Re: [Hipsec] Need to close all draft-ietf-hip-dex-21 pending issues... before 2021-Jan-13...

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Mon, 18 January 2021 14:12 UTC

Return-Path: <evyncke@cisco.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B26C63A13B6; Mon, 18 Jan 2021 06:12:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=RhWRZJcL; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=dEJv2A9+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eebyhOtrePgW; Mon, 18 Jan 2021 06:12:29 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF7B13A13A1; Mon, 18 Jan 2021 06:12:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=40931; q=dns/txt; s=iport; t=1610979148; x=1612188748; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=FgNZL42L2db0L+KSTkbuPBT0Cr7IQQAbssQgS/7jzMo=; b=RhWRZJcLnVyeMVFQo5rW3FB+azxOZChpkQ+Ja0xGuvMSqH4+86oz/6jz a0rDkz5N16QabmJF/BPoBGYBh99K9HtJCFkTY0R+eJg28hqOC6guh8WTA F39PRa2c9bSNttpkIztfZCkDvepTbRt26yoDYKbJ5FDHAGIeV9TEhkJN/ Y=;
X-IPAS-Result: =?us-ascii?q?A0A/AABilgVgmIUNJK1GGQMaAQEBAQEBAQEBAQMBAQEBE?= =?us-ascii?q?gEBAQECAgEBAQGCD4EjMCkofVsvL4Q/g0gDjWAlA4ocjneBQoERA1QLAQEBD?= =?us-ascii?q?QEBJQgCBAEBhEoCF4FYAiU4EwIDAQEBAwIDAQEBAQUBAQECAQYEFAEBAQEBA?= =?us-ascii?q?QEBhjYMhXMBAQEEIx0BATcBDwIBBgIOAwECAQIhAQYDAgICHxEUAwYIAgQBD?= =?us-ascii?q?QWDJgGBflcDLgEOQJJrkGsCiiV2gTKDBQEBBoE3Ag5BgwUNC4IRAwaBOIJ2h?= =?us-ascii?q?AABgQqEF4EfJhuBQT+BEScMEIJWPoEEAYEWQgICAQEVgQwFAQwGATgJAQwag?= =?us-ascii?q?lI0giyBWAEQWQYVEToBA1MgAg0hIyUEJggRAQUaBAISEQUHBzmPWYJbAT+HN?= =?us-ascii?q?Iw4kGdYCoJ3iS+GfoYdhR4DH4MqkBCJQIVwJJN3ixyCeo8DAYQ1AgICAgQFA?= =?us-ascii?q?g4BAQaBbSEUVXBwFWUBggoBM1AXAg1XjUoMDAIJFG4BAYJKhRSFRHQCNQIGA?= =?us-ascii?q?QkBAQMJfIlbgWZfAQE?=
IronPort-PHdr: =?us-ascii?q?9a23=3AnwqkjBbqzUeTTQxcPT7SgBX/LSx94ef9IxIV55?= =?us-ascii?q?w7irlHbqWk+dH4MVfC4el21QSZD4HS4ekCi/bK9qvnX3cd5YrHu3cHI9RAVB?= =?us-ascii?q?4A3MMRmQFoQMuIElbyI/OiaSsmVN9DW1lo8zDeUwBVFc/yakeUrii06jgfSR?= =?us-ascii?q?H2PxEzJvjpX4XVid+q0/z08JrWME1EgTOnauZ0KxO75QzaqsgRh95kLaA8r3?= =?us-ascii?q?mBonZBd+lMg21yIlfGlBfn7cD295lmoCk=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.79,356,1602547200"; d="scan'208,217";a="653341955"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 18 Jan 2021 14:12:27 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by alln-core-11.cisco.com (8.15.2/8.15.2) with ESMTPS id 10IECQbu013670 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 18 Jan 2021 14:12:27 GMT
