Re: [Hipsec] A review of draft-ietf-hip-dex-02.txt

Gonzalo Camarillo <> Mon, 18 April 2016 12:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C52EC12DCF1 for <>; Mon, 18 Apr 2016 05:56:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -104.221
X-Spam-Status: No, score=-104.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IGMTWUUMWi_G for <>; Mon, 18 Apr 2016 05:56:23 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DEAEB12DC6D for <>; Mon, 18 Apr 2016 05:56:22 -0700 (PDT)
X-AuditID: c1b4fb2d-f79006d000006928-ca-5714d974bc31
Received: from (Unknown_Domain []) by (Symantec Mail Security) with SMTP id 3D.4A.26920.479D4175; Mon, 18 Apr 2016 14:56:20 +0200 (CEST)
Received: from [] ( by ( with Microsoft SMTP Server id; Mon, 18 Apr 2016 14:55:34 +0200
References: <> <>
From: Gonzalo Camarillo <>
Message-ID: <>
Date: Mon, 18 Apr 2016 15:55:34 +0300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrLLMWRmVeSWpSXmKPExsUyM2K7lm7JTZFwg2t7tCymLprMbLFs9hwm i4Z1nxkdmD22Pv3C4rF7UhO7x5IlP5kCmKO4bFJSczLLUov07RK4Mr4u2cZasPU8Y8XdeXtY GxgPL2TsYuTkkBAwkbjU8YUJwhaTuHBvPVsXIxeHkMARRon1F7YwQzhrGCXur+5kBqkSFrCW mPrhJjuILSJgLPF7+WewSUICiRLnpv9hAbGZgWper70MZrMJWEhsuXUfzOYV0JY49aGBFcRm EVCVuH/qAdgcUYEYicYHp5ggagQlTs58AlbPKaAlMXVrNyPETAOJI4vmsELY8hLb385hhtir LbH8WQvLBEbBWUjaZyFpmYWkZQEj8ypG0eLU4uLcdCNjvdSizOTi4vw8vbzUkk2MwEA+uOW3 7g7G1a8dDzEKcDAq8fAmsIuEC7EmlhVX5h5ilOBgVhLhNbkOFOJNSaysSi3Kjy8qzUktPsQo zcGiJM6bE/kvTEggPbEkNTs1tSC1CCbLxMEp1cDYevL9ej8j+cLOhR6FKV3r580OORzxyJOv 5VNkTcWzWwte2ob+uFWj3RMitMs6j93N6UNcnn80p9/CJ5k6b3z1Jn2zT+B2V91aNXvKZfOX 8k6sSzU5jiXEzP49IaNJmsk8L+K1Z/PLZZtmdnEam5ieCNr9VdxPs5QrhP2/xsMpds8kZj1e zq/EUpyRaKjFXFScCAB3p63YYAIAAA==
Archived-At: <>
Subject: Re: [Hipsec] A review of draft-ietf-hip-dex-02.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Apr 2016 12:56:27 -0000

Rene, Bob,

could you please have a look at Miika's comments below?



On 28/03/2016 11:05 PM, Miika Komu wrote:
> Hi,
>> 1.1.  The HIP Diet EXchange (DEX)
>> Data packets start to flow after the 4th packet.  The 3rd and 4th HIP
>> packets may carry data payload in the future.  However, the details
>> of this may be defined later.
> Similarly as in RFC7401, data packets start to flow...
> (I guess you could also mention RFC6078 as another further work item)
>> An existing HIP association can be updated with the update mechanism
>> defined in [RFC7401].  Likewise, the association can be torn down
>> with the defined closing mechanism for HIPv2 if it is no longer
>> needed.  HIP DEX thereby omits the HIP_SIGNATURE parameters of the
>> original HIPv2 specification.
> Why "thereby"? I don't see the connection.
>> HIP DEX does not have the option to encrypt the Host Identity of the
>> Initiator in the 3rd packet.  The Responder's Host Identity also is
>> not protected.  Thus, contrary to HIPv2, there is no attempt at
>> anonymity.
