IETF Logo Mail Archive

Re: [Hipsec] Antwort: Re: clarification on HIT Suite IDs

Julien Laganier <julien.ietf@gmail.com> Mon, 29 September 2014 17:53 UTC

Return-Path: <julien.ietf@gmail.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AA451A8A76 for <hipsec@ietfa.amsl.com>; Mon, 29 Sep 2014 10:53:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SGECm4DI3g4P for <hipsec@ietfa.amsl.com>; Mon, 29 Sep 2014 10:53:56 -0700 (PDT)
Received: from mail-lb0-x22b.google.com (mail-lb0-x22b.google.com [IPv6:2a00:1450:4010:c04::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2046A1A8A27 for <hipsec@ietf.org>; Mon, 29 Sep 2014 10:53:55 -0700 (PDT)
Received: by mail-lb0-f171.google.com with SMTP id l4so18239432lbv.2 for <hipsec@ietf.org>; Mon, 29 Sep 2014 10:53:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=e8HrmGO3i5tjojnQQyfFmNBvwHDcI8zTWyxpGVxm9Gg=; b=E5G93di2lytXijajGaF2pWd7QvNYD6jUA+dgCpH4bJIkk6873uFXWFX12DQ19q0alW Q1l9zBzMWubK5fPrmKjdC/j+MzHfvf2PNOX0hsjz/br2fMIxYCDUOz7TeEDrhLfCSK4w 8azZ5xmo3dPRi4mxjJUVRKvE16m/rT4r6YYeizS/AeUBJKqUcACrCM+q4YLsSfcOSS+s imdtSPUFp4ZMW0Jl9duXXHFex61LIDWTW35KbnBBgP7mfSE7wOoEFJS2RW8YVkZW6EUo d/jrfLMu7g5VTgkTzfUoT6lkJnJguBYDYhwqNxGYia5526L+vlQKmrrW+4cty7fLyxd7 HpoQ==
MIME-Version: 1.0
X-Received: by 10.112.161.70 with SMTP id xq6mr39498783lbb.49.1412013234416; Mon, 29 Sep 2014 10:53:54 -0700 (PDT)
Received: by 10.25.210.4 with HTTP; Mon, 29 Sep 2014 10:53:54 -0700 (PDT)
In-Reply-To: <542991A8.4020908@tomh.org>
References: <5420863E.1060608@tomh.org> <20140922212826.5048E216C3B@bikeshed.isc.org> <54210668.4050605@tomh.org> <20140923112746.EA16C216C3B@bikeshed.isc.org> <OFD6408C65.060C7582-ONC1257D62.005816DE-C1257D62.0059BBB9@belden.com> <542991A8.4020908@tomh.org>
Date: Mon, 29 Sep 2014 10:53:54 -0700
Message-ID: <CAE_dhjtRkfx+hZ512d1+CMCdpJJx8-ja4nwT=XAi_YC68L4LcA@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: Tom Henderson <tomh@tomh.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/QxtXDLuHbA1j4PxeVwXyZPn2UZo
Cc: HIP <hipsec@ietf.org>, Francis Dupont <fdupont@isc.org>
Subject: Re: [Hipsec] Antwort: Re: clarification on HIT Suite IDs
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Sep 2014 17:53:59 -0000

Hi Tom,

FWIW your proposal looks good to me.

