Re: [Hipsec] Benjamin Kaduk's Discuss on draft-ietf-hip-dex-13: (with DISCUSS and COMMENT)
Robert Moskowitz <rgm@labs.htt-consult.com> Fri, 20 March 2020 18:31 UTC
Return-Path: <rgm@labs.htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03BC3A0DBD; Fri, 20 Mar 2020 11:31:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fDXU-A0iwCo4; Fri, 20 Mar 2020 11:31:43 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73F243A0DF4; Fri, 20 Mar 2020 11:31:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id A2E02621A0; Fri, 20 Mar 2020 14:31:41 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id c+39Nnr2G8js; Fri, 20 Mar 2020 14:31:20 -0400 (EDT)
Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 55C126212E; Fri, 20 Mar 2020 14:31:20 -0400 (EDT)
From: Robert Moskowitz <rgm@labs.htt-consult.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
Cc: draft-ietf-hip-dex@ietf.org, hip-chairs@ietf.org, hipsec@ietf.org, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>
References: <158334389700.29463.11015652778464092751@ietfa.amsl.com> <2b32b723-65f1-12f1-9531-fc81528a207f@labs.htt-consult.com> <f905267c-3c81-2b6c-b6a8-bd52d6bb9cda@labs.htt-consult.com>
Message-ID: <4a14fab8-fbb2-0d86-8a7f-7635bc457af0@labs.htt-consult.com>
Date: Fri, 20 Mar 2020 14:31:13 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <f905267c-3c81-2b6c-b6a8-bd52d6bb9cda@labs.htt-consult.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/UABLJmtqYu-zvXP6l4vszkl3MME>
Subject: Re: [Hipsec] Benjamin Kaduk's Discuss on draft-ietf-hip-dex-13: (with DISCUSS and COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 18:32:02 -0000
Ben, In ver 18 I have replaced "Perfect Forward Secrecy" with "Forward Secrecy". That seems to be a consensus on saag. Please let me know where you stand on my various responses. Thank you Bob On 3/18/20 11:50 AM, Robert Moskowitz wrote: > I have pushed out ver 17 > > I believe with this I have done my best at answering all the AD > questions/comments. > > At least one open item on the octet encoding. > > Please review this version and my responses to Roman and Ben and let's > collect the last set of changes to wrap this up. > > > > On 3/9/20 4:00 PM, Robert Moskowitz wrote: >> >> >> On 3/4/20 12:44 PM, Benjamin Kaduk via Datatracker wrote: >>> Benjamin Kaduk has entered the following ballot position for >>> draft-ietf-hip-dex-13: Discuss >>> >>> When responding, please keep the subject line intact and reply to all >>> email addresses included in the To and CC lines. (Feel free to cut this >>> introductory paragraph, however.) >>> >>> >>> Please refer to >>> https://www.ietf.org/iesg/statement/discuss-criteria.html >>> for more information about IESG DISCUSS and COMMENT positions. >>> >>> >>> The document, along with other ballot positions, can be found here: >>> https://datatracker.ietf.org/doc/draft-ietf-hip-dex/ >>> >>> >>> >>> ---------------------------------------------------------------------- >>> DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> This is a placeholder discuss, intended to illustrate several key >>> omissions from the current document and as an indication that it is not >>> yet ready for full IESG Evaluation. In that vein, I will defer the >>> evaluation shortly, to attempt to short-circuit the current round of >>> evaluation while the draft improves. In particular, this is not >>> intended to be a complete review of the document. >>> >>> The FOLD scheme for compressing full host identities into ORCHIDs/HITs >>> is pretty problematic. The current text acknowledges that collisions >>> are possible and attempts to justify the scheme by pointing out that no >>> collision-free scheme is possible absent a cryptographic hash, which is >>> an appeal to authority ("we can't use a cryptographic hash on >>> constrained systems") that does not attempt to answer the question of >>> whether it is actually reasonable to use a mechanism that allows >>> collisions for this purpose (vs. just not being able to do anything). >>> Additionally, there is not any discussion of second-preimage >>> resistance, >>> which is the more important property here, in terms of an attacker >>> being >>> able to construct a collision with an existing HIT of an honest node. >> >> In my humble opinion, second-preimage attack defense will be the same >> as any attack