> The anonymous bit still exists, so I suggest changing the wording:
> there is no attempt at anonymity -> such Responder anonymity is not
> preserved in HIP DEX.
>> 2.1.  Requirements Terminology
> In section 6.3, you are introduce also -> notation, which was
> not explained.
>> 2.3.  Definitions
> I suggest to add also the definitions of both MAC and CMAC because they
> are used throughout the document. They are also used in this section.
>> 3.1.  Host Identity Tag (HIT)
> Just thinking aloud... should a DEX HIT have a different context ID?
> Probably not.
>> 4.1.  Creating a HIP Association
>> The HIP Diet EXchange serves to manage the establishment of state
>> between an Initiator and a Responder.  The first packet, I1,
>> initiates the exchange, and the last three packets, R1, I2, and R2,
>> constitute an authenticated Diffie-Hellman [DH76] key exchange for
>> the Master Key SA generation.  This Master Key SA is used by the
>> Initiator and the Responder to wrap secret keying material in the I2
>> and R2 packets.  Based on the exchanged keying material, the peers
>> then derive a Pair-wise Key SA if cryptographic keys are needed,
>> e.g., for ESP-based protection of user data.
> (Suggest replacing "user data" with e.g. "data plane" in the entire
> document since you're talking about machines (sensors) that may not
> have a user)
>> In the I2 packet, the Initiator MUST display the solution to the
>> received puzzle.  Without a correct solution, the I2 packet is
>> discarded.  The I2 also contains a key wrap parameter that carries a
>> secret keying material of the Initiator.  This keying material is
>> only half the final session key.  The packet is authenticated by the
>> sender (Initiator) via a MAC.
> ...half *of* the...
>> The R2 packet acknowledges the receipt of the I2 packet and completes
>> the handshake.  The R2 contains a key wrap parameter that carries the
>> rest of the keying material of the Responder.  The packet is
>> authenticated by the sender (Responder) via a MAC.
> key wrap parameter -> parameter with encrypted contents
>> 4.1.1.  HIP Puzzle Mechanism
>> The puzzle mechanism enables a Responder to immediately reject an I2
>> packet if it does not contain a valid puzzle solution.  To verify the
>> puzzle solution, the Responder only has to compute a single CMAC
>> operation.  After a successful puzzle verification, the Responder can
>> securely create session-specific state and perform CPU-intensive
>> operations such as a Diffie-Hellman key generation.  By varying the
>> difficulty of the puzzle, the Responder can frustrate CPU or memory
>> targeted DoS attacks.
> ...can frustrate *an Initiator*...
>> Conceptually, the puzzle mechanism in HIP DEX is the same as in
>> HIPv2.  Hence, this document refers to Sections 4.1.1 and 4.1.2 in
>> [RFC7401] for more detailed information about the employed mechanism.
>> Notably, the only difference between the puzzle mechanism in HIP DEX
>> and HIPv2 is that HIP DEX uses CMAC instead of a hash function for
>> solving and verifying a puzzle.  The implications of this change on
>> the puzzle implementation are discussed in Section 6.1.
> The other difference is mentioned in section 6.1:
> "The only exceptions are that HIP DEX does not use pre-computation of
> R1 packets and that RHASH is set to CMAC.  As a result, the pre-
> computation step in in Section 6.3 of [RFC7401] is skipped in HIP DEX."
>>  HIP DEX Retransmission Mechanism
>> The potentially high processing time of an I2 packet at a (resource-
>> constrained) Responder may cause premature retransmissions if the
>> time required for I2 transmission and processing exceeds the RTT-
>> based retransmission timeout.  Thus, the Initiator should also take
>> the processing time of the I2 packet at the Responder into account
>> for retransmission purposes.  To this end, the Responder MAY notify
>> the Initiator about the anticipated delay once the puzzle solution
>> was successfully verified and if the remaining I2 packet processing
>> incurs a high processing delay.  The Responder MAY therefore send a
>> NOTIFY packet (see Section 5.3.6. in [RFC7401]) to the Initiator
>> before the Responder commences the ECDH operation.  The NOTIFY packet
>> serves as an acknowledgement for the I2 packet and consists of a
>> NOTIFICATION parameter with Notify Message Type I2_ACKNOWLEDGEMENT
>> (see Section 5.2.19. in [RFC7401]).  The NOTIFICATION parameter
>> contains the anticipated remaining processing time for the I2 packet
>> in milliseconds as two-octet Notification Data.  This processing time
>> can, e.g., be estimated by measuring the computation time of the ECDH
>> key derivation operation at Responder boot-up.  After the I2
>> processing has finished, the Responder sends the regular R2 packet.
