[Hipsec] Re: Re: clarification on HIT Suite IDs

Tobias.Heer@Belden.com Mon, 29 September 2014 16:20 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/quiFfxvvEW_ZJbldgNlOHfYyq1A


I'd like to confirm some of your statements. The thought was really to 
show both options a) reuse of OGAs and b) what could happen if we need 
more bits. However, the wording and the current set of IDs was chosen so 
that it discourages the use of more IDs at the same time so the option to 
take more bits from the OGA was really just a last resort. Nothing anybody 
would really want.

See my comments below.

From:    Francis Dupont <fdupont@isc.org>
To:      Tom Henderson <tomh@tomh.org>, 
Cc:      HIP <hipsec@ietf.org>, Francis Dupont <fdupont@isc.org>, 
Date:    26.09.2014 12:39
Subject:        Re: [Hipsec] clarification on HIT Suite IDs
Sent by:        "Hipsec" <hipsec-bounces@ietf.org>

Tom Henderson writes:
>        For the time being, the HIT Suite uses only four bits because
>        these bits have to be carried in the HIT.  Using more bits for 
>        HIT Suite ID reduces the cryptographic strength of the HIT.

=> yes, there is a long discussion in RFC 7343 about this tradeoff.

> which implied to me that the HIT suite ID may in the future consume more 
> bits presently allocated to hash.

=> the fact the problem could exist doesn't mean it will exist...

TH=> This was just to cover all options. It is not a desired or intended 

> > So there is nothing very clear about what will happen if one will need
> > more than 15 HIT Suite-IDs... BTW according to appendix E I should add
> > "at the same time" (appendix E proposes to reuse values, making 
> > to really need more than 15 values).
> I'm not sure where you are proposing to add the clause; can you point 
> out the sentence?

=> one will need more than 15 HIT Suite-IDs ->
one will need more than 15 HIT Suite-IDs at the same time

TH=> Exactly. The intention is to reuse the HIT Suite IDs once they are 
reasonably out of use. Appendix E describes this rollover.

> > => no, the current choice makes more sense with the HIT Suite-IDs
> > from OGAs. But it is a matter of taste for sure...
> Perhaps we could start by trying to resolve whether the plan should be 
> to reuse four-bit values if the space is eventually exceeded, or whether 
> the HIT suite ID may grow in the future (and how that affects the 
=> clearly the current plan is the first (reuse 4 bit values).
The second is just a provision in the case the first fails.

TH=> Yes. I can confirm this.

> Maybe we do not need to specify the plan in this draft; maybe 
> we could just avoid the problem for now and just keep value 0 reserved 
> and state that what to do when the HIT_SUITE_ID space is exhausted is 
> for further study, with deprecated value reuse and expansion of the HIT 
> Suite ID being two possibilities.

=> perhaps it was considered as too optimistic? BTW I have no idea
about the future need in new values in the HIT_SUITE_ID / OGA space
(but does somebody already have one?)

TH=> I am fine with not specifying the extension of the ID but to leave 0 
as reserved instead.

> Another basic question I have is whether the table 11 in Appendix E 
> should be merged with the unlabeled table at the end of 5.2.10 (and 
> located in 5.2.10), and whether Appendix E text in general ought to be 
> brought forward in the draft to section 3.2 and/or 5.2.10.

=> it is a question for the hipsec mailing list (I subscribed to it
but from my personal e-mail).

TH=> Moving the table to 5.2.10 is fine from my perspective. 

Best regards,
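The tradeoff the thread turns on (four HIT Suite ID bits carried inside the HIT, value 0 reserved, and every extra ID bit paid for with one hash bit), as an added example that is not from this thread or from any HIP implementation. The ORCHIDv2 prefix 2001:20::/28, the HIP context ID and the suite-1/SHA-256 pairing are assumed from RFC 7343 / RFC 7401 rather than taken from this page, and the host identity bytes are constructed test data.

```python
"""ORCHIDv2-style HIT layout: 28-bit prefix | n-bit HIT Suite ID (OGA ID) | (100-n)-bit hash.
Added example, not from the hipsec thread. Prefix and context ID are assumed from
RFC 7343 / RFC 7401; the host identity below is constructed, not a real key."""
import hashlib
import ipaddress

PREFIX_BITS = 28
ORCHID_PREFIX = 0x2001002                       # top 28 bits of 2001:20::/28 (assumed, RFC 7343)
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")  # assumed, RFC 7401


def hash_bits(suite_bits: int = 4) -> int:
    """Hash bits left in the HIT once the suite ID takes `suite_bits` bits (4 -> 96, 8 -> 92)."""
    return 128 - PREFIX_BITS - suite_bits


def make_hit(hi: bytes, suite_id: int, hash_name: str, suite_bits: int = 4) -> ipaddress.IPv6Address:
    """Build a HIT from a Host Identity. Suite ID 0 is reserved and refused."""
    if not 0 < suite_id < (1 << suite_bits):
        raise ValueError(f"suite id {suite_id} is reserved or outside a {suite_bits}-bit field")
    n = hash_bits(suite_bits)
    digest = hashlib.new(hash_name, HIP_CONTEXT_ID + hi).digest()
    # Encode_96-style truncation: keep only the leftmost n bits of the digest.
    truncated = int.from_bytes(digest, "big") >> (8 * len(digest) - n)
    value = (ORCHID_PREFIX << (128 - PREFIX_BITS)) | (suite_id << n) | truncated
    return ipaddress.IPv6Address(value)


def split_hit(hit: ipaddress.IPv6Address, suite_bits: int = 4) -> tuple[int, int]:
    """Return (suite_id, hash_part); raise if the ORCHID prefix does not match."""
    value = int(hit)
    if value >> (128 - PREFIX_BITS) != ORCHID_PREFIX:
        raise ValueError("not an ORCHIDv2 HIT")
    n = hash_bits(suite_bits)
    return (value >> n) & ((1 << suite_bits) - 1), value & ((1 << n) - 1)


def verify_hit(hit: ipaddress.IPv6Address, hi: bytes, hash_name: str, suite_bits: int = 4) -> bool:
    """A peer's check: does the offered HI really hash to the HIT it claims?"""
    suite_id, _ = split_hit(hit, suite_bits)
    return make_hit(hi, suite_id, hash_name, suite_bits) == hit


if __name__ == "__main__":
    hi = b"constructed HI bytes, not a real public key"
    hit = make_hit(hi, 1, "sha256")              # suite 1 = RSA,DSA/SHA-256 (assumed, RFC 7401)
    print(hit, split_hit(hit), verify_hit(hit, hi, "sha256"))
    # Each extra suite-ID bit removes one hash bit: 2^96 vs 2^92 second-preimage work.
    print(hash_bits(4), hash_bits(8))
```

Widening the field to 8 bits (`suite_bits=8`) keeps the construction valid but leaves only 92 hash bits, which is the cryptographic cost the quoted text refers to.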

