IETF Logo Mail Archive

Re: [Hipsec] clarification on HIT Suite IDs

Julien Laganier <julien.ietf@gmail.com> Thu, 25 September 2014 14:47 UTC

Return-Path: <julien.ietf@gmail.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 732211A0137 for <hipsec@ietfa.amsl.com>; Thu, 25 Sep 2014 07:47:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iVdXSP_WJJCO for <hipsec@ietfa.amsl.com>; Thu, 25 Sep 2014 07:47:00 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 949C11A00F3 for <hipsec@ietf.org>; Thu, 25 Sep 2014 07:46:59 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id s18so12881003lam.28 for <hipsec@ietf.org>; Thu, 25 Sep 2014 07:46:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Y9qFcMMNHWW56BTERWswSq8F0PdhzFoFS7W07Vp83+k=; b=c3mcYRw2K1ODJ0pJjAdkl/6JM8pJ8EoVoDURH0DbUSDfNd+RECA47rftgbLtFb4pm2 aizzO0M0DVqYHObbYTUx2CwBPn1r2dff52UJvXbbX/TQrl0S88JO0wdF310GzMp8U9Wv fugAdSzxaIfVZtNmqRx7r27LDXGx7Q28fmgdL+Mh/uUy2vOazwko3UGesM8Td8ahBppO qB7F6282JnZt4GWrYWkzqa4U0Jm/kdqpQLJXazVYaowDDGHMlc4W4eRWg+EhWUd7LyO0 lklU5Jjd8koELoQoTCFh7igeb7srfK49SX1I1UdBkS/nXGfhIhfkLMZMadn9a4eEMKmG bqew==
MIME-Version: 1.0
X-Received: by 10.152.23.69 with SMTP id k5mr14087169laf.70.1411656417590; Thu, 25 Sep 2014 07:46:57 -0700 (PDT)
Received: by 10.25.210.4 with HTTP; Thu, 25 Sep 2014 07:46:57 -0700 (PDT)
In-Reply-To: <C29AEDB0-356C-43AD-9CF3-7564395B3CEE@comsys.rwth-aachen.de>
References: <5420863E.1060608@tomh.org> <20140922212826.5048E216C3B@bikeshed.isc.org> <54210668.4050605@tomh.org> <CAE_dhju-kOzE1PzTj_+wLfYS4_8kJhWqrxJ16sMC3W6b+sanxQ@mail.gmail.com> <5421B06F.5010301@tomh.org> <CAE_dhjs3TSrME8UPFAw6y_wTye5YvLNAuQ8_KQ4m0sSokULDDg@mail.gmail.com> <5421D003.5020701@tomh.org> <CAE_dhjsMi+1vKM0U0_veB8+FBLLgKqsxo=Vr_Q-1_4KU4AeWmw@mail.gmail.com> <C29AEDB0-356C-43AD-9CF3-7564395B3CEE@comsys.rwth-aachen.de>
Date: Thu, 25 Sep 2014 07:46:57 -0700
Message-ID: <CAE_dhjs-hYg0mAba3hMitS=LaUt2rgD7==X8_tKgcXxmdYaN8A@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: Rene Hummen <Rene.Hummen@comsys.rwth-aachen.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/1cx2TsFzDikf7kXeWCtH_k44_lM
Cc: HIP <hipsec@ietf.org>, Francis Dupont <fdupont@isc.org>
Subject: Re: [Hipsec] clarification on HIT Suite IDs
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Sep 2014 14:47:01 -0000

On Thu, Sep 25, 2014 at 6:27 AM, Rene Hummen
<Rene.Hummen@comsys.rwth-aachen.de> wrote:
>
> Separating the OGA ID from the HIT suite ID certainly has its advantages regarding the small OGA ID space. However, it also has implications on HIPv2 crypto-agility. For example, how should the Initiator select the destination HIT if it receives multiple Responder HITs from DNS but only supports ECDSA?

I don't see how this (an initiator having to select a HIT out of a set
of HITs generated with different OGA IDs) would be impacted by
decoupling or not the OGA ID from the HIT suite ID. Irrespective of
the decoupling, an initiator that receives a set of HITs for a
responder has to select one for which it supports the OGA ID.

> Plus, end-hosts would have to support multiple hash functions to cater to a situation where the HIP hash function does not match the hash function indicated by the OGA ID (which admittedly only is a minor issue for Internet hosts).

This isn't a bug, it's a feature - hash agility.

> So, I propose to _not_ make any major modifications at this point.

I am not feeling strongly either way; from my perspective it is fine
to worry about the need for more hash functions when the need arise
which isn't the case now.

(I was just trying to make sense of the seemingly contradictory
decision to tie the burn rates of the small OGA ID space to the larger
HIP suite ID space, where the HIP suite ID space is presumably made
larger to increase future security, at the cost of shrinking the hash
output which to me decreases security.)

Regardless, I think that the text talking about using more bits of the
ORCHIDs to encode a HIP suite ID should be removed as this is not
supported by the ORCHID generation scheme (and would IMHO be a bad
thing to do, but that is beyond the point.)

--julien

v2.23.0 | Report a Bug | By Email