Re: [Hipsec] RFC5201-bis: Stephen Farrell's DISCUSS questions

Rene Hummen <Rene.Hummen@comsys.rwth-aachen.de> Mon, 21 July 2014 17:19 UTC

Return-Path: <Rene.Hummen@comsys.rwth-aachen.de>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B75A1A02DF for <hipsec@ietfa.amsl.com>; Mon, 21 Jul 2014 10:19:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.851
X-Spam-Level:
X-Spam-Status: No, score=-3.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wV55vjouCisS for <hipsec@ietfa.amsl.com>; Mon, 21 Jul 2014 10:19:40 -0700 (PDT)
Received: from mx-out-2.rwth-aachen.de (mx-out-2.rwth-aachen.de [134.130.5.187]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B7C01A026A for <hipsec@ietf.org>; Mon, 21 Jul 2014 10:19:40 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.01,702,1400018400"; d="p7s'?scan'208";a="252865566"
Received: from mail-i4.nets.rwth-aachen.de ([137.226.12.21]) by mx-2.rz.rwth-aachen.de with ESMTP; 21 Jul 2014 19:19:38 +0200
Received: from messenger.nets.rwth-aachen.de (messenger.nets.rwth-aachen.de [137.226.13.40]) by mail-i4.nets.rwth-aachen.de (Postfix) with ESMTP id 5AB5D13DAB9; Mon, 21 Jul 2014 19:19:38 +0200 (CEST)
Received: from MESSENGER.nets.rwth-aachen.de ([fe80::d4e:bb9d:9e0:bfee]) by MESSENGER.nets.rwth-aachen.de ([fe80::d4e:bb9d:9e0:bfee%12]) with mapi id 14.01.0218.012; Mon, 21 Jul 2014 19:19:37 +0200
From: Rene Hummen <Rene.Hummen@comsys.rwth-aachen.de>
To: HIP <hipsec@ietf.org>
Thread-Topic: [Hipsec] RFC5201-bis: Stephen Farrell's DISCUSS questions
Thread-Index: AQHPolWUup3xhMcaI0a14JumkyI3kpuqqbEA
Date: Mon, 21 Jul 2014 17:19:36 +0000
Message-ID: <98C8F7AB-D777-428D-B725-2F885EC3893F@comsys.rwth-aachen.de>
References: <53C8C557.3070202@tomh.org>
In-Reply-To: <53C8C557.3070202@tomh.org>
Accept-Language: en-US, de-DE
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [137.226.12.29]
Content-Type: multipart/signed; boundary="Apple-Mail=_F96B9A5B-93C3-49A2-953C-652BE159729B"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/lc7GzldL89738vjptJV_EZKMy9c
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [Hipsec] RFC5201-bis: Stephen Farrell's DISCUSS questions
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2014 17:19:44 -0000

Please, find my comments inline.

On 18 Jul 2014, at 08:57, Tom Henderson <tomh@tomh.org> wrote:
> I'm reposting several questions and comments from Stephen Farrell regarding RFC5201-bis, so that we can have some list discussion.  See below (quoted verbatim from:
> https://datatracker.ietf.org/doc/draft-ietf-hip-rfc5201-bis/ballot/)
> 
> The main issues below for discussion seem to be:
> 
> - what safeguards exist to reduce tracking of users?
> - questions about the choices of certain algorithms and modes and whether they are still current
> 
> I'll open some more issues in the tracker if we don't get to consensus quickly.
> 
> ----------------------------------------------------------------
> 
> 
> This review is based on the diff from 5201 [1]
> 
>   [1]
> 
> https://tools.ietf.org/rfcdiff?url1=rfc5201&url2=draft-ietf-hip-rfc5201-bis-14.txt
> 
> Work started on this in 2009 it appears and the backwards
> incompatible changes made to the BEX are roughly what I'd
> expect to have seen for good work done around that time.
> However, some things have changed since, that I don't see
> reflected in the changes made to the BEX, so I'd like to
> chat about those for a bit, in case they're still
> malleable. If it is really the case that the boat has
> sailed for such changes, then that's life, but I wonder
> has it? (I really don't know for HIP.)
> 
> I think the features in the changes to the BEX that one
> would consider noteworthy were that work done today are:
> 
> (1) Mandating some form of variability of, and
> confidentiality for, the (non-routable?) HIT to enhance
> privacy or at least mitigate trival passive tracking of
> activity across time and different connections. (Or maybe
> the "anonymous HI" mechanism achieves this, I wasn't
> sure? If it does, then why have any other?)