> ( boot-up -> start-up procedures (it doesn't have to be a boot) )
>>  Simplified HIP State Diagram
>> The following diagram shows the major state transitions.  Transitions
>> based on received packets implicitly assume that the packets are
>> successfully authenticated or processed.
> Is the new NOTIFY illustrated also in the figure?
>> 5.2.1.  DH_GROUP_LIST
>> The DH_GROUP_LIST parameter contains the list of supported DH Group
>> IDs of a host.  It is defined in Section 5.2.6 of [RFC7401].  With
>> HIP DEX, the DH Group IDs are restricted to:
>> Group                              KDF              Value
>> NIST P-256 [RFC5903]               CKDF             7
>> NIST P-384 [RFC5903]               CKDF             8
>> NIST P-521 [RFC5903]               CKDF             9
>> SECP160R1  [SECG]                  CKDF             10
>> Curve25519 [RFC7748]               CKDF             11
>> Curve448   [RFC7748]               CKDF             12
>> The ECDH groups 7 - 9 are defined in [RFC5903] and [RFC6090].  ECDH
>> group 10 is covered in [SECG] and Appendix D of [RFC7401].  These
>> curves, when used with HIP MUST have a co-factor of 1.
> I suggest to change the "value" column title to "group id" or change the
> text
> as follows: "The ECDH groups with *values* 7 - 9..."
>> The ECDH groups 11 and 12 are defined in [RFC7748].  These curves
>> have cofactors of 8 and 4 (respectively).
> Same comment as previously.
>> 5.2.3.  HOST_ID
>> The HOST_ID parameter conveys the Host Identity (HI) along with
>> optional information about a host.  It is defined in Section 5.2.9 of
>> [RFC7401].
>> HIP DEX uses the public portion of a host's static ECDH key-pair as
>> the HI.  Correspondingly, HIP DEX limits the HI algorithms to the
>> following profile:
> I would add "*new* profile" since this is not part of RFC7401.
>> 5.2.4.  HIT_SUITE_LIST
>> The HIT_SUITE_LIST parameter contains a list of the supported HIT
>> suite IDs of the Responder.  Based on the HIT_SUITE_LIST, the
>> Initiator can determine which source HIT Suite IDs are supported by
>> the Responder.  The HIT_SUITE_LIST parameter is defined in
>> Section 5.2.10 of [RFC7401].
>> The following HIT Suite IDs are defined for HIP DEX, and the
>> relationship between the four-bit ID value used in the OGA ID field
>> and the eight-bit encoding within the HIT_SUITE_LIST ID field is
>> clarified:
> ...the following *new* HIT Suite IDs...
> clarified: -> defined as follows:
>> Note that the HIP DEX HIT Suite ID allows the peers to distinguish a
>> HIP DEX handshake from a HIPv2 handshake.  The Responder MUST respond
>> with a HIP DEX HIT suite ID when the HIT of the Initiator is a HIP
> The details are a bit unclear. Which packet are you talking about here?
> I mean the suite id is in R1 (and not in I1), so I guess you're
> referring that
> Responder must respond to I2 with an R2 that contains HIP DEX HITs?
> In general, I'd urge the authors to write a separate "Compatibility with
> HIP base exchange" section in the end of the document with the two
> (problematic) use cases:
> 1. Initiator=DEX, Responder=BEX
> 2. Initiator=BEX, Responder=DEX
> How what happens in each case? Can the Initiator still try to
> communicate (in case the Responder could potentially support both
> protocols) or should it just abort? When exactly each party knows and
> from which parameters both of the parties detect incompatibilities?
