Re: [Hipsec] Mirja Kühlewind's No Objection on draft-ietf-hip-multihoming-11: (with COMMENT)

Tom Henderson <> Sun, 18 September 2016 16:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 26A8B12B139; Sun, 18 Sep 2016 09:40:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vaFwoKT1LIGN; Sun, 18 Sep 2016 09:40:14 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 60F9112B134; Sun, 18 Sep 2016 09:40:14 -0700 (PDT)
Received: from ( []) by (8.14.4+UW14.03/8.14.4+UW16.03) with ESMTP id u8IGe6TU029026 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 18 Sep 2016 09:40:06 -0700
Received: from (localhost []) by (8.14.4+UW14.03/8.14.4+UW16.03) with ESMTP id u8IGe3nx028266; Sun, 18 Sep 2016 09:40:03 -0700
Received: from localhost (Unknown UID 17623@localhost) by (8.14.4+UW14.03/8.14.4+Submit-local) with ESMTP id u8IGe23P028257; Sun, 18 Sep 2016 09:40:03 -0700
X-Auth-Received: from [] by via HTTP; Sun, 18 Sep 2016 09:40:02 PDT
Date: Sun, 18 Sep 2016 09:40:02 -0700 (PDT)
From: Tom Henderson <>
Message-ID: <>
User-Agent: Web Alpine 2.01 (LRH 1302 2010-07-20)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-1903409144-968076942-1474216802=:32623"
X-PMX-Version:, Antispam-Engine:, Antispam-Data: 2016.9.18.163317
Archived-At: <>
Subject: Re: [Hipsec] =?iso-8859-15?q?Mirja_K=FChlewind=27s_No_Objection_on_dr?= =?iso-8859-15?q?aft-ietf-hip-multihoming-11=3A_=28with_COMMENT=29?=
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 18 Sep 2016 16:40:16 -0000

Mirja, thank you for your comments; replies again are inline below.

On 09/13/2016 07:40 AM, Mirja Kuehlewind wrote:
> Mirja Kühlewind has entered the following ballot position for
> draft-ietf-hip-multihoming-11: No Objection
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> One big general comment:
> The split between this document and draft-ietf-hip-rfc5206-bis-13 (still)
> seems a little artificial. draft-ietf-hip-rfc5206-bis-13 describes some
> general parts that actually covers both use cases. I guess it would be at
> least nice to spell out clearly in this document which parts of
> draft-ietf-hip-rfc5206-bis-13 are required to read (section 4 and parts
> of section 5) if that's is somehow clearly separately.


> E.g. I believe the following should be in draft-ietf-hip-rfc5206-bis-13
> and not in this doc:
> "Hosts MUST NOT announce broadcast or multicast addresses in
>    LOCATOR_SETs. "
> I this is more relevant for the case described in this document but is
> true for the general case. draft-ietf-hip-rfc5206-bis-13 stated the
> following but that's not the same because it only describes the peer
> side:
> "  For
>    each locator listed in the LOCATOR_SET parameter, check that the
>    address therein is a legal unicast or anycast address.  That is, the
>    address MUST NOT be a broadcast or multicast address."
> What worries me more is that I believe that one would need to always read
> both documents to implement the peer functionality correctly. E.g. this
> documents says the following:
> "An Initiator MAY include one or more LOCATOR_SET parameters in the I2
>    packet, independent of whether or not there was a LOCATOR_SET
>    parameter in the R1.  These parameters MUST be protected by the I2
>    signature.  Even if the I2 packet contains LOCATOR_SET parameters,
>    the Responder MUST still send the R2 packet to the source address of
>    the I2."
> However, when I read draft-ietf-hip-rfc5206-bis-13, it is not clear that
> there are specifications in this document that are important for a
> correct implementation. 

In the above case, the rationale for placing that text in the multihoming draft is that the possible need to expose additional locators during the base exchange arises in a multihoming context.  I don't think that draft-ietf-hip-rfc5206-bis-13 implementations (without multihoming support) need to support inclusion in the base exchange.