Received: from xfe-rcd-004.cisco.com (173.37.227.252) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 18 Jan 2021 08:12:26 -0600
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xfe-rcd-004.cisco.com (173.37.227.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.792.3; Mon, 18 Jan 2021 08:12:26 -0600
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 18 Jan 2021 08:12:26 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VbGqLYCYCd70mG0QX/5JoVKNOZKC+ZVN9EZcAubHLuMAUlUGrL6q/jICEtXk+uV+OD6hMZ9URSUSLekvQCUGmEl1+O0D3+rSzGiz2gLfbKb3ct0kKOYOzQbqoNevVyzIIxz46/dBTWFI3+O/pWFnN5HBbRp9n8y6lsLpFZ2UdGp9db2PRGutq53t9hl1qUlQiErcI00vNFSgsZNXLWQmSL2+enSwix1nA0vitHFHLH5HnOnHcP4lcQ+hUKI01A4/EHQ3Td9rTt2Q7JX+AfSDGe2RCuI/LXSrwgNyBxnafj93ls8hA7GVW6b4dk4EZMiU7PwXLsDHCA/I4W+eEsEddw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FgNZL42L2db0L+KSTkbuPBT0Cr7IQQAbssQgS/7jzMo=; b=hlgyoRnvySr+s/PqZvocttDnyBKr9eJ5nFPVv+mlAcmdfAznnFgSaOqrqxeW7gWmtgcqUOeLWt7vJiLL6WPDOqDmQ7RHB1GLi23ooDaeiSG5fXVaK25rLJQifxLYR/0LuBD94hr5bj/PUuFGpH8Dh6Xi2oQId7KP+Kh2wGvPtrtyoyzsr5ZsQ3qAoZYlJZtCzDlOa4EKWXxq06kCjOG549RN8gIoCF0OG0K/PyAq7tuWlaTG9i66OKPl4z/nDFGdcgjLVAO+RibH+/1EzNVkDape7YDhMUtvjlr1bdTbKIDaOLBC/08m6k5bnQF0SAiMIavxmUlcTx33kUlwU2RRFw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FgNZL42L2db0L+KSTkbuPBT0Cr7IQQAbssQgS/7jzMo=; b=dEJv2A9+6OQdY/datQrBs37Thtr7/3AS/IcZAhHfE3FAJT9m+UINAR57zsYL5AhBn0fVS5ISSUTSH3WheF4OlZKIrK1NmqNMUieKW/gPIND582Fsj0bi96lddjkFoScHD+SSCcHXjlk0zNmMUrbvUlVb3vfBfNa2s9mkJWc6vKI=
Received: from PH0PR11MB4966.namprd11.prod.outlook.com (2603:10b6:510:42::21) by PH0PR11MB5015.namprd11.prod.outlook.com (2603:10b6:510:39::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3763.9; Mon, 18 Jan 2021 14:12:24 +0000
Received: from PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::7d4c:6b05:89aa:85b]) by PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::7d4c:6b05:89aa:85b%3]) with mapi id 15.20.3763.014; Mon, 18 Jan 2021 14:12:24 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Robert Moskowitz <rgm@labs.htt-consult.com>, "hipsec@ietf.org" <hipsec@ietf.org>, "draft-ietf-hip-dex@ietf.org" <draft-ietf-hip-dex@ietf.org>, Miika Komu <miika.komu@ericsson.com>
CC: Roman Danyliw <rdd@cert.org>, Eric Rescorla <ekr@rtfm.com>, "Gonzalo Camarillo" <gonzalo.camarillo@ericsson.com>, "rene.hummen@belden.com" <rene.hummen@belden.com>, Benjamin Kaduk <kaduk@mit.edu>, Erik Kline <ek.ietf@gmail.com>, Adam Wiethuechter <adam.wiethuechter@axenterprize.com>
