Informative References . . . . . . . . . . . . . . . . . . 17
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 18
Intellectual Property and Copyright Statements . . . . . . . . . . 19
Symington Expires April 16, 2007 [Page 2]
�
Internet-Draft DTN Retransmission Block October 2006
1. Introduction
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
The DTN bundle protocol [2] defines the bundle as its protocol data
unit. A bundle consists of a primary bundle block, which is defined
in the Bundle Protocol, followed by at least one other type of bundle
block. The Bundle Protocol defines a single other type of bundle
block, called a Bundle Payload block. This document defines an
additional, optional, bundle block called a Retransmission Block.
This block is designed to be inserted by a custodian node into a
bundle that the custodian is re-forwarding in response to a custody
transfer failure. The intent of this Retransmission Block is to mark
a re-forwarded bundle as such, so that when the bundle is received at
downstream nodes that detect it to be a duplicate of a previously-
received bundle, those nodes can understand it to be a legitimate
retransmission that should be preserved rather than an unauthorized
replay that may (according to local policy) be deleted.
The capabilities described in this document are OPTIONAL for
deployment with the Bundle Protocol. Bundle Protocol implementations
claiming to support Retransmission Blocks MUST be capable of:
-Generating a Retransmission Block and inserting it into a bundle,
-Logging the relevant fields of all bundles received until those
bundles expire,
-Receiving bundles containing a Retransmission Block and using the
information contained in this Retransmission Block (in conjunction
with the information from logged bundles) to make replay
suppression decisions,
-Deleting a Retransmission Block from a bundle
as defined in this document.
Symington Expires April 16, 2007 [Page 3]
�
Internet-Draft DTN Retransmission Block October 2006
2. Background and Motivation
2.1. Replay Detection as Currently Provided in the Bundle Protocol
The Bundle Security Protocol defines an "at-most-once-delivery"
registration option that, when used by a node that is registering in
a particular endpoint, indicates that exactly one copy of each bundle
destined for that endpoint that is received at that node shall be
delivered at that node. If the at-most-once-delivery option is used
with a given endpoint ID registration, the registering node is
required to check all bundles that it receives with that destination
endpoint ID to determine if the bundle has already been delivered at
that node. If it has, the bundle must be discarded. This is a
limited form of replay detection because it requires a node to keep
track of only the bundles that have been delivered at that node; it
does not apply to bundles that the node receives for forwarding. It
is designed to protect applications from receiving duplicate bundles,
but it is not intended to protect the network from denial of service
attacks that can result from replayed bundles.
2.2. The Denial-of-Service Threat
As discussed in the DTN Security Overview [5], due to the resource-
scarcity that characterizes DTNs, unauthorized access and use of DTNs
is a serious concern. DTNs, by definition, may suffer from network
disconnections, limited bandwidth, limited battery power, and other
challenges, and the transmission of unauthorized bundles wastes
precious network resources. The DTN security protocol already
includes some mechanisms to protect against unauthorized use of the
DTN. For example, an attacker wanting to launch a denial of service
attack on a DTN by injecting a bogus bundle into the network or by
copying a legitimate bundle from the network, modifying it, and
injecting this modified copy into the network can be thwarted by the
use of the Bundle Authentication Block (BAB). Use of the BAB enables
each node that receives a bundle to check the validity of the
security result in the BAB to determine whether the bundle is
legitimate or not. Bogus or modified bundles will be detected at the
very first node at which they are received, and thus will be deleted
from the network at the earliest possible opportunity. Replayed
bundles, on the other hand, can not be detected by checking the
validity of the bundle's BAB because the value of the BAB will be
correct. Replayed bundles will only be deleted from the network when
they expire. Given the high latency typical in some DTNs, bundles
may be valid for days or weeks. For those networks in which waiting
for replayed bundles to expire is not an adequate form of protection
against the unauthorized use of the network posed by replayed
bundles, additional measures will be required to actively detect and
delete replayed bundles.
