Delay-Tolerant Networking                                      E. Birrane
Internet-Draft                                                E. DiPietro
Intended status: Experimental                                    D. Linko
Expires: January 3, 2019          Johns Hopkins Applied Physics Laboratory
                                                             July 2, 2018


                 ION Security Application Data Model
                    draft-birrane-dtn-adm-ionsec-00

Abstract

   This document describes the Application Data Model (ADM) for ION
   Security in compliance with the template provided by
   [I-D.birrane-dtn-adm].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 3, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Technical Notes
     1.2.  Scope
     1.3.  Requirements Language
   2.  Structure and Design of this ADM
   3.  Naming and Identification
     3.1.  Namespace and Nicknames
   4.  IONSEC ADM JSON Encoding
   5.  IANA Considerations
   6.  References
     6.1.  Informative References
     6.2.  Normative References
   Authors' Addresses

1.  Introduction

   An Application Data Model (ADM) provides a guaranteed interface for
   the management of an application or protocol in accordance with the
   Asynchronous Management Architecture (AMA) defined in
   [I-D.birrane-dtn-ama].  The ADM described in this document complies
   with the ADM Template provided in [I-D.birrane-dtn-adm] as encoded
   using the JSON syntax.

   The IONSEC Admin ADM provides the set of information necessary to
   configure and manage the ION security policy database on the local
   computer that is running ION.  This information covers both
   Licklider Transmission Protocol (LTP) authentication and Bundle
   Protocol Security (BPSEC).

1.1.  Technical Notes

   o  This document describes Version 0.0 of the IONSEC Admin ADM.

   o  The AMM Resource Identifier (ARI) for this ADM is NOT correctly
      set.  A sample ARI is used in this version of the specification
      and MAY change in future versions of this ADM until an ARI
      registry is established.  This notice will be removed at that
      time.

   o  Agent applications MAY choose to ignore the name, description, or
      other annotative information associated with the component
      definitions within this ADM where such items are only used to
      provide human-readable information or are otherwise not necessary
      to manage a device.

1.2.  Scope

   This ADM specifies those components of the Asynchronous Management
   Model (AMM) common to the management of any instance of an ION node.

   Any Manager software implementing this ADM MUST perform the
   responsibilities of an AMA Manager as outlined in
   [I-D.birrane-dtn-adm] as they relate to the objects included in this
   document.

   Any Agent software implementing this ADM MUST perform the
   responsibilities of an AMA Agent as outlined in [I-D.birrane-dtn-adm]
   as they relate to the objects included in this document.

1.3.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Structure and Design of this ADM

   The IONSEC Admin ADM's structure is in accordance with
   [I-D.birrane-dtn-adm].  This ADM contains metadata, table templates,
   and controls.  Table templates are column templates that will be
   followed by any instance of this table available in the network.
   They may not be created dynamically within the network by Managers.
   Controls are predefined and sometimes parameterized opcodes that can
   be run on an Agent.  Controls are preconfigured in Agents and
   Managers as part of ADM support.  There are no variables, report
   templates, macros, externally defined data (EDD), constants, or
   operators in this ADM at this time.  The contents of this ADM are
   derived from the main functions and data that are needed to
   configure the security policy database on the local computer that is
   running ION, and include both Bundle Protocol Security and Licklider
   Transmission Protocol authentication.

   All ADMs have metadata that includes the name, namespace, and version
   of the ADM as well as the name of the organization that is issuing
   that particular ADM.  This is important for identification of the
   ADMs and to ensure version control.

   The controls expressed in this document add, delete, and modify
   security keys, LTP segment authentication rules, and LTP segment
   signing rules.  The table templates expressed in this document list
   all of the keys and rules in the security policy database.

3.  Naming and Identification

   This section outlines the namespaces used to uniquely identify ADM
   objects in this specification.

3.1.  Namespace and Nicknames

   In accordance with [I-D.birrane-dtn-adm], every ADM is assigned a
   moderated Namespace.  In accordance with [I-D.birrane-dtn-amp], these
   namespaces may be enumerated for compactness.  The namespace and ADM
   identification for these objects is defined as follows.

                +-----------------+---------------------+
                | Identifier      | Value               |
                +-----------------+---------------------+
                | Namespace       | DTN/ION/ionsecadmin |
                |                 |                     |
                | ADM Enumeration | 8                   |
                +-----------------+---------------------+

                      Table 1: Namespace Information

   Given the above ADM enumeration, in accordance with
   [I-D.birrane-dtn-amp], the following AMP nicknames are defined.

             +----------+------------------------------+
             | Nickname | Collection                   |
             +----------+------------------------------+
             | 160      | DTN/ION/ionsecadmin/Const    |
             |          |                              |
             | 161      | DTN/ION/ionsecadmin/Ctrl     |
             |          |                              |
             | 162      | DTN/ION/ionsecadmin/Edd      |
             |          |                              |
             | 163      | DTN/ION/ionsecadmin/Mac      |
             |          |                              |
             | 164      | DTN/ION/ionsecadmin/Oper     |
             |          |                              |
             | 165      | DTN/ION/ionsecadmin/Rptt     |
             |          |                              |
             | 167      | DTN/ION/ionsecadmin/Tblt     |
             |          |                              |
             | 169      | DTN/ION/ionsecadmin/Var      |
             |          |                              |
             | 170      | DTN/ION/ionsecadmin/Mdat     |
             |          |                              |
             | 171-179  | DTN/ION/ionsecadmin/Reserved |
             +----------+------------------------------+

                      Table 2: IONSEC ADM Nicknames
4.  IONSEC ADM JSON Encoding

   The following is the JSON encoding of the IONSEC Admin ADM:

   {
     "Mdat": [
       {
         "name": "name",
         "type": "STR",
         "value": "ionsec_admin",
         "description": "The human-readable name of the ADM."
       },
       {
         "name": "namespace",
         "type": "STR",
         "value": "DTN/ION/ionsecadmin/",
         "description": "The namespace of the ADM."
       },
       {
         "name": "version",
         "type": "STR",
         "value": "V0.0",
         "description": "The version of the ADM."
       },
       {
         "name": "organization",
         "type": "STR",
         "value": "JHUAPL",
         "description": "The name of the issuing organization of the ADM."
       }
     ],

     "Tblt": [
       {
         "name": "keys",
         "columns": [{"type":"STR","name":"key_name"}],
         "description": "This table lists all key names in the security
           policy database."
       },
       {
         "name": "ltp_rx_rules",
         "columns": [
           {"type":"UINT","name":"ltp_engine_id"},
           {"type":"UINT","name":"ciphersuite_nbr"},
           {"type":"STR","name":"key_name"}
         ],
         "description": "This table lists all LTP segment authentication
           rules in the security policy database."
       },
       {
         "name": "ltp_tx_rules",
         "columns": [
           {"type":"UINT","name":"ltp_engine_id"},
           {"type":"UINT","name":"ciphersuite_nbr"},
           {"type":"STR","name":"key_name"}
         ],
         "description": "This table lists all LTP segment signing rules
           in the security policy database."
       }
     ],

     "Ctrl": [
       {
         "name": "key_add",
         "parmspec": [
           {"type":"STR","name":"key_name"},
           {"type":"BYTESTR","name":"key_value"}
         ],
         "description": "This control adds a named key value to the
           security policy database.  The content of file_name is taken
           as the value of the key.  Named keys can be referenced by
           other elements of the security policy database."
       },
       {
         "name": "key_change",
         "parmspec": [
           {"type":"STR","name":"key_name"},
           {"type":"BYTESTR","name":"key_value"}
         ],
         "description": "This control changes the value of the named
           key, obtaining the new key value from the content of
           file_name."
       },
       {
         "name": "key_del",
         "parmspec": [{"type":"STR","name":"key_name"}],
         "description": "This control deletes the key identified by
           name."
       },
       {
         "name": "ltp_rx_rule_add",
         "parmspec": [
           {"type":"UINT","name":"ltp_engine_id"},
           {"type":"UINT","name":"ciphersuite_nbr"},
           {"type":"STR","name":"key_name"}
         ],
         "description": "This control adds a rule specifying the manner
           in which LTP segment authentication will be applied to LTP
           segments received from the indicated LTP engine.  A segment
           from the indicated LTP engine will only be deemed authentic
           if it contains an authentication extension computed via the
           ciphersuite identified by ciphersuite_nbr using the
           applicable key value.  If ciphersuite_nbr is 255 then the
           applicable key value is a hard-coded constant and key_name
           must be omitted; otherwise key_name is required and the
           applicable key value is the current value of the key named
           key_name in the local security policy database.  Valid
           values of ciphersuite_nbr are: 0: HMAC-SHA1-80, 1:
           RSA-SHA256, 255: NULL"
       },
       {
         "name": "ltp_rx_rule_change",
         "parmspec": [
           {"type":"UINT","name":"ltp_engine_id"},
           {"type":"UINT","name":"ciphersuite_nbr"},
           {"type":"STR","name":"key_name"}
         ],
         "description": "This control changes the parameters of the LTP
           segment authentication rule for the indicated LTP engine."
       },
       {
         "name": "ltp_rx_rule_del",
         "parmspec": [{"type":"UINT","name":"ltp_engine_id"}],
         "description": "This control deletes the LTP segment
           authentication rule for the indicated LTP engine."
       },
       {
         "name": "ltp_tx_rule_add",
         "parmspec": [
           {"type":"UINT","name":"ltp_engine_id"},
           {"type":"UINT","name":"ciphersuite_nbr"},
           {"type":"STR","name":"key_name"}
         ],
         "description": "This control adds a rule specifying the manner
           in which LTP segments transmitted to the indicated LTP engine
           must be signed.  Signing a segment destined for the indicated
           LTP engine entails computing an authentication extension via
           the ciphersuite identified by ciphersuite_nbr using the
           applicable key value.  If ciphersuite_nbr is 255 then the
           applicable key value is a hard-coded constant and key_name
           must be omitted; otherwise key_name is required and the
           applicable key value is the current value of the key named
           key_name in the local security policy database.  Valid
           values of ciphersuite_nbr are: 0: HMAC-SHA1-80, 1:
           RSA-SHA256, 255: NULL"
       },
       {
         "name": "ltp_tx_rule_change",
         "parmspec": [
           {"type":"UINT","name":"ltp_engine_id"},
           {"type":"UINT","name":"ciphersuite_nbr"},
           {"type":"STR","name":"key_name"}
         ],
         "description": "This control changes the parameters of the LTP
           segment signing rule for the indicated LTP engine."
       },
       {
         "name": "ltp_tx_rule_del",
         "parmspec": [{"type":"UINT","name":"ltp_engine_id"}],
         "description": "This control deletes the LTP segment signing
           rule for the indicated LTP engine."
       },
       {
         "name": "list_keys",
         "description": "This control lists the names of keys available
           in the key policy database."
       },
       {
         "name": "list_ltp_rx_rules",
         "description": "This control lists all LTP segment
           authentication rules in the security policy database."
       },
       {
         "name": "list_ltp_tx_rules",
         "description": "This control lists all LTP segment signing
           rules in the security policy database."
       }
     ]
   }

5.  IANA Considerations

   At this time, this protocol has no fields registered by IANA.
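   The parameter checks that the control descriptions in Section 4
   imply, worked through as an added example that is not part of this
   draft or of the ION implementation: a small in-memory stand-in for
   the security policy database loads a subset of the ADM's JSON
   encoding, validates each control invocation against that control's
   parmspec, enforces the rule that key_name is omitted when
   ciphersuite_nbr is 255 and required otherwise, and renders the
   table templates as rows.  The SecurityPolicyDb class, the AMM_TYPES
   predicates, the demo function and the key bytes are assumptions
   constructed for this example; the model's refusal of a rule that
   names a key the database does not hold goes beyond the draft's text
   and is marked as an assumption in the code.

```python
import json

# Constructed subset of the Section 4 JSON encoding: the three table templates
# and the three "add" controls, without their "description" strings.
IONSEC_ADM_JSON = r'''{
 "Tblt": [
  {"name": "keys", "columns": [{"type": "STR", "name": "key_name"}]},
  {"name": "ltp_rx_rules", "columns": [{"type": "UINT", "name": "ltp_engine_id"},
     {"type": "UINT", "name": "ciphersuite_nbr"}, {"type": "STR", "name": "key_name"}]},
  {"name": "ltp_tx_rules", "columns": [{"type": "UINT", "name": "ltp_engine_id"},
     {"type": "UINT", "name": "ciphersuite_nbr"}, {"type": "STR", "name": "key_name"}]}],
 "Ctrl": [
  {"name": "key_add", "parmspec": [{"type": "STR", "name": "key_name"},
     {"type": "BYTESTR", "name": "key_value"}]},
  {"name": "ltp_rx_rule_add", "parmspec": [{"type": "UINT", "name": "ltp_engine_id"},
     {"type": "UINT", "name": "ciphersuite_nbr"}, {"type": "STR", "name": "key_name"}]},
  {"name": "ltp_tx_rule_add", "parmspec": [{"type": "UINT", "name": "ltp_engine_id"},
     {"type": "UINT", "name": "ciphersuite_nbr"}, {"type": "STR", "name": "key_name"}]}]
}'''
ADM = json.loads(IONSEC_ADM_JSON)
CTRL_PARMSPEC = {c["name"]: c["parmspec"] for c in ADM["Ctrl"]}
TBLT_COLUMNS = {t["name"]: [col["name"] for col in t["columns"]] for t in ADM["Tblt"]}

# ciphersuite_nbr values named in the ltp_rx_rule_add / ltp_tx_rule_add text
CIPHERSUITES = {0: "HMAC-SHA1-80", 1: "RSA-SHA256", 255: "NULL"}
NULL_CIPHERSUITE = 255  # hard-coded constant key; key_name must be omitted

# AMM primitive types used by this ADM, as predicates over Python values
AMM_TYPES = {
    "UINT": lambda v: isinstance(v, int) and not isinstance(v, bool) and v >= 0,
    "STR": lambda v: isinstance(v, str),
    "BYTESTR": lambda v: isinstance(v, (bytes, bytearray)),
}


class SecurityPolicyDb:
    """In-memory stand-in (an assumption) for the ION security policy database."""

    def __init__(self):
        self.keys = {}          # key_name -> key value
        self.ltp_rx_rules = {}  # ltp_engine_id -> (ciphersuite_nbr, key_name)
        self.ltp_tx_rules = {}

    def invoke(self, control, **parms):
        """Check parms against the control's parmspec, then apply the control."""
        for p in CTRL_PARMSPEC[control]:
            # key_name is the one parameter the ADM allows to be omitted (when
            # ciphersuite_nbr is 255); every other parameter is required.
            if p["name"] not in parms:
                if p["name"] != "key_name":
                    raise ValueError(f"{control}: missing parameter {p['name']}")
            elif not AMM_TYPES[p["type"]](parms[p["name"]]):
                raise ValueError(f"{control}: {p['name']} is not a valid {p['type']}")
        if control == "key_add":
            self.keys[parms["key_name"]] = bytes(parms["key_value"])
        else:
            rules = self.ltp_rx_rules if control == "ltp_rx_rule_add" else self.ltp_tx_rules
            rules[parms["ltp_engine_id"]] = self._rule(parms["ciphersuite_nbr"], parms.get("key_name"))

    def _rule(self, ciphersuite_nbr, key_name):
        """Enforce the ciphersuite_nbr / key_name coupling stated in the ADM text."""
        if ciphersuite_nbr not in CIPHERSUITES:
            raise ValueError(f"ciphersuite_nbr {ciphersuite_nbr} is not 0, 1 or 255")
        if ciphersuite_nbr == NULL_CIPHERSUITE:
            if key_name is not None:
                raise ValueError("key_name must be omitted when ciphersuite_nbr is 255")
        elif key_name is None:
            raise ValueError(f"key_name is required for {CIPHERSUITES[ciphersuite_nbr]}")
        elif key_name not in self.keys:
            # Assumption of this model: a rule may only name a key already held.
            raise ValueError(f"no key named {key_name!r} in the security policy database")
        return (ciphersuite_nbr, key_name)

    def table(self, name):
        """Render one of the Section 4 table templates as a list of row dicts."""
        cols = TBLT_COLUMNS[name]
        if name == "keys":
            rows = [(k,) for k in sorted(self.keys)]
        else:
            rules = self.ltp_rx_rules if name == "ltp_rx_rules" else self.ltp_tx_rules
            rows = [(eid, cs, kn) for eid, (cs, kn) in sorted(rules.items())]
        return [dict(zip(cols, row)) for row in rows]


def demo():
    """Constructed walkthrough: accepted invocations, then ones the checks reject."""
    db = SecurityPolicyDb()
    db.invoke("key_add", key_name="ltp_key_1", key_value=b"\x01" * 20)  # constructed key
    db.invoke("ltp_rx_rule_add", ltp_engine_id=2, ciphersuite_nbr=0, key_name="ltp_key_1")
    db.invoke("ltp_tx_rule_add", ltp_engine_id=2, ciphersuite_nbr=255)  # NULL: no key_name
    rejected = []
    for bad in ({"ltp_engine_id": 3, "ciphersuite_nbr": 255, "key_name": "ltp_key_1"},
                {"ltp_engine_id": 3, "ciphersuite_nbr": 1},
                {"ltp_engine_id": 3, "ciphersuite_nbr": 0, "key_name": "no_such_key"},
                {"ltp_engine_id": -1, "ciphersuite_nbr": 0, "key_name": "ltp_key_1"}):
        try:
            db.invoke("ltp_rx_rule_add", **bad)
        except ValueError as err:
            rejected.append(str(err))
    return db, rejected
```

   Running demo() leaves one key, one HMAC-SHA1-80 authentication rule
   and one NULL signing rule in the tables, and collects four rejection
   messages: a key_name supplied with ciphersuite 255, a missing
   key_name for RSA-SHA256, a key_name that the keys table does not
   hold, and a negative ltp_engine_id that fails the UINT check.  The
   NULL row renders with key_name set to None, which is how this model
   represents an omitted parameter in a STR column.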
6.  References

6.1.  Informative References

   [I-D.birrane-dtn-ama]
              Birrane, E., "Asynchronous Management Architecture",
              draft-birrane-dtn-ama-07 (work in progress), June 2018.

6.2.  Normative References

   [I-D.birrane-dtn-adm]
              Birrane, E., DiPietro, E., and D. Linko, "AMA Application
              Data Model", draft-birrane-dtn-adm-02 (work in progress),
              June 2018.

   [I-D.birrane-dtn-amp]
              Birrane, E., "Asynchronous Management Protocol",
              draft-birrane-dtn-amp-04 (work in progress), June 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

Authors' Addresses

   Edward J. Birrane
   Johns Hopkins Applied Physics Laboratory

   Email: Edward.Birrane@jhuapl.edu


   Evana DiPietro
   Johns Hopkins Applied Physics Laboratory

   Email: Evana.DiPietro@jhuapl.edu


   David Linko
   Johns Hopkins Applied Physics Laboratory

   Email: David.Linko@jhuapl.edu