In my opinion, stable HITs are actually a desirable property for HIP. As a fixed-length and _verifiable_ representation of the HI, they can be used for access control purposes at end hosts as well as at middleboxes (as part of HIP’s middlebox friendliness). Moreover, HITs are used as stable identifiers in the HIP Certificate extension [1].
In the end, user privacy with stable HITs/HIs appears to be as good or bad as it currently is with mutual certificate-based authentication, e.g., in case of TLS.

As mentioned above, short-lived (anonymous) HIs can be used to prevent tracking of users across HIP sessions. Then, however, user authentication requires, e.g., application layer passwords much like current user->service authentication of TLS-protected data transmissions on the web.

So, from my point of view, there is a case for stable as well as for anonymous (i.e., variable) HITs/HIs.

> (2) There is no support for newer elliptic curves or
> representations like 25519.

HIPv2 incorporates mechanisms to update the protocol with newer curves. Is there really the need to revise the document now or should we rather wait until the need for newer curves arises due to demand by certain applications/implementors?

As for the representation, HIPv2 appears to require “Octet-string format" [2]. Is there a need to add protocol agility regarding the encoding (i.e., a new ECC parameter field)?

> (3) Continuing to support the 1536 MODP DHE group but not
> supporting the 2048 equivalent seems a bit odd, as does
> not having a code point for the 4096 but group.
> Similarly, making the 1536 bit group the MTI (in 5.2.7)
> is odd as is the assertion that "web surfing" can use a
> lower security level.

I am not aware of the criteria that were used for choosing the DHE groups. Can someone else comment on this?

> (4) (5.2.8) Did the WG discuss deprecating the NULL
> encryption option? (Haven't you finished testing yet:-)

I think this has been addressed on the mailinglist.

> Also - there are no counter modes, is that wise?

HIP DEX defines AES-128-CTR for HIP_CIPHER [3]. However, I just realized that it does not specify its use for the ENCRYPTED parameter. Instead, the specification focuses on the special-purpose ENCRYPTED_KEY parameter. So, some work would be needed to carry this over to HIPv2.

> Finally,
> HIPv1's encryption codepoint 1 was for a 3DES option, but
> here you have 1 == NULL, yet you deprecate codepoint 3,
> which is confusing. Why is that?

Is this maybe a specification hiccup?

> (5) Requiring HMAC-SHA-1 in 6.4.1 seems a bit odd. If
> HMAC-SHA-256 is supported, then why not just use that?
> Is there are real benefit in the sha1 variant?

SHA-1 is only defined for use with ECDSA_LOW. Currently, the only defined curve for this profile is SECP160R1. Seeing that, e.g., CoAP, recommends secp256r1 [4] even for constrained devices, we could probably remove the ECDSA_LOW profile in HIPv2 altogether.

> Comment (2014-06-26)
> 
> - abstract: SIGMA-compliant is a bit of a mouthful for an
> abstract - how many readers do we really expect to get
> that?

I suggest to simply remove the “SIGMA-compliant” in the abstract. It’s mentioned again (with a reference) later on in the introduction [5].

> - 1.1: Saying the HI is the identity of the host seems a
> little overstated to me, but I guess that's accepted as
> a description for HIP, so not objecting, but it'd seem
> more natural to me to say that a HI is an identifier that
> a host can use. (Presumably load-balancing and mobility
> scenarios could mean that a private key could be on more
> than one host or one "host" might have >1 private key.)

I think the current description of the HI is more intuitive if not entirely precise. It doesn’t cover the mentioned (corner-)cases, but I personally prefer it the way it is right now.

> - section 3: 3110 doesn't seem like a great reference
> for RSA. Isn't there better?

I am not sure what this is referring to.

BR
René


[1] http://tools.ietf.org/html/rfc6253
[2] http://tools.ietf.org/html/draft-ietf-hip-rfc5201-bis-14#section-5.2.9
[3] http://tools.ietf.org/html/draft-moskowitz-hip-dex-01#section-5.2.4
[4] http://tools.ietf.org/html/rfc7252#section-9.1.3.2
[5] http://tools.ietf.org/html/draft-ietf-hip-rfc5201-bis-14#section-1.2



--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 21426
web: http://www.comsys.rwth-aachen.de/team/rene-hummen/