Symington Expires April 16, 2007 [Page 4]
�
Internet-Draft DTN Retransmission Block October 2006
2.3. Detecting Duplicates is Largely a Matter of Local Policy
Detecting duplicate bundles at any given node is largely a matter of
local security policy and enforcement. A node could be configured to
maintain a record of every bundle it receives, check every new bundle
received against the list of bundles that have already been received,
and delete any duplicates. A concern with this approach is the
potentially large amount of state that could accumulate and use up
storage at any given node. This state can be minimized by only
storing those parts of the bundle needed to identify it uniquely
(source EID, creation timestamp, and fragment offset-if present), and
keeping this information only until the time that the bundle expires
(creation timestamp added to lifetime). However, because bundles may
be valid for long periods in a DTN, the amount of storage that may be
required could still be substantial enough to pose a burden on the
node. If the amount of information that needs to be stored exceeds
the available storage, some duplicates could go undetected.
2.4. Not All Duplicates are Bad
Although detecting duplicates is a fairly straightforward local
matter, detecting which of these duplicates are unauthorized and
should therefore be deleted is more involved, and has protocol
implications. Simply being able to detect and delete duplicate
bundles is not sufficient in a DTN, because not all duplicate bundles
are unwanted replays. As discussed in the security overview, there
are instances within DTNs in which replayed messages are desirable
and in fact necessary. As a first example, in some instances, the
optimal path to a destination will involve routing loops, such that
the nodes on this loop will receive the same bundle for forwarding
more than once. As a second example, the DTN protocol includes a
custody-based retransmission mechanism that may result in a custodian
re-forwarding a bundle when the bundle's retransmission timer expires
or when the custodian receives a "failed" custody signal for the
bundle. These re-forwarded bundles are legitimate replays that are
required in order to enable custody transfer to operate correctly.
On the other hand, there are also illegitimate replays. Some
illegitimate replays are introduced unintentionally by the routing
protocols; these replays are not needed in order to deliver the
bundle, but rather are the result of routing or forwarding mistakes.
Other illegitimate replays are more pernicious, being introduced
intentionally by malicious intruders. Ideally, a node would be able
to distinguish illegitimate replays from legitimate ones so that it
can know which duplicate bundles to delete and which to forward.
Symington Expires April 16, 2007 [Page 5]
�
Internet-Draft DTN Retransmission Block October 2006
2.5. A Mechanism for Distinguishing Legitimate Replays from
Illegitimate Replays is Required
When routing loops or custody transfer is being used in a DTN, replay
detection cannot be handled merely as a matter of locally detecting
and deleting duplicate bundles because there is no way for a local
node to independently distinguish legitimate replays from
illegitimate replays. Instead, a protocol mechanism is required to
assist the local duplicate suppression mechanism in making this
distinction.
As discussed in the DTN Security Overview, to accommodate intentional
replays that are part of the routing protocol but suppress replays
that are the result of routing protocol errors, replay detection
schemes may need to be specified and enforced as part of the bundle
routing algorithm used.
If the security requirements of a network are such that replays must
not be allowed, then that network must either not use a routing
protocol that allows routing loops or, if it does use a routing
protocol that allows loops, this routing protocol must also include a
mechanism for detecting and suppressing unintentional routing loops.
The details of such a mechanism would most likely be specific to the
routing protocol and as such they are not addressed in this document.
In addition, if the security requirements of a network are such that
replays must not be allowed, then that network must either not use
custody transfer of bundles or, if it does use custody transfer of
bundles, it must also include a mechanism for detecting and
suppressing duplicate bundles that are not the result of custodial
retransmissions. This paper defines the DTN Retransmission Block as
an optional Bundle Protocol block that can be used to mark bundles
that are the result of custodial retransmission, thereby enabling
these bundles to be distinguished from both unintentional replays and
replays that are the result of intentional, malicious attacks.
Symington Expires April 16, 2007 [Page 6]
�
Internet-Draft DTN Retransmission Block October 2006
3. The Treatment of Replays Must Be a Defined Aspect of Security Policy
An additional component of a DTN node's security policy should be
whether or not replays are allowed to be forwarded by that node. If
replay forwarding is not allowed, the node must implement mechanisms
to detect and delete replays. In the context of a node that does not
implement the optional Retransmission Block defined in this document
but at which replay forwarding is not allowed, all duplicate bundles
must be deleted, where duplicate bundles are defined as bundles that
have the same source EID, time stamp, and fragment offset (if
present). In the context of a node that does implement the optional
protocol extensions defined in this document, unauthorized replays
can be distinguished from legitimate replays such that only
unauthorized replays must be deleted. The processing steps with
regard to replay protection at an arbitrary node are defined as
follows:
If replays are allowed, then no additional requirements are levied
on that node.
