Re: [Hipsec] RFC5201-bis: Stephen Farrell's DISCUSS questions

Tom Henderson <> Mon, 21 July 2014 22:51 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 545E51A0AAC for <>; Mon, 21 Jul 2014 15:51:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NCm9EpXzlhMN for <>; Mon, 21 Jul 2014 15:51:05 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id 1B76A1A0AA9 for <>; Mon, 21 Jul 2014 15:51:04 -0700 (PDT)
Received: (qmail 3684 invoked by uid 0); 21 Jul 2014 22:51:00 -0000
Received: from unknown (HELO CMOut01) ( by with SMTP; 21 Jul 2014 22:51:00 -0000
Received: from ([]) by CMOut01 with id VAql1o00h2molgS01AqooZ; Mon, 21 Jul 2014 16:51:00 -0600
X-Authority-Analysis: v=2.1 cv=C4B6l2/+ c=1 sm=1 tr=0 a=K/474su/0lCI2gKrDs9DLw==:117 a=K/474su/0lCI2gKrDs9DLw==:17 a=cNaOj0WVAAAA:8 a=f5113yIGAAAA:8 a=ZSdzdHkL1-cA:10 a=HvaABalQiiUA:10 a=q7J0aIbBmN8A:10 a=N659UExz7-8A:10 a=HYWc1YUsAAAA:8 a=IA_2sfgTpx8A:10 a=rREcAdlOb-AA:10 a=48vgC7mUAAAA:8 a=GkevJ1taCQ9oqFZXbagA:9 a=_UlVp8SAsUzCxsrD:21 a=YJ25PdBGDy3vB76o:21 a=pILNOxqGKmIA:10 a=YucXLVEyVCkA:10 a=uQ1u1nazGJsA:10 a=OuPSdZv8c7MA:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=5PyZhPBbNMudPcbUoQqx8zb9fSnWL7o7kz4mE4QPE0k=; b=rDpbk1FP0230c72gTiawJQVAEP9VCyPI+UlCoZ+Sda+FBzc2hToB0bzZiSsLuancEQdkFst3ZzggHXuzvnaPcuNm80r81r5aZLSOkfL0qWQmequFMoVH0Tv5rJ/juuIi;
Received: from [] (port=34629 helo=[]) by with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.82) (envelope-from <>) id 1X9MPt-0002xi-J5; Mon, 21 Jul 2014 16:50:45 -0600
Message-ID: <>
Date: Mon, 21 Jul 2014 15:50:42 -0700
From: Tom Henderson <>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Rene Hummen <>, HIP <>
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Identified-User: {} {sentby:smtp auth authed with}
Cc: Stephen Farrell <>
Subject: Re: [Hipsec] RFC5201-bis: Stephen Farrell's DISCUSS questions
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 21 Jul 2014 22:51:07 -0000

Some more comments inline below:

On 07/21/2014 10:19 AM, Rene Hummen wrote:
> Please, find my comments inline.
> On 18 Jul 2014, at 08:57, Tom Henderson <> wrote:
>> I'm reposting several questions and comments from Stephen Farrell
>> regarding RFC5201-bis, so that we can have some list discussion.
>> See below (quoted verbatim from:
 >> The main issues below for discussion seem to be:
>> - what safeguards exist to reduce tracking of users? - questions
>> about the choices of certain algorithms and modes and whether they
>> are still current
>> I'll open some more issues in the tracker if we don't get to
>> consensus quickly.
>> ----------------------------------------------------------------
>> This review is based on the diff from 5201 [1]
>> [1]
Work started on this in 2009 it appears and the backwards
>> incompatible changes made to the BEX are roughly what I'd expect to
>> have seen for good work done around that time. However, some things
>> have changed since, that I don't see reflected in the changes made
>> to the BEX, so I'd like to chat about those for a bit, in case
>> they're still malleable. If it is really the case that the boat
>> has sailed for such changes, then that's life, but I wonder has it?
>> (I really don't know for HIP.)
>> I think the features in the changes to the BEX that one would
>> consider noteworthy were that work done today are:
>> (1) Mandating some form of variability of, and confidentiality for,
>> the (non-routable?) HIT to enhance privacy or at least mitigate
>> trival passive tracking of activity across time and different
>> connections. (Or maybe the "anonymous HI" mechanism achieves this,
>> I wasn't sure? If it does, then why have any other?)
> In my opinion, stable HITs are actually a desirable property for HIP.
> As a fixed-length and _verifiable_ representation of the HI, they can
> be used for access control purposes at end hosts as well as at
> middleboxes (as part of HIP’s middlebox friendliness). Moreover, HITs
> are used as stable identifiers in the HIP Certificate extension [1].
> In the end, user privacy with stable HITs/HIs appears to be as good
> or bad as it currently is with mutual certificate-based
> authentication, e.g., in case of TLS.
> As mentioned above, short-lived (anonymous) HIs can be used to
> prevent tracking of users across HIP sessions. Then, however, user
> authentication requires, e.g., application layer passwords much like
> current user->service authentication of TLS-protected data
> transmissions on the web.

