Re: [Hipsec] I-D Action:draft-ietf-hip-over-hip-02.txt
Ari Keranen <ari.keranen@nomadiclab.com> Thu, 21 October 2010 11:47 UTC
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0BD933A6452 for <hipsec@core3.amsl.com>; Thu, 21 Oct 2010 04:47:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.523
X-Spam-Level:
X-Spam-Status: No, score=-2.523 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sD5dvMZaqwvX for <hipsec@core3.amsl.com>; Thu, 21 Oct 2010 04:47:23 -0700 (PDT)
Received: from gw.nomadiclab.com (n2.nomadiclab.com [IPv6:2001:14b8:400:101::2]) by core3.amsl.com (Postfix) with ESMTP id BD3A43A66B4 for <hipsec@ietf.org>; Thu, 21 Oct 2010 04:47:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by gw.nomadiclab.com (Postfix) with ESMTP id E58F34E6C1; Thu, 21 Oct 2010 14:48:53 +0300 (EEST)
X-Virus-Scanned: amavisd-new at nomadiclab.com
Received: from gw.nomadiclab.com ([127.0.0.1]) by localhost (inside.nomadiclab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hJki94321dEE; Thu, 21 Oct 2010 14:48:53 +0300 (EEST)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by gw.nomadiclab.com (Postfix) with ESMTP id 4769D4E6BD; Thu, 21 Oct 2010 14:48:53 +0300 (EEST)
Message-ID: <4CC028A5.10408@nomadiclab.com>
Date: Thu, 21 Oct 2010 14:48:53 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.12) Gecko/20100915 Lightning/1.0b1 Thunderbird/3.0.8
MIME-Version: 1.0
To: Tobias Heer <heer@cs.rwth-aachen.de>
References: <20101018121505.4D2D43A6D9E@core3.amsl.com> <4CBC3DAC.7020404@nomadiclab.com> <16D5B0B9-F299-4177-8769-364172361798@cs.rwth-aachen.de>
In-Reply-To: <16D5B0B9-F299-4177-8769-364172361798@cs.rwth-aachen.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: HIP WG <hipsec@ietf.org>
Subject: Re: [Hipsec] I-D Action:draft-ietf-hip-over-hip-02.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Oct 2010 11:47:24 -0000
Hi Tobi, Thanks for the review! Comments inline. On 10/19/2010 05:07 PM, Tobias Heer wrote: > a) In my opinion, there is a good reason why HIP control messages are > not encrypted by default. I think this design was chosen to support > on-path elements so that they can understand what's going on. Sending > HIP control messages over encrypted channel obviously changes this > property. I think this should be stated somewhere. OK, I can add a comment about that. > b) Sending HIP control messages over an encrypted channel makes some > of the security measures that HIP uses unnecessary. The HMAC might > still be needed (because ESP without authentication is deemed > insecure). However, the public-key signature of the update seems > quite superfluous to me now because it is intended to help on-path > verification of packets - which the encryption prevents. Maybe the > draft should comment on this? The update signatures is mandatory > (according to RFC5201) so it might be an option not to touch it and > accept the wasted overhead (although I don't fancy that option). I would prefer not to modify the HIP protocol itself even if some of the features would become redundant. The idea of the ESP transport mode(s) was to work as a drop-in replacement for the regular (no encryption) mode. Regarding the signature, hosts that are on the encrypted path as one of the relaying elements (e.g., in a HIP BONE scenario) could still use it for verification since they terminate the ESP tunnels and thus see the decrypted HIP packets, right? > c) You discuss host mobility but do not mention multihoming is this > intended? I did not see any special behavior that would be needed for the multihoming case (beyond what is needed for the mobility cases), but you're right that making this more explicit makes sense. I changed the "Mobility" section's name into "Mobility and Multihoming" and we can add more details there if needed (see next question). > d) To me it is not entirely clear how mobility or multihoming would > work with the encrypted channels in place. You describe that it can > work if it is done before the connection breaks. Would both hosts set > up new SA pairs / TCP connections for all of their possible address > pairs in order to do the address verification? If yes, the address > verification during the update is rather useless for TCP because TCP > does its own handshake already. If no, how does it work? Am I missing > the point here? It seems there could be more details on this. The basic idea was "do as you used to do but once you're done (with mobility and/or multihoming actions) send HIP messages over the new SA". That is, in the TCP mode the TCP connection used for the HIP messages should survive just like any other TCP connection and in the ESP mode, once there is a new SA, it is used for the messages. So new SA pairs would be set for all pairs (as before) and there would be no new TCP connections or handshakes but the address verification works as it used to. Cheers, Ari
- [Hipsec] I-D Action:draft-ietf-hip-over-hip-02.txt Internet-Drafts
- Re: [Hipsec] I-D Action:draft-ietf-hip-over-hip-0… Ari Keranen
- Re: [Hipsec] I-D Action:draft-ietf-hip-over-hip-0… Tobias Heer
- Re: [Hipsec] I-D Action:draft-ietf-hip-over-hip-0… Ari Keranen