Re: [Hipsec] clarification on HIT Suite IDs
Julien Laganier <julien.ietf@gmail.com> Thu, 25 September 2014 04:21 UTC
Return-Path: <julien.ietf@gmail.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C6B01A19F7 for <hipsec@ietfa.amsl.com>; Wed, 24 Sep 2014 21:21:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MDEiNe-t515q for <hipsec@ietfa.amsl.com>; Wed, 24 Sep 2014 21:21:36 -0700 (PDT)
Received: from mail-lb0-x232.google.com (mail-lb0-x232.google.com [IPv6:2a00:1450:4010:c04::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92B6A1A19E2 for <hipsec@ietf.org>; Wed, 24 Sep 2014 21:21:35 -0700 (PDT)
Received: by mail-lb0-f178.google.com with SMTP id z12so9206621lbi.37 for <hipsec@ietf.org>; Wed, 24 Sep 2014 21:21:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Vlt38sbaV92b8/3WoEHLHXobFJseJq28u+g6cklhW50=; b=GCsFyDyi+O3yn+HTLjXFPloyL6ljhoVUZl4JwNADYZmTBqb5g5mJ2pfruQKdtA2cvc UyZYMtMyoAWatX9ozYdfJVwwtEPpESoVyM3UlyaZm6WDmT9psci/biYHFQiud5KwZILy 94ZvKaU1dowKub6xnhi58vHkK1/HimN9cMVe8OZN14Gd8LdkaLoUKeAbWMX9EGb4n5zP pN66DZu3Wtcgkza/K2JkmrYu74GDKyic9KUAyCr7YFLzfnAmd5z8kbVWY7DflFi1tGwT 4Y49X/6o6KJbX2lqtqbe/a8zEgP7iXC067d41O5HVBNlTTUucQJqobqZHv59DEoqlwoD n9Tg==
MIME-Version: 1.0
X-Received: by 10.112.126.194 with SMTP id na2mr9898401lbb.70.1411618893003; Wed, 24 Sep 2014 21:21:33 -0700 (PDT)
Received: by 10.25.210.4 with HTTP; Wed, 24 Sep 2014 21:21:32 -0700 (PDT)
In-Reply-To: <5421D003.5020701@tomh.org>
References: <5420863E.1060608@tomh.org> <20140922212826.5048E216C3B@bikeshed.isc.org> <54210668.4050605@tomh.org> <CAE_dhju-kOzE1PzTj_+wLfYS4_8kJhWqrxJ16sMC3W6b+sanxQ@mail.gmail.com> <5421B06F.5010301@tomh.org> <CAE_dhjs3TSrME8UPFAw6y_wTye5YvLNAuQ8_KQ4m0sSokULDDg@mail.gmail.com> <5421D003.5020701@tomh.org>
Date: Wed, 24 Sep 2014 21:21:32 -0700
Message-ID: <CAE_dhjsMi+1vKM0U0_veB8+FBLLgKqsxo=Vr_Q-1_4KU4AeWmw@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: Tom Henderson <tomh@tomh.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/afqalZkjKjKgb0RHcKztml0Hip4
Cc: HIP <hipsec@ietf.org>, Francis Dupont <fdupont@isc.org>
Subject: Re: [Hipsec] clarification on HIT Suite IDs
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Sep 2014 04:21:37 -0000
Hi Tom, Please see inline On Tue, Sep 23, 2014 at 12:54 PM, Tom Henderson <tomh@tomh.org> wrote: > Julien, responses inline below. > <cutting thru a bit> >> I may be lacking the background behind tying the OGA ID to the HIT >> suite ID, but IMHO it makes little sense to tie an identifier for a >> combination of hash, HMAC, and signature (the HIT Suite ID), with that >> of the identifier for a hash function (the OGA ID), especially when >> the ID space for the latter is of such a small size. >> >> It implies that if we wanted to create a new HIT suite that just >> changes the signature algorithm, because the hash function in use is >> still perfectly good, we in effect burn one OGA ID in the small >> 15-number space for no extra hash agility w.r.t ORCHID. To me it seems >> like a bad thing to do. >> >> Why can't the HIP specification creates a HIP registry for its OGA >> ID, and allocate value 1, 2, and 3 to the OGA SHA256, SHA384 and SHA1 >> on one hand, and on the other hand define a HIP registry for the HIT >> suite, and allocate ID 1, 2 and 3 as follows: >> >> HIT Suite >> RESERVED 0 >> RSA,DSA/SHA-256/OGAID1 1 >> ECDSA/SHA-384/OGAID2 2 >> ECDSA_LOW/SHA-1/OGAID3 3 >> >> This decouples the burn rate for the HIT suites from that of the OGA >> ID (small) space, thus making it possible to define in the future HIT >> suite 4 with ECDSA/SHA-512 but still OGAID1.... > > > IMHO the above is better than what I proposed, if the WG is willing to make > this kind of a change at this point. > > Perhaps we should ask at this point for other WG opinions on whether the > above decoupling is acceptable? Yes we should. But does silence implies consent? :) >>> Accordingly, would