Re: [Hipsec] A review of draft-ietf-hip-dex-02.txt

Robert Moskowitz <rgm@htt-consult.com> Sun, 23 October 2016 01:22 UTC

Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C90A5129579 for <hipsec@ietfa.amsl.com>; Sat, 22 Oct 2016 18:22:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.631
X-Spam-Level:
X-Spam-Status: No, score=-4.631 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f0YPMpWEoEdi for <hipsec@ietfa.amsl.com>; Sat, 22 Oct 2016 18:22:55 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [50.253.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5665712945A for <hipsec@ietf.org>; Sat, 22 Oct 2016 18:22:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 9ED7862306; Sat, 22 Oct 2016 21:22:53 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 0xZsV+d7Wunh; Sat, 22 Oct 2016 21:22:39 -0400 (EDT)
Received: from lx120e.htt-consult.com (pool-71-246-64-145.bltmmd.east.verizon.net [71.246.64.145]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id CC94062310; Sat, 22 Oct 2016 21:22:37 -0400 (EDT)
To: =?UTF-8?Q?Ren=c3=a9_Hummen?= <hummen.committees@gmail.com>, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
References: <20160321203627.12199.62928.idtracker@ietfa.amsl.com> <56F98E90.10601@ericsson.com> <CAEhFMcjosQF6CPa5cRWo6gtWHWyNFGR5PC4BxTLvZxCaXohckg@mail.gmail.com> <5756C81D.3080601@ericsson.com> <CAEhFMch1qp868EKLx8V9kxS0-qC-2Cp0C6w=Sct3YSesErzKFQ@mail.gmail.com> <1ade65d6-187e-20e0-fb9b-c3d5b73f42df@ericsson.com> <cc2d82b2-447c-3b16-5858-8cae5710b174@ericsson.com> <CANS20HNwQYuf5dsFKsj9wSrBRH3a2tXrQ=p0A5fVsL37oPVvRA@mail.gmail.com>
From: Robert Moskowitz <rgm@htt-consult.com>
Message-ID: <d450680b-f879-a1f8-cb27-05fc063b6807@htt-consult.com>
Date: Sat, 22 Oct 2016 21:22:31 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CANS20HNwQYuf5dsFKsj9wSrBRH3a2tXrQ=p0A5fVsL37oPVvRA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------6E6D59C01A5CF6E91BB4F845"
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/_FO3rZo0q_ZoiQH39ayoOGWRq7w>
Cc: hipsec@ietf.org, =?UTF-8?Q?Ren=c3=a9_Hummen?= <hummen.rwth@gmail.com>
Subject: Re: [Hipsec] A review of draft-ietf-hip-dex-02.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Oct 2016 01:22:59 -0000

I am in agreement with Rene that this version meets the comments here 
that do not add new features.  As much as I would like to add new 
things, like a PAKE process, I would do that as separate document(s).  
In fact that is what I am doing with drafts like my fast-mobility.

So please start last call on this draft.

Bob

On 10/22/2016 04:22 AM, René Hummen wrote:
> Hi,
>
> I just uploaded draft version 04, where I addressed Miika's comments 
> as discussed in the previous emails.
>
> From my point of view, this document is ready to proceed.
>
> BR
> René
>
> 2016-10-21 9:13 GMT+02:00 Gonzalo Camarillo 
> <Gonzalo.Camarillo@ericsson.com <mailto:Gonzalo.Camarillo@ericsson.com>>:
>
>     Hi Rene,
>
>     do you intend to release a new version of the draft with this
>     addition?
>     What is the current status of the draft otherwise?
>
>     Thanks,
>
>     Gonzalo
>
>     On 26/09/2016 4:46 PM, Miika Komu wrote:
>     > Hi René,
>     >
>     > On 09/11/2016 11:06 PM, René Hummen wrote:
>     >> Hello Miika,
>     >>
>     >> going through your email again, I saw a total of four suggestions.
>     >>
>     >> Three of them refer to imprecisions in the text of RFC 7401
>     (which I
>     >> copy/pasted for HIP DEX). There, I understood that consistency
>     with RFC
>     >> 7401 has a higher priority than only fixing your comments for
>     HIP DEX,
>     >> but keeping the text as is for RFC 7401. This means, I will not
>     modify
>     >> the text in the HIP DEX draft. Is this also your intention?
>     >
>     > yes, 7401 takes precedence over my comments.