against the HI -> HIT mapping function. >> >> The only place HITs are used in HIP unauthenticated is in the initial >> I1 - I2 part of the exchange. By the R2, everything is >> authenticated. All other HIP messages containing HITs are >> authenticated. >> >> So the attack is slipping in a HI-HIT mapping that is malicious. Per >> Roman's comments, I will be adding to the I2 and R2 processing to >> validate this mapping. >> >> HIP has always had to handle probabilistic collisions. DEX now >> requires checking for collisions as critical (via ACLs or other >> mechanisms). I will see to adding text. >> >> Operationally, the challenge is in those low level sensors that have >> no way to have an ACL set up for the servers/gateways that they are >> connected to. But this is true even for BEX. So inclusion of the >> password authentication is part of the critical behavior is ACL or >> similar HI-HIT mappings are not possible (sensors with no out-of-band >> update mechanism). We are always twisting ourselves in the >> chicken-and-egg problem with these devices. >> >>> In a related vein, Section 3.2.1 claims that the above concerns can be >>> remediated by deployment of a collision detection scheme, "achieved >>> here >>> through either an ACL or some other lookup process". This process is >>> vital to the security of the system as a whole, and it would be >>> irresponsible to publish this document without a precise specification >>> of what properties are needed in order to perform this process, as well >>> as a worked example that can be used absent other considerations. >> >> I will be adding this per Roman's comments. Most will be in the I2 >> and R2 processing. > > Done. See 7.1 > >> >> >>> Given that the applicability statement ("in communicating with such >>> constrained devices") implies that there is intent to have >>> full-featured >>> nodes that implement both HIP DEX and HIP BEX, I think we need >>> significantly more discussion of how such nodes avoid using DEX in >>> situations where it was not appropriate. That is, how is it known that >>> the peer should be using DEX vs. BEX? Yes, the HIT includes an >>> indication of whether the identity is for use with DEX vs. BEX, but >>> that >>> does not seem like quite the relevant property. Do we envision >>> scenarios where a node is positioned somewhat like a gateway, using DEX >>> on one interface and BEX to the broader internet? >> >> >> Yes to the gateway situation. Or the sensor has E2E DEX connection >> to the central server somewhere on the greater Internet. >> >> Perhaps text that limits DEX on non-constrained nodes for use with >> peers in the DEX ACL (or other equivalent control mechanism). > > See 7.1 and last sentence of 1.2 > >> >>> Using AES-CTR with the long-term static-static master key requires >>> careful tracking of counter (sequence) number to nonvolatile >>> storage. I >>> did not see discussion of the security consequences of inadvertent >>> counter reuse. >> >> I will look at this and see what I can add. > > See changes to 6.11 and last bullet point in Sec Considerations. > >> >>> I appreciate the design to limit use of the long-term static-static >>> master key to essentially just key-wrap operations, but this seems to >>> require the presence of a CSPRNG in order to obtain secure session >>> keys. >>> Expecting a strong CSPRNG on a node so constrained that DEX is >>> necessary >>> seems to be a questionable assumption, and I see no discussion of the >>> need for a good RNG. (Relying on the full-featured peer to contribute >>> good entropy to the key derivation is not an option, since DEX is >>> allowed to be used between two nodes that are both constrained.) >> >> The current text is: >> >> o The strength of the keys for the Pair-wise Key SA is based on the >> quality of the random keying material generated by the Initiator >> and the Responder. As either peer may be a sensor or an actuator >> device, there is a natural concern about the quality of its random >> number generator. >> >> Changed to: >> >> o The strength of the keys for both the Master and Pair-wise Key SAs >> is based on the quality of the random keying material generated by >> the Initiator and the Responder. As either peer may be a sensor >> or an actuator device, there is a natural concern about the >> quality of its random number