[Hipsec] HIP-DEX revised I-D before next IESG evaluation

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 14 July 2020 14:41 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "hipsec@ietf.org" <hipsec@ietf.org>
CC: "rgm@labs.htt-consult.com" <rgm@labs.htt-consult.com>, "rene.hummen@belden.com" <rene.hummen@belden.com>, "miika.komu@ericsson.com" <miika.komu@ericsson.com>, "gonzalo.camarillo@ericsson.com" <gonzalo.camarillo@ericsson.com>, Eric Rescorla <ekr@rtfm.com>, Roman Danyliw <rdd@cert.org>, Benjamin Kaduk <kaduk@mit.edu>
Date: Tue, 14 Jul 2020 14:40:33 +0000
Message-ID: <E0CA3568-D4B5-4B12-9D8B-1DE90E21BB3F@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/DiQOmTeh0lrx1bOe8tzIE8ez8r4>

Dear WG, dear authors, dear SEC AD,

As you have noticed, I had to remove HIP-DEX from this week's telechat: partially because there were too many IETF drafts to be reviewed by the IESG this week (Area Directors are human beings 😉 ) but also because some previously raised issues (IETF Last Call of 2020, ...) are not yet addressed.

Eric Rescorla (in copy) still has two unaddressed points, see below. Those points appear serious to me and should be fixed in a revised I-D if the WG/authors want to keep the RFC status of “proposed standard”.

Lack of forward secrecy
=======================

The following text in section 1.2 (applicability) appears not to be fully correct:
  “Since the resulting "FS" key, likely produced
   during device deployment, would typically end up being used for the
   remainder of the device's lifetime.  Since this key (or the
   information needed to regenerate it) persists for the device's
   lifetime, the key step of 'throw away old keys' in achieving forward
   secrecy does not occur, thus the forward secrecy would not be
   obtained in practice.”

Eric Rescorla’s suggestion: “... It is actually straightforward to get FS even under conditions where you do not do a new DH exchange by hashing the existing keys forward, as is done in TLS 1.3...”. Was this possibility analyzed for HIP DEX?

Eric also added the following:
“...t still does not provide PFS and yet provides parameter choices that clearly underperform a PFS exchange with state of the art algorithms, at least in terms of computation (P-384 versus X25519). Absent some clear statement of the performance boundaries (as with done in LAKE) ...” and indeed the Lightweight Authenticated Key Exchange (LAKE) WG appears to also work in a constrained environment.

“...However this document defines an array of algorithm choices, with the slower algorithms (P-384) being quite a bit slower than X25519, with the result that a PFS handshake with X25519 is probably as fast as a non-PFS handshake with P-384 if not faster (indeed almost as fast as one with P-256) which undercuts the argument that a non-PFS AKE is needed for performance. It's of course possible that there is some set of performance conditions in which non-PFS P-384 makes sense and which PFS X25519 does not, but this document does not provide analysis sufficient to draw that conclusion, and indeed the text in S 1.2, which focuses entirely on CPU, suggests the contrary....”

Missing FOLD analysis
=====================

Eric Rescorla: “... It still defines the unanalyzed FOLD algorithm without any real analysis demonstrating that it is secure in this context....”
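As an added illustration of the "hash the existing keys forward" idea raised in the forward-secrecy point above (example code written for this page, not part of this message, of HIP-DEX or of TLS 1.3): each epoch derives a fresh traffic key and a next chain key from the current chain key with a one-way KDF and then discards the current one, so a later compromise of the stored chain key yields only that epoch's keys onward. The HKDF labels, salt and initial secret are constructed assumptions.

```python
import hashlib
import hmac

# Hash-forward key ratchet: no new DH exchange, only a one-way derivation per
# epoch. Labels, salt and the initial secret are constructed for this example;
# they are not HIP-DEX or TLS 1.3 constants.

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i), T(0) = ""."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def ratchet(chain_key: bytes) -> tuple[bytes, bytes]:
    """One ratchet step: (traffic_key, next_chain_key) derived from chain_key.

    The caller keeps only next_chain_key and erases chain_key. Because HKDF is
    one-way, next_chain_key reveals neither chain_key nor this traffic_key.
    """
    prk = hkdf_extract(b"example-ratchet-salt", chain_key)   # constructed salt
    traffic_key = hkdf_expand(prk, b"traffic key", 32)       # constructed label
    next_chain_key = hkdf_expand(prk, b"next chain key", 32) # constructed label
    return traffic_key, next_chain_key


def traffic_keys(initial_chain_key: bytes, epochs: int) -> list[bytes]:
    """Run the ratchet for `epochs` steps; return the per-epoch traffic keys."""
    keys, chain_key = [], initial_chain_key
    for _ in range(epochs):
        traffic_key, chain_key = ratchet(chain_key)   # old chain key dropped
        keys.append(traffic_key)
    return keys


def recover_from_compromise(stolen_chain_key: bytes, epochs: int) -> list[bytes]:
    """Everything derivable from a chain key captured at some epoch: the traffic
    keys of that epoch and later ones, never the earlier (already erased) ones."""
    return traffic_keys(stolen_chain_key, epochs)
```

The forward-secrecy property this buys is only against compromise of the *current* chain key; if the long-lived secret that seeded the chain (the "FS" key the draft text discusses) is itself retained and later leaked, the whole chain is recomputable, which is exactly the gap the quoted section 1.2 text describes.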