HIP and IKE -- was -- Re: [Hipsec] Moving the base spec forward
yogesh.swami@acm.org (Yogesh Prem Swami) Mon, 13 September 2004 14:14 UTC
From: yogesh.swami@acm.org
Date: Mon, 13 Sep 2004 14:14:00 +0000
Subject: HIP and IKE -- was -- Re: [Hipsec] Moving the base spec forward
In-Reply-To: <23ADD52E-057C-11D9-A8F6-000D9331AFB0@nomadiclab.com>
References: <20040911232318.87825.qmail@web81205.mail.yahoo.com> <23ADD52E-057C-11D9-A8F6-000D9331AFB0@nomadiclab.com>
Message-ID: <4145F262.8090805@acm.org>
X-Date: Mon Sep 13 14:14:00 2004
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigA6864CF482FA156CE4B2953B Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Pekka- I split the e-mail into different parts. I guess, it's too late in the game, so I am not going to "fight" too much here, but see inline: ext Pekka Nikander wrote: > Good questions and comments, we need more like this. > >> I sent a big part of these comments to the authors directly, but >> may be it's useful to discuss this on the mailing list as well. > > > [I'll answer to that next, after this one, cc:ing the relevant > parts to the list.] > >> * Motivation for not using IKE (+MobIKE). > > > The original motivation was that IKEv1 is not so well defined. > To put it bluntly, it was clunky. > When I say IKE, I mean IKEv2. My bad. :-) IMO, it's important to consider IKEv2 for a variety of reasons. The biggest reason is that it will improve the usability of HIP. It's a lot harder, practically speaking, to convince people to buy/build a new product such as HIP when their older products (IKEv2) can already achieve something similar. I think we should learn the right lessons from IPv6 deployment. Also, the more number of key exchange protocols you have, the more fragments of secure, but isolated, networks you will have in future. It's not hard to envision cases where one organization only supports IKE (because they already spent like crazy on PKI), while the other one only has HIP. > The situation is slightly different now. It might be possible > to reuse IKEv2 for HIP. However, it has been an explicit design > goal to make the HIP base exchange as simple as possible while > still retaining the overall architectural goals, including DoS > protection. From that point of view, IKEv2 is too complex. > The basic IKEv2 is no more complex than HIP exchange, IMO. But, I agree that in case of DoS, there is a possibility of message explosion, but that's different from complexity (i.e., to me, ping-ponging a few messages only in case of DoS is not complexity, but a good design choice.) In addition, the security properties of IKEv2 is well understood. Hugo's paper has a provably secure analysis of SIGMA, on which IKE is based. This is not the case with HIP key exchange. (In SIGMA both sides provide a proof of possession of the ephemeral key by the HMAC. In HIP only Responder provides this proof in R2. This can have different, and unintended consequences... Haven't analyzed it yet, though.) > One bigger issue is relationship to middlex boxes, though. HIP > has been designed to be middle box friendly, explicitly keeping > fields that middle boxes might inspect, including SPIs, in clear > text. IKE favours confidentiality and secrecy here, HIP doesn't. > My preferred approach for middle boxes (some prefer evil-boxes) is to let the protocol break in its presence. Clearly, I'm in a minority here! :-) But I see your point. Although, I won't keep the SPI in clear, I can still live with it. Without SPI encryption, USER_ID encryption alone looses a few of its of benefits. >> The draft needs to motivate the need for a new key exchange >> protocol. > > > Actually, that is the task of the architecture draft. If it doesn't, > or does the job poorly, please indicate which parts of the architecture > draft you would like to see improved. (-06 is malformated, I'm > in the process of issuing -07. -05 may be easier to read, if you > can find it.) Well, I didn't find any discussion in draft-moskowitz-hip-arch-06.txt on why someone will choose a "low policy granularity" based key-exchange (i.e., present HIP) when another one already exists. Also, I am not clear why HIP has lower policy granularity. Isn't policy based on the USER_ID (e-mail. FQDN etc.) -- which HIP already has? Do you mean fancy ways of authenticating hosts, by policy granularity? I must be missing something here. > >> IMO, however, IKE (+MOBIKE) with public-key encryption (which can >> be obtained from DNNSec) can achieve almost everything that this >> draft achieves. > > > Yes it can, with the possible exception of different approach to > DoS protection. However, it is considerably more complex than the > HIP base exchange. You mention complexity a couple of times in your e-mail. To me it seems like the biggest complexity is reinventing a new key exchange. :-) I general, I won't reinvent the wheel if tweaking the existing ones meets my requirements. Depending upon other protocols is a good design principle, IMO. Not saying we should not have HIP key exchange. But do add some text on why? IESG might as well ask the same question. More in next e-mail. Thanks Yogesh [[Blanket Disclaimer: All opinions are solely mine, and doesn't represent the opinions of my employer.]] --------------enigA6864CF482FA156CE4B2953B Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) iQEVAwUBQUXyaHkjMhOId4nzAQKYmgf/d7wWotwhZksMsa5eCBW9j4euq51X2qdx jiyYxHH0BDWrk4Bg9JLfq/poEl0v2z1GNeDStX9b0C7MXwiXdhcSmxKmlXICm0pl SOR3CuWb0RoZO+pL6rj7XWc4zQJ9PuOUA9tsK4uVjOXQmsEuWO5GWNb5SkQ6tJtH MCB/Y2Zq8CyeB5MSUgccbCEKolKy5M8fltbfHQmHoXtLavUNGDnI1SoxiXuD0Tof v8ChG5lmRTO1XGlzraGYR5itaPpMeRextYzf6yHj08Cnsoki/i4CmYprSYBrJRvB 8n/8OLyrAr0KCfJBCiwtxWde/jfOlwEFOPtikzz8BZGC1K6HSzVo3Q== =64HB -----END PGP SIGNATURE----- --------------enigA6864CF482FA156CE4B2953B--
- [Hipsec] Moving the base spec forward Pekka Nikander
- [Hipsec] Re: Moving the base spec forward Gonzalo Camarillo
- [Hipsec] Moving the base spec forward Yogesh Prem Swami
- [Hipsec] Moving the base spec forward Yogesh Prem Swami
- [Hipsec] Moving the base spec forward Pekka Nikander
- [Hipsec] Moving the base spec forward Pekka Nikander
- [Hipsec] Moving the base spec forward Miika Komu
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Yogesh Prem Swami
- Protocol type for HIP -- was -- Re: [Hipsec] Movi… Yogesh Prem Swami
- Cookie mechanism -- was -- Re: [Hipsec] Moving th… Yogesh Prem Swami
- Last e-mail in this thread -- was -- Re: [Hipsec]… Yogesh Prem Swami
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Pekka Nikander
- Cookie mechanism -- was -- Re: [Hipsec] Moving th… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Jari Arkko
- Protocol type for HIP -- was -- Re: [Hipsec] Movi… Pekka Nikander
- Protocol type for HIP -- was -- Re: [Hipsec] Movi… Yogesh Prem Swami
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Michael Richardson
- Protocol type for HIP -- was -- Re: [Hipsec] Movi… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Yogesh Prem Swami
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Michael Richardson
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Michael Richardson
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Michael Richardson
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Michael Richardson
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Yogesh Prem Swami
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Petri Jokela
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Miika Komu
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Yogesh Prem Swami
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Miika Komu
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Miika Komu
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Yogesh Prem Swami