Re: [secdir] Secdir review of draft-ietf-hip-rfc5203-bis-09
Julien Laganier <julien.ietf@gmail.com> Sun, 31 January 2016 17:52 UTC
Return-Path: <julien.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7BBF1B2B34; Sun, 31 Jan 2016 09:52:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ymsQGbRoFVBp; Sun, 31 Jan 2016 09:52:15 -0800 (PST)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14FB31B2B33; Sun, 31 Jan 2016 09:52:15 -0800 (PST)
Received: by mail-oi0-x22e.google.com with SMTP id r14so76265751oie.0; Sun, 31 Jan 2016 09:52:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=F4gnItYRGiw0ximKu+B/iA3ezw4xA5KOYv7Szn3z9A4=; b=O0HV8/4TyN6u/wow2V42u3lrLWRjzJhNNryTPsPu/Xa2IkvSPeTwQE74B0wliWUo0s NAwBWP58LZn4Qa3//8UoF7uo67TYAwzMaPDrBWBsUvVHVtDVSN3B1e05skbRiTerk5xq bJUvSNgn1OGTBao73BnpT76nAoEXjxe1I5JnK/IHS6LCLEsXwxP+HUZ0bmnP65rvKC3Q wV8KBX67U1mtS6TTYB4RxJc7C2TsTvxRjSw5knl8M0fps/ZehKsXp3U5TVGosbNN9MrS S4WpI5ziSdt3EqEh2mbZux1dgutJ0lgHL9u5rHwJ3GvJeN1L8O4O3SF7bR9SVqjkVv+k YKLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=F4gnItYRGiw0ximKu+B/iA3ezw4xA5KOYv7Szn3z9A4=; b=L37YyOB1rLCuuIkYs83lvBm60ySdn8a22WjaqCU3qiEGCJUuPnhH2FcrDVI3w6duo1 EPO2kHUqg5nct1QqiBXWDXkbT1Ji90CTGztI9UrPolUkepF0uMx4at+sUaQlTH6GLMLD GLpt7GutcewAPtteUlUrdeG4ZoYmubJpn3M+DvW5nruRaUAICVW4HBFZZKOt6rJ+5oEu P9cDR7eP0EFRGQQupEus9QrM4l9JtK5H7MjCyCAWSQwhnXqWZpoBDOYPDGZcuVf583De wwNusNXggtTDMA//LdSuSoqVqArZnHbFgwZef6k9FUNNTVxa+n2wC24gGo9pyxkJvKbj BVpg==
X-Gm-Message-State: AG10YOQyx3n0yadmLEKrsVdUYQJMaUfXJGM6qsrQ+DUB6dUji6K50W0HNijyJAJsp7tK99RlLdk+/c/fE2abSQ==
MIME-Version: 1.0
X-Received: by 10.202.76.193 with SMTP id z184mr12822843oia.92.1454262734515; Sun, 31 Jan 2016 09:52:14 -0800 (PST)
Received: by 10.157.26.28 with HTTP; Sun, 31 Jan 2016 09:52:14 -0800 (PST)
In-Reply-To: <000901d14157$7052a680$50f7f380$@nict.go.jp>
References: <000901d14157$7052a680$50f7f380$@nict.go.jp>
Date: Sun, 31 Jan 2016 09:52:14 -0800
Message-ID: <CAE_dhjshGS19So1b_wuXLV1u7+jqw329LqT7t_OBzZQrGH0EsQ@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: Takeshi Takahashi <takeshi_takahashi@nict.go.jp>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/e6o5BSQ9VafnnxPszqKIdfpqOcY>
Cc: draft-ietf-hip-rfc5203-bis.all@ietf.org, The IESG <iesg@ietf.org>, hip-chairs@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-hip-rfc5203-bis-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jan 2016 17:52:17 -0000
[resending with corrected typo in the recipient list. apologies for the noise] Takahashi san, Thank you for reviewing the document, and my apologies for the belated reply. Please find my answers to your comments/questions inlined below: On Mon, Dec 28, 2015 at 2:06 AM, Takeshi Takahashi <takeshi_takahashi@nict.go.jp> wrote: [...] > [overall feeling on this draft] > > ready, and good to proceed > > [overview] > > This draft updates RFC 5203 to cope with HIPv2 (RFC 7401). > RFC 5203 specifies a registration mechanism for HIPv1 (RFC 5201). > Likewiise, this draft specifies the mechanism for HIPv2. > > [questions] > > Below are simply clarification questions, and these do not block the further > process of this document. > I am not that familiar with HIP, so it would be helpful if you could provide > me some comments on them to deepen my understanding. > > 1. "If the requester has one or more suitable certificates, the host SHOULD > include them (or just the most suitable one)"(in section 3.3) > > I wonder whether it would be better to let the requester send only the most > suitable certificate. > The requester may send multiple certificates, but it would be helpful if the > requester sends only the most suitable certificate, I guess. (It is easy to > process from the standpoint of the receiver, isn't it?) > Would you explain why the draft encourages to send multiple certificates > rather than sending only the most suitable certificate? As the draft currently states, the suitability of certificates is likely to be application-specific, i.e., dependent on the specific service for which the requester seeks registration -- "How the suitability is determined and how the certificates are obtained is out of scope for this document." For example there may not be a strict ordering of certificates w.r.t. suitability to register, i.e., given two certificates A and B, there isn't necessarily one that is more suitable than the other. For example, a requester for a service may have certificates issued by two ISPs, such as a fixed wireline broadband ISP, and a mobile service provider. These may have brokered roaming agreements with various other parties to optimize topological closeness of the service registrar w.r.t. the requester's current access network. If the requester always include both certificates in its requests, this would avoid having to specify and implement complex certificate selection logic on the requester. > 2. "it SHOULD send the registration request without the CERT parameter to > test whether the registrar accepts the request based on the host's > identity." (in Section 3.3) > > In this situation, if a malicious party knows the identity of the reqester, > the party can get the access right. > Is the identity