Re: [Hipsec] a state machine proposal for mm-03
Pekka Nikander <pekka.nikander@nomadiclab.com> Mon, 10 April 2006 04:24 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FSnxK-00063I-CP; Mon, 10 Apr 2006 00:24:50 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FSnxJ-00063D-Db for hipsec@ietf.org; Mon, 10 Apr 2006 00:24:49 -0400
Received: from n2.nomadiclab.com ([193.234.219.2]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FSnxI-0005od-UR for hipsec@ietf.org; Mon, 10 Apr 2006 00:24:49 -0400
Received: from n2.nomadiclab.com (localhost [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id DCD0B212C63; Mon, 10 Apr 2006 07:24:47 +0300 (EEST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id 4F1A3212C5F; Mon, 10 Apr 2006 07:24:45 +0300 (EEST)
In-Reply-To: <Pine.GSO.4.58.0604031851540.25408@kekkonen.cs.hut.fi>
References: <Pine.GSO.4.58.0604031851540.25408@kekkonen.cs.hut.fi>
Mime-Version: 1.0 (Apple Message framework v746.3)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <9AEF0EF5-18B0-4D1D-8722-37DB49721A94@nomadiclab.com>
Content-Transfer-Encoding: 7bit
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: Re: [Hipsec] a state machine proposal for mm-03
Date: Mon, 10 Apr 2006 07:24:45 +0300
To: Miika Komu <miika@iki.fi>
X-Mailer: Apple Mail (2.746.3)
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5ebbf074524e58e662bc8209a6235027
Cc: hipsec@ietf.org
X-BeenThere: hipsec@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hipsec>
List-Post: <mailto:hipsec@lists.ietf.org>
List-Help: <mailto:hipsec-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=subscribe>
Errors-To: hipsec-bounces@lists.ietf.org
> Note2: the state machine is simpler to design if we leave out the > peer initiated rekeying (section 3.2.1.2 in the draft). This way, > we can assume that the UPDATE exchange consists of three packets > and that each packet can be distinguished from each other by the > precence of LOCATOR, ECHO_REQUEST or ECHO_RESPONSE. Unfortunately I don't have time to really consider this in detail, but my earlier understanding was that, at least in principle, you could make the mobility and re-keying state machines completely separate. Anyway, from the overall architectural design point of view the idea was to use UPDATEs as a semi-reliable retransmission and acknowledgement sub-layer, on the top of which you can implement any state machine. The UPDATE-layer would signal the state machine above about any eventual events where packets don't get acknowledged even after multiple retries. Furthermore, the idea was that you could have multiple parallel state machines running at the same time. Their messages (payloads) would just be transmitted and acknowledged at once at the UPDATE layer, without needing any co-ordination between the above state machines. Now, I agree that there might be problems if you want to synchronise these state machines, e.g., for privacy reasons. However, fortunately or not, in the particular case of privacy you need to do also other tricks (such as having a changing HIT-blinding algorithm) that basically make the whole update mechanism half-unnecessary for the strong privacy case. Some minor comments below, made without _proper_ understanding of the whole picture: > Send UPDATE with LOCATOR: > - Triggered at the MN depending on changes in network attachments > and according to local policies > - Removed addresses are DEPRACATED (and not included in the > LOCATOR) > - All other addresses are UNVERIFIED (and included in the LOCATOR) Why these need to be UNVERIFIED. Maybe some of those have been verified earlier? > - Set preferred LOCATOR depending on local policies > - Send UPDATE with LOCATOR for the CN > > Receive HIP UPDATE: > - Verify the HIP packet: HMAC, SIG, the presence, dependencies and > validity of the parameters. > - If the result is failure, goto DROP. > - If success, proceed based on presence of LOCATOR, ECHO_REQUEST or > ECHO_RESPONSE (only one of them can be contained in the packet) I don't agree that only one of them can be included; see above. You seem to be making unnecessary limitations. > Received LOCATOR: > - For each MN address in the received LOCATOR > - State is DEPRACATED or UNKNOWN Why? See above. > - Goto UNVERIFIED and send ECHO_REQUEST > - State is UNVERIFIED > - Resend ECHO_REQUEST and decrease retransmission timeout > - Any other state, DROP > > Received ECHO REQUEST: > - For each MN address in the corresponding LOCATOR > - State is UNVERIFIED > - Goto ACTIVE and send ECHO_RESPONSE > - Any other state, DROP I don't understand the logic here. IMHO you should always answer with ECHO_RESPONSE when you get an ECHO_REQUEST on any of your addresses, independent of what you are doing with your peer's address verification. Completely separate this out. > Received ECHO_RESPONSE: > - Goto DEPRACATED for all old addresses not present in LOCATOR Hmm. Sounds like a sensible place of doing that. But there may be dragons around, beware. > - For each MN address in the corresponding LOCATOR > - State is UNVERIFIED > - Otherwise goto ACTIVE But you can't do that for other than the address that you just verified? Are you saying that one ECHO pair is enough to make all addresses verified? Definitely NOT! > - Change preferred LOCATOR when necessary > - Any other state, DROP > > Receive ESP: > - For the ESP address > - State is UNVERIFIED > - Verify ESP validity. Goto DROP if failed > - Change preferred LOCATOR when necessary Did we specify this? May make sense sometimes, but again, beware.... ESP doesn't protect IP source... > - Process ESP if there are credits left, and decrease credits. > - Otherwise DROP > - State is ACTIVE > - Process ESP > - Any other state, DROP > <no other comments, must run> --Pekka _______________________________________________ Hipsec mailing list Hipsec@lists.ietf.org https://www1.ietf.org/mailman/listinfo/hipsec
- [Hipsec] a state machine proposal for mm-03 Miika Komu
- Re: [Hipsec] a state machine proposal for mm-03 Pekka Nikander
- Re: [Hipsec] a state machine proposal for mm-03 Miika Komu
- Re: [Hipsec] a state machine proposal for mm-03 Pekka Nikander
- RE: [Hipsec] a state machine proposal for mm-03 Henderson, Thomas R
- Re: [Hipsec] a state machine proposal for mm-03 Miika Komu
- RE: [Hipsec] a state machine proposal for mm-03 Miika Komu