Re: [Hipsec] The HIT prefix once again
Pekka Nikander <pekka.nikander@nomadiclab.com> Mon, 01 August 2005 13:53 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Dzaj2-0001Ba-JT; Mon, 01 Aug 2005 09:53:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Dzaj1-00019i-75 for hipsec@megatron.ietf.org; Mon, 01 Aug 2005 09:53:03 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA09536 for <hipsec@ietf.org>; Mon, 1 Aug 2005 09:53:01 -0400 (EDT)
Received: from n2.nomadiclab.com ([193.234.219.2]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1DzbFJ-0001bR-27 for hipsec@ietf.org; Mon, 01 Aug 2005 10:26:25 -0400
Received: from [127.0.0.1] (localhost [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id 29EFA212C72; Mon, 1 Aug 2005 16:52:43 +0300 (EEST)
In-Reply-To: <200507310744.j6V7iWl6004438@givry.rennes.enst-bretagne.fr>
References: <200507310744.j6V7iWl6004438@givry.rennes.enst-bretagne.fr>
Mime-Version: 1.0 (Apple Message framework v733)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <A48CA79D-6913-4265-A16F-CF35F2BD04F2@nomadiclab.com>
Content-Transfer-Encoding: 7bit
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: Re: [Hipsec] The HIT prefix once again
Date: Mon, 01 Aug 2005 15:52:43 +0200
To: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
X-Mailer: Apple Mail (2.733)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e8a67952aa972b528dd04570d58ad8fe
Content-Transfer-Encoding: 7bit
Cc: gabriel montenegro <gabriel_montenegro_2000@yahoo.com>, hipsec@ietf.org, Bob Hinden <bob.hinden@nokia.com>
X-BeenThere: hipsec@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hipsec>
List-Post: <mailto:hipsec@lists.ietf.org>
List-Help: <mailto:hipsec-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=subscribe>
Sender: hipsec-bounces@lists.ietf.org
Errors-To: hipsec-bounces@lists.ietf.org
Bob, Do you want me to put up a slide or two on this at the end of the IPv6 WG tomorrow? Or would it be better to have a more compelling draft (than the one by Francis) first? Francis, I finally had time to read your draft, http://www.ietf.org/internet- drafts/draft-dupont-ipv6-cgpref-01.txt I think you need to have reference to a document that defines how GCIDs are supposed to be used; I didn't see any. Alone I don't see how you draft would make a compelling case. However, going more to the technical level, we may want to share the exactly same name space. AFAICT, the HITs and CBIDs are formed as follows: HIT = prefix | encode(hash(public key)) CBID = prefix | encode(hash(any string)) where, in both cases, there prefix defines the 'encode' and 'hash' functions used. In the HIT case the public key must be understood from the context, and AFAICT in the CBID case the "any string" must also be understood from the context. It also looks like that we can use the exactly same 'encode' and 'hash' functions, as the requirements for them are the same. Initially, we would apparently be just taking the low order bits of the hash as the encoding and use SHA1 as the hash function. Or do you have different requirements? Now, based on that we could share the exactly same name space, i.e., just have a single prefix. One potential complication is that it is much easier to generate arbitrary strings than even short public keys. However, based on my strawperson analysis, that doesn't matter since HIP, by default, expects the HIT to be a hash of a public key and does not accept anything else. Hence, the fact that arbitrary strings are easier to generate that public keys doesn't matter. The biggest difference seems to be on our needs w.r.t the time frame for the assignment. I really think that a temporary assignment with the default of the assignment going back by, say, 2009, would be better. In that way that space does not keep assigned if the experimentation fails and it is not used. On the other hand, if any efforts using the space succeed and the space is being used, the space is there and can be used. Hence, I think we can go for asking a single shared address space. My proposal is to go for a proposal that says: Assign a /5 provisionally for this use, with the next 3 bits reserved for the case that the existing hash algorithm fails, resulting in /8 which is the only part that gets assigned at this time. If the IPv6 WG feels that assigning a /5 or /8 is too much, then we just need to live with that and live with the lower security level. As I said during the f2f meeting, I am planning to write a short draft on this in the near future but would really appreciate help. --Pekka _______________________________________________ Hipsec mailing list Hipsec@lists.ietf.org https://www1.ietf.org/mailman/listinfo/hipsec
- [Hipsec] Type 1 and 2 HITs Julien Laganier
- [Hipsec] Re: Type 1 and 2 HITs Pekka Nikander
- RE: [Hipsec] Re: Type 1 and 2 HITs Henderson, Thomas R
- [Hipsec] The HIT prefix once again (was Re: Re: T… Pekka Nikander
- Re: [Hipsec] The HIT prefix once again (was Re: R… Francis Dupont
- Re: [Hipsec] The HIT prefix once again (was Re: R… Pekka Nikander
- Re: [Hipsec] The HIT prefix once again (was Re: R… Francis Dupont
- Re: [Hipsec] The HIT prefix once again Pekka Nikander
- Re: [Hipsec] The HIT prefix once again Francis Dupont
- Re: [Hipsec] The HIT prefix once again Bob Hinden
- [Hipsec] Type 1 and 2 HITs Petri Jokela