Re: [Hipsec] Spencer Dawkins' No Objection on draft-ietf-hip-dex-06: (with COMMENT)

Miika Komu <> Wed, 19 June 2019 12:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D09841205F1; Wed, 19 Jun 2019 05:14:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KWbfPVHxYaju; Wed, 19 Jun 2019 05:14:08 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fe09::61e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2755912047D; Wed, 19 Jun 2019 05:14:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=o7Kpj2u7nLsmkkY2wiADaH5flUitbGijXbX2XnGlMi8=; b=cWWPKy8nRNMf8j1nxjC2ZQJ9oBA1xz9bVeZegvtHcR1Y3tsfWWsdxqvAqD7rMhJ+9AdImEvQ951gZqKwNunXc3Q73tARp+VVvewFSy1U8uw6Z5o7/EpjaNqpvNPJgE+lsu10AsKurOxc7f9H7Ii2OLat+Oy8Z5Ob7X362HI83Cs=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.12; Wed, 19 Jun 2019 12:14:05 +0000
Received: from ([fe80::cfa:bf2f:4673:766]) by ([fe80::cfa:bf2f:4673:766%4]) with mapi id 15.20.2008.007; Wed, 19 Jun 2019 12:14:05 +0000
From: Miika Komu <>
To: "" <>, "" <>
CC: "" <>, "" <>, "" <>
Thread-Topic: [Hipsec] Spencer Dawkins' No Objection on draft-ietf-hip-dex-06: (with COMMENT)
Thread-Index: AQHT8Wc4FFWPP87M/E2KPx4iMJUVTKalTioA
Date: Wed, 19 Jun 2019 12:14:05 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: fi-FI, en-US
Content-Language: en-US
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.1
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6ef11aa6-2116-4959-1063-08d6f4af9fbb
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR0702MB3772;
x-ms-traffictypediagnostic: HE1PR0702MB3772:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0073BFEF03
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(39860400002)(396003)(346002)(366004)(136003)(189003)(199004)(36756003)(66946007)(81166006)(73956011)(2616005)(50226002)(44832011)(76116006)(14454004)(229853002)(8936002)(486006)(186003)(86362001)(476003)(26005)(2906002)(118296001)(25786009)(6512007)(11346002)(446003)(66556008)(64756008)(66446008)(66476007)(6306002)(53936002)(110136005)(54906003)(6486002)(68736007)(6436002)(316002)(76176011)(4326008)(5660300002)(6506007)(71190400001)(71200400001)(99286004)(3846002)(66066001)(6246003)(6116002)(256004)(14444005)(7736002)(305945005)(8676002)(2501003)(102836004)(478600001)(81156014)(966005)(99106002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0702MB3772;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: dV2CwabA1K7aVbavenWCJpVy6JBg0PTUk69e+q2MHdZzTpJUMRBpxnqEgOEacyqIY+6WiLkgxFCPpiyCqq9+mp98x2F4VvKAAJWtexZ1mu9TBMakkRSLInkw4WI6HXsqy5oNi0l+ZZJNgOlhkWBNorumMljgDpfohED5ZOPFAgssDu1IirOqVonLGzmB3uQtmSHk/pVZdS9uxXB84NGImntONaO0SyweHRIKaFE1FiNibaEW1wu0mHE07RYIQoxzt2Ep+yVuC1BnZRruzdTHLTYqVAcSykOAdn8ghVhTFyVaLWJPZ6JchOvmGpXo3yogNX/bFZyl37mr3oEEXLuu+h4wBUEofrHTKIDp1p2931SCtTjNMmWL/yH0HNNGyqftaS3i/Qz1Fp9imZaqCt6mKpKnYNuuWgcs3GmKxuHBl6M=
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 6ef11aa6-2116-4959-1063-08d6f4af9fbb
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jun 2019 12:14:05.4195 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3772
Archived-At: <>
Subject: Re: [Hipsec] Spencer Dawkins' No Objection on draft-ietf-hip-dex-06: (with COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Jun 2019 12:14:19 -0000


ma, 2018-05-21 kello 17:52 -0700, Spencer Dawkins kirjoitti:
> Spencer Dawkins has entered the following ballot position for
> draft-ietf-hip-dex-06: No Objection
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut
> this
> introductory paragraph, however.)
> Please refer to 
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> -------------------------------------------------------------------
> ---
> -------------------------------------------------------------------
> ---
> I'm not an expert on what people expect about security, but I'm
> wondering if
> there's a little too much distance between this text in the Abstract,
>   This document specifies the Host Identity Protocol Diet EXchange
> (HIP
>    DEX), a variant of the Host Identity Protocol Version 2
> (HIPv2).  The
>    HIP DEX protocol design aims at reducing the overhead of the
> employed
>    cryptographic primitives by omitting public-key signatures and
> hash
>    functions.  In doing so, the main goal is to still deliver similar
>    security properties to HIPv2.
> and this text in the Introduction,
>   The main differences between HIP BEX and HIP DEX are:
> (snip)
>   2.  HIP DEX forfeits the HIPv2 Perfect Forward Secrecy property of
>        HIPv2 due to the removal of the ephemeral Diffie-Hellman key
>        agreement.
> Would the average reader consider "no PFS" to be similar to PFS?
> (Please note that I'm not questioning the choice made in DIX, only
> the way that
> choice is described in the Abstract)

I agree that "similar" is very ambiguous. I have removed the sentence
"In doing so, the main goal is to still deliver similar security
properties to HIPv2" from the abstract (as suggested offline by Eric
Vyncke). I hope this resolves your comment?

