draft-ietf-hip-cert-06.txt   draft-ietf-hip-cert-07.txt 
Host Identity Protocol Heer Host Identity Protocol Heer
Internet-Draft Distributed Systems Group, RWTH Internet-Draft Distributed Systems Group, RWTH
Intended status: Experimental Aachen University Intended status: Experimental Aachen University
Expires: May 23, 2011 Varjonen Expires: July 16, 2011 Varjonen
Helsinki Institute for Information Helsinki Institute for Information
Technology Technology
November 19, 2010 January 12, 2011
Host Identity Protocol Certificates Host Identity Protocol Certificates
draft-ietf-hip-cert-06 draft-ietf-hip-cert-07
Abstract Abstract
The CERT parameter is a container for X.509.v3 certificates and The CERT parameter is a container for X.509.v3 certificates and
Simple Public Key Infrastructure (SPKI) certificates. It is used for Simple Public Key Infrastructure (SPKI) certificates. It is used for
carrying these certificates in Host Identity Protocol (HIP) control carrying these certificates in Host Identity Protocol (HIP) control
packets. This document specifies the certificate parameter and the packets. This document specifies the certificate parameter and the
error signaling in case of a failed verification. Additionally, this error signaling in case of a failed verification. Additionally, this
document specifies the representations of Host Identity Tags in document specifies the representations of Host Identity Tags in
X.509.v3 and SPKI certificates. X.509.v3 and SPKI certificates.
skipping to change at page 2, line 9 skipping to change at page 2, line 9
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 23, 2011. This Internet-Draft will expire on July 16, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 6, line 7 skipping to change at page 6, line 7
RECOMMENDED to use the FQDN/NAI from the hosts HOST_ID parameter in RECOMMENDED to use the FQDN/NAI from the hosts HOST_ID parameter in
the DN if one exists. The full HIs are presented in the public key the DN if one exists. The full HIs are presented in the public key
entries of X.509.v3 certificates. entries of X.509.v3 certificates.
The following examples illustrate how HITs are presented as issuer The following examples illustrate how HITs are presented as issuer
and subject in the DN and in the X.509.v3 extension alternative and subject in the DN and in the X.509.v3 extension alternative
names. names.
Format of DN: Format of DN:
Issuer: CN=hit-of-issuer Issuer: CN=hit-of-issuer
Subject: CN=hit-of-issuer Subject: CN=hit-of-subject
Example DN: Example DN:
Issuer: CN=2001:14:6cf:fae7:bb79:bf78:7d64:c056 Issuer: CN=2001:14:6cf:fae7:bb79:bf78:7d64:c056
Subject: CN=2001:1c:5a14:26de:a07c:385b:de35:60e3 Subject: CN=2001:1c:5a14:26de:a07c:385b:de35:60e3
Format of X509v3 extensions: Format of X509v3 extensions:
X509v3 Issuer Alternative Name: X509v3 Issuer Alternative Name:
IP Address:hit-of-issuer IP Address:hit-of-issuer
X509v3 Subject Alternative Name: X509v3 Subject Alternative Name:
IP Address:hit-of-subject IP Address:hit-of-subject
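Review bot: The "Format of DN" and "Example DN" blocks show only the CN=HIT form, while the paragraph just above them says it is RECOMMENDED to use the FQDN/NAI from the HOST_ID parameter in the DN if one exists. Correcting "Subject: CN=hit-of-issuer" to "Subject: CN=hit-of-subject" is right, but a reader still has no example of the recommended case. Suggest adding a second DN example that carries an FQDN or NAI, with the HIT still present in the issuer and subject alternative names, so it is clear where a verifier finds the HIT when the DN does not contain it. Minor: "the hosts HOST_ID parameter" should read "the host's HOST_ID parameter".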
skipping to change at page 8, line 45 skipping to change at page 8, line 45
8. Security Considerations 8. Security Considerations
Certificate grouping allows the certificates to be sent in multiple Certificate grouping allows the certificates to be sent in multiple
consecutive packets. This might allow similar attacks as IP-layer consecutive packets. This might allow similar attacks as IP-layer
fragmentation allows, for example sending of fragments in wrong order fragmentation allows, for example sending of fragments in wrong order
and skipping some fragments to delay or stall packet processing by and skipping some fragments to delay or stall packet processing by
the victim in order to use resources (e.g. CPU or memory). Hence, the victim in order to use resources (e.g. CPU or memory). Hence,
hosts SHOULD implement mechanisms to discard certificate groups with hosts SHOULD implement mechanisms to discard certificate groups with
outstanding certificates if state space is scarce. outstanding certificates if state space is scarce.
It is NOT RECOMMENDED to use grouping or hash and URL encodings when
HIP aware middleboxes are anticipated to be present on the
communication path between peers because fetching remote certificates
require the middlebox to buffer the packets and to request remote
data. This makes these devices prone to denial of service (DoS)
attacks. Moreover, middleboxes and responders that request remote
certificates could be used as deflectors for distributed denial of
service attacks.
9. Acknowledgements 9. Acknowledgements
The authors would like to thank A. Keranen, D. Mattes, M. Komu and T. The authors would like to thank A. Keranen, D. Mattes, M. Komu and T.
Henderson for the fruitful conversations on the subject. D. Mattes Henderson for the fruitful conversations on the subject. D. Mattes
most notably contributed the non-HIP aware use case in Section 3. most notably contributed the non-HIP aware use case in Section 3.
10. References 10. References
10.1. Normative References 10.1. Normative References
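Review bot: Section 8 in -07 no longer says anything about hash and URL encodings. The deleted paragraph did more than advise against them on paths with HIP-aware middleboxes: its last sentence ("middleboxes and responders that request remote certificates could be used as deflectors for distributed denial of service attacks") also covered end hosts. If the hash and URL encodings are still defined in the draft, suggest keeping at least that sentence, reworded for any node that dereferences a URL taken from an unauthenticated CERT parameter, even if the middlebox recommendation itself is dropped. Separately, the remaining paragraph's "SHOULD implement mechanisms to discard certificate groups with outstanding certificates if state space is scarce" gives implementers no concrete handle. A sentence suggesting a per-peer limit on incomplete groups or a timeout for completing a group would make the requirement testable.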
skipping to change at page 10, line 23 skipping to change at page 10, line 10
Appendix A. SPKI certificate example Appendix A. SPKI certificate example
This section shows a SPKI certificate with encoded HITs. The example This section shows a SPKI certificate with encoded HITs. The example
has been indented for readability. has been indented for readability.
(sequence (sequence
(public_key (public_key
(rsa-pkcs1-sha1 (rsa-pkcs1-sha1
(e #010001#) (e #010001#)
(n |uV7M1dl7OcJCPnlJrX8MvQ8SmE6wne5idnp7VfDMolestu (n |yDwznOwX0w+zvQbpWoTnfWrUPLKW2NFrpXbsIcH/QBSLb
JqvB69z3UwlVuSr3VVaQvDSA+15BUweYkis/1+UVnSDdcS k1RKTZhLasFwvtSHAjqh220W8gRiQAGIqKplyrDEqSrJp
XUTz6AUTH1tPifoebYPp4s+9XG/vAh7I25pImjW4uL6Jvq OdIsHIQ8BQhJAyILWA1Sa6f5wAnWozDfgdXoKLNdT8ZNB
vI3WBE36wBt3Zmq12hpdA8jSIE1CRZYA8=| mzluPiw4ozc78p6MHElH75Hm3yHaWxT+s83M=|
)
) )
) )
) (cert
(cert (issuer
(issuer (hash hit 2001:15:2453:698a:9aa:253a:dcb5:981e)
(hash hit 2001:001e:d709:1980:5c6a:bb0c:7650:a027) )
) (subject
(subject (hash hit 2001:12:ccd6:4715:72a3:2ab1:77e4:4acc)
(hash hit 2001:001c:5a14:26de:a07c:385b:de35:60e3) )
(not-before "2011-01-12_13:43:09")
(not-after "2011-01-22_13:43:09")
) )
(not-before "2010-06-22_16:40:47") (signature
(not-after "2010-07-02_16:40:47") (hash sha1 |h5fC8HUMATTtK0cjYqIgeN3HCIMA|)
) |u8NTRutINI/AeeZgN6bngjvjYPtVahvY7MhGfenTpT7MCgBy
(signature NoZglqH5Cy2vH6LrQFYWx0MjWoYwHKimEuBKCNd4TK6hrCyAI
(hash sha1 |+UzjNn5+bXo3aMZQNGGtapKdlFAA|) CIDJAZ70TyKXgONwDNWPOmcc3lFmsih8ezkoBseFWHqRGISIm
|Fhioyxi0mpHa2aq2ofhotsauYyDuCa45mMAQ+yTEGOzcc1K+Prx MLdeaMciP4lVfxPY2AQKdMrBc=|
+O6kFecKxl+Cwz9qXEI6a/zfAnZqLj18yvszM1D/tH+W3RKl2LW
+lASsCDKXOi9ObNx+Dwzj3YlHABPxt4gGk0XVadEMXfCPDqiLF+
zMR9fW5/OaJ+vRwhKs=|
) )
) )
Appendix B. X.509.v3 certificate example Appendix B. X.509.v3 certificate example
This section shows a X.509.v3 certificate with encoded HITs. This section shows a X.509.v3 certificate with encoded HITs.
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
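Review bot: The regenerated Appendix A example writes the issuer and subject HITs with leading zeroes suppressed ("2001:15:2453:698a:9aa:253a:dcb5:981e"), where -06 used zero-padded groups ("2001:001e:d709:1980:5c6a:bb0c:7650:a027"), but nothing in this hunk says which spelling a verifier must accept. An implementation that compares the (hash hit ...) string byte for byte against a textual HIT would treat the two spellings of the same HIT as different values. Suggest stating next to the example, or in the section that defines the HIT representation, either that HITs are compared as 128-bit values after parsing or that exactly one presentation form is valid inside certificates. The zero-suppressed form now matches the Example DN in the body ("CN=2001:14:6cf:fae7:bb79:bf78:7d64:c056"), so the draft's two examples are at least consistent with each other.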
skipping to change at page 13, line 22 skipping to change at page 13, line 13
o Added reference to the IPv6 colon delimited presentation format. o Added reference to the IPv6 colon delimited presentation format.
o Small editorial changes. o Small editorial changes.
Changes from version 05 to 06: Changes from version 05 to 06:
o Editorial changes. o Editorial changes.
o Unified the example in Section 3. o Unified the example in Section 3.
Changes from version 06 to 07:
o Editorial changes.
o Removed a the second paragraph in section 8.
o Changed the example in Appendix A (Cert created without the
leading zeroes in HITs).
Authors' Addresses Authors' Addresses
Tobias Heer Tobias Heer
Distributed Systems Group, RWTH Aachen University Distributed Systems Group, RWTH Aachen University
Ahornstrasse 55 Ahornstrasse 55
Aachen Aachen
Germany Germany
Phone: +49 241 80 214 36 Phone: +49 241 80 214 36
Email: heer@cs.rwth-aachen.de Email: heer@cs.rwth-aachen.de
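Review bot: The 06-to-07 changelog entry "Removed a the second paragraph in section 8." has a typo ("a the") and gives no reason for dropping a paragraph of security guidance. Suggest "Removed the second paragraph in Section 8" followed by a short rationale, so that readers comparing versions can tell whether the DoS and deflection concern was judged invalid or moved elsewhere. The Appendix A entry could also say explicitly that the certificate was regenerated with new keys and HITs, since the example's public key, HITs, validity dates and signature all changed, not only the zero padding.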
 End of changes. 11 change blocks. 
35 lines changed or deleted 35 lines changed or added