Re: [Hipsec] Eric Rescorla's Discuss on draft-ietf-hip-native-nat-traversal-28: (with DISCUSS and COMMENT)

Miika Komu <miika.komu@ericsson.com> Wed, 07 November 2018 21:37 UTC

Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE49124BE5 for <hipsec@ietfa.amsl.com>; Wed, 7 Nov 2018 13:37:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.771
X-Spam-Level:
X-Spam-Status: No, score=-4.771 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=MgNua2Gu; dkim=pass (1024-bit key) header.d=ericsson.com header.b=PfpK6G6+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ZFb_hfTfDNU for <hipsec@ietfa.amsl.com>; Wed, 7 Nov 2018 13:37:21 -0800 (PST)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08E4112F1AB for <hipsec@ietf.org>; Wed, 7 Nov 2018 13:37:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1541626636; x=1544218636; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=wumOS5FxLaLOHoRqDnCwVPyoXMBCJKnGfjzxwLmh/LQ=; b=MgNua2GuxOVswp4eFwCDh+pHcMaioMpm6GUMtlpS6lK2e1aOjcKMeyuyOtlO74yc kFGTmOPRXluQjOxus6buVJJx0aPwNt/oWpyrVyfp7Rt7ZeI+QK4e+F/ot5o8BmJr JSh+/nypNSN7FwzVTexIILdBB6gQ9USmILrVsw+qIpk=;
X-AuditID: c1b4fb3a-45fff70000002747-e4-5be35b0c7c23
Received: from ESESBMB502.ericsson.se (Unknown_Domain [153.88.183.115]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id E6.EE.10055.C0B53EB5; Wed, 7 Nov 2018 22:37:16 +0100 (CET)
Received: from ESESSMR502.ericsson.se (153.88.183.110) by ESESBMB502.ericsson.se (153.88.183.115) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 7 Nov 2018 22:37:16 +0100
Received: from ESESSMB502.ericsson.se (153.88.183.163) by ESESSMR502.ericsson.se (153.88.183.110) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 7 Nov 2018 22:37:16 +0100
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESSMB502.ericsson.se (153.88.183.163) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Wed, 7 Nov 2018 22:37:15 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wumOS5FxLaLOHoRqDnCwVPyoXMBCJKnGfjzxwLmh/LQ=; b=PfpK6G6+lObzJC/Q3KQ4b1Pv2W757SSuy5aOg94Xo+OSQ1KKWaJijhbzimkWhRPUKO48iztdiDZFQoRF7xHoFo5H9E1daqAQcwjg/iDPngRWepxxqRUhRVdjrxs4sKUvza5YqrakuygWwFpyh3DDkZVv34XDVQvKPbD4mLV1c6w=
Received: from AM6PR07MB4865.eurprd07.prod.outlook.com (20.177.118.22) by AM6PR07MB4677.eurprd07.prod.outlook.com (20.177.39.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.14; Wed, 7 Nov 2018 21:37:14 +0000
Received: from AM6PR07MB4865.eurprd07.prod.outlook.com ([fe80::f0ee:62a8:97ea:5279]) by AM6PR07MB4865.eurprd07.prod.outlook.com ([fe80::f0ee:62a8:97ea:5279%3]) with mapi id 15.20.1294.034; Wed, 7 Nov 2018 21:37:14 +0000
