Re: [Hipsec] Eric Rescorla's No Objection on draft-ietf-hip-rfc4423-bis-19: (with COMMENT)

Miika Komu <miika.komu@ericsson.com> Wed, 23 January 2019 11:18 UTC

Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E1F3130E57 for <hipsec@ietfa.amsl.com>; Wed, 23 Jan 2019 03:18:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.854
X-Spam-Level:
X-Spam-Status: No, score=-8.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=dETndc4U; dkim=pass (1024-bit key) header.d=ericsson.com header.b=V2rfZGKP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ha2dk7mWtI4y for <hipsec@ietfa.amsl.com>; Wed, 23 Jan 2019 03:18:17 -0800 (PST)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66C83130E59 for <hipsec@ietf.org>; Wed, 23 Jan 2019 03:18:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1548242292; x=1550834292; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=1wCF76rsqumlo+SOrMU6rzDUv9zlgedh3KVSewOlN0I=; b=dETndc4UbJYhaa2Q6BGnUOMh7KmCzoDSLImo2rIFY4qG6yy9zYIhW1RgTyZwfEMb H1gfYuR7iV3EMTpcDbDkB4Dvg8zasuyA3jgo4ohCHra9YMSndUvoYmDXgS6on2od 7XcUHdg5z2vy+hRZ0q+WVtauBLRxy26LsqavX8dSwpc=;
X-AuditID: c1b4fb25-209009e000005ff7-8f-5c484d7474c4
Received: from ESESBMB501.ericsson.se (Unknown_Domain [153.88.183.114]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id 05.03.24567.47D484C5; Wed, 23 Jan 2019 12:18:12 +0100 (CET)
Received: from ESESBMB501.ericsson.se (153.88.183.168) by ESESBMB501.ericsson.se (153.88.183.168) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 23 Jan 2019 12:18:12 +0100
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB501.ericsson.se (153.88.183.168) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Wed, 23 Jan 2019 12:18:12 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1wCF76rsqumlo+SOrMU6rzDUv9zlgedh3KVSewOlN0I=; b=V2rfZGKP0n4Nw1k8h66Uhokdj+fo8tqhVw6qkLUcHgXBep1CaJmYqwMRxpoEqRqNGEBjyy/5du4H1aoApWPyxZUsu5e7jDeem1HWWkphB4+UMDVZYarGcKp/dyJBx56NEOOwGlAtYv4x71bxS5VxiXcaS7uuwEgpMy03U/zbQT0=
Received: from AM4PR0701MB2194.eurprd07.prod.outlook.com (10.167.132.155) by AM4PR0701MB2163.eurprd07.prod.outlook.com (10.167.132.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1580.5; Wed, 23 Jan 2019 11:18:11 +0000
Received: from AM4PR0701MB2194.eurprd07.prod.outlook.com ([fe80::a15f:7d17:876c:b965]) by AM4PR0701MB2194.eurprd07.prod.outlook.com ([fe80::a15f:7d17:876c:b965%12]) with mapi id 15.20.1558.016; Wed, 23 Jan 2019 11:18:11 +0000
From: Miika Komu <miika.komu@ericsson.com>
To: Tom Henderson <tomh@tomh.org>, Eric Rescorla <ekr@rtfm.com>
CC: "mkomu@kapsi.fi" <mkomu@kapsi.fi>, "draft-ietf-hip-rfc4423-bis@ietf.org" <draft-ietf-hip-rfc4423-bis@ietf.org>, "hipsec@ietf.org" <hipsec@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, IESG <iesg@ietf.org>
