Re: [Hipsec] Eric Rescorla's No Objection on draft-ietf-hip-rfc4423-bis-19: (with COMMENT)
Eric Rescorla <ekr@rtfm.com> Wed, 21 November 2018 19:37 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1CB130DDC for <hipsec@ietfa.amsl.com>; Wed, 21 Nov 2018 11:37:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.358
X-Spam-Level:
X-Spam-Status: No, score=-3.358 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hh_agKyHMDow for <hipsec@ietfa.amsl.com>; Wed, 21 Nov 2018 11:37:47 -0800 (PST)
Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 478EC130DC8 for <hipsec@ietf.org>; Wed, 21 Nov 2018 11:37:43 -0800 (PST)
Received: by mail-lj1-x244.google.com with SMTP id 83-v6so5854801ljf.10 for <hipsec@ietf.org>; Wed, 21 Nov 2018 11:37:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3LK142W7EP3l15nRJP3/XmTmgzFdMmYLA0VSDHcp3Lc=; b=yguk1960pp1C8Ch72ludNRhUwFrPVtYFIPMdKmQrb9H1D+HrLK5N2RBFOUDf/tpu3q PJj8I0R1j9QkFttfRu4VnwNzQ9sSqb2wM1zVTa9VuGhrjDlsC1oFBQ67vRBX1BpmSWIy SZOctMMtM1jNw7litXy8R5PN+S2johRfKjtyZWK4c00Pe4TYelGOX5FwLXoCPxSwQaAA wXYADsDihW1/T3HJzMEhKAgm5oa/pUIBWbBYi/lpnO4LXQO3gVrrCucxieK2bgh00D1E r/LQ6jJcd0RwHkTITwTGm++sXPNprpLW9NdQHWCvm/DFrdBMfxZIgbU0mke1S1NKYf5A BFvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3LK142W7EP3l15nRJP3/XmTmgzFdMmYLA0VSDHcp3Lc=; b=pC5u1LUV4PjTj5gObKyrx+7/VtGOz+1gGWuXAVLf/jeIGQodqURChoH9KYdDL/oupM QlMV4PQGGUOdO71UdU7tuoNzi9SrCpOZIpOlCHjxH01K9CcMfJIr6ZWD4qKrRFKW/EQ5 kJkmFK14vOgVezKCi9vpuNBbAAaOA9Vuhxej8DopxHefNXHtfTLgctBFvxFoM5/TLgmD /w5Ow3DtLwDv5RknPS/jrbMI56SSDtJpsQCbnbeTjDp2an79kulBcN6WHsf9EsQBz5/Y rzFGRpghaXjVTXzx5nYxQmBowCnYpytIOMwfnxxtuGSa7B37BMDnZFGEr5vIrHnNotRv CVjg==
X-Gm-Message-State: AA+aEWZ3XQ6GRUHOra5KfC4TMZG8wvPDzh6RBTbXDy3652XgJi2BCC+w c29hqukO5T364fvrV0BsVQXQ2JCa10LgSx2j412yQA==
X-Google-Smtp-Source: AFSGD/Uo+E220Osfj1uCqruCqfGi1XTJqIvgVCCS/KttbzZVmQlHx4ywtCU654ivTGPhakCXYanz9yM7akOsqX03YxA=
X-Received: by 2002:a2e:5418:: with SMTP id i24-v6mr5321430ljb.51.1542829061372; Wed, 21 Nov 2018 11:37:41 -0800 (PST)
MIME-Version: 1.0
References: <152564286489.26793.2457846656783140871.idtracker@ietfa.amsl.com> <70e4c94f-0097-0b13-140c-db0a5732ab67@kapsi.fi>
In-Reply-To: <70e4c94f-0097-0b13-140c-db0a5732ab67@kapsi.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 21 Nov 2018 11:37:03 -0800
Message-ID: <CABcZeBPUvZW0qa5X+SGzAaDgJhArw5Q3NSnSj6cYhBce4cnzqw@mail.gmail.com>
To: mkomu@kapsi.fi
Cc: IESG <iesg@ietf.org>, hipsec@ietf.org, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, draft-ietf-hip-rfc4423-bis@ietf.org, hip-chairs@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002711c2057b31e2d6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/cPwHg5QplfPEbbH1nJ33mLRWw9Q>
Subject: Re: [Hipsec] Eric Rescorla's No Objection on draft-ietf-hip-rfc4423-bis-19: (with COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 19:37:50 -0000
On Tue, Nov 20, 2018 at 12:07 PM Miika Komu <mkomu@kapsi.fi> wrote: > Hi Eric, > > On 5/7/18 00:41, Eric Rescorla wrote: > > Eric Rescorla has entered the following ballot position for > > draft-ietf-hip-rfc4423-bis-19: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to > https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-hip-rfc4423-bis/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Rich version of this review at: > > https://mozphab-ietf.devsvcdev.mozaws.net/D3709 > > > > > > Maybe I'm missing something important, but I don't see in this > > document how you go from a HI (or HIT) to the corresponding IP > > locator. That seems pretty critical to making