Thread-Topic: [Hipsec] Need to close all draft-ietf-hip-dex-21 pending issues... before 2021-Jan-13...
Thread-Index: AQHW6ocQR6j818zXLUeYvsVAsj8W+6otg5gA
Date: Mon, 18 Jan 2021 14:12:24 +0000
Message-ID: <41AFBFEA-7119-451B-BC54-46CBB41274CA@cisco.com>
References: <68AF0368-8CB8-4DF3-A33E-0AA28E61B5F5@cisco.com> <45191baf-ee46-89b8-fe84-742c5c17aadc@labs.htt-consult.com>
In-Reply-To: <45191baf-ee46-89b8-fe84-742c5c17aadc@labs.htt-consult.com>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.45.21011103
authentication-results: labs.htt-consult.com; dkim=none (message not signed) header.d=none;labs.htt-consult.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2001:420:c0c1:36:7056:700a:2adb:f6f4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 56be328d-980b-4cef-cbd3-08d8bbbb1467
x-ms-traffictypediagnostic: PH0PR11MB5015:
x-microsoft-antispam-prvs: <PH0PR11MB5015115659E52A1CF9F7C830A9A40@PH0PR11MB5015.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: x4Wyb05LvPZgaH/nGUPcjeMew7X398w2oY92wFySM61De26vI4fSs/zOseeMqCWVvghvNg6SA3qRBxPpqSfq1fLA+zTwGW/aRFWjGIt2ql7Ao7JsZ+W2DNkma/kM8cvZ3GZeTugsLpAAn4WL7a1FAVrD8D1OaOsxUAFWBmOSx0EIX/dJP4pk0GQaWcJusX2oV+Fh9EgiIx37KkECWSj+xkDSkhxSjoh7jHZN+APt73TlVtnjeF/6fDBGyN5X2QFbCEMbQruKNsmPZ5nOM6vQE9paVZ1uKImRJ27p8BjSCRMycZgA9H2P3dh8rdFTkpC+4nEpVIdL96Tx+bkc5Qj3bKbeJD/xl+3iCvylbpsmMnHD4+NUQjwMWSc0Gi1WN/X6l+PRDTUeWEQBFRwL4g/bEeq/7+Ww19kzX/72oNja7dn6qVZHwwdKaNCRXuYUb5OUOsr9nWrn0xcle7kOXXV2EKDfEcw5s1tXXt8GsaqqE7XCFabUcz2TzF/m7CILm7TyzPt/UF8COygZzRHWeoShYA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR11MB4966.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(396003)(39860400002)(136003)(366004)(346002)(376002)(7416002)(8676002)(166002)(64756008)(6486002)(316002)(8936002)(2906002)(6512007)(478600001)(83380400001)(66476007)(36756003)(2616005)(53546011)(66946007)(186003)(66556008)(110136005)(86362001)(76116006)(16799955002)(5660300002)(4326008)(6506007)(54906003)(71200400001)(966005)(91956017)(66446008)(33656002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?WHVQclJ6RjNwNWtJaElocHRKaDZ0SWk5UmFwdWxjdWZGRWs0YVhkRWVrZGRv?= =?utf-8?B?N3RqZUUxMzlJeE51L3M0N2tmaEtJTUxNQ3lWckltSVBOTXVnV1F5YmExdHIv?= =?utf-8?B?dlJ0S1dNd1pqM1NNOVJmY3ZKejBiZ0dZcC91eWJPamFReS9oSkpSSHpEUlh0?