protected so that no malicious party can get it? The Host Identity is the public component of a public-private key pair, and since completion of the HIP exchange's mutual peer authentication requires knowledge of the private component of the key pair, an attacker knowing the public component would not be able to be granted any service registration based on that knowledge. > 3. "Other documents will define specific values for registration types. See > Section 7 for more information" (Section 4.3) > > I looked at Section 7 to understaind the types and values of Reg Type, but I > guess the section does not define any on them. > Are the types and values completely the same as the ones defined by RFC > 5203? The registration types are defined by the documents defining the service for which registration is being sought, and recorded in the relevant IANA registry. This document does not change the list of services currently being registered with IANA: <http://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-11> > 4. "Insufficient resource" and "Invalid certificate" (in the table in > Section 7) > When a requester sends requests without sending CERT parameters, the > requester expects to be authenticated based on its identity. > But sometimes it fails. > In this case, which of the failor type will be used? "Insufficient > resources"? or "Invalid certificate"? or none of them? As the draft currently states: If the requester was not in the allowed list and the registrar requires the requester to authenticate, the registrar MUST check whether the packet also contains a CERT parameter. If the packet does not contain a CERT parameter, the registrar MUST reject the registrations requiring authentication with Failure Type 0 (Registration requires additional credentials). "Registration requires additional credentials" is allocated in the relevant IANA registry: <http://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-13> Thanks again for the review. With best regards, --julien On Mon, Dec 28, 2015 at 2:06 AM, Takeshi Takahashi <takeshi_takahashi@nict.go.jp> wrote: > Hello, > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the IESG. > These comments were written primarily for the benefit of the security area > directors. > Document editors and WG chairs should treat these comments just like any > other last call comments. > > [overall feeling on this draft] > > ready, and good to proceed > > [overview] > > This draft updates RFC 5203 to cope with HIPv2 (RFC 7401). > RFC 5203 specifies a registration mechanism for HIPv1 (RFC 5201). > Likewiise, this draft specifies the mechanism for HIPv2. > > [questions] > > Below are simply clarification questions, and these do not block the further > process of this document. > I am not that familiar with HIP, so it would be helpful if you could provide > me some comments on them to deepen my understanding. > > 1. "If the requester has one or more suitable certificates, the host SHOULD > include them (or just the most suitable one)"(in section 3.3) > > I wonder whether it would be better to let the requester send only the most > suitable certificate. > The requester may send multiple certificates, but it would be helpful if the > requester sends only the most suitable certificate, I guess. (It is easy to > process from the standpoint of the receiver, isn't it?) > Would you explain why the draft encourages to send multiple certificates > rather than sending only the most suitable certificate? > > 2. "it SHOULD send the registration request without the CERT parameter to > test whether the registrar accepts the request based on the host's > identity." (in Section 3.3) > > In this situation, if a malicious party knows the identity of the reqester, > the party can get the access right. > Is the identity protected so that no malicious party can get it? > > 3. "Other documents will define specific values for registration types. See > Section 7 for more information" (Section 4.3) > > I looked at Section 7 to understaind the types and values of Reg Type, but I > guess the section does not define any on them. > Are the types and values completely the same as the ones defined by RFC > 5203? > > 4. "Insufficient resource" and "Invalid certificate" (in the table in > Section 7) > When a requester sends requests without sending CERT parameters, the > requester expects to be authenticated based on its identity. > But sometimes it fails. > In this case, which of the failor type will be used? "Insufficient > resources"? or "Invalid certificate"? or none of them? > > Thank you for your kind contributions. > Take > > > > _______________________________________________ > secdir mailing list > secdir@ietf.org > https://www.ietf.org/mailman/listinfo/secdir > wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
- Re: [secdir] Secdir review of draft-ietf-hip-rfc5… Takeshi Takahashi
- [secdir] Secdir review of draft-ietf-hip-rfc5203-… Takeshi Takahashi
- [secdir] Secdir review of draft-ietf-hip-rfc5203-… Takeshi Takahashi
- Re: [secdir] Secdir review of draft-ietf-hip-rfc5… Julien Laganier
- Re: [secdir] Secdir review of draft-ietf-hip-rfc5… Julien Laganier