Re: [Hipsec] TRANSPORT_FORMAT_LIST issues in 5201-bis and 5202-bis
"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Thu, 27 June 2013 05:45 UTC
Return-Path: <thomas.r.henderson@boeing.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6799821F9C06 for <hipsec@ietfa.amsl.com>; Wed, 26 Jun 2013 22:45:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.299
X-Spam-Level:
X-Spam-Status: No, score=-106.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ps-go7rewWcI for <hipsec@ietfa.amsl.com>; Wed, 26 Jun 2013 22:45:16 -0700 (PDT)
Received: from slb-mbsout-02.boeing.com (slb-mbsout-02.boeing.com [130.76.64.129]) by ietfa.amsl.com (Postfix) with ESMTP id 2F0F121F9349 for <hipsec@ietf.org>; Wed, 26 Jun 2013 22:45:16 -0700 (PDT)
Received: from slb-mbsout-02.boeing.com (localhost.localdomain [127.0.0.1]) by slb-mbsout-02.boeing.com (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with ESMTP id r5R5jEpC009598 for <hipsec@ietf.org>; Wed, 26 Jun 2013 22:45:15 -0700
Received: from XCH-NWHT-08.nw.nos.boeing.com (xch-nwht-08.nw.nos.boeing.com [130.247.25.112]) by slb-mbsout-02.boeing.com (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id r5R5jCTR009576 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Wed, 26 Jun 2013 22:45:13 -0700
Received: from XCH-NW-16V.nw.nos.boeing.com ([130.247.25.238]) by XCH-NWHT-08.nw.nos.boeing.com ([130.247.25.112]) with mapi; Wed, 26 Jun 2013 22:45:12 -0700
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: HIP <hipsec@ietf.org>, René Hummen <rene.hummen@comsys.rwth-aachen.de>
Date: Wed, 26 Jun 2013 22:45:12 -0700
Thread-Topic: [Hipsec] TRANSPORT_FORMAT_LIST issues in 5201-bis and 5202-bis
Thread-Index: Ac5yU8XZyQVwmdtnQDC2xZXitsrozQApBSGAAAAEIgA=
Message-ID: <758141CC3D829043A8C3164DD3D593EA2ED6C951B3@XCH-NW-16V.nw.nos.boeing.com>
References: <F42340E7-9106-4EC7-8C03-D93B311955CB@comsys.rwth-aachen.de> <758141CC3D829043A8C3164DD3D593EA2ED6C951B2@XCH-NW-16V.nw.nos.boeing.com>
In-Reply-To: <758141CC3D829043A8C3164DD3D593EA2ED6C951B2@XCH-NW-16V.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Subject: Re: [Hipsec] TRANSPORT_FORMAT_LIST issues in 5201-bis and 5202-bis
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 05:45:22 -0000
Rene, inline below... > > From: hipsec-bounces@ietf.org [mailto:hipsec-bounces@ietf.org] On > Behalf Of René Hummen > Sent: Wednesday, June 26, 2013 2:58 AM > To: hipsec@ietf.org WG > Subject: [Hipsec] TRANSPORT_FORMAT_LIST issues in 5201-bis and 5202-bis > > Hi, > > I just noticed an issue in 5201-bis and 5202-bis related to the > integration of the new TRANSPORT_FORMAT_LIST parameter. More precisely, > the specification in both documents is still incomplete. > > Regarding 5201-bis: > ---------------------------- > Section 6.7 [1] says: > "6. The responder expresses its supported HIP transport formats in the > TRANSPORT_FORMAT_LIST as described in Section 5.2.10. The Responder > MUST at least provide one payload transport format type." > > First, this text should refer to Section 5.2.11 as Section 5.2.10 > defines the HIT_SUITE_LIST parameter, whereas Section 5.2.11 specifies > the TRANSPORT_FORMAT_LIST parameter. I agree. > > Second, the text above implies that the TRANSPORT_FORMAT_LIST parameter > is mandatory in HIPv2 (which makes a lot of sense). However, it is > currently not mentioned in sections 5.3.2 [2] and 5.3.3 [3]. Here, the > parameter must be added to the packet overview as a mandatory > parameter. > > Furthermore, I suggest to add the following text to Section 5.3.2: > "The TRANSPORT_FORMAT_LIST parameter is an ordered list of the > Responder's preferred and supported transport format types. The list > allows the Initiator and the Responder to agree on a common type for > payload protection." > > ... and to Section 5.3.3: > "The TRANSPORT_FORMAT_LIST contains the single transport format > type selected by the Initiator. The chosen type MUST correspond to one > of the types offered by the Responder in the R1. Currently, the only > transport format defined is IPsec ESP [I-D.ietf-hip-rfc5202-bis]." I agree with all of the above suggestions. > > Note that the parameter is already discussed in the packet processing > instructions in the subsections of Section 6.6 [4, 5]. Do we also need > to define instructions in Section 6.9 [6] in order to tell implementors > what to do when receiving the TRANSPORT_FORMAT_LIST parameter in an I2 > message or do we leave that to documents such as 5202-bis? I think it would help to at least mention here that other documents such as 5202-bis will specify what to do about any specific transport selected (and to expect to have to process this parameter in the received I2). If there are no other comments, I will apply the above changes shortly. > > > Regarding 5202-bis: > ---------------------------- > There is currently no reference to the TRANSPORT_FORMAT_LIST parameter > in this document. Here, we need to specify the transform format type > for IPsec ESP. I suggest to add the following new section to the > document [7]: > "4.1.1 IPsec ESP Transport Format Type > The HIP handshake signals the TRANSPORT_FORMAT_LIST parameter in the R1 > and I2 messages. This parameter contains a list of the supported HIP > transport formats of the sending host in the order of preference. The > transport format type for IPsec ESP is X (TBD)." I agree with this (and also with your separate post to resolve the 'TBD'). > > Furthermore, I suggest to move the ESP_TRANSFORM negotiation to the I2 > and R2 in order to complete the transport format type negotiation > before starting the ESP transform negotiation. As I see it, this should > not negatively impact ESP SA setup as the KEYMAT index in the ESP_INFO > parameter is independent from the chosen ESP Suite ID. Or did I make a > mistake here? > Here, I think the impact may be that it is not aligned with other negotiations in which the responder provides the list for the initiator to choose from. By delaying it as you suggest, the initiator will be sending the list of acceptable transforms and the responder choosing. As is currently specified, the inclusion in R1 also adds clarity to the TRANSPORT_FORMAT_LIST in the sense that the responders clarifies to the initiator, e.g. "I accept ESP, and by ESP, I mean the suites defined in this ESP_TRANSFORM list", and the initiator can decide to proceed or not based on that information. The downside to the current text seems to be that some bytes may be wasted in starting the transform-specific negotiations for possibly unselected transforms. I don't know how much this would occur or be a problem in practice. - Tom
- [Hipsec] TRANSPORT_FORMAT_LIST issues in 5201-bis… René Hummen
- Re: [Hipsec] TRANSPORT_FORMAT_LIST issues in 5201… René Hummen
- Re: [Hipsec] TRANSPORT_FORMAT_LIST issues in 5201… Henderson, Thomas R
- Re: [Hipsec] TRANSPORT_FORMAT_LIST issues in 5201… René Hummen