--julien

On Mon, Sep 29, 2014 at 10:06 AM, Tom Henderson <tomh@tomh.org> wrote:
> On 09/29/2014 09:20 AM, Tobias.Heer@Belden.com wrote:
>>
>> Hello,
>>
>> I'd like to confirm some of your statements. The thought was really to
>> show both options a) reuse of OGAs and b) what could happen if we need
>> more bits. However, the wording and the current set of IDs was chosen so
>> that it discourages the use of more IDs at the same time so the option
>> to take more bits from the OGA was really just a last resort. Nothing
>> anybody would really want.
>>
>> See my comments below.
>>
>>
>>
>>
>> Von: Francis Dupont <fdupont@isc.org>
>> An: Tom Henderson <tomh@tomh.org>,
>> Kopie: HIP <hipsec@ietf.org>, Francis Dupont <fdupont@isc.org>,
>> julien.ietf@gmail.com
>> Datum: 26.09.2014 12:39
>> Betreff: Re: [Hipsec] clarification on HIT Suite IDs
>> Gesendet von: "Hipsec" <hipsec-bounces@ietf.org>
>> ------------------------------------------------------------------------
>>
>>
>>
>> Tom Henderson writes:
>>  >        For the time being, the HIT Suite uses only four bits because
>>  >        these bits have to be carried in the HIT.  Using more bits for
>> the
>>  >        HIT Suite ID reduces the cryptographic strength of the HIT.
>>
>> => yes, there is a long discussion in RFC 7343 about this tradeoff.
>>
>>  > which implied to me that the HIT suite ID may in the future consume
>> more
>>  > bits presently allocated to hash.
>>
>> => the fact the problem could exist doesn't mean it will exist...
>>
>> TH=> This was just to cover all options. It is not a desired or intended
>> action.
>
>
> There is discussion of this in the IANA considerations section; perhaps this
> could be modified as follows:
>
> Old text:
>
>       If 16 Suite IDs prove insufficient and
>       more HIT Suite IDs are needed concurrently, more bits can be used
>       for the HIT Suite ID by using one HIT Suite ID (0) to indicate
>       that more bits should be used.  The HIT_SUITE_LIST parameter
>       already supports 8-bit HIT Suite IDs, should longer IDs be needed.
>       Possible extensions of the HIT Suite ID space to accommodate eight
>       bits and new HIT Suite IDs are defined through IETF Review.
>
> New text:
>
>       If 15 Suite IDs (the zero value is initially reserved) prove
>       to be insufficient and
>       more HIT Suite IDs are needed concurrently, more bits can be used
>       for the HIT Suite ID by using one HIT Suite ID (0) to indicate
>       that more bits should be used.  The HIT_SUITE_LIST parameter
>       already supports 8-bit HIT Suite IDs, should longer IDs be needed.
>       However, RFC 7343 does not presently support such an extension,
>       and the rollover approach described in Appendix E is suggested to
>       be tried first.
>       Possible extensions of the HIT Suite ID space to accommodate eight
>       bits and new HIT Suite IDs are defined through IETF Review.
>
>
>
>>
>>  > > So there is nothing very clear about what will happen if one will
>> need
>>  > > more than 15 HIT Suite-IDs... BTW according to appendix E I should
>> add
>>  > > "at the same time" (appendix E proposes to reuse values, making
>> unlikely
>>  > > to really need more than 15 values).
>>  >
>>  > I'm not sure where you are proposing to add the clause; can you point
>>  > out the sentence?
>>
>> => one will need more than 15 HIT Suite-IDs ->
>> one will need more than 15 HIT Suite-IDs at the same time
>>
>> TH=> Exactly. The intention is to reuse the HIT Suite IDs once they are
>> reasonably out of use. Appendix E describes this rollover.
>
>
> So for this proposal by Francis, we would change Appendix E text from:
>
>    Since
>    the 4-bit OGA field only permits 15 HIT Suites (the HIT Suite with ID
>    0 is reserved) to be used in parallel, phased-out HIT Suites must be
>    reused at some point.  In such a case, there will be a rollover of
>
> to:
>
>    Since
>    the 4-bit OGA field only permits 15 HIT Suites to be used at the
>    same time (the HIT Suite with ID 0 is reserved), phased-out HIT
>    Suites must be
>    reused at some point.  In such a case, there will be a rollover of
>
>>
>>  > > => no, the current choice makes more sense with the HIT Suite-IDs
>>  > > from OGAs. But it is a matter of taste for sure...
>>  >
>>  > Perhaps we could start by trying to resolve whether the plan should be
>>  > to reuse four-bit values if the space is eventually exceeded, or
>> whether
>>  > the HIT suite ID may grow in the future (and how that affects the
>>  > ORCHID).
>>
>> => clearly the current plan is the first (reuse 4 bit values).
>> The second is just a provision in the case the first fails.
>>
>> TH=> Yes. I can confirm this.
>>
>>  > Maybe we do not need to specify the plan in this draft; maybe
>>  > we could just avoid the problem for now and just keep value 0 reserved
>>  > and state that what to do when the HIT_SUITE_ID space is exhausted is
>>  > for further study, with deprecated value reuse and expansion of the HIT
>>  > Suite ID being two possibilities.
>>
>> => perhaps it was considered as too optimistic? BTW I have no idea
>> about the future need in new values in the HIT_SUITE_ID / OGA space
>> (but does somebody already have one?)
>>
>> TH=> I am fine with not specifying the extension of the ID but to leave
>> 0 as reserved instead.
>
>
> Julien suggested that if we consider non-zero bits as an error at the
> receiver, it may facilitate use of the four non-zero high-order bits in
> future extensions.
>
> in 5.2.10, it says:
>
>                     The four
>                     lower-order bits are reserved and set to 0 and
>                     ignored by the receiver.
>
> The proposal would be to change this to:
>
>                     The four
>                     lower-order bits are reserved and set to 0 by
>                     the sender.   The reception of an ID with
>                     the four lower-order bits not set to 0 should be
>                     considered as an error that MAY result in a
>                     NOTIFICATION of type UNSUPPORTED_HIT_SUITE.
>
> Any comments/concerns with this potential change?
>
>>
>>  > Another basic question I have is whether the table 11 in Appendix E
>>  > should be merged with the unlabeled table at the end of 5.2.10 (and
>>  > located in 5.2.10), and whether Appendix E text in general ought to be
>>  > brought forward in the draft to section 3.2 and/or 5.2.10.
>>
>> => it is a question for the hipsec mailing list (I subscribed to it
>> but from my personal e-mail).
>>
>> TH=> Moving the table to 5.2.10 is fine from my perspective.
>
>
> I tend to prefer this; I will work up a proposal for this.
>
> - Tom
>
>

v2.23.0 | Report a Bug | By Email