Re: [Int-area] Progress on draft-laganier-ipv6-khi-01.txt
Pekka Nikander <pekka.nikander@nomadiclab.com> Sun, 04 June 2006 07:02 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FmmdH-0007a8-IY; Sun, 04 Jun 2006 03:02:43 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FmmdF-0007XZ-EK for int-area@ietf.org; Sun, 04 Jun 2006 03:02:41 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fmlvy-000774-8u for int-area@ietf.org; Sun, 04 Jun 2006 02:17:58 -0400
Received: from n2.nomadiclab.com ([193.234.219.2]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1Fmlja-00067G-9g for int-area@ietf.org; Sun, 04 Jun 2006 02:05:12 -0400
Received: from n2.nomadiclab.com (localhost [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id 3DD75212C61; Sun, 4 Jun 2006 09:05:07 +0300 (EEST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id D9EB7212C5F; Sun, 4 Jun 2006 09:05:03 +0300 (EEST)
In-Reply-To: <271CF87FD652F34DBF877CB0CB5D16FC010F70F8@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
References: <271CF87FD652F34DBF877CB0CB5D16FC010F70F8@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
Mime-Version: 1.0 (Apple Message framework v750)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <D3FBD458-0EA1-4612-B284-767C60FF10D0@nomadiclab.com>
Content-Transfer-Encoding: 7bit
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: Re: [Int-area] Progress on draft-laganier-ipv6-khi-01.txt
Date: Sun, 04 Jun 2006 09:04:59 +0300
To: Dave Thaler <dthaler@windows.microsoft.com>
X-Mailer: Apple Mail (2.750)
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spam-Score: -2.3 (--)
X-Scan-Signature: a2c12dacc0736f14d6b540e805505a86
Cc: Internet Area <int-area@ietf.org>
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org
As we discuss in the draft, there are two reasons for making the hash as long as possible. First, a longer hash is more secure to brute force attacks made possible by advances in hardware. Some time ago Hugo Krawczyk recommended us to us use at least 96 bits of a hash. Second, the longer the hash the lower the probability of collisions. Of course, being secure against brute force attacks is a two-edged sword. From an architectural point of view, ORCHIDs should be considered as a medium-term (10-20 years) transition mechanism that allows legacy IPv6 applications to securely use HIP and other similar protocols. In the longer run, such a practise should be discouraged; we should encouraged people to update from the IPv6 API to some new API that makes the security properties more transparent. However, there is a long long way ahead before we get there, if ever. I just want to note that while there are socially-beneficial incentives for making the ORCHID hash as long as possible, there are also other, longer-term incentives for making it not too long. In my personal opinion, having ORCHIDs that are considered secure now and could be estimated to be secure for the next 20 years or so might be about the right size. Considering the second property, or collisions, I think it is important to experiment with completely flat name spaces. While I do see the value of having an organisation ID embedded in an identifier, I do also see the value of having completely opaque flat identifiers. Both have their pros and cons, especially if you consider privacy and privacy-related externalities, like price discrimination potential. --Pekka On Jun 4, 2006, at 1:51, Dave Thaler wrote: > I think for this experiment a longer prefix is fine, > even /40 or /48 unless there's some strong reason it needs > to be shorter during the experiment. > > Personally, I'd eventually like to see something like a /8 > followed by an org id (like ULAs have). Since ULAs have 32 > bits for such an id, that's how I get /40 (or /48 if eventually > there were a /16 like ULAs use, followed by 32 bit org id). > This would solve some problems HIP doesn't solve today, > which were pointed out in the SHIM6 meeting in Dallas. > (e.g., PTR records for HITs aren't feasible today since > the reverse zone would be flat). > > The use of a long prefix for the present experiment could > be consistent with such an eventuality in the sense that > the hash would be truncated to about the same number of bits > (like 80 or 88). > > -Dave > >> -----Original Message----- >> From: Jari Arkko [mailto:jari.arkko@piuha.net] >> Sent: Friday, June 02, 2006 6:19 AM >> To: Internet Area >> Subject: [Int-area] Progress on draft-laganier-ipv6-khi-01.txt >> >> Sometime ago we discussed the allocation of an IPv6 prefix >> for the purposes of legacy applications using HIP (the >> ORCHID proposal). The key question in that discussion was >> whether a /8 allocation is justified for this type of an >> experiment. Since then we've had some off-line discussions >> with the folks who commented on this topic, to come up >> with alternatives to solve this issue. The proposal that >> seemed to be acceptable is to allocate a longer prefix >> (e.g. /28) as an IETF experimental allocation through >> IANA. The implication is that the public key hash would >> be truncated to 100 bits, presumably still within >> an acceptable range. >> >> If you have an opinion about this matter, please send >> mail either here or on the HIP list before June 9th >> so that Julien can update his draft. >> >> Thanks, >> >> --Jari >> >> >> _______________________________________________ >> Int-area mailing list >> Int-area@lists.ietf.org >> https://www1.ietf.org/mailman/listinfo/int-area > > > _______________________________________________ > Int-area mailing list > Int-area@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/int-area > _______________________________________________ Int-area mailing list Int-area@lists.ietf.org https://www1.ietf.org/mailman/listinfo/int-area
- [Int-area] Fwd: I-D ACTION:draft-laganier-ipv6-kh… Julien Laganier
- Re: [Int-area] Fwd: I-D ACTION:draft-laganier-ipv… Geoff Huston
- RE: [Int-area] Fwd: I-D ACTION:draft-laganier-ipv… Henderson, Thomas R
- RE: [Int-area] Fwd: I-D ACTION:draft-laganier-ipv… Geoff Huston
- Re: [Int-area] Fwd: I-D ACTION:draft-laganier-ipv… Julien Laganier
- [Int-area] Progress on draft-laganier-ipv6-khi-01… Jari Arkko
- RE: [Int-area] Progress on draft-laganier-ipv6-kh… Dave Thaler
- Re: [Int-area] Progress on draft-laganier-ipv6-kh… Pekka Nikander
- Re: [Int-area] Progress on draft-laganier-ipv6-kh… marcelo bagnulo braun
- Re: [Int-area] Progress on draft-laganier-ipv6-kh… Pekka Nikander
- Re: [Int-area] Progress on draft-laganier-ipv6-kh… Tim Shepard
- RE: [Int-area] Progress on draft-laganier-ipv6-kh… Henderson, Thomas R
- HIT and ACLs (was Re: [Int-area] Progress on draf… marcelo bagnulo braun
- RE: HIT and ACLs (was Re: [Int-area] Progress on … Henderson, Thomas R
- Re: HIT and ACLs (was Re: [Int-area] Progress on … Tim Shepard