Re: [Hipsec] a state machine proposal for mm-03
Pekka Nikander <pekka.nikander@nomadiclab.com> Mon, 10 April 2006 15:15 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FSy7G-0005FR-G2; Mon, 10 Apr 2006 11:15:46 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FSy7F-0005ET-82 for hipsec@ietf.org; Mon, 10 Apr 2006 11:15:45 -0400
Received: from n2.nomadiclab.com ([193.234.219.2]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FSy7E-00061z-Op for hipsec@ietf.org; Mon, 10 Apr 2006 11:15:45 -0400
Received: from n2.nomadiclab.com (localhost [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id 28550212C63; Mon, 10 Apr 2006 18:15:43 +0300 (EEST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id 9A7C4212C5F; Mon, 10 Apr 2006 18:15:41 +0300 (EEST)
In-Reply-To: <Pine.GSO.4.58.0604101247030.26662@kekkonen.cs.hut.fi>
References: <Pine.GSO.4.58.0604031851540.25408@kekkonen.cs.hut.fi> <9AEF0EF5-18B0-4D1D-8722-37DB49721A94@nomadiclab.com> <Pine.GSO.4.58.0604101247030.26662@kekkonen.cs.hut.fi>
Mime-Version: 1.0 (Apple Message framework v746.3)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <E414BDC9-FF23-4913-AC0F-091FB5930C03@nomadiclab.com>
Content-Transfer-Encoding: 7bit
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: Re: [Hipsec] a state machine proposal for mm-03
Date: Mon, 10 Apr 2006 18:15:40 +0300
To: Miika Komu <miika@iki.fi>
X-Mailer: Apple Mail (2.746.3)
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5011df3e2a27abcc044eaa15befcaa87
Cc: hipsec@ietf.org
X-BeenThere: hipsec@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hipsec>
List-Post: <mailto:hipsec@lists.ietf.org>
List-Help: <mailto:hipsec-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=subscribe>
Errors-To: hipsec-bounces@lists.ietf.org
Miika, I have a feeling that you are imposing the complexity on the design yourself. You seem to be making assumptions that seem unnecessary and complicating to me. For example, why do you attempt to have some kind of mirrored and identical state machines at both ends? I see no need for that. You also seem to try too hard or achieve a too strong consistency between the hosts. Try to think simple, and have address- based rather than host-based state machines. For example, a minimal implementation might do as follows: - When a host gets a new local address or deprecates an old one, it simply sends an update to its active peers (if it can) and lets the UPDATE layer to take care of ACKs and retransmission. If one peer does not get the info, let it be in that way, do not try any harder. If there is active communication with the peer, it will get the new address later on, or resort to using RVS. - When a host receives a new peer address, it simply enters it into its local database. Only if it needs to use it, e.g. due to that new address being the new preferred one or the old preferred one failing, initiate reachability check (with CBA). I'd rather keep those two "state machines" completely separate. It is a well known fact that when you combine multiple simple parallel state machines into a single one you get a complicated one; google e.g. for "state space explosion". Hence, in implementation terms, it is much better to implement several parallel state machines than a single big one. > "Note3: reusing the same state variables on both hosts. At the mobile > host (the sender of LOCATOR) it is related to the data structures of > the source IP. On the corresponding node (receiver of LOCATOR), it is > related to the destination IP." See above. That assumption is unnecessary and likely to complicate your design. > See my comment in the other email: > > * Mainly, no new features. In fact, I suggest removing one feature / > use-case (readdress with peer-initiated rekey) in favour of > simplifying state machine, interaction with middle-boxes and > interoperable implementations. Suggest removal of it from this > draft and > adding to a follow-up draft. See above. Decomposing your big state machine into several parallel ones is likely to simplify your design more than sufficiently. > I am proposing the "artificial" restrictions on the draft to make > it more > concrete and to support interoperable implementations in the very near > future. I think it is just too modular as it is now :) I think the reverse. In this case I think complete state-machine modularity is good; see the argumentation above. > In addition, I > think the explicit state machine for m&m could make a security > analysis of > the UPDATE easier in the future. I agree, but OTOH such a explicit complete state machine should be composed by an analysis tool that is able to automatically generate the compound state machine from the multiple parallel ones. > Received ECHO REQUEST: > - Goto ACTIVE and send echo response See above. There is no need to keep track what the other end thinks about the state of your addresses. That only complicates things. Furthermore, there is a strong theoretical result that says that it is _impossible_ to have complete synchrony between states in an asynchronous system. Google e.g. for "common knowledge" and "modal logic". > >>> Receive ESP: >>> - For the ESP address >>> - State is UNVERIFIED >>> - Verify ESP validity. Goto DROP if failed >>> - Change preferred LOCATOR when necessary >> >> Did we specify this? May make sense sometimes, but again, >> beware.... ESP doesn't protect IP source... > > This was the CBA optimization. Maybe it should be mentioned > explicitly. OK; I haven't been following the details of CBA. I thought it was being applied only for new preferred address candidates as _indicated_ by the peer (or necessitated by the previous peer address'es failure.) --Pekka _______________________________________________ Hipsec mailing list Hipsec@lists.ietf.org https://www1.ietf.org/mailman/listinfo/hipsec
- [Hipsec] a state machine proposal for mm-03 Miika Komu
- Re: [Hipsec] a state machine proposal for mm-03 Pekka Nikander
- Re: [Hipsec] a state machine proposal for mm-03 Miika Komu
- Re: [Hipsec] a state machine proposal for mm-03 Pekka Nikander
- RE: [Hipsec] a state machine proposal for mm-03 Henderson, Thomas R
- Re: [Hipsec] a state machine proposal for mm-03 Miika Komu
- RE: [Hipsec] a state machine proposal for mm-03 Miika Komu