Re: [secdir] secdir review of draft-ietf-hip-bone

Ari Keränen <ari.keranen@ericsson.com> Tue, 15 June 2010 15:34 UTC

Return-Path: <ari.keranen@ericsson.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3F9793A69A1; Tue, 15 Jun 2010 08:34:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.38
X-Spam-Level:
X-Spam-Status: No, score=-3.38 tagged_above=-999 required=5 tests=[AWL=0.505, BAYES_40=-0.185, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nSyyVJA3ZH-0; Tue, 15 Jun 2010 08:34:10 -0700 (PDT)
Received: from mailgw10.se.ericsson.net (mailgw10.se.ericsson.net [193.180.251.61]) by core3.amsl.com (Postfix) with ESMTP id 91BAF3A6988; Tue, 15 Jun 2010 08:34:06 -0700 (PDT)
X-AuditID: c1b4fb3d-b7b13ae0000071b2-97-4c179d71bc02
Received: from esealmw128.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw10.se.ericsson.net (Symantec Mail Security) with SMTP id 92.10.29106.17D971C4; Tue, 15 Jun 2010 17:34:09 +0200 (CEST)
Received: from esealmw128.eemea.ericsson.se ([153.88.254.176]) by esealmw128.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Jun 2010 17:34:09 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw128.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Jun 2010 17:34:08 +0200
Received: from [127.0.0.1] (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id 846DD27BF; Tue, 15 Jun 2010 18:34:08 +0300 (EEST)
Message-ID: <4C179D70.1080807@ericsson.com>
Date: Tue, 15 Jun 2010 18:34:08 +0300
From: =?UTF-8?B?QXJpIEtlcsOkbmVu?= <ari.keranen@ericsson.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Chris Lonvick <clonvick@cisco.com>
References: <Pine.GSO.4.63.1006101826540.22501@sjc-cde-011.cisco.com>
In-Reply-To: <Pine.GSO.4.63.1006101826540.22501@sjc-cde-011.cisco.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 15 Jun 2010 15:34:09.0060 (UTC) FILETIME=[326E9640:01CB0CA0]
X-Brightmail-Tracker: AAAAAA==
X-Mailman-Approved-At: Wed, 16 Jun 2010 06:28:17 -0700
Cc: "draft-ietf-hip-bone.all@tools.ietf.org" <draft-ietf-hip-bone.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-hip-bone
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2010 15:34:11 -0000

Hi Chris,

Thanks for the review! Comments inline.

On 06/11/2010 05:22 AM, Chris Lonvick wrote:
> I have not been keeping up with the discussions of this working group.  I 
> read through this document and skimmed through RFC-5201.  I remain 
> confused on a couple of topics.  If they are explained somewhere, please 
> just give me a general pointer and don't bother explaining to me (as I 
> will likely continue to not keep up with this WG. :-)
> 
> - Obviously a host can join two HIP instantitions.  What happens when the 
> overlay identifiers conflict?  Must the overlay identifiers be globally 
> unique or can they have local context?

The idea behind overlay identifiers is that they are statistically 
unique, i.e., the chance for two overlays picking up the same ID is 
really low. However, if this happens, a node that is already part of an 
overlay can not join the other overlay with the same ID. The exact 
behavior, error message signaling, etc. depends on the HIP BONE instance 
and the peer protocol that the instance is using (e.g., 
draft-ietf-hip-reload-instance and its peer protocol 
draft-ietf-p2psip-base).

So, the identifiers need not to be globally unique as long as a single 
node does not see the same ID more than once at the same time. That 
said, nothing prevents using a centralized entity giving out Overlay IDs 
that would not clash.

> - When a host joins a HIP instantiation, is this exclusive?  Can a host 
> that has joined a HIP instantiation continue to directly communicate with 
> IPv4 and IPv6 hosts or must it communicate through a gateway?  Here I'm 
> thinking of a device that fires up IPsec - in my experience the policy is 
> to encrypt all traffic to the gateway and then let the gateway forward 
> traffic.  Is this what is envisioned for a client joining a HIP 
> instatiation?

A host can continue using standard IPv4 and v6 connections despite being 
part of an overlay, but also a "default gateway" kind of scenario you 
mentioned is possible. Section 5.2 has some text about deciding whether 
messages should be sent via an overlay, but essentially, it's about 
local policy and configuration.

> The only real security concern I have in the document is in section 6.1, 
> where you RECOMMEND 32 bits of randomness be used in the OVERLAY_ID 
> parameter.  I don't understand why this is recommended or what purpose it 
> may have.  What I'm saying is that even if you have 2 HIP BONE instances 
> throughout the Internet, there is a non-zero chance that the OVERLAY_ID 
> parameters will be identical unless people intervene and choose the 
> values.  The chances increase with more instances regardless of how many 
> bits of randomness you may recommend - reference the "birthday attack". 
> I'd suggest that you drop the recommendation for randomness and just 
> recommend that people attempt to prevent a collision via any means 
> possible.  Continuing to recommend some amount of randomness would give 
> people a false sense that a collision may not occur.

OK. The idea here was to have a minimum amount of randomness to give 
sufficiently small chances for an ID clash. I'll rephrase that to 
recommended "any other means possible" instead.

> Some nits from the document:
> In Section 2 two things:
> CURRENT:
>     Node ID:  A value that uniquely identifies a node in an overlay
>        network.  The value is not usually human-friendly, but for example
>        a hash of a public key.
> PERHAPS SHOULD BE:
>     Node ID:  A value that uniquely identifies a node in an overlay
>        network.  The value is not usually human-friendly.  As an example
>        it may be a hash of a public key.

Makes sense, I'll fix this.

> CURRENT:
>     Valid locator:  A Locator (as defined in [RFC5206]; usually an IP
>        address or an address and a port number) that a host is known to
>        be reachable at, for example, because there is an active HIP
>        association with the host.
> PERHAPS SHOULD BE:
>     Valid locator:  A Locator (as defined in [RFC5206]; usually an IP
>        address, or an address and a port number) that a host is known to
>        be reachable at because there is an active HIP association with the
>        host.

A host could be known to be reachable even if there is no active HIP 
association, so I'd keep the original form for the definition giving the 
HIP association only as an example.

> From that, what is a "HIP association"?  Perhaps you mean to say that the 
> host is part of a HIP overlay network?  Just fyi, "HIP association" is 
> used elsewhere in the text and in RFC-5201.  If it's important then you 
> may want to define it here as well.

As RFC5201 defines it, HIP association is "an IP-layer communications 
context" (established using HIP). I'll add that to the terminology section.


Cheers,
Ari