If replays are not allowed and if the node supports the optional
Retransmission Block defined in this document, then the node MUST
delete all duplicate bundles that it receives that can not be
legitimate custodial retransmissions. A received duplicate bundle
can not be a legitimate custodial retransmission if it:
-Has the same custodian EID as the previously-received
duplicate, but it does not also have a Retransmission Block
that was inserted by that custodian, or
-Has the same custodian and Retransmission Block as the
previously-received duplicate.
If replays are not allowed and if the node does not support the
optional Retransmission Block defined in this document, then the
node MUST delete all duplicate bundles that it receives (at the
risk of also deleting all legitimate custodial retransmissions
that it receives).
Symington Expires April 16, 2007 [Page 7]
�
Internet-Draft DTN Retransmission Block October 2006
4. Replays versus Loops
The procedures for deleting all duplicate bundles that can not be
legitimate custodial retransmissions above will result in the
deletion of not only replays, but also of bundles that loop through
the network multiple times. If the looping is unintentional, due to
routing or forwarding errors, deletion of these bundles is desirable.
If the looping is intentional, however, then the deletion of a bundle
in such a loop is not desirable. For example, if a custodial node,
C, needs to free up disk space by temporarily transferring custody
and storage of a bundle to some sort of "auxiliary storage" node that
is not on the path to the bundle's destination until the path to the
destination becomes connected, then the path from the custodian C to
the auxiliary storage node and back would constitute an intentional
routing loop. In order to free up its storage space when sending the
bundle to auxiliary storage, custody of the bundle would be
transferred from node C to the auxiliary storage node. When the
bundle is sent back to node C from auxiliary storage, the auxiliary
storage node would be listed as the bundle's custodian. According to
the procedures for deleting duplicate bundles that can not be
legitimate custodial retransmissions described earlier in Section 3,
this bundle would not be deleted by node C because it does not have
the same custodian as it had when it was initially received by node
C. If for some reason this storing of the bundle at the auxiliary
storage node has to be performed a second time, however, then the
procedures above will not suffice to spare this bundle from deletion.
If node C receives the bundle from auxiliary storage and forwards it
back to auxiliary storage without taking custody of it, auxiliary
storage will delete this copy of the bundle, but it will still be
custodian of the bundle and will still have it in storage. This case
is not a problem. If, on the other hand, node C receives the bundle
from auxiliary storage and takes custody of the bundle before
forwarding it back to auxiliary storage, the auxiliary storage node
will delete this bundle (but the auxiliary storage node will not
still be custodian of the bundle and will not still have the bundle
in storage) because the auxiliary storage node has already received
this bundle with node C listed as its custodian and this bundle does
not contain a retransmission block because node C did not forward it
as a custodial retransmission.
There are several possible approaches that may be taken to address
this problem by attempting to process bundles that are in "desirable"
loops and discard bundles that are in "undesirable" loops, while
staying within the procedures defined above for deleting duplicate
bundles that can not be legitimate custodial retransmissions. For
example, custodial nodes that make use of auxiliary storage nodes
might be configured to accept duplicate bundles received from
Symington Expires April 16, 2007 [Page 8]
�
Internet-Draft DTN Retransmission Block October 2006
auxiliary storage nodes, and vice versa. Alternatively, a special
block might be defined to mark a bundle that a custodial node is
sending to an auxiliary storage node for storage and custody
transfer. As long as a bundle is marked such that it is intended for
auxiliary storage, it could be accepted and stored at the auxiliary
storage node, even if it is a duplicate of a previously-received
bundle. If the auxiliary storage node treats all subsequent
forwardings of a bundle after the first forwarding as though the
forwarding were the result of a custodial retransmission by inserting
a Retransmission Block into the bundle, bundles could be circulated
between custodians and their auxiliary storage nodes multiple times
without being summarily deleted. Using these solution approaches,
there would be no limit to the number of times a bundle could be
offloaded to auxiliary storage, if needed. A risk of implementing
these approaches, however, is that bundles that unintentionally loop
between a custodian and its auxiliary storage node may not be
discarded. Furthermore, these approaches assume that all intentional
loops can be known a priori, so that nodes can be configured to
accept duplicate bundles looping through them or that at least one
node in the loop can be configured to insert Retransmission Blocks
into the looping bundles to protect them from being discarded. These
approaches do not necessarily work for loops that arise
opportunistically, being unplanned but useful, unless there is a
mechanism within the loop for retransmission blocks to be inserted
into the looping bundle as appropriate.
