[secdir] secdir review of draft-ietf-hip-bone

Chris Lonvick <clonvick@cisco.com> Fri, 11 June 2010 02:22 UTC

Return-Path: <clonvick@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5AD903A6844; Thu, 10 Jun 2010 19:22:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.645
X-Spam-Level:
X-Spam-Status: No, score=-8.645 tagged_above=-999 required=5 tests=[AWL=-0.646, BAYES_50=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8GRRnu2w1qyg; Thu, 10 Jun 2010 19:22:35 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id 6CB5C3A682D; Thu, 10 Jun 2010 19:22:35 -0700 (PDT)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiEFADg6EUyrR7Ht/2dsb2JhbACSaQGMDnGkT5oLhRgEg0s
X-IronPort-AV: E=Sophos;i="4.53,401,1272844800"; d="scan'208";a="210596193"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-5.cisco.com with ESMTP; 11 Jun 2010 02:22:37 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o5B2Mb79004249; Fri, 11 Jun 2010 02:22:37 GMT
Date: Thu, 10 Jun 2010 19:22:37 -0700 (PDT)
From: Chris Lonvick <clonvick@cisco.com>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-hip-bone.all@tools.ietf.org
Message-ID: <Pine.GSO.4.63.1006101826540.22501@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: [secdir] secdir review of draft-ietf-hip-bone
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2010 02:22:36 -0000

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

I have not been keeping up with the discussions of this working group.  I 
read through this document and skimmed through RFC-5201.  I remain 
confused on a couple of topics.  If they are explained somewhere, please 
just give me a general pointer and don't bother explaining to me (as I 
will likely continue to not keep up with this WG. :-)

- Obviously a host can join two HIP instantitions.  What happens when the 
overlay identifiers conflict?  Must the overlay identifiers be globally 
unique or can they have local context?

- When a host joins a HIP instantiation, is this exclusive?  Can a host 
that has joined a HIP instantiation continue to directly communicate with 
IPv4 and IPv6 hosts or must it communicate through a gateway?  Here I'm 
thinking of a device that fires up IPsec - in my experience the policy is 
to encrypt all traffic to the gateway and then let the gateway forward 
traffic.  Is this what is envisioned for a client joining a HIP 
instatiation?

The only real security concern I have in the document is in section 6.1, 
where you RECOMMEND 32 bits of randomness be used in the OVERLAY_ID 
parameter.  I don't understand why this is recommended or what purpose it 
may have.  What I'm saying is that even if you have 2 HIP BONE instances 
throughout the Internet, there is a non-zero chance that the OVERLAY_ID 
parameters will be identical unless people intervene and choose the 
values.  The chances increase with more instances regardless of how many 
bits of randomness you may recommend - reference the "birthday attack". 
I'd suggest that you drop the recommendation for randomness and just 
recommend that people attempt to prevent a collision via any means 
possible.  Continuing to recommend some amount of randomness would give 
people a false sense that a collision may not occur.

Some nits from the document:
In Section 2 two things:
CURRENT:
    Node ID:  A value that uniquely identifies a node in an overlay
       network.  The value is not usually human-friendly, but for example
       a hash of a public key.
PERHAPS SHOULD BE:
    Node ID:  A value that uniquely identifies a node in an overlay
       network.  The value is not usually human-friendly.  As an example
       it may be a hash of a public key.

CURRENT:
    Valid locator:  A Locator (as defined in [RFC5206]; usually an IP
       address or an address and a port number) that a host is known to
       be reachable at, for example, because there is an active HIP
       association with the host.
PERHAPS SHOULD BE:
    Valid locator:  A Locator (as defined in [RFC5206]; usually an IP
       address, or an address and a port number) that a host is known to
       be reachable at because there is an active HIP association with the
       host.

>From that, what is a "HIP association"?  Perhaps you mean to say that the 
host is part of a HIP overlay network?  Just fyi, "HIP association" is 
used elsewhere in the text and in RFC-5201.  If it's important then you 
may want to define it here as well.

Regards,
Chris