[Hipsec] ORCHIDv2
Julien Laganier <julien.ietf@gmail.com> Mon, 11 July 2011 14:04 UTC
Return-Path: <julien.ietf@gmail.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E8C321F8BDF for <hipsec@ietfa.amsl.com>; Mon, 11 Jul 2011 07:04:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZgMJZR36zmPc for <hipsec@ietfa.amsl.com>; Mon, 11 Jul 2011 07:04:26 -0700 (PDT)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 4ECF021F8BD1 for <hipsec@ietf.org>; Mon, 11 Jul 2011 07:04:25 -0700 (PDT)
Received: by bwb17 with SMTP id 17so3817461bwb.31 for <hipsec@ietf.org>; Mon, 11 Jul 2011 07:04:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=R2VxQdLniJUI1kxFZFIbxgKr9mbS3Vuq4NtV7xy2d6o=; b=xLKVuJQaNIvw3LwUfzP31s+9XgH5/vG5L6bKCJamU6ujipPFpZEw9FYZQD9Lur0z/h 9BKmgCwtk8R0tZjKyiibmu2n3kRHjulk4WfRlGQAygbeV2Nuuybj6pj5E/5/NA0BtyAN NmNO6aouBypEvLTNciMojKpgHmlaZTLReNlxQ=
MIME-Version: 1.0
Received: by 10.204.127.156 with SMTP id g28mr2607778bks.114.1310393064937; Mon, 11 Jul 2011 07:04:24 -0700 (PDT)
Received: by 10.204.62.77 with HTTP; Mon, 11 Jul 2011 07:04:24 -0700 (PDT)
Date: Mon, 11 Jul 2011 07:04:24 -0700
Message-ID: <CAE_dhju_EYJse5Ec3_RB07ODd2pUV2Ey-yhX+JngL07QSgXtgA@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: HIP <hipsec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [Hipsec] ORCHIDv2
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 14:04:27 -0000
Folks, Unless someone objects I am going to update the ORCHIDv2 draft to reflect what we discussed earlier and is currently described in the HIP base spec, that is, that ORCHIDs now encode a 4 bits index called the Orchid Generation Algorithm -- see below. --julien Appendix E. HIT Suites and HIT Generation The HIT as an ORCHID [I-D.ietf-hip-rfc4843-bis] consists of three parts: A 28-bit prefix, a 4-bit encoding of the ORCHID generation algorithm (OGA) and the representation of the public key. The OGA is an index pointing to the specific algorithm by which the public key and the 96-bit hashed encoding is generated. The OGA is protocol specific and is to be interpreted as defined below for all protocols that use the same context ID as HIP. HIP groups sets of valid combinations of signature and hash algorithms into HIT Suites. These HIT suites are addressed by an index, which is transmitted in the OGA field of the ORCHID. The set of used HIT Suites will be extended to counter the progress in computation capabilities and vulnerabilities in the employed algorithms. The intended use of the HIT Suites is to introduce a new HIT Suite and phase out an old one before it becomes insecure. Since the 4-bit OGA field only permits 15 HIT Suites (the HIT Suite with ID 0 is reserved) to be used in parallel, phased-out HIT Suites must be reused at some point. In such a case, there will be a rollover of the HIT Suite ID and the next newly introduced HIT Suite will start with a lower HIT Suite index than the previously introduced one. The rollover effectively deprecates the reused HIT Suite. For a smooth transition, the HIT Suite should be deprecated a considerable time before the HIT Suite index is reused. Since the number of HIT Suites is tightly limited to 16, the HIT Suites must be assigned carefully. Hence, sets of suitable algorithms are grouped in a HIT Suite. The HIT Suite of the Responder's HIT determines the RHASH and the hash function to be used for the HMAC in HIP control packets as well as the signature algorithm family used for generating the HI. The list of HIT Suites is defined in Table 11. The following HIT Suites are defined for HIT generation. The input for each generation algorithm is the encoding of the HI as defined in Section 3.2. The output is 96 bits long and is directly used in the ORCHID.
- [Hipsec] ORCHIDv2 Julien Laganier