Symington Expires April 16, 2007 [Page 9]
�
Internet-Draft DTN Retransmission Block October 2006
5. Ramifications of Allowing Support for the Retransmission Block to be
Optional
The objective of the DTN Retransmission Block is to make custodially-
retransmitted bundles distinguishable from unintentional and
malicious replays. Because support for the Retransmission Block is
optional, it may not be supported by all nodes in the DTN. Failure
to support the Retransmission Block at one or more nodes in the DTN
may result in the erroneous deletion of bundles that are legitimate
retransmissions because:
A node that does not support the Retransmission Block but that is
configured to suppress replays will delete all duplicate bundles,
whether or not they include Retransmission Blocks that mark them
as being legitimate retransmissions.
A custodial node that does not support the Retransmission Block
but that legitimately retransmits a bundle will not include a
Retransmission Block to mark the bundle as a legitimate
retransmission, so that when the bundle is received at a
downstream node that is configured to suppress replays, the bundle
will be deleted by that downstream node (even if that downstream
node supports the Retransmission Block).
A DTN cannot completely support both replay suppression and custodial
retransmission if some of its nodes do not support the Retransmission
Block. If all unintentional replays must be suppressed and custodial
retransmission must be supported, all nodes in the network must
support the Retransmission Block. If one or more nodes does not
support the Retransmission Block, then if these nodes are configured
to suppress replays, they will delete custodial retransmissions that
they receive and issue custodial retransmissions that are vulnerable
to being deleted downstream; if they are configured to forward
replays, then they will forward all replays, both intentional and
malicious ones.
Nodes that do not support the Retransmission Block cannot create,
recognize, or process a Retransmission Block. If the Retransmission
Block Processing Flags indicate that a bundle must be deleted if the
Retransmission Block cannot be processed, then all nodes that do not
support the Retransmission Block will delete all custodial
retransmissions, even if these nodes are not configured to suppress
replays. If the Retransmission Block Processing Flags indicate that
the Retransmission Block must be deleted if it cannot be processed,
then all nodes that do not support the Retransmission Block will
strip the Retransmission Block out of every custodial retransmission
that they forward, leaving these custodial retransmissions vulnerable
to downstream deletion by nodes that suppress replays (even if those
Symington Expires April 16, 2007 [Page 10]
�
Internet-Draft DTN Retransmission Block October 2006
downstream nodes support the Retransmission Block).
If not all nodes in the DTN support the Retransmission Block, then to
preserve support for custodial retransmission while maximizing replay
suppression, the security policies of the nodes and the Block
Processing Flags in the Retransmission Block should be configured as
follows:
-The "Discard bundle if block can't be processed" Block Processing
Flag SHOULD NOT be set,
-The "Discard block if it can't be processed" Block Processing
Flag SHOULD NOT be set,
-Nodes that support the Retransmission Block should be configured
to delete all replays that can not be custodial retransmissions,
-Nodes that do not support the Retransmission Block should be
configured to forward duplicates (so that they don't inadvertently
delete custodial retransmissions), and
-Nodes that do not support the Retransmission Block should be
configured not to take custody of bundles (to ensure that
custodial retransmissions will always include Retransmission
Blocks).
The above configuration ensures that custodial retransmissions will
not be erroneously deleted, and that all illegitimate replays that
are received at nodes that support the Retransmission Block will be
deleted. Only replays that are received at nodes that do not support
the Retransmission Block will be forwarded and allowed to remain in
the network. If these are forwarded to a node that supports the
Retransmission Block, however, they will be deleted at that node.
Therefore, a network configured in this way is vulnerable to a
denial-of-service attack only from replayed bundles that circulate
exclusively among nodes that do not support the Retransmission Block.
