Re: [Hipsec] Adam Roach's No Objection on draft-ietf-hip-rfc4423-bis-19: (with COMMENT)
Miika Komu <miika.komu@ericsson.com> Sun, 06 January 2019 20:16 UTC
From: Miika Komu <miika.komu@ericsson.com>
To: Adam Roach <adam@nostrum.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-hip-rfc4423-bis@ietf.org" <draft-ietf-hip-rfc4423-bis@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, "hipsec@ietf.org" <hipsec@ietf.org>
Thread-Topic: Adam Roach's No Objection on draft-ietf-hip-rfc4423-bis-19: (with COMMENT)
Date: Sun, 06 Jan 2019 20:15:57 +0000
Message-ID: <864b2f60-ea43-3451-a4fb-d6bc6a14b51e@ericsson.com>
References: <152590886238.10463.9438651181532889998.idtracker@ietfa.amsl.com>
In-Reply-To: <152590886238.10463.9438651181532889998.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/G3DwpKm-G8fL4QFSN0TEalWyo8s>
Hi Adam,

On 5/10/18 02:34, Adam Roach wrote:
> Adam Roach has entered the following ballot position for
> draft-ietf-hip-rfc4423-bis-19: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-hip-rfc4423-bis/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks for everyone's work on updating RFC 4423.

thanks for the comments!

> In general, I agree with Mirja's point that section 11 seems a bit disjoint
> from the rest of the document, and would be better served as an appendix. It's
> also somewhat jarring to have a document whose abstract talks about a "new
> namespace" and a "new protocol layer," which goes on to describe conclusions
> from twelve years of deployment experience. I would recommend re-working all
> uses of the word "new" (which, in most cases, can be achieved by either
> removing the word "new" from sentences, or replacing it with "HIP").

Agreed. I replaced "new" (namespace/layer) with "HI/additional" (depending on the context) throughout the document.

> The remainder of my comments are editorial nits.
>
> ---------------------------------------------------------------------------
>
> §2.1:
>
>> +---------------+---------------------------------------------------+
>> | Term          | Explanation                                       |
>> +---------------+---------------------------------------------------+
>> | Public key    | The public key of an asymmetric cryptographic key |
>> |               | pair. Used as a publicly known identifier for     |
>> |               | cryptographic identity authentication. Public is  |
>> |               | a a relative term here, ranging from "known to    |
>> |               | peers only" to "known to the world."              |
>
> Nit: this text contains a doubled "a" ("...a a relative...").

thanks

> ---------------------------------------------------------------------------
> §2.2:
>
> Nit: The change in spacing in this table makes certain terms difficult to read
> (e.g., "HIP base exchange HIP packet" appears to be a single term until the
> table is closely examined.) Consider reverting to the spacing from RFC 4423.

done

> ---------------------------------------------------------------------------
>
> §3.1:
>
>> o The names should have a fixed length representation, for easy
>
> Nit: "fixed-length" is a compound adjective, and should be hyphenated.
> cf. https://www.google.com/search?q=compound+adjective
>
>> (e.g the TCB).
>
> Nit: The conventional form would call for "(e.g., the TCB)"
> cf. https://www.google.com/search?q="e.g."+punctuation+comma
>
>> o The names should be long lived, but replaceable at any time. This
>
> "long-lived"
>
>> designed, it can deliver all of the above stated requirements.
>
> "above-stated"

fixed, thanks

> ---------------------------------------------------------------------------
>
> §4:
>
>> In theory, any name that can claim to be 'statistically globally
>> unique' may serve as a Host Identifier. In the HIP architecture, the
>> public key of a private-public key pair has been chosen as the Host
>> Identifier because it can be self managed and it is computationally
>
> "self-managed"

fixed

> ---------------------------------------------------------------------------
>
> §6.5:
>
>> The control plane between two hosts is terminated using a secure two
>> message exchange as specified in base exchange specification
>
> "two-message"

fixed

> ---------------------------------------------------------------------------
>
> §7:
>
>> control plane, protected by asymmetric key cryptography. Also, S-RTP
>> has been considered as the data encapsulation protocol [hip-srtp].
>
> "SRTP" rather than "S-RTP".

fixed

> ---------------------------------------------------------------------------
>
> §8:
>
>> Besides this "native" NAT traversal mode for HIP, other NAT traversal
>> mechanisms have been successfully utilized, such as Teredo
>> [varjonen-split].
>
> Please cite RFC 4380 for "Teredo." e.g.:
>
> Besides this "native" NAT traversal mode for HIP, other NAT traversal
> mechanisms have been successfully utilized, such as Teredo [RFC4380],
> as described in [varjonen-split].

changed this to: such as Teredo [RFC4380] (as described in further detail in [varjonen-split]).

> ---------------------------------------------------------------------------
>
> §8:
>
>> can map to a single IP address on a NAT, simplifying connections on
>> address poor NAT interfaces. The NAT can gain much of its knowledge
>
> "address-poor"

fixed

> ---------------------------------------------------------------------------
>
> §11.1:
>
>> Considering such human errors, a site
>> employing location-independent identifiers as promoted by HIP may
>> experience less problems while renumbering their network.
>
> "...experience fewer problems..."
>
>> o HITs (or LSIs) can be used in IP-based access control lists as a
>> more secure replacement for IPv6 addresses. Besides security, HIT
>> based access control has two other benefits.
>
> "HIT-based"
>
>> environments. For instance, the benefits of HIT based access
>
> "HIT-based"

fixed

> ---------------------------------------------------------------------------
>
> §11.2:
>
>> The key exchange introduces some extra latency (two round trips) in
>> the initial transport layer connection establishment between two
>
> "transport-layer"

fixed

>> keys and Diffie-Hellman key derivation at the control plane, but this
>> occurs only during the key exchange, its maintenance (handoffs,
>> refreshing of key material) and tear down procedures of HIP
>
> "tear-down"

fixed

> ---------------------------------------------------------------------------
>
> §11.3.1:
>
>> Networks [henderson-vpls] to facilitate, e.g, supervisory control and
>
> "e.g.,"

fixed

> ---------------------------------------------------------------------------
>
> §11.4:
>
>> A HI is a cryptographic public key. However, instead of using
>> the keys directly, most protocols use a fixed size hash of the
>> public key.
>
> "fixed-size"
>
>> HIP provides both stable and temporary Host Identifiers.
>> Stable HIs are typically long lived, with a lifetime of years
>
> "long-lived"
>
>> network services. Additionally, the Host Identifiers, as
>> public keys, are used in the built in key agreement protocol,
>
> "built-in"
>
>> HIP reduces dependency on IP addresses, making the so called
>
> "so-called"

fixed

> ---------------------------------------------------------------------------
>
> §12.1:
>
>> Other types of MitM attacks against HIP can be mounted using ICMP
>> messages that can be used to signal about problems. As a overall
>
> "...an overall..."
>
>> be aborted after some retries). As a drawback, this leads to an
>> 6-way base exchange which may seem bad at first. However, since this
>
> "...a 6-way..."

fixed. Thanks!