this work. Can you point > > me in the right direction? > > (I interpret "right" direction here as how to implement this in > practice; please let me know if you were asking for something else) > > Existing applications can utilize LSIs or HITs, for instance, via > /etc/hosts in Linux or if the developer/user uses them directly. > Mappings can be configured manually. A better way is to use ,e.g., DNS > to store the FQDN, HIs, IP address mappings: > > https://tools.ietf.org/html/rfc8005 > > An application can receive LSIs or HITs from DNS queries when a HI > record exists for a host. This can be implemented in the local resolver > library (e.g. glibc in Linux) supports it and sends the HI-to-IP address > mapping to the local HIP daemon. As an alternative implementation > technique, dynamic relinking of applications (i.e., LD_PRELOAD in Linux): > > https://tools.ietf.org/html/rfc6538#section-4.1 > > As yet another alternative, RFC5338 (section 3.2) suggests interposing > HIP-aware agents (think about HIP-capable DNS proxy like "dnsmasq" in > Linux) that translate HIs into LSIs and HITs to the application and > cache the IP address mapping to the HIP daemon: > > https://tools.ietf.org/html/rfc5338#section-3.2 > > That's all for existing applications. New HIP native applications could > use DNS library extensions for getaddrinfo() that would be implemented > e.g. in glibc in Linux: > > https://tools.ietf.org/html/rfc6317 > > All of the mentioned references are mentioned in the draft. Should I add > something more compressed along these lines of text or is this too > detailed? > Maybe I'm missing something, but it seems like this is not an interoperable state of affairs. > IMPORTANT > > S 11.3.1. > >> avoiding manual configurations. The three components are further > >> described in the HIP experiment report [RFC6538]. > >> > >> Based on the interviews, Levae et al suggest further directions to > >> facilitate HIP deployment. Transitioning the HIP specifications > to > >> the standards track may help, but other measures could be taken. > As > > > > This confuses me, because we seem to be looking to advance some of the > > HIP specs (e.g., hip-dex) at PS > > Can you elaborate? And do you mean protocol stack by PS? > Proposed Standard. > > COMMENTS > > S 3.1. > >> were obtained. For 64 bits, this number is roughly 4 > billion. A > >> hash size of 64 bits may be too small to avoid collisions in a > >> large population; for example, there is a 1% chance of > collision > >> in a population of 640M. For 100 bits (or more), we would not > >> expect a collision until approximately 2**50 (1 quadrillion) > >> hashes were generated. > > > > It's not just a matter of collisions being hard, but also of being > > difficult to produce an HI with a given name. > > ...where name would be the hash (i.e. HIT). So I added: > > Besides accidental collisions, it is also worth noting that intentional > collisions are difficult to accomplish because generating a valid, > colliding hash along with its private-public key is computationally > challenging. > > Did I capture your thinking correctly? > Well, this isn't a collision; it's what's called a preimage. I.e., computing a public key with a given HIT. Anyway, as far as I can tell, in HIP being able to compute a preimage for HIT Y = H(K_X) is equivalent to breaking key K_X, so that means that that function must have reasonable strength. 