Re: [Hipsec] rfc5201-bis-04 review

[Ari Keranen <ari.keranen@nomadiclab.com>]

Hi,

Here's comments, suggestions, and questions of the rest of the rfc5201-bis-04 document. 

BTW, don't be scared of the amount of comments; I just tried to do a thorough review and weed out all the remaining errors, ambiguities, and style issues -- even the smaller ones.


5.1.  Payload Format

   | Next Header   | Header Length |0| Packet Type |  VER. | RES.|1|

s/  VER. /Version/
(if fits there, so no need to abbreviate?)


   document does not describe processing for Next Header values other
   than decimal 59, IPPROTO_NONE, the IPv6 'no next header' value.
   Future documents MAY do so. 

s/do so/define behavior for also other values/


   The Header Length field contains the length of the HIP Header and HIP
   parameters in 8-byte units, excluding the first 8 bytes. 

s/the length/the combined length/


  The HIP Version is four bits.  The current version is 2. 

s/Version is/Version field is/
s/current version/version defined in this document/


   For example, in the case
   that the forthcoming SHIM6 protocol happens to be compatible with
   this specification

Since SHIM6 is already an RFC, this text could be updated.


5.1.2.  HIP Controls

   The HIP Controls section conveys information about the structure of

s/section/field/


   The following fields have been defined:

s/fields/sub-fields/


      This control is set in packets R1 and/or
      I2.  The peer receiving an anonymous HI may choose to refuse it.

How about using anonymous HIs with other packets? Say, NOTIFYs or UPDATEs?


5.1.3.  HIP Fragmentation Support

   In IPv4 networks, HIP packets may encounter low MTUs along their
   routed path.  Since HIP does not provide a mechanism to use multiple
   IP datagrams for a single HIP packet

HIP over HIP does provide mechanism for this, so I'd change:
s/HIP does not/basic HIP, as defined in this document, does not/ (or something)


   HIP-aware NAT
   devices MUST perform any IPv4 reassembly/fragmentation.

Despite the warning in the next paragraph, this would potentially make all HIP-aware IPv4 NAT devices vulnerable for fragment-attacks. Could change the MUST into SHOULD? Also, could clarify that reassembly/fragmentation is a MUST/SHOULD for HIP packets, not for any random packet.


   it is strongly recommended that the separate document
   specifying the certificate usage in the HIP Base Exchange defines the
   usage of "Hash and URL" formats rather than including certificates in
   exchanges. 

This already exists in the CERT draft, so this text could be removed/re-worded. The reference to fragmentation DoS attack is still useful though.


5.2.  HIP Parameters

   The HIP Parameters are used to carry the public key associated with
   the sender's HIT, together with related security and other
   information.

Considering the amount of different things carried in HIP Parameters today, this section could start with a more generic description of the use of the parameters ("and other information" sounds a bit understatement). Can't come up with the right words for now, but would be good to have something that would explain that Parameters are used to carry the security stuff, but are also one of the main ways for extending HIP.


   | R1_COUNTER             | 128   | 12       | System Boot Counter   |

The data description does not seem to match other descriptions of R1_COUNTER.


   | HIP_CIPHER             | 579   | variable | HIP encryption        |
   |                        |       |          | algorithm             |

s/HIP encryption algorithm/List of HIP encryption algorithms/


   | ENCRYPTED              | 641   | variable | Encrypted part of I2  |
   |                        |       |          | packet                |

ENCRYPTED could be also in other packets than just I2, right?


   | CERT                   | 768   | variable | HI Certificate; used  |

Also this text regarding certificates should be updated.


   | ECHO_RESPONSE_SIGNED   | 961   | variable | Opaque data echoed    |
   |                        |       |          | back; under signature |

s/echoed back/echoed back by request/

Also "covered by signature", or "signed" could be better than "under signature" (also in ECHO_REQ_SIGNED).


   |  2048 -  4095 | Parameters related to HIP transport types         |

s/transport types/transport formats/
(to be consistent with the later text)


5.2.1.  TLV Format

   The type-field value also describes the order of these
   fields in the packet, except for type values from 2048 to 4095 which
   are reserved for new transport forms.

This is a bit strange exception. I wonder if it would make sense to make this consistent with the other ordered lists, i.e., have one parameter that lists the supported transport formats and then, depending on which format was chosen, the corresponding parameter(s) from this range are used (and others ignored). 