> Consider also the opportunistic mode. Bits and pieces of this
> discussion was scattered here and there, but it would useful to recap
> this is one single section due to compatibility issues with RFC7401.
>> 5.2.5.  ENCRYPTED_KEY
>> [...]
>> The ENCRYPTED_KEY parameter encapsulates a random value that is later
>> used in the session key creation process (see Section 6.3).  This
>> random value MUST have a length of at least 64 bit.  The puzzle value
>> #I and the puzzle solution #J (see [RFC7401]) are used as the
>> initialization vector (IV) for the encryption process.  To this end,
>> the IV is computed as FOLD(I | J, 128).  The AES-CTR counter is a 16
>> bit value that is initialized to zero with the first use.
> The initialization vector is a explicit, separate field in RFC7401. Why
> I and J
> are implicitly reused here? To save bits?
> The AES-CTR counter pops out a bit suddenly here. Perhaps you could
> "bridge" it to the text in a bit more smoother way.
>> Once this encryption process is completed, the "encrypted value" data
>> field is ready for inclusion in the Parameter.  If necessary,
>> additional Padding for 8-byte alignment is then added according to
>> the rules of TLV Format in [RFC7401].
> The key could be also included in ENCRYPTED parameter, which can
> accommodate multiple parameters... unless it is very important to
> keep the IV implicit.
>> 5.3.  HIP Packets
>> [...]
>> In the future, an optional upper-layer payload MAY follow the HIP
>> header.  The Next Header field in the header indicates if there is
>> additional data following the HIP header.
> RFC6078 is also future work.
>> 5.3.1.  I1 - the HIP Initiator Packet
>> [...]
>> As a compression of the employed HIs, the Initiator's and the
>> Responder's HITs both determine the DH group ID that must be used in
>> order to successfully conclude the triggered handshake.  HITs,
>> however, only include the OGA ID identifying a HIP DEX HIT.  They do
>> not include information about the specific DH group ID of the
>> corresponding HI. [...]
> Something wrong here, the first sentence is contradicting with the
> second and third one.
>> 5.3.2.  R1 - the HIP Responder Packet
>> [...]
>> The R1 packet generation counter is used to determine the currently
>> valid generation of puzzles.  The value is increased periodically,
>> and it is RECOMMENDED that it is increased at least as often as
>> solutions to old puzzles are no longer accepted.
> Section 6.1 describes: "The only exceptions are that HIP DEX does not
> use pre-computation of R1 packets and that RHASH is set to CMAC.  As a
> result, the pre- computation step in in Section 6.3 of [RFC7401] is
> skipped in HIP DEX.
> I guess R1 packet generation counters are still meaningful for the
> Initiator (despite Responder does not pre-generate R1s)?
>> [...]
>> The HOST_ID parameter depends on the received DH_GROUP_LIST parameter
>> and the Responder HIT in the I1 packet.  Specifically, if the I1
>> contains a Responder HIT, the Responder verifies that this HIT
>> matches the required DH group based on the received DH_GROUP_LIST
>> parameter.
> "...included in the I1". Right?
>> 5.3.3.  I2 - the Second HIP Initiator Packet
>> [...]
>> The HIP_CIPHER contains the single encryption transform selected by
>> the Initiator that it uses to encrypt the ENCRYPTED and ENCRYPTED_KEY
>> parameters.  The chosen cipher MUST correspond to one of the ciphers
>> offered by the Responder in the R1.  All implementations MUST support
>> the AES-CTR transform [RFC3686].
>> [...]
>> The TRANSPORT_FORMAT_LIST parameter contains the single transport
>> format type selected by the Initiator.  The chosen type MUST
>> correspond to one of the types offered by the Responder in the R1
>> packet.  Currently, the only transport format defined is the ESP
>> transport format [RFC7402].
> Should all of the cipher suites and transport formats still be echoed
> to the Responder for security reasons? See also my next comment.
>> 5.3.4.  R2 - the Second HIP Responder Packet
>> [...]