>     >
>     >> The last remaining issue is related to the UPDATE message and the
>     >> rekeying procedure (Section 6.10.). Here, I added the following
>     >> paragraph for clarification purposes:
>     >>
>     >>    [RFC7402] specifies the rekeying of an existing HIP SA using the
>     >>    UPDATE message.  This rekeying procedure can also be used
>     with HIP
>     >>    DEX.  However, where rekeying involves a new Diffie-Hellman key
>     >>    exchange, HIP DEX peers MUST establish a new connection in
>     order to
>     >>    create a new Pair-wise Key SA due to the use of static ECDH
>     key-pairs
>     >>    with HIP DEX.
>     >>
>     >> Does this fix your issue?
>     >
>     > Yes. I assume you mean a new HIP association with connection.
>     >
>     >> BR
>     >> René
>     >>
>     >>
>     >>
>     >> On Tue, Jun 7, 2016 at 3:11 PM, Miika Komu
>     <miika.komu@ericsson.com <mailto:miika.komu@ericsson.com>
>     >> <mailto:miika.komu@ericsson.com
>     <mailto:miika.komu@ericsson.com>>> wrote:
>     >>
>     >>     Hi,
>     >>
>     >>     On 06/03/2016 02:20 PM, René Hummen wrote:
>     >>
>     >>         This is part 3 of 3.
>     >>
>     >>
>     >>     I am fine with your fixes. Some comments below.
>     >>
>     >>         On Mon, Mar 28, 2016 at 10:05 PM, Miika Komu
>     >>         <miika.komu@ericsson.com
>     <mailto:miika.komu@ericsson.com> <mailto:miika.komu@ericsson.com
>     <mailto:miika.komu@ericsson.com>>
>     >>         <mailto:miika.komu@ericsson.com
>     <mailto:miika.komu@ericsson.com>
>     >>         <mailto:miika.komu@ericsson.com
>     <mailto:miika.komu@ericsson.com>>>> wrote:
>     >>
>     >>     > [...]
>     >>
>     >>              > 6.2.1.  CMAC Calculation
>     >>              >
>     >>              > [...]
>     >>              >
>     >>              >
>     >>              > 5.  Set Checksum and Header Length fields in the HIP
>     >>         header to
>     >>              > original values.  Note that the Checksum and
>     Length fields
>     >>              > contain incorrect values after this step.
>     >>
>     >>             I guess also the values following HIP_MAC should be
>     restored
>     >>         since
>     >>             they were wiped in the step 2.
>     >>
>     >>
>     >>         I also found this description a bit imprecise, but it
>     is taken
>     >> from
>     >>         RFC7401. Step 2 already hints at the fact that parameters
>     >> following
>     >>         HIP_MAC may still be of interest:
>     >>         "Remove the HIP_MAC parameter, as well as all other
>     parameters
>     >>                 that follow it with greater Type value, saving the
>     >>         contents if
>     >>                 they will be needed later."
>     >>
>     >>         The question is whether we want to fix the description
>     for HIP
>     >>         DEX or to
>     >>         keep things as they are for consistency reasons. In the
>     former
>     >>         case, I
>     >>         would prefer to completely rewrite the verification
>     procedure to
>     >>         work on
>     >>         the received packet without removing any parameters.
>     However, we
>     >>         should
>     >>         then probably also post an errata to RFC7401. If there
>     are no
>     >> stong
>     >>         opinions about that, I would go for the latter option.
>     >>
>     >>
>     >>     Latter option works for me too.
>     >>
>     >>              > The CKDF-Extract function is the following
>     operation:
>     >>              >
>     >>              > CKDF-Extract(I, IKM, info) -> PRK
>     >>
>     >>             What does the arrow operator signify? I thought that it
>     >>         produces PRK,
>     >>             but PRK is actually defined below.
>     >>
>     >>
>     >>         The arrow is part of a basic mathematical function
>     definition.
>     >>         So yes,
>     >>         PRK is the output (domain), but we still need to give it a
>     >>         proper name.
>     >>         I changed the artwork to clearly point out the inputs and
>     >> outputs.
>     >>
>     >>
>     >>     Thanks, it is now better.
>     >>
>     >>         Please check this section again in the updated version
>     and get
>     >>         back to
>     >>         me if the above changes do not sufficiently help your
>     >> understanding.
>     >>
>     >>
>     >>     It is good now, thanks!
>     >>
>     >>              > L        length of output keying material in octets
>     >>              >          (<= 255*RHASH_len/8)
>     >>              > |        denotes the concatenation
>     >>              >
>     >>              > The output keying material OKM is calculated as
>     follows:
>     >>              >
>     >>              > N       = ceil(L/RHASH_len/8)
>     >>              > T       =  T(1) | T(2) | T(3) | ... | T(N)
>     >>              > OKM     =  first L octets of T
>     >>              >
>     >>              > where
>     >>              >
>     >>              > T(0) = empty string (zero length)
>     >>              > T(1) = CMAC(PRK, T(0) | info | 0x01)
>     >>              > T(2) = CMAC(PRK, T(1) | info | 0x02)
>     >>              > T(3) = CMAC(PRK, T(2) | info | 0x03)
>     >>              > ...
