12 Security Policy Overview

The potentially challenged nature of BPv7 networks places unique constraints on the establishment and upkeep of security configuration and policy information. Importantly, policy expressions cannot always be negotiated in real time between secure endpoints, as there might not exist connectivity between those endpoints.

BPSec, in particular, requires an expressive security policy to handle the processing of security operations in a bundle. This policy is made more complex by the fact that security operations can be applied block-by-block and not bundle-by-bundle, that these operations can use different security contexts, and that Bundle Protocol Agents (BPAs) have multiple roles as sources, verifiers, and acceptors.

This chapter outlines a policy model that can be used as a basis for developing security policy expressions and software implementations for BPv7 networks. This includes a discussion of the ways in which policy can be communicated in a network and of the common events and actions that should be considered.

After reading this chapter you will be able to:

12.1 Overview

The diversity of BPv7 network constraints, ...