> I'm curious about whether a couple of other differences named in the
> Introduction would also qualify as similar, but let's start with PFS.
> I'm also curious about whether
> 1.1.  The HIP Diet EXchange (DEX)
> (snip)
>    HIP DEX does not have the option to encrypt the Host Identity of
> the
>    Initiator in the 3rd packet.  The Responder's Host Identity also
> is
>    not protected.  Thus, contrary to HIPv2, HIP DEX does not provide
> for
>    end-point anonymity and any signaling that indicates such
> anonymity
>    should be ignored.
> qualifies as "similar", but I don't have a good sense of how much
> this matters
> in current and expected HIP deployments.

the sentence has been removed from the abstract, I hope this point is
also moot now.

> I'm hardly the smart one about this, but is
>   o  HIP DEX lacks the Perfect Forward Secrecy (PFS) property of
> HIPv2.
>       Consequently, if an HI is compromised, all HIP connections
>       protected with that HI are compromised.
> correct? I was expecting to see something like "if an HI is
> compromised, all
> previous HIP connections protected with that HI are compromised".

you are correct, fixed.

> The version of this draft I'm reviewing has 57 occurrences of the
> word
> "should". I'm not seeing very many cases where the surrounding text
> explains
> why an implementation would not do what it SHOULD do, and I'm not
> seeing many
> cases where the surrounding text explains what the peer
> implementation should
> do, if the other endpoint doesn't do what it SHOULD do, although many
> of those
> cases might be captured in the state diagrams in the document.

many of the SHOULDs are inherited from the text in RFC7401. If you
really want to, I can do a side by side comparison and check which ones
are really new, and then improve the new ones? With my current
priorities at work, this will unfortunately take a lot of time. Another
way to resolve your comment is to add some general statement about the
SHOULDs in the specification.

> In this text,
>   By eliminating the need for public-key signatures and the ephemeral
>    DH key agreement, HIP DEX reduces the computation, energy,
>                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    transmission, and memory requirements for public-key cryptography
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    (see [LN08]) in the HIPv2 protocol design.  Moreover, by dropping
> the
>    cryptographic hash function, HIP DEX affords a more efficient
>                                         ^^^^^^^^^^^^^^^^^^^^^^^^
>    protocol implementation than HIP BEX with respect to the
>    ^^^^^^^^^^^^^^^^^^^^^^^
>    corresponding computation and memory requirements.
> is "efficient" the right word, in the second sentence? This seems to
> mirror
> that "reducing requirements" effect from the first sentence - I'd
> assume that
> if you were comparing efficiencies, you'd be comparing two things
> with
> equivalent functionality.

I removed the second sentence (I think it was a bit redundant anyways).
I hope this resolves your comment.

I also changed "computation" to "computational".

> I'm sure I'm not reading this correctly, but in this text
>   In the second case, the HIP DEX implementation (Responder) inspects
>    the Initiator's HIT on reception of an I1 packet.  If the OGA ID
>    field of this HIT does not indicate the HIP DEX HIT Suite ID, the
>    DEX implementation cancels the handshake and sends an ICMP packet
>    with type Parameter Problem, with the Pointer pointing to the
> source
>    HIT, to the Initiator.  As an adversary could also send such an
>    packet in a man-in-the-middle attack with the aim to prevent the
>                ^^^^^^^^^^^^^^^^^
>    DEX handshake from completing, the Initiator SHOULD NOT react to
> an
>    ICMP message after sending the I1 until a reasonable delta time to
>    get the real Responder's R1 HIP packet.
> I would have thought that this was a good plan to defend against an
> off-path
> attacker, because ICMP is helpfully unauthenticated, and if you were
> on-path
> (so, man-in-the-middle), you'd probably be doing things that were
> much more
> aggressive (like trying to impersonate the other end). Am I getting
> this wrong?

I agree, off-path attacker is more relevant here. Changed the text as

As an off-path adversary could also send such
   an ICMP packet with the aim to prevent the HIP DEX handshake from
   completing, the Initiator SHOULD NOT react to an ICMP message before
   retransmission counter reaches I1_RETRIES_MAX in its state machine
   (see Table 3 in [RFC7401]).