1. The term "hop-by-hop" is ambiguous in a BP overlay, as nodes that are adjacent in the overlay may not be adjacent in physical connectivity. This condition is difficult or impossible to detect; therefore, hop-by-hop authentication is difficult or impossible to enforce.
2. Hop-by-hop authentication cannot be deployed in a network if adjacent nodes in the network have incompatible security capabilities.

• "[Delay-Tolerant Networking Architecture]" [RFC 4838] defines the architecture for DTN and identifies certain security assumptions made by existing Internet protocols that are not valid in DTN.
• "[Bundle Protocol Version 7]" [RFC 9171] defines the format and processing of bundles, the extension block format used to represent BPSec security blocks, and the canonical block structure used by this specification.
• "[Concise Binary Object Representation (CBOR)]" [RFC 8949] defines a data format that allows for small code size, fairly small message size, and extensibility without version negotiation. The block-type-specific data associated with BPSec security blocks is encoded in this data format.
• "[Bundle Security Protocol Specification]" [RFC 6257] introduces the concept of using BP extension blocks for security services in DTN. BPSec is a continuation and refinement of this document.

Bundle Destination:

the Bundle Protocol Agent (BPA) that receives a bundle and delivers the payload of the bundle to an Application Agent. Also, an endpoint comprising the node(s) at which the bundle is to be delivered. The bundle destination acts as the security acceptor for every security target in every security block in every bundle it receives.

Bundle Source:

the BPA that originates a bundle. Also, any node ID of the node of which the BPA is a component.

Cipher Suite:

a set of one or more algorithms providing integrity and/or confidentiality services. Cipher suites may define user parameters (e.g., secret keys to use), but they do not provide values for those parameters.

Forwarder:

any BPA that transmits a bundle in DTN. Also, any node ID of the node of which the BPA that sent the bundle on its most recent hop is a component.

Intermediate Receiver, Waypoint, or Next Hop:

any BPA that receives a bundle from a forwarder that is not the bundle destination. Also, any node ID of the node of which the BPA is a component.

Path:

the ordered sequence of nodes through which a bundle passes on its way from source to destination. The path is not necessarily known in advance by the bundle or any BPAs in DTN.

Security Acceptor:

a BPA that processes and dispositions one or more security blocks in a bundle. Security acceptors act as the endpoint of a security service represented in a security block. They remove the security blocks they act upon as part of processing and disposition. Also, any node ID of the node of which the BPA is a component.

Security Block:

a BPSec extension block in a bundle.

Security Context:

the set of assumptions, algorithms, configurations, and policies used to implement security services.

Security Operation:

the application of a given security service to a security target, notated as OP(security service, security target). For example, OP(bcb-confidentiality, payload). Every security operation in a bundle MUST be unique, meaning that a given security service can only be applied to a security target once in a bundle. A security operation is implemented by a security block.

Security Service:

a process that gives some protection to a security target. For example, this specification defines security services for plaintext integrity (bib-integrity) and authenticated plaintext confidentiality with additional authenticated data (bcb-confidentiality).

Security Source:

a BPA that adds a security block to a bundle. Also, any node ID of the node of which the BPA is a component.

Security Target:

the block within a bundle that receives a security service as part of a security operation.

Security Verifier:

a BPA that verifies the data integrity of one or more security blocks in a bundle. Unlike security acceptors, security verifiers do not act as the endpoint of a security service, and they do not remove verified security blocks. Also, any node ID of the node of which the BPA is a component.

• The BIB is used to ensure the integrity of its plaintext security target(s). The integrity information in the BIB MAY be verified by any node along the bundle path from the BIB security source to the bundle destination. Waypoints add or remove BIBs from bundles in accordance with their security policy. BIBs are never used for integrity protection of the ciphertext provided by a BCB. Because security policy at BPSec nodes may differ regarding integrity verification, BIBs do not guarantee hop-by-hop authentication, as discussed in Section 1.1.
• The BCB indicates that the security target or targets have been encrypted at the BCB security source in order to protect their content while in transit. As a matter of security policy, the BCB is decrypted by security acceptor nodes in the network, up to and including the bundle destination. BCBs additionally provide integrity-protection mechanisms for the ciphertext they generate.