Thread-Topic: [Hipsec] Eric Rescorla's No Objection on draft-ietf-hip-rfc4423-bis-19: (with COMMENT)
Thread-Index: AQHT5YLxe6LepMqB0kKL89VZqk/vXKVaTjGAgAGJ8ICASqy+AIAAZFmAgACkQ7KAEdPFAIAE7luA
Date: Wed, 23 Jan 2019 11:18:11 +0000
Message-ID: <e784b9c9-72af-f366-0ad8-69b67e2bca74@ericsson.com>
References: <152564286489.26793.2457846656783140871.idtracker@ietfa.amsl.com> <70e4c94f-0097-0b13-140c-db0a5732ab67@kapsi.fi> <CABcZeBPUvZW0qa5X+SGzAaDgJhArw5Q3NSnSj6cYhBce4cnzqw@mail.gmail.com> <f02e449f-75af-1329-c94c-f53bd2b4bd08@tomh.org> <CABcZeBPKCOq7hO85CRAd3XRiH4v=G7ohG7p8X5GDeENX9+8B8g@mail.gmail.com> <e3c01281-aa06-e949-723e-882899c91011@tomh.org> <CABcZeBP=rn2LAqWpXr_YKeaXb8DrV_Tkx=78-PXQGNhcZd-DuA@mail.gmail.com> <4068edc0-76c5-9931-1b52-8f147b24d854@tomh.org>
In-Reply-To: <4068edc0-76c5-9931-1b52-8f147b24d854@tomh.org>
Accept-Language: fi-FI, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: HE1PR0402CA0019.eurprd04.prod.outlook.com (2603:10a6:3:d0::29) To AM4PR0701MB2194.eurprd07.prod.outlook.com (2603:10a6:200:49::27)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=miika.komu@ericsson.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0701MB2163; 6:iaIhV8rkLmsHT4SJakxNjLZAw2+e6L+PfF4QP0xLUF9g/dnUUZMFwDrJVJZm2LOqSB4bKpMoQZmJ3Jv3lAcofToyJkDcu+agblBjdLtRz9P7zA4JaGOWK21JLmSVn/jPJyTZWn9X5oVhzkwz+sUCJL4/n8frSEtGe1tfTmSqozceOrp8RxA0CD+ByapZ5oSGJ/Y+FWtBb36W6uoDetHsGQNEgzVW+j5daC32leaATuv0ghKtyAh+m1Z08x+Hjk6IUAazTEz713+IVbsB89NJE82CPIj/V4+ihgTIipPOnya4Q7FBddP7VeFGR04QV6NyHl2UzOH448yF43Dqwjxm26LTDB1gDxmGLaQcMDNbFgxBYs/ObtAzY74vaRFMB+df+Z1wZ98hfgOWAy5Rp19Ff4CUgti+gdg6Oj7QKmNcTMLA4k5uNihuRxJ5OjJPBTpdYb3O7nXwQaFK8CtCN4tdhQ==; 5:9uEYrtb7ljitWo5aRevxoU/TaGf5MidbbtUMmvikhcgacOCHYiNo95NlXjAf8pawO5WLEZGzlOVMNT/J06TJ24Ie4OagiNtsVm8cCqvgmPWBQwUVekCx4SkEaSbKqZiJtDgpwsMJy+g+bNIJp0thBQhHPJimFah8Dcpjb25lPIogR7NMQb+xdFkQ5SCZarFjX7TpdSYUf1Lq0HQcESYDjw==; 7:K83G+dlhoKX7PaEaVGIvFKsh8Qgi9BAQC4+cCtyekc8wKNcTjertBFHc3/cAVblIUX2b/rEc8rczyCm7zO6y8B0qz/kY8zvobGq9Hk7DtCe7h03b1oxxTO8zsin4Tl3EZnVH8VPtwq7VcIppLuyfxg==
x-ms-office365-filtering-correlation-id: 30a639a6-9989-4a97-18d2-08d68124758d
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600110)(711020)(4605077)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:AM4PR0701MB2163;
x-ms-traffictypediagnostic: AM4PR0701MB2163:
x-microsoft-antispam-prvs: <AM4PR0701MB216374E2928DFEB6D694A5C5FC990@AM4PR0701MB2163.eurprd07.prod.outlook.com>
x-forefront-prvs: 0926B0E013