2^64 is nowhere near enough and the typical expected security level of IETF protocols is 2^128, so that means that the full width of the IPv6 address has to be used. > S 4. > >> 'well known', some unpublished or 'anonymous'. A system may self- > >> assert its own identity, or may use a third-party authenticator > like > >> DNSSEC [RFC2535], PGP, or X.509 to 'notarize' the identity > assertion > >> to another namespace. It is expected that the Host Identifiers > will > >> initially be authenticated with DNSSEC and that all > implementations > >> will support DNSSEC as a minimal baseline. > > > > This wasn't a very good assumption when 4423 was published, and it > > seems even worse now, given the low rate of deployment of DNSSEC and > > the fact that we know many middleboxes break DNSSEC. > > Then I guess it would be fine to remove the last sentence? > Yes, I think that would be good to do. > > S 4.3. > >> packet. Consequently, a HIT should be unique in the whole IP > >> universe as long as it is being used. In the extremely rare case > of > >> a single HIT mapping to more than one Host Identity, the Host > >> Identifiers (public keys) will make the final difference. If > there > >> is more than one public key for a given node, the HIT acts as a > hint > >> for the correct public key to use. > > > > How do you handle second-preimage attacks on the hash? > > I guess you are referring to this: > > https://tools.ietf.org/html/rfc7343#section-5 > > (Please let me know if an explicit reference is needed) > No, I'm referring to the point I raised above. > > S 5.1. > >> At the server side, utilizing DNS is a better alternative than a > >> shared Host Identity to implement load balancing. A single FQDN > >> entry can be configured to refer to multiple Host Identities. > Each > >> of the FQDN entries can be associated with the related locators, > or a > >> single shared locator in the case the servers are using the same > HIP > >> rendezvous server Section 6.3 or HIP relay server Section 6.4. > > > > This is becoming a less common practice. How do you handle anycast, > > which is the modern practice? > > I added the following statement: > > "It is also worth noting that opportunistic mode is also required > > > in practice when anycast IP addresses would be utilized as locators:" > > Does this address your concern? > > Btw, opportunistic mode is further described in the following documents: > I'm not following how this solves the problem. It seems like you're still going to get badly suboptimal routing. -Ekr > Existing apps: > > https://tools.ietf.org/html/rfc6538#section-2.3.2 > https://tools.ietf.org/html/rfc5338#section-3.2 > > HIP native apps: > > https://tools.ietf.org/html/rfc6317#section-4.1.1 > > > S 7. > >> > >> The encapsulation format for the data plane used for carrying the > >> application-layer traffic can be dynamically negotiated during the > >> key exchange. For instance, HICCUPS extensions [RFC6078] define > one > >> way to transport application-layer datagrams directly over the HIP > >> control plane, protected by asymmetric key cryptography. Also, > S-RTP > > > > Nit: SRTP, no hyphen > > Thanks, fixed! >
- [Hipsec] Eric Rescorla's No Objection on draft-ie… Eric Rescorla
- Re: [Hipsec] Eric Rescorla's No Objection on draf… Eric Rescorla
- Re: [Hipsec] Eric Rescorla's No Objection on draf… Miika Komu
- Re: [Hipsec] Eric Rescorla's No Objection on draf… Eric Rescorla
- Re: [Hipsec] Eric Rescorla's No Objection on draf… Miika Komu
- Re: [Hipsec] Eric Rescorla's No Objection on draf… Eric Rescorla
- Re: [Hipsec] Eric Rescorla's No Objection on draf… Miika Komu