Signing the payload twice:

The two operations OP(bib-integrity, payload) and OP(bib-integrity, payload) are redundant and MUST NOT both be present in the same bundle at the same time.

Signing different blocks:

The two operations OP(bib-integrity, payload) and OP(bib-integrity, extension_block_1) are not redundant and both may be present in the same bundle at the same time. Similarly, the two operations OP(bib-integrity, extension_block_1) and OP(bib-integrity, extension_block_2) are also not redundant and may both be present in the bundle at the same time.

Different services on same block:

The two operations OP(bib-integrity, payload) and OP(bcb-confidentiality, payload) are not inherently redundant and may both be present in the bundle at the same time, pursuant to other processing rules in this specification.

Different services from different block types:

The notation OP(service, target) refers specifically to a security block, as the security block is the embodiment of a security service applied to a security target in a bundle. Were some Other Security Block (OSB) to be defined providing an integrity service, then the operations OP(bib-integrity, target) and OP(osb-integrity, target) MAY both be present in the same bundle if so allowed by the definition of the OSB, as discussed in Section 10.

• A security block may be removed from a bundle as part of security processing at a waypoint node with a new security block being added to the bundle by that node. In this case, conflicting security blocks never coexist in the bundle at the same time and the uniqueness requirement is not violated.
• A ciphertext integrity-protection mechanism (such as associated authenticated data) calculated by a cipher suite and transported in a BCB is considered part of the confidentiality service; therefore, it is unique from the plaintext integrity service provided by a BIB.
• The security blocks defined in this specification (BIB and BCB) are designed with the intention that the BPA adding these blocks is the authoritative source of the security service. If a BPA adds a BIB on a security target, then the BIB is expected to be the authoritative source of integrity for that security target. If a BPA adds a BCB to a security target, then the BCB is expected to be the authoritative source of confidentiality for that security target. More complex scenarios, such as having multiple nodes in a network sign the same security target, can be accommodated using the definition of custom security contexts (see Section 9) and/or the definition of OSBs (see Section 10).

• The security operations apply the same security service. For example, they are all integrity operations or all confidentiality operations.
• The security context parameters for the security operations are identical.
• The security source for the security operations is the same, meaning the set of operations are being added by the same node.
• No security operations have the same security target, as that would violate the need for security operations to be unique.
• None of the security operations conflict with security operations already present in the bundle.

• block type code
• block number
• block processing control flags
• cyclic redundancy check (CRC) type
• block-type-specific data
• CRC field (if present)

Security Targets:

This field identifies the block(s) targeted by the security operation(s) represented by this security block. Each target block is represented by its unique block number. This field SHALL be represented by a Concise Binary Object Representation (CBOR) array of data items. Each target within this CBOR array SHALL be represented by a CBOR unsigned integer. This array MUST have at least one entry and each entry MUST represent the block number of a block that exists in the bundle. There MUST NOT be duplicate entries in this array. The order of elements in this list has no semantic meaning outside of the context of this block. Within the block, the ordering of targets must match the ordering of results associated with these targets.

Security Context Id:

This field identifies the security context used to implement the security service represented by this block and applied to each security target. This field SHALL be represented by a CBOR unsigned integer. The values for this Id should come from the registry defined in Section 11.3.

Security Context Flags:

This field identifies which optional fields are present in the security block. This field SHALL be represented as a CBOR unsigned integer whose contents shall be interpreted as a bit field. Each bit in this bit field indicates the presence (bit set to 1) or absence (bit set to 0) of optional data in the security block. The association of bits to security block data is defined as follows.

Bit 0

(the least-significant bit, 0x01): "Security context parameters present" flag.

Bit >0

Reserved

Implementations MUST set reserved bits to 0 when writing this field and MUST ignore the values of reserved bits when reading this field. For unreserved bits, a value of 1 indicates that the associated security block field MUST be included in the security block. A value of 0 indicates that the associated security block field MUST NOT be in the security block.