Also:
s/order of these fields/order of these parameters/
s/transport forms/transport formats/


   If the parameter can exist multiple times in the packet, the
   type value may be the same in consecutive parameters. 

This could rather be formatted as a normative requirement (and then it would be also implicit for the responder). Something like:

   If the parameter can exist multiple times in the packet, the
   parameters with the same type MUST be consecutive in the packet.


5.2.2.  Defining New Parameters

       Implementations operating in a mode
       adhering to this specification MUST disable the sending of new
       critical parameters.

This sounds a bit strange. Should that be "MUST allow disabling"?


5.2.3.  R1_COUNTER

   The sender is supposed to increment this counter
   periodically.

s/is supposed to increment/increments/ or "SHOULD increment"


5.2.6.  DIFFIE_HELLMAN

   The 160-bit ECP
   group can be used when lower security is enough (e.g., web surfing)
   and when the equipment is not powerful enough (e.g., some PDAs).

Should mention which Group ID the 160-bit ECP is (I'd assume 10, but it's not explicit).

Also, some general recommendation on the order of proposed group IDs would be helpful so that implementations don't end up (unnecessarily) proposing the weakest groups by default.


5.2.7.  HIP_CIPHER

     Cipher ID      defines the cipher algorithm to be used for
                    encrypting parts of the HIP packet

Is HIP_CIPHER used anywhere else except in the ENCRYPTED parameter? If not, the explanation above could say that explicitly. That is, for example,
s/parts of the HIP packet/the contents of the ENCRYPTED parameter/


   NULL-ENCRYPTION is included
   for testing purposes.  NULL-ENCRYPTION SHOULD NOT be configurable via
   the UI.

There may be no UI for the implementation, so could say "by the user" instead of "via the UI".


5.2.8.  HOST_ID

    DI-type           type of the following Domain Identifier field
    Domain Identifier the identifier of the sender

The actual content of these fields is not clear from the text. Could at least move the DI-types table closer to the figure. Also, "DI Length" could simply say "length (in octets) of the Domain Identifier field"; the FQDN and NAI part just confuses here.


   If there is no Domain Identifier, i.e., the DI-type field is zero,
   the DI Length field is set to zero as well.

Should there be some normative text on when to have the domain identifier?


5.2.10.  DH_GROUP_LIST

   The information in the
   DH_GROUP_LIST allows the Responder to select the DH group preferred
   by itself and the Initiator.

s/and the Initiator/and supported by the Initiator/


5.2.13.  HIP_SIGNATURE

  The signature algorithms are defined in Section 5.2.8.

The algorithm identifier field side for HOST_ID (Section 5.2.8) is 16 bits whereas here it is 8 bits. Something wrong here? 

Could also reference to exact table with the algorithms since section 5.2.8 has 4 different tables.


Sections 5.2.15 and 5.2.16 (SEQ and ACK) 

Figures, and their Length descriptions are not consistent although, AFAIK, the format of the parameters is identical.


5.2.16.  ACK

   The Length field identifies the number of
   peer Update IDs that are present in the parameter.

This is a bit misleading. Could say something like "number of peer Update IDs can be inferred from the length by dividing it by 4"


5.2.17.  ENCRYPTED

     Encrypted      The data is encrypted using an encryption algorithm
       data         as defined in the HIP_CIPHER parameter.

s/an encryption algorithm as defined in/the encryption algorithm defined by/


5.2.18.  NOTIFICATION

     Padding        any Padding, if necessary, to make the parameter a
                    multiple of 8 bytes.

This is the first parameter to explicitly define padding after the figure (not consistent). Also, base text says that padding MUST be zero, but here it says "anything will do". Would suggest removing this altogether.


   Notification information can be error messages specifying why an SA

First occurrence of SA. Expand, and maybe add a reference too.


Overall, this section is fairly inconsistent with the use of different ways to refer to "Notify Message Type", some suggestions for change:

   The table below lists the Notification messages and their
   corresponding values.

s/Notification messages/Notify Message Types/

   Types in the range 0-16383 are intended for reporting errors and in

s/Types/Notify Message Types/

   An
   implementation that receives a NOTIFY packet with a NOTIFICATION
   error parameter in response to a request packet

s/NOTIFICATION error parameter/(something)/

   Notify payloads with status types MUST be ignored if not recognized.

s/Notify payloads with status types/Notification Data in NOTIFICATION parameters with status Notify Message Types/

     NOTIFICATION PARAMETER - ERROR TYPES     Value

s/NOTIFICATION PARAMETER - ERROR TYPES/Notify Message Types - Errors/
(or why not in all-caps, if that looks better)

     NOTIFY MESSAGES - STATUS TYPES           Value

s/NOTIFY MESSAGES - STATUS TYPES/Notify Message Types - Status/


     UNSUPPORTED_CRITICAL_PARAMETER_TYPE        1

       Sent if the parameter type has the "critical" bit set and the
       parameter type is not recognized.  Notification Data contains the
       two-octet parameter type.