you agree to a modification to your proposal, as >>> follows? >>> >>> The ID field in the HIT_SUITE_LIST is an eight-bit field that >>> encodes a HIT Suite ID value in its higher-order four bits, >>> leaving the lower-order four bits reserved. The encoding is >>> a measure to allow for possibly larger HIT Suite IDs in the >>> future, although such expansion is outside the scope of this >>> document. The lower-order four bits of the ID field are set >>> to zero by the sender and ignored by the receiver. >>> >>> The HIT Suite IDs are an expansion of the OGA IDs that denote >>> which hash function corresponds to a given HIT. The OGA ID >>> encodes, in four bits, the value of the HIT Suite ID that >>> corresponds to the hash function (and other algorithms) in use. >>> A registry for the OGA ID is not separately established since >>> the values are aligned with those of the HIT Suite ID. >>> >>> The four-bit OGA ID field only permits 15 HIT Suite IDs >>> (the HIT Suite ID with value 0 is reserved) to be used at >>> the same time. If 15 Suite IDs prove to be insufficient, >>> future documents will specify how additional values can >>> be accommodated. >> >> >> If a receiver ignores the low order four bits of the suite ID field, >> if in the future we decide to use the remaining low order four bits, >> won't they be required to be used with the reserved value zero for the >> 4 high order bits? >> >> That would limit the HIP Suite ID to a total of 31 legitimate values >> instead of the full 255 available. Shouldn't we rather have a receiver >> treat the low order bits not set to zero as an error instead? > > > I just suggested that handling based on the traditional way of specifying > reserved bits (be liberal in what you accept...). But I agree with you that > there is a difference here with respect to the existing non-reserved values, > so thank you for catching this. I propose to amend the above by deleting > "and ignored by the receiver". We could go further by explicitly stating a > response if the bits are set, or just leave it as an implicit "Parameter > Problem" case just as if a value outside of 1,2 or 3 were received. Having the receiver reply with a "parameter problem" when it receives a Suite ID value outside of the set of values it understands sounds good. For now that is 1, 2, and 3, but can be amended in the future. --julien
- [Hipsec] clarification on HIT Suite IDs Tom Henderson
- Re: [Hipsec] clarification on HIT Suite IDs Tom Henderson
- Re: [Hipsec] clarification on HIT Suite IDs Julien Laganier
- Re: [Hipsec] clarification on HIT Suite IDs Tom Henderson
- Re: [Hipsec] clarification on HIT Suite IDs Julien Laganier
- Re: [Hipsec] clarification on HIT Suite IDs Tom Henderson
- Re: [Hipsec] clarification on HIT Suite IDs Julien Laganier
- Re: [Hipsec] clarification on HIT Suite IDs Ted Lemon
- Re: [Hipsec] clarification on HIT Suite IDs Rene Hummen
- Re: [Hipsec] clarification on HIT Suite IDs Gonzalo Camarillo
- Re: [Hipsec] clarification on HIT Suite IDs Rene Hummen
- Re: [Hipsec] clarification on HIT Suite IDs Rene Hummen
- Re: [Hipsec] clarification on HIT Suite IDs Gonzalo Camarillo
- Re: [Hipsec] clarification on HIT Suite IDs Julien Laganier
- Re: [Hipsec] clarification on HIT Suite IDs Francis Dupont
- Re: [Hipsec] clarification on HIT Suite IDs Francis Dupont
- [Hipsec] Antwort: Re: clarification on HIT Suite … Tobias.Heer
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Tom Henderson
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Julien Laganier
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Miika Komu
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Tom Henderson
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Rene Hummen
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Tom Henderson
- Re: [Hipsec] Antwort: Re: clarification on HIT Su… Rene Hummen