generator. Thus at least a CSPRNG >> SHOULD be used. >> >>> The default KEYMAT algorithm uses the "CKDF" (CMAC-based KDF) >>> construction, analogous to HKDF (RFC 5869). However, the paper >>> motivating 5869's design choices does not seem to justify the usage of >>> CMAC instead of HMAC, since the proof requires a PRF* but CMAC (with >>> AES) is only a PRP. Absent some detailed justification or prior art it >>> does not seem prudent to use such a novel construction for >>> security-critical functionality. >> >> The CKDF design comes from NIST SP800-108. I had extensive >> discussions with NIST and the 5869 authors at the DEX design time. >> These points were discussed and considered that CKDF is a prudent >> design. >> >> >>> ---------------------------------------------------------------------- >>> COMMENT: >>> ---------------------------------------------------------------------- >>> >>> Some additional comments (also incomplete), since they were already >>> written. >>> It would be reasonable to ignore for now any that don't make sense or >>> are on parts of the text likely to change as a result of the >>> higher-level discussion. >>> >>> Abstract >>> >>> My preference is to just use "forward secrecy" rather than "perfect >>> forward secrecy", as perfection is hard to attain. >> >> I am all for that! My Jewish Orthodox background makes me cringe at >> the use of PFS. No such thing in this world (btw, I also cringe at >> the common use of "awesome")... >> >> If there is consensus to drop PFS from all IETF standards, I will >> replace "perfect forward secrecy" with "forward secrecy" and PFS with >> just the full verbiage as FS does not seem to be meaningful. > > It is too late in IETF usage to change. We live with it. > >> >> >>> Section 1.1 >>> >>> HIP DEX operationally is very similar to HIP BEX. Moreover, the >>> employed model is also fairly equivalent to 802.11-2007 >>> [IEEE.802-11.2007] Master Key and Pair-wise Transient Key, but >>> handled in a single exchange. >>> >>> 802.11 security does not exactly have a shiny track record... >> >> You want to see the "smoking gun" document on WEP design from Nov >> '94? I have it. >> >> The point is the Master key and Pair-wise key design. Not >> necessarily how they were constructed. I also published the initial >> paper on the attack on WPA-PSK. >> >>> HIP DEX does not have the option to encrypt the Host Identity of >>> the >>> Initiator in the I2 packet. The Responder's Host Identity also is >>> not protected. Thus, contrary to HIPv2, HIP DEX does not >>> provide for >>> end-point anonymity and any signaling (i.e., HOST_ID parameter >>> contained with an ENCRYPTED parameter) that indicates such >>> anonymity >>> should be ignored. >>> >>> What would you do if you didn't ignore such signalling? Drop the >>> connection as being with a misbehaving peer? >> >> Probably more like a ill thought-out implementation. Right now I am >> of the opinion of leaving this as is. But I can be convinced to add >> a drop connection. >> >>> As in [RFC7401], data packets start to flow after the R2 >>> packet. The >>> I2 and R2 packets may carry a data payload in the future. The >>> details of this may be defined later. >>> >>> I'm not sure what value is added by mentioning the possibility of data >>> payload in I2/R2. >> >> This is carried over from 5201. There were ideas pointing how the >> 3-way TCP setup can become a 5-way HIP - TCPinESP setup. A few other >> were discussed in HIPRG, but no one has proposed to actually use this >> feature. It stays for some future thinker to tinker with. >> >> >>> An existing HIP association can be updated with the update >>> mechanism >>> defined in [RFC7401]. Likewise, the association can be torn down >>> with the defined closing mechanism for HIPv2 if it is no longer >>> needed. In doing so, HIP DEX omits the HIP_SIGNATURE parameters of >>> the original HIPv2 specification. >>> >>> I think the intent here is more along the lines of "HIP DEX does so >>> even >>> in the absence of the HIP_SIGNATURE that is used in standard HIPv2". >>> (I also note that there's some subtle semantic mismatch between DEX as >>> "diet exchange" and its used to indicate continuing lack of security >>> functionality throughout the extent of the association, after the >>> exchange is completed.) >> >> Changed to: >> >> An existing HIP association can be updated with the update mechanism >> defined in [RFC7401]. Likewise, the association can be torn down >> with the defined closing mechanism for HIPv2 if it is no longer >> needed. In doing so, HIP DEX does so even in the absence of the >> HIP_SIGNATURE that is used in standard HIPv2. >> >> >>> Finally, HIP DEX is designed as an end-to-end authentication and >>> key >>> establishment protocol. As such, it can be used in combination >>> with >>> >>> Don't we have a LAKE WG now? How does DEX compare to what they are >>> working on? >> >> I looked some more at LAKE. They are proposing to use ephemeral DH >> as part of the exchange. That goes counter to sec 1.2 of HIP-DEX. If >> they come up with an approach that performs "acceptably", then I will >> be looking at it. >> >>> Section 1.2 >>> >>> In lieu of detailed comments, allow me to propose a rewrite of the >>> whole >>> section: >>> >>> % HIP DEX achieves its lightweight nature in large part due to the >>> % intentional removal of Forward Secrecy (FS) from the key >>> exchange. Current >>> % mechanisms to achieve FS use an authenticated ephemeral >>> Diffie-Hellman >>> % exchange (e.g., SIGMA or PAKE). HIP DEX targets usage on devices >>> where >>> % even the most lightweight ECDH exchange is prohibitively expensive >>> for >>> % recurring (ephemeral) use. For example, experience with the 8-bit >>> % 8051-based ZWAWVE ZW0500 microprocessor has shown that EC25519 >>> keypair >>> % generation exceeds 10 seconds and consumes significant energy (i.e., >>> % battery resources). Even the ECDH multiplication for the HIP DEX >>> % static-static key exchange takes 8-9 seconds, again with measurable >>> % energy consumption. This resource consumption is tolerable as a >>> % one-time event during provisioning, but would render the protocol >>> % unsuitable for use on these devices if it was required to be a >>> % recurring part of the protocol. For devices constrained in this >>> % manner, a FS-enabled protocol will likely provide little gain. The >>> % resulting "FS" key, likely produced during device provisioning, would >>> % typically end up being used for the remainder of the device's >>> % lifetime. With such a usage pattern, the inherent benefit of >>> % ephemeral keys is not realized. The security properties of such >>> usage >>> % are very similar to those of using a statically provisioned symmetric >>> % pre-shared key, in that there remains a single PSK in static storage >>> % that is susceptible to exfiltration/compromise, and compromise of >>> that >>> % key in effect compromises the entire protocol for that node. HIP DEX >>> % achieves marginally better security properties by computing the >>> % effective long-term PSK from a DH exchange, so that the provisioning >>> % service is not required to be part of the risk surface due to also >>> % possessing the PSK. >>> % >>> % Due to the substantially reduced security guarantees of HIP DEX >>> % compared to HIP BEX, HIP DEX MUST only be used when at least one of >>> % the two endpoints is a class 0 or 1 constrained device defined in >>> % Section 3 of [RFC7228]). HIP DEX MUST NOT be used when both >>> endpoints >>> % are class 2 devices or unconstrained. >> >> I have accepted your text with one typo and some formatting. Of >> course this text uses FS rather than PFS so that is a mis-match for now. >> >> 1.2. Applicability >> >> HIP DEX achieves its lightweight nature in large part due to the >> intentional removal of Forward Secrecy (FS) from the key exchange. >> Current mechanisms to achieve FS use an authenticated ephemeral >> Diffie-Hellman exchange (e.g., SIGMA or PAKE). HIP DEX targets usage >> on devices where even the most lightweight ECDH exchange is >> prohibitively expensive for recurring (ephemeral) use. For example, >> experience with the 8-bit 8051-based ZWAVE ZW0500 microprocessor has >> shown that EC25519 keypair generation exceeds 10 seconds and consumes >> significant energy (i.e., battery resources). Even the ECDH >> multiplication for the HIP DEX static-static key exchange takes 8-9 >> seconds, again with measurable energy consumption. This resource >> consumption is tolerable as a one-time event during provisioning, but >> would render the protocol unsuitable for use on these devices if it >> was required to