NAME

bpsecrc - BP security policy management commands file

DESCRIPTION

BP security policy management commands are passed to bpsecadmin either in a file of text lines or interactively at bpsecadmin's command prompt (:). Commands are interpreted line-by-line, with exactly one command per line. The formats and effects of the BP security policy management commands are described below.

A parameter identified as an eid_expr is an "endpoint ID expression." For all commands, whenever the last character of an endpoint ID expression is the wild-card character '*', an applicable endpoint ID "matches" this EID expression if all characters of the endpoint ID expression prior to the last one are equal to the corresponding characters of that endpoint ID (i.e., the expression minus its '*' is a prefix of the endpoint ID). Otherwise an applicable endpoint ID "matches" the EID expression only when all characters of the EID and EID expression are identical; a '*' in any position other than the last is an ordinary character, not a wild-card.

ION supports the proposed "streamlined" Bundle Security Protocol (currently posted as CCSDS Red Book 734.5-R-1) in place of the standard Bundle Security Protocol (RFC 6257). Since SBSP is not yet a published standard, ION's Bundle Protocol security mechanisms will not necessarily interoperate with those of other BP implementations. This is unfortunate but (we hope) temporary, as SBSP represents a major improvement in bundle security. It is possible that the SBSP specification will change somewhat between now and the time SBSP is published as a CCSDS standard and eventually an RFC, and ION will be revised as necessary to conform to those changes, but in the meantime we believe that the advantages of SBSP make it more suitable than RFC 6257 as a foundation for the development and deployment of secure DTN applications.

COMMANDS

  • ?

    The help command. This will display a listing of the commands and their formats. It is the same as the h command.

  • #

    Comment line. Lines beginning with # are not interpreted.

  • e { 1 | 0 }

    Echo control. Setting echo to 1 causes all output printed by bpsecadmin to be logged as well as sent to stdout. Setting echo to 0 disables this behavior.

  • v

    Version number. Prints out the version of ION currently installed. HINT: combine with e 1 command to log the version number at startup.

  • a bspbibrule source_eid_expr destination_eid_expr block_type_number { '' | ciphersuite_name key_name }

    The add bspbibrule command. This command adds a rule specifying the manner in which Block Integrity Block (BIB) validation will be applied to blocks of type block_type_number for all bundles sourced at any node whose administrative endpoint ID matches source_eid_expr and destined for any node whose administrative endpoint ID matches destination_eid_expr.

    If a zero-length string ('') is indicated instead of a ciphersuite_name then BIB validation is disabled for this source/destination EID expression pair: blocks of the type indicated by block_type_number in all bundles sourced at nodes with matching administrative endpoint IDs and destined for nodes with matching administrative endpoint IDs will be immediately deemed valid, without any integrity check, whether or not a BIB is present. Otherwise, a block of the indicated type that is attached to a bundle sourced at a node with matching administrative endpoint ID and destined for a node with matching administrative endpoint ID will only be deemed valid if the bundle contains a corresponding BIB computed via the ciphersuite named by ciphersuite_name using a key value that is identical to the current value of the key named key_name in the local security policy database.

  • c bspbibrule source_eid_expr destination_eid_expr block_type_number { '' | ciphersuite_name key_name }

    The change bspbibrule command. This command changes the ciphersuite name and/or key name for the BIB rule pertaining to the source/destination EID expression pair identified by source_eid_expr and destination_eid_expr and the block identified by block_type_number. Note that the eid_exprs must exactly match those of the rule that is to be modified, including any terminating wild-card character.

  • d bspbibrule source_eid_expr destination_eid_expr block_type_number

    The delete bspbibrule command. This command deletes the BIB rule pertaining to the source/destination EID expression pair identified by source_eid_expr and destination_eid_expr and the block identified by block_type_number. Note that the eid_exprs must exactly match those of the rule that is to be deleted, including any terminating wild-card character.

  • i bspbibrule source_eid_expr destination_eid_expr block_type_number

    This command will print information (the ciphersuite and key names) about the BIB rule pertaining to source_eid_expr, destination_eid_expr, and block_type_number.

  • l bspbibrule

    This command lists all BIB rules in the security policy database.

  • a bspbcbrule source_eid_expr destination_eid_expr block_type_number { '' | ciphersuite_name key_name }

    The add bspbcbrule command. This command adds a rule specifying the manner in which Block Confidentiality Block (BCB) encryption will be applied to blocks of type block_type_number for all bundles sourced at any node whose administrative endpoint ID matches source_eid_expr and destined for any node whose administrative endpoint ID matches destination_eid_expr.

    If a zero-length string ('') is indicated instead of a ciphersuite_name then BCB encryption is disabled for this source/destination EID expression pair: blocks of the type indicated by block_type_number in all bundles sourced at nodes with matching administrative endpoint IDs and destined for nodes with matching administrative endpoint IDs will be sent in plain text. Otherwise, a block of the indicated type that is attached to a bundle sourced at a node with matching administrative endpoint ID and destined for a node with matching administrative endpoint ID can only be decrypted if the bundle contains a corresponding BCB computed via the ciphersuite named by ciphersuite_name using a key value that is identical to the current value of the key named key_name in the local security policy database.

  • c bspbcbrule source_eid_expr destination_eid_expr block_type_number { '' | ciphersuite_name key_name }

    The change bspbcbrule command. This command changes the ciphersuite name and/or key name for the BCB rule pertaining to the source/destination EID expression pair identified by source_eid_expr and destination_eid_expr and the block identified by block_type_number. Note that the eid_exprs must exactly match those of the rule that is to be modified, including any terminating wild-card character.

  • d bspbcbrule source_eid_expr destination_eid_expr block_type_number

    The delete bspbcbrule command. This command deletes the BCB rule pertaining to the source/destination EID expression pair identified by source_eid_expr and destination_eid_expr and the block identified by block_type_number. Note that the eid_exprs must exactly match those of the rule that is to be deleted, including any terminating wild-card character.

  • i bspbcbrule source_eid_expr destination_eid_expr block_type_number

    This command will print information (the ciphersuite and key names) about the BCB rule pertaining to source_eid_expr, destination_eid_expr, and block_type_number.

  • l bspbcbrule

    This command lists all BCB rules in the security policy database.

  • x [ { ~ | sender_eid_expr } [ { ~ | receiver_eid_expr} [ { ~ | bib | bcb } ] ] ]

    This command will clear all rules for the indicated type of bundle security block between the indicated security source and security destination. If the block type is omitted it defaults to ~, signifying "all SBSP blocks". If both the block type and the security destination are omitted, the security destination defaults to ~, signifying "all SBSP security destinations". If all three command-line parameters are omitted, the security source likewise defaults to ~, signifying "all SBSP security sources", so a bare x clears every BIB and BCB rule in the database.

  • h

    The help command. This will display a listing of the commands and their formats. It is the same as the ? command.
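
The following is an added example, written for this page and not part of ION or bpsecadmin, that models how a bpsecrc file is interpreted: the EID-expression matching rule from the DESCRIPTION and the a, c, d, i, l, x and e commands above. It makes several assumptions the page does not state: adding a rule for a (source, destination, block type) triple that already exists is an error; when more than one rule matches a bundle, the rule added first wins; the x command compares its EID arguments to the stored expressions exactly, with ~ meaning "any". Key values are not managed by bpsecadmin, so KEYS is a constructed key store, and the ciphersuite names in SAMPLE_BPSECRC are placeholders rather than names this page documents.

```python
"""Model of bpsecrc interpretation (added example, not ION's code).

Assumptions not stated on the page: 'a' for an existing (src, dst, block type)
triple is an error; with several matching rules the first one added wins; 'x'
compares its EID arguments to stored expressions exactly, '~' meaning any.
KEYS is a constructed key store; ciphersuite names below are placeholders.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional

KEYS = {"bib_key": b"\x01" * 32, "bcb_key": b"\x02" * 16}  # constructed key store


def eid_matches(eid: str, expr: str) -> bool:
    """Trailing '*' matches any EID beginning with the preceding characters;
    otherwise EID and expression must be identical."""
    if expr.endswith("*"):
        return eid.startswith(expr[:-1])
    return eid == expr


@dataclass
class Rule:
    src: str           # source_eid_expr
    dst: str           # destination_eid_expr
    block_type: int
    ciphersuite: str   # '' => BIB validation / BCB encryption disabled
    key_name: str


@dataclass
class PolicyDb:
    tables: dict = field(default_factory=lambda: {"bspbibrule": [], "bspbcbrule": []})
    echo: bool = False
    output: list = field(default_factory=list)

    def _exact(self, kind, src, dst, bt) -> Optional[Rule]:
        # c, d and i require an exact expression match, trailing '*' included.
        return next((r for r in self.tables[kind]
                     if (r.src, r.dst, r.block_type) == (src, dst, bt)), None)

    def run(self, line: str) -> None:
        """Interpret one bpsecrc line: one command per line, '#' is a comment."""
        line = line.strip()
        if not line or line.startswith("#") or line in ("?", "h", "v"):
            return
        tok = shlex.split(line)  # shlex turns a quoted '' into an empty token
        cmd = tok[0]
        if cmd == "e":
            self.echo = tok[1] == "1"
        elif cmd == "x":
            self._clear(*(tok[1:] + ["~"] * (4 - len(tok))))
        elif cmd == "l":
            self.output.extend(str(r) for r in self.tables[tok[1]])
        elif cmd in ("a", "c", "d", "i"):
            kind, src, dst, bt = tok[1], tok[2], tok[3], int(tok[4])
            have = self._exact(kind, src, dst, bt)
            if cmd == "a":
                if have is not None:
                    raise ValueError(f"rule already exists: {line}")
                cs, key = ("", "") if tok[5] == "" else (tok[5], tok[6])
                self.tables[kind].append(Rule(src, dst, bt, cs, key))
            elif have is None:
                raise ValueError(f"no such rule: {line}")
            elif cmd == "c":
                have.ciphersuite, have.key_name = ("", "") if tok[5] == "" else (tok[5], tok[6])
            elif cmd == "d":
                self.tables[kind].remove(have)
            else:  # i
                self.output.append(f"{have.ciphersuite!r} {have.key_name!r}")
        else:
            raise ValueError(f"unknown command: {line}")

    def _clear(self, src: str, dst: str, blk: str) -> None:
        for kind in {"bib": ["bspbibrule"], "bcb": ["bspbcbrule"]}.get(blk, list(self.tables)):
            self.tables[kind] = [r for r in self.tables[kind] if not (
                (src == "~" or r.src == src) and (dst == "~" or r.dst == dst))]

    def rule_for(self, kind: str, src_eid: str, dst_eid: str, bt: int) -> Optional[Rule]:
        """First rule (insertion order, an assumption) matching a bundle's EIDs."""
        return next((r for r in self.tables[kind] if r.block_type == bt
                     and eid_matches(src_eid, r.src) and eid_matches(dst_eid, r.dst)), None)


def load(text: str) -> PolicyDb:
    db = PolicyDb()
    for line in text.splitlines():
        db.run(line)
    return db


def bib_verdict(db: PolicyDb, src_eid: str, dst_eid: str, bt: int, bib: Optional[tuple]) -> str:
    """Apply BIB policy to one block; `bib` is the (ciphersuite, key value) the
    bundle's BIB was computed with, or None when the bundle carries no BIB."""
    rule = db.rule_for("bspbibrule", src_eid, dst_eid, bt)
    if rule is None:
        return "no-rule"   # the page does not say what ION does in this case
    if rule.ciphersuite == "":
        return "valid"     # validation disabled: accepted even without a BIB
    return "valid" if bib == (rule.ciphersuite, KEYS.get(rule.key_name)) else "invalid"


SAMPLE_BPSECRC = """\
# constructed policy file; ciphersuite names are placeholders
e 1
a bspbibrule ipn:1.99 ipn:2.0 1 ''
a bspbibrule ipn:1.* ipn:2.0 1 BIB-HMAC-SHA256 bib_key
a bspbcbrule ipn:1.* ipn:2.0 1 BCB-AES128 bcb_key
"""

if __name__ == "__main__":
    db = load(SAMPLE_BPSECRC)
    print(bib_verdict(db, "ipn:1.5", "ipn:2.0", 1, None))    # invalid: BIB required, none present
    print(bib_verdict(db, "ipn:1.99", "ipn:2.0", 1, None))   # valid: '' rule disables validation
    print(bib_verdict(db, "ipn:10.5", "ipn:2.0", 1, None))   # no-rule: 'ipn:1.*' is not 'ipn:1*'
```

Two points the model makes concrete: a '' rule is an explicit acceptance of unverified blocks from everything the expression matches, so it belongs on the narrowest expression you can write; and 'ipn:1.*' matches only node 1's endpoints, whereas 'ipn:1*' would also match ipn:10, ipn:11 and so on. Whether ION prefers a narrower expression over an earlier broader one when both match is not stated on this page, so overlapping rules should be avoided rather than relied on.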

SEE ALSO

bpsecadmin(1)