Security Source:

This field identifies the BPA that inserted the security block in the bundle. Also, any node ID of the node of which the BPA is a component. This field SHALL be represented by a CBOR array in accordance with the rules in [RFC 9171] for representing endpoint IDs (EIDs).

Security Context Parameters (Optional):

This field captures one or more security context parameters that should be used when processing the security service described by this security block. This field SHALL be represented by a CBOR array. Each entry in this array is a single security context parameter. A single parameter SHALL also be represented as a CBOR array comprising a 2-tuple of the Id and value of the parameter, as follows.

Parameter Id:

This field identifies which parameter is being specified. This field SHALL be represented as a CBOR unsigned integer. Parameter Ids are selected as described in Section 3.10.

Parameter Value:

This field captures the value associated with this parameter. This field SHALL be represented by the applicable CBOR representation of the parameter, in accordance with Section 3.10.

The logical layout of the parameters array is illustrated in Figure 1.

+----------------+----------------+     +----------------+
|  Parameter 1   |  Parameter 2   | ... |  Parameter N   |
+------+---------+------+---------+     +------+---------+
|  Id  |  Value  |  Id  |  Value  |     |  Id  |  Value  |
+------+---------+------+---------+     +------+---------+

Figure 1: Security Context Parameters

Security Results:

This field captures the results of applying a security service to the security targets of the security block. This field SHALL be represented as a CBOR array of target results. Each entry in this array represents the set of security results for a specific security target. The target results MUST be ordered identically to the Security Targets field of the security block. This means that the first set of target results in this array corresponds to the first entry in the Security Targets field of the security block, and so on. There MUST be one entry in this array for each entry in the Security Targets field of the security block.

The set of security results for a target is also represented as a CBOR array of individual results. An individual result is represented as a CBOR array comprising a 2-tuple of a result Id and a result value, defined as follows.

Result Id:

This field identifies which security result is being specified. Some security results capture the primary output of a cipher suite. Other security results contain additional annotative information from cipher suite processing. This field SHALL be represented as a CBOR unsigned integer. Security result Ids will be as specified in Section 3.10.

Result Value:

This field captures the value associated with the result. This field SHALL be represented by the applicable CBOR representation of the result value, in accordance with Section 3.10.

The logical layout of the security results array is illustrated in Figure 2. In this figure, there are N security targets for this security block. The first security target contains M results and the Nth security target contains K results.

+--------------------------+     +---------------------------+
|          Target 1        |     |         Target N          |
+----------+----+----------+     +---------------------------+
| Result 1 |    | Result M | ... | Result 1 |    |  Result K |
+----+-----+ .. +----+-----+     +---+------+ .. +----+------+
| Id |Value|    | Id |Value|     | Id |Value|    | Id | Value|
+----+-----+    +----+-----+     +----+-----+    +----+------+

Figure 2: Security Results

• The block type code value is as specified in Section 11.1.
• The block-type-specific data field follows the structure of the ASB.
• A security target listed in the Security Targets field MUST NOT reference a security block defined in this specification (e.g., a BIB or a BCB).
• The security context MUST utilize an authentication mechanism or an error detection mechanism.

• Designers SHOULD carefully consider the effect of setting flags that either discard the block or delete the bundle in the event that this block cannot be processed.
• Since OP(bib-integrity, target) is allowed only once in a bundle per target, it is RECOMMENDED that users wishing to support multiple integrity-protection mechanisms for the same target define a multi-result security context. Such a context could generate multiple security results for the same security target using different integrity-protection mechanisms or different configurations for the same integrity-protection mechanism.
• A BIB is used to verify the plaintext integrity of its security target. However, a single BIB MAY include security results for blocks other than its security target when doing so establishes a needed relationship between the BIB security target and other blocks in the bundle (such as the primary block).
• Security information MAY be checked at any hop on the way to the bundle destination that has access to the required keying information, in accordance with Section 3.9.