>     >>
>     >>             The Expand was a bit more clear, but still didn't
>     understand
>     >>         how to
>     >>             get to the
>     >>             Expanded key material due the arrow notation.
>     >>
>     >>
>     >>         Ok, let's clarify this as several comments are related
>     to the
>     >> arrow
>     >>         notation. For the function definition we use the
>     mathematical
>     >> arrow
>     >>         notation (same as RFC 5869) and for the actual
>     opertation we
>     >> use the
>     >>         equals sign (same as RFC 5869). In the end, they denote
>     the same
>     >>         thing:
>     >>         "assign X to Y".
>     >>
>     >>
>     >>     Ok, this is what I guessed too.
>     >>
>     >>              > (where the constant concatenated to the end of each
>     >> T(n) is a
>     >>              > single octet.)
>     >>
>     >>             Is there a max value?
>     >>
>     >>
>     >>         I am not sure what you mean here. If you refer to the N
>     in T(N)
>     >>         then it
>     >>         is defined above as N = ceil(L/RHASH_len/8).
>     >>
>     >>
>     >>     Yes, I asked about the maximum value for N (which depends
>     on L), but
>     >>     never mind.
>     >>
>     >>              > 8.   The R1 packet may have the A-bit set - in
>     this case,
>     >>         the system
>     >>              > MAY choose to refuse it by dropping the R1
>     packet and
>     >>         returning
>     >>              > to state UNASSOCIATED.  The system SHOULD consider
>     >>         dropping the
>     >>              > R1 packet only if it used a NULL HIT in the I1
>     packet.
>     >>
>     >>             I didn't understand the logic in the last sentence.
>     >>
>     >>
>     >>         Someone must have had a reason for this recommendation,
>     but that
>     >>         someone
>     >>         wasn't me. This is text from RFC7401. Any suggestions
>     how to
>     >>         proceed?
>     >>
>     >>
>     >>     Fix similarly as the other RFC7401 issue in the beginning
>     of this
>     >> email.
>     >>
>     >>              > 6.7.  Processing Incoming I2 Packets
>     >>              >
>     >>              > [...]
>     >>              >
>     >>              > 5.   If the system's state machine is in the I2-SENT
>     >>         state, the
>     >>              > system MUST make a comparison between its local and
>     >> sender's
>     >>              > HITs (similarly as in Section 6.3).  If the
>     local HIT is
>     >>         smaller
>     >>              > than the sender's HIT, it should drop the I2 packet,
>     >> use the
>     >>              > peer Diffie-Hellman key, ENCRYPTED_KEY keying
>     material
>     >>         and nonce
>     >>              > #I from the R1 packet received earlier, and get
>     the local
>     >>              > Diffie-Hellman key, ENCRYPTED_KEY keying
>     material, and
>     >>         nonce #J
>     >>              > from the I2 packet sent to the peer earlier.
>     >> Otherwise, the
>     >>              > system should process the received I2 packet and
>     drop any
>     >>              > previously derived Diffie-Hellman keying
>     material Kij and
>     >>              > ENCRYPTED_KEY keying material it might have
>     generated upon
>     >>              > sending the I2 packet previously.  The peer
>     >>         Diffie-Hellman key,
>     >>              > ENCRYPTED_KEY, and the nonce #J are taken from
>     the just
>     >>         arrived
>     >>              > I2 packet.  The local Diffie-Hellman key,
>     ENCRYPTED_KEY
>     >>         keying
>     >>              > material, and the nonce #I are the ones that
>     were sent
>     >>         earlier
>     >>              > in the R1 packet.
>     >>
>     >>             Please replace "sender" with "peer" (or remote
>     host) in this
>     >>         section
>     >>             for more symmetric terminology.
>     >>
>     >>             get -> obtain
>     >>
>     >>
>     >>         I can make these changes if you insist, but I was going
>     for a
>     >>         minimal
>     >>         diff to RFC 7401.
>     >>
>     >>
>     >>     Not insisting.
>     >>
>     >>
>     >>              > 11.  The implementation SHOULD also verify that the
>     >>         Initiator's HIT
>     >>              > in the I2 packet corresponds to the Host
>     Identity sent in
>     >>         the I2
>     >>              > packet.  (Note: some middleboxes may not be able to
>     >> make this
>     >>              > verification.)
>     >>
>     >>             Why SHOULD? Why not MUST? I think we're talking about
>     >>         end-hosts here
>     >>             anyway.
>     >>
>     >>
>     >>         It is defined this way in RFC 7401. Do you really want to
>     >> change the
>     >>         packet processing behavior for HIP DEX only?
