Re: [Last-Call] Last Call: <draft-ietf-hip-dex-24.txt> (HIP Diet EXchange (DEX)) to Proposed Standard

Eric Rescorla <ekr@rtfm.com> Wed, 03 February 2021 18:52 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 808043A103A for <last-call@ietfa.amsl.com>; Wed, 3 Feb 2021 10:52:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BGmbyPtnz4pg for <last-call@ietfa.amsl.com>; Wed, 3 Feb 2021 10:52:50 -0800 (PST)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10E1B3A1047 for <last-call@ietf.org>; Wed, 3 Feb 2021 10:52:50 -0800 (PST)
Received: by mail-lj1-x229.google.com with SMTP id f2so256742ljp.11 for <last-call@ietf.org>; Wed, 03 Feb 2021 10:52:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=r1qVbkVw7fOBUquO8sJ7y6P9GAy1fXh4yvnuJneMu44=; b=WLJsnVGx3w8dIEf3+WpwhsdOQcFpNfh5PWRKTI9pwwgp6aAf2NxX294oJaMx4DDwfl MAGn1Uc5VNalkBUbpJXPQFhzY82Vq8vjnvtH10C1hFQBxalb0Uo0KRys451c//Np30ue NVg8giWVcL/757cvhQpvJC2vvm8k574uG5HZrQhD6iX9rIm7Nr6ZF7QwzfEqQt53nX34 zBpSZ+Xv0ezCUz2Uy/1mOQLG6m0EGtgHlX4kdUz3ZRC2mDUPsguWJXQKqj4urN+mmBfg kpC/q9jPHj5dE8O9ig3+sRozVbcFzb5OX2olEqGfm8V4lQubZChF3XFkDUQnUR8Hfns4 c6GA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=r1qVbkVw7fOBUquO8sJ7y6P9GAy1fXh4yvnuJneMu44=; b=q37V/K25BOwlFqj2z0hfQ4X/WK0bcW+bVDhOI2eRQr5IphkNDpEiBHGdVP60WjeWMv NN0ydEm4QpsCXbUgPJFtgsMcXf5fCLEhhFllhFPdy4eFjVD/EVWpC1EBhY51oBuaglkZ zXYG4FpSd7IkiPDBpMxf6DC9XoaZxKksObzJKFSOTgXqjwIB+G9W7Kd3DvsY9vLl8NdD Q9Rg+bmvRJTPqodvAsJPLKuxAti7ymSGIbguGOAwEWue7373mmSQRY/VUIqVbvw/8XdK yQGcnUKXQ+r68LmLKYstEI1TB7Qszeurq1n5pHQ+yYCTrMO5Mwaw2EPpYdM/cwqc8npa iHfQ==
X-Gm-Message-State: AOAM533wP+cCI5KpnHw8dm6VN0nJnYOUxgTfaj10m4tjmJ4O8eWIYYPh jawFwl29LPSFQXUKqFJ4t9zzPcwMPsfZWtk2JJ4M3A==
X-Google-Smtp-Source: ABdhPJysuZ6GEjuMj1U7NRAgqnob/R6fdvxmzR6l7K4PzqAfvw/AI95xKPyooNCuKQE5jxKuFSYfAQm4YfTenJQqvTg=
X-Received: by 2002:a2e:9b83:: with SMTP id z3mr2507075lji.82.1612378367935; Wed, 03 Feb 2021 10:52:47 -0800 (PST)
MIME-Version: 1.0
References: <161115411446.925.13438084676436304288@ietfa.amsl.com> <29AAD2A6-3AE1-4356-A444-7BFC9291C8CB@cisco.com>
In-Reply-To: <29AAD2A6-3AE1-4356-A444-7BFC9291C8CB@cisco.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 3 Feb 2021 10:52:11 -0800
Message-ID: <CABcZeBN4jT-+cMW=bVQ8tkTLVQ-9vtHCtRfpKaShO67q2+UByQ@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: "last-call@ietf.org" <last-call@ietf.org>, IETF-Announce <ietf-announce@ietf.org>, "draft-ietf-hip-dex@ietf.org" <draft-ietf-hip-dex@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, "hipsec@ietf.org" <hipsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dd5d1105ba731737"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/ATU2rfUkX6aPWSC4ZwhSedSJIds>
Subject: Re: [Last-Call] Last Call: <draft-ietf-hip-dex-24.txt> (HIP Diet EXchange (DEX)) to Proposed Standard
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2021 18:52:53 -0000

I do not believe this document should be published in the standards track.
We should be favoring FS where possible, and the evidence that it is
prohibitive in this case is scant at best.