be a recurring part of the protocol. For devices >> constrained in this manner, a FS-enabled protocol will likely provide >> little gain. The resulting "FS" key, likely produced during device >> provisioning, would typically end up being used for the remainder of >> the device's lifetime. >> >> With such a usage pattern, the inherent benefit of ephemeral keys is >> not realized. The security properties of such usage are very similar >> to those of using a statically provisioned symmetric pre-shared key, >> in that there remains a single PSK in static storage that is >> susceptible to exfiltration/compromise, and compromise of that key in >> effect compromises the entire protocol for that node. HIP DEX >> achieves marginally better security properties by computing the >> effective long-term PSK from a DH exchange, so that the provisioning >> service is not required to be part of the risk surface due to also >> possessing the PSK. >> >> Due to the substantially reduced security guarantees of HIP DEX >> compared to HIP BEX, HIP DEX MUST only be used when at least one of >> the two endpoints is a class 0 or 1 constrained device defined in >> Section 3 of [RFC7228]). HIP DEX MUST NOT be used when both >> endpoints are class 2 devices or unconstrained. >> >> >>> Section 2.2 >>> >>> Ltrunc (M(x), K) denotes the lowest order K bits of the result of >>> the MAC function M on the input x. >>> >>> I'm not sure I'm going to interpret the "lowest order K bits" the same >>> way that everyone else will. I think "leftmost" or "first" are more >>> common terms for describing this sort of truncation. >> >> This text goes back to 5201. Implementors of 5201 did not have a >> problem with this, in fact probably one of them supplied the text. >> But I am open to change based on consensus. >> >>> Section 2.3 >>> >>> CMAC: The Cipher-based Message Authentication Code with the >>> 128-bit >>> Advanced Encryption Standard (AES) defined in RFC 4493 >>> [RFC4493]. >>> >>> I would suggest just using CMAC as the acronym and not trying to >>> overload it to also be AES-specific. >> >> Do you recommend I just reference SP800-38B? >> >>> HIT Suite: A HIT Suite groups all algorithms that are required to >>> generate and use an HI and its HIT. In particular, these >>> algorithms are: 1) ECDH and 2) FOLD. >>> >>> For DEX. For normal HIPv2 we wouldn't touch FOLD with a long pole. >> >> :) >> >> HIT Suite: A HIT Suite groups all algorithms that are required to >> generate and use an HI and its HIT. In particular for HIP DEX, >> these algorithms are: 1) ECDH and 2) FOLD. >> >> BTW, I once DID use a 10' pole to chase a family of raccoons out of >> my garage. Really, it WAS 10' long, I had just gotten it from the >> lumber yard. Came home and there were a bunch of beady eyes in the >> garage.. >> >>> HI (Host Identity): The static ECDH public key that represents the >>> identity of the host. In HIP DEX, a host proves ownership of >>> the >>> private key belonging to its HI by creating a HIP_MAC with the >>> derived ECDH key (see Section 3). >>> >>> This may sound pedantic, but this doesn't actually prove ownership of >>> the private key. Someone who knows the private key of the other party >>> and the public key of the host in question would be able to produce the >>> same MAC from the corresponding derived ECDH key. I think the most we >>> can say here is that a host authenticates itself as that host identity >>> [with that HIP_MAC]. There's the corresponding trust of the recipient >>> that its own private key remains secure and thus that no party other >>> than itself or the peer identity could have generated that message. >> >> I will think on this one. See what verbiage helps. > > So I need to reference the proper HIP_MAC. Initiator's private key in > I2 and Responder's in R2. > > HI (Host Identity): The static ECDH public key that represents the > identity of the host. In HIP DEX, a host proves ownership of the > private key belonging to its HI by creating a HIP_MAC with the > derived ECDH key (see Section 3) in the appropriate I2 or R2 > packet. > > >> >>> Initiator: The host that initiates the HIP DEX handshake. This >>> role >>> is typically forgotten once the handshake is completed. >>> >>> "typically"? Perhaps it's best to say that the role is not used or >>> needed after the handshake is