What if there are multiple unsupported critical parameter types? Should send multiple NOTIFICATIONs of this Message Type or would it be better to concatenate the types?


     INVALID_SYNTAX                             7

       Indicates that the HIP message received was invalid because some
       type, length, or value was out of range or because the request
       was rejected for policy reasons. 

Rejecting message with "invalid syntax" code due to policy reasons sounds strange. Isn't the type "BLOCKED_BY_POLICY" for that purpose? Could change that policy text to: "[...] or the message was otherwise malformed".


5.2.19.  ECHO_REQUEST_SIGNED

   A HIP
   packet can contain only one ECHO_REQUEST_SIGNED or
   ECHO_REQUEST_UNSIGNED parameter.  


s/can/MUST/ ?


5.2.20.  ECHO_REQUEST_UNSIGNED

   HIP packet can contain one or more ECHO_REQUEST_UNSIGNED parameters.
   It is possible that middleboxes add ECHO_REQUEST_UNSIGNED parameters
   in HIP packets passing by. 

This seems to contradict with the previous section (see above).


   The sender has to create the Opaque field
   so that it can later identify and remove the corresponding
   ECHO_RESPONSE_UNSIGNED parameter.

Does this apply also to middleboxes, i.e., is "sender" the sender of the packet or sender of the parameter?


5.3.1.  I1 - the HIP Initiator Packet

     IP ( HIP ( DH_GROUP_LIST ) )

This is not strictly consistent with the notation definition "X(y)   indicates that y is a parameter of X" (HIP stuff is not really a parameter of IP packet). I'm not entirely sure how to fix this though (or if it even needs to be fixed).


   The Initiator receives the Responder's HIT either from a DNS lookup
   of the Responder's FQDN, 

Add here a reference to 5205-bis.


5.3.2.  R1 - the HIP Responder Packet

   The Initiator's HIT MUST match the one received in the I1 packet. 

...if the R1 is sent due to I1. 


   Re-using Diffie-Hellman public keys opens up the potential security
   risk of more than one Initiator ending up with the same keying

s/public keys/public values/ ?
(same in next paragraph)


   If a future version of this protocol is considered, we strongly
   recommend that these issues be studied again.

Has anyone looked into this?


   The signature is calculated over the whole HIP envelope

"HIP envelope" is not defined anywhere (but used many times after this occurrence too). Perhaps add it to the definitions part.


5.3.3.  I2 - the Second HIP Initiator Packet

   The HITs used MUST match the ones used previously.

This is ambiguous. Should that be "used in R1" or are there also other possibilities?



   The HIP_CIPHER contains the single encryption transform selected by
   the Initiator, that it uses to encrypt the ENCRYPTED parameter.

s/the ENCRYPTED parameter/ENCRYPTED parameters/
(The ENCRYPTED parameter is optional here, but may be sent later, right?)


5.3.5.  UPDATE - the HIP Update Packet

   An UPDATE that does not contain a SEQ parameter is
   simply an acknowledgment of a previous UPDATE and itself MUST NOT be
   acknowledged by a separate ACK.

What about UPDATE without ACK nor SEQ? Unreliable UPDATE or a protocol error?


5.3.7.  CLOSE - the HIP Association Closing Packet

   The receiver peer MUST validate the ECHO_RESPONSE_SIGNED and validate
   both the HIP_MAC and the signature if it has state for a HIP
   association,

The ECHO_RESPONSE_SIGNED is only in the CLOSE_ACK. I assume this is not just a typo, since there's not much to validate in the request, right? Also, could be more explicit about who the state is with.


5.3.8.  CLOSE_ACK - the HIP Closing Acknowledgment Packet

   The receiver peer MUST validate both the HMAC and the signature.

...and the contents of the ECHO_RESPONSE?


5.4.1.  Invalid Version

   pointing to the VER./RES. byte in the HIP header.

If you change the "VER." field (as suggested in the beginning of this mail), remember to change it also here.


