Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal

[Derek Fawcus]

On Mon, Mar 07, 2016 at 02:35:07pm +0200, Gonzalo Camarillo wrote:
> First he will look into adding clarifications to the existing draft
> while still referencing the old RFC. If the group is not happy with the
> readability after the editorial pass (or our AD does not finally let us
> downref the old RFC), we can consider bringing material from the old RFC
> directly into the new one.

Sorry,  that I'm quite late in looking at these,  but have been doing
so recently...

I have to say that I find the it difficult to decode simply because
of having to refer to 3 (the draft, 5770, 5245) plus possibly the
STUN/TURN docs at once.

I'd certainly find it easier to comprehend if the text from 5770 was
incorporated (suitably modified to account for not doing STUN/TURN)
within the draft.  That way the references to the significant pieces
of 5245 text would be easier to nail down.

As it is,  I currently find it a bit like reading an Act of Parliament!

e.g. $3.8 Connectivity Checks
   refers to $4.6 of 5770 with some exceptions, $4.6 of 5770 refers to
$5.7 of 5245 and $7 of 5245,  where the exceptions (use of UPDATE instead
of STUN) have to be applied to that $7 referencing 5389,  so possibly
I don't have to read 5389, since hopefully it would just be packet formats.

> I would also like the group to comment on the following two proposals:
> 
> 1) the draft will allow implementers to use HIP native relays only. In
> addition, the use of STUN and TURN relays will be optional.

I'd suggest the draft be native only,  but say with an appendix referencing
5770 for use of STUN/TURN,  maybe indicating which bits of the 5770
to take heed of.

> 2) in addition to covering the base exchange, the draft will also cover
> the mobility readdressing exchange.

Not having read that recently,  I can't really comment.

DF

___
Hipsec mailing list
Hipsec@ietf.org
https://www.ietf.org/mailman/listinfo/hipsec

[Hipsec] A review of draft-ietf-hip-dex-02.txt

[Miika Komu]

Hi,

> 1.1.  The HIP Diet EXchange (DEX)

> Data packets start to flow after the 4th packet.  The 3rd and 4th HIP
> packets may carry data payload in the future.  However, the details
> of this may be defined later.

Similarly as in RFC7401, data packets start to flow...

(I guess you could also mention RFC6078 as another further work item)

> An existing HIP association can be updated with the update mechanism
> defined in [RFC7401].  Likewise, the association can be torn down
> with the defined closing mechanism for HIPv2 if it is no longer
> needed.  HIP DEX thereby omits the HIP_SIGNATURE parameters of the
> original HIPv2 specification.

Why "thereby"? I don't see the connection.

> HIP DEX does not have the option to encrypt the Host Identity of the
> Initiator in the 3rd packet.  The Responder's Host Identity also is
> not protected.  Thus, contrary to HIPv2, there is no attempt at
> anonymity.

The anonymous bit still exists, so I suggest changing the wording:

there is no attempt at anonymity -> such Responder anonymity is not 
preserved in HIP DEX.


> 2.1.  Requirements Terminology

In section 6.3, you are introduce also -> notation, which was
not explained.

> 2.3.  Definitions

I suggest to add also the definitions of both MAC and CMAC because they
are used throughout the document. They are also used in this section.

> 3.1.  Host Identity Tag (HIT)

Just thinking aloud... should a DEX HIT have a different context ID?
Probably not.

> 4.1.  Creating a HIP Association

> The HIP Diet EXchange serves to manage the establishment of state
> between an Initiator and a Responder.  The first packet, I1,
> initiates the exchange, and the last three packets, R1, I2, and R2,
> constitute an authenticated Diffie-Hellman [DH76] key exchange for
> the Master Key SA generation.  This Master Key SA is used by the
> Initiator and the Responder to wrap secret keying material in the I2
> and R2 packets.  Based on the exchanged keying material, the peers
> then derive a Pair-wise Key SA if cryptographic keys are needed,
> e.g., for ESP-based protection of user data.

(Suggest replacing "user data" with e.g. "data plane" in the entire
document since you're talking about machines (sensors) that may not
have a user)

> In the I2 packet, the Initiator MUST display the solution to the
> received puzzle.  Without a correct solution, the I2 packet is
> discarded.  The I2 also contains a key wrap parameter that carries a
> secret keying material of the Initiator.  This keying material is
> only half the final session key.  The packet is authenticated by the
> sender (Initiator) via a MAC.

...half *of* the...

> The R2 packet acknowledges the receipt of the I2 packet and completes
> the handshake.  The R2 contains a key wrap parameter that carries the
> rest of the keying material of the Responder.  The packet is
> authenticated by the sender (Responder) via a MAC.

key wrap parameter -> parameter with encrypted contents

> 4.1.1.  HIP Puzzle Mechanism
>
> The puzzle mechanism enables a Responder to immediately reject an I2
> packet if it does not contain a valid puzzle solution.  To verify the
> puzzle solution, the Responder only has to compute a single CMAC
> operation.  After a successful puzzle verification, the Responder can
> securely create session-specific state and perform CPU-intensive
> operations such as a Diffie-Hellman key generation.  By varying the
> difficulty of the puzzle, the Responder can frustrate CPU or memory
> targeted DoS attacks.

...can frustrate *an Initiator*...

> Conceptually, the puzzle mechanism in HIP DEX is the same as in
> HIPv2.  Hence, this document refers to Sections 4.1.1 and 4.1.2 in
> [RFC7401] for more detailed information about the employed mechanism.
> Notably, the only difference between the puzzle mechanism in HIP DEX
> and HIPv2 is that HIP DEX uses CMAC instead of a hash function for
> solving and verifying a puzzle.  The implications of this change on
> the puzzle implementation are discussed in Section 6.1.

The other difference is mentioned in section 6.1:

"The only exceptions are that HIP DEX does not use pre-computation of
R1 packets and that RHASH is set to CMAC.  As a result, the pre-
computation step in in Section 6.3 of [RFC7401] is skipped in HIP DEX."

> 4.1.2.1.  HIP DEX Retransmission Mechanism

> The potentially high processing time of an I2 packet at a (resource-
> constrained) Responder may cause premature retransmissions if the
> time required for I2 transmission and processing exceeds the RTT-
> based retransmission timeout.  Thus, the Initiator should also take
> the processing time of the I2 packet at the Responder into account
> for retransmission purposes.  To this end, the Responder MAY notify
> the Initiator about the anticipated delay once the puzzle solution
> was successfully verified and if the remaining I2 packet processing
> incurs a high processing delay.  The Responder MAY therefore send a
> NOTIFY packet (see Section 5.3.6. in