Re: [Hipsec] Antwort: Re: clarification on HIT Suite IDs
Rene Hummen <Rene.Hummen@comsys.rwth-aachen.de> Thu, 09 October 2014 16:55 UTC
Return-Path: <Rene.Hummen@comsys.rwth-aachen.de>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB2451AC7E7 for <hipsec@ietfa.amsl.com>; Thu, 9 Oct 2014 09:55:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.936
X-Spam-Level:
X-Spam-Status: No, score=-1.936 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id edDUF1cHdxsu for <hipsec@ietfa.amsl.com>; Thu, 9 Oct 2014 09:55:21 -0700 (PDT)
Received: from mx-out-1.rwth-aachen.de (mx-out-1.rwth-aachen.de [134.130.5.186]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA1B81ABD35 for <hipsec@ietf.org>; Thu, 9 Oct 2014 09:55:20 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.04,686,1406584800"; d="p7s'?scan'208";a="353406208"
Received: from mail-i4.nets.rwth-aachen.de ([137.226.12.21]) by mx-1.rz.rwth-aachen.de with ESMTP; 09 Oct 2014 18:55:18 +0200
Received: from messenger.nets.rwth-aachen.de (messenger.nets.rwth-aachen.de [137.226.13.40]) by mail-i4.nets.rwth-aachen.de (Postfix) with ESMTP id A919413DAC2; Thu, 9 Oct 2014 18:55:18 +0200 (CEST)
Received: from MESSENGER.nets.rwth-aachen.de ([fe80::d4e:bb9d:9e0:bfee]) by MESSENGER.nets.rwth-aachen.de ([fe80::d4e:bb9d:9e0:bfee%12]) with mapi id 14.01.0218.012; Thu, 9 Oct 2014 18:55:18 +0200
From: Rene Hummen <Rene.Hummen@comsys.rwth-aachen.de>
To: Tom Henderson <tomh@tomh.org>
Thread-Topic: [Hipsec] Antwort: Re: clarification on HIT Suite IDs
Thread-Index: AQHP3AFN97ZF10cpAkSCBzb5VduNeZwYNfgAgAANKQCADvZwAIAAsH2A
Date: Thu, 09 Oct 2014 16:55:17 +0000
Message-ID: <3E6747D3-A24D-42DF-A7DA-3613B7DE90E4@comsys.rwth-aachen.de>
References: <5420863E.1060608@tomh.org> <20140922212826.5048E216C3B@bikeshed.isc.org> <54210668.4050605@tomh.org> <20140923112746.EA16C216C3B@bikeshed.isc.org> <OFD6408C65.060C7582-ONC1257D62.005816DE-C1257D62.0059BBB9@belden.com> <542991A8.4020908@tomh.org> <CAE_dhjtRkfx+hZ512d1+CMCdpJJx8-ja4nwT=XAi_YC68L4LcA@mail.gmail.com> <543629E6.8030802@tomh.org>
In-Reply-To: <543629E6.8030802@tomh.org>
Accept-Language: en-US, de-DE
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [37.201.228.166]
Content-Type: multipart/signed; boundary="Apple-Mail=_77F1A03C-64B7-4270-8753-0352764CB1B3"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/AHtkBQFgNb7Sa7E-c-FIt_zjoTo
Cc: Julien Laganier <julien.ietf@gmail.com>, Francis Dupont <fdupont@isc.org>, HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Antwort: Re: clarification on HIT Suite IDs
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Oct 2014 16:55:25 -0000
Hi Tom, I am not sure if we there was an answer to this question before. Why don’t we simply use the four lower-order bits in the HIT_SUITE_LIST ID field to convey the HIT Suites ID? That would definitely make the mapping between HIT Suites IDs and OGA IDs much clearer as the 4-bit and the 8-bit values would be the same. Moreover, I thought we would skip the part about using larger HIT suite IDs _in the main protocol specification_. I like your added text in the IANA consideration though. My proposed changes are inline based on your provided diff: 31 @@ -3099,8 +3099,11 @@ 32 host. Each HIT Suite ID is one octet long. The four 33 higher-order bits of the ID field correspond to the 34 HIT Suite ID in the ORCHID OGA field. The four 35 - lower-order bits are reserved and set to 0 and 36 - ignored by the receiver. 37 + lower-order bits are reserved and set to 0 by 38 + the sender. The reception of an ID with the 39 + four lower-order bits not set to 0 should be 40 + considered as an error that MAY result in a 41 + NOTIFICATION of type UNSUPPORTED_HIT_SUITE. I think the “should” should be a “SHOULD”. Combined, with my above suggestion, we could rephrase your revised text as follows: “The reception of a HIT Suite ID with one of the four higher-order bits set to 1 SHOULD be considered as an error. This error MAY trigger a NOTIFICATION message of type UNSUPPORTED_HIT_SUITE." @@ -3115,13 +3118,55 @@ 46 the ID field. Future documents may define the use of the four lower- 47 order bits in the ID field. The above paragraph about extending the HIT Suite ID space from 4 to 8 bit could be removed from the main protocol specification. I don’t think there is anything weird about an 8-byte HIT Suite ID field alignment in the HIT_SUITE_LIST parameter (if we change the HIT Suite ID spec from, e.g., 0x10 to 0x01). 