completed. >> >> I the HIP state machine, either peer can be the Initiator. Roles can >> be reversed. If one party looses state, it can then become the >> Initiator regardless of what role it had in the original exchange. >> >> This is the text used in 7401. >> >>> KEYMAT: Keying material. That is, the bit string(s) used as >>> cryptographic keys. >>> >>> I'm surprised we need an abbreviation for this. >> >> I got comments in early drafts of 5201-bis. Put it in. Take it >> out. So for now, I leave it in. >> >>> Length of the Responder's HIT Hash Algorithm (RHASH_len): The >>> natural output length of RHASH in bits. >>> >>> [this doesn't really fit the pattern of "definition"s] >> >> It is in 7401. If the AD says pull it. It goes. >> >> Though perhaps the definition is of RHASH_len? > > RHASH_len: The natural length of the RHASH Algorithm in bits. > > > But that really should be clear in its name. I am leaving this in > unless someone says to pull it. > >> >>> Responder: The host that responds to the Initiator in the HIP DEX >>> handshake. This role is typically forgotten once the >>> handshake is >>> completed. >>> >>> [same thing re "typically"] >> >> Same response. >> >>> Section 3 >>> >>> HIP DEX implementations MUST support the Elliptic Curve Diffie- >>> Hellman (ECDH) [RFC6090] key exchange for generating the HI as >>> defined in Section 5.2.3. No additional algorithms are >>> supported at >>> this time. >>> >>> It's kind of weird to see a "MUST" for "RFC6090 key exchange"; 6090 >>> discusses the general class of things but is not a specific key >>> exchange >>> algorithm (e.g., curve). >>> I'd also consider s/supported/defined/. >> >> Good point. Changed to: >> >> HIP DEX implementations use the Elliptic Curve Diffie-Hellman (ECDH) >> [RFC6090] key exchange for generating the HI as defined in >> Section 5.2.3. No alternative algorithms are defined at this time. >> >>> Due to the latter property, an attacker may be able to find a >>> collision with a HIT that is in use. Hence, policy decisions >>> such as >>> access control MUST NOT be based solely on the HIT. Instead, the HI >>> of a host SHOULD be considered. >>> >>> I don't think this is correct or a strong enough statement. In >>> particular, I don't think access control should be based on the HIT at >>> all, so strike "solely". Also, the "SHOULD" seems too week. I can >>> understand that "MUST use the HI" could be overly constraining, but >>> "access control decisions MUST be made on the actual identity of the >>> host, e.g., the full HI" should allow for sufficient flexibility. >> >> I will see how this changes with the ACL additions. > > See sec 71. and this text changed to: > > Due to the latter property, an attacker may be able to find a > collision with a HIT that is in use. Hence, policy decisions such as > access control MUST NOT be based solely on the HIT. Instead, the HI > of a host SHOULD be considered (see Section 7.1). > > >> >>> Carrying HIs and HITs in the header of user data packets would >>> increase the overhead of packets. Thus, it is not expected that >>> >>> s/and/or/? >> >> fixed. >> >>> association. When other user data packet formats are used, the >>> corresponding extensions need to define a replacement for the >>> ESP_TRANSFORM [RFC7402] parameter along with associated semantics, >>> but this procedure is outside the scope of this document. >>> >>> Why is ESP_TRANSFORM the most important parameter here, when we talk >>> about mapping a packet to the HIP association? I thought ESP_TRANSFORM >>> was literally about the encryption mechanics, not metadata around it. >> >> Again, this goes back to 5201. We are talking about ~20 years of >> discussions. >> >> We are discussing HIs and HITs, but that SPIs are used in everyday >> packets as the pointer to the HIs and HITs involved. I will think on >> this, but it is down the list on things to change that were inherited >> from 5201. >> >>> Section 3.2 >>> >>> ORCHID claims to provide statistical uniqueness and routability at some >>> overlay layer, neither of which this FOLD procedure provides, due to >>> easily-generatable second preimages. >>> >>> Section 3.2.1 >>> >>> Since collision-resistance is not possible with the tools at hand, >>> any reasonable function (e.g. FOLD) that takes the full value >>> of the >>> HI into generating the HIT