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(376002)(136003)(346002)(366004)(396003)(189003)(199004)(14444005)(256004)(31696002)(6512007)(86362001)(2906002)(106356001)(36756003)(31686004)(68736007)(6246003)(4326008)(305945005)(7736002)(105586002)(53936002)(966005)(14454004)(93886005)(81166006)(8676002)(81156014)(8936002)(25786009)(478600001)(26005)(6306002)(186003)(6116002)(76176011)(3846002)(102836004)(44832011)(486006)(229853002)(110136005)(476003)(71190400001)(54906003)(386003)(71200400001)(11346002)(446003)(2616005)(97736004)(316002)(66066001)(6436002)(6486002)(99286004)(52116002)(6506007)(53546011); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0701MB2163; H:AM4PR0701MB2194.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ljM5ADJVCZ11gJhDK06609F0hXBejy34GlN4q0kJUOv2Q1nqNdqkIdAqbMC5pUMv7N7P+JlEKZub0HlJVTWAMl3Nh5BQo76vesq/RUgJGd2NOFWQb/w2+B5cm41S++SqoV9P0oPoox375s9RnzHurT7KrygQSJuLbxnxrZkWGy4r8RfJtKpB9+IUkTDxF0ozkENWJuyMuWEU+GTMxM1sofiU52N/kKwDoSeRvZYPyH77Cq+3WEQQOTsy/YPxDpQCU4qSzkybnlcmXBrcXubULPv+I59IAsDPkHbGJotVWlEdpls2O0BL/0BBfKSW3g1I1gsfR+DdoYYItlhjKu3Of/C5ZiDK8IXZWZLcgZlRjbwkYrSczA+4KYOQ1DMUGVKl4IB7rp1bZUBpWyOkhA579C/XSDeuKMfLAPdpgkwtdDA=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <E2D20730E484194B89EEA3C1D3F85D09@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 30a639a6-9989-4a97-18d2-08d68124758d
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jan 2019 11:18:10.7468 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0701MB2163
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02SfyzUYRzHPfd8z33R5euQz5Q116SuolPs/lCxVW42q/RPdJuufHMWzr4n S1Nh8sddSZPF1RJdxW2NZGXcNJf1G8XC/Dg7jvyKZaS4yN33bP33+jzvz/v9eZ7PHhIL6rm+ ZHJaBs2kyVOEzq5E2alXzJ6MGKls78DYLslg6wOepGqqnSdpva7mSUoqi7Gk1HobS74VjnAl uYNWTgRPqtP94Ug7261YWjxSgKWG7h3HiXjX8EQ6JTmTZoIPnnFVWDoaOOkvQy6NGj7jHFQk ViMXEqj9MD54z1mNXEkB1Ypg5d4iYotfCBqH3hFsoePAjcIuu0JQRRjan9Q5PKUcGFnUY7b4 juB531NkS3amRKAf6ME29qIOgWlBw7U1YcqEoHuhk7AJnhQN9R9LOGzTebB+yXVmOR5MfRV2 M0EFwEDDuJ35a0F6g9kxehJDjnWJZxNcqHDQDa1ybYwoP6h+sWI3YMoH+izlHPatFOgMHZhl b5gYWeGyXIZgeR6x3njQTN4i2PPd0NZjQSz7Q9uM2ZHjB53lGvsygMrnQXPZa0doDIyNFzgM /Qg008x6UO19DY9lJVTPVzkGbIGWORMuQiHa/+6qReQa74SaxmAWpdDSu4nt8Ic7GjNPa1+F B3wosxAPEVePvFW06mxqUsi+IJpJPqdSKdOC0uiMOrT2l1rqlwMaUNd0pBFRJBJu4NeESmUC rjxTlZVqREBioRf/yNejMgE/UZ51mWaUCczFFFplRJtJQujDtwo8ZAIqSZ5BX6DpdJpZVzmk i28Oirni5v9DPFxaOwvbpaIOsdPPiLD3htXZ3KminK2FxpltA9Fx1oq/7gs4yk09Hph4+pmo 5kSI4q1S62GwtHTcfZM6+ui3p/Kqi/tQ+IQl9vDsteTY4mZz3FwUnFSEbVQ/zos8xgwPBzbl aRVL+Q3Bnyqzs0N7b/YnRPceaCIynYSESiEXizCjkv8DIlXNk0cDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/puoVyqonA4kgKsNaUlKsVb5PnSU>
Subject: Re: [Hipsec] Eric Rescorla's No Objection on draft-ietf-hip-rfc4423-bis-19: (with COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2019 11:18:19 -0000

Hi,

On 1/20/19 07:59, Tom Henderson wrote:
> On 1/8/19 3:44 PM, Eric Rescorla wrote:
>>
>>
>> On Tue, Jan 8, 2019 at 9:50 AM Tom Henderson <tomh@tomh.org 
>> <mailto:tomh@tomh.org>> wrote:
>>
>>     On 1/8/19 5:57 AM, Eric Rescorla wrote:
>>
>>      >     The second preimage attack resistance is 96 bits, plus
>>     whatever work
>>      >     is needed to generate the keys.