• The block type code value is as specified in Section 11.1.
• The block processing control flags value can be set to whatever values are required by local policy with the following exceptions:
  • BCBs MUST have the "Block must be replicated in every fragment" flag set if one of the targets is the payload block. Having that BCB in each fragment indicates to a receiving node that the payload portion of each fragment represents ciphertext.
  • BCBs MUST NOT have the "Block must be removed from bundle if it can't be processed" flag set. Removing a BCB from a bundle without decrypting its security targets removes information from the bundle necessary for their later decryption.
• The block-type-specific data fields follow the structure of the ASB.
• A security target listed in the Security Targets field can reference the payload block, a non-security extension block, or a BIB. A BCB MUST NOT include another BCB as a security target. A BCB MUST NOT target the primary block. A BCB MUST NOT target a BIB unless it shares a security target with that BIB.
• Any security context used by a BCB MUST utilize a confidentiality cipher that provides authenticated encryption with associated data (AEAD).
• Additional information created by a cipher suite (such as an authentication tag) can be placed either in a security result field or in the generated ciphertext. The determination of where to place this information is a function of the cipher suite and security context used.

• It is RECOMMENDED that designers carefully consider the effect of setting flags that delete the bundle in the event that this block cannot be processed.
• The BCB block processing control flags can be set independently from the processing control flags of the security target(s). The setting of such flags should be an implementation/policy decision for the encrypting node.

• When adding a BCB to a bundle, if some (or all) of the security targets of the BCB match all of the security targets of an existing BIB, then the existing BIB MUST also be encrypted. This can be accomplished either by adding a new BCB that targets the existing BIB or by adding the BIB to the list of security targets for the BCB. Deciding which way to represent this situation is a matter of security policy.
• When adding a BCB to a bundle, if some (or all) of the security targets of the BCB match some (but not all) of the security targets of a BIB, then that BIB MUST be altered in the following way. Any security results in the BIB associated with the BCB security targets MUST be removed from the BIB and placed in a new BIB. This newly created BIB MUST then be encrypted. The encryption of the new BIB can be accomplished either by adding a new BCB that targets the new BIB or by adding the new BIB to the list of security targets for the BCB. Deciding which way to represent this situation is a matter of security policy.
• A BIB MUST NOT be added for a security target that is already the security target of a BCB as this would cause ambiguity in block processing order.
• A BIB integrity value MUST NOT be checked if the BIB is the security target of an existing BCB. In this case, the BIB data is encrypted.
• A BIB integrity value MUST NOT be checked if the security target associated with that value is also the security target of a BCB. In such a case, the security target data contains ciphertext as it has been encrypted.
• As mentioned in Section 3.7, a BIB MUST NOT have a BCB as its security target.

              Block in Bundle                ID
+==========================================+====+
|              Primary Block               | B1 |
+------------------------------------------+----+
|                    BIB                   | B2 |
|   OP(bib-integrity, targets = B1, B5, B6)|    |
+------------------------------------------+----+
|                    BCB                   | B3 |
|    OP(bcb-confidentiality, target = B4)  |    |
+------------------------------------------+----+
|       Extension Block (encrypted)        | B4 |
+------------------------------------------+----+
|              Extension Block             | B5 |
+------------------------------------------+----+
|               Payload Block              | B6 |
+------------------------------------------+----+

• An integrity signature applied to the canonical form of the primary block (B1), the canonical form of the block-type-specific data field of the second extension block (B5), and the canonical form of the payload block (B6). This is accomplished by a single BIB (B2) with multiple targets. A single BIB is used in this case because all three targets share a security source, security context, and security context parameters. Had this not been the case, multiple BIBs could have been added instead.
• Confidentiality for the first extension block (B4). This is accomplished by a BCB (B3). Once applied, the block-type-specific data field of extension block B4 is encrypted. The BCB MUST hold an authentication tag for the ciphertext either in the ciphertext that now populates the first extension block or as a security result in the BCB itself, depending on which security context is used to form the BCB. A plaintext integrity signature may also exist as a security result in the BCB if one is provided by the selected confidentiality security context.