>     >>
>     >>
>     >>     Fix similarly as the first RFC7401 issue in this email.
>     >>
>     >>              > 6.10.  Processing UPDATE, CLOSE, and CLOSE_ACK
>     Packets
>     >>
>     >>              > UPDATE, CLOSE, and CLOSE_ACK packets are handled
>     >>         similarly in HIP DEX
>     >>              > as in HIP BEX (see Sections 6.11, 6.12, 6.14,
>     and 6.15 of
>     >>         [RFC7401]).
>     >>              > The only difference is the that the HIP_SIGNATURE is
>     >>         never present
>     >>              > and, therefore, is not required to be processed
>     by the
>     >>         receiving
>     >>              > party.
>     >>
>     >>             How does rekeying work with the extract and expand
>     functions?
>     >>
>     >>
>     >>         Rekeying is not defined in this document, same as for RFC
>     >> 7401. That
>     >>         being said, the rekeying procedure with reuse of the KEYMAT
>     >> from RFC
>     >>         7402 directly translates to HIP DEX. For new KEYMAT,
>     the peers
>     >>         need to
>     >>         establish a new connection due to the use of static DH
>     keys.
>     >>
>     >>
>     >>     Maybe this should be explicitly stated in the draft.
>     >>
>     >>
>     >>
>     >>              > 7.  HIP Policies
>     >>
>     >>              > There are a number of variables that will
>     influence the
>     >>         HIP exchanges
>     >>              > that each host must support.  All HIP DEX
>     implementations
>     >>         SHOULD
>     >>              > provide for an ACL of Initiator's HI to
>     Responder's HI.
>     >>         This ACL
>     >>              > SHOULD also include preferred transform and local
>     >> lifetimes.
>     >>              > Wildcards SHOULD also be supported for this ACL.
>     >>
>     >>             Why ACLs are mandatory?
>     >>
>     >>
>     >>         It is not a MUST and considering that HIP DEX is primarly
>     >>         targeted at
>     >>         things, there is the need to do basic device authorizations
>     >>         (based on
>     >>         their identities) without a human in the loop. Of
>     course you are
>     >>         also
>     >>         allowed to use more suffisticated authorization mechanisms.
>     >>
>     >>
>     >>     Ok.
>     >>
>     >>             ACL -> ACL consisting of
>     >>
>     >>
>     >>         Changed to the following text that is closer to RFC 7401:
>     >>         "   All HIP DEX implementations SHOULD provide for an
>     Access
>     >>         Control List
>     >>             (ACL), representing for which hosts they accept HIP
>     diet
>     >>         exchanges,
>     >>             and the preferred transport format and local lifetimes.
>     >>         Wildcarding
>     >>             SHOULD be supported for such ACLs."
>     >>
>     >>              > 8.  Security Considerations
>     >>
>     >>              > o  The HIP DEX HIT generation may present new attack
>     >>         opportunities.
>     >>
>     >>             They cannot be used in ACLs. Maybe this could be
>     mentioned.
>     >>         Can this
>     >>             be mitigated by always using full HIs?
>     >>
>     >>
>     >>         I changed the bullet-point as follows:
>     >>         "The HIP DEX HIT generation may present new attack
>     opportunities.
>     >>                Hence, HIP DEX HITs should not be use as the
>     only means to
>     >>                identify a peer in an ACL. Instead, the use of the
>     >>         peer's HI is
>     >>                recommended."
>     >>
>     >>
>     >>     Ok.
>     >>
>     >>         Note that I added a new Section 8 "Interoperability
>     between HIP
>     >>         DEX and
>     >>         HIPv2" to satisfy your comment on HIP DEX and HIPv2
>     >> compatibility.
>     >>
>     >>
>     >>     Thanks!
>     >>
>     >>
>     >>     _______________________________________________
>     >>     Hipsec mailing list
>     >> Hipsec@ietf.org <mailto:Hipsec@ietf.org>
>     <mailto:Hipsec@ietf.org <mailto:Hipsec@ietf.org>>
>     >> https://www.ietf.org/mailman/listinfo/hipsec
>     <https://www.ietf.org/mailman/listinfo/hipsec>
>     >>     <https://www.ietf.org/mailman/listinfo/hipsec
>     <https://www.ietf.org/mailman/listinfo/hipsec>>
>     >>
>     >>
>     >
>
>     _______________________________________________
>     Hipsec mailing list
>     Hipsec@ietf.org <mailto:Hipsec@ietf.org>
>     https://www.ietf.org/mailman/listinfo/hipsec
>     <https://www.ietf.org/mailman/listinfo/hipsec>
>
>
>
>
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec