On 3/4/20 1:28 PM, Roman Danyliw via Datatracker wrote:
Roman Danyliw has entered the following ballot position for
draft-ietf-hip-dex-13: Discuss
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please refer tohttps://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.
The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-hip-dex/
----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------
(initial ballot now that this draft is deferred)
** Section 1.2. Thanks for the scoping provided by this applicability
statement. Given the reduced security that DEX will provide, IMO it needs a
bit more precision (and caution).
And I should point out it gives more security that has been provided
in these classes of devices in the past.
OLD
HIP DEX MUST only be used in communicating with such constrained
devices (e.g., class 0 and 1 devices as defined in section 3 in
[RFC7228]).
NEW
HIP DEX MUST only be used when one of the peers is a class 0 or 1 constrained
device as defined in Section 3 of [RFC7228]. HIP DEX MUST NOT be used if both
peers are class 2 constrained devices or have greater capability.
Done.
** Section 3.2.1, Per “Since collision-resistance is not possible with the
tools at hand, any reasonable function (e.g. FOLD) that takes the full value
of the HI into generating the HIT can be used, provided that collision
detection is part of the HIP-DEX deployment design. This is achieved here
through either an ACL or some other lookup process that externally binds the
HIT and HI.”, when exactly should this ACL lookup occur? Please provide
guidance in an explicit step in the appropriate packet processing section
(i.e., in Section 6.*) on when this should be.
I will look into this. It is during I2 and R2 processing as that is
when the recipient can trust that the HI is for the HIT.
There is also a ACL check for I1 and R1, but that is just to limit who
to talk to, not is the who claim valid.
Also the constrained device may not have ACL checking capability. No
way to update the ACL in a sensor, for example. In this case the
password authentication is required.
I will look at the places to make sure this is covered.
** Section 6.3. The input to CKDR-Extract seems underspecified:
-- Per the definition of IKM, when should these different inputs be used (at
least two appear to be specified)? References to Kij are made in this section
and in other parts of the document, but they aren’t input for CKDR-Extract()?
Will research this and see if more text is needed and how.
-- Per “where ‘CKDF-Extract’ is an octet string “ in the definition of “info”
in CKDR-Extract(), what encoding should be used to convert that into an octet
string? Is it ASCII, as in 067 075 068 070 045 069 120 116 114 097 099 116?
Will check this too.
** Section 9. Please add language to the effect that “production deployments
of this specification MUST NOT use the NULL-ENCRYPT HIP_CIPHER” (to mirror the
language already stated in Section 5.2.2 on the topic).
Good point. Will do.
** Section 9.2. This mandatory guidance to validate public keys is helpful.
Please provide guidance in an explicit step in the appropriate packet
processing section (i.e., in Section 6.*) on when this should be done.
I thought I did. Grumble. Will take care of this too.
Two “discuss discuss”-es with the caveat that I didn’t follow the WG
discussions.
** The following seems to indicate we don’t have everything we need to publish
a standards track document: -- Section 6. “It should be noted that many of the
packet processing rules are denoted here with "SHOULD" but may be updated to
"MUST" when further implementation experience provides better guidance.”
I did not want this, if I recall correctly. It was something of a
standard wording back when this was first done. At this point, I will
pull this. It is not uncommon that a standard goes out and then some
years later deployment teaches us things about what SHOULD and what MUST.
-- Section 9. “o The puzzle mechanism using CMAC explained in Section 4.1.1
may need further study regarding the level of difficulty in order to establish
best practices with current generation of constrained devices.”
If there isn’t sufficient implementation experience, why isn’t this document
experimental? What is the plan for getting better guidance? Is there a risk
in not having this clarity?
Actually this is another area that can be pulled now. Rene did
testing on the difficulty and I believe we captured his experiences.
I will look at this and clarify.
** Section 9.1. Thanks for this section. However, I’m not convinced that
SECP160R1 is needed. DEX is already selectively profiling RFC7401 (i.e., its
already choosing to exclude certain things) and there are “no production”
implementation of DEX. What is the rationale for keeping it?
In the workgroup I was asked to keep it in? To /harmonize/ with other
areas of constrained security? This is some years back though, and it
is another area where by this time, we have enough to drop it? I am
willing to, but I should ask on the HIPSEC list and see what private
replies I get.
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
** Section 3.0. Per “Thus, it is not expected that these parameters are
carried in every packet, but other methods are used to map the data packets to
the corresponding His”, what are these other methods?
This text is lifted right out of sec 3 of rfc7401. ESP SPIs are a
stated example further in that paragraph.
** Section 3.1. Per “There are two advantages of using a hashed encoding over
the actual variable-sized public key in protocols.”, perhaps as a reminder is
in order that in this document the HIT isn’t a hashed encoding but a compressed.
A case of lifting text from 7401 where it needs to be adjusted a bit.
I will make the change.
** Section 4.1. Per “Note that in some cases it may be possible to replace
this trigger packet by some other form of a trigger, in which case the
protocol starts with the Responder sending the R1 packet.”, how does this
additional trigger occur?
Some packet that has enough information for the receiver to deduce
that an I1 COULD have been sent and to then respond with an R1 to see
if the sender supports HIP.
None have been defined. This actually goes back to 5201. More of a
placeholder to allow others to make adjustments in their implementation.
** Section 4.1. Per “In such cases, another mechanism to convey the Initiator's
supported DH Groups (e.g., by using a default group) must be specified.”,
where/how would it be specified?
Again, nothing has been specified, but in a closed environment it was
thought that an ACL or other data store would contain enough
information, like the supported DH Groups to successfully trigger an
R1 without receiving an I1. This is more a placeholder for any
developer that is working on an alternative to using the I1 to note
all that must be done if something other than an I1 is used.
"If you are going to try and optimize this protocol, remember all that
you have to include" kind of thing.
** Section 4.1.2.1. Per “This strategy is based on a timeout that is set to a
value larger than the worst-case anticipated round-trip time (RTT ).”, how is
the worst case RTT computed?
IIRC, the implementers want this in. It goes back to 5201, sec 6.6.
Perhaps one that is still around (hint, Jeff or Tom) can comment.
** Section 5.3.2. Per “Responder sets the source HIT in the R2 packet based on
the destination HIT from the I1 packet”, shouldn’t this say “Responder sets the
source HIT in the _R1_ packet …”?
OOPS! Good catch. Fixed. Probably some poor job (by me!) in copying
and pasting text.
** Section 5.3.2. Per “Based on the deviating DH group ID in the HOST_ID
parameter, the Initiator then SHOULD abort …”, why not MUST abort?
A MUST costs a round trip. It is possible that the Initiator, based
on local policy, can make a decision to go with the received R1 rather
than restart the exchange. Thus we chose SHOULD here over MUST.
** Section 6.8. Step 5. Per “5. If any of the checks above fail, there is a
high probability of an ongoing man-in-the-middle or other security attack. The
system SHOULD act accordingly, based on its local policy.”, this guidance seems
underspecified. Could the text at least provide a recommendation of aborting
and logging?
Seems reasonable request. But this text goes back to 5201. Perhaps
some of the HIPv1 and/or v2 implementors can tell want they do here.
** Section 9. Per “The strength of the keys for the Pair-wise Key SA is based
on the quality of the random keying material. As either peer may be a sensor
or an actuator device, there is a natural concern about the quality of its
random number generator.”, this is helpful caution. What guidance can be given
to ameliorate the concern?
When we did IEEE 802.11i, we actually had an annex giving pseudo code
for gathering entropy by listening to the radio noise or how to build
an ring-occilator on your chip.
Is there any good IETF RFC recommendation on a good RND for
constrained devices? I would be happy to include copied text or a
reference.
** Editorial
-- Section 1.2. The sentence “Also, it is often the case that HIP DEX …” is
repeated twice.
Thanks. Fixed. I kept the 2nd one as the separate para. Reads
better in my opinion.
-- Section 4.1. s/the the/the/
fixed.
-- Section 6.3. Typo.
s/The HIP DEX KEYMAT process is based on the is the/
The HIP DEX KEYMAT process is based on the/
fixed.
-- Section 9.2. Editorial. Per “With the curves specified here, there is a
straightforward key extraction attack, which is a very serious problem the use
of static keys in HIP-DEX”, there appears to be some missing words – perhaps “…
with the use of static keys by HIP-DEX”.
thanks. Yes, I have added "with"