To recap, the original rationale for this protocol was the one Bob made in
a recent message, namely that "the cost of FS is beyond what 8-bit CPUs are
reasonably able to handle." However, this claim was presented without any
actual requirements for what an acceptable cost was and the protocol as
sent by the WGLC to the IESG included a wide range of cryptographic
primitives (e.g., sec160k1  to P-384), some of which would be comparable if
not slower to a forward secure exchange with the best available algorithms
(i.e., X25519)  This implies one of three things:

1. The requirements are not known.
2. The requirements have quite a bit of headroom above a non-FS exchange
with the best available algorithms and potentially could accommodate FS.
3. The original protocol as submitted to the IESG did not in fact meet the
requirements.

The proper conclusion, in any case, is that we don't know whether we can
fit a FS exchange into the requirements and we won't until a proper
requirements analysis is done. Removing the NIST curves merely removes the
obvious inconsistency from the specification; it does not address the
question of whether we need to abandon FS. Until we have done so, this
protocol should not be standardized.

-Ekr

On Wed, Jan 20, 2021 at 7:10 AM Eric Vyncke (evyncke) <evyncke=
40cisco.com@dmarc.ietf.org> wrote:

> There have been several of *significant* changes  since the IETF last call
> in November 2019 on the -11 revision, so, as the responsible AD, I am
> asking the IETF community for 3rd review on the latest revision -24.
>
> The changes include at least: applicability statement, use of the FOLD
> function, I_NONCE, input keying material for master/pair-wise key
> generation, security section, some deleted DH groups and ciphers.
>
> For your convenience the diff between the two versions:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-hip-dex-24&url1=draft-ietf-hip-dex-11
>
> Thank you in advance for your valuable comments before the 3rd of February
> 2021,
>
> -éric vyncke
>
> PS: thank you for the previous reviewers, your comments have helped the
> authors to improve the document. Thank you as well to the authors for
> listening to those comments.
>
> -----Original Message-----
> From: <iesg-secretary@ietf.org> on behalf of The IESG <
> iesg-secretary@ietf.org>
> Reply-To: "last-call@ietf.org" <last-call@ietf.org>
> Date: Wednesday, 20 January 2021 at 15:48
> To: IETF-Announce <ietf-announce@ietf.org>
> Cc: Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>om>, "
> draft-ietf-hip-dex@ietf.org" <draft-ietf-hip-dex@ietf.org>rg>, Eric Vyncke <
> evyncke@cisco.com>gt;, "gonzalo.camarillo@ericsson.com" <
> gonzalo.camarillo@ericsson.com>gt;, "hip-chairs@ietf.org" <
> hip-chairs@ietf.org>gt;, "hipsec@ietf.org" <hipsec@ietf.org>
> Subject: Last Call: <draft-ietf-hip-dex-24.txt> (HIP Diet EXchange (DEX))
> to Proposed Standard
>
>
>     The IESG has received a request from the Host Identity Protocol WG
> (hip) to
>     consider the following document: - 'HIP Diet EXchange (DEX)'
>       <draft-ietf-hip-dex-24.txt> as Proposed Standard
>
>     The IESG plans to make a decision in the next few weeks, and solicits
> final
>     comments on this action. Please send substantive comments to the
>     last-call@ietf.org mailing lists by 2021-02-03. Exceptionally,
> comments may
>     be sent to iesg@ietf.org instead. In either case, please retain the
> beginning
>     of the Subject line to allow automated sorting.
>
>     Abstract
>
>
>        This document specifies the Host Identity Protocol Diet EXchange
> (HIP
>        DEX), a variant of the Host Identity Protocol Version 2 (HIPv2) and
>        specifically developed for use on low end processors.  The HIP DEX
>        protocol design aims at reducing the overhead of the employed
>        cryptographic primitives by omitting public-key signatures and
>        cryptographic hash functions.
>
>        The HIP DEX protocol is primarily designed for computation or
> memory-
>        constrained sensor/actuator devices.  Like HIPv2, it is expected to
>        be used together with a suitable security protocol such as the
>        Encapsulated Security Payload (ESP) for the protection of upper
> layer
>        protocol data.  Unlike HIPv2, HIP DEX does not support Forward
>        Secrecy (FS), and MUST only be used on devices where FS is
>        prohibitively expensive.  In addition, HIP DEX can also be used as a
>        keying mechanism for security primitives at the MAC layer, e.g., for
>        IEEE 802.15.4 networks.
>
>
>
>
>
>     The file can be obtained via
>     https://datatracker.ietf.org/doc/draft-ietf-hip-dex/
>
>
>
>     No IPR declarations have been submitted directly on this I-D.
>
>
>     The document contains these normative downward references.
>     See RFC 3967 for additional information:
>         rfc6261: Encrypted Signaling Transport Modes for the Host Identity
> Protocol (Experimental - IETF stream)
>
>
>
>
>
> --
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call
>