180 likes | 351 Views
Security Analysis of Delay-Tolerant Network Architectures and the Bundle Protocol Specification for Space-Based Networks . William D. Ivancic NASA Glenn Research Center william.d.ivancic@nasa.gov 216-433-3494. What is Delay Tolerant Network (DTN).
E N D
Security Analysis of Delay-Tolerant Network Architectures and the Bundle Protocol Specification for Space-Based Networks William D. Ivancic NASA Glenn Research Center william.d.ivancic@nasa.gov 216-433-3494
What is Delay Tolerant Network (DTN) • Its origins are from NASA JPL’s experiences with high delay, store-and-forward networks for deep space, and their experience gained with the development of the CCSDS File Delivery Protocol (CFDP) • Added Layering to split CFDP into transport and bundles • Enables file transfer, messaging, and streaming • Bundle Protocol (BP) sits at (or just below) the application layer of some number of constituent internets, forming a store-and-forward overlay network. • Key Capabilities • Custody-based retransmission, a willingness to take responsibility for forwarding a received bundle • Ability to cope with intermittent connectivity • Ability to take advantage of scheduled, predicted, and opportunistic connectivity • Late binding enabling a bundle to move closer to its endpoint without complete knowledge
Convergence Layers • Successful end-to-end transmission of Bundles depends on the operation of underlying protocols, known as “convergence layers” • TCP, UPD, LTP, Bluetooth, CCSDS TM, Flash Drive, etc... • Extremely different characteristics (e.g. addressing, security, routing) • Result is DTN only has naming, but no real addressing • Make aggregation an interesting problem. • Enables DTN to operate over heterogeneous networks • DTN can be viewed as an application layer gateway and/or network protocol bridge • An overlay network inherits all of the good and all of the bad of the underlying networks upon which it resides (i.e. convergence layers)
Convergence Layers DTN Bundle Agent CCSDS Telemetry Space Datalink Protocol DTN Bundle Agent Bluetooth DTN Bundle Agent DTN Bundle Agent IP Internet USB Storage DTN Bundle Agent
DTN Working Groups • Internet Research Task Force (IRTF) DTN Research Group DTNRG • RFC-4838 describes the Architecture • RFC-5050 is the Bundle Protocol Specification • Additional security specifications have been provided via the Bundle Security Specification • Licklider Transport Protocol (LTP) Security Extensions describe security mechanisms for the LTP link-layer protocol. LTP is specifically applicable to long delay, disrupted point-to-point Space links • CCSDS Space Internetworking Services DTN Working Group • Is RFC-5050 is a feasible solution for a store-and-forward networking protocol for space environments? • If not, enhance RFC5050 or define a new protocol.
Network Security • Bulk Encryption • For point-to-point links (not recommended for multi-hop systems due to complexity of managing each link) • Only needs keys, not policy • Inflexible but relatively simple for point-to-point single hop communication. • Adds complexity and hardware if one wishes to extend the point-to-point link through a routable network • Network Security • Packet-based or bundle-based systems • Designed for end-to-end security where communication is over multiple hops • Extremely flexible • With flexibly comes complexity • Requires Certificates (keys) andpolicy (whom or what can communicate with whom or what over what protocols)!
Certificates and Policy • Key and policy management and distribution are difficult over connected networks. • Disconnected networks are even more difficult – particularly since one must assume they cannot reach a server to validate credentials and certificates in a timely manner. • This is a major research area • For space-based networks, certificate and policy management is likely to occur using the network management system. • Cross Enterprise Security and International Interoperability • “Rules of Engagement” • Not technical “What can I do?”, but “What am I permitted to do?” • One needs to know this up front to design a secure network in a cost effective manner • Likely to fall under International Traffic in Arms Regulations (ITAR). • This is a difficult, critical area that must be addressed internationally.
Practical Exploitations • Denial of Service • Often done at the transport layer • Store-and-forward systems can be exploited by exhaust resources (e.g. storage, CPU, power, etc...) • Protections • Bundle Security Protocol (BSP) Bundle Authentication Block (BAB) • Licklider Transport Protocol (LTP) security specification defines security extensions intended to help thwart DoS attacks • Code Implementation Exploits • It is often possible to exploit code implementations. The nature of the bundle protocol adds additional potential vulnerabilities that should be addressed. • Many variable-length fields, text-field parsing, and other bundle-processing operations, there may be risk due to implementation bugs (e.g. buffer overflows) that don't exist with fixed-width fields and binary formats. • Possibly attacks on a host, CPU and/or memory by sending maliciously-crafted bundles and administrative records.