can be used, provided that collision >>> detection is part of the HIP-DEX deployment design. This is >>> achieved >>> >>> This is not an argument that this is a reasonable thing to do; it's >>> merely an argument that it's a thing that can be done that has the same >>> claimed properties as the only type of thing that could be done. It >>> might be a bad idea to do the only type of thing that can be done, and >>> you have not convinced me otherwise. (See also the distinction between >>> collision-resistance and second-preimage-resistance alluded to in my >>> comment on the previous section.) >> >> Other changes may help, or not. We can rejoin this point after draft >> 14 (note I will be pushing out draft 13 today for the publish >> deadline for changes done so far). >> >>> here through either an ACL or some other lookup process that >>> externally binds the HIT and HI. >>> >>> Without at least one well-specified mechanism for actually doing this >>> and clear documentation of what precise properties such a mechanism >>> needs to provide, I think it's irresponsible to publish this document. >> >> In the works. > > sec 7.1 > >> >>> Section 4.1 >>> >>> By definition, the system initiating a HIP Diet EXchange is the >>> Initiator, and the peer is the Responder. This distinction is >>> typically forgotten once the handshake completes, and either party >>> can become the Initiator in future communications. >>> >>> ["typically" again] >> >> same response. >> >>> Diffie-Hellman Group IDs supported by the Initiator. Note that in >>> some cases it may be possible to replace this trigger packet by >>> some >>> other form of a trigger, in which case the protocol starts with the >>> Responder sending the R1 packet. In such cases, another >>> mechanism to >>> convey the Initiator's supported DH Groups (e.g., by using a >>> default >>> group) must be specified. >>> >>> This seems under-specified for a proposed standard and is probably >>> better off omitted entirely. >> >> This is carried over from 5201, which WAS experimental. So I can see >> it as reasonable to drop this as no one proposed another mechanism. > > dropped. > >> >> The Initiator first sends a trigger packet, I1, to the Responder. >> This packet contains the HIT of the Initiator and the HIT of the >> Responder, if it is known. Moreover, the I1 packet initializes the >> negotiation of the Diffie-Hellman group that is used for generating >> the Master Key SA. Therefore, the I1 packet contains a list of >> Diffie-Hellman Group IDs supported by the Initiator. >> >> >>> The second packet, R1, starts the actual authenticated >>> Diffie-Hellman >>> key exchange. It contains a puzzle - a cryptographic challenge >>> that >>> the Initiator must solve before continuing the exchange. The level >>> of difficulty of the puzzle can be adjusted based on level of trust >>> with the Initiator, current load, or other factors. In >>> addition, the >>> >>> The Initiator is unauthenticated at this point, so "level of trust" >>> seems to not really be defined... >> >> Changed to "knowledge of the". If the Responder "knows" that the >> Initiator is a sensor, using a smaller puzzle may be preferred. there >> is discussion about large puzzles being an attack on sensors. >> >>> Section 4.1.1 >>> >>> If an unconstrained (DoSing) attacker is competing with a constrained >>> honest initiator to solve puzzles during an attack, it seems like the >>> honest initiator is going to lose out pretty badly. >> >> You do what you can that makes some degree of sense. You just don't >> walk away from the problem. >> >>> Section 4.1.4 >>> >>> There are security considerations for serializing the HIP state to >>> nonvolatile storage! >> >> Do you want text about this in the Securities Considerations? >>
- [Hipsec] Benjamin Kaduk's Discuss on draft-ietf-h… Benjamin Kaduk via Datatracker
- Re: [Hipsec] Benjamin Kaduk's Discuss on draft-ie… Robert Moskowitz
- Re: [Hipsec] Benjamin Kaduk's Discuss on draft-ie… Robert Moskowitz
- Re: [Hipsec] Benjamin Kaduk's Discuss on draft-ie… Robert Moskowitz
- Re: [Hipsec] Benjamin Kaduk's Discuss on draft-ie… Robert Moskowitz
- Re: [Hipsec] Benjamin Kaduk's Discuss on draft-ie… Robert Moskowitz
- Re: [Hipsec] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Hipsec] Benjamin Kaduk's Discuss on draft-ie… Robert Moskowitz