draft-ietf-hip-dex-12.txt   draft-ietf-hip-dex-13.txt 
HIP WG R. Moskowitz, Ed. HIP WG R. Moskowitz, Ed.
Internet-Draft HTT Consulting Internet-Draft HTT Consulting
Intended status: Standards Track R. Hummen Intended status: Standards Track R. Hummen
Expires: August 12, 2020 Hirschmann Automation and Control Expires: August 17, 2020 Hirschmann Automation and Control
M. Komu M. Komu
Ericsson Ericsson
February 9, 2020 February 14, 2020
HIP Diet EXchange (DEX) HIP Diet EXchange (DEX)
draft-ietf-hip-dex-12 draft-ietf-hip-dex-13
Abstract Abstract
This document specifies the Host Identity Protocol Diet EXchange (HIP This document specifies the Host Identity Protocol Diet EXchange (HIP
DEX), a variant of the Host Identity Protocol Version 2 (HIPv2). The DEX), a variant of the Host Identity Protocol Version 2 (HIPv2). The
HIP DEX protocol design aims at reducing the overhead of the employed HIP DEX protocol design aims at reducing the overhead of the employed
cryptographic primitives by omitting public-key signatures and hash cryptographic primitives by omitting public-key signatures and hash
functions. functions.
The HIP DEX protocol is primarily designed for computation or memory- The HIP DEX protocol is primarily designed for computation or memory-
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 12, 2020. This Internet-Draft will expire on August 17, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 11 skipping to change at page 3, line 11
5.3.1. I1 - the HIP Initiator Packet . . . . . . . . . . . . 24 5.3.1. I1 - the HIP Initiator Packet . . . . . . . . . . . . 24
5.3.2. R1 - the HIP Responder Packet . . . . . . . . . . . . 25 5.3.2. R1 - the HIP Responder Packet . . . . . . . . . . . . 25
5.3.3. I2 - the Second HIP Initiator Packet . . . . . . . . 27 5.3.3. I2 - the Second HIP Initiator Packet . . . . . . . . 27
5.3.4. R2 - the Second HIP Responder Packet . . . . . . . . 28 5.3.4. R2 - the Second HIP Responder Packet . . . . . . . . 28
5.4. ICMP Messages . . . . . . . . . . . . . . . . . . . . . . 29 5.4. ICMP Messages . . . . . . . . . . . . . . . . . . . . . . 29
6. Packet Processing . . . . . . . . . . . . . . . . . . . . . . 30 6. Packet Processing . . . . . . . . . . . . . . . . . . . . . . 30
6.1. Solving the Puzzle . . . . . . . . . . . . . . . . . . . 30 6.1. Solving the Puzzle . . . . . . . . . . . . . . . . . . . 30
6.2. HIP_MAC Calculation and Verification . . . . . . . . . . 30 6.2. HIP_MAC Calculation and Verification . . . . . . . . . . 30
6.2.1. CMAC Calculation . . . . . . . . . . . . . . . . . . 30 6.2.1. CMAC Calculation . . . . . . . . . . . . . . . . . . 30
6.3. HIP DEX KEYMAT Generation . . . . . . . . . . . . . . . . 32 6.3. HIP DEX KEYMAT Generation . . . . . . . . . . . . . . . . 32
6.4. Initiation of a HIP Diet EXchange . . . . . . . . . . . . 34 6.4. Initiation of a HIP Diet EXchange . . . . . . . . . . . . 35
6.5. Processing Incoming I1 Packets . . . . . . . . . . . . . 34 6.5. Processing Incoming I1 Packets . . . . . . . . . . . . . 35
6.6. Processing Incoming R1 Packets . . . . . . . . . . . . . 35 6.6. Processing Incoming R1 Packets . . . . . . . . . . . . . 36
6.7. Processing Incoming I2 Packets . . . . . . . . . . . . . 38 6.7. Processing Incoming I2 Packets . . . . . . . . . . . . . 39
6.8. Processing Incoming R2 Packets . . . . . . . . . . . . . 41 6.8. Processing Incoming R2 Packets . . . . . . . . . . . . . 42
6.9. Processing Incoming NOTIFY Packets . . . . . . . . . . . 42 6.9. Processing Incoming NOTIFY Packets . . . . . . . . . . . 43
6.10. Processing UPDATE, CLOSE, and CLOSE_ACK Packets . . . . . 43 6.10. Processing UPDATE, CLOSE, and CLOSE_ACK Packets . . . . . 44
6.11. Handling State Loss . . . . . . . . . . . . . . . . . . . 43 6.11. Handling State Loss . . . . . . . . . . . . . . . . . . . 44
7. HIP Policies . . . . . . . . . . . . . . . . . . . . . . . . 43 7. HIP Policies . . . . . . . . . . . . . . . . . . . . . . . . 44
8. Interoperability between HIP DEX and HIPv2 . . . . . . . . . 44 8. Interoperability between HIP DEX and HIPv2 . . . . . . . . . 45
9. Security Considerations . . . . . . . . . . . . . . . . . . . 44 9. Security Considerations . . . . . . . . . . . . . . . . . . . 45
9.1. SECP160R1 Considered Unsafe . . . . . . . . . . . . . . . 46 9.1. SECP160R1 Considered Unsafe . . . . . . . . . . . . . . . 47
9.2. Need to Validate Public Keys . . . . . . . . . . . . . . 46 9.2. Need to Validate Public Keys . . . . . . . . . . . . . . 47
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 48 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 48
12. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 48 12. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 49
12.1. Changes in draft-ietf-hip-dex-12 . . . . . . . . . . . . 48 12.1. Changes in draft-ietf-hip-dex-12 and 13 . . . . . . . . 49
12.2. Changes in draft-ietf-hip-dex-11 . . . . . . . . . . . . 48 12.2. Changes in draft-ietf-hip-dex-11 and 12 . . . . . . . . 49
12.3. Changes in draft-ietf-hip-dex-10 . . . . . . . . . . . . 48 12.3. Changes in draft-ietf-hip-dex-11 . . . . . . . . . . . . 49
12.4. Changes in draft-ietf-hip-dex-09 . . . . . . . . . . . . 48 12.4. Changes in draft-ietf-hip-dex-10 . . . . . . . . . . . . 49
12.5. Changes in draft-ietf-hip-dex-05 . . . . . . . . . . . . 49 12.5. Changes in draft-ietf-hip-dex-09 . . . . . . . . . . . . 49
12.6. Changes in draft-ietf-hip-dex-04 . . . . . . . . . . . . 49 12.6. Changes in draft-ietf-hip-dex-05 . . . . . . . . . . . . 50
12.7. Changes in draft-ietf-hip-dex-03 . . . . . . . . . . . . 49 12.7. Changes in draft-ietf-hip-dex-04 . . . . . . . . . . . . 50
12.8. Changes in draft-ietf-hip-dex-02 . . . . . . . . . . . . 49 12.8. Changes in draft-ietf-hip-dex-03 . . . . . . . . . . . . 50
12.9. Changes in draft-ietf-hip-dex-01 . . . . . . . . . . . . 49 12.9. Changes in draft-ietf-hip-dex-02 . . . . . . . . . . . . 50
12.10. Changes in draft-ietf-hip-dex-00 . . . . . . . . . . . . 49 12.10. Changes in draft-ietf-hip-dex-01 . . . . . . . . . . . . 50
12.11. Changes in draft-moskowitz-hip-rg-dex-06 . . . . . . . . 50 12.11. Changes in draft-ietf-hip-dex-00 . . . . . . . . . . . . 50
12.12. Changes in draft-moskowitz-hip-dex-00 . . . . . . . . . 50 12.12. Changes in draft-moskowitz-hip-rg-dex-06 . . . . . . . . 51
12.13. Changes in draft-moskowitz-hip-dex-01 . . . . . . . . . 50 12.13. Changes in draft-moskowitz-hip-dex-00 . . . . . . . . . 51
12.14. Changes in draft-moskowitz-hip-dex-02 . . . . . . . . . 51 12.14. Changes in draft-moskowitz-hip-dex-01 . . . . . . . . . 51
12.15. Changes in draft-moskowitz-hip-dex-03 . . . . . . . . . 51 12.15. Changes in draft-moskowitz-hip-dex-02 . . . . . . . . . 52
12.16. Changes in draft-moskowitz-hip-dex-04 . . . . . . . . . 51 12.16. Changes in draft-moskowitz-hip-dex-03 . . . . . . . . . 52
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 12.17. Changes in draft-moskowitz-hip-dex-04 . . . . . . . . . 52
13.1. Normative References . . . . . . . . . . . . . . . . . . 51 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 52
13.2. Informative References . . . . . . . . . . . . . . . . . 53 13.1. Normative References . . . . . . . . . . . . . . . . . . 52
13.2. Informative References . . . . . . . . . . . . . . . . . 54
Appendix A. Password-based two-factor authentication during the Appendix A. Password-based two-factor authentication during the
HIP DEX handshake . . . . . . . . . . . . . . . . . 55 HIP DEX handshake . . . . . . . . . . . . . . . . . 56
Appendix B. IESG Considerations . . . . . . . . . . . . . . . . 55 Appendix B. IESG Considerations . . . . . . . . . . . . . . . . 56
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58
1. Introduction 1. Introduction
This document specifies the Host Identity Protocol Diet EXchange (HIP This document specifies the Host Identity Protocol Diet EXchange (HIP
DEX). HIP DEX builds on the Base EXchange (BEX) of the Host Identity DEX). HIP DEX builds on the Base EXchange (BEX) of the Host Identity
Protocol Version 2 (HIPv2) [RFC7401]. HIP DEX preserves the protocol Protocol Version 2 (HIPv2) [RFC7401]. HIP DEX preserves the protocol
semantics as well as the general packet structure of HIPv2. Hence, semantics as well as the general packet structure of HIPv2. Hence,
it is recommended that [RFC7401] is well-understood before reading it is recommended that [RFC7401] is well-understood before reading
this document. this document.
skipping to change at page 8, line 36 skipping to change at page 8, line 36
HIT (Host Identity Tag): A shorthand for the HI in IPv6 format. It HIT (Host Identity Tag): A shorthand for the HI in IPv6 format. It
is generated by folding the HI (see Section 3). is generated by folding the HI (see Section 3).
Initiator: The host that initiates the HIP DEX handshake. This role Initiator: The host that initiates the HIP DEX handshake. This role
is typically forgotten once the handshake is completed. is typically forgotten once the handshake is completed.
KEYMAT: Keying material. That is, the bit string(s) used as KEYMAT: Keying material. That is, the bit string(s) used as
cryptographic keys. cryptographic keys.
Length of the Responder's HIT Hash Algorithm (RHASH_len): Length of the Responder's HIT Hash Algorithm (RHASH_len): The
The natural output length of RHASH in bits. natural output length of RHASH in bits.
Nonce #I: Nonce #I refers to the corresponding field in the PUZZLE Nonce #I: Nonce #I refers to the corresponding field in the PUZZLE
parameter (see section 5.2.4 in [RFC7401]. It is also referred to parameter (see section 5.2.4 in [RFC7401]. It is also referred to
as "random value #I" in this document. as "random value #I" in this document.
OGA (Orchid Generation Algorithm): Hash function used in generating OGA (Orchid Generation Algorithm): Hash function used in generating
the ORCHID. the ORCHID.
ORCHID (Overlay Routable Cryptographic Hash Identifiers): IPv6 ORCHID (Overlay Routable Cryptographic Hash Identifiers): IPv6
addresses intended to be used as endpoint identifiers at addresses intended to be used as endpoint identifiers at
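Review bot: The Nonce #I definition in this hunk still has an unbalanced parenthesis on both sides of the diff: "(see section 5.2.4 in [RFC7401]." Since -13 is a nits pass, close the parenthesis and capitalize the reference to match the rest of the document: "(see Section 5.2.4 in [RFC7401])."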
skipping to change at page 14, line 17 skipping to change at page 14, line 17
[RFC7401] for more detailed information about the employed mechanism. [RFC7401] for more detailed information about the employed mechanism.
Notably, the only differences between the puzzle mechanism in HIP DEX Notably, the only differences between the puzzle mechanism in HIP DEX
and HIPv2 are that HIP DEX does not employ pre-computation of R1 and HIPv2 are that HIP DEX does not employ pre-computation of R1
packets and uses CMAC instead of a hash function for solving and packets and uses CMAC instead of a hash function for solving and
verifying a puzzle. The implications of these changes on the puzzle verifying a puzzle. The implications of these changes on the puzzle
implementation are discussed in Section 6.1. implementation are discussed in Section 6.1.
4.1.2. HIP State Machine 4.1.2. HIP State Machine
The HIP DEX state machine has the same states as the HIPv2 state The HIP DEX state machine has the same states as the HIPv2 state
machine (see 4.4. in [RFC7401]). However, HIP DEX features a machine (see Section 4.4. in [RFC7401]). However, HIP DEX features a
retransmission strategy with an optional reception acknowledgement retransmission strategy with an optional reception acknowledgement
for the I2 packet. The goal of this additional acknowledgement is to for the I2 packet. The goal of this additional acknowledgement is to
reduce premature I2 retransmissions in case of devices with low reduce premature I2 retransmissions in case of devices with low
computation resources [HWZ13]. As a result, there are minor changes computation resources [HWZ13]. As a result, there are minor changes
regarding the transitions in the HIP DEX state machine. The regarding the transitions in the HIP DEX state machine. The
following section documents these differences compared to HIPv2. following section documents these differences compared to HIPv2.
4.1.2.1. HIP DEX Retransmission Mechanism 4.1.2.1. HIP DEX Retransmission Mechanism
For the retransmission of I1 and I2 packets, the Initiator adopts the For the retransmission of I1 and I2 packets, the Initiator adopts the
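Review bot: The corrected reference in 4.1.2 now reads "(see Section 4.4. in [RFC7401])", which keeps a stray period after the section number. Drop it so the reference reads "(see Section 4.4 in [RFC7401])", in line with forms such as "Section 5.2.6 of [RFC7401]" used elsewhere in the draft.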
skipping to change at page 16, line 11 skipping to change at page 16, line 11
4.1.2.2. HIP State Processes 4.1.2.2. HIP State Processes
HIP DEX clarifies or introduces the following new transitions. HIP DEX clarifies or introduces the following new transitions.
System behavior in state I2-SENT, Table 1. System behavior in state I2-SENT, Table 1.
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
| Trigger | Action | | Trigger | Action |
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
| Receive NOTIFY, | Set I2 retransmission timer to value in | | Receive NOTIFY, | Set I2 retransmission timer to value in |
| process | I2_ACKNOWLEDGEMENT Notification | | process | I2_ACKNOWLEDGEMENT Notification Data plus |
| | Data plus 1/2 RTT-based timeout value and | | | 1/2 RTT-based timeout value and stay at |
| | stay at I2-SENT | | | I2-SENT |
| | | | | |
| | | | | |
| | | | | |
| Timeout | Increment trial counter | | Timeout | Increment trial counter |
| | | | | |
| | | | | |
| | | | | |
| | If counter is less than I2_RETRIES_MAX, | | | If counter is less than I2_RETRIES_MAX, |
| | send I2, reset timer to RTT- | | | send I2, reset timer to RTT-based timeout, |
| | based timeout, and stay at I2-SENT | | | and stay at I2-SENT |
| | | | | |
| | | | | |
| | | | | |
| | If counter is greater than I2_RETRIES_MAX, | | | If counter is greater than I2_RETRIES_MAX, |
| | go to E-FAILED | | | go to E-FAILED |
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
Table 1: I2-SENT - Waiting to finish the HIP Diet EXchange Table 1: I2-SENT - Waiting to finish the HIP Diet EXchange
4.1.2.3. Simplified HIP State Diagram 4.1.2.3. Simplified HIP State Diagram
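Review bot: Table 1's Timeout row covers a trial counter "less than I2_RETRIES_MAX" and "greater than I2_RETRIES_MAX" but not one equal to it, and the reflow in -13 leaves that gap in place. State which branch applies at equality, for example by widening one of the two conditions to include it, so that implementations agree on when the Initiator goes to E-FAILED.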
skipping to change at page 20, line 7 skipping to change at page 20, line 7
o HIP_CIPHER is restricted to AES-128-CTR and NULL-ENCRYPT. o HIP_CIPHER is restricted to AES-128-CTR and NULL-ENCRYPT.
o HIT_SUITE_LIST is limited to the HIT suite ECDH/FOLD. o HIT_SUITE_LIST is limited to the HIT suite ECDH/FOLD.
o RHASH and RHASH_len are redefined to CMAC for the PUZZLE, o RHASH and RHASH_len are redefined to CMAC for the PUZZLE,
SOLUTION, and HIP_MAC parameters (see Section 6.1 and SOLUTION, and HIP_MAC parameters (see Section 6.1 and
Section 6.2). Section 6.2).
In addition, HIP DEX introduces the following new parameter: In addition, HIP DEX introduces the following new parameter:
+------------------+-------------+----------+-----------------------+ +------------------+--------------+----------+----------------------+
| TLV | Type | Length | Data | | TLV | Type | Length | Data |
+------------------+-------------+----------+-----------------------+ +------------------+--------------+----------+----------------------+
| ENCRYPTED_KEY | TBD1 | variable | Encrypted container | | ENCRYPTED_KEY | TBD1 | variable | Encrypted container |
| | (suggested | | for the session key | | | (suggested | | for the session key |
| | value 643) | | exchange | | | value 643) | | exchange |
| | | | | | | | | |
| I_NONCE | TBD6 | variable | Nonce from Initator | | I_NONCE | TBD6 | variable | Nonce from Initator |
| | (suggested | | for Master | | | (suggested | | for Master Key |
| | value 644) | | Key | | | value 644) | | |
+------------------+-------------+----------+-----------------------+ +------------------+--------------+----------+----------------------+
5.2.1. DH_GROUP_LIST 5.2.1. DH_GROUP_LIST
The DH_GROUP_LIST parameter contains the list of supported DH Group The DH_GROUP_LIST parameter contains the list of supported DH Group
IDs of a host. It is defined in Section 5.2.6 of [RFC7401]. With IDs of a host. It is defined in Section 5.2.6 of [RFC7401]. With
HIP DEX, the DH Group IDs are restricted to: HIP DEX, the DH Group IDs are restricted to:
Group KDF Value Group KDF Value
NIST P-256 [RFC5903] CKDF 7 NIST P-256 [RFC5903] CKDF 7
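Review bot: In the new-parameter table, the I_NONCE row still says "Nonce from Initator" on both sides; the reflow in -13 touched this cell without fixing the spelling ("Initiator"). The sentence introducing the table also says "the following new parameter" while the table lists two, ENCRYPTED_KEY and I_NONCE, so it should read "parameters".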
skipping to change at page 32, line 40 skipping to change at page 32, line 40
components, CKDF-Extract and CKDF-Expand. The CKDF-Extract function components, CKDF-Extract and CKDF-Expand. The CKDF-Extract function
compresses a non-uniformly distributed key, such as the output of a compresses a non-uniformly distributed key, such as the output of a
Diffie-Hellman key derivation, to extract the key entropy into a Diffie-Hellman key derivation, to extract the key entropy into a
fixed length output. The CKDF-Expand function takes either the fixed length output. The CKDF-Expand function takes either the
output of the Extract function or directly uses a uniformly output of the Extract function or directly uses a uniformly
distributed key and expands the length of the key, repeatedly distributed key and expands the length of the key, repeatedly
distributing the key entropy, to produce the keys needed. distributing the key entropy, to produce the keys needed.
The key derivation for the Master Key SA employs always both the The key derivation for the Master Key SA employs always both the
Extract and Expand phases. The Pair-wise Key SA needs only the Extract and Expand phases. The Pair-wise Key SA needs only the
Extract phase when key is smaller or equal to 128 bits, but otherwise Extract phase when the key is smaller or equal to 128 bits, but
requires also the Expand phase. otherwise requires also the Expand phase.
The CKDF-Extract function is the following operation: The CKDF-Extract function is the following operation:
CKDF-Extract(I, IKM, info) -> PRK CKDF-Extract(I, IKM, info) -> PRK
Inputs: Inputs:
I Random #I, provided by the Responder, from the PUZZLE I Random #I, provided by the Responder, from the PUZZLE
parameter parameter
IKM Input keying material
the Diffie-Hellman derived key, concatenated with the
random I_NONCE value for the Master Key SA
the Diffie-Hellman derived key, concatenated with the
random values of the ENCRYPTED_KEY parameters in
the same order as the HITs with sort(HIT-I | HIT-R)
for the Pair-wise Key SA
info sort(HIT-I | HIT-R) | "CKDF-Extract"
where "CKDF-Extract" is an octet string
Output:
PRK a pseudorandom key (of RHASH_len/8 octets)
The pseudorandom key PRK is calculated as follows:
PRK = CMAC(I, IKM | info)
The CKDF-Expand function is the following operation: The CKDF-Expand function is the following operation:
CKDF-Expand(PRK, info, L) -> OKM CKDF-Expand(PRK, info, L) -> OKM
Inputs: Inputs:
PRK a pseudorandom key of at least RHASH_len/8 octets PRK a pseudorandom key of at least RHASH_len/8 octets
(either the output from the extract step or the (either the output from the extract step or the
concatenation of the random values of the concatenation of the random values of the
ENCRYPTED_KEY parameters in the same order as the ENCRYPTED_KEY parameters in the same order as the
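Review bot: In the CKDF-Extract definition, the IKM input lists two different constructions back to back (the Diffie-Hellman derived key with I_NONCE for the Master Key SA, and the Diffie-Hellman derived key with the ENCRYPTED_KEY random values for the Pair-wise Key SA) with nothing separating them, so they can be read as a single concatenation. Label each case or join them with an explicit "or", because both peers must feed identical octets into PRK = CMAC(I, IKM | info) to arrive at the same key. The phrase "in the same order as the HITs with sort(HIT-I | HIT-R)" would also be clearer if it stated directly which peer's random value comes first.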
skipping to change at page 47, line 16 skipping to change at page 48, line 16
For Curve25519 and Curve448, the contents of the public value are the For Curve25519 and Curve448, the contents of the public value are the
byte string inputs and outputs of the corresponding functions defined byte string inputs and outputs of the corresponding functions defined
in [RFC7748]: 32 bytes for EC25519 and 56 bytes for EC448. in [RFC7748]: 32 bytes for EC25519 and 56 bytes for EC448.
10. IANA Considerations 10. IANA Considerations
The following changes to the "Host Identity Protocol (HIP) The following changes to the "Host Identity Protocol (HIP)
Parameters" registries have been made: Parameters" registries have been made:
Parameter Type This document defines the new HIP parameters ENCRYPTED_KEY "ENCRYPTED_KEY" with type number TBD1 (suggested: 643)
(see Section 5.2.5) in the "Parameter Types" subregistry of the
ENCRYPTED_KEY "ENCRYPTED_KEY" with type number TBD1 (suggested: "Host Identity Protocol (HIP) Parameters" registry.
643) (see Section 5.2.5) in the "Parameter Types" subregistry
of the "Host Identity Protocol (HIP) Parameters" registry.
I_NONCE "I_NONCE" with type number TBD6 (suggested: 644) (see I_NONCE "I_NONCE" with type number TBD6 (suggested: 644) (see
Section 5.2.6) in the "Parameter Types" subregistry of the Section 5.2.6) in the "Parameter Types" subregistry of the "Host
"Host Identity Protocol (HIP) Parameters" registry. Identity Protocol (HIP) Parameters" registry.
HIT Suite ID This document defines the new HIT Suite "ECDH/FOLD" HIT Suite ID This document defines the new HIT Suite "ECDH/FOLD"
without four-bit ID of TBD2 (suggested: 4) and eight-bit encoding without four-bit ID of TBD2 (suggested: 4) and eight-bit encoding
of TBD3 (suggested: 0x40) (see Section 5.2.4) in the "HIT Suite of TBD3 (suggested: 0x40) (see Section 5.2.4) in the "HIT Suite
ID" subregistry of the "Host Identity Protocol (HIP) Parameters" ID" subregistry of the "Host Identity Protocol (HIP) Parameters"
registry. registry.
HIP Cipher ID This document defines the new HIP Cipher ID "AES- HIP Cipher ID This document defines the new HIP Cipher ID "AES-
128-CTR" with type number TBD4 (suggested: 5) (see Section 5.2.2) 128-CTR" with type number TBD4 (suggested: 5) (see Section 5.2.2)
in the "HIP Cipher ID" subregistry of the "Host Identity Protocol in the "HIP Cipher ID" subregistry of the "Host Identity Protocol
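Review bot: The HIT Suite ID entry reads "without four-bit ID of TBD2 (suggested: 4)", which denies a four-bit ID while assigning one, and it is unchanged between -12 and -13. Reword it so IANA can tell whether the suite receives the four-bit ID, for example "with four-bit ID of TBD2 (suggested: 4) and eight-bit encoding of TBD3 (suggested: 0x40)" if that is the intent.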
skipping to change at page 48, line 21 skipping to change at page 49, line 16
12. Changelog 12. Changelog
This section summarizes the changes made from draft-moskowitz-hip-rg- This section summarizes the changes made from draft-moskowitz-hip-rg-
dex-05, which was the first stable version of the draft. Note that dex-05, which was the first stable version of the draft. Note that
the draft was renamed after draft-moskowitz-hip-rg-dex-06. the draft was renamed after draft-moskowitz-hip-rg-dex-06.
The draft was then renamed from draft-moskowitz-hip-dex to draft- The draft was then renamed from draft-moskowitz-hip-dex to draft-
ietf-hip-dex. ietf-hip-dex.
12.1. Changes in draft-ietf-hip-dex-12 12.1. Changes in draft-ietf-hip-dex-12 and 13
o Nits from Jeff Ahrenholz (including some formatting issues)
12.2. Changes in draft-ietf-hip-dex-11 and 12
o Included more precise references to the IANA subregistries o Included more precise references to the IANA subregistries
o Addressed GEN-ART feedback from Francis Dupont o Addressed GEN-ART feedback from Francis Dupont
o Added reasoning for PFS in a separate section, and it is mentioned o Added reasoning for PFS in a separate section, and it is mentioned
also in the abstract and intro. also in the abstract and intro.
o Donald Eastlake's (secdir) nits addressed o Donald Eastlake's (secdir) nits addressed
o Resolved IANA nits from Amanda Baber. o Resolved IANA nits from Amanda Baber.
o New sections: "Why introduce folding" (Section 3.2.1), "SECP160R1 o New sections: "Why introduce folding" (Section 3.2.1), "SECP160R1
Considered Unsafe" (Section 9.2) and "I_NONCE" (Section 5.2.6) to Considered Unsafe" (Section 9.1), "Need to Validate Public Keys"
address Eric Rescorla's concerns. (Section 9.2), and "I_NONCE" (Section 5.2.6) to address Eric
Rescorla's concerns.
12.2. Changes in draft-ietf-hip-dex-11 12.3. Changes in draft-ietf-hip-dex-11
o Update IANA considerations as requested by Eric Envyncke o Update IANA considerations as requested by Eric Envyncke
12.3. Changes in draft-ietf-hip-dex-10 12.4. Changes in draft-ietf-hip-dex-10
o Explanations on why the document includes so many SHOULDs o Explanations on why the document includes so many SHOULDs
12.4. Changes in draft-ietf-hip-dex-09 12.5. Changes in draft-ietf-hip-dex-09
o Fixed values for o Fixed values for
* DH_GROUP_LIST * DH_GROUP_LIST
* HIT_SUITE_LIST * HIT_SUITE_LIST
to match [RFC7401]. to match [RFC7401].
12.5. Changes in draft-ietf-hip-dex-05 12.6. Changes in draft-ietf-hip-dex-05
o Clarified main differences between HIP BEX and HIP DEX in o Clarified main differences between HIP BEX and HIP DEX in
Section 1. Section 1.
o Addressed MitM attack in Section 8. o Addressed MitM attack in Section 8.
o Minor editorial changes. o Minor editorial changes.
12.6. Changes in draft-ietf-hip-dex-04 12.7. Changes in draft-ietf-hip-dex-04
o Added new paragraph on rekeying procedure with HIP DEX. o Added new paragraph on rekeying procedure with HIP DEX.
o Updated references. o Updated references.
o Editorial changes. o Editorial changes.
12.7. Changes in draft-ietf-hip-dex-03 12.8. Changes in draft-ietf-hip-dex-03
o Added new section on HIP DEX/HIPv2 interoperability o Added new section on HIP DEX/HIPv2 interoperability
o Added reference to RFC4493 for CMAC. o Added reference to RFC4493 for CMAC.
o Added reference to RFC5869 for CKDF. o Added reference to RFC5869 for CKDF.
o Added processing of NOTIFY message in I2-SENT of state diagram. o Added processing of NOTIFY message in I2-SENT of state diagram.
o Editorial changes. o Editorial changes.
12.8. Changes in draft-ietf-hip-dex-02 12.9. Changes in draft-ietf-hip-dex-02
o Author address change. o Author address change.
12.9. Changes in draft-ietf-hip-dex-01 12.10. Changes in draft-ietf-hip-dex-01
o Added the new ECDH groups of Curve25519 and Curve448 from RFC o Added the new ECDH groups of Curve25519 and Curve448 from RFC
7748. 7748.
12.10. Changes in draft-ietf-hip-dex-00 12.11. Changes in draft-ietf-hip-dex-00
o The Internet Draft was adopted by the HIP WG. o The Internet Draft was adopted by the HIP WG.
12.11. Changes in draft-moskowitz-hip-rg-dex-06 12.12. Changes in draft-moskowitz-hip-rg-dex-06
o A major change in the ENCRYPT parameter to use AES-CTR rather than o A major change in the ENCRYPT parameter to use AES-CTR rather than
AES-CBC. AES-CBC.
12.12. Changes in draft-moskowitz-hip-dex-00 12.13. Changes in draft-moskowitz-hip-dex-00
o Draft name change. HIPRG ended in IRTF, HIP DEX is now individual o Draft name change. HIPRG ended in IRTF, HIP DEX is now individual
submission. submission.
o Added the change section. o Added the change section.
o Added a Definitions section. o Added a Definitions section.
o Changed I2 and R2 packets to reflect use of AES-CTR for o Changed I2 and R2 packets to reflect use of AES-CTR for
ENCRYPTED_KEY parameter. ENCRYPTED_KEY parameter.
o Cleaned up KEYMAT Generation text. o Cleaned up KEYMAT Generation text.
o Added Appendix with C code for the ECDH shared secret generation o Added Appendix with C code for the ECDH shared secret generation
on an 8 bit processor. on an 8 bit processor.
12.13. Changes in draft-moskowitz-hip-dex-01 12.14. Changes in draft-moskowitz-hip-dex-01
o Numerous editorial changes. o Numerous editorial changes.
o New retransmission strategy. o New retransmission strategy.
o New HIT generation mechanism. o New HIT generation mechanism.
o Modified layout of ENCRYPTED_KEY parameter. o Modified layout of ENCRYPTED_KEY parameter.
o Clarify use puzzle difficulty of zero under normal network o Clarify use puzzle difficulty of zero under normal network
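Review bot: The renumbered changelog headings overlap: 12.1 is "Changes in draft-ietf-hip-dex-12 and 13", 12.2 is "Changes in draft-ietf-hip-dex-11 and 12", and 12.3 is "Changes in draft-ietf-hip-dex-11", so versions 11 and 12 each appear under two headings and it is unclear which revision a listed change belongs to. Name each section after the single revision that introduced its changes, and apply the same titles to the matching table of contents entries.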
skipping to change at page 51, line 5 skipping to change at page 52, line 5
MUST). MUST).
o Align inclusion of TRANSPORT_FORMAT_LIST with HIPv2 (added to R1 o Align inclusion of TRANSPORT_FORMAT_LIST with HIPv2 (added to R1
and I2). and I2).
o HIP_CIPHER, HIT_SUITE_LIST, and TRANSPORT_FORMAT_LIST must now be o HIP_CIPHER, HIT_SUITE_LIST, and TRANSPORT_FORMAT_LIST must now be
echoed in R2 packet. echoed in R2 packet.
o Added new author. o Added new author.
12.14. Changes in draft-moskowitz-hip-dex-02 12.15. Changes in draft-moskowitz-hip-dex-02
o Introduced formal definition of FOLD function. o Introduced formal definition of FOLD function.
o Clarified use of CMAC for puzzle computation in section "Solving o Clarified use of CMAC for puzzle computation in section "Solving
the Puzzle". the Puzzle".
o Several editorial changes. o Several editorial changes.
12.15. Changes in draft-moskowitz-hip-dex-03 12.16. Changes in draft-moskowitz-hip-dex-03
o Addressed HI crypto agility. o Addressed HI crypto agility.
o Clarified purpose of secret exchanged via ENCRYPTED_KEY parameter. o Clarified purpose of secret exchanged via ENCRYPTED_KEY parameter.
o Extended the IV in the ENCRYPTED_KEY parameter. o Extended the IV in the ENCRYPTED_KEY parameter.
o Introduced forward-references to HIP DEX KEYMAT process and o Introduced forward-references to HIP DEX KEYMAT process and
improved KEYMAT section. improved KEYMAT section.
o Replaced Appendix A on "C code for ECC point multiplication" with o Replaced Appendix A on "C code for ECC point multiplication" with
short discussion in introduction. short discussion in introduction.
o Updated references. o Updated references.
o Further editorial changes. o Further editorial changes.
12.16. Changes in draft-moskowitz-hip-dex-04 12.17. Changes in draft-moskowitz-hip-dex-04
o Improved retransmission extension. o Improved retransmission extension.
o Updated and strongly revised packet processing rules. o Updated and strongly revised packet processing rules.
o Updated security considerations. o Updated security considerations.
o Updated IANA considerations. o Updated IANA considerations.
o Move the HI Algorithm for ECDH to a value of 11. o Move the HI Algorithm for ECDH to a value of 11.
 End of changes. 35 change blocks. 
89 lines changed or deleted 110 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/