Re: [Hipsec] The HIT prefix once again
Francis Dupont <Francis.Dupont@enst-bretagne.fr> Mon, 01 August 2005 16:59 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DzddH-0002PZ-JN; Mon, 01 Aug 2005 12:59:19 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DzddG-0002O4-0X for hipsec@megatron.ietf.org; Mon, 01 Aug 2005 12:59:18 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA23903 for <hipsec@ietf.org>; Mon, 1 Aug 2005 12:59:15 -0400 (EDT)
Received: from laposte.rennes.enst-bretagne.fr ([192.44.77.17]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Dze9Y-0002O0-GY for hipsec@ietf.org; Mon, 01 Aug 2005 13:32:42 -0400
Received: from givry.rennes.enst-bretagne.fr (givry.rennes.enst-bretagne.fr [193.52.74.194]) by laposte.rennes.enst-bretagne.fr (8.11.6p2/8.11.6/2003.04.01) with ESMTP id j71GweJ04796; Mon, 1 Aug 2005 18:58:40 +0200
Received: from givry.rennes.enst-bretagne.fr (localhost.rennes.enst-bretagne.fr [127.0.0.1]) by givry.rennes.enst-bretagne.fr (8.13.1/8.13.1) with ESMTP id j71Gwfo4009006; Mon, 1 Aug 2005 18:58:41 +0200 (CEST) (envelope-from dupont@givry.rennes.enst-bretagne.fr)
Message-Id: <200508011658.j71Gwfo4009006@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: Re: [Hipsec] The HIT prefix once again
In-reply-to: Your message of Mon, 01 Aug 2005 15:52:43 +0200. <A48CA79D-6913-4265-A16F-CF35F2BD04F2@nomadiclab.com>
Date: Mon, 01 Aug 2005 18:58:41 +0200
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 10d3e4e3c32e363f129e380e644649be
Cc: gabriel montenegro <gabriel_montenegro_2000@yahoo.com>, hipsec@ietf.org, Bob Hinden <bob.hinden@nokia.com>
X-BeenThere: hipsec@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hipsec>
List-Post: <mailto:hipsec@lists.ietf.org>
List-Help: <mailto:hipsec-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=subscribe>
Sender: hipsec-bounces@lists.ietf.org
Errors-To: hipsec-bounces@lists.ietf.org
In your previous mail you wrote: I finally had time to read your draft, http://www.ietf.org/internet- drafts/draft-dupont-ipv6-cgpref-01.txt I think you need to have reference to a document that defines how GCIDs are supposed to be used; => the I-D (submitted some weeks after the cgpref one by Gabriel, holidays and deadlines...) is draft-dupont-mip6-privacyext-02.txt I didn't see any. Alone I don't see how you draft would make a compelling case. => there should be a reference to a HIP I-D too. However, going more to the technical level, we may want to share the exactly same name space. => this was I've believed. AFAICT, the HITs and CBIDs are formed as follows: HIT = prefix | encode(hash(public key)) CBID = prefix | encode(hash(any string)) where, in both cases, there prefix defines the 'encode' and 'hash' functions used. In the HIT case the public key must be understood from the context, and AFAICT in the CBID case the "any string" must also be understood from the context. => the 'any string' is in fact PublicKey | imprint_128 It also looks like that we can use the exactly same 'encode' and 'hash' functions, as the requirements for them are the same. => hash() is SHA-1 and encore() is to take the first 112 (128 - prefixlen) first bits. But I agree, this doesn't matter. Initially, we would apparently be just taking the low order bits of the hash as the encoding and use SHA1 as the hash function. Or do you have different requirements? => I've hear it is better to take first bits, at least this is true for pseudo-random numbers... Now, based on that we could share the exactly same name space, i.e., just have a single prefix. One potential complication is that it is much easier to generate arbitrary strings than even short public keys. However, based on my strawperson analysis, that doesn't matter since HIP, by default, expects the HIT to be a hash of a public key and does not accept anything else. Hence, the fact that arbitrary strings are easier to generate that public keys doesn't matter. => we can share the same space if it is always to recognize the case from the context, something which seems to be true. The biggest difference seems to be on our needs w.r.t the time frame for the assignment. I really think that a temporary assignment with the default of the assignment going back by, say, 2009, would be better. In that way that space does not keep assigned if the experimentation fails and it is not used. On the other hand, if any efforts using the space succeed and the space is being used, the space is there and can be used. => this should be part of the negociation. If it makes easier to get a shorter prefix why not? Hence, I think we can go for asking a single shared address space. My proposal is to go for a proposal that says: Assign a /5 provisionally for this use, with the next 3 bits reserved for the case that the existing hash algorithm fails, resulting in /8 which is the only part that gets assigned at this time. If the IPv6 WG feels that assigning a /5 or /8 is too much, then we just need to live with that and live with the lower security level. As I said during the f2f meeting, I am planning to write a short draft on this in the near future but would really appreciate help. => the cgpref I-D is very open but we should not try to defend it as itself, just to defend the idea and to get an IPv6 WG item about it. Thanks Francis.Dupont@enst-bretagne.fr _______________________________________________ Hipsec mailing list Hipsec@lists.ietf.org https://www1.ietf.org/mailman/listinfo/hipsec
- [Hipsec] Type 1 and 2 HITs Julien Laganier
- [Hipsec] Re: Type 1 and 2 HITs Pekka Nikander
- RE: [Hipsec] Re: Type 1 and 2 HITs Henderson, Thomas R
- [Hipsec] The HIT prefix once again (was Re: Re: T… Pekka Nikander
- Re: [Hipsec] The HIT prefix once again (was Re: R… Francis Dupont
- Re: [Hipsec] The HIT prefix once again (was Re: R… Pekka Nikander
- Re: [Hipsec] The HIT prefix once again (was Re: R… Francis Dupont
- Re: [Hipsec] The HIT prefix once again Pekka Nikander
- Re: [Hipsec] The HIT prefix once again Francis Dupont
- Re: [Hipsec] The HIT prefix once again Bob Hinden
- [Hipsec] Type 1 and 2 HITs Petri Jokela