              Block in Bundle                ID
+==========================================+====+
|              Primary Block               | B1 |
+------------------------------------------+----+
|                    BIB                   | B2 |
|      OP(bib-integrity, target = B1)      |    |
+------------------------------------------+----+
|                    BIB (encrypted)       | B7 |
|      OP(bib-integrity, targets = B5, B6) |    |
+------------------------------------------+----+
|                    BCB                   | B8 |
|OP(bcb-confidentiality,targets = B5,B6,B7)|    |
+------------------------------------------+----+
|                    BCB                   | B3 |
|    OP(bcb-confidentiality, target = B4)  |    |
+------------------------------------------+----+
|       Extension Block (encrypted)        | B4 |
+------------------------------------------+----+
|       Extension Block (encrypted)        | B5 |
+------------------------------------------+----+
|         Payload Block (encrypted)        | B6 |
+------------------------------------------+----+

• Since the waypoint node wishes to encrypt the block-type-specific data field of blocks B5 and B6, it MUST also encrypt the block-type-specific data field of the BIBs providing plaintext integrity over those blocks. However, BIB B2 could not be encrypted in its entirety because it also held a signature for the primary block (B1). Therefore, a new BIB (B7) is created and security results associated with B5 and B6 are moved out of BIB B2 and into BIB B7.
• Now that there is no longer confusion about which plaintext integrity signatures must be encrypted, a BCB is added to the bundle with the security targets being the second extension block (B5) and the payload (B6) as well as the newly created BIB holding their plaintext integrity signatures (B7). A single new BCB is used in this case because all three targets share a security source, security context, and security context parameters. Had this not been the case, multiple BCBs could have been added instead.

• CBOR values from the primary block MUST be canonicalized using the rules for Deterministically Encoded CBOR, as specified in [RFC 8949].

• CBOR values from the non-primary block MUST be canonicalized using the rules for Deterministically Encoded CBOR, as specified in [RFC 8949].
• Only the block-type-specific data field may be provided to a cipher suite for encryption as part of a confidentiality security service. Other fields within a non-primary block MUST NOT be encrypted or decrypted and MUST NOT be included in the canonical form used by the cipher suite for encryption and decryption. An integrity-protection mechanism MAY be applied to these other fields as supported by the security context. For example, these fields might be treated as associated authenticated data.
• Reserved and unassigned flags in the block processing control flags field MUST be set to 0 in a canonical form as it is not known if those flags will change in transit.

• When BIBs and BCBs share a security target, BCBs MUST be evaluated first and BIBs second.

• If a bundle is received that contains combinations of security operations that are disallowed by this specification, the BPA must determine how to handle the bundle: the bundle may be discarded, the block affected by the security operation may be discarded, or one security operation may be favored over another.
• BPAs in the network must understand what security operations they should apply to bundles. This decision may be based on the source of the bundle, the destination of the bundle, or some other information related to the bundle.
• If a waypoint has been configured to add a security operation to a bundle, and the received bundle already has the security operation applied, then the receiver must understand what to do. The receiver may discard the bundle, discard the security target and associated BPSec blocks, replace the security operation, or take some other action.
• It is RECOMMENDED that security operations be applied to every block in a bundle and that the default behavior of a BPA be to use the security services defined in this specification. Designers should only deviate from the use of security operations when the deviation can be justified -- such as when doing so causes downstream errors when processing blocks whose contents must be inspected or changed at one or more hops along the path.
• BCB security contexts can alter the size of extension blocks and the payload block. Security policy SHOULD consider how changes to the size of a block could negatively effect bundle processing (e.g., calculating storage needs and scheduling transmission times).
• Adding a BIB to a security target that has already been encrypted by a BCB is not allowed. If this condition is likely to be encountered, there are (at least) three possible policies that could handle this situation.
  1. At the time of encryption, a security context can be selected that computes a plaintext integrity-protection mechanism that is included as a security context result field.
  2. The encrypted block may be replicated as a new block with a new block number and may be given integrity protection.
  3. An encapsulation scheme may be applied to encapsulate the security target (or the entire bundle) such that the encapsulating structure is, itself, no longer the security target of a BCB and may therefore be the security target of a BIB.
• Security policy SHOULD address whether cipher suites whose ciphertext is larger than the initial plaintext are permitted and, if so, for what types of blocks. Changing the size of a block may cause processing difficulties for networks that calculate block offsets into bundles or predict transmission times or storage availability as a function of bundle size. In other cases, changing the size of a payload as part of encryption has no significant impact.