I agree with Rene's comments above, except I might say that anonymous 
HIs should in theory provide no worse tracking exposure than current 
approaches that use semi-stable IP addresses, versus "preventing 
tracking of users" (HIP doesn't block tracking by other means).

The question I have is whether a "tracking considerations" paragraph 
ought to be added to the security considerations section, along the 
lines of:
- repeated use of stable HITs will likely increase tracking exposure, 
for better or worse (caveat emptor)
- use of anonymous HITs might eliminate additional tracking exposure, at 
the cost of requiring authentication mechanisms at higher layers

> So, from my point of view, there is a case for stable as well as for
> anonymous (i.e., variable) HITs/HIs.
>> (2) There is no support for newer elliptic curves or
>> representations like 25519.
> HIPv2 incorporates mechanisms to update the protocol with newer
> curves. Is there really the need to revise the document now or should
> we rather wait until the need for newer curves arises due to demand
> by certain applications/implementors?
> As for the representation, HIPv2 appears to require “Octet-string
> format" [2]. Is there a need to add protocol agility regarding the
> encoding (i.e., a new ECC parameter field)?
>> (3) Continuing to support the 1536 MODP DHE group but not
>> supporting the 2048 equivalent seems a bit odd, as does not having
>> a code point for the 4096 but group. Similarly, making the 1536 bit
>> group the MTI (in 5.2.7) is odd as is the assertion that "web
>> surfing" can use a lower security level.
> I am not aware of the criteria that were used for choosing the DHE
> groups. Can someone else comment on this?

I don't recall offhand, other than that we went through a round of 
review with CFRG back in 2012 and we ended up modifying our crypto 
selections based on the feedback received.  Bob and Tobias have been the 
caretakers of the crypto selections in HIPv2 in general, so I defer to them.

>> (4) (5.2.8) Did the WG discuss deprecating the NULL encryption
>> option? (Haven't you finished testing yet:-)
> I think this has been addressed on the mailinglist.

Stephen, I wonder whether saag discussion has died down now and there 
are any comments on my proposed resolution posted here?

>> Also - there are no counter modes, is that wise?
> HIP DEX defines AES-128-CTR for HIP_CIPHER [3]. However, I just
> realized that it does not specify its use for the ENCRYPTED
> parameter. Instead, the specification focuses on the special-purpose
> ENCRYPTED_KEY parameter. So, some work would be needed to carry this
> over to HIPv2.
>> Finally, HIPv1's encryption codepoint 1 was for a 3DES option, but
>> here you have 1 == NULL, yet you deprecate codepoint 3, which is
>> confusing. Why is that?
> Is this maybe a specification hiccup?

I introduced this "DEPRECATED" as part of comment resolutions back in 
2012 (someone in CFRG suggested to drop it), in this post:

However, HIP_CIPHER is a new parameter, so nothing really needs to be 
deprecated.  Perhaps "RESERVED" would have been better (or remap 
AES-256-CBC to value 3).

Any concern if I change DEPRECTED to RESERVED and add the comment that 
it is unused, such as:?

   Reserved     3    (unused value)

Or would it be better to just omit the line and skip from 2 to 4?

>> (5) Requiring HMAC-SHA-1 in 6.4.1 seems a bit odd. If HMAC-SHA-256
>> is supported, then why not just use that? Is there are real benefit
>> in the sha1 variant?
> SHA-1 is only defined for use with ECDSA_LOW. Currently, the only
> defined curve for this profile is SECP160R1. Seeing that, e.g., CoAP,
> recommends secp256r1 [4] even for constrained devices, we could
> probably remove the ECDSA_LOW profile in HIPv2 altogether.
>> Comment (2014-06-26)
>> - abstract: SIGMA-compliant is a bit of a mouthful for an abstract
>> - how many readers do we really expect to get that?
> I suggest to simply remove the “SIGMA-compliant” in the abstract.
> It’s mentioned again (with a reference) later on in the introduction
> [5].


>> - 1.1: Saying the HI is the identity of the host seems a little
>> overstated to me, but I guess that's accepted as a description for
>> HIP, so not objecting, but it'd seem more natural to me to say that
>> a HI is an identifier that a host can use. (Presumably
>> load-balancing and mobility scenarios could mean that a private key
>> could be on more than one host or one "host" might have >1 private
>> key.)
> I think the current description of the HI is more intuitive if not
> entirely precise. It doesn’t cover the mentioned (corner-)cases, but
> I personally prefer it the way it is right now.

I'm not sure what text you are referring to.  Section 1.1 says that "The 
HI is a public key and directly represents the Identity of a host. " but 
it doesn't say that the HI "is" the identity.

>> - section 3: 3110 doesn't seem like a great reference for RSA.
>> Isn't there better?
> I am not sure what this is referring to.

I think this refers to the first reference to RSA as an algorithm in 
general (in Section 3).  Later references use RFC3110 to refer to the 
specific encoding defined there, and I think that we need to preserve 
those references.  So I think Stephen's comment is to replace this 
reference in Section 3:

  HIP implementations MUST support the Rivest Shamir Adelman (RSA)
    [RFC3110] public key algorithm

with something else.  Any ideas of what to put there?  RFC3110 itself 
cites Schneier's Applied Cryptography book when referring to RSA.

- Tom