Delay-Tolerant Networking                                     E. Birrane
Internet-Draft                                               E. DiPietro
Intended status: Experimental                                   D. Linko
Expires: September 12, 2019     Johns Hopkins Applied Physics Laboratory
                                                          March 11, 2019

                 ION Security Application Data Model
                   draft-birrane-dtn-adm-ionsec-01

Abstract

   This document describes the Application Data Model (ADM) for ION
   Security in compliance with the template provided by
   [I-D.birrane-dtn-adm].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
       1.1.  Technical Notes
       1.2.  Scope
       1.3.  Requirements Language
   2.  Structure and Design of this ADM
   3.  Naming and Identification
       3.1.  Namespace and Nicknames
   4.  IONSEC ADM JSON Encoding
   5.  IANA Considerations
   6.  References
       6.1.  Informative References
       6.2.  Normative References
   Authors' Addresses

1.  Introduction

   An Application Data Model (ADM) provides a guaranteed interface for
   the management of an application or protocol in accordance with the
   Asynchronous Management Architecture (AMA) defined in
   [I-D.birrane-dtn-ama].  The ADM described in this document complies
   with the ADM Template provided in [I-D.birrane-dtn-adm] as encoded
   using the JSON syntax.

   The IONSEC Admin ADM provides the set of information necessary to
   configure and manage the ION security policy database on the local
   computer that is running ION.  This information includes both
   authentication from Licklider Transmission Protocol (LTP) and Bundle
   Protocol Security (BPSEC).

1.1.  Technical Notes

   o  This document describes Version 0.0 of the IONSEC Admin ADM.

   o  The AMM Resource Identifier (ARI) for this ADM is NOT correctly
      set.  A sample ARI is used in this version of the specification
      and MAY change in future versions of this ADM until an ARI
      registry is established.  This notice will be removed at that
      time.

   o  Agent applications MAY choose to ignore the name, description, or
      other annotative information associated with the component
      definitions within this ADM where such items are only used to
      provide human-readable information or are otherwise not necessary
      to manage a device.
1.2.  Scope

   This ADM specifies those components of the Asynchronous Management
   Model (AMM) common to the management of any instance of an ION node.

   Any Manager software implementing this ADM MUST perform the
   responsibilities of an AMA Manager as outlined in
   [I-D.birrane-dtn-adm] as they relate to the objects included in this
   document.

   Any Agent software implementing this ADM MUST perform the
   responsibilities of an AMA Agent as outlined in [I-D.birrane-dtn-adm]
   as they relate to the objects included in this document.

1.3.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Structure and Design of this ADM

   The IONSEC Admin ADM's structure is in accordance with
   [I-D.birrane-dtn-adm].  This ADM contains metadata, table templates,
   and controls.  Table Templates are column templates that will be
   followed by any instance of this table available in the network.
   They may not be created dynamically within the network by Managers.
   Controls are predefined and sometimes parameterized opcodes that can
   be run on an Agent.  Controls are preconfigured in Agents and
   Managers as part of ADM support.  There are no variables, report
   templates, macros, EDDs, constants, or operators in this ADM at this
   time.  The contents of this ADM are derived from the main functions
   and data that are needed to configure the security policy database on
   the local computer that is running ION, and include both Bundle
   Protocol Security and Licklider Transmission Protocol Authentication.

   All ADMs have metadata that includes the name, namespace, and version
   of the ADM as well as the name of the organization that is issuing
   that particular ADM.
   This is important for identifying ADMs and for ensuring version
   control.

   The controls that were chosen to be expressed in this document are
   related to adding, deleting, and modifying security keys.  The
   controls also deal with LTP segment authentication and LTP segment
   signing rules.  The table templates expressed in this document show
   all of the keys and rules that are in the security policy database.

3.  Naming and Identification

   This section outlines the namespaces used to uniquely identify ADM
   objects in this specification.

3.1.  Namespace and Nicknames

   In accordance with [I-D.birrane-dtn-adm], every ADM is assigned a
   moderated Namespace.  In accordance with [I-D.birrane-dtn-amp], these
   namespaces may be enumerated for compactness.  The namespace and ADM
   identification for these objects is defined as follows.

                +-----------------+---------------------+
                | Identifier      | Value               |
                +-----------------+---------------------+
                | Namespace       | DTN/ION/ionsecadmin |
                |                 |                     |
                | ADM Enumeration | 8                   |
                +-----------------+---------------------+

                       Table 1: Namespace Information

   Given the above ADM enumeration, in accordance with
   [I-D.birrane-dtn-amp], the following AMP nicknames are defined.

              +----------+------------------------------+
              | Nickname | Collection                   |
              +----------+------------------------------+
              | 160      | DTN/ION/ionsecadmin/Const    |
              |          |                              |
              | 161      | DTN/ION/ionsecadmin/Ctrl     |
              |          |                              |
              | 162      | DTN/ION/ionsecadmin/Edd      |
              |          |                              |
              | 163      | DTN/ION/ionsecadmin/Mac      |
              |          |                              |
              | 164      | DTN/ION/ionsecadmin/Oper     |
              |          |                              |
              | 165      | DTN/ION/ionsecadmin/Rptt     |
              |          |                              |
              | 167      | DTN/ION/ionsecadmin/Tblt     |
              |          |                              |
              | 169      | DTN/ION/ionsecadmin/Var      |
              |          |                              |
              | 170      | DTN/ION/ionsecadmin/Mdat     |
              |          |                              |
              | 171-179  | DTN/ION/ionsecadmin/Reserved |
              +----------+------------------------------+

                      Table 2: IONSEC ADM Nicknames

4.  IONSEC ADM JSON Encoding

   The following is the JSON encoding of the IONSEC Admin ADM:

   {
     "Mdat": [
       {
         "name": "name",
         "type": "STR",
         "value": "ionsec_admin",
         "description": "The human-readable name of the ADM."
       },
       {
         "name": "namespace",
         "type": "STR",
         "value": "DTN/ION/ionsecadmin",
         "description": "The namespace of the ADM."
       },
       {
         "name": "version",
         "type": "STR",
         "value": "v0.0",
         "description": "The version of the ADM."
       },
       {
         "name": "organization",
         "type": "STR",
         "value": "JHUAPL",
         "description": "The name of the issuing organization of the ADM."
       }
     ],

     "Tblt": [
       {
         "name": "ltp_rx_rules",
         "columns": [
           {"type": "UINT", "name": "ltp_engine_id"},
           {"type": "UINT", "name": "ciphersuite_nbr"},
           {"type": "STR", "name": "key_name"}
         ],
         "description": "This table lists all LTP segment authentication rules in the security policy database."
       },
       {
         "name": "ltp_tx_rules",
         "columns": [
           {"type": "UINT", "name": "ltp_engine_id"},
           {"type": "UINT", "name": "ciphersuite_nbr"},
           {"type": "STR", "name": "key_name"}
         ],
         "description": "This table lists all LTP segment signing rules in the security policy database."
       }
     ],

     "Ctrl": [
       {
         "name": "key_add",
         "parmspec": [
           {"type": "STR", "name": "key_name"},
           {"type": "BYTESTR", "name": "key_value"}
         ],
         "description": "This control adds a named key value to the security policy database. The content of file_name is taken as the value of the key. Named keys can be referenced by other elements of the security policy database."
       },
       {
         "name": "key_change",
         "parmspec": [
           {"type": "STR", "name": "key_name"},
           {"type": "BYTESTR", "name": "key_value"}
         ],
         "description": "This control changes the value of the named key, obtaining the new key value from the content of file_name."
       },
       {
         "name": "key_del",
         "parmspec": [
           {"type": "STR", "name": "key_name"}
         ],
         "description": "This control deletes the key identified by name."
       },
       {
         "name": "ltp_rx_rule_add",
         "parmspec": [
           {"type": "UINT", "name": "ltp_engine_id"},
           {"type": "UINT", "name": "ciphersuite_nbr"},
           {"type": "STR", "name": "key_name"}
         ],
         "description": "This control adds a rule specifying the manner in which LTP segment authentication will be applied to LTP segments received from the indicated LTP engine. A segment from the indicated LTP engine will only be deemed authentic if it contains an authentication extension computed via the ciphersuite identified by ciphersuite_nbr using the applicable key value. If ciphersuite_nbr is 255 then the applicable key value is a hard-coded constant and key_name must be omitted; otherwise key_name is required and the applicable key value is the current value of the key named key_name in the local security policy database. Valid values of ciphersuite_nbr are: 0: HMAC-SHA1-80, 1: RSA-SHA256, 255: NULL"
       },
       {
         "name": "ltp_rx_rule_change",
         "parmspec": [
           {"type": "UINT", "name": "ltp_engine_id"},
           {"type": "UINT", "name": "ciphersuite_nbr"},
           {"type": "STR", "name": "key_name"}
         ],
         "description": "This control changes the parameters of the LTP segment authentication rule for the indicated LTP engine."
       },
       {
         "name": "ltp_rx_rule_del",
         "parmspec": [
           {"type": "UINT", "name": "ltp_engine_id"}
         ],
         "description": "This control deletes the LTP segment authentication rule for the indicated LTP engine."
       },
       {
         "name": "ltp_tx_rule_add",
         "parmspec": [
           {"type": "UINT", "name": "ltp_engine_id"},
           {"type": "UINT", "name": "ciphersuite_nbr"},
           {"type": "STR", "name": "key_name"}
         ],
         "description": "This control adds a rule specifying the manner in which LTP segments transmitted to the indicated LTP engine must be signed. Signing a segment destined for the indicated LTP engine entails computing an authentication extension via the ciphersuite identified by ciphersuite_nbr using the applicable key value. If ciphersuite_nbr is 255 then the applicable key value is a hard-coded constant and key_name must be omitted; otherwise key_name is required and the applicable key value is the current value of the key named key_name in the local security policy database. Valid values of ciphersuite_nbr are: 0: HMAC-SHA1-80, 1: RSA-SHA256, 255: NULL"
       },
       {
         "name": "ltp_tx_rule_change",
         "parmspec": [
           {"type": "UINT", "name": "ltp_engine_id"},
           {"type": "UINT", "name": "ciphersuite_nbr"},
           {"type": "STR", "name": "key_name"}
         ],
         "description": "This control changes the parameters of the LTP segment signing rule for the indicated LTP engine."
       },
       {
         "name": "ltp_tx_rule_del",
         "parmspec": [
           {"type": "UINT", "name": "ltp_engine_id"}
         ],
         "description": "This control deletes the LTP segment signing rule for the indicated LTP engine."
       },
       {
         "name": "list_keys",
         "description": "This control lists the names of keys available in the key policy database."
       },
       {
         "name": "list_ltp_rx_rules",
         "description": "This control lists all LTP segment authentication rules in the security policy database."
       },
       {
         "name": "list_ltp_tx_rules",
         "description": "This control lists all LTP segment signing rules in the security policy database."
       }
     ]
   }

5.  IANA Considerations

   At this time, this protocol has no fields registered by IANA.

6.  References

6.1.  Informative References

   [I-D.birrane-dtn-ama]
              Birrane, E., "Asynchronous Management Architecture",
              draft-birrane-dtn-ama-07 (work in progress), June 2018.

6.2.  Normative References

   [I-D.birrane-dtn-adm]
              Birrane, E., DiPietro, E., and D. Linko, "AMA Application
              Data Model", draft-birrane-dtn-adm-02 (work in progress),
              June 2018.

   [I-D.birrane-dtn-amp]
              Birrane, E., "Asynchronous Management Protocol",
              draft-birrane-dtn-amp-04 (work in progress), June 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

Authors' Addresses

   Edward J. Birrane
   Johns Hopkins Applied Physics Laboratory

   Email: Edward.Birrane@jhuapl.edu


   Evana DiPietro
   Johns Hopkins Applied Physics Laboratory

   Email: Evana.DiPietro@jhuapl.edu


   David Linko
   Johns Hopkins Applied Physics Laboratory

   Email: David.Linko@jhuapl.edu
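The ltp_rx_rule_add and ltp_tx_rule_add controls in Section 4 carry a constraint that the parmspec alone cannot express: ciphersuite_nbr must be 0, 1 or 255, key_name must be omitted for 255 and is required otherwise. The following Python is an added example, not code from the draft or from ION; it transcribes that parmspec and checks an invocation against those rules before it would be sent to an Agent. The check that a referenced key exists in the local database is this example's assumption, not a requirement stated by the ADM.

```python
import json

# Transcribed from the draft's "Ctrl" entries (identical for rx and tx rules).
LTP_RULE_PARMSPEC = json.loads("""[
  {"type": "UINT", "name": "ltp_engine_id"},
  {"type": "UINT", "name": "ciphersuite_nbr"},
  {"type": "STR",  "name": "key_name"}
]""")

# Valid ciphersuite_nbr values as listed in the control descriptions.
VALID_CIPHERSUITES = {0: "HMAC-SHA1-80", 1: "RSA-SHA256", 255: "NULL"}
NULL_CIPHERSUITE = 255  # hard-coded key; key_name must be omitted


def _type_ok(amm_type, value):
    """Minimal AMM type check for the three types used in this ADM."""
    if amm_type == "UINT":
        return isinstance(value, int) and not isinstance(value, bool) and 0 <= value < 2**32
    if amm_type == "STR":
        return isinstance(value, str)
    if amm_type == "BYTESTR":
        return isinstance(value, (bytes, bytearray))
    return False


def validate_ltp_rule(parms, known_keys):
    """Return a list of problems with an ltp_*_rule_add invocation.

    parms maps parameter name to value; known_keys is the set of key names
    currently in the local security policy database (assumed available to
    the caller, e.g. via the list_keys control). An empty list means OK."""
    problems = []
    names = {spec["name"] for spec in LTP_RULE_PARMSPEC}
    for spec in LTP_RULE_PARMSPEC:
        if spec["name"] in parms and not _type_ok(spec["type"], parms[spec["name"]]):
            problems.append(f"{spec['name']}: expected {spec['type']}")
    if set(parms) - names:
        problems.append(f"unexpected parameters: {sorted(set(parms) - names)}")
    for required in ("ltp_engine_id", "ciphersuite_nbr"):
        if required not in parms:
            problems.append(f"{required} is required")
    cs = parms.get("ciphersuite_nbr")
    if cs is not None and cs not in VALID_CIPHERSUITES:
        problems.append(f"ciphersuite_nbr {cs} not one of {sorted(VALID_CIPHERSUITES)}")
    elif cs == NULL_CIPHERSUITE and "key_name" in parms:
        problems.append("key_name must be omitted when ciphersuite_nbr is 255")
    elif cs in (0, 1):
        key = parms.get("key_name")
        if key is None:
            problems.append("key_name is required for ciphersuite 0 or 1")
        elif key not in known_keys:  # example's own check, not mandated by the ADM
            problems.append(f"key_name {key!r} is not in the security policy database")
    return problems
```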