Re: [Hipsec] clarification on HIT Suite IDs

[Julien Laganier <julien.ietf@gmail.com>]

Hi Tom,

Please see inline.

On Tue, Sep 23, 2014 at 10:39 AM, Tom Henderson <tomh@tomh.org> wrote:
> Hi Julien,
>
> I agree generally with your recommendations but I have a modified proposal
> (below):
>
> On 09/23/2014 07:49 AM, Julien Laganier wrote:
>
> <snip>
>>
>>
>> The statement about using more bits of the ORCHID to encode a HIT
>> suite ID seems to be factually incorrect, or at least it isn't
>> supported by the ORCHIDv2 generation scheme as published in RFC 7343.
>>
>> Since this document (5201-bis) doesn't seem to be the right place to
>> specify (future) ORCHID generation (a revision of ORCHIDv2 would), I'd
>> like to suggest that plans for future enhancements be removed from the
>> paragraph, and to only keep text necessary to ensure future
>> enhancements are not prevented. For this, reserving the value zero
>> seems to be enough. (and Appendix E already has a discussion of OGA ID
>> reuse for the purpose of ID space exhaustion).
>>
>> Accordingly, the paragraph would read:
>>
>>       The ID field in the HIT_SUITE_LIST is defined as eight-bit field as
>>       opposed to the four-bit HIT Suite ID and OGA field in the ORCHID.
>>       This difference is a measure to accommodate larger HIT Suite IDs if
>>       the 16 available values prove insufficient.  Hence, the
>>       current four-bit HIT Suite-IDs only use the four higher order bits
>> in
>>       the ID field.  Future documents may define the use of the four
>> lower-
>>       order bits in the ID field.
>
>
> What I think is still lacking in the draft is a clear distinction between
> the OGA ID and the HIT Suite ID, and perhaps some clearer wording that the
> ID field in the HIT_SUITE_LIST is not yet another parameter needing a
> registry.
>
> HIT Suite IDs are a combination of hash function, HMAC, and signature
> algorithm(s).  Francis stated that they are an extension of (or derived
> from) the OGA ID.  The HIT_SUITE_LIST IDs are specific eight-bit encodings
> of the HIT Suite ID values.

I may be lacking the background behind tying the OGA ID to the HIT
suite ID, but IMHO it makes little sense to tie an identifier for a
combination of hash, HMAC, and signature (the HIT Suite ID), with that
of the identifier for a hash function (the OGA ID), especially when
the ID space for the latter is of such a small size.

It implies that if we wanted to create a new HIT suite that just
changes the signature algorithm, because the hash function in use is
still perfectly good, we in effect burn one OGA ID in the small
15-number space for no extra hash agility w.r.t ORCHID. To me it seems
like a bad thing to do.

Why can't the HIP specification  creates a HIP registry for its OGA
ID, and allocate value 1, 2, and 3 to the OGA SHA256, SHA384 and SHA1
on one hand, and on the other hand define a HIP registry for the HIT
suite, and allocate ID 1, 2 and 3 as follows:

        HIT Suite
        RESERVED                                            0
        RSA,DSA/SHA-256/OGAID1                  1
        ECDSA/SHA-384/OGAID2                      2
        ECDSA_LOW/SHA-1/OGAID3               3

This decouples the burn rate for the HIT suites from that of the OGA
ID (small) space, thus making it possible to define in the future HIT
suite 4 with ECDSA/SHA-512 but still OGAID1....

> Accordingly, would you agree to a modification to your proposal, as follows?
>
>      The ID field in the HIT_SUITE_LIST is an eight-bit field that
>      encodes a HIT Suite ID value in its higher-order four bits,
>      leaving the lower-order four bits reserved.  The encoding is
>      a measure to allow for possibly larger HIT Suite IDs in the
>      future, although such expansion is outside the scope of this
>      document.  The lower-order four bits of the ID field are set
>      to zero by the sender and ignored by the receiver.
>
>      The HIT Suite IDs are an expansion of the OGA IDs that denote
>      which hash function corresponds to a given HIT.  The OGA ID
>      encodes, in four bits, the value of the HIT Suite ID that
>      corresponds to the hash function (and other algorithms) in use.
>      A registry for the OGA ID is not separately established since
>      the values are aligned with those of the HIT Suite ID.
>
>      The four-bit OGA ID field only permits 15 HIT Suite IDs
>      (the HIT Suite ID with value 0 is reserved) to be used at
>      the same time.  If 15 Suite IDs prove to be insufficient,
>      future documents will specify how additional values can
>      be accommodated.

If a receiver ignores the low order four bits of the suite ID field,
if in the future we decide to use the remaining low order four bits,
won't they be required to be used with the reserved value zero for the
4 high order bits?

That would limit the HIP Suite ID to a total of 31 legitimate values
instead of the full 255 available. Shouldn't we rather have a receiver
treat the low order bits not set to zero as an error instead?

--julien