HIP Diet EXchange (DEX)
draft-ietf-hip-dex-24
Yes
(Terry Manderson)
No Objection
(Alvaro Retana)
(Deborah Brungard)
(Martin Vigoureux)
(Mirja Kühlewind)
Note: This ballot was opened for revision 06 and is now closed.
Éric Vyncke
Yes
Comment
(2019-11-14 for -11)
Not sent
This document was deferred by Terry Manderson in May 2018. The authors have taken into account all COMMENTs from the 2018 ballot, changing several parts of the document based on those COMMENTs. The document went successfully through a new IETF last call so I am balloting the approval again in front of the 2019 IESG members. -éric
Warren Kumari
No Objection
Comment
(2018-05-08 for -06)
Unknown
Please also see Qin Wu's OpsDir review at: https://datatracker.ietf.org/doc/review-ietf-hip-dex-06-opsdir-lc-wu-2018-02-23/ I only have one (minor) comment -- I found the last sentence of the Abstract jarring / incomplete. I'd suggest: "The HIP DEX protocol design aims at reducing the overhead of the employed cryptographic primitives by omitting public-key signatures and hash functions, while still delivering similar security properties to HIPv2."
Terry Manderson Former IESG member
Yes
Yes
(for -06)
Unknown
Alvaro Retana Former IESG member
No Objection
No Objection
(for -06)
Unknown
Deborah Brungard Former IESG member
No Objection
No Objection
(for -06)
Unknown
Martin Vigoureux Former IESG member
No Objection
No Objection
(for -06)
Unknown
Mirja Kühlewind Former IESG member
No Objection
No Objection
(for -06)
Unknown
Spencer Dawkins Former IESG member
No Objection
No Objection
(2018-05-21 for -06)
Unknown
I'm not an expert on what people expect about security, but I'm wondering if there's a little too much distance between this text in the Abstract,
This document specifies the Host Identity Protocol Diet EXchange (HIP
DEX), a variant of the Host Identity Protocol Version 2 (HIPv2). The
HIP DEX protocol design aims at reducing the overhead of the employed
cryptographic primitives by omitting public-key signatures and hash
functions. In doing so, the main goal is to still deliver similar
security properties to HIPv2.
and this text in the Introduction,
The main differences between HIP BEX and HIP DEX are:
(snip)
2. HIP DEX forfeits the HIPv2 Perfect Forward Secrecy property of
HIPv2 due to the removal of the ephemeral Diffie-Hellman key
agreement.
Would the average reader consider "no PFS" to be similar to PFS?
(Please note that I'm not questioning the choice made in DIX, only the way that choice is described in the Abstract)
I'm curious about whether a couple of other differences named in the Introduction would also qualify as similar, but let's start with PFS.
I'm also curious about whether
1.1. The HIP Diet EXchange (DEX)
(snip)
HIP DEX does not have the option to encrypt the Host Identity of the
Initiator in the 3rd packet. The Responder's Host Identity also is
not protected. Thus, contrary to HIPv2, HIP DEX does not provide for
end-point anonymity and any signaling that indicates such anonymity
should be ignored.
qualifies as "similar", but I don't have a good sense of how much this matters in current and expected HIP deployments.
I'm hardly the smart one about this, but is
o HIP DEX lacks the Perfect Forward Secrecy (PFS) property of HIPv2.
Consequently, if an HI is compromised, all HIP connections
protected with that HI are compromised.
correct? I was expecting to see something like "if an HI is compromised, all previous HIP connections protected with that HI are compromised".
The version of this draft I'm reviewing has 57 occurrences of the word "should". I'm not seeing very many cases where the surrounding text explains why an implementation would not do what it SHOULD do, and I'm not seeing many cases where the surrounding text explains what the peer implementation should do, if the other endpoint doesn't do what it SHOULD do, although many of those cases might be captured in the state diagrams in the document.
In this text,
By eliminating the need for public-key signatures and the ephemeral
DH key agreement, HIP DEX reduces the computation, energy,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
transmission, and memory requirements for public-key cryptography
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(see [LN08]) in the HIPv2 protocol design. Moreover, by dropping the
cryptographic hash function, HIP DEX affords a more efficient
^^^^^^^^^^^^^^^^^^^^^^^^
protocol implementation than HIP BEX with respect to the
^^^^^^^^^^^^^^^^^^^^^^^
corresponding computation and memory requirements.
is "efficient" the right word, in the second sentence? This seems to mirror that "reducing requirements" effect from the first sentence - I'd assume that if you were comparing efficiencies, you'd be comparing two things with equivalent functionality.
I'm sure I'm not reading this correctly, but in this text
In the second case, the HIP DEX implementation (Responder) inspects
the Initiator's HIT on reception of an I1 packet. If the OGA ID
field of this HIT does not indicate the HIP DEX HIT Suite ID, the HIP
DEX implementation cancels the handshake and sends an ICMP packet
with type Parameter Problem, with the Pointer pointing to the source
HIT, to the Initiator. As an adversary could also send such an ICMP
packet in a man-in-the-middle attack with the aim to prevent the HIP
^^^^^^^^^^^^^^^^^
DEX handshake from completing, the Initiator SHOULD NOT react to an
ICMP message after sending the I1 until a reasonable delta time to
get the real Responder's R1 HIP packet.
I would have thought that this was a good plan to defend against an off-path attacker, because ICMP is helpfully unauthenticated, and if you were on-path (so, man-in-the-middle), you'd probably be doing things that were much more aggressive (like trying to impersonate the other end). Am I getting this wrong?