Network Working Group S. Burleigh Internet-DraftJet Propulsion Laboratory, California Institute of Technol Intended status: Experimental March 26, 2013 Expires: September 27, 2013 Bundle-in-Bundle Encapsulation draft-irtf-burleigh-bibe-00 Abstract This document describes Bundle-in-Bundle Encapsulation (BIBE), a Delay-Tolerant Networking (DTN) Bundle Protocol (BP) "convergence layer" protocol that tunnels BP "bundles" through encapsulating bundles. The services provided by the BIBE convergence-layer protocol adapter encapsulate an outbound BP "bundle" in a BIBE convergence-layer protocol data unit for transmission as the payload of a bundle. Security measures applied to the encapsulating bundle may augment those applied to the encapsulated bundle. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 27, 2013. Burleigh Expires September 27, 2013 [Page 1] Internet-Draft BIBE March 2013 Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. BIBE Design Elements . . . . . . . . . . . . . . . . . . . . 4 2.1. BIBE Protocol Data Unit . . . . . . . . . . . . . . . . . 4 2.2. BIBE Bundle Transmission Service . . . . . . . . . . . . 4 2.3. BIBE Bundle Delivery Service . . . . . . . . . . . . . . 5 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 6. Normative References . . . . . . . . . . . . . . . . . . . . 6 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction This document describes Bundle-in-Bundle Encapsulation (BIBE), a Delay-Tolerant Networking (DTN) Bundle Protocol (BP) [RFC5050] "convergence layer" protocol that tunnels BP "bundles" through encapsulating bundles. Conformance to the bundle-in-bundle encapsulation (BIBE) specification is OPTIONAL for BP nodes. Each BP node that conforms to the BIBE specification provides a BIBE convergence-layer adapter (CLA) that is implemented within the administrative element of the BP node's application agent. Like any convergence-layer adapter, the BIBE CLA provides: o A transmission service that sends an outbound bundle (from the bundle protocol agent) to all BP nodes in the minimum reception group of the endpoint identified by a specified endpoint ID. Burleigh Expires September 27, 2013 [Page 2] Internet-Draft BIBE March 2013 o A reception service that delivers to the bundle protocol agent an inbound bundle that was sent by a remote BP node via the BIBE convergence layer protocol. The BIBE CLA performs these services by: o Encapsulating outbound bundles in BIBE protocol data units, which take the form of Bundle Protocol administrative records as described later. o Requesting that the bundle protocol agent transmit bundles whose payloads are BIBE protocol data units. o Taking delivery of BIBE protocol data units that are the payloads of bundles received by the bundle protocol agent. o Delivering to the bundle protocol agent the bundles that are encapsulated in delivered BIBE protocol data units. Bundle-in-bundle encapsulation may have broad utility, but the principal motivating use case is the deployment of "cross domain solutions" in secure communications. Under some circumstances a bundle may arrive at a node that is on the frontier of a region of network topology in which augmented security is required, from which the bundle must egress at some other designated node. In that case, the bundle may be encapsulated within a bundle to which the requisite additional Bundle Security Protocol (BSP) [RFC6257] extension block(s) can be attached, whose source is the point of entry into the insecure region (the "security source") and whose destination is the point of egress from the insecure region (the "security destination"). Note that: o If the payload of the encapsulating bundle is protected by a Payload Confidentiality Block (PCB), then the source and destination of the encapsulated bundle are encrypted, providing a defense against traffic analysis that BSP alone cannot offer. o Bundles whose payloads are BIBE protocol data units may themselves be forwarded via a BIBE convergence-layer adapter, enabling nested bundle encapsulation to arbitrary depth as required by a given security policy. Burleigh Expires September 27, 2013 [Page 3] Internet-Draft BIBE March 2013 o Moreover, in the event that no single point of egress from an insecure region of network topology can be determined at the moment a bundle is to be encapsulated, multiple copies of the bundle may be encapsulated individually and forwarded to all candidate points of egress. o Finally, because the BIBE CLA (like any CLA) may conform to the Compressed Bundle Header Encoding (CBHE) specification [RFC6260], a bundle that is forwarded by BIBE and protected by multiple layers of encryption might be slightly smaller than a