>> The Responder repeats the DH_GROUP_LIST, HIP_CIPHER, HIT_SUITE_LIST,
>> and TRANSPORT_FORMAT_LIST parameters in the R2 packet.  These
>> parameters MUST be the same as included in the R1 packet. The
>> parameter are re-included here because the R2 packet is MACed and
>> thus cannot be altered by an attacker.  For verification purposes,
>> the Initiator re-evaluates the selected suites and compares the
>> results against the chosen ones.  If the re-evaluated suites do not
>> match the chosen ones, the Initiator acts based on its local policy.
> Ok, so now the full list of parameters is included, so forget about my
> previous comment.
>> 6.1.  Solving the Puzzle
>> The procedures for solving and verifying a puzzle in HIP DEX are
>> strongly based on the corresponding procedures in HIPv2.  The only
>> exceptions are that HIP DEX does not use pre-computation of R1
>> packets and that RHASH is set to CMAC.  As a result, the pre-
>> computation step in in Section 6.3 of [RFC7401] is skipped in HIP
>> DEX.
> in in -> in
>> 6.2.1.  CMAC Calculation
>> [...]
>> 5.  Set Checksum and Header Length fields in the HIP header to
>> original values.  Note that the Checksum and Length fields
>> contain incorrect values after this step.
> I guess also the values following HIP_MAC should be restored since
> they were wiped in the step 2.
>> 6.3.  HIP DEX KEYMAT Generation
> (this section was a bit hard to understand)
>> The HIP DEX KEYMAT process is used to derive the keys for the Master
>> Key SA as well as for the Pair-wise Key SA.  The keys for the Master
>> Key SA are based from the Diffie-Hellman derived key, Kij, produced
> from -> on
>> The keys of the Pair-wise Key SA are not directly used in the HIP DEX
>> handshake. [...]
> used -> exposed in plaintext?
>> Some payload protection mechanisms have their own
>> Key Derivation Function, and if so this mechanism SHOULD be used.
> this -> such
>> The HIP DEX KEYMAT process consists of two components, CKDF-Extract
>> and CKDF-Expand.  The Extract function compresses a non-uniformly
>> distributed key, as is the output of a Diffie-Hellman key derivation,
> as is -> such as
>> The key derivation for the Master Key SA employs both the Extract and
>> Expand phases, whereas the Pair-wise Key SA MAY need both the Extract
>> and Expand phases if the key is longer than 128 bits.  Otherwise, it
>> only requires the Expand phase.
> Suggest:
> The key derivation for the Master Key SA employs always both the
> Extract and Expand phases. The Pair-wise Key SA needs only the Extract
> phase when key is smaller or equal to 128 bits, but otherwise requires
> also the Expand phase.
>> The CKDF-Extract function is the following operation:
>> CKDF-Extract(I, IKM, info) -> PRK
> What does the arrow operator signify? I thought that it produces PRK,
> but PRK is actually defined below.
>> where
>> I          Random #I from the PUZZLE parameter
>> IKM        Input keying material, i.e., either the Diffie-Hellman
>>            derived key or the concatenation of the random values
>>            of the ENCRYPTED_KEY parameters in the same order as
>>            the HITs with sort(HIT-I | HIT-R)
> So how to choose between the D-H key and ENCRYPTED_KEY? Use always the
> KEY if present, otherwise D-H?
>> info       sort(HIT-I | HIT-R) | "CKDF-Extract"
> Is "CKDF-Extract" an octet string?
>> PRK        a pseudorandom key (of RHASH_len/8 octets)
>> |          denotes the concatenation
>> The pseudorandom key PRK is calculated as follows:
>> PRK     = CMAC(I, IKM | info)
> Based on this, I don't really know how to extract key material (the
> arrow notation is confusing).
>> The CKDF-Expand function is the following operation:
>> CKDF-Expand(PRK, info, L) -> OKM
> What does the arrow mean?
> Maybe name "info" as "info2" because it is different variable.