49 - The following HIT Suites ID are defined: 50 + The following HIT Suites ID are defined, and the relationship between 51 + the four-bit ID value used in the OGA ID field, and the eight-bit 52 + encoding within the HIT_SUITE_LIST ID field, is clarified: 53 + 54 + HIT Suite Four-bit ID Eight-bit encoding 55 + RESERVED 0 0x00 56 + RSA,DSA/SHA-256 1 0x10 (REQUIRED) 57 + ECDSA/SHA-384 2 0x20 (RECOMMENDED) 58 + ECDSA_LOW/SHA-1 3 0x30 (RECOMMENDED) This could remain as in -19 because 4-bit and 8-bit values would not differ. 100 + The hash of the responder as defined in the HIT Suite determines the 101 + HMAC to be used for the HMAC parameter. The HMACs currently defined 102 + here are HMAC-SHA-256 [RFC4868], HMAC-SHA-384 [RFC4868], and HMAC- 103 + SHA-1 [RFC2404]. This appears to be a small editorial mistake: “HMAC parameter” -> “HIP_MAC and HIP_MAC_2 parameters”. To be precise, the hash function specifies the RHASH, which in turn determines the hash function to be used for HMAC. RHASH is also used as the key derivation function. 135 @@ -6019,13 +6075,17 @@ 136 HIT Suite ID reduces the cryptographic strength of the HIT. HIT 137 Suite IDs must be allocated carefully to avoid namespace 138 exhaustion. Moreover, deprecated IDs should be reused after an 139 - appropriate time span. If 16 Suite IDs prove insufficient and 140 - more HIT Suite IDs are needed concurrently, more bits can be used 141 - for the HIT Suite ID by using one HIT Suite ID (0) to indicate 142 - that more bits should be used. The HIT_SUITE_LIST parameter 143 - already supports 8-bit HIT Suite IDs, should longer IDs be needed. 144 - Possible extensions of the HIT Suite ID space to accommodate eight 145 - bits and new HIT Suite IDs are defined through IETF Review. 146 + appropriate time span. If 15 Suite IDs (the zero value is 147 + initially reserved) prove to be insufficient and more HIT Suite 148 + IDs are needed concurrently, more bits can be used for the HIT 149 + Suite ID by using one HIT Suite ID (0) to indicate that more bits 150 + should be used. The HIT_SUITE_LIST parameter already supports 151 + 8-bit HIT Suite IDs, should longer IDs be needed. However, RFC 152 + 7343 [RFC7343] does not presently support such an extension, and 153 + the rollover approach described in Appendix E is suggested to be 154 + tried first. Possible extensions of the HIT Suite ID space to 155 + accommodate eight bits and new HIT Suite IDs are defined through 156 + IETF Review. This nicely captures the intended procedure. BR René On 09 Oct 2014, at 08:23, Tom Henderson <tomh@tomh.org> wrote: > I've created a preview draft version 20 that makes the changes described in this post: > > http://www.ietf.org/mail-archive/web/hipsec/current/msg03975.html > > I also created a diff file between -19 and -20-pre and trimmed out the non-substantive parts. > > I attached both of these files to this ticket, for review: > http://trac.tools.ietf.org/wg/hip/trac/ticket/51 > > If there is WG consensus to request to make these changes, then I'll ask for guidance on what to do next (publish a new draft, or handle another way). > > - Tom > > _______________________________________________ > Hipsec mailing list > Hipsec@ietf.org > https://www.ietf.org/mailman/listinfo/hipsec -- Dipl.-Inform. Rene Hummen, Ph.D. Student Chair of Communication and Distributed Systems RWTH Aachen University, Germany tel: +49 241 80 21426 web: http://www.comsys.rwth-aachen.de/team/rene-hummen/
- [Hipsec] clarification on HIT Suite IDs Tom Henderson
- Re: [Hipsec] clarification on HIT Suite IDs Tom Henderson
- Re: [Hipsec] clarification on HIT Suite IDs Julien Laganier
- Re: [Hipsec] clarification on HIT Suite IDs Tom Henderson
- Re: [Hipsec] clarification on HIT Suite IDs Julien Laganier
- Re: [Hipsec] clarification on HIT Suite IDs Tom Henderson
- Re: [Hipsec] clarification on HIT Suite IDs Julien Laganier
- Re: [Hipsec] clarification on HIT Suite IDs Ted Lemon
- Re: [Hipsec] clarification on HIT Suite IDs Rene Hummen
- Re: [Hipsec] clarification on HIT Suite IDs Gonzalo Camarillo
- Re: [Hipsec] clarification on HIT Suite IDs Rene Hummen
- Re: [Hipsec] clarification on HIT Suite IDs Rene Hummen
- Re: [Hipsec] clarification on HIT Suite IDs Gonzalo Camarillo
- Re: [Hipsec] clarification on HIT Suite IDs Julien Laganier
- Re: [Hipsec] clarification on HIT Suite IDs Francis Dupont
- Re: [Hipsec] clarification on HIT Suite IDs Francis Dupont
- [Hipsec] Antwort: Re: clarification on HIT Suite … Tobias.Heer
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Tom Henderson
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Julien Laganier
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Miika Komu
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Tom Henderson
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Rene Hummen
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Tom Henderson
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Rene Hummen