[secdir] secdir review of draft-ietf-hip-bone
Chris Lonvick <clonvick@cisco.com> Fri, 11 June 2010 02:22 UTC
Return-Path: <clonvick@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5AD903A6844; Thu, 10 Jun 2010 19:22:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.645
X-Spam-Level:
X-Spam-Status: No, score=-8.645 tagged_above=-999 required=5 tests=[AWL=-0.646, BAYES_50=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8GRRnu2w1qyg; Thu, 10 Jun 2010 19:22:35 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id 6CB5C3A682D; Thu, 10 Jun 2010 19:22:35 -0700 (PDT)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiEFADg6EUyrR7Ht/2dsb2JhbACSaQGMDnGkT5oLhRgEg0s
X-IronPort-AV: E=Sophos;i="4.53,401,1272844800"; d="scan'208";a="210596193"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-5.cisco.com with ESMTP; 11 Jun 2010 02:22:37 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o5B2Mb79004249; Fri, 11 Jun 2010 02:22:37 GMT
Date: Thu, 10 Jun 2010 19:22:37 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-hip-bone.all@tools.ietf.org
Message-ID: <Pine.GSO.4.63.1006101826540.22501@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Subject: [secdir] secdir review of draft-ietf-hip-bone
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2010 02:22:36 -0000
Hi,
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
I have not been keeping up with the discussions of this working group. I
read through this document and skimmed through RFC-5201. I remain
confused on a couple of topics. If they are explained somewhere, please
just give me a general pointer and don't bother explaining to me (as I
will likely continue to not keep up with this WG. :-)
- Obviously a host can join two HIP instantitions. What happens when the
overlay identifiers conflict? Must the overlay identifiers be globally
unique or can they have local context?
- When a host joins a HIP instantiation, is this exclusive? Can a host
that has joined a HIP instantiation continue to directly communicate with
IPv4 and IPv6 hosts or must it communicate through a gateway? Here I'm
thinking of a device that fires up IPsec - in my experience the policy is
to encrypt all traffic to the gateway and then let the gateway forward
traffic. Is this what is envisioned for a client joining a HIP
instatiation?
The only real security concern I have in the document is in section 6.1,
where you RECOMMEND 32 bits of randomness be used in the OVERLAY_ID
parameter. I don't understand why this is recommended or what purpose it
may have. What I'm saying is that even if you have 2 HIP BONE instances
throughout the Internet, there is a non-zero chance that the OVERLAY_ID
parameters will be identical unless people intervene and choose the
values. The chances increase with more instances regardless of how many
bits of randomness you may recommend - reference the "birthday attack".
I'd suggest that you drop the recommendation for randomness and just
recommend that people attempt to prevent a collision via any means
possible. Continuing to recommend some amount of randomness would give
people a false sense that a collision may not occur.
Some nits from the document:
In Section 2 two things:
CURRENT:
Node ID: A value that uniquely identifies a node in an overlay
network. The value is not usually human-friendly, but for example
a hash of a public key.
PERHAPS SHOULD BE:
Node ID: A value that uniquely identifies a node in an overlay
network. The value is not usually human-friendly. As an example
it may be a hash of a public key.
CURRENT:
Valid locator: A Locator (as defined in [RFC5206]; usually an IP
address or an address and a port number) that a host is known to
be reachable at, for example, because there is an active HIP
association with the host.
PERHAPS SHOULD BE:
Valid locator: A Locator (as defined in [RFC5206]; usually an IP
address, or an address and a port number) that a host is known to
be reachable at because there is an active HIP association with the
host.
>From that, what is a "HIP association"? Perhaps you mean to say that the
host is part of a HIP overlay network? Just fyi, "HIP association" is
used elsewhere in the text and in RFC-5201. If it's important then you
may want to define it here as well.
Regards,
Chris
- [secdir] secdir review of draft-ietf-hip-bone Chris Lonvick
- Re: [secdir] secdir review of draft-ietf-hip-bone Ari Keränen