>> where
>> PRK      a pseudorandom key of at least RHASH_len/8 octets
>>          (either the output from the extract step or the
>>          concatenation of the random values of the
>>          ENCRYPTED_KEY parameters in the same order as the
>>          HITs with sort(HIT-I | HIT-R))
> How to choose between the extract output vs encrypted key?
> Maybe you should rename this as "PRK2" in order to distinguish the
> variable from the Extract phase.
>> info     sort(HIT-I | HIT-R) | "CKDF-Expand"
> Is "CKDF-Expand" an octet string?
>> L        length of output keying material in octets
>>          (<= 255*RHASH_len/8)
>> |        denotes the concatenation
>> The output keying material OKM is calculated as follows:
>> N       =  ceil(L/RHASH_len/8)
>> T       =  T(1) | T(2) | T(3) | ... | T(N)
>> OKM     =  first L octets of T
>> where
>> T(0) = empty string (zero length)
>> T(1) = CMAC(PRK, T(0) | info | 0x01)
>> T(2) = CMAC(PRK, T(1) | info | 0x02)
>> T(3) = CMAC(PRK, T(2) | info | 0x03)
>> ...
> The Expand was a bit more clear, but still didn't understand how to get
> to the
> Expanded key material due the arrow notation.
>> (where the constant concatenated to the end of each T(n) is a
>> single octet.)
> Is there a max value?
>> The initial keys are drawn sequentially in the order that is
>> determined by the numeric comparison of the two HITs, with the
>> comparison method described in the previous paragraph.  HOST_g
>> denotes the host with the greater HIT value, and HOST_l the host with
>> the lower HIT value.
> This is just for Master keys, right?
>> The number of bits drawn for a given algorithm is the "natural" size
>> of the keys.  For the mandatory algorithms, the following sizes
>> apply:
>> AES  128 or 256 bits
> I would clarify that this depends on the negotiated HIP_CIPHER.
>> 6.5.  Processing Incoming I1 Packets
>> 5.  If the received Responder's HIT in the I1 packet is not NULL, the
>> Responder's in the R1 packet HIT MUST match the destination HIT
> ...the Responder's HIT in the R1 packet MUST match...
>> 6.6.  Processing Incoming R1 Packets
>> [...]
>> 1.   A system receiving an R1 MUST first check to see if it has sent
>> an I1 packet to the originator of the R1 packet (i.e., it has a
>> HIP association that is in state I1-SENT and that is associated
>> with the HITs in the R1).  Unless the I1 packet was sent in
>> opportunistic mode (see Section 4.1.8 of [RFC7401]), the IP
>> addresses in the received R1 packet SHOULD be ignored by the R1
>> processing and, when looking up the right HIP association, the
> right -> correct
>> 8.   The R1 packet may have the A-bit set - in this case, the system
>> MAY choose to refuse it by dropping the R1 packet and returning
>> to state UNASSOCIATED.  The system SHOULD consider dropping the
>> R1 packet only if it used a NULL HIT in the I1 packet.
> I didn't understand the logic in the last sentence.
>> Note that step 4 from the original processing rules of HIPv2
>> (signature verification) has been removed in the above processing
>> rules for HIP DEX.  Moreover, step 7 of the HIPv2 processing rules
>> has been adapted to account for the fact that HIP DEX uses ECDH
>> public keys as HIs.
> Step 7 in the *original* processing rules, what is the ordinal in DEX?
> It is not 7.
>> 6.7.  Processing Incoming I2 Packets
>> [...]
>> 5.   If the system's state machine is in the I2-SENT state, the
>> system MUST make a comparison between its local and sender's
>> HITs (similarly as in Section 6.3).  If the local HIT is smaller
>> than the sender's HIT, it should drop the I2 packet, use the
>> peer Diffie-Hellman key, ENCRYPTED_KEY keying material and nonce
>> #I from the R1 packet received earlier, and get the local
>> Diffie-Hellman key, ENCRYPTED_KEY keying material, and nonce #J
>> from the I2 packet sent to the peer earlier.  Otherwise, the
>> system should process the received I2 packet and drop any
>> previously derived Diffie-Hellman keying material Kij and
>> ENCRYPTED_KEY keying material it might have generated upon
>> sending the I2 packet previously.  The peer Diffie-Hellman key,
>> ENCRYPTED_KEY, and the nonce #J are taken from the just arrived
>> I2 packet.  The local Diffie-Hellman key, ENCRYPTED_KEY keying
>> material, and the nonce #I are the ones that were sent earlier
>> in the R1 packet.