6.1.  Processing Outgoing Application Data

   The exact format and method for transferring the data from the source

s/the data/the user data/
(this does not apply to HIP packets)


6.4.1.  HMAC Calculation

   6.  Set Checksum and Header Length field in the HIP header to
       original values.

This could be just an implementation issue, but unless the signatures and MACs are also restored, the length and checksum are invalid after this step. Is this step even needed?


6.5.  HIP KEYMAT Generation


      HIP-gl encryption key for HOST_g's outgoing HIP packets
      HIP-gl integrity (HMAC) key for HOST_g's outgoing HIP packets

It's a bit confusing to use the same "key name" twice (same for -lg). I assume "outgoing HIP packets" means the ENCRYPTED parameter? If so, could say it explicitly.


      HIP-lg encryption key (currently unused) for HOST_l's outgoing HIP
      packets

Why HOST_l's key is not used if either Initiator or Responder may end up being the HOST_l?


6.7.  Processing Incoming I1 Packets

   2.  If the Responder is in ESTABLISHED state, the Responder MAY
       respond to this with an R1 packet, prepare to drop existing SAs,

Should prepare to drop only the SAs one has with the I1's sender?


       Other than that, selecting the HIT is a
       local policy matter.

Shouldn't the Responder use the same as HIT the Initiator used for it? This would otherwise break section 6.8 step 3.


6.8.  Processing Incoming R1 Packets


   7.   The system MUST check that the DH Group ID in the DH parameter

s/DH parameter/DIFFIE_HELLMAN parameter/ 
(twice in this step)


6.9.  Processing Incoming I2 Packets


   Hellman key, decrypting the Initiator's Host Identity, verifying the

s/decrypting/possibly decrypting/
(if it's not within ENCRYPTED parameter; also in step 11)


   7.   If the system's state machine is in any other state than R2-
        SENT, the system SHOULD check that the echoed R1 generation
        counter in the I2 packet is within the acceptable range.

...if the counter is included


6.10.  Processing of Incoming R2 Packets

   If an R2 packet is received in state I2-SENT, it SHOULD be processed.

When would it be appropriate to *not* process the R2 in I2-SENT state? This looks like a MUST to me.


   2.  The system MUST verify that the HITs in use correspond to the
       HITs that were received in the R1 packet.

"..that caused the transition to the I1-SENT state" 
i.e., not just any R1


6.14.  Processing CLOSE Packets

   The HIP association is not discarded before the host moves from the
   UNASSOCIATED state.

s/from/to/?


6.15.  Processing CLOSE_ACK Packets

   A host can map CLOSE messages to CLOSE_ACK messages by using
   the included ECHO_RESPONSE_SIGNED in response to the sent
   ECHO_REQUEST_SIGNED in the CLOSE_ACK.

s/using/matching/
And the end of the sentence seems to be incorrect anyway (REQ is not in ACK). Could rephrase the whole sentence.


   The CLOSE_ACK contains the HIP_MAC and the SIGNATURE for

s/and the SIGNATURE/and SIGNATURE parameters/


7.  HIP Policies

   Initiators may use a different HI for different Responders to provide
   basic privacy.  Such implementations SHOULD keep state for mapping
   Initiator's HIT to Responder's HIT.  This access control list (ACL)
   SHOULD also include preferred transform and local lifetimes.

This sounds a bit ambiguous. Why is the mapping needed? What are the lifetimes? Why store the preferred transform?


   The value of K used in the HIP R1 packet can also vary by policy.  K
   should never be greater than 20, but for trusted partners it could be
   as low as 0.

s/should never/SHOULD NOT/
Also, why 20? Some rough number on "how much is 20" could be helpful. How about, say, 10 years from now, is 20 that big still then or should we comment something on adjusting the maximum value in the future? Or will it be HIP v3 by then? :)


10.  IANA Considerations

   This document also creates a set of new namespaces.  These are
   described below.

Do we create new namespaces for v2 or should we re-use the existing ones?


   HIP Version

At least this namespace we shouldn't redefine (but e.g., HIP Suite we should).


   Group ID

      New values either from the reserved or unassigned
      space are assigned through IETF Consensus.

What are these spaces? Is "0" the "reserved space"? Same with CIPHER_ID.


      Notify Message Type values 1-10 are used for informing about
      errors in packet structures, values 11-20 for informing about
      problems in parameters [...]

This text could be more helpful in the NOTIFICATION section.


That's all for now. More nits coming off-lists.


Cheers,
Ari