IETF Logo Mail Archive

Re: [Hipsec] Building the first list of to Standards changes

Andrew McGregor <andrew@indranet.co.nz> Wed, 12 August 2009 10:48 UTC

Return-Path: <andrew@indranet.co.nz>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F1473A69CC for <hipsec@core3.amsl.com>; Wed, 12 Aug 2009 03:48:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.054
X-Spam-Level:
X-Spam-Status: No, score=-0.054 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J+okPnu3LjYW for <hipsec@core3.amsl.com>; Wed, 12 Aug 2009 03:48:04 -0700 (PDT)
Received: from mail.indranet.co.nz (unknown [203.97.93.68]) by core3.amsl.com (Postfix) with ESMTP id 38CC03A698C for <hipsec@ietf.org>; Wed, 12 Aug 2009 03:48:04 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by XServe-2.services.indranet.co.nz (Postfix) with ESMTP id 590269BAD4E; Sat, 8 Aug 2009 14:44:58 +1200 (NZST)
X-Virus-Scanned: amavisd-new at indranet.co.nz
Received: from XServe-2.services.indranet.co.nz ([127.0.0.1]) by localhost (XServe-2.acheron.indranet.co.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmdT1k1XetaT; Sat, 8 Aug 2009 14:44:57 +1200 (NZST)
Received: from [192.168.1.98] (203-167-186-239.dsl.clear.net.nz [203.167.186.239]) by XServe-2.services.indranet.co.nz (Postfix) with ESMTP id A90F89BAD46; Sat, 8 Aug 2009 14:44:50 +1200 (NZST)
Message-Id: <AB672F95-C236-4413-9B12-4CCCF860AE10@indranet.co.nz>
From: Andrew McGregor <andrew@indranet.co.nz>
To: Robert Moskowitz <rgm@htt-consult.com>
In-Reply-To: <4A72BA81.5050809@htt-consult.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sat, 08 Aug 2009 14:44:45 +1200
References: <4A72AF52.90603@htt-consult.com> <4A72BA81.5050809@htt-consult.com>
X-Mailer: Apple Mail (2.936)
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] Building the first list of to Standards changes
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2009 10:48:05 -0000

On 31/07/2009, at 9:33 PM, Robert Moskowitz wrote:

> Andrew McGregor wrote:
>> Whole lot of responses inline...
>>
>> On 31/07/2009, at 10:46 AM, Robert Moskowitz wrote:
>>
>>> OK we have met and agreed to go out and succeed.
>>>
>>> In light of that, lets get our work items in order and someone set  
>>> up the tracking of who is working on what and what it is its status.
>>>
>>> Crypto Agility
>>> Add HI PK algorithms
>>
>> We use DNS formats for these, and so far the only RFCs published  
>> are RSA and DSA. There is a draft for ECC, there may be others.  
>> Code points are allocated by standards action. So this cannot  
>> progress until the DNS formats do.
>>
>>> Add HI hashes
>>
>> 5201 defines the RHASH which is used for all hash operations in the  
>> protocol to be the same as the hash used for ORCHIDS, see below.
>
> I would also want CBC-MAC, as hardware that implements CCM has CBC- 
> MAC. There is lots of wireless hardware that implements CCM...
>
> And there are those that will expect SHA-256.

For completeness, RIPEMD-160 and WHIRLPOOL?

CBC-MAC can't be used as a general hash function.  So, we can define a  
way to use CBC-MAC or CCM+ instead of HMAC, but we'll still need a  
hash at the same time for HIT generation and cookies.

>>> Add ESP cipher suites
>>
>> Straightforward, do you have a list of candidates?
>
> CCM, as this is in wireless hardware. GCM as this is in highspeed  
> wired hardware. Or those are the claims...

CCM and CCM+ since it's the latter in 802.15 hardware.

>>> Multiple HIs per host
>>> Multiple HITs per HI
>>
>> I think these can be done already. Current implementations may not  
>> support multiple HIs per host, but I see no reason in the protocol  
>> why this can not be done. Multiple HITs per HI can happen given  
>> that hash agility is per context; therefore the ORCHIDS  
>> corresponding to different hashes are astronomically unlikely to  
>> collide. Local policy dictates if any particular HIT is acceptable.
>>
>> However, the IESG note at the beginning of 5201 has this to say:
>>
>> This document doesn't currently define support for parameterized
>> (randomized) hashing in signatures, support for negotiation of a key
>> derivation function, or support for combined encryption modes.
>>
>> The first point will require a lot of thought, although the packet  
>> formats should be straightforward.
>
> OK. This is an important one I left off. Would the hash used for  
> making the HIT be the hash used in the HIP sigs? Or is this YAP to  
> add to things like HIP options and DNS RR?

Actually, I've done some more reading.  HIP refers to RFC 4034  
(Resource Records for the DNS Security Extensions) for signature  
formats.  Any future DNSSEC formats are similarly applicable.  There  
are no drafts specifying hashed variants for DNSSEC.  So, as DNSSEC  
adds algorithms, so can HIP.

>> The second point could be covered by redefining the DIFFIE_HELLMAN  
>> group id parameter to be an (algorithm, group) suite ID... this  
>> would even be backward compatible by reusing the existing values  
>> with the same processing definition. The third is merely more suite- 
>> ids for those modes.
>
> So would we have a list of key derivations and this is just one more  
> parameter?

No, it's expanding the definition of an existing codepoint space; all  
the existing codepoints are regarded as specifying standard DH key  
negotiation with some group, new ones have to specify a key  
negotiation algorithm as well as its necessary group (or whatever)  
parameter.

BTW, the combined encryption modes is yet more codepoints, with the  
minor complication that the HMAC TLV calculation definition should  
include specifying the use of the encryption algorithm's 'additional  
data' as an HMAC, rather than using the RHASH.  This amounts to  
replacing 'HIP-gl or HIP-lg integrity key retrieved from KEYMAT' in  
section 6.4 of RFC 5201 with something like 'HIP-gl or HIP-lg  
integrity key retrieved from KEYMAT, except that if the encryption  
algorithm in use is also to be used for message authentication, use  
the encryption key instead'.  Also I guess that HMAC should be renamed  
MAC everywhere.

>>> ESP operation with HIP
>>> Explain Binding Transport Mode End to End without creating a new  
>>> ESP mode
>>
>> This amounts to a wording change in 5202, all the text is already  
>> there. BEET is a recommended implementation detail for 5202 ESP  
>> processing and does not change the wire format or semantics, so  
>> there should be no problem here.
>>
>>> AH operation with HIP
>>>
>>> Compressing Transport checksums
>>> New HIP option?
>>
>> I'm not sure what you're suggesting. Compressing suites could be  
>> defined for ESP. Or are you suggesting compressing the HIP packets  
>> themselves?
>
> If you are going to allow for removal of the TCP and UDP checksums,  
> both parties would need to agree they are going to do this.

So, I suggest using suite-IDs for this; responder indicates prepared  
to use those suites, initiator can as usual take it or leave it.

v2.30.2 | Report a Bug | By Email | System Status