Closed versus Open Networks • In general, space networks are closed networks. • Closed networks, in theory, eliminate many of the exploits such as DOS attacks from ever getting an opportunity to entering the system. • International Internetworking • Gray Area (sort of closed but not quite) • Security is based on trust and distrust • This is a “Rules of Engagement” Issue • Data at rest is generally less secure than data in motion • Luxury of “time” to decipher encrypted data
Architecture and Security • Rule of Thumb: The simpler the network architecture the better. • If one can better understand the flow of data, one can identify the potential places the network can be exploited. • One can then put security mechanisms in place to shore up any weakness. • Three sample architectures illustrate: • The complexity of the architecture goes down dramatically if one is willing to allow DTN to handle the security. • Reducing the number of encapsulations is highly beneficial. • The number of control loops is dramatically reduced. • Each security mechanism has to be able to function within the characteristics of the underlying transport protocol and tunneling mechanism • Each transport protocol has to be able to handle the idiosyncrasies of the embedded control loops. • Interactions between transport protocols and security mechanism can be quite subtle.
DTN over Encrypted Datalink using SLE-Transfer Services DTN Bundle Agent Internet or Intranet Application Datalink Encryptor Space Link Extension – Transfer Layer Application DTN Bundle Agent
Secure DTN using SLE-Transfer Services DTN Bundle Agent Internet or Intranet Application DTN Bundle Agent Implementing Security Space Link Extension – Transfer Layer Application
Secure DTN without the need for SLE-Transfer Services DTN Bundle Agent Internet or Intranet Application DTN Bundle Agent Implementing Security
Security issues with general DTN Protocols • RFC 5050, requires that all communicating bundle nodes share a common, simultaneous, synchronized, conception of Universal Time Coordinated (UTC) • Misbehaving time sources (intentional or unintentional) • From a security standpoint, it may not be possible, to accept time reference data from nodes operated by a different organization • Bundles from the future: Will your system accept bundles from the future (as these can consume storage and process for routing)? If so, how far into the future? • Long lifetime bundles: How long of a lifetime is allowed?
DTN Security Internet Drafts • Delay-Tolerant Networking Security Overview • Security requirements and mechanisms considered for delay tolerant networking security • Options for protecting such networks • Reasons why specific security mechanisms were (or were not) chosen for the relevant protocols. • Bundle Security Protocol Specification • This is a very complex document • Defines the bundle security protocol, which provides data integrity and confidentiality services. • Bundle Authentication Block (BAB) • Assures the authenticity and integrity of the bundle along a single hop from forwarder to intermediate receiver • Payload Integrity Block (PIB) • Assures the authenticity and integrity of the payload from the PIB security-source, which creates the PIB, to the PIB security-destination, which verifies the PIB • The ciphersuite MAY process less than the entire original bundle payload. • Payload Confidentiality Block (PCB) • Encrypts a payload at the PCB security-source in order to protect the bundle content while in transit to the PCB security-destination • Extensions Security Block (ESB) • Provides protection for non-payload-related portions of a bundle such as Metadata Extension Blocks
General Notes Concerning the Bundle Security Protocols • PIB and PCB protect the payload and are regarded as "payload-related". • Other blocks are regarded as "non-payload" blocks. • Bundles protected using PCB must be processed in order. • Great care must be taken to ensure that security zones do not overlap. • DTN Bundle-in-Bundle Encapsulation • One or more bundles can be placed inside of the payload of another bundle and then the payload of the encapsulating bundle can be encrypted (similar to IPsec tunnel mode) • Reliability-only Ciphersuites for the Bundle Protocol • Defines new ciphersuites for use within the existing BSP PIB to provide error-detection functions • Intended to protect only against errors and accidental modification
Network Management • Network Management is a Application • User for Monitoring network performance in order to both optimize performance and determine when something has failed either entirely or partially • Use to Configuring bundle agents • Configurations may include the following: distribution of contract graph routing information, configuration of radios (e.g. modulation, coding, data rates), security policy, security keys, and reporting. • If the network management system were compromised, it could lead to serious performance issues relative to the entire DTN network – even if only a single critical node where compromised. • For multi-hop DTNs where some bundle agents are only reachable via DTN technology, DTN protocols will be required to transmit network management information. • Point-to-Point connectivity may use a communication back channel
Operational Considerations for Space-Base DTNs • The usefulness of the BAB is questionable • There is already a strong trust relationship in order to establish communication at the physical layer • The added complexity, added key distribution and management and potential for lockout versus the risk of not authenticating your neighbor must be considered. • Policies are required that control and limit the use of system resources. • Require one to identify the source of the data and determine what organization that source belongs to. The PIB would likely be used here. • Common practice today is that the network is run by one group and the applications are run by another. • One should anticipate the key and policy management of applications will likely be performed and controlled by a different organization than the organization which controls key and policy for the communication network • Encrypting bundles may only be useful for bundles related to networking and not bundles related to application. • The application data should be protected by those responsible for the applications. Such an approach should make security management easier. • Applications are protected end-to-end • The network is protected at all points of the communication chain using a variety of tools