>>      >
>>      > I agree that this is in RFC 7343, but it doesn't seem to be stated
>>      > anywhere in this document, and  given that this text talks about
>>     both 64
>>      > bit and >= 100 bit hash functions, I'm not sure how to get it
>>     from this
>>      > text, which is in context quite confusing/
>>
>>     I agree that the text could be clarified; I will try to suggest
>>     something more.
>>
>>      >
>>      >     There isn't any mechanism defined to extend this, such as 
>> the CGA
>>      >     Hash Extension, but it seems to me that HIP could be extended
>>     in a
>>      >     similar way.  My recollection is that the WG had thought 96
>>     bits to
>>      >     be strong enough preimage resistance.
>>      >
>>      > Generally, we are targeting the 128-bit security level for new
>>     deployments
>>      >
>>
>>     Can you provide a reference for the 128-bit recommendation?
>>
>>
>> I don't believe there is a policy, but for instance, see:
>> https://tools.ietf.org/html/rfc7525#section-4.1
>>
>>     Also, how are legacy uses like SEND/CGA handling this new target (or
>>     are
>>     they just considered legacy at this point)?
>>
>>
>> As far as I understand it, they are legacy.
>>
>> -Ekr
>>
> 
> Eric and all,
> 
> In response to this thread, I propose below an additional paragraph to 
> the draft.
> 
> In section 3.1, it discusses requirements on the new namespace in
> general and mentions the desire to avoid collisions, but just lists a
> generic requirement to provide 'authentication services' because the
> cryptographic details are provided later.  As a result, I decided
> against describing second pre-image resistance here.
> 
> In section 4.3, the following paragraph currently concludes the section:
> 
>     In the HIP packets, the HITs identify the sender and recipient of a
>     packet.  Consequently, a HIT should be unique in the whole IP
>     universe as long as it is being used.  In the extremely rare case of
>     a single HIT mapping to more than one Host Identity, the Host
>     Identifiers (public keys) will make the final difference.  If there
>     is more than one public key for a given node, the HIT acts as a hint
>     for the correct public key to use.
> 
> I suggest to add a paragraph as follows:
> 
>     Although it may be rare for an accidental collision to cause a single
>     HIT mapping to more than one Host Identity, it may be the case that
>     an attacker succeeds to find, by brute force or algorithmic weakness,
>     a second Host Identity hashing to the same HIT.  This type of attack
>     is known as a preimage attack, and the resistance to finding a second
>     Host Identifier (public key) that hashes to the same HIT is called
>     second preimage resistance.  Second preimage resistance in HIP is
>     based on the hash algorithm strength and the length of the hash
>     output used.  Through HIPv2 [RFC 7401], this resistance is 96 bits
>     (less than the 128 bit width of an IPv6 address field due to the
>     presence of the ORCHID prefix [RFC7343]).  96 bits of resistance
>     was considered acceptable strength during the design of HIP, but may
>     eventually be considered insufficient for the threat model of an
>     envisioned deployment.  One possible mitigation would be to augment
>     the use of HITs in the deployment with the HIs themselves (and
>     mechanisms to securely bind the HIs to the HITs), so that the HI
>     becomes the final authority.  It also may be possible to increase
>     the difficulty of brute force attack by making the generation of the
>     HI more computationally difficult, such as the hash extension
>     approach of SEND CGAs [RFC 3972], although the HIP specifications
>     through HIPv2 do not provide such a mechanism.  Finally, deployments
>     that do not use ORCHIDs (such as certain types of overlay networks)
>     might also use the full 128-bit width of an IPv6 address field for
>     the HIT.

thanks! Eric, does this address your concerns?