Symington Expires April 16, 2007 [Page 11]
�
Internet-Draft DTN Retransmission Block October 2006
6. Retransmission Block Format
The Retransmission Block (RB) is a new block that MAY be included in
a bundle. A RB uses the Canonical Bundle Block Format as defined in
the Bundle Protocol [2]. That is, it is comprised of the following
elements:
-Block-type code (one byte) - defined as in all bundle protocol
blocks except the primary bundle block (as described in the Bundle
Protocol). The block type code for the Retransmission Block is
0x07.
-Block processing control flags (one byte) - defined as in all
bundle protocol blocks except the primary bundle block (as
described in the Bundle Protocol). The following block processing
control flag MUST NOT be set:
-Block must be replicated in every fragment
-Block data length (SDNV) - defined as in all bundle protocol
blocks except the primary bundle block. SDNV encoding is
described in the Bundle Protocol.
-Block-type-specific data fields as follows:
- EID Scheme Offset of retransmitting custodian - a 16-bit
unsigned integer; its value is the offset within the dictionary
byte array of the first character of the scheme name of the EID
of the retransmitting custodian that inserted this block.
-EID SSP Offset of retransmitting custodian - a 16-bit unsigned
integer; its value is the offset within the dictionary byte
array of the first character of the scheme-specific part of the
EID of the retransmitting custodian that inserted this block.
- Retransmission sequence number (one byte) - An unsigned
integer indicating the number of times this bundle has been
retransmitted by this custodian.
The structure of a Retransmission Block is as follows:
Retransmission Block Format:
+-----+------+-------+-------------+------+----------------+
|Type |Flags |Length |EID Scheme |EID SSP | Retransmission |
| | | | offset | offset | Sequence Num. |
+-----+------+-------+-------------+------+----------------+
Figure 1
Symington Expires April 16, 2007 [Page 12]
�
Internet-Draft DTN Retransmission Block October 2006
7. Retransmission Block Processing
The following are the processing steps that a bundle node must take
relative to generation, reception, and processing of Retransmission
Blocks.
7.1. Bundle Reception
According to the Bundle Protocol, if a node receives a bundle that it
currently has in custody as custodian, that node will send a "Failed"
custody signal for this bundle to the bundle's listed current
custodian, but receipt of this duplicate bundle will not cause the
bundle to be either delivered at that node or forwarded to another
node.
Upon receipt of a bundle that the node does not currently have in
custody, the node SHALL delete the bundle's Retransmission Block if
the endpoint ID referred to by the EID Scheme and EID SSP offsets in
the Retransmission Block is not the same as the endpoint ID referred
to by the Custodian scheme and Custodian SSP offsets in the Primary
Bundle Block. The node SHALL also delete all strings (scheme names
and scheme-specific parts-SSPs) in the bundle's dictionary to which
no endpoint ID references in the bundle currently refer (if any).
7.2. Replay Detection and Suppression
If a node's security policy indicates that replays are not allowed
and if a bundle is received such that the bundle's source EID,
timestamp, and fragment offset (if it has one) are identical to those
in a bundle that the node had previously received, then
-If the received bundle does not include a Retransmission Block
and its custodian EID is the same as it was in a previously-
received duplicate bundle, the bundle MUST be deleted.
-If the received bundle does include a Retransmission Block and
all the values in it are the same as all the values in the
Retransmission Block of the previously-received, duplicate bundle,
the bundle MUST be deleted.
7.3. Keeping Track of Bundles Received
If replays are not allowed at this node, and if a bundle will not be
deleted as a replay, the source EID, timestamp, fragment offset (if
any), custodian EID (if the bundle does not include a Retransmission
Block) and Retransmission Block (if any) of the received bundle MUST
be stored at this node for comparison with future received bundles.
Symington Expires April 16, 2007 [Page 13]
�
Internet-Draft DTN Retransmission Block October 2006
7.4. Bundle Forwarding
As part of the custody acceptance procedures, the accepting node MUST
delete the bundle's Retransmission Block (if it has one).
7.5. Custodial Retransmission
Upon deciding to re-forward a bundle as a result of custody transfer
failure, the re-forwarding custodian MUST:
- insert a Retransmission Block into the bundle if the bundle does
not already include one, or
- increment the retransmission sequence number in the
Retransmission Block if the bundle does already include one
In either case, the EID Scheme offset and the EID SSP offset in the
Retransmission Block must refer to the EID of the re-forwarding
custodian as it appears in the bundle.