From: Miika Komu <miika.komu@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>, The IESG <iesg@ietf.org>
CC: "hipsec@ietf.org" <hipsec@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>
Thread-Topic: Eric Rescorla's Discuss on draft-ietf-hip-native-nat-traversal-28: (with DISCUSS and COMMENT)
Thread-Index: AQHT497tUmBXmn8MOU+Q++wdbIVom6VF/FUA
Date: Wed, 07 Nov 2018 21:37:14 +0000
Message-ID: <a657ffe0-3574-850e-3b8d-9b21f6f8825b@ericsson.com>
References: <152546246777.11589.13288594519409569524.idtracker@ietfa.amsl.com>
In-Reply-To: <152546246777.11589.13288594519409569524.idtracker@ietfa.amsl.com>
Accept-Language: fi-FI, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: AM6PR0202CA0044.eurprd02.prod.outlook.com (2603:10a6:20b:3a::21) To AM6PR07MB4865.eurprd07.prod.outlook.com (2603:10a6:20b:59::22)
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [192.176.1.83]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM6PR07MB4677; 6:jNHFgRHeO4Fdx5Wk0dbz4He7X9R76e/1CuCbHyozx7C6A4SjR1ldBeaJyX1sfkNb/7XkCBr4CkDoOZAv6EfRvISoYnz/J4AM+quKAim4EOZtcbH/dSvmYW5+14kB9NfjuFRjM9sLOXssLUMwy6oUavqhQ+KG0EbqjuPP9e1Xfy7GdHZnTRrqUG6aWxH890J6Eg1KDHgU+jBqBKhn1EDSNvH5ozlx+mXc+6ZIHeAlGT/k78CJLCNaDTdTe+bqD+ydL5QaJUCFhiLy+S1Glv5NsJZm3ma3uZObb4yMdw1QpYtGz7nwurf4kEyT/278diGa68HBFfnjJ9y//3PIX8v+16kMUaA7d5RIeAuReE/7kuoAv9+JR37lkuk3W4JU1L4cHPqO7JcH64ciFpfJLfaAC7VxagTpwvaGiwNp0zYs9t+ovl2AEz+rMgmorghIh/UOte7xvk7yo3JLA1CYg7gFvg==; 5:cCJQbfwayOG7IgMCXJfXed83J0u0aCC7NN88VJJCbwpsRSsTRe3VyUG6Q+ENuDwQi93EDb4vg3ErSR2k5jelh9Y6Bdg5qJ68klP37DVUmnZ2vizmR0AGdVt1Mxk9UjW8xMkpYQtbesldAn64u/ImiXQuL+yrsHGOrBfJFvSdi3s=; 7:bo2ozCiMZULObfDzrWfRdYsGMK8haVscCZMMFoIl+ZDsV+4HhagxWM42vVCRAzB/nJc6Ot7H2SoJ52suiT5gNXHpNLlMbLKVrTCk5ebHKiqbt+BEQoSwAbcvVa7XYMNtP0jPfCPe5SdjZHR776xlAQ==
x-ms-office365-filtering-correlation-id: 9735ca4f-221b-4cca-0446-08d644f92e8c
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:AM6PR07MB4677;
x-ms-traffictypediagnostic: AM6PR07MB4677:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=miika.komu@ericsson.com;
x-microsoft-antispam-prvs: <AM6PR07MB46774F03BA1C9C6DCFBDB7FCFCC40@AM6PR07MB4677.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105)(158342451672863)(35073007944872);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(3231382)(944501410)(52105095)(10201501046)(93006095)(93001095)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(20161123560045)(20161123564045)(201708071742011)(7699051)(76991095); SRVR:AM6PR07MB4677; BCL:0; PCL:0; RULEID:; SRVR:AM6PR07MB4677;
x-forefront-prvs: 08497C3D99
