Re: [Hipsec] RFC5201-bis: Stephen Farrell's DISCUSS questions

Tobias.Heer@Belden.com Tue, 02 September 2014 17:22 UTC

Return-Path: <prvs=2322ab9efc=Tobias.Heer@belden.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1A41A6F92 for <hipsec@ietfa.amsl.com>; Tue, 2 Sep 2014 10:22:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.268
X-Spam-Level:
X-Spam-Status: No, score=-2.268 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bOC8VGQkbIkv for <hipsec@ietfa.amsl.com>; Tue, 2 Sep 2014 10:22:45 -0700 (PDT)
Received: from mx1.belden.com (mx1.belden.com [12.161.118.90]) by ietfa.amsl.com (Postfix) with ESMTP id B98CD1A068E for <hipsec@ietf.org>; Tue, 2 Sep 2014 10:22:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=belden.com; s=beldencom; c=relaxed/simple; q=dns/txt; i=@belden.com; t=1409678564; x=1412270564; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=SH2TQo+q6d4kstI9TefPQfEnUKVKIa75V6gNB+oUsCg=; b=gxu2X80g4rKNnBL0BGc0NxgMpMtXiSiYUkuECYXecVmwHXHOuu5sA8P6+o9LXHTH 1tVt48W+vRQErAePrb5DSHyNic6i57SPutPRPhPICLfGcxgAhU+vxXX2hj5gqk4I MNOeXqRYMBJHLe24YrfpHE529ytHVedeDDYzfWzt+Bk=;
X-AuditID: 0a01015a-b7f628e000000d19-49-5405fce32d8e
Received: from bdcnotes2.belden.com ( [10.1.1.72]) by mx1.belden.com (Service Ready) with SMTP id E5.AD.03353.3ECF5045; Tue, 2 Sep 2014 13:22:44 -0400 (EDT)
To: tomh@tomh.org, stephen.farrell@cs.tcd.ie, hipsec@ietf.org
MIME-Version: 1.0
X-KeepSent: E663CEC5:35AA808D-C1257D47:005B2906; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.5.3 September 15, 2011
From: Tobias.Heer@Belden.com
Message-ID: <OFE663CEC5.35AA808D-ONC1257D47.005B2906-C1257D47.005F754B@belden.com>
Date: Tue, 02 Sep 2014 19:22:41 +0200
X-MIMETrack: Serialize by Router on BDCNotes2/BeldenCDT(Release 9.0 HF625|September 19, 2013) at 09/02/2014 01:22:43 PM, Serialize complete at 09/02/2014 01:22:43 PM
Content-Type: multipart/alternative; boundary="=_alternative 005F7509C1257D47_="
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrBIsWRmVeSWpSXmKPExsXCxcjoofvkD2uIwaMoi6mLJjNbTN97jd2i 8e4fJgdmj7XdV9k8liz5yeSx55pGAHNUA6NNUmJJWXBmep6+nU1iXl5+SWJJqkJKanGyrZJT ak5Kap6CS2Zxck5iZm5qka5nsL+uhYWppZJCZoqtkpGSQkFOYnJqbmpeia1SYkFBal6Kkh2X AgawASrLzFNIzUvOT8nMS7dVCg1x07VQsnPxDHZOaGXNWH3/BXvBIsOKz93bWRsYJ2l2MXJy SAiYSHy93M4GYYtJXLi3Hsjm4hASmM8osf3dLHaQhIiAo8Tlfe+YQWxeAUGJkzOfsIDYwgJu Ers6e5khmj0lGn42MELYZhIvL18Es9kEZCS2HdzLBNEbJDH7wkewehYBFYmF7ceYQZZJCKxk lGg/MhNsGbNAgMT8jsPsExh5ZyHZNwtJCsLWkTix6hgzhK0tsejKT/YFjCyrGPlyKwz1ksBh qpecn7uJERJbUTsYn7YoHGIU4GBU4uH9w8IaIsSaWFZcmXuIUYKDWUmE1/krUIg3JbGyKrUo P76oNCe1+BBjENCdE5mluJPzgXGfVxJvbGBAJEdJnPfrp5pgIYF0YExnp6YWpBbBDGXi4ARZ yiUlUgyMytSixNKSjHhQ+ogvBiYQqQbG+MthPM93qVrOuvYnfMr3NQaRV3yDfy/63Gc4LaqI Sy4hs1XM8tSfEF7jAnvtn3+6y2qNl7ZcfbLHWXzy7kUxs2QOv/S5++bkMd7uaeJqjxvS5m2q EMrZwv1ni+zU57O413u8jjD9qS9/4o7+Qz5WsT6W/U9X7tPSvMtcdePwAskL2T/WrtpspcRS nJFoqMVcVJwIAAzI9fv7AgAA
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/jps8gSk-sEyyg25ZmMoocpXpJ_I
Subject: Re: [Hipsec] RFC5201-bis: Stephen Farrell's DISCUSS questions
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Sep 2014 17:24:13 -0000

Hello,

I am sorry for the late response...

>>
>>> (3) Continuing to support the 1536 MODP DHE group but not
>>> supporting the 2048 equivalent seems a bit odd, as does not having
>>> a code point for the 4096 but group. Similarly, making the 1536 bit
>>> group the MTI (in 5.2.7) is odd as is the assertion that "web
>>> surfing" can use a lower security level.
>>
>> I am not aware of the criteria that were used for choosing the DHE
>> groups. Can someone else comment on this?
> 
> I don't recall offhand, other than that we went through a round of
> review with CFRG back in 2012 and we ended up modifying our crypto
> selections based on the feedback received.  Bob and Tobias have been the
> caretakers of the crypto selections in HIPv2 in general, so I defer to
> them.

Ok, so let's wait to hear from Bob/Tobias on this one.

I tried to reconstruct the approach that we took from the mailing list 
archives. This dates back to 2010 so I don't remember every detail. We use 
established algorithms that similar protocols used and discussed the 
choices here on the list. Here is the discussion thread:

http://www.ietf.org/mail-archive/web/hipsec/current/msg03327.html

There was some counseling from CFRG as well if I am not mistaken. However, 
if there is the need for a different set of algorithms or if there is 
consensus that more algorithms are required, there is no reason not to add 
another one. 

The sentence with the web-surfing is a carry over from RFC5201. I think we 
should change it to a more generic statement along the lines of the 
mailing list post from 2010:
Group 10 is meant for devices with low computation capabilities and should 
be used only if long-term
confidentiality is not required.

BR,

Tobias


-- 
Dr. Tobias Heer | Head of Embedded Software Development - Functions | 
Hirschmann Automation and Control GmbH
Stuttgarter Str. 45-51 | 72654 Neckartenzlingen | Germany
Phone: +49 7127 14 - 1280 | Mobile: +49 171 441 49 22 | Fax: +49 7127 14 - 
1600
tobias.heer@belden.com | www.beldensolutions.com | 
www.blog.beldensolutions.com

Hirschmann Automation and Control GmbH, Neckartenzlingen
Register Court: Stuttgart, Trade Register No.: HRB 225927
VAT No.: DE 814 212 604
Managing Director: Christoph Gusenleitner, Henk Derksen, Wolfgang Schenk, 
Johannes Pfeffer



DISCLAIMER:
Privileged and/or Confidential information may be contained in this
message. If you are not the addressee of this message, you may not
copy, use or deliver this message to anyone. In such event, you
should destroy the message and kindly notify the sender by reply
e-mail. It is understood that opinions or conclusions that do not
relate to the official business of the company are neither given
nor endorsed by the company.
Thank You.