> Please replace "sender" with "peer" (or remote host) in this section
> for more symmetric terminology.
> get -> obtain
>> 11.  The implementation SHOULD also verify that the Initiator's HIT
>> in the I2 packet corresponds to the Host Identity sent in the I2
>> packet.  (Note: some middleboxes may not be able to make this
>> verification.)
> Why SHOULD? Why not MUST? I think we're talking about end-hosts here
> anyway.
>> Note that steps 11 (encrypted HOST_ID) and 15 (signature
>> verification) from the original processing rules of HIPv2 have been
>> removed in the above processing rules for HIP DEX.  Moreover, step 10
>> of the HIPv2 processing rules has been adapted to account for
>> optional extension of the retransmission mechanism.  Step 16 has been
>> added to the processing rules.
> this document.
>> 6.10.  Processing UPDATE, CLOSE, and CLOSE_ACK Packets
>> UPDATE, CLOSE, and CLOSE_ACK packets are handled similarly in HIP DEX
>> as in HIP BEX (see Sections 6.11, 6.12, 6.14, and 6.15 of [RFC7401]).
>> The only difference is the that the HIP_SIGNATURE is never present
>> and, therefore, is not required to be processed by the receiving
>> party.
> How does rekeying work with the extract and expand functions?
>> 6.11.  Handling State Loss
>> Implementors MAY choose to use non-volatile, secure storage for HIP
>> states in order for them to survive a system reboot.  If no secure
>> storage capabilities are available, the system SHOULD delete the
>> corresponding HIP state, including the keying material.  If the
>> implementation does drop the state (as RECOMMENDED), it MUST also
>> drop the peer's R1 generation counter value, unless a local policy
>> explicitly defines that the value of that particular host is stored.
>> An implementation MUST NOT store a peer's R1 generation counters by
>> default, but storing R1 generation counter values, if done, MUST be
>> configured by explicit HITs.
> MUST NOT -> SHOULD? Otherwise the part after this is kinda void.
>> 7.  HIP Policies
>> There are a number of variables that will influence the HIP exchanges
>> that each host must support.  All HIP DEX implementations SHOULD
>> provide for an ACL of Initiator's HI to Responder's HI.  This ACL
>> SHOULD also include preferred transform and local lifetimes.
>> Wildcards SHOULD also be supported for this ACL.
> Why ACLs are mandatory?
> ACL -> ACL consisting of
>> The value of #K used in the HIP R1 must be chosen with care.  Values
>> of #K that are too high will exclude clients with weak CPUs because
>> these devices cannot solve the puzzle within a reasonable amount of
>> time. #K should only be raised if a Responder is under high load,
>> i.e., it cannot process all incoming HIP handshakes any more.  If a
>> Responder is not under high load, #K SHOULD be 0.
>> 8.  Security Considerations
>> o  The HIP DEX HIT generation may present new attack opportunities.
> They cannot be used in ACLs. Maybe this could be mentioned. Can this
> be mitigated by always using full HIs?
> Some additional comments related to Appendix:
> I think you could reference the SLIMFIT extension from Rene Hummen in
> the appendix. And possibly mention the following related work
> extending DEX that was done in the context of Convince Celtic+
> project:
> P. Porambage, A. Braeken, P. Kumar, A. Gurtov and M. Ylianttila,
> "Efficient Key Establishment for Constrained IoT Devices with
> Collaborative HIP-Based Approach," 2015 IEEE Global Communications
> Conference (GLOBECOM), San Diego, CA, 2015, pp. 1-6.  doi:
> 10.1109/GLOCOM.2015.7417094
> The work includes also benchmarks on energy consumption.
> P.S. My review can be credited to Convince Celtic+.
> _______________________________________________
> Hipsec mailing list