• When the report-to address is verified as unchanged from the bundle source. This can occur by placing an appropriate BIB on the bundle primary block.
• When the block containing a status report with a security reason code is encrypted by a BCB.
• When a status report containing a security reason code is only sent for security issues relating to bundles and/or blocks associated with non-operational user data or test data.
• When a status report containing a security reason code is only sent for security issues associated with non-operational security contexts, or security contexts using non-operational configurations, such as test keys.

Missing security operation:

This reason code indicates that a bundle was missing one or more required security operations. This reason code is typically used by a security verifier or security acceptor.

Unknown security operation:

This reason code indicates that one or more security operations present in a bundle cannot be understood by the security verifier or security acceptor for the operation. For example, this reason code may be used if a security block references an unknown security context identifier or security context parameter. This reason code should not be used for security operations for which the node is not a security verifier or security acceptor; there is no requirement that all nodes in a network understand all security contexts, security context parameters, and security services for every bundle in a network.

Unexpected security operation:

This reason code indicates that a receiving node is neither a security verifier nor a security acceptor for at least one security operation in a bundle. This reason code should not be seen as an error condition: not every node is a security verifier or security acceptor for every security operation in every bundle. In certain networks, this reason code may be useful in identifying misconfigurations of security policy.

Failed security operation:

This reason code indicates that one or more security operations in a bundle failed to process as expected for reasons other than misconfiguration. This may occur when a security-source is unable to add a security block to a bundle. This may occur if the target of a security operation fails to verify using the defined security context at a security verifier. This may also occur if a security operation fails to be processed without error at a security acceptor.

Conflicting security operation:

This reason code indicates that two or more security operations in a bundle are not conformant with the BPSec specification and that security processing was unable to proceed because of a BPSec protocol violation.

Unprivileged Node:

Olive has not been provisioned within the secure environment and only has access to cryptographic material that has been publicly shared.

Legitimate Node:

Olive is within the secure environment; therefore, Olive has access to cryptographic material that has been provisioned to Olive (i.e., K_M) as well as material that has been publicly shared.

Privileged Node:

Olive is a privileged node within the secure environment; therefore, Olive has access to cryptographic material that has been provisioned to Olive, Alice, and/or Bob (i.e., K_M, K_A, and/or K_B) as well as material that has been publicly shared.

Data Lifetime:

Depending on the application environment, bundles may persist on the network for extended periods of time, perhaps even years. Cryptographic algorithms should be selected to ensure protection of data against attacks for a length of time reasonable for the application.

One-Way Traffic:

Depending on the application environment, it is possible that only a one-way connection may exist between two endpoints, or if a two-way connection does exist, the round-trip time may be extremely large. This may limit the utility of session key generation mechanisms, such as Diffie-Hellman, as a two-way handshake may not be feasible or reliable.

Opportunistic Access:

Depending on the application environment, a given endpoint may not be guaranteed to be accessible within a certain amount of time. This may make asymmetric cryptographic architectures that rely on a key distribution center or other trust center impractical under certain conditions.

Security Context Parameters:

Security contexts MUST define their parameter Ids, the data types of those parameters, and their CBOR encoding.

Security Results:

Security contexts MUST define their security result Ids, the data types of those results, and their CBOR encoding.

New Canonicalizations:

Security contexts may define new canonicalization algorithms as necessary.

Ciphertext Size:

Security contexts MUST state whether their associated cipher suites generate ciphertext (to include any authentication information) that is of a different size than the input plaintext.