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(376002)(346002)(136003)(366004)(396003)(51234002)(189003)(199004)(6436002)(3846002)(52116002)(36756003)(44832011)(99286004)(316002)(11346002)(4326008)(2616005)(81166006)(476003)(81156014)(54906003)(8936002)(68736007)(6246003)(14454004)(25786009)(6506007)(186003)(66066001)(386003)(6116002)(8676002)(102836004)(2900100001)(305945005)(106356001)(6486002)(966005)(7736002)(229853002)(31686004)(256004)(14444005)(53546011)(86362001)(71190400001)(71200400001)(2906002)(478600001)(105586002)(97736004)(486006)(446003)(76176011)(5660300001)(110136005)(53936002)(6306002)(31696002)(26005)(6512007); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR07MB4677; H:AM6PR07MB4865.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 2yqrikzSYGXMTHXV22V6jKEXsMjBA0OPUtPSHCBJrjK93ywBN03HtzbrOhEi62udKqU6VqzZR+ZGXzqszTG0FTWpuAXIylGrYra09j9rr8uN/rc94F+Ae+xLXFDaUkyKQ/zeNkVG5Fa6ds62/Uu1KxU1qvRQ3oKlT8iXZWw+JAW19k9fhDwXmr4DDwCFCrg58mQSItk10YvrlkZ2QNzwhl7K2zyNfz61wHkkoaaSvHT8e6aO3lBkFpJ8TiemJUI4LOjQSFcZSD7KwMe/NVhJxJJ2slAe+Ejl+Vdib5dVFiJpkSGfAvHEoO4fL5K8YWVTvw4LWgFZGU0wUKqoyifX4JW7KkpQXQzLX6Le5k3CfJI=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <F438C9AC68ACC54A86B0B3B96B5C3C6F@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 9735ca4f-221b-4cca-0446-08d644f92e8c
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Nov 2018 21:37:14.2490 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB4677
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02SfUhTURjGObt323W5Oi7FF3NQKwTFdIrBsuj7j1VqZn+ULsiVNxXnB7sm WlFKlGNmanPaNNDULM2hWJGahS5JzNSy0krBdOZnBokjZTpyuxb993vO8z7nPC8cihBVcD2o +KRUWp2kVEl4AtJw6hmz3VlhVkjfznvKsus0hOzhbC9f1nFdy5fpK3SE7M5yAbGPK6+qWuLI deYbRDgnSrA7hlbFp9Fq/z3Rgjj9i0p+ynJaenl1JpmJFhgtcqIAB8FMyXO+FgkoEe5AYOnK 5bHCguDN/CL5T7QUWpA9IsKVHOjOl9oNEucToHlqXMsXcMCm/0SwYhTBSGkz3x7hYR+oHR4k 7OyKg2HGOuC4l8BzCDqbNRy7sRGroLvpJ8kOJcLd4uo1DoTvQ0ZHmMTboM4yxbOzEO+Fut5W ku0UBqPNRVw7O+FjMGGedHRFWAw1j22OLIHd4et4GYddG0NVax/BshtMm21ceyHABgTDWTrE Gr7QMzi+xpthWG/ksyyG/rIcxAYGeKD7tsRljVBYnLrPY41OBMulY2vP+UB/dgPBVoqCnJk8 kj1PgMoJIz8fBZX817AEUavsDfUt/izK4WZPNDuxBQpzRvkljv1doMswTpYjbi1yY2iGSYwN DPSj1fHnGCY5yS+JTm1Eqz+n/Yk1uAm1T+43IUwhibNwR4RZIeIq05iMRBMCipC4CnMfjSlE whhlxkVanXxGfUFFMya0iSIl7sID52VRIhyrTKUTaDqFVv91OZSTRyY6JFw3PPuyLSsk7oi8 TRz+KqRivVe174/oMPJS1lbN0OGuiKuCW+3veWGf1d6G2ZPHsyJbr5ikfbaivIaZmo6hDJcC aWUsfXBlV+vr9BC3ucsrX3q03VbFh8jT9Ud/WX9fo9/VBX0MkO/08rVFPjjhOS0uPtt4O3Rh +t7ABhdjsPeIhGTilAE+hJpR/gE0LdseNQMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/rmnJ3OL-YG0fnA-464LpNx8NWD4>
Subject: Re: [Hipsec] Eric Rescorla's Discuss on draft-ietf-hip-native-nat-traversal-28: (with DISCUSS and COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2018 21:37:23 -0000