= =?utf-8?B?SlVkNWltSVROYW5FLzdZakQ1MDBrNUhhaDdZazBaMGtZbUVKWm5lTjhqUDJy?= =?utf-8?B?OWd2WG1nYTN0R3ZDVS80bzNvTU01MzBRcnBBYklqWHQ0bGl1NElCb2p5YjRS?= =?utf-8?B?by8wL1ZEZkh1TGsyMVRKWFRvdUtBbjhadWpFMS9UTkwrSHlMQ0pmRzlROW1x?= =?utf-8?B?aEhlQU9VLzkwWWhROEpFSlIxRlJmSmFTc2N3K3l0YVhNcDlpSGpORXROTVVX?= =?utf-8?B?VXYzSUpwSFc1OVgrc3NEcjVnd2YxMFN0eDkvVlNhY1V4UkRubWk2dk1CODM3?= =?utf-8?B?YldrRUkrQ0ZiZjRZMk1hdmFNNFo0Tm12Wis1cFlERk5hSERxL3pCVG9Wbi9O?= =?utf-8?B?WkJDYjlJZkQwRmZ1M3hSSi9VOGZFSnlZRE5JY0I4K2JBSEhFVDJPZTQwT1Vn?= =?utf-8?B?cGZoclh5SlNlSFdFY1YwdWpBZWZRcEZ4WkoxYUxpdDBDN1VwVmtHYVJiUGND?= =?utf-8?B?MzlhUTBvVXpiSVdLNnl0Z3ZVWEw0dzNnSVpNM0Q0VFFoQlJ6eTRaUmRKT2xE?= =?utf-8?B?ZVIzdWEwT0pGaVkrK0Z2NC8ycTl1TnZDUkdHMjVTQmRpWkNHVUFvY0JTbmM3?= =?utf-8?B?NTNnRlpRYnJOTW9tNENXUzlMTWlQT21VTGpjS3BSVE96SklQVHRJUmh1dXhP?= =?utf-8?B?bVY5ZkpLTFZTWERFTzZ5R2NQV21wZFZTaERWc1h5K28zeTh3MkVUeG9RejFz?= =?utf-8?B?QVFCSE02alZLajdGV2hiS3VIbVltRmRrQy8xZVBMWVFpazY4T1FJREVmSHJL?= =?utf-8?B?dDRxWmNOTzNuMVlKd2QxUkV6Qmt3YXBhYVduZWMzSjBGTzk1UW8wYnBMQ0Qr?= =?utf-8?B?d0c5SlNreDU3dzF2ODRLR3VuckRpSzhaUGJLUGxpL21zbWVsNG55RVhZMCtJ?= =?utf-8?B?UmwwM0M1aDZ1bHZQZ1Jwd20vK0Y1cE1uNVR5OXpGRzExc3dST3l3WXpTY25U?= =?utf-8?B?ek10bm9jK3QzUGpnckJUb0NWWXY0SVd1RGE2bU5vd0ZLazREc3FwRkhhVFFT?= =?utf-8?B?YmpydlBZblhSTVhiQmpFeGxIanIvQzhZQ0FyeFZ0UVdGb2RkakFLSnhqdnpO?= =?utf-8?B?L3g4TURFNEVhRE9yNUx3NUhOdXVLVHIwVlVUM2NhUGNZdW5xait4cXlvY0Rs?= =?utf-8?B?VmJKeFlzcVR6cDRPbnhETWozODluSHJ3TWJ4RGxlMFFBZWl2UnJtMFBuVUhv?= =?utf-8?B?eVJYN2ZsS29iUG1KL3oyUndQODhWdDQ5Ulk1T2JQVzFMTE9WTkZhUndPMWZ1?= =?utf-8?Q?qyBRcIZl?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_41AFBFEA7119451BBC5446CBB41274CAciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 56be328d-980b-4cef-cbd3-08d8bbbb1467
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jan 2021 14:12:24.7485 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +ASEwNkx9G8dvfpPuIxnrvD67SS4gnbSheiBMAzlTsCtwMYqSogVH8aHzeqU9bbt4YInnm39JYq2T2BKIrQUcg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5015
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.14, xch-aln-004.cisco.com
X-Outbound-Node: alln-core-11.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/UVtrUWo3JGbLSQ7yhGTMr_EfkkU>
X-Mailman-Approved-At: Tue, 19 Jan 2021 12:24:34 -0800
Subject: Re: [Hipsec] Need to close all draft-ietf-hip-dex-21 pending issues... before 2021-Jan-13...
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jan 2021 14:12:36 -0000

