[Sis-dtn] BPSec ICS RL changes

Lars Baumgaertner Lars.Baumgaertner at esa.int
Thu Jun 26 09:31:07 UTC 2025


Hi everyone,

As discussed during the joint sec/dtn wg meeting at the last CCSDS spring meeting, here are the findings of Lukas (also in CC) and the proposed changes to the BPSec tests in the BPSec draft book.

All issues are in the attached file but for convenience also inline in the email here.

Proposed changes to the CCSDS BUNDLE PROTOCOL SECURITY SPECIFICATION red book draft CCSDS 734.5-R-2

Changes for the A2.2 REQUIREMENTS LIST

-----------------------------------------

Test: #24

Description: A BIB integrity value MUST NOT be checked if the security target associated with that value is also the security target of a BCB.

Reference: RFC 9172 Section 3.9

Issue: Test #24 is an implication. The description text should rather be a CAN NOT than a MUST NOT. It is also already covered by Test #50. The description text and reference text of test #50 tell why.

RFC 9172 Section 5.1.2: A BIB MUST NOT be processed if the security target of the BIB is also the security target of a BCB in the bundle. Given the order of operations mandated by this specification,
when both a BIB and a BCB share a security target, it means that the security target must have been encrypted after it was integrity signed; therefore, the BIB cannot be verified until the security target has been decrypted by processing the BCB.

Proposed Action: REMOVE Test 24

-----------------------------------------

Test: #25

Description: A BIB MUST NOT have a BCB as its security target.

Reference: RFC 9172 Section 3.9

Issue: Test is a subset of test #7. Test #7 description: A security target listed in the Security Targets field of a BIB MUST NOT reference a security block defined in RFC 9172 (e.g., a BIB or a BCB).

Proposed Action: REMOVE test #25

-----------------------------------------

Test: #32

Description: If processing a security operation fails, the target SHALL be processed according to the security policy.

Reference: RFC 9172 Section 5.1.1

Issue: Description is ambiguous with test #47. Difference only noticeable through section reference.

Proposed Action: CHANGE description
From: If processing a security operation fails, the target SHALL be processed according to the security policy.
To: If processing a BCB security operation fails, the target SHALL be processed according to the security policy.

-----------------------------------------

Test: #33

Description: If processing a security operation fails, a bundle status report indicating the failure MAY be generated.

Reference: RFC 9172 Section 5.1.1

Issue: Description is ambiguous with test #48. Difference only noticeable through section reference.

Proposed Action: CHANGE description
From: If processing a security operation fails, a bundle status report indicating the failure MAY be generated.
To: If processing a BCB security operation fails, a bundle status report indicating the failure MAY be generated.

-----------------------------------------

Test: #47

Description: If processing a security operation fails, the target SHALL be processed according to the security policy.

Reference: RFC 9172 Section 5.1.2

Issue: Description text is ambiguous with test #32. Difference only noticeable through section reference.

Proposed Action: CHANGE description
From: If processing a security operation fails, the target SHALL be processed according to the security policy.
To: If processing a BIB security operation fails, the target SHALL be processed according to the security policy.

-----------------------------------------

Test: #48

Description: If processing a security operation fails, a bundle status report indicating the failure MAY be generated.

Reference: RFC 9172 Section 5.1.2

Issue: Description text is ambiguous with test #33. Difference only noticeable through section reference.

Proposed Action: CHANGE description
From: If processing a security operation fails, a bundle status report indicating the failure MAY be generated.
To: If processing a BIB security operation fails, a bundle status report indicating the failure MAY be generated.

-----------------------------------------

Test: #53

Description: If a the security target is the payload or primary block, the bundle MAY be discarded. This action can occur at any node that has the ability to verify an integrity signature, not just the bundle destination.

Reference: RFC 9172 Section 5.1.2

Issue: Apart from the wrong 'a' in the beginning, there is some descriptive text missing on the cause, saying why the action might be taken. This can only be acquired with the section reference.

Proposed Action: CHANGE description
From: If a the security target is the payload or primary block, the bundle MAY be discarded. This action can occur at any node that has the ability to verify an integrity signature, not just the bundle destination.
To: If the security policy of a node specifies that a node should have applied integrity to the payload or primary block, but no such BIB is present in the bundle, the bundle MAY be discarded. This action can occur at any node that has the ability to verify an integrity signature, not just the bundle destination.

-----------------------------------------

Test: #59

Description: If it is necessary for a node to fragment a bundle payload, and security services have been applied to that bundle, the fragmentation rules described in reference [2] MUST be followed.

Reference: RFC 9172 Section 5.2

Issue: Applying fragmentation can break existing integrity protection.

Proposed Action: REMOVE test #59


Kind regards,
Lars

--
Lars Baumgaertner
Internal Research Fellow (OPS-GAE)
European Space Agency ESA/ESOC
Robert-Bosch-Str. 5, D-64293 Darmstadt
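The order-of-operations argument quoted under Test #24 (a BIB over a target that is also a BCB target cannot be checked until the BCB has been processed) and the target rule under Test #25 / Test #7 (a BIB must not target a BIB or BCB), modelled as a small Python check at a receiving node. This is an added example, not code from the email, from the attached file, or from any BPSec implementation. The block numbers, the type codes of the non-security blocks, the sample bundle layout, and the assumption that a node which is the security acceptor for a BCB removes that BCB after decrypting its target are constructed for this example.

```python
"""Two BPSec target rules from RFC 9172, modelled at a receiving node.

Block numbers and the bundle layout are constructed sample values.
BPv7 block type codes: 1 = payload, 11 = BIB, 12 = BCB (RFC 9171 / RFC 9172).
The primary block carries no type code; 0 is used here purely as a marker.
"""
from dataclasses import dataclass

PRIMARY_BLOCK = 0   # block number of the primary block
PAYLOAD_BLOCK = 1   # block number of the payload block
BIB_TYPE = 11       # Block Integrity Block
BCB_TYPE = 12       # Block Confidentiality Block


@dataclass(frozen=True)
class Block:
    number: int
    block_type: int
    targets: tuple = ()   # security targets; only used for BIB and BCB


def check_bib_targets(blocks):
    """Draft test #7 (RFC 9172 section 3.9): a BIB MUST NOT list a BIB or a BCB
    as a security target. Returns [(bib_number, offending_target), ...]."""
    types = {b.number: b.block_type for b in blocks}
    return [
        (b.number, t)
        for b in blocks if b.block_type == BIB_TYPE
        for t in b.targets
        if types.get(t) in (BIB_TYPE, BCB_TYPE)
    ]


def bib_blocked_by_bcb(blocks):
    """Draft test #50 (RFC 9172 section 5.1.2): a BIB whose target is also the
    target of a BCB still present in the bundle cannot be verified yet, because
    the target was encrypted after it was signed.
    Returns {bib_number: frozenset(shared targets)} for every BIB that must wait."""
    bcb_targets = {t for b in blocks if b.block_type == BCB_TYPE for t in b.targets}
    blocked = {}
    for b in blocks:
        if b.block_type == BIB_TYPE:
            shared = frozenset(b.targets) & bcb_targets
            if shared:
                blocked[b.number] = shared
    return blocked


def process_security_blocks(blocks, bcb_acceptor_for):
    """Simulate the order of operations at one node.

    bcb_acceptor_for: set of BCB block numbers this node is the security
    acceptor for (assumption: the acceptor decrypts the target and removes the
    BCB). BCBs are handled first; afterwards every BIB that is no longer
    shadowed by a BCB is verified and the remaining BIBs are left untouched.
    Returns (decrypted_targets, verified_bibs, deferred_bibs)."""
    bad = check_bib_targets(blocks)
    if bad:
        raise ValueError(f"BIB targets a security block: {bad}")
    remaining, decrypted = [], []
    for b in blocks:
        if b.block_type == BCB_TYPE and b.number in bcb_acceptor_for:
            decrypted.extend(b.targets)   # ciphertext replaced by plaintext
        else:
            remaining.append(b)
    blocked = bib_blocked_by_bcb(remaining)
    verified = [b.number for b in remaining
                if b.block_type == BIB_TYPE and b.number not in blocked]
    return decrypted, verified, sorted(blocked)


# Constructed sample bundle: the payload (block 1) was signed by BIB 2 and then
# encrypted by BCB 3; extension block 4 (constructed type code 6) is signed by
# BIB 5 only.
SAMPLE_BUNDLE = [
    Block(PRIMARY_BLOCK, 0),
    Block(PAYLOAD_BLOCK, 1),
    Block(2, BIB_TYPE, targets=(PAYLOAD_BLOCK,)),
    Block(3, BCB_TYPE, targets=(PAYLOAD_BLOCK,)),
    Block(4, 6),
    Block(5, BIB_TYPE, targets=(4,)),
]

# Same bundle plus a BIB that (illegally) targets the BCB, for the test #7 check.
BAD_BUNDLE = SAMPLE_BUNDLE + [Block(6, BIB_TYPE, targets=(3,))]

if __name__ == "__main__":
    print(check_bib_targets(BAD_BUNDLE))                    # [(6, 3)]
    print(bib_blocked_by_bcb(SAMPLE_BUNDLE))                # {2: frozenset({1})}
    # Waypoint that is not the BCB acceptor: BIB 2 stays unchecked, BIB 5 is verified.
    print(process_security_blocks(SAMPLE_BUNDLE, set()))    # ([], [5], [2])
    # BCB acceptor: payload decrypted first, then both BIBs can be verified.
    print(process_security_blocks(SAMPLE_BUNDLE, {3}))      # ([1], [2, 5], [])
```

The two calls to `process_security_blocks` show the point made under Test #24: the "MUST NOT be checked" behaviour never needs a rule of its own, because a node that is not the BCB acceptor simply cannot verify BIB 2 while BCB 3 is present, and a node that is the acceptor removes BCB 3 before reaching the BIB.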

Attachment: ccsds_bpsec_redbook_draft_734.5-R-2_proposed_changes.txt <http://mailman.ccsds.org/pipermail/sis-dtn/attachments/20250626/bba473c0/attachment-0001.txt>