I'm fine with moving this sentence: 

  "Hosts MUST NOT announce broadcast or multicast addresses in LOCATOR_SETs. "

to RFC 5206-bis, and I agree to write some introductory paragraph to this document that points to the necessary parts of 5206-bis to support.

> Smaller comments:
> 1) Regarding the following sentence:
> "In summary, whether and how a host decides to leverage additional
>    addresses in a load-balancing or fault-tolerant manner is outside the
>    scope of the specification."
> I agree that it is out of scope for this doc. But maybe it would be
> useful to provide pointers to existng work. The scheduling problem is
> well know and e.g. basically the same for MPTCP.

Can you or someone suggest specific RFCs to cite here?

> 2) Regarding the following recommendation:
> "Although the protocol may allow for configurations in which there is
>    an asymmetric number of SAs between the hosts (e.g., one host has two
>    interfaces and two inbound SAs, while the peer has one interface and
>    one inbound SA), it is RECOMMENDED that inbound and outbound SAs be
>    created pairwise between hosts.  When an ESP_INFO arrives to rekey a
>    particular outbound SA, the corresponding inbound SA should be also
>    rekeyed at that time."
> I believe I agree but why?

I believe that the reason for this was to try to keep the implementation simpler, and keep the inbound/outbound SA lifetimes consistent.  This recommendation removes the decision point in the implementation, when receiving a request to rekey, whether or not to rekey the corresponding SA.

There is less operational experience with multihoming extensions, which was one of the reasons to split RFC5206 originally (to complete mobility specification but perhaps allow multihoming specifications to evolve further over time).  It is possible to create lots of pairwise SAs between various locators, but it is not as clear when to do that versus when to try to reuse SAs across multiple locators.  For instance, when multihoming is used actively for load balancing, perhaps multiple SA pairs are favorable (to avoid anti-replay checks failing from reordered packets), but maybe in a fault tolerance situation, they are less needed.

I believe that the text in section 4.4 that you cite could have a pointer that section 4.11 later discusses this issue in more detail.

> 3) I (again) would find it easier to have section 4.9, 4.10, and 4.11
> before 4.2-4.8. However, I guess that's a matter of taste. Alternatively
> maybe have most of the text from 4.2-4.8 in a separate supersection first
> and call it 'usage scenarios' or something like this, while summerizing
> the protocol actions in one subsection in the 'protocol overview' section
> because it seems that the actions are actually quite similar for all use
> cases, no?

I think that 4.9-4.11 are more refinements or special cases than the subsections preceding them, so I would refrain from reordering them.  However, I'll take a stab at adding a 'master scenario overview' that could be used as a roadmap to the rest of the subsections.

> 4) Maybe indicate clearly what is recommendated in
> draft-ietf-hip-rfc5206-bis the following way:
> "[I-D.ietf-hip-rfc5206-bis]
>    recommends that a host should send a LOCATOR_SET whenever it
>    recognizes a change of its IP addresses in use on an active HIP
>    association, and assumes that the change is going to last at least
>    for a few seconds. "
> "[I-D.ietf-hip-rfc5206-bis]
>    recommends that "a host should send a LOCATOR_SET whenever it
>    recognizes a change of its IP addresses in use on an active HIP
>    association, and assumes that the change is going to last at least
>    for a few seconds. ""


> 5) How does a host know about this? Can you give examples?
> "The grouping should consider also whether middlebox
>    interaction requires sending the same LOCATOR_SET in separate UPDATEs
>    on different paths."

This comment arises from the consideration of (future) HIP-aware NATs that might perform parameter inspection.  I'm not sure that there are any solid ways to know about whether these exist, other than operational knowledge about the networks where HIP is deployed.

How about rephrasing such as this?

"If hosts are deployed in an operational environment in which HIP-aware NATs (that may perform parameter inspection) exist, and different NATs may exist on different paths, hosts may take that knowledge into consideration about how addresses are grouped, and may send the same LOCATOR_SET in separate UPDATEs on the different paths.  However, more detailed guidelines about how to operate in the presence of such HIP-aware NATs is a topic for further study."

The alternative might be to delete this topic entirely since it is a bit speculative.

- Tom