IETF Logo Mail Archive

Re: [Hipsec] a state machine proposal for mm-03

Pekka Nikander <pekka.nikander@nomadiclab.com> Mon, 10 April 2006 04:24 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FSnxK-00063I-CP; Mon, 10 Apr 2006 00:24:50 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FSnxJ-00063D-Db for hipsec@ietf.org; Mon, 10 Apr 2006 00:24:49 -0400
Received: from n2.nomadiclab.com ([193.234.219.2]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FSnxI-0005od-UR for hipsec@ietf.org; Mon, 10 Apr 2006 00:24:49 -0400
Received: from n2.nomadiclab.com (localhost [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id DCD0B212C63; Mon, 10 Apr 2006 07:24:47 +0300 (EEST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id 4F1A3212C5F; Mon, 10 Apr 2006 07:24:45 +0300 (EEST)
In-Reply-To: <Pine.GSO.4.58.0604031851540.25408@kekkonen.cs.hut.fi>
References: <Pine.GSO.4.58.0604031851540.25408@kekkonen.cs.hut.fi>
Mime-Version: 1.0 (Apple Message framework v746.3)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <9AEF0EF5-18B0-4D1D-8722-37DB49721A94@nomadiclab.com>
Content-Transfer-Encoding: 7bit
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: Re: [Hipsec] a state machine proposal for mm-03
Date: Mon, 10 Apr 2006 07:24:45 +0300
To: Miika Komu <miika@iki.fi>
X-Mailer: Apple Mail (2.746.3)
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5ebbf074524e58e662bc8209a6235027
Cc: hipsec@ietf.org
X-BeenThere: hipsec@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hipsec>
List-Post: <mailto:hipsec@lists.ietf.org>
List-Help: <mailto:hipsec-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=subscribe>
Errors-To: hipsec-bounces@lists.ietf.org

> Note2: the state machine is simpler to design if we leave out the  
> peer initiated rekeying (section 3.2.1.2 in the draft). This way,  
> we can assume that the UPDATE exchange consists of three packets  
> and that each packet can be distinguished from each other by the  
> precence of LOCATOR, ECHO_REQUEST or ECHO_RESPONSE.

Unfortunately I don't have time to really consider this in detail,  
but my earlier understanding was that, at least in principle, you  
could make the mobility and re-keying state machines completely  
separate.

Anyway, from the overall architectural design point of view the idea  
was to use UPDATEs as a semi-reliable retransmission and  
acknowledgement sub-layer, on the top of which you can implement any  
state machine.  The UPDATE-layer would signal the state machine above  
about any eventual events where packets don't get acknowledged even  
after multiple retries.  Furthermore, the idea was that you could  
have multiple parallel state machines running at the same time.   
Their messages (payloads) would just be transmitted and acknowledged  
at once at the UPDATE layer, without needing any co-ordination  
between the above state machines.

Now, I agree that there might be problems if you want to synchronise  
these state machines, e.g., for privacy reasons.  However,  
fortunately or not, in the particular case of privacy you need to do  
also other tricks (such as having a changing HIT-blinding algorithm)  
that basically make the whole update mechanism half-unnecessary for  
the strong privacy case.

Some minor comments below, made without _proper_ understanding of the  
whole picture:

> Send UPDATE with LOCATOR:
>   - Triggered at the MN depending on changes in network attachments
>     and according to local policies
>   - Removed addresses are DEPRACATED (and not included in the
>     LOCATOR)
>   - All other addresses are UNVERIFIED (and included in the LOCATOR)

Why these need to be UNVERIFIED.  Maybe some of those have been  
verified earlier?

>   - Set preferred LOCATOR depending on local policies
>   - Send UPDATE with LOCATOR for the CN
>
> Receive HIP UPDATE:
> - Verify the HIP packet: HMAC, SIG, the presence, dependencies and
>   validity of the parameters.
>   - If the result is failure, goto DROP.
>   - If success, proceed based on presence of LOCATOR, ECHO_REQUEST or
>     ECHO_RESPONSE (only one of them can be contained in the packet)

I don't agree that only one of them can be included; see above.  You  
seem to be making unnecessary limitations.

> Received LOCATOR:
> - For each MN address in the received LOCATOR
>   - State is DEPRACATED or UNKNOWN

Why?  See above.

>     - Goto UNVERIFIED and send ECHO_REQUEST
>   - State is UNVERIFIED
>     - Resend ECHO_REQUEST and decrease retransmission timeout
>   - Any other state, DROP
>
> Received ECHO REQUEST:
> - For each MN address in the corresponding LOCATOR
>   - State is UNVERIFIED
>     - Goto ACTIVE and send ECHO_RESPONSE
>   - Any other state, DROP

I don't understand the logic here.  IMHO you should always answer  
with ECHO_RESPONSE when you get an ECHO_REQUEST on any of your  
addresses, independent of what you are doing with your peer's address  
verification.  Completely separate this out.

> Received ECHO_RESPONSE:
> - Goto DEPRACATED for all old addresses not present in LOCATOR

Hmm.  Sounds like a sensible place of doing that.  But there may be  
dragons around, beware.

> - For each MN address in the corresponding LOCATOR
>   - State is UNVERIFIED
>     - Otherwise goto ACTIVE

But you can't do that for other than the address that you just  
verified?  Are you saying that one ECHO pair is enough to make all  
addresses verified?  Definitely NOT!

>     - Change preferred LOCATOR when necessary
>   - Any other state, DROP
>
> Receive ESP:
> - For the ESP address
>   - State is UNVERIFIED
>     - Verify ESP validity. Goto DROP if failed
>     - Change preferred LOCATOR when necessary

Did we specify this?  May make sense sometimes, but again,  
beware....  ESP doesn't protect IP source...

>     - Process ESP if there are credits left, and decrease credits.
>     - Otherwise DROP
>   - State is ACTIVE
>     - Process ESP
>   - Any other state, DROP
>
<no other comments, must run>

--Pekka


_______________________________________________
Hipsec mailing list
Hipsec@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/hipsec

v2.23.0 | Report a Bug | By Email