If a custodian decides to re-forward only a fragment of a bundle that
it had previously forwarded, the re-forwarded fragment will not be a
duplicate of any bundle that had previously been transmitted by this
custodian. Therefore, the re-forwarded fragment SHALL NOT include a
Retransmission Block.
Symington Expires April 16, 2007 [Page 14]
�
Internet-Draft DTN Retransmission Block October 2006
8. Security Considerations
Each node's local security policy will determine whether replays will
be detected and suppressed at that node or whether replays will be
forwarded indiscriminately. When deciding upon a node's security
policy, it is worth noting that in most networks, the Bundle
Authentication Block (BAB) must be used in conjunction with replay
detection and suppression. It does not make sense to detect and
suppress replayed bundles without first authenticating that those
bundles have not been modified. Without use of the BAB to
authenticate that a bundle has been forwarded in tact, a network is
vulnerable to denial of service attacks launched merely by the
injection of any spurious bundles into the network or the
modification of any authentic bundles. There seems little value in
protecting against denial-of-service attacks resulting from replayed
bundles if denial-of-service attacks resulting from such modified or
spurious bundles will be permitted. Therefore, in determining the
security policy of a node, it will usually be the case that nodes
that do not allow replays must also require received bundles to
include BABs.
Because the RB may be inserted at any custodian in the network and
deleted at any subsequent custodian, its integrity can't be protected
by an end-to-end Payload Security Block (PSB) [3]. Its integrity
must be protected by the BAB. If the integrity of the RB is not
protected by the BAB, then a malicious intruder could modify the RB
to inject many illegitimately replayed bundles, yet give the RB
values such that these bundles appear to be legitimate
retransmissions. As currently defined, protection for the RB will be
included when using the mandatory BAH-HMAC ciphersuite defined in the
Bundle Security Protocol, given that this ciphersuite uses the strict
canonicalisation algorithm.
If a node is compromised, this BAB doesn't help to protect against
replays, but then the network has a lot more vulnerabilities than
just a vulnerability to replays. If a node is compromised, any
bundle could be created and injected into the network. The RB
mechanism is no more vulnerable to misuse by a compromised node than
are any of the other security mechanisms.
Symington Expires April 16, 2007 [Page 15]
�
Internet-Draft DTN Retransmission Block October 2006
9. IANA Considerations
None at this time. If the bundle protocol becomes a standards track
protocol, then we may want to consider having IANA establish a
register of block types, of which the Retransmission Block would be
one.
Symington Expires April 16, 2007 [Page 16]
�
Internet-Draft DTN Retransmission Block October 2006
10. References
10.1. Normative References
[1] Bradner, S. and J. Reynolds, "Key words for use in RFCs to
Indicate Requirement Levels", RFC 2119, October 1997.
[2] Scott, K. and S. Burleigh, "Bundle Protocol Specification",
draft-irtf-dtnrg-bundle-spec-05.txt, work-in-progress,
April 2006.
[3] Symington, S., Farrell, S., and H. Weiss, "Bundle Security
Protocol Specification",
draft-irtf-dtnrg-bundle-security-01.txt, work-in-progress,
March 2006.
10.2. Informative References
[4] Cerf, V., Burleigh, S., Hooke, A., Torgerson, L., Durst, R.,
Scott, K., Fall, K., and H. Weiss, "Delay-Tolerant Network
Architecture", draft-irtf-dtnrg-arch-05.txt, work-in-progress,
March 2006.
[5] Farrell, S., Symington, S., and H. Weiss, "Delay-Tolerant
Network Security Overview",
draft-irtf-dtnrg-sec-overview-01.txt, work-in-progress,
March 2006.
Symington Expires April 16, 2007 [Page 17]
�
Internet-Draft DTN Retransmission Block October 2006
Author's Address
Susan Flynn Symington
The MITRE Corporation
7515 Colshire Drive
McLean, VA 22102
US
Phone: +1 (703) 983-7209
Email: susan@mitre.org
URI: http://mitre.org/
Symington Expires April 16, 2007 [Page 18]
�
Internet-Draft DTN Retransmission Block October 2006
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Symington Expires April 16, 2007 [Page 19]
