[secdir] secdir review of draft-ietf-hip-bone
Chris Lonvick <clonvick@cisco.com> Fri, 11 June 2010 02:22 UTC
Return-Path: <clonvick@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5AD903A6844; Thu, 10 Jun 2010 19:22:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.645
X-Spam-Level:
X-Spam-Status: No, score=-8.645 tagged_above=-999 required=5 tests=[AWL=-0.646, BAYES_50=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8GRRnu2w1qyg; Thu, 10 Jun 2010 19:22:35 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id 6CB5C3A682D; Thu, 10 Jun 2010 19:22:35 -0700 (PDT)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiEFADg6EUyrR7Ht/2dsb2JhbACSaQGMDnGkT5oLhRgEg0s
X-IronPort-AV: E=Sophos;i="4.53,401,1272844800"; d="scan'208";a="210596193"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-5.cisco.com with ESMTP; 11 Jun 2010 02:22:37 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o5B2Mb79004249; Fri, 11 Jun 2010 02:22:37 GMT
Date: Thu, 10 Jun 2010 19:22:37 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-hip-bone.all@tools.ietf.org
Message-ID: <Pine.GSO.4.63.1006101826540.22501@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Subject: [secdir] secdir review of draft-ietf-hip-bone
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2010 02:22:36 -0000
Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. I have not been keeping up with the discussions of this working group. I read through this document and skimmed through RFC-5201. I remain confused on a couple of topics. If they are explained somewhere, please just give me a general pointer and don't bother explaining to me (as I will likely continue to not keep up with this WG. :-) - Obviously a host can join two HIP instantitions. What happens when the overlay identifiers conflict? Must the overlay identifiers be globally unique or can they have local context? - When a host joins a HIP instantiation, is this exclusive? Can a host that has joined a HIP instantiation continue to directly communicate with IPv4 and IPv6 hosts or must it communicate through a gateway? Here I'm thinking of a device that fires up IPsec - in my experience the policy is to encrypt all traffic to the gateway and then let the gateway forward traffic. Is this what is envisioned for a client joining a HIP instatiation? The only real security concern I have in the document is in section 6.1, where you RECOMMEND 32 bits of randomness be used in the OVERLAY_ID parameter. I don't understand why this is recommended or what purpose it may have. What I'm saying is that even if you have 2 HIP BONE instances throughout the Internet, there is a non-zero chance that the OVERLAY_ID parameters will be identical unless people intervene and choose the values. The chances increase with more instances regardless of how many bits of randomness you may recommend - reference the "birthday attack". I'd suggest that you drop the recommendation for randomness and just recommend that people attempt to prevent a collision via any means possible. Continuing to recommend some amount of randomness would give people a false sense that a collision may not occur. Some nits from the document: In Section 2 two things: CURRENT: Node ID: A value that uniquely identifies a node in an overlay network. The value is not usually human-friendly, but for example a hash of a public key. PERHAPS SHOULD BE: Node ID: A value that uniquely identifies a node in an overlay network. The value is not usually human-friendly. As an example it may be a hash of a public key. CURRENT: Valid locator: A Locator (as defined in [RFC5206]; usually an IP address or an address and a port number) that a host is known to be reachable at, for example, because there is an active HIP association with the host. PERHAPS SHOULD BE: Valid locator: A Locator (as defined in [RFC5206]; usually an IP address, or an address and a port number) that a host is known to be reachable at because there is an active HIP association with the host. >From that, what is a "HIP association"? Perhaps you mean to say that the host is part of a HIP overlay network? Just fyi, "HIP association" is used elsewhere in the text and in RFC-5201. If it's important then you may want to define it here as well. Regards, Chris
- [secdir] secdir review of draft-ietf-hip-bone Chris Lonvick
- Re: [secdir] secdir review of draft-ietf-hip-bone Ari Keränen