If a security context does not wish to alter the size of the plaintext, it should place overflow bytes and authentication tags in security result fields.

Block Header Information:

Security contexts SHOULD include block header information that is considered to be immutable for the block. This information MAY include the block type code, block number, CRC type, and CRC field (if present or if missing and unlikely to be added later), and possibly certain block processing control flags. Designers should input these fields as additional data for integrity protection when these fields are expected to remain unchanged over the path the block will take from the security source to the security acceptor. Security contexts considering block header information MUST describe expected behavior when these fields fail their integrity verification.

Handling CRC Fields:

Security contexts may include algorithms that alter the contexts of their security target block, such as the case when encrypting the block-type-specific data of a target block as part of a BCB confidentiality service. Security context specifications SHOULD address how preexisting CRC type and CRC value fields be handled. For example, a BCB security context could remove the plaintext CRC value from its target upon encryption and replace or recalculate the value upon decryption.

• OSBs MUST NOT reuse any enumerations identified in this specification, to include the block type codes for BIB and BCB.
• An OSB definition MUST state whether it can be the target of a BIB or a BCB. The definition MUST also state whether the OSB can target a BIB or a BCB.
• An OSB definition MUST provide a deterministic processing order in the event that a bundle is received containing BIBs, BCBs, and OSBs. This processing order MUST NOT alter the BIB and BCB processing orders identified in this specification.
• An OSB definition MUST provide a canonicalization algorithm if the default algorithm for non-primary-block canonicalization cannot be used to generate a deterministic input for a cipher suite. This requirement can be waived if the OSB is defined so as to never be the security target of a BIB or a BCB.
• An OSB definition MUST NOT require any behavior of a BPSec BPA that is in conflict with the behavior identified in this specification. In particular, the security processing requirements imposed by this specification must be consistent across all BPSec BPAs in a network.
• The behavior of an OSB when dealing with fragmentation must be specified and MUST NOT lead to ambiguous processing states. In particular, an OSB definition should address how to receive and process an OSB in a bundle fragment that may or may not also contain its security target. An OSB definition should also address whether an OSB may be added to a bundle marked as a fragment.

[RFC2119]

S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.

[RFC3552]

E. Rescorla, and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003,
<https://www.rfc-editor.org/info/rfc3552>.

[RFC6255]

M. Blanchet, "Delay-Tolerant Networking Bundle Protocol IANA Registries", RFC 6255, DOI 10.17487/RFC6255, May 2011,
<https://www.rfc-editor.org/info/rfc6255>.

[RFC8174]

B. Leiba, "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017,
<https://www.rfc-editor.org/info/rfc8174>.

[RFC8949]

C. Bormann, and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, December 2020,
<https://www.rfc-editor.org/info/rfc8949>.

[RFC9171]

S Burleigh, K Fall, and E Birrane, III, "Bundle Protocol Version 7", RFC 9171, DOI 10.17487/RFC9171, January 2022,
<https://www.rfc-editor.org/info/rfc9171>.

[RFC9173]

E Birrane, III, A. White, and S. Heiner, "Default Security Contexts for Bundle Protocol Security (BPSec)", RFC 9173, DOI 10.17487/RFC9173, January 2022,
<https://www.rfc-editor.org/info/rfc9173>.

[RFC4838]

V. Cerf, S. Burleigh, A. Hooke, L. Torgerson, R. Durst, K. Scott, K. Fall, and H. Weiss, "Delay-Tolerant Networking Architecture", RFC 4838, DOI 10.17487/RFC4838, April 2007,
<https://www.rfc-editor.org/info/rfc4838>.

[RFC6257]

S. Symington, S. Farrell, H. Weiss, and P. Lovell, "Bundle Security Protocol Specification", RFC 6257, DOI 10.17487/RFC6257, May 2011,
<https://www.rfc-editor.org/info/rfc6257>.

[RFC8126]

M. Cotton, B. Leiba, and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.

Edward J. Birrane, III

Kenneth McKeever