Proposed changes to the CCSDS BUNDLE PROTOCOL SECURITY SPECIFICATION red book draft CCSDS 734.5-R-2

Changes for the A2.2 REQUIREMENTS LIST

-----------------------------------------

Test: #24

Description: A BIB integrity value MUST NOT be checked if the security target associated with that value is also the security target of a BCB.

Reference: RFC 9172 Section 3.9

Issue: Test #24 is an implication. The description text should rather be a CAN NOT than a MUST NOT. It is also already covered by Test #50. The description text and reference text of Test #50 tell why.

RFC 9172 Section 5.1.2: A BIB MUST NOT be processed if the security target of the BIB is also the security target of a BCB in the bundle. Given the order of operations mandated by this specification, when both a BIB and a BCB share a security target, it means that the security target must have been encrypted after it was integrity signed; therefore, the BIB cannot be verified until the security target has been decrypted by processing the BCB.

Proposed Action: REMOVE Test #24

-----------------------------------------

Test: #25

Description: A BIB MUST NOT have a BCB as its security target.

Reference: RFC 9172 Section 3.9

Issue: Test is a subset of Test #7. Test #7 description: A security target listed in the Security Targets field of a BIB MUST NOT reference a security block defined in RFC 9172 (e.g., a BIB or a BCB).

Proposed Action: REMOVE Test #25

-----------------------------------------

Test: #32

Description: If processing a security operation fails, the target SHALL be processed according to the security policy.

Reference: RFC 9172 Section 5.1.1

Issue: Description is ambiguous with Test #47. The difference is only noticeable through the section reference.

Proposed Action: CHANGE description

From: If processing a security operation fails, the target SHALL be processed according to the security policy.

To: If processing a BCB security operation fails, the target SHALL be processed according to the security policy.

-----------------------------------------

Test: #33

Description: If processing a security operation fails, a bundle status report indicating the failure MAY be generated.

Reference: RFC 9172 Section 5.1.1

Issue: Description is ambiguous with Test #48. The difference is only noticeable through the section reference.

Proposed Action: CHANGE description

From: If processing a security operation fails, a bundle status report indicating the failure MAY be generated.

To: If processing a BCB security operation fails, a bundle status report indicating the failure MAY be generated.

-----------------------------------------

Test: #47

Description: If processing a security operation fails, the target SHALL be processed according to the security policy.

Reference: RFC 9172 Section 5.1.2

Issue: Description text is ambiguous with Test #32. The difference is only noticeable through the section reference.

Proposed Action: CHANGE description

From: If processing a security operation fails, the target SHALL be processed according to the security policy.

To: If processing a BIB security operation fails, the target SHALL be processed according to the security policy.

-----------------------------------------

Test: #48

Description: If processing a security operation fails, a bundle status report indicating the failure MAY be generated.

Reference: RFC 9172 Section 5.1.2

Issue: Description text is ambiguous with Test #33. The difference is only noticeable through the section reference.

Proposed Action: CHANGE description

From: If processing a security operation fails, a bundle status report indicating the failure MAY be generated.

To: If processing a BIB security operation fails, a bundle status report indicating the failure MAY be generated.

-----------------------------------------

Test: #53

Description: If a the security target is the payload or primary block, the bundle MAY be discarded. This action can occur at any node that has the ability to verify an integrity signature, not just the bundle destination.

Reference: RFC 9172 Section 5.1.2

Issue: Apart from the wrong 'a' at the beginning, the description is missing the cause, i.e. why the action might be taken. That cause can only be recovered from the section reference.

Proposed Action: CHANGE description

From: If a the security target is the payload or primary block, the bundle MAY be discarded. This action can occur at any node that has the ability to verify an integrity signature, not just the bundle destination.

To: If the security policy of a node specifies that a node should have applied integrity to the payload or primary block, but no such BIB is present in the bundle, the bundle MAY be discarded. This action can occur at any node that has the ability to verify an integrity signature, not just the bundle destination.

-----------------------------------------

Test: #59

Description: If it is necessary for a node to fragment a bundle payload, and security services have been applied to that bundle, the fragmentation rules described in reference [2] MUST be followed.

Reference: RFC 9172 Section 5.2

Issue: Applying fragmentation can break existing integrity protection.

Proposed Action: REMOVE Test #59
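The two rules behind the proposals for Tests #24, #25 and #7 (a BIB must never target a security block, and a BIB whose target is also a BCB target can only be verified after that BCB has been processed) are easy to get wrong in a receiving node's processing order. The following is an added example, not text from the CCSDS draft or from RFC 9172, and not code from any BPSec implementation: a small Python model of a bundle that checks BIB targets and plans the security processing order so that the dependent BIBs are deferred behind the BCB. The `Block` class, the bundle contents and the block numbers are constructed for illustration; the block type codes for BIB (11) and BCB (12) are the ones RFC 9172 registers, everything else about real CBOR-encoded blocks, security contexts and results is omitted.

```python
"""Added example: BPSec security-block target checks and processing order.

Models only what the proposal text discusses:
  * a BIB MUST NOT target a BIB or a BCB (Test #7 / #25);
  * a BIB whose target is also a BCB target cannot be verified until the
    BCB has been processed (Test #24 / #50, RFC 9172 Section 5.1.2).
The bundle below is constructed for illustration.
"""
from dataclasses import dataclass

# Block type codes: BIB and BCB are the values RFC 9172 defines; the
# payload type code (1) comes from RFC 9171. The primary block is block
# number 0 and has no type code, so it is modelled with a sentinel here.
PRIMARY_SENTINEL = -1   # constructed marker for the primary block
PAYLOAD = 1
BIB = 11
BCB = 12


@dataclass(frozen=True)
class Block:
    number: int                 # block number, unique within the bundle
    type_code: int
    targets: tuple = ()         # security targets (block numbers) for BIB/BCB


def bib_target_violations(bundle):
    """Return (bib_number, target_number, reason) for every BIB whose
    Security Targets field points at a missing block or at a security block."""
    by_number = {b.number: b for b in bundle}
    violations = []
    for blk in bundle:
        if blk.type_code != BIB:
            continue
        for tgt in blk.targets:
            target = by_number.get(tgt)
            if target is None:
                violations.append((blk.number, tgt, "target block missing"))
            elif target.type_code in (BIB, BCB):
                violations.append((blk.number, tgt,
                                   "BIB MUST NOT target a security block"))
    return violations


def plan_security_processing(bundle):
    """Order the security operations a receiving node would perform.

    A BIB whose target is also a BCB target is deferred until after that BCB
    has been processed (the target was encrypted after it was signed, so the
    signature cannot be checked over ciphertext). BIBs with no such overlap
    can be verified immediately. Returns a list of (operation, block_number).
    """
    bibs = [b for b in bundle if b.type_code == BIB]
    bcbs = [b for b in bundle if b.type_code == BCB]
    bcb_targets = {t for bcb in bcbs for t in bcb.targets}

    order, deferred = [], []
    for bib in bibs:
        if any(t in bcb_targets for t in bib.targets):
            deferred.append(bib)            # cannot verify yet: target is encrypted
        else:
            order.append(("verify_bib", bib.number))
    for bcb in bcbs:
        order.append(("decrypt_bcb", bcb.number))
    for bib in deferred:
        order.append(("verify_bib", bib.number))
    return order


# Constructed sample bundle: primary (0), payload (1), one extension block (2),
# BIB #3 signs the payload, BCB #4 then encrypts both the payload and BIB #3,
# and BIB #5 signs extension block 2 without any BCB involvement.
GOOD_BUNDLE = (
    Block(0, PRIMARY_SENTINEL),
    Block(1, PAYLOAD),
    Block(2, 7),                    # arbitrary extension block type for the example
    Block(3, BIB, targets=(1,)),
    Block(4, BCB, targets=(1, 3)),
    Block(5, BIB, targets=(2,)),
)

# Same bundle plus BIB #6 that (wrongly) lists BCB #4 as its security target.
BAD_BUNDLE = GOOD_BUNDLE + (Block(6, BIB, targets=(4,)),)


if __name__ == "__main__":
    print("violations (good):", bib_target_violations(GOOD_BUNDLE))
    print("violations (bad): ", bib_target_violations(BAD_BUNDLE))
    print("processing order: ", plan_security_processing(GOOD_BUNDLE))
```

In the sample bundle BIB #5 is verified first, BCB #4 is processed next, and BIB #3 is only verified afterwards, which is the ordering that makes the "MUST NOT be checked" wording of Test #24 a consequence of Test #50 rather than a separate rule. What to do when a deferred BIB still cannot be verified (for example because the BCB cannot be decrypted at this node) is left to security policy, as Tests #32 and #47 state.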