Hi Eric,

apologies for the belated response, I am not working on HIP anymore, so 
it has been rather difficult to find time for this.

On 5/4/18 22:34, Eric Rescorla wrote:
> Eric Rescorla has entered the following ballot position for
> draft-ietf-hip-native-nat-traversal-28: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Rich version of this review at:
> https://mozphab-ietf.devsvcdev.mozaws.net/D3099
> 
> 
> I am very familiar with ICE and yet I found this document extremely
> hard to follow. The problem is that it cherry-picks pieces of ICE and
> I'm just not sure that it's a complete specification when put all
> together. I have noted a number of places where I actually am not sure
> how to implement something, and fixing those will resolve this
> DISCUSS, but IMO you really should totally rewrite this document
> either (a) as a variant of ICE or (b) as an entirely new document not
> with a pile of new text and then references out to ICE sections.

the expected receivers of the work are the implementers of RFC5770, so 
the draft follows the sectioning of the RFC5770 (which has two 
interoperable implementations).

If I understood your comment right, the variant of ICE (a) would follow 
the ICE document structure but then the document would not serve anymore 
HIP implementers so well. What comes to option (b), I think it would 
make the the document quite long if we replicated everything in the ICE 
specification (and possibly from the HIP specifications) in the draft.

> DETAIL
> S 4.2.
>>       request type SHOULD NOT create any state at the Control Relay Server.
>>    
>>       ICE guidelines [I-D.ietf-ice-rfc5245bis] for candidate gathering are
>>       followed here.  A number of host candidates (loopback, anycast and
>>       others) should be excluded as described in the ICE specification
>>       [I-D.ietf-ice-rfc5245bis].  Relayed candidates SHOULD be gathered in
> 
> If you're going to normatively cherry-pick ICE, you need to note
> specific sections, I think.


good catch, now that the ICE specification is finally an RFC, we can add 
a reference here and to a number of other places (which I had commented 
out because the section numbering in ICE was changing).

> S 4.6.2.
>>    
>>       A host may receive a connectivity check before it has received the
>>       candidates from its peer.  In such a case, the host MUST immediately
>>       generate a response, and then continue waiting for the candidates.  A
>>       host MUST NOT select a candidate pair until it has verified the pair
>>       using a connectivity check as defined in Section 4.6.1.
> 
> Are you supposed to put this on a TODO check list as with ICE?

I believe you refer to the triggered-check queue:

https://tools.ietf.org/html/rfc8445#section-6.1.4.1

I changed the text as follows:

A host may receive a connectivity check before it has

received the candidates from its peer. In such a case, the

host MUST immediately generate a response by placing it in the 
triggered-check queue, and then continue
waiting for the candidates.

> S 5.8.
>>    
>>    5.8.  RELAY_HMAC Parameter
>>    
>>       As specified in Legacy ICE-HIP [RFC5770], the RELAY_HMAC parameter
>>       value has the TLV type 65520.  It has the same semantics as RVS_HMAC
>>       [RFC8004].
> 
> What key is used for the HMAC?

clarified this as follows:

[..] It has the same semantics as RVS_HMAC as specified in section 4.2.1 
in [RFC8004].  Similarly as with RVS_HMAC, also RELAY_HMAC is is keyed 
with the HIP integrity key (HIP-lg or HIP-gl as specified in section 6.5 
in [RFC7401]), established during the relay registration procedure as 
described in Section 4.1.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> S 2.
>>       Server reflexive candidate:
>>          A translated transport address of a host as observed by a Control
>>          or Data Relay Server.
>>    
>>       Peer reflexive candidate:
>>          A translated transport address of a host as observed by its peer.
> 
> You should indicate which definitions are the same as ICE/STUN

these both are the same as in ICE. I have now added references to all of 
the terms to indicate their origin.

> S 3.
>>       connected to the public Internet.  To be contacted from behind a NAT,
>>       at least the Responder must be registered with a Control Relay Server
>>       reachable on the public Internet.  The Responder may have also
>>       registered to a Data Relay Server that can forward the data plane in
>>       case NAT traversal fails.  While, strictly speaking, the Initiator
>>       does not need any Relay Servers, it may act in the other role with
> 
> Why doesn't it need Relay Servers? This isn't true for ordinary ICE.

good catch. Actually, Control Relay Server is always needed to discover 
server reflexive candidates but Data Relay Server is kind of optional. I 
changed the text as follows:

While, strictly speaking, the Initiator does not need a Data Relay 
Server, [..]

> S 4.1.
>>       for that host and close the corresponding UDP port (unless other Data
>>       Relay Clients are still using it).
>>    
>>       The Data Relay Server SHOULD offer a different relayed address and
>>       port for each Data Relay Client because this can cause problems with
>>       stateful firewalls (see Section 6.5).
> 
> by "this" I think you mean "not doing so"

thanks, corrected.

> S 4.2.
>>       parameter discovered during the Control Relay Server registration as
>>       a server reflexive candidate.  In this case, no further candidate
>>       gathering is needed.
>>    
>>       A Data Relay Client MAY register only a single relayed candidate to
>>       be used with multiple other peers.  However, it is RECOMMENDED that a
> 
> Nit: this would be clearer if you said "that it uses with"

yes, thanks!