TD ;LR : more work to be done, deadline this Thursday 21st



Bob,



Thank you for the -23 (and Adam W for the footwork) and I understand that you are quite busy.



Here is the link to the diff between -21 and -23: https://www.ietf.org/rfcdiff?url2=draft-ietf-hip-dex-23&url1=draft-ietf-hip-dex-21 (i.e., the one used by July 2020 IESG evaluation and the latest one)



After the July 2020 IESG evaluation based on -21, there were a couple of points to be addressed (with some comments of mine as EVY>):

  *   Roman: “Section 6.3.  Per the definition of IKM, when should these two different derivations be used? "
     *   EVY> indeed, IKMm and IKMp are both defined but nothing is said which one to use in which case.
  *   Roman "discuss-discuss" (read this as request for reply and non-blocking) about " further implementation experience provides better guidance" in sections 6 and 9.
     *   EVY> this really pleads for experimental status
  *   Benjamin on FOLD collisions
     *   EVY> IMHO addressed in the new section 3.2.1
  *   Benjamin on ACL to counter FOLD collisions in section 3.2.1
     *   EVY> still light on the ACL but the above should clear it
  *   Benjamin "how is it known that the peer should be using DEX vs. BEX"
     *   EVY> partially addressed in section 1.2 but should be repeated in the security section
  *   Benjamin lack of discussion on the security consequences of inadvertent counter reuse in AES-CTR
  *   Benjamin "presence of a CSPRNG in order to obtain secure session keys"
  *   Benjamin "usage of CMAC instead of HMAC" about KEYMAT algorithm
     *   EVY> new reference to NIST papers seems to address this concern
  *   Ekr’s one about why forfeiting FS when some algorithm could do it in a reasonable time. In an email to authors and ADs, Eric R. wrote “it defines a set of parameters (the NIST curves) which are slower w/o FS than other parameters (X25519) are w/ FS. This fact calls into question the need to dispense with FS.”
     *   EVY> the additional section 1.2.1 and the reference to a paywall EfficientECC reference do not offer a conclusive motivation for an IETF standards w/o FS.



***Bottom line, the document is not yet ready to be approved.*** (even if big progress has been made)



As written in November (see below), the situation has lingered for too long and is blocking the HIP-NAT and rfc4423-bis documents.



*** Therefore, I request the authors for a revised I-D addressing the above (and noting again that a change to ‘experimental’ – as there are no deployed implementations – could probably fix all of them) before Thursday 21st of January midnight UTC else I will ask the HIPSEC WG to agree removing the HIP-DEX section from the architecture document. ***



All in all, there have been a couple of significant changes (I_NONCE, some deleted ciphers) since the IETF last call (see https://www.ietf.org/rfcdiff?url2=draft-ietf-hip-dex-23&url1=draft-ietf-hip-dex-21 ), so, another IETF Last Call is required but should not be a real problem.





-éric







From: Robert Moskowitz <rgm@labs.htt-consult.com>

Date: Thursday, 14 January 2021 at 16:08

To: Eric Vyncke <evyncke@cisco.com>om>, "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>rg>, "hipsec@ietf.org" <hipsec@ietf.org>rg>, "draft-ietf-hip-dex@ietf.org" <draft-ietf-hip-dex@ietf.org>rg>, Miika Komu <miika.komu@ericsson.com>

Cc: Roman Danyliw <rdd@cert.org>rg>, Eric Rescorla <ekr@rtfm.com>om>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>om>, "rene.hummen@belden.com" <rene.hummen@belden.com>om>, Benjamin Kaduk <kaduk@mit.edu>du>, Erik Kline <ek.ietf@gmail.com>

Subject: Re: [Hipsec] Need to close all draft-ietf-hip-dex-21 pending issues... before 2021-Jan-13...



I had hoped to get -23 out end of last week, and missed my cutoff.  I am now in IACR's Real World Crypto, where I have gotten a couple pointers for DRIP work.



I was waiting for two analyzes that I got Jan 4, and incorporating them in.  I believe these SHOULD address much of EKR's questions.



I will have a run of 1M DEX random HIs to HITs generated with no duplicates that I add in an Appendix along with the Python code.



