[Hipsec] Benjamin Kaduk's No Objection on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Wed, 09 May 2018 15:02 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: hipsec@ietf.org
Delivered-To: hipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AC711242F5; Wed, 9 May 2018 08:02:41 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk <kaduk@mit.edu>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-hip-native-nat-traversal@ietf.org, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, hip-chairs@ietf.org, gonzalo.camarillo@ericsson.com, hipsec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.80.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152587816145.3957.17385929656409014655.idtracker@ietfa.amsl.com>
Date: Wed, 09 May 2018 08:02:41 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/0B0vcQKqn-iB3Vakc4M6O9_y13A>
Subject: [Hipsec] Benjamin Kaduk's No Objection on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2018 15:02:41 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-hip-native-nat-traversal-28: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- This document does a poor job at convincing me that there is a need to re-specify ICE for use in HIP contexts as opposed to just using ICE directly, up until Appendix B. I'd suggest moving some of the key points into at least the Introduction and arguably the Abstract as well, to make it clear that this is not just needless duplication for ideological purity. I think there's some lingering terminology confusion (as a result of needing to align the new bits in Native HIP-ICE with those retained from RFC 5077, along with the move from 5245 to 5245bis. Specifically, while it's fine for this document to refer to "ICE offer" and "ICE answer", 5245bis itself does not talk of "offer" and "answer", which are now concepts only in SDP, IIUC. Things also seem a bit hazy about server reflexive vs. server relay candidates (though maybe here the confusion is just on my end) -- in regular ICE, a server reflexive candidate is obtained by a STUN client making a one-shot request of a STUN server to find out what address is being used on the other side of a NAT, and doesn't require any state on the STUN server. But in this document we have a SERVER_REFLEXIVE_CANDIDATE_ALLOCATION_FAILED Notify/error packet that implies that state is needed on the Data Relay Server for a reflexive candidate, text about "when the relay service is split between hosts, the server reflexive candidate [from Control SHOULD be used over the one from Data]", and also other discussion about needing to register new reflexive candidates to avoid collisions or in potential multihoming future work. Some section-by-section comments follow. Section 2 Responder: The Responder is the host that receives the I1 packet from the Initiator. Does this still hold if the message is misdelivered or an attacker is in the network? Section 3 [...] At this point, also the HIP signaling can be sent over the same address/port pair, and is demultiplexed from IPsec as described in the UDP encapsulation standard for IPsec [RFC3948]. "demultiplex" does not appear anywhere in RFC 3948; it might be worth using a few more words here to clarify what is going on. Section 4.1 A Control Relay Server MUST silently drop packets to a Control Relay Client that has not previously registered with the HIP relay. How does the relay know where they are targetted without the registration information? This applies both renewals of service registration but also to host movement, where especially the latter requires the Control Relay Client to learn its new server reflexive address candidate. This is kind of awkward wording; maybe: This applies to both renewals of service registration and to host movement. It is especially important for the case of host movement, as this is the mechanism that allows the Control Relay Client to learn its new server reflexive address candidate. Section 4.2 [...] A host SHOULD employ only a single server for gathering the candidates for a single HIP association; either one server providing both Control and Data Relay Server functionality, or one Control Relay Server and also Data Relay Server if the functionality is offered by another server. The second half of this sentence seems to contradict the SHOULD, so probably some rewording is in order. [...] If a relayed candidate is identical to a host candidate, the relayed candidate must be discarded. NAT64 considerations in [I-D.ietf-ice-rfc5245bis] apply as well. I don't think this has enough detail of reference to ICE -- a relayed candidate being identical to a host candidate is, IIUC, quite unexpected. This is even noted in 5245bis, at the bottom of page 20 (of the -20). Unlike ICE, this protocol only creates a single UDP flow between the two communicating hosts, so only a single component exists. Hence, the component ID value MUST always be set to 1. ICE or SDP? Section 4.5 In step 2, the Control Relay Server receives the I1 packet. If the destination HIT belongs to a registered Responder, the Control Relay Server processes the packet. Do HIP participants register specifically as Responder/Initiator, or is this just that the entity that is Responder in this exchange, has registered at the