similarly protected bundle whose multiple PCBs have explicit security sources and destinations. This is because BSP extension block security sources and destinations are encoded as endpoint ID references, which are not subject to CBHE compression (and in fact make CBHE compression of the bundle impossible); retention of the complete "dictionary" in the bundle's primary block is mandatory. When a bundle is forwarded via a BIBE CLA, explicit security sources and destinations in the BSP extension blocks are unnecessary. Implicit security sources and destinations are asserted in the primary blocks of the encapsulating and encapsulated bundle(s), which may be compressed as described in the CBHE specification. Taken together, these capabilities provide flexibility in security that is comparable, and in some ways superior, to that offered by the explicit security sources and destinations of [RFC6257]. 2. BIBE Design Elements 2.1. BIBE Protocol Data Unit The BIBE protocol data unit is a Bundle Protocol administrative record constructed as follows: o Record type code is 7, i.e., bit pattern 0111. o The content of the administrative record consists of a single BP bundle. 2.2. BIBE Bundle Transmission Service When a BIBE convergence-layer adapter is requested by the bundle protocol agent to send a bundle to all bundle nodes in the minimum reception group of the endpoint identified by a specified endpoint ID: o If the BIBE CLA is CBHE-conformant and the destination endpoint ID is likewise CBHE-conformant, the CLA SHOULD encode the primary Burleigh Expires September 27, 2013 [Page 4] Internet-Draft BIBE March 2013 block of the bundle in the manner prescribed by the CBHE specification. o The CLA MUST place the possibly encoded bundle in the content of a new BIBE administrative record. o This new BIBE administrative record constitutes a BIBE convergence-layer protocol data unit which is to be conveyed from the BIBE CLA to a peer BIBE CLA at the destination node(s). o To accomplish conveyance of the BIBE convergence-layer protocol data unit to its peer CLA, the CLA MUST request that the bundle protocol agent transmit -- to the destination endpoint -- a bundle whose payload is the BIBE convergence-layer protocol data unit (i.e., the new BIBE administrative record). o Selection of the values of the parameters governing the bundle transmission requested by the CLA, other than the destination endpoint ID, is an implementation matter. The parameter values governing transmission of the encapsulated bundle MAY be consulted for this purpose. 2.3. BIBE Bundle Delivery Service When a BIBE CLA receives a BIBE convergence-layer protocol data unit from the bundle protocol agent (that is, upon delivery of the payload of a bundle whose transmission was requested by a BIBE CLA): o The BIBE convergence-layer protocol data unit constitutes a BIBE administrative record. o If the BIBE CLA is CBHE-conformant and the bundle that forms the content of that administrative record is CBHE-encoded, the CLA MUST decode the primary block of that bundle in the manner prescribed by the CBHE specification. o The CLA MUST deliver the possibly decoded bundle to the bundle protocol agent. Note that, upon delivery of a bundle from a BIBE CLA, the bundle prototol agent will perform the bundle reception procedures defined in section 5.6 of [RFC5050] as usual: the formerly encapsulated bundle may be forwarded, delivered, etc. 3. IANA Considerations The BIBE specification requires IANA registration of the new BIBE administrative record (type code 7) defined in section 2.1 above. Burleigh Expires September 27, 2013 [Page 5] Internet-Draft BIBE March 2013 4. Security Considerations The BIBE specification introduces no new security considerations. 5. Acknowledgments Although the BIBE specification diverges in some ways from the original Bundle-in-Bundle Encapsulation Internet Draft authored by Susan Symington, Bob Durst, and Keith Scott of The MITRE Corporation (draft-irtf-dtnrg-bundle-encapsulation-06, 2009), the influence of that earlier document is gratefully acknowledged. 6. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. [RFC5050] Scott, K. and S. Burleigh, "Bundle Protocol Specification", RFC 5050, November 2007. [RFC6257] Symington, S., Farrell, S., Weiss, H., and P. Lovell, "Bundle Security Protocol Specification", RFC 6257, May 2011. [RFC6260] Burleigh, S., "Compressed Bundle Header Encoding (CBHE)", RFC 6260, May 2011. Author's Address Scott Burleigh Jet Propulsion Laboratory, California Institute of Technology 4800 Oak Grove Drive, m/s 301-490 Pasadena, CA 91109 USA Phone: +1 818 393 3353 Email: Scott.C.Burleigh@jpl.nasa.gov Burleigh Expires September 27, 2013 [Page 6]