Re: [Hipsec] clarification on HIT Suite IDs
Julien Laganier <julien.ietf@gmail.com> Thu, 25 September 2014 14:47 UTC
From: Julien Laganier <julien.ietf@gmail.com>
To: Rene Hummen <Rene.Hummen@comsys.rwth-aachen.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/1cx2TsFzDikf7kXeWCtH_k44_lM
Cc: HIP <hipsec@ietf.org>, Francis Dupont <fdupont@isc.org>

On Thu, Sep 25, 2014 at 6:27 AM, Rene Hummen <Rene.Hummen@comsys.rwth-aachen.de> wrote:
>
> Separating the OGA ID from the HIT suite ID certainly has its advantages regarding the small OGA ID space. However, it also has implications on HIPv2 crypto-agility. For example, how should the Initiator select the destination HIT if it receives multiple Responder HITs from DNS but only supports ECDSA?

I don't see how this (an initiator having to select a HIT out of a set of HITs generated with different OGA IDs) would be impacted by decoupling or not the OGA ID from the HIT suite ID. Irrespective of the decoupling, an initiator that receives a set of HITs for a responder has to select one for which it supports the OGA ID.

> Plus, end-hosts would have to support multiple hash functions to cater to a situation where the HIP hash function does not match the hash function indicated by the OGA ID (which admittedly only is a minor issue for Internet hosts).

This isn't a bug, it's a feature - hash agility.

> So, I propose to _not_ make any major modifications at this point.

I am not feeling strongly either way; from my perspective it is fine to worry about the need for more hash functions when the need arises, which isn't the case now.

(I was just trying to make sense of the seemingly contradictory decision to tie the burn rates of the small OGA ID space to the larger HIP suite ID space, where the HIP suite ID space is presumably made larger to increase future security, at the cost of shrinking the hash output which to me decreases security.)

Regardless, I think that the text talking about using more bits of the ORCHIDs to encode a HIP suite ID should be removed as this is not supported by the ORCHID generation scheme (and would IMHO be a bad thing to do, but that is beyond the point.)

--julien
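
The selection step discussed in this message (an initiator choosing, from several responder HITs, one whose OGA ID it supports) can be sketched as follows. This is an added example, not code from the thread or from any HIP implementation; it assumes the ORCHIDv2 layout of RFC 7343 (28-bit prefix 2001:20::/28, 4-bit OGA ID, 96-bit hash), and the HIT values, OGA ID values and preference lists are constructed for illustration.

```python
import ipaddress

# Assumed layout (RFC 7343): 28-bit prefix | 4-bit OGA ID | 96-bit hash
ORCHID_PREFIX = ipaddress.ip_network("2001:20::/28")

def oga_id(hit: str) -> int:
    """Return the 4-bit OGA ID of a HIT; ValueError if it is not an ORCHIDv2."""
    addr = ipaddress.IPv6Address(hit)  # AddressValueError is a ValueError
    if addr not in ORCHID_PREFIX:
        raise ValueError(f"{hit} is outside {ORCHID_PREFIX}")
    # Drop the 96 hash bits, keep the low nibble of the top 32 bits.
    return (int(addr) >> 96) & 0xF

def select_hit(candidates, supported_oga_ids):
    """Pick a responder HIT by local OGA ID preference.

    supported_oga_ids is ordered most-preferred first. Returns None when
    no candidate carries a supported OGA ID, so the caller fails closed
    instead of falling back to an algorithm it cannot verify.
    """
    usable = {}
    for hit in candidates:
        try:
            usable.setdefault(oga_id(hit), hit)
        except ValueError:
            continue  # malformed or non-ORCHID value from the resolver
    for oid in supported_oga_ids:
        if oid in usable:
            return usable[oid]
    return None

# Constructed resolver answer: two HITs with different OGA IDs, plus junk.
SAMPLE_HITS = [
    "2001:21:aaaa:bbbb:cccc:dddd:eeee:1",     # OGA ID 1
    "2001:22:1111:2222:3333:4444:5555:6666",  # OGA ID 2
    "2001:db8::1",                            # not an ORCHID
    "not-an-address",
]

if __name__ == "__main__":
    print(select_hit(SAMPLE_HITS, [2]))
```

The selection depends only on the OGA ID nibble, which is the point made in the reply: the initiator filters on the OGA ID whether or not that value is coupled to the HIT suite ID.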