> S 4.2.
>>       gathering is needed.
>>    
>>       A Data Relay Client MAY register only a single relayed candidate to
>>       be used with multiple other peers.  However, it is RECOMMENDED that a
>>       Data Relay Client registers a new server reflexive candidate for each
>>       of its peer for the reasons described in Section 4.12.3.  The
> 
> This sentence feels like a bit of a non-sequiter. How do you
> "register" a srflx? Or should this say "relayed"

You're right, it should say "relayed".

> S 4.2.
>>       deployments in order to enable it by software configuration update if
>>       needed at some point.  A host SHOULD employ only a single server for
>>       gathering the candidates for a single HIP association; either one
>>       server providing both Control and Data Relay Server functionality, or
>>       one Control Relay Server and also Data Relay Server if the
>>       functionality is offered by another server.  When the relay service
> 
> How does this interact with mult-layered NAT?>

No different from ICE with separated STUN and TURN servers multi-layer 
NAT scenarios. Should we mention something about the issues related to 
some specific scenario?

> S 4.3.
>>       Servers (e.g. in the case of a single server, it would be 1).  A
>>       smaller value than 500 ms for the RTO MUST NOT be used.
>>    
>>    4.3.  NAT Traversal Mode Negotiation
>>    
>>       This section describes the usage of a new non-critical parameter
> 
> Can you name the type here please?

I changed this as follows:

This section describes the usage of a non-critical parameter type called 
NAT_TRAVERSAL_MODE with a new mode called ICE-HIP-UDP.

> S 5.6.
>>         Protocol   IANA assigned, Internet Protocol number.
>>                    17 for UDP, 0 for plain IP
>>         Reserved   reserved for future use; zero when sent, ignored
>>                    when received
>>         Address    an IPv6 address or an IPv4 address in "IPv4-Mapped
>>                    IPv6 address" format
> 
> Is there a concern about NATs rewriting these, as we had for XOR-
> MAPPED-ADDRESS

we don't necessarily need XORring in HIP, we can actually encrypt 
parameters. I have requested the WG if it is ok to switch to encrypted 
parameters - should be ok I believe.

The original reason to keep the locators (and many other HIP parameters) 
in plaintext was middlebox transparency but I guess in here we have a 
good reason to break it.

> S 5.7.
>>       | Reserved  | 0        | Reserved for future extensions             |
>>       | Preferred | 0 or 1   | Set to 1 for a Locator in R1 if the        |
>>       | (P) bit   |          | Responder can use it for the rest of the   |
>>       |           |          | base exchange, otherwise set to zero       |
>>       | Locator   | Variable | Locator lifetime in seconds                |
>>       | Lifetime  |          |                                            |
> 
> What is the purpose of this? It's not an ICE parameter.

In HIP, locators have a maximum lifetime after which they become 
deprecated (RFC8046). Should add something here?

> S 5.7.
>>       | Port      |          |                                            |
>>       | Transport | Variable | IANA assigned, transport layer Internet    |
>>       | Protocol  |          | Protocol number.  Currently only UDP (17)  |
>>       |           |          | is supported.                              |
>>       | Kind      | Variable | 0 for host, 1 for server reflexive, 2 for  |
>>       |           |          | peer reflexive or 3 for relayed address    |
> 
> Why do you need to send prflx candidates?

This is residual from RFC5770 from where it wasn't used either. I added 
a note here that kind 2 is currently unused.

> S 10.2.
>>       o  If the agent is using Diffserv Codepoint markings [RFC2475] in its
>>          media packets, it SHOULD apply those same markings to its
>>          connectivity checks.
>>    
>>       o  Unlike in ICE, the addresses are not XOR-ed in Native ICE-HIP
>>          protocol in order to avoid middlebox tampering.
> 
> I noted this earlier. Why?

See my earlier comment, I would change this to:

Unlike in ICE, the addresses are not XOR-ed in Native ICE-HIP 
 

protocol but rather encrypted to avoid middlebox tampering.