I am adding a BEX/DEX crypto cost into 1.2, probably 1.2.1:



For an Initiator, BEX is:



2 PK sig varifications.

1 PK sig generation.

1 DH keypair generation.

1 DH secret derivation.



DEX is:



1 DH secret derivation.



I have cycles for these and a paper to reference, except ECDH keypair generation, on an 8 bit process and the numbers are big.  But I think that part belongs in an Appendix.



So unlikely Friday.  But early the following week.











On 1/12/21 6:19 AM, Eric Vyncke (evyncke) wrote:

Two months after the email below, I sending a kind reminder to authors and WG.



With the -22, a lot of (if not all ) SEC ADs’ DISCUSS points should have been addressed.



As far as I can tell, the other remaining issue was Ekr’s one about why forfeiting FS when some algorithm could do it in a reasonable time. In an email to authors and ADs, Eric R. wrote “it defines a set of parameters (the NIST curves) which are slower w/o FS than other parameters (X25519) are w/ FS. This fact calls into question the need to dispense with FS.”



While 2 months ago I put a deadline for tomorrow, I (as the responsible AD) am flexible of course but we cannot linger anymore. I know that a -23 is in the work for weeks => let’s publish it in the coming days.



Else, next week we will need to either change the intended status to experimental or declare the document dead by lack of energy. The latter does not have my preference obviously.



Regards



-éric





From: Hipsec mailto:hipsec-bounces@ietf.org on behalf of "Eric Vyncke (evyncke)" mailto:evyncke=40cisco.com@dmarc.ietf.org

Date: Friday, 13 November 2020 at 15:32

To: mailto:hipsec@ietf.org mailto:hipsec@ietf.org, mailto:draft-ietf-hip-dex@ietf.org mailto:draft-ietf-hip-dex@ietf.org, Robert Moskowitz mailto:rgm@labs.htt-consult.com, Miika Komu mailto:miika.komu@ericsson.com

Cc: Roman Danyliw mailto:rdd@cert.org, Eric Rescorla mailto:ekr@rtfm.com, Gonzalo Camarillo mailto:gonzalo.camarillo@ericsson.com, mailto:rene.hummen@belden.com mailto:rene.hummen@belden.com, Benjamin Kaduk mailto:kaduk@mit.edu, Erik Kline mailto:ek.ietf@gmail.com

Subject: [Hipsec] Need to close all draft-ietf-hip-dex-21 pending issues... before 2021-Jan-13...



Dear HIP, dear authors,



This document was requested for publication [1] in February 2018 (2.5 years ago), then its IESG evaluation has been deferred, then I took over this document from Terry Manderson in March 2019, then it went again through IESG evaluation in July 2020 and there are still DISCUSS points to be addressed even after a couple of revised I-D...



Difficult not to observe that this document does not progress very fast.



Moreover, this document is a normative reference for rfc4423-bis waiting in the RFC editor queue since March 2019... So, also blocking the HIP-NAT document [2].



After discussion with the HIP chair, Gonzalo in cc, we have taken the following decision: if a revised I-D addressing remaining DISCUSS points + Ekr’s ones is not uploaded within 2 months (13th of January 2021), then I will request the HIP WG to accept the complete removal of section A.3.3 of the rfc4423-bis document (1 page about HIP-DEX in the appendix) + the reference to the HIP-DEX document [3]. This will allow the immediate publication of the rfc4423-bis and HIP-NAT documents.



The HIP DEX authors may also select to change the intended status of the document to ‘experimental’ (if the HIP WG agrees) as this may reduce the security requirements by the SEC AD and Ekr.



Gonzalo and I are still hoping to get a revised HIP-DEX shortly,



Regards



-éric



[1] https://datatracker.ietf.org/doc/draft-ietf-hip-dex/history/

[2] https://www.rfc-editor.org/cluster_info.php?cid=C386

[3] and possibly I will set the state of HIP-DEX as ‘dead’ on the datatracker





--

Robert Moskowitz

Owner

HTT Consulting

C:      248-219-2059

F:      248-968-2824

E:      mailto:rgm@labs.htt-consult.com



There's no limit to what can be accomplished if it doesn't matter who gets the credit