Control Relay Server? [...] The RELAY_TO parameter is not integrity protected by the signature of the R1 to allow pre-created R1 packets at the Responder. This seems to allow an attacker to replay R1 packets and have the Relay transmit them to the Initiator. Are there cases where this presents an increase in attacker capabilities (e.g., when the Relay is allowed to send to the Initiator but the attacker is not)? (When would such pre-created R1 packets be useful?) Should step 7 explicitly duplicate the "validate REPLAY_HMAC" part of step 3? Section 4.6 The situation with the (non-)existence of aggressive nomination between 5245bis and MMUSIC-ICE probably merits further investigation. (That is, it may not be necessary to mention explicitly that regular nomination is used.) The Initiator MUST take the role of controlling host and the Responder acts as the controlled host. The roles MUST persist throughout the HIP associate lifetime (to be reused in the possibly mobility UPDATE procedures). In the case both communicating nodes are initiating the communications to each other using an I1 packet, the conflict is resolved as defined in section 6.7 in [RFC7401]: the host with the "larger" HIT changes to its Role to Responder. In such a case, the host changing its role to Responder MUST also switch to controlling role. The last clause seems to not match the earlier text about the Initiator being the controlling role. Section 4.6.1 In step 2, the Initiator sends a connectivity check, using the same address pair candidate as in the previous step, and the message traverses successfully the NAT boxes. The message includes the same parameters as in the previous step. It should be noted that the sequence identifier is locally assigned by the Responder, so it can be different than in the previous step. Step 2 is from Initiator to Responder, and the message in step 1 got dropped, so I'm quite confused at how the sequence identifier in step 2 could be assigned by the Responder as opposed to the Initiator. Step 4 could say whether the sequence number from step 1 is reused or a new one is allocated for the retransmission (even though it is clarified later as "SHOULD be sent with the same sequence identifier"). Section 4.7.2 [...] However, the Responder SHOULD NOT send any ESP to the Initiator's address before it has received data from the Initiator, as specified in Sections 4.4.3. and 6.9 of [RFC7401] and in Sections 3.2.9 and 5.4 of [RFC8046]. I don't see a Section 3.2.9 in RFC 8046. Since an I2 packet with UDP-ENCAPSULATION NAT traversal mode selected MUST NOT be sent via a Control Relay Server, the Responder SHOULD reject such I2 packets and reply with a NO_VALID_NAT_TRAVERSAL_MODE_PARAMETER NOTIFY packet (see Section 5.10). How does this mesh with a few paragraphs back, when the Responder MUST include the address it got by registering at a Control Relay Server in its R1 (only when it is including UDP-ENCAPSULATION NAT as one of its supported modes)? Section 4.7.3 [...] The Initiator may receive multiple R1 packets, with and without UDP encapsulation, from the Responder. However, after receiving a valid R1 and answering it with an I2, further R1 packets that are not retransmissions of the original R1 message MUST be ignored. We just said there may be multiple, so which one is "the" original R1 message? Should Section 4.8 repeat the earlier admonitions against a Relay Server forwarding traffic that does not involve a Client that has egistered with that Relay Server? Section 4.9 The relay still has to apply RELAY_HMAC; that's just not currently shown in the diagram, right? Section 5.6 The format of the REG_FROM, RELAY_FROM, and RELAY_TO parameters is shown in Figure 10. All parameters are identical except for the type. REG_FROM is the only parameter covered with the signature. I suggest "Of the three, only REG_FROM is covered by the signature." Section 6.1 The RFC 5770 text talks about TURN servers, but that's no longer applicable in this document (instead, Data Relay Servers are used to relay data in a similar usage). Also, the protection against DoS described in the last paragraph seems to only be partial protection, since incoming connections can still be affected by DoS, but outgoing ones are still possible. Section 6.2 This is the first mention of Opportunistic Mode at all in the document; it might be nice to refer to the section of 7401 where it's documented. Section 6.6 Is the invalid list of candidates sent *for* its peer or *to* its peer? Appendix B o Unlike in ICE, the addresses are not XOR-ed in Native ICE-HIP protocol in order to avoid middlebox tampering. This reads a bit oddly. Just to check: we don't need to do the XORing in Native ICE-HIP because the addresses are covered by an HMAC and the "tampering" wouldn't work? If so I'd suggest: o In ICE, addresses being conveyed across a NAT are XOR-ed to prevent middlebox tampering. Native ICE-HIP does not need to use XOR because such tampering is prevented at the HIP layer.
- [Hipsec] Benjamin Kaduk's No Objection on draft-i… Benjamin Kaduk
- Re: [Hipsec] Benjamin Kaduk's No Objection on dra… Miika Komu
- Re: [Hipsec] Benjamin Kaduk's No Objection on dra… Benjamin Kaduk
- Re: [Hipsec] Benjamin Kaduk's No Objection on dra… Miika Komu