
From nobody Thu May  1 15:30:08 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F0201A09D4 for <hipsec@ietfa.amsl.com>; Thu,  1 May 2014 15:30:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.652
X-Spam-Level: 
X-Spam-Status: No, score=-0.652 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mm8eWnsZ2451 for <hipsec@ietfa.amsl.com>; Thu,  1 May 2014 15:30:01 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 00DB71A09FD for <hipsec@ietf.org>; Thu,  1 May 2014 15:30:01 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id D6E2062AC3 for <hipsec@ietf.org>; Thu,  1 May 2014 22:29:56 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z3pnITfSSAcY for <hipsec@ietf.org>; Thu,  1 May 2014 18:29:46 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 10FFE62AB8 for <hipsec@ietf.org>; Thu,  1 May 2014 18:29:45 -0400 (EDT)
Message-ID: <5362CAD9.1080609@htt-consult.com>
Date: Thu, 01 May 2014 18:29:45 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hipsec@ietf.org
References: <53613E91.7010808@htt-consult.com>
In-Reply-To: <53613E91.7010808@htt-consult.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/XVP1ZogqPLP7YwliMhekEFhqAkU
Subject: Re: [Hipsec] Unsticking HIP from 1st gear
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 May 2014 22:30:03 -0000

On 04/30/2014 02:18 PM, Robert Moskowitz wrote:
> Automotive analogy because right now I have been dragged back to my 
> automotive history to work on the "Connected Car" security...
>
> I am working on multiple HIP projects. Real vendors with real products 
> for real customers. In some cases things are separate, but in some 
> there will be function overlap. I am working on HIP at multiple layers:
>
> MAC layer:
>
> 802.15.9 directly passing the HIP datagrams and keying the 802.15.4 
> security association.
> EAP-HIP for running over 802.1X and PANA. Yoshi has said he is willing 
> to write the draft.
>
>
> Networking layer:
>
> Besides 5202-bis BEET mode for EAP, there are more calls for Tunnel mode.
>
> Transport layer:
>
> Alternative keying for things like DTLS-PSK or SRTP.
>
> Messaging/Session layer:
>
> Besides my work on SSE (Session Layer Security) there are a couple 
> other messaging environments that may create their own security 
> framework, but I am pushing SSE where I can.
>
> Authentication only:
>
> HIP for authentication within some other framework. This is still 
> rather vague and may end up elsewhere above.
>
> Anyway, HIP becomes an independent Key Management Protocol, needing a 
> well defined API (we did something like this at one point?) where 
> there can be many HIs for the different uses.

Miika and I had an email exchange and looking into RFC 6317, this is 
really the UNIX Sockets API enhanced for HIP. So this is the wrong API.

I am thinking about an API for HIP itself. If something wants keys via 
HIP, what does it provide and what does it get back.

I am interested in what others think about this. I will provide what I 
think about it.

>
> Though I can't give information on individual projects, "No Wine 
> Before its Time", there are some real projects in coding now and more 
> at various levels of discussion.
>
> For those of you that have HIP web pages that are two years out of 
> date, PLEASE get them current. It is embarrassing to be on a call with 
> a consortium (last friday) to have one person saying, "I just checked 
> out the site for the X code base and it has not been updated for two 
> years." Please fix this.
>
> Anyone with a bit of time ( :) ) over the next week to help me flesh 
> out HIP as a security service and review the API RFC, please contact 
> me. I still can't spill too many beans, but more will be leaking out 
> in the coming months....
>
> And I really hope we can get RFCs published by July. Meanwhile I also 
> have to finish up HIP DEX. Remaining stuff, I think, is only 
> explanatory. I believe Rene set me straight and we got it pretty much 
> nailed down in the latest draft. Though there is the question if 
> SLIMFIT should go into the DEX draft or be a separate document. 
> SLIMFIT with a bit more tweaking will fit into SMS packets without 
> need of the SMS header...
>
> Thank you for your time and efforts.
>
>
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec
>


From nobody Fri May  2 07:42:31 2014
Return-Path: <mkomu@cs.hut.fi>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D9F81A6F54 for <hipsec@ietfa.amsl.com>; Fri,  2 May 2014 07:42:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level: 
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yyhKz0DCaWUB for <hipsec@ietfa.amsl.com>; Fri,  2 May 2014 07:42:28 -0700 (PDT)
Received: from mail.cs.hut.fi (mail.cs.hut.fi [130.233.192.7]) by ietfa.amsl.com (Postfix) with ESMTP id E45E01A08DE for <hipsec@ietf.org>; Fri,  2 May 2014 07:42:27 -0700 (PDT)
Received: from [127.0.0.1] (hutcs.cs.hut.fi [130.233.192.10]) by mail.cs.hut.fi (Postfix) with ESMTP id B522E30810F for <hipsec@ietf.org>; Fri,  2 May 2014 17:42:23 +0300 (EEST)
Message-ID: <5363AECF.4040107@cs.hut.fi>
Date: Fri, 02 May 2014 17:42:23 +0300
From: Miika Komu <mkomu@cs.hut.fi>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hip WG <hipsec@ietf.org>
References: <53613E91.7010808@htt-consult.com> <5362CAD9.1080609@htt-consult.com>
In-Reply-To: <5362CAD9.1080609@htt-consult.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/A1nFmhXB12FtW61dVOr6YKpCPl8
Subject: Re: [Hipsec] Unsticking HIP from 1st gear
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 May 2014 14:42:30 -0000

Hi,

On 05/02/2014 01:29 AM, Robert Moskowitz wrote:
>
> Miika and I had an email exchange and looking into RFC 6317, this is
> really the UNIX Sockets API enhanced for HIP. So this is the wrong API.
>
> I am thinking about an API for HIP itself. If something wants keys via
> HIP, what does it provide and what does it get back.
>
> I am interested in what others think about this. I will provide what I
> think about it.

An early draft of RFC 6317 did have an API for configuring user-specific 
identities (i.e. asymmetric keys), but this feature was dropped later. 
Or are you referring to symmetric key APIs, like PF_KEY:

http://www.ietf.org/rfc/rfc2367.txt

Please note that it requires administrative privileges in practice. Or 
perhaps you're thinking about "application identity protocol" as we 
drafted in the following thesis?

http://nordsecmob.aalto.fi/en/publications/theses_2012/gu-xin_thesis.pdf

Check out also:

https://www.usenix.org/legacy/event/sec05/tech/full_papers/yin/yin.pdf


From nobody Sun May  4 08:40:24 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBC561A00D5 for <hipsec@ietfa.amsl.com>; Sun,  4 May 2014 08:40:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mt2qB0UJds5s for <hipsec@ietfa.amsl.com>; Sun,  4 May 2014 08:40:17 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 07A371A00AE for <hipsec@ietf.org>; Sun,  4 May 2014 08:40:17 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id DAC0362ADB for <hipsec@ietf.org>; Sun,  4 May 2014 15:40:13 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xzXY3hGv9Ign for <hipsec@ietf.org>; Sun,  4 May 2014 11:40:04 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id BC26E62C33 for <hipsec@ietf.org>; Sun,  4 May 2014 11:40:03 -0400 (EDT)
Message-ID: <53665F53.6010006@htt-consult.com>
Date: Sun, 04 May 2014 11:40:03 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hip WG <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/bUSoJS1YHhXtsv8f5-Yjmd5Mq7s
Subject: [Hipsec] HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 May 2014 15:40:21 -0000

What population of HIs is needed for a 1%, 10%, 50% probability of a HIT 
collision?

I had the math once (like back in '99 or '00) and can't find it 
(probably did not survive the Eudora to Thunderbird migration). Thought 
I actually had this in a very early draft, but could not find any such 
beast.  Of course that would have been for HIPv1 HITs, not HIPv2.

Any help on the math would be appreciated.  Also does it change with PK 
algorithm or key length?  (seems not to me).


thanks



From nobody Mon May  5 09:37:18 2014
Return-Path: <paul@marvell.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A573B1A00D7 for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 09:37:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Level: 
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V7b57CwnUCC8 for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 09:37:14 -0700 (PDT)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by ietfa.amsl.com (Postfix) with ESMTP id 199421A03E6 for <hipsec@ietf.org>; Mon,  5 May 2014 09:37:14 -0700 (PDT)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s45GaCxT025863; Mon, 5 May 2014 09:37:08 -0700
Received: from sc-owa01.marvell.com ([199.233.58.136]) by mx0b-0016f401.pphosted.com with ESMTP id 1kngkfn6dm-1 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Mon, 05 May 2014 09:37:08 -0700
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA01.marvell.com ([10.93.76.21]) with mapi; Mon, 5 May 2014 09:37:07 -0700
From: Paul Lambert <paul@marvell.com>
To: Robert Moskowitz <rgm@htt-consult.com>, hip WG <hipsec@ietf.org>
Date: Mon, 5 May 2014 09:38:29 -0700
Thread-Topic: [Hipsec] HIT collision probability
Thread-Index: Ac9ogEDxIe6EDDSzTXKRLotfYLEZaw==
Message-ID: <CF8D0BFE.3A346%paul@marvell.com>
References: <53665F53.6010006@htt-consult.com>
In-Reply-To: <53665F53.6010006@htt-consult.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.4.1.140326
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.96, 1.0.14,  0.0.0000 definitions=2014-05-05_02:2014-05-05,2014-05-05,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1405050263
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/bUPw8kcmqN9iuRh1hMmgpE7nLLw
Subject: Re: [Hipsec] HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 16:37:15 -0000

http://en.wikipedia.org/wiki/Birthday_problem






From nobody Mon May  5 09:59:35 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6E581A03D8 for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 09:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6atIcrTBTLF for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 09:59:32 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id C33531A03D7 for <hipsec@ietf.org>; Mon,  5 May 2014 09:59:31 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 3D12962A92; Mon,  5 May 2014 16:59:28 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2SFs7yMjKbHl; Mon,  5 May 2014 12:59:18 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 742B863474; Mon,  5 May 2014 12:59:11 -0400 (EDT)
Message-ID: <5367C35E.4060001@htt-consult.com>
Date: Mon, 05 May 2014 12:59:10 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Paul Lambert <paul@marvell.com>, hip WG <hipsec@ietf.org>
References: <53665F53.6010006@htt-consult.com> <CF8D0BFE.3A346%paul@marvell.com>
In-Reply-To: <CF8D0BFE.3A346%paul@marvell.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/bOdeR7fzlfVXegHkRx-5RusuR8Q
Subject: Re: [Hipsec] HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 16:59:34 -0000

On 05/05/2014 12:38 PM, Paul Lambert wrote:
> http://en.wikipedia.org/wiki/Birthday_problem

Thanks. I can see I will find the math I need for the HITv2 hash which is

128 - prefix - flag = 128 - 28 - 4 = 96 bits.



From nobody Mon May  5 10:38:53 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEC371A040F for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 10:38:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h0R124VNs42b for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 10:38:49 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 1060B1A03EC for <hipsec@ietf.org>; Mon,  5 May 2014 10:38:49 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 781E76346E; Mon,  5 May 2014 17:38:45 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JvKoGPsPHddb; Mon,  5 May 2014 13:38:35 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id E80596345F; Mon,  5 May 2014 13:38:34 -0400 (EDT)
Message-ID: <5367CC9A.6020103@htt-consult.com>
Date: Mon, 05 May 2014 13:38:34 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Paul Lambert <paul@marvell.com>, hip WG <hipsec@ietf.org>
References: <53665F53.6010006@htt-consult.com> <CF8D0BFE.3A346%paul@marvell.com>
In-Reply-To: <CF8D0BFE.3A346%paul@marvell.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/fQeqvsTe6xJBeJ-wr3LaHQZtTB4
Subject: Re: [Hipsec] HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 17:38:51 -0000

I found the c code at: http://en.wikipedia.org/wiki/Birthday_attack

Of course, I don't do coding and have not done any compiling in years. 
So I have to figure out how to get this compiled so I can pump some 
numbers into it.



From nobody Mon May  5 11:06:57 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 744371A03CE for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 11:06:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UcyLS6hBlW1W for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 11:06:53 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id BE9E61A03C9 for <hipsec@ietf.org>; Mon,  5 May 2014 11:06:53 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 36DFA63456; Mon,  5 May 2014 18:06:50 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g2urHemBXXTn; Mon,  5 May 2014 14:06:39 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id A8DD762A7D; Mon,  5 May 2014 14:06:39 -0400 (EDT)
Message-ID: <5367D32F.1010204@htt-consult.com>
Date: Mon, 05 May 2014 14:06:39 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Paul Lambert <paul@marvell.com>, hip WG <hipsec@ietf.org>
References: <53665F53.6010006@htt-consult.com> <CF8D0BFE.3A346%paul@marvell.com> <5367CC9A.6020103@htt-consult.com>
In-Reply-To: <5367CC9A.6020103@htt-consult.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/wmywHx6cKUpip7y8GOOVTo9_ElU
Subject: Re: [Hipsec] HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 18:06:55 -0000

On 05/05/2014 01:38 PM, Robert Moskowitz wrote:
> I found the c code at: http://en.wikipedia.org/wiki/Birthday_attack
>
> Of course, I don't do coding and have not done any compiling in years. 
> So I have to figure out how to get this compiled so I can pump some 
> numbers into it.

I found a nice online compiler:

http://www.compileonline.com/compile_cpp11_online.php

It is producing the known results, so I am probably good...



From nobody Mon May  5 11:50:56 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A82E81A0458 for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 11:50:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.55
X-Spam-Level: 
X-Spam-Status: No, score=-2.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OKe_I_tGwSJQ for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 11:50:51 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 29FCE1A00E8 for <hipsec@ietf.org>; Mon,  5 May 2014 11:50:42 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 7C8F26344D for <hipsec@ietf.org>; Mon,  5 May 2014 18:50:38 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7JHTmpiZ-L9E for <hipsec@ietf.org>; Mon,  5 May 2014 14:50:27 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id AFD77633BD for <hipsec@ietf.org>; Mon,  5 May 2014 14:50:27 -0400 (EDT)
Message-ID: <5367DD73.5000007@htt-consult.com>
Date: Mon, 05 May 2014 14:50:27 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hip WG <hipsec@ietf.org>
References: <53665F53.6010006@htt-consult.com>
In-Reply-To: <53665F53.6010006@htt-consult.com>
Content-Type: multipart/alternative; boundary="------------020501080006090709020804"
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/J7E0sVvRwV5XpTzwdnQRW7U7omE
Subject: Re: [Hipsec] HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 18:50:54 -0000

This is a multi-part message in MIME format.
--------------020501080006090709020804
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit


On 05/04/2014 11:40 AM, Robert Moskowitz wrote:
> What population of HIs is needed for a 1%, 10%, 50% probability of a 
> HIT collision?
>
> I had the math once (like back in '99 or '00) and can't find it 
> (probably did not survive the Eudora to Thunderbird migration). 
> Thought I actually had this in a very early draft, but could not find 
> any such beast. Of course that would have been for HIPv1 HITs, not HIPv2.
>
> Any help on the math would be appreciated. Also does it change with PK 
> algorithm or key length? (seems not to me).

Using the code at: http://en.wikipedia.org/wiki/Birthday_attack
and compiling and running it via: 
http://www.compileonline.com/compile_cpp11_online.php

I get the following probabilities for HIT collisions:

First the population of HITs (96 bits of hash) is: 7.9×10^28

Then the probabilities of collision are:

.01% 3.98076e+12
.1% 1.25911e+13
1% 3.99066e+13
10% 1.29209e+14

And thus if each person in the world (7B) had 5 endpoints with HITs on 
them, the probability
of a collision would be 10^-6 % (p=e-8, pop=3.98066e+10).





--------------020501080006090709020804--


From nobody Mon May  5 12:32:45 2014
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 070691A0179 for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 12:32:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qztf7jyR7ag4 for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 12:32:40 -0700 (PDT)
Received: from mail-ie0-x234.google.com (mail-ie0-x234.google.com [IPv6:2607:f8b0:4001:c03::234]) by ietfa.amsl.com (Postfix) with ESMTP id E62431A018F for <hipsec@ietf.org>; Mon,  5 May 2014 12:32:39 -0700 (PDT)
Received: by mail-ie0-f180.google.com with SMTP id as1so8657188iec.39 for <hipsec@ietf.org>; Mon, 05 May 2014 12:32:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=LI1mbP0lw6UN8bQU4nCYZWrEgx9LAFknN3jgmPbxEy0=; b=eTN93GBjfFQhFM4irh17A179J4Q036XJCD5agZX+XFInmAh7NW3fMDRAWuLh1trhbr +j6vxW7NIMoDORXTW9NOAW+f4+CRCxaqq2l1gcbm1GqDZ1XEFD7Bm4O5nkDbh7QZm5VF RW+4YEEPEgzAQSrbPFu4NZNMIsZXJ7TP7uolBD3l04cWCtWQ/zou9NPKX6x0HQvKbk4s m9WoTH/y4O3EX2O0kC/f+tHwa5j/PbVf4AsAg9/CK8z4pxQCReAF+wSuKV22u5orkmPl g3uVeWEPNZD3H8+5K7D8dGDujD/+ciEPuMev3TT2RSXclgy/AgldETbKZ5EK4wNAuAvc /DUA==
X-Received: by 10.42.106.15 with SMTP id x15mr5618272ico.67.1399318356316; Mon, 05 May 2014 12:32:36 -0700 (PDT)
Received: from [192.168.1.103] (CPE0013100e2c51-CM001cea35caa6.cpe.net.cable.rogers.com. [99.231.3.110]) by mx.google.com with ESMTPSA id e6sm3927865igq.6.2014.05.05.12.32.34 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 05 May 2014 12:32:35 -0700 (PDT)
Message-ID: <5367E74D.3020501@gmail.com>
Date: Mon, 05 May 2014 15:32:29 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Robert Moskowitz <rgm@htt-consult.com>, hip WG <hipsec@ietf.org>
References: <53665F53.6010006@htt-consult.com> <5367DD73.5000007@htt-consult.com>
In-Reply-To: <5367DD73.5000007@htt-consult.com>
Content-Type: multipart/alternative; boundary="------------040402080906010604060207"
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/ribSensE05M5LGLYlRf8b-hIzy4
Subject: Re: [Hipsec] HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 19:32:43 -0000

This is a multi-part message in MIME format.
--------------040402080906010604060207
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Hi Bob:

The formula is roughly p(k,n)=1*(1-1/n)*(1-2/n)*...*(1 - {k-1}/n), which 
can be approximated as roughly e^{-k^2/(2n)}, where n is the size of the 
set one takes uniformly selected samples from and where k is the number 
of drawn samples.

Rene

On 5/5/2014 2:50 PM, Robert Moskowitz wrote:
>
> On 05/04/2014 11:40 AM, Robert Moskowitz wrote:
>> What population of HIs is needed for a 1%, 10%, 50% probability of a 
>> HIT collision?
>>
>> I had the math once (like back in '99 or '00) and can't find it 
>> (probably did not survive the Eudora to Thunderbird migration). 
>> Thought I actually had this in a very early draft, but could not find 
>> any such beast.  Of course that would have been for HIPv1 HITs, not 
>> HIPv2.
>>
>> Any help on the math would be appreciated.  Also does it change with 
>> PK algorithm or key length?  (seems not to me).
>
> Using the code at: http://en.wikipedia.org/wiki/Birthday_attack
> and compiling and running it via: 
> http://www.compileonline.com/compile_cpp11_online.php
>
> I get the following probabilities for HIT collisions:
>
> First the population of HITs (96 bits of hash) is: 7.9×10^28
>
> Then the probabilities of collision are:
>
> .01%    3.98076e+12
> .1%    1.25911e+13
> 1%    3.99066e+13
> 10%    1.29209e+14
>
> And thus if each person in the world (7B) had 5 endpoints with HITs on 
> them, the probability
> of a collision would be 10^-6 %   (p=e-8, pop=3.98066e+10).
>
>
>
>
>
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363



--------------040402080906010604060207--


From nobody Mon May  5 13:19:36 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9B151A04C5 for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 13:19:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.55
X-Spam-Level: 
X-Spam-Status: No, score=-2.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9P-qqgcUqc79 for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 13:19:31 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 2978D1A04AA for <hipsec@ietf.org>; Mon,  5 May 2014 13:19:31 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 861C1633BD; Mon,  5 May 2014 20:19:27 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwZ5Hv69Lg3B; Mon,  5 May 2014 16:19:16 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id B626B62A5E; Mon,  5 May 2014 16:19:15 -0400 (EDT)
Message-ID: <5367F243.5010003@htt-consult.com>
Date: Mon, 05 May 2014 16:19:15 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Rene Struik <rstruik.ext@gmail.com>, hip WG <hipsec@ietf.org>
References: <53665F53.6010006@htt-consult.com> <5367DD73.5000007@htt-consult.com> <5367E74D.3020501@gmail.com>
In-Reply-To: <5367E74D.3020501@gmail.com>
Content-Type: multipart/alternative; boundary="------------020807040007080407090001"
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/xN-uUW1dUc7K8ieKZW75bl9pHVk
Subject: Re: [Hipsec] HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 20:19:34 -0000

This is a multi-part message in MIME format.
--------------020807040007080407090001
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit


On 05/05/2014 03:32 PM, Rene Struik wrote:
> Hi Bob:
>
> The formula is roughly p(k,n)=1*(1-1/n)*(1-2/n)*...*(1 - {k-1}/n), 
> which can be approximated as roughly e^{-k^2/(2n)}, where n is the 
> size of the set one takes uniformly selected samples from and where k 
> is the number of drawn samples.

I am doing something wrong in LibreCalc with the formula:

=EXP(-(B6^2)/(2*C6))

Where B6 is the cell with K (3.86e+12) and C6 is n (2^96).  I am getting 
an answer of 99%.


>
> Rene
>
> On 5/5/2014 2:50 PM, Robert Moskowitz wrote:
>>
>> On 05/04/2014 11:40 AM, Robert Moskowitz wrote:
>>> What population of HIs is needed for a 1%, 10%, 50% probability of a 
>>> HIT collision?
>>>
>>> I had the math once (like back in '99 or '00) and can't find it 
>>> (probably did not survive the Eudora to Thunderbird migration). 
>>> Thought I actually had this in a very early draft, but could not 
>>> find any such beast.  Of course that would have been for HIPv1 HITs, 
>>> not HIPv2.
>>>
>>> Any help on the math would be appreciated.  Also does it change with 
>>> PK algorithm or key length?  (seems not to me).
>>
>> Using the code at: http://en.wikipedia.org/wiki/Birthday_attack
>> and compiling and running it via: 
>> http://www.compileonline.com/compile_cpp11_online.php
>>
>> I get the following probabilities for HIT collisions:
>>
>> First the population of HITs (96 bits of hash) is: 7.9×10^28
>>
>> Then the probabilities of collision are:
>>
>> .01%    3.98076e+12
>> .1%    1.25911e+13
>> 1%    3.99066e+13
>> 10%    1.29209e+14
>>
>> And thus if each person in the world (7B) had 5 endpoints with HITs 
>> on them, the probability
>> of a collision would be 10^-6 %   (p=e-8, pop=3.98066e+10).
>>
>>
>>
>>
>>
>> _______________________________________________
>> Hipsec mailing list
>> Hipsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/hipsec
>
>
> -- 
> email:rstruik.ext@gmail.com  | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363



--------------020807040007080407090001--


From nobody Mon May  5 13:24:14 2014
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6DDA1A04E7 for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 13:24:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S71E9vAO0DWT for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 13:24:10 -0700 (PDT)
Received: from mail-ig0-x234.google.com (mail-ig0-x234.google.com [IPv6:2607:f8b0:4001:c05::234]) by ietfa.amsl.com (Postfix) with ESMTP id 662251A041F for <hipsec@ietf.org>; Mon,  5 May 2014 13:24:10 -0700 (PDT)
Received: by mail-ig0-f180.google.com with SMTP id c1so5307211igq.1 for <hipsec@ietf.org>; Mon, 05 May 2014 13:24:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=WlvUmtlyeFYbmxMDlcTd+vyO++a1vRNgpSk6+Y4ddx0=; b=PLRi9d7TwK8n9ME3YSB8OMxeDqttMMNigHoeWC1HFyhv7vabjwOs6bir88g89w0vy4 c8O8B66HzGAxkpepDXwfAUbqAh1hj/r/y+H8StljjXNeEI1GOa6G1APOaaY9Adu1LR7c ZoFHU6mPRBgyKs5DGmdSTIw0F4O3BwVLicgXXbxwueG4Kpqp/+xSQkzM/obRTuLB2KLA 1dbNa1b2UZBS1Im/f6RtglpmhJUnMHN3pMcT5yuX9hHYwtsWc/y74b/Gi/oakVEzlnRX +IT2mOPfQ0nyheFkC6hT0P4EeuvOyqUT9o+78Emh5pj+fyzB2I5fF2vQ75GR9DBwJPwf NXjA==
X-Received: by 10.50.25.136 with SMTP id c8mr26979031igg.26.1399321446848; Mon, 05 May 2014 13:24:06 -0700 (PDT)
Received: from [192.168.1.103] (CPE0013100e2c51-CM001cea35caa6.cpe.net.cable.rogers.com. [99.231.3.110]) by mx.google.com with ESMTPSA id p11sm28142784igw.2.2014.05.05.13.24.04 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 05 May 2014 13:24:05 -0700 (PDT)
Message-ID: <5367F35F.6020604@gmail.com>
Date: Mon, 05 May 2014 16:23:59 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Robert Moskowitz <rgm@htt-consult.com>, hip WG <hipsec@ietf.org>
References: <53665F53.6010006@htt-consult.com> <5367DD73.5000007@htt-consult.com> <5367E74D.3020501@gmail.com> <5367F243.5010003@htt-consult.com>
In-Reply-To: <5367F243.5010003@htt-consult.com>
Content-Type: multipart/alternative; boundary="------------000706090505010808030409"
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/jZOL_YVvkInN4pwXx08xnY01SjQ
Subject: Re: [Hipsec] HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 20:24:13 -0000

This is a multi-part message in MIME format.
--------------000706090505010808030409
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Hi Bob:

Let me clarify, the quantity p(k,n) below is the probability that k 
randomly picked elements taken from an n-set are all different (i.e., no 
collision occurs). You may be looking for the probability of having at 
least one collision, which is 1 - p(k,n).

I hope this helps.

Rene

On 5/5/2014 4:19 PM, Robert Moskowitz wrote:
>
> On 05/05/2014 03:32 PM, Rene Struik wrote:
>> Hi Bob:
>>
>> The formula is roughly p(k,n)=1*(1-1/n)*(1-2/n)*...*(1 - {k-1}/n), 
>> which can be approximated as roughly e^{-k^2/(2n)}, where n is the 
>> size of the set one takes uniformly selected samples from and where k 
>> is the number of drawn samples.
>
> I am doing something wrong in LibreCalc with the formula:
>
> =EXP(-(B6^2)/(2*C6))
>
> Where B6 is the cell with K (3.86e+12) and C6 is n (2^96).  I am 
> getting an answer of 99%.
>
>
>>
>> Rene
>>
>> On 5/5/2014 2:50 PM, Robert Moskowitz wrote:
>>>
>>> On 05/04/2014 11:40 AM, Robert Moskowitz wrote:
>>>> What population of HIs is needed for a 1%, 10%, 50% probability of 
>>>> a HIT collision?
>>>>
>>>> I had the math once (like back in '99 or '00) and can't find it 
>>>> (probably did not survive the Eudora to Thunderbird migration). 
>>>> Thought I actually had this in a very early draft, but could not 
>>>> find any such beast.  Of course that would have been for HIPv1 
>>>> HITs, not HIPv2.
>>>>
>>>> Any help on the math would be appreciated.  Also does it change 
>>>> with PK algorithm or key length?  (seems not to me).
>>>
>>> Using the code at: http://en.wikipedia.org/wiki/Birthday_attack
>>> and compiling and running it via: 
>>> http://www.compileonline.com/compile_cpp11_online.php
>>>
>>> I get the following probabilities for HIT collisions:
>>>
>>> First the population of HITs (96 bits of hash) is: 7.9×10^28
>>>
>>> Then the probabilities of collision are:
>>>
>>> .01%    3.98076e+12
>>> .1%    1.25911e+13
>>> 1%    3.99066e+13
>>> 10%    1.29209e+14
>>>
>>> And thus if each person in the world (7B) had 5 endpoints with HITs 
>>> on them, the probability
>>> of a collision would be 10^-6 %   (p=e-8, pop=3.98066e+10).
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Hipsec mailing list
>>> Hipsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/hipsec
>>
>>
>> -- 
>> email:rstruik.ext@gmail.com  | Skype: rstruik
>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363


--------------000706090505010808030409
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi Bob:<br>
      <br>
      Let me clarify, the quantity p(k,n) below is the probability that
      k randomly picked elements taken from an n-set are all different
      (i.e., no collision occurs). You may be looking for the
      probability of having at least one collision, which is 1 - p(k,n).
      <br>
      <br>
      I hope this helps.<br>
      <br>
      Rene<br>
      <br>
      On 5/5/2014 4:19 PM, Robert Moskowitz wrote:<br>
    </div>
    <blockquote cite="mid:5367F243.5010003@htt-consult.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      <br>
      <div class="moz-cite-prefix">On 05/05/2014 03:32 PM, Rene Struik
        wrote:<br>
      </div>
      <blockquote cite="mid:5367E74D.3020501@gmail.com" type="cite">
        <meta http-equiv="Context-Type" content="text/html;
          charset=ISO-8859-1">
        <div class="moz-cite-prefix">Hi Bob:<br>
          <br>
          The formula is roughly p(k,n)=1*(1-1/n)*(1-2/n)*...*(1 -
          {k-1}/n), which can be approximated as roughly e^{-k^2/(2n)},
          where n is the size of the set one takes uniformly selected
          samples from and where k is the number of drawn samples.<br>
        </div>
      </blockquote>
      <br>
      I am doing something wrong in LibreCalc with the formula:<br>
      <br>
      =EXP(-(B6^2)/(2*C6))<br>
      <br>
      Where B6 is the cell with K (3.86e+12) and C6 is n (2^96).&nbsp; I am
      getting an answer of 99%.<br>
      <br>
      <br>
      <blockquote cite="mid:5367E74D.3020501@gmail.com" type="cite">
        <div class="moz-cite-prefix"> <br>
          Rene<br>
          <br>
          On 5/5/2014 2:50 PM, Robert Moskowitz wrote:<br>
        </div>
        <blockquote cite="mid:5367DD73.5000007@htt-consult.com"
          type="cite"> <br>
          <div class="moz-cite-prefix">On 05/04/2014 11:40 AM, Robert
            Moskowitz wrote:<br>
          </div>
          <blockquote cite="mid:53665F53.6010006@htt-consult.com"
            type="cite">What population of HIs is needed for a 1%, 10%,
            50% probability of a HIT collision? <br>
            <br>
            I had the math once (like back in '99 or '00) and can't find
            it (probably did not survive the Eudora to Thunderbird
            migration). Thought I actually had this in a very early
            draft, but could not find any such beast.&nbsp; Of course that
            would have been for HIPv1 HITs, not HIPv2. <br>
            <br>
            Any help on the math would be appreciated.&nbsp; Also does it
            change with PK algorithm or key length?&nbsp; (seems not to me).<br>
          </blockquote>
          <br>
          Using the code at: <a moz-do-not-send="true"
            class="moz-txt-link-freetext"
            href="http://en.wikipedia.org/wiki/Birthday_attack">http://en.wikipedia.org/wiki/Birthday_attack</a><br>
          and compiling and running it via: <a moz-do-not-send="true"
            class="moz-txt-link-freetext"
            href="http://www.compileonline.com/compile_cpp11_online.php">http://www.compileonline.com/compile_cpp11_online.php</a><br>
          <br>
          I get the following probablities for HIT collisions:<br>
          <br>
          First the population of HITs (96 bits of hash) is: 7.9&times;10&sup2;&#8312;<br>
          <br>
          Then the probablities of collision are:<br>
          <br>
          .01%&nbsp;&nbsp;&nbsp; 3.98076e+12<br>
          .1%&nbsp;&nbsp;&nbsp; 1.25911e+13<br>
          1%&nbsp;&nbsp;&nbsp; 3.99066e+13<br>
          10%&nbsp;&nbsp;&nbsp; 1.29209e+14<br>
          <br>
          And thus if each person in the world (7B) had 5 endpoints with
          HITs on them, the probability <br>
          of a collision would be 10<sup>&#8722;6</sup>%&nbsp;&nbsp; (p=e-8,
          pop=3.98066e+10).<br>
          <br>
          <br>
          <br>
          <br>
          <fieldset class="mimeAttachmentHeader"></fieldset>
          <br>
          <pre wrap="">_______________________________________________
Hipsec mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Hipsec@ietf.org">Hipsec@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/hipsec">https://www.ietf.org/mailman/listinfo/hipsec</a>
</pre>
        </blockquote>
        <br>
        <br>
        <pre class="moz-signature" cols="72">-- 
email: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:rstruik.ext@gmail.com">rstruik.ext@gmail.com</a> | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363</pre>
      </blockquote>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
email: <a class="moz-txt-link-abbreviated" href="mailto:rstruik.ext@gmail.com">rstruik.ext@gmail.com</a> | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363</pre>
  </body>
</html>

--------------000706090505010808030409--


From nobody Mon May  5 13:50:52 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2A751A0601 for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 13:50:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.55
X-Spam-Level: 
X-Spam-Status: No, score=-2.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sVDA8LZtPVIU for <hipsec@ietfa.amsl.com>; Mon,  5 May 2014 13:50:48 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id BE0FA1A0549 for <hipsec@ietf.org>; Mon,  5 May 2014 13:50:47 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id D4A836347E; Mon,  5 May 2014 20:50:42 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PDwpyxz9iEW5; Mon,  5 May 2014 16:50:31 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 251F56345E; Mon,  5 May 2014 16:50:31 -0400 (EDT)
Message-ID: <5367F996.4050005@htt-consult.com>
Date: Mon, 05 May 2014 16:50:30 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Rene Struik <rstruik.ext@gmail.com>, hip WG <hipsec@ietf.org>
References: <53665F53.6010006@htt-consult.com> <5367DD73.5000007@htt-consult.com> <5367E74D.3020501@gmail.com> <5367F243.5010003@htt-consult.com> <5367F35F.6020604@gmail.com>
In-Reply-To: <5367F35F.6020604@gmail.com>
Content-Type: multipart/alternative; boundary="------------010800080900070208030805"
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/8sCM3ZH5yfhPLjoa_2FTsbRzPiY
Subject: Re: [Hipsec] HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 20:50:51 -0000

This is a multi-part message in MIME format.
--------------010800080900070208030805
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit


On 05/05/2014 04:23 PM, Rene Struik wrote:
> Hi Bob:
>
> Let me clarify, the quantity p(k,n) below is the probability that k 
> randomly picked elements taken from an n-set are all different (i.e., 
> no collision occurs). You may be looking for the probability of having 
> at least one collision, which is 1 - p(k,n).
>
> I hope this helps.

that was it.  I missed that smallish detail.  thanks.

>
> Rene
>
> On 5/5/2014 4:19 PM, Robert Moskowitz wrote:
>>
>> On 05/05/2014 03:32 PM, Rene Struik wrote:
>>> Hi Bob:
>>>
>>> The formula is roughly p(k,n)=1*(1-1/n)*(1-2/n)*...*(1 - {k-1}/n), 
>>> which can be approximated as roughly e^{-k^2/(2n)}, where n is the 
>>> size of the set one takes uniformly selected samples from and where 
>>> k is the number of drawn samples.
>>
>> I am doing something wrong in LibreCalc with the formula:
>>
>> =EXP(-(B6^2)/(2*C6))
>>
>> Where B6 is the cell with K (3.86e+12) and C6 is n (2^96).  I am 
>> getting an answer of 99%.
>>
>>
>>>
>>> Rene
>>>
>>> On 5/5/2014 2:50 PM, Robert Moskowitz wrote:
>>>>
>>>> On 05/04/2014 11:40 AM, Robert Moskowitz wrote:
>>>>> What population of HIs is needed for a 1%, 10%, 50% probability of 
>>>>> a HIT collision?
>>>>>
>>>>> I had the math once (like back in '99 or '00) and can't find it 
>>>>> (probably did not survive the Eudora to Thunderbird migration). 
>>>>> Thought I actually had this in a very early draft, but could not 
>>>>> find any such beast.  Of course that would have been for HIPv1 
>>>>> HITs, not HIPv2.
>>>>>
>>>>> Any help on the math would be appreciated.  Also does it change 
>>>>> with PK algorithm or key length?  (seems not to me).
>>>>
>>>> Using the code at: http://en.wikipedia.org/wiki/Birthday_attack
>>>> and compiling and running it via: 
>>>> http://www.compileonline.com/compile_cpp11_online.php
>>>>
>>>> I get the following probabilities for HIT collisions:
>>>>
>>>> First the population of HITs (96 bits of hash) is: 7.9×10^28
>>>>
>>>> Then the probabilities of collision are:
>>>>
>>>> .01%    3.98076e+12
>>>> .1%    1.25911e+13
>>>> 1%    3.99066e+13
>>>> 10%    1.29209e+14
>>>>
>>>> And thus if each person in the world (7B) had 5 endpoints with HITs 
>>>> on them, the probability
>>>> of a collision would be 10^-6 %   (p=e-8, pop=3.98066e+10).
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Hipsec mailing list
>>>> Hipsec@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/hipsec
>>>
>>>
>>> -- 
>>> email:rstruik.ext@gmail.com  | Skype: rstruik
>>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>>
>
>
> -- 
> email:rstruik.ext@gmail.com  | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363


--------------010800080900070208030805
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 05/05/2014 04:23 PM, Rene Struik
      wrote:<br>
    </div>
    <blockquote cite="mid:5367F35F.6020604@gmail.com" type="cite">
      <meta http-equiv="Context-Type" content="text/html;
        charset=ISO-8859-1">
      <div class="moz-cite-prefix">Hi Bob:<br>
        <br>
        Let me clarify, the quantity p(k,n) below is the probability
        that k randomly picked elements taken from an n-set are all
        different (i.e., no collision occurs). You may be looking for
        the probability of having at least one collision, which is 1 -
        p(k,n). <br>
        <br>
        I hope this helps.<br>
      </div>
    </blockquote>
    <br>
    that was it.&nbsp; I missed that smallish detail.&nbsp; thanks.<br>
    <br>
    <blockquote cite="mid:5367F35F.6020604@gmail.com" type="cite">
      <div class="moz-cite-prefix"> <br>
        Rene<br>
        <br>
        On 5/5/2014 4:19 PM, Robert Moskowitz wrote:<br>
      </div>
      <blockquote cite="mid:5367F243.5010003@htt-consult.com"
        type="cite"> <br>
        <div class="moz-cite-prefix">On 05/05/2014 03:32 PM, Rene Struik
          wrote:<br>
        </div>
        <blockquote cite="mid:5367E74D.3020501@gmail.com" type="cite">
          <div class="moz-cite-prefix">Hi Bob:<br>
            <br>
            The formula is roughly p(k,n)=1*(1-1/n)*(1-2/n)*...*(1 -
            {k-1}/n), which can be approximated as roughly
            e^{-k^2/(2n)}, where n is the size of the set one takes
            uniformly selected samples from and where k is the number of
            drawn samples.<br>
          </div>
        </blockquote>
        <br>
        I am doing something wrong in LibreCalc with the formula:<br>
        <br>
        =EXP(-(B6^2)/(2*C6))<br>
        <br>
        Where B6 is the cell with K (3.86e+12) and C6 is n (2^96).&nbsp; I am
        getting an answer of 99%.<br>
        <br>
        <br>
        <blockquote cite="mid:5367E74D.3020501@gmail.com" type="cite">
          <div class="moz-cite-prefix"> <br>
            Rene<br>
            <br>
            On 5/5/2014 2:50 PM, Robert Moskowitz wrote:<br>
          </div>
          <blockquote cite="mid:5367DD73.5000007@htt-consult.com"
            type="cite"> <br>
            <div class="moz-cite-prefix">On 05/04/2014 11:40 AM, Robert
              Moskowitz wrote:<br>
            </div>
            <blockquote cite="mid:53665F53.6010006@htt-consult.com"
              type="cite">What population of HIs is needed for a 1%,
              10%, 50% probability of a HIT collision? <br>
              <br>
              I had the math once (like back in '99 or '00) and can't
              find it (probably did not survive the Eudora to
              Thunderbird migration). Thought I actually had this in a
              very early draft, but could not find any such beast.&nbsp; Of
              course that would have been for HIPv1 HITs, not HIPv2. <br>
              <br>
              Any help on the math would be appreciated.&nbsp; Also does it
              change with PK algorithm or key length?&nbsp; (seems not to
              me).<br>
            </blockquote>
            <br>
            Using the code at: <a moz-do-not-send="true"
              class="moz-txt-link-freetext"
              href="http://en.wikipedia.org/wiki/Birthday_attack">http://en.wikipedia.org/wiki/Birthday_attack</a><br>
            and compiling and running it via: <a moz-do-not-send="true"
              class="moz-txt-link-freetext"
              href="http://www.compileonline.com/compile_cpp11_online.php">http://www.compileonline.com/compile_cpp11_online.php</a><br>
            <br>
            I get the following probabilities for HIT collisions:<br>
            <br>
            First the population of HITs (96 bits of hash) is: 7.9&times;10&sup2;&#8312;<br>
            <br>
            Then the probabilities of collision are:<br>
            <br>
            .01%&nbsp;&nbsp;&nbsp; 3.98076e+12<br>
            .1%&nbsp;&nbsp;&nbsp; 1.25911e+13<br>
            1%&nbsp;&nbsp;&nbsp; 3.99066e+13<br>
            10%&nbsp;&nbsp;&nbsp; 1.29209e+14<br>
            <br>
            And thus if each person in the world (7B) had 5 endpoints
            with HITs on them, the probability <br>
            of a collision would be 10<sup>&#8722;6</sup>%&nbsp;&nbsp; (p=e-8,
            pop=3.98066e+10).<br>
            <br>
            <br>
            <br>
            <br>
            <fieldset class="mimeAttachmentHeader"></fieldset>
            <br>
            <pre wrap="">_______________________________________________
Hipsec mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Hipsec@ietf.org">Hipsec@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/hipsec">https://www.ietf.org/mailman/listinfo/hipsec</a>
</pre>
          </blockquote>
          <br>
          <br>
          <pre class="moz-signature" cols="72">-- 
email: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:rstruik.ext@gmail.com">rstruik.ext@gmail.com</a> | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363</pre>
        </blockquote>
        <br>
      </blockquote>
      <br>
      <br>
      <pre class="moz-signature" cols="72">-- 
email: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:rstruik.ext@gmail.com">rstruik.ext@gmail.com</a> | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363</pre>
    </blockquote>
    <br>
  </body>
</html>

--------------010800080900070208030805--


From nobody Tue May  6 06:28:58 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EA151A019F for <hipsec@ietfa.amsl.com>; Tue,  6 May 2014 06:28:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.55
X-Spam-Level: 
X-Spam-Status: No, score=-2.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l1wgWUN-lzPg for <hipsec@ietfa.amsl.com>; Tue,  6 May 2014 06:28:54 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id C5F4E1A00ED for <hipsec@ietf.org>; Tue,  6 May 2014 06:28:53 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 9473F62B78 for <hipsec@ietf.org>; Tue,  6 May 2014 13:28:49 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mpSMQXR+PdCX for <hipsec@ietf.org>; Tue,  6 May 2014 09:28:37 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 545FA62AE3 for <hipsec@ietf.org>; Tue,  6 May 2014 09:28:37 -0400 (EDT)
Message-ID: <5368E384.6080408@htt-consult.com>
Date: Tue, 06 May 2014 09:28:36 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hip WG <hipsec@ietf.org>
References: <53665F53.6010006@htt-consult.com> <5367DD73.5000007@htt-consult.com> <5367E74D.3020501@gmail.com> <5367F243.5010003@htt-consult.com> <5367F35F.6020604@gmail.com> <5367F996.4050005@htt-consult.com>
In-Reply-To: <5367F996.4050005@htt-consult.com>
Content-Type: multipart/alternative; boundary="------------040108040200090803000001"
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/qWx5iovw6ykzuFaiK4VDHH1a-n8
Subject: [Hipsec] Final thoughts on - Re:  HIT collision probability
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 13:28:57 -0000

This is a multi-part message in MIME format.
--------------040108040200090803000001
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

I hope final thoughts.

These probability calculations are based on the premise that:

1)    The keypairs are random over the population (of potentially 35B keys!)
2)    The HIT generation maintains this random distribution (especially 
for DEX HITs which are a fold of the ECDH public key)

Of course this is for the total HIT population for a given algorithm.  
It is unlikely that all HITs will be in a single data collection.  But 
considering this is the age of big data, someone might be interested in 
building such a database.

Finally, feel free to use these numbers in any paper on HIP.

On 05/05/2014 04:50 PM, Robert Moskowitz wrote:
>
> On 05/05/2014 04:23 PM, Rene Struik wrote:
>> Hi Bob:
>>
>> Let me clarify, the quantity p(k,n) below is the probability that k 
>> randomly picked elements taken from an n-set are all different (i.e., 
>> no collision occurs). You may be looking for the probability of 
>> having at least one collision, which is 1 - p(k,n).
>>
>> I hope this helps.
>
> that was it.  I missed that smallish detail.  thanks.
>
>>
>> Rene
>>
>> On 5/5/2014 4:19 PM, Robert Moskowitz wrote:
>>>
>>> On 05/05/2014 03:32 PM, Rene Struik wrote:
>>>> Hi Bob:
>>>>
>>>> The formula is roughly p(k,n)=1*(1-1/n)*(1-2/n)*...*(1 - {k-1}/n), 
>>>> which can be approximated as roughly e^{-k^2/(2n)}, where n is the 
>>>> size of the set one takes uniformly selected samples from and where 
>>>> k is the number of drawn samples.
>>>
>>> I am doing something wrong in LibreCalc with the formula:
>>>
>>> =EXP(-(B6^2)/(2*C6))
>>>
>>> Where B6 is the cell with K (3.86e+12) and C6 is n (2^96).  I am 
>>> getting an answer of 99%.
>>>
>>>
>>>>
>>>> Rene
>>>>
>>>> On 5/5/2014 2:50 PM, Robert Moskowitz wrote:
>>>>>
>>>>> On 05/04/2014 11:40 AM, Robert Moskowitz wrote:
>>>>>> What population of HIs is needed for a 1%, 10%, 50% probability 
>>>>>> of a HIT collision?
>>>>>>
>>>>>> I had the math once (like back in '99 or '00) and can't find it 
>>>>>> (probably did not survive the Eudora to Thunderbird migration). 
>>>>>> Thought I actually had this in a very early draft, but could not 
>>>>>> find any such beast.  Of course that would have been for HIPv1 
>>>>>> HITs, not HIPv2.
>>>>>>
>>>>>> Any help on the math would be appreciated.  Also does it change 
>>>>>> with PK algorithm or key length?  (seems not to me).
>>>>>
>>>>> Using the code at: http://en.wikipedia.org/wiki/Birthday_attack
>>>>> and compiling and running it via: 
>>>>> http://www.compileonline.com/compile_cpp11_online.php
>>>>>
>>>>> I get the following probabilities for HIT collisions:
>>>>>
>>>>> First the population of HITs (96 bits of hash) is: 7.9×10^28
>>>>>
>>>>> Then the probabilities of collision are:
>>>>>
>>>>> .01%    3.98076e+12
>>>>> .1%    1.25911e+13
>>>>> 1%    3.99066e+13
>>>>> 10%    1.29209e+14
>>>>>
>>>>> And thus if each person in the world (7B) had 5 endpoints with 
>>>>> HITs on them, the probability
>>>>> of a collision would be 10^-6 %   (p=e-8, pop=3.98066e+10).
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Hipsec mailing list
>>>>> Hipsec@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/hipsec
>>>>
>>>>
>>>> -- 
>>>> email:rstruik.ext@gmail.com  | Skype: rstruik
>>>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>>>
>>
>>
>> -- 
>> email:rstruik.ext@gmail.com  | Skype: rstruik
>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>
>
>
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec


--------------040108040200090803000001
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    I hope final thoughts.<br>
    <br>
    These probability calculations are based on the premise that:<br>
    <br>
    1)&nbsp;&nbsp;&nbsp; The keypairs are random over the population (of potentially
    35B keys!)<br>
    2)&nbsp;&nbsp;&nbsp; The HIT generation maintains this random distribution
    (especially for DEX HITs which are a fold of the ECDH public key)<br>
    <br>
    Of course this is for the total HIT population for a given
    algorithm.&nbsp; It is unlikely that all HITs will be in a single data
    collection.&nbsp; But considering this is the age of big data, someone
    might be interested in building such a database.<br>
    <br>
    Finally, feel free to use these numbers in any paper on HIP.<br>
    <br>
    <div class="moz-cite-prefix">On 05/05/2014 04:50 PM, Robert
      Moskowitz wrote:<br>
    </div>
    <blockquote cite="mid:5367F996.4050005@htt-consult.com" type="cite">
      <meta http-equiv="Context-Type" content="text/html;
        charset=ISO-8859-1">
      <br>
      <div class="moz-cite-prefix">On 05/05/2014 04:23 PM, Rene Struik
        wrote:<br>
      </div>
      <blockquote cite="mid:5367F35F.6020604@gmail.com" type="cite">
        <div class="moz-cite-prefix">Hi Bob:<br>
          <br>
          Let me clarify, the quantity p(k,n) below is the probability
          that k randomly picked elements taken from an n-set are all
          different (i.e., no collision occurs). You may be looking for
          the probability of having at least one collision, which is 1 -
          p(k,n). <br>
          <br>
          I hope this helps.<br>
        </div>
      </blockquote>
      <br>
      that was it.&nbsp; I missed that smallish detail.&nbsp; thanks.<br>
      <br>
      <blockquote cite="mid:5367F35F.6020604@gmail.com" type="cite">
        <div class="moz-cite-prefix"> <br>
          Rene<br>
          <br>
          On 5/5/2014 4:19 PM, Robert Moskowitz wrote:<br>
        </div>
        <blockquote cite="mid:5367F243.5010003@htt-consult.com"
          type="cite"> <br>
          <div class="moz-cite-prefix">On 05/05/2014 03:32 PM, Rene
            Struik wrote:<br>
          </div>
          <blockquote cite="mid:5367E74D.3020501@gmail.com" type="cite">
            <div class="moz-cite-prefix">Hi Bob:<br>
              <br>
              The formula is roughly p(k,n)=1*(1-1/n)*(1-2/n)*...*(1 -
              {k-1}/n), which can be approximated as roughly
              e^{-k^2/(2n)}, where n is the size of the set one takes
              uniformly selected samples from and where k is the number
              of drawn samples.<br>
            </div>
          </blockquote>
          <br>
          I am doing something wrong in LibreCalc with the formula:<br>
          <br>
          =EXP(-(B6^2)/(2*C6))<br>
          <br>
          Where B6 is the cell with K (3.86e+12) and C6 is n (2^96).&nbsp; I
          am getting an answer of 99%.<br>
          <br>
          <br>
          <blockquote cite="mid:5367E74D.3020501@gmail.com" type="cite">
            <div class="moz-cite-prefix"> <br>
              Rene<br>
              <br>
              On 5/5/2014 2:50 PM, Robert Moskowitz wrote:<br>
            </div>
            <blockquote cite="mid:5367DD73.5000007@htt-consult.com"
              type="cite"> <br>
              <div class="moz-cite-prefix">On 05/04/2014 11:40 AM,
                Robert Moskowitz wrote:<br>
              </div>
              <blockquote cite="mid:53665F53.6010006@htt-consult.com"
                type="cite">What population of HIs is needed for a 1%,
                10%, 50% probability of a HIT collision? <br>
                <br>
                I had the math once (like back in '99 or '00) and can't
                find it (probably did not survive the Eudora to
                Thunderbird migration). Thought I actually had this in a
                very early draft, but could not find any such beast.&nbsp; Of
                course that would have been for HIPv1 HITs, not HIPv2. <br>
                <br>
                Any help on the math would be appreciated.&nbsp; Also does it
                change with PK algorithm or key length?&nbsp; (seems not to
                me).<br>
              </blockquote>
              <br>
              Using the code at: <a moz-do-not-send="true"
                class="moz-txt-link-freetext"
                href="http://en.wikipedia.org/wiki/Birthday_attack">http://en.wikipedia.org/wiki/Birthday_attack</a><br>
              and compiling and running it via: <a
                moz-do-not-send="true" class="moz-txt-link-freetext"
                href="http://www.compileonline.com/compile_cpp11_online.php">http://www.compileonline.com/compile_cpp11_online.php</a><br>
              <br>
              I get the following probabilities for HIT collisions:<br>
              <br>
              First the population of HITs (96 bits of hash) is:
              7.9&times;10&sup2;&#8312;<br>
              <br>
              Then the probabilities of collision are:<br>
              <br>
              .01%&nbsp;&nbsp;&nbsp; 3.98076e+12<br>
              .1%&nbsp;&nbsp;&nbsp; 1.25911e+13<br>
              1%&nbsp;&nbsp;&nbsp; 3.99066e+13<br>
              10%&nbsp;&nbsp;&nbsp; 1.29209e+14<br>
              <br>
              And thus if each person in the world (7B) had 5 endpoints
              with HITs on them, the probability <br>
              of a collision would be 10<sup>&#8722;6</sup>%&nbsp;&nbsp; (p=e-8,
              pop=3.98066e+10).<br>
              <br>
              <br>
              <br>
              <br>
              <fieldset class="mimeAttachmentHeader"></fieldset>
              <br>
              <pre wrap="">_______________________________________________
Hipsec mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Hipsec@ietf.org">Hipsec@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/hipsec">https://www.ietf.org/mailman/listinfo/hipsec</a>
</pre>
            </blockquote>
            <br>
            <br>
            <pre class="moz-signature" cols="72">-- 
email: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:rstruik.ext@gmail.com">rstruik.ext@gmail.com</a> | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363</pre>
          </blockquote>
          <br>
        </blockquote>
        <br>
        <br>
        <pre class="moz-signature" cols="72">-- 
email: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:rstruik.ext@gmail.com">rstruik.ext@gmail.com</a> | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363</pre>
      </blockquote>
      <br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Hipsec mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Hipsec@ietf.org">Hipsec@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/hipsec">https://www.ietf.org/mailman/listinfo/hipsec</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>

--------------040108040200090803000001--
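The arithmetic behind the numbers in the thread above, as an added worked example (this code is not from the list posts or from any HIP implementation). It implements Rene's formula p(k,n) = (1-1/n)(1-2/n)...(1-(k-1)/n) for the probability that k uniformly chosen HITs are all distinct, its approximation e^{-k^2/(2n)}, and the inversion that gives the population k at which the probability of at least one collision, 1 - p(k,n), reaches a target. It assumes the thread's premise that HITs are uniformly distributed over 96 bits of hash (n = 2^96); the function names and the 50% row are my additions. Running it reproduces Bob's table, his 35B-endpoint estimate, and the 99% figure that =EXP(-(B6^2)/(2*C6)) returns in LibreCalc, which is the no-collision probability rather than the collision probability.

```python
"""Birthday-bound arithmetic for HIT collisions (added worked example).

p(k, n) = prod_{i<k} (1 - i/n) is the probability that k uniformly drawn
samples from an n-set are all distinct; 1 - p(k, n) is the probability of
at least one collision.  For large n, p(k, n) ~ exp(-k^2 / (2n)).
Assumption from the thread: HITs carry 96 bits of hash, so n = 2^96.
"""
import math


def no_collision_exact(k: int, n: int) -> float:
    """Exact p(k, n) by the product formula; only practical for small k
    (k is the loop count), so use it to sanity-check the approximation."""
    p = 1.0
    for i in range(k):
        p *= 1.0 - i / n
    return p


def no_collision_approx(k: float, n: float) -> float:
    """Approximate p(k, n) = exp(-k^2 / (2n)).

    This is exactly what the spreadsheet formula =EXP(-(B6^2)/(2*C6))
    computes: the probability that NO collision occurs.  For k = 3.86e12
    and n = 2^96 it is about 0.9999, i.e. the '99%' seen in LibreCalc."""
    return math.exp(-(k * k) / (2.0 * n))


def collision_probability(k: float, bits: int = 96) -> float:
    """Probability of at least one collision among k HITs that carry
    `bits` bits of hash.  -expm1(-x) equals 1 - exp(-x) but keeps full
    precision when x (and hence the probability) is tiny."""
    n = 2.0 ** bits  # exact in binary floating point
    return -math.expm1(-(k * k) / (2.0 * n))


def population_for_probability(p: float, bits: int = 96) -> float:
    """Invert the approximation: the number of HITs k at which the
    probability of at least one collision reaches p.

    1 - exp(-k^2 / (2n)) = p   =>   k = sqrt(-2n * ln(1 - p))."""
    n = 2.0 ** bits
    return math.sqrt(-2.0 * n * math.log1p(-p))


def hit_collision_table(bits: int = 96) -> dict:
    """Population of HITs needed for the collision probabilities asked
    about on the list (0.01%, 0.1%, 1%, 10%) plus the 50% point."""
    return {p: population_for_probability(p, bits)
            for p in (1e-4, 1e-3, 1e-2, 1e-1, 0.5)}


if __name__ == "__main__":
    for p, k in hit_collision_table().items():
        print(f"{p * 100:6.2f}%  {k:.5e} HITs")
    # Classic birthday problem as a check of the approximation quality.
    print("23 people, 365 days: exact", 1 - no_collision_exact(23, 365),
          "approx", 1 - no_collision_approx(23, 365))
    # Every person on earth (7e9) with 5 HIP endpoints: 3.5e10 HITs.
    print("3.5e10 HITs:", collision_probability(3.5e10))
    # What the LibreCalc formula actually returned.
    print("EXP(-(k^2)/(2n)) for k=3.86e12:", no_collision_approx(3.86e12, 2.0 ** 96))
```

The table rows agree with the figures Bob obtained from the Wikipedia birthday-attack code to five significant digits, and collision_probability(3.5e10) comes out near 8e-9, in line with the "10^-6 %" estimate. The approximation is pessimistic by about one percentage point on the 23-people birthday case, and converges to the exact product as n grows, so it is the right tool for n = 2^96 where the product cannot be evaluated term by term.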


From nobody Mon May 19 11:09:11 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E2461A03AD for <hipsec@ietfa.amsl.com>; Mon, 19 May 2014 11:09:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 54khxetBEWbp for <hipsec@ietfa.amsl.com>; Mon, 19 May 2014 11:09:08 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id CA5BE1A03AB for <hipsec@ietf.org>; Mon, 19 May 2014 11:09:08 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 5F43A62AE2 for <hipsec@ietf.org>; Mon, 19 May 2014 18:09:05 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tez1Fk1y6zGT for <hipsec@ietf.org>; Mon, 19 May 2014 14:08:55 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 352B362AE1 for <hipsec@ietf.org>; Mon, 19 May 2014 14:08:55 -0400 (EDT)
Message-ID: <537A48B6.9030202@htt-consult.com>
Date: Mon, 19 May 2014 14:08:54 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hip WG <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/EWUEzYSWm3AR0rGMbljIwaQBE8U
Subject: [Hipsec] ESP in clientVPN tunnel mode - what is needed in exchange
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 May 2014 18:09:10 -0000

I have a real need to provide ESP tunnel mode from a HIP client to a 
gateway.  The world just won't go as nicely as I would have wanted it to.

In the HIPL manual, there is an example of running OpenVPN within the 
BEET ESP connection, but I don't think that ends up with the same as ESP 
tunnel mode.

So what would be needed?  Simply an indicator that tunnel mode is in use, 
then run DHCP (or RA) through the tunnel?  Actually send addressing 
information as HIP parameters?

You don't want to use HITs in RFC4303 tunnel mode as is described in 
5202-bis.  You can use the initiator's (client) HIT, but then you would 
still need to map it on the gateway side.

Probably have to go look at what ESP does for tunnel support  :) but 
comments are welcome.

The tunnel needs to act differently than 'classic ESP tunnel' so that HIP 
mobility is maintained.

I suspect that others have given this more thought in actually 
implementing it, so please direct me to any papers on this.

Thanks


From nobody Mon May 19 11:14:37 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDF331A01C7 for <hipsec@ietfa.amsl.com>; Mon, 19 May 2014 11:14:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ih4EUwbaopTr for <hipsec@ietfa.amsl.com>; Mon, 19 May 2014 11:14:33 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 5866F1A01C5 for <hipsec@ietf.org>; Mon, 19 May 2014 11:14:33 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 180D862A91 for <hipsec@ietf.org>; Mon, 19 May 2014 18:14:33 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DUbU1WryCTxf for <hipsec@ietf.org>; Mon, 19 May 2014 14:14:12 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 38E5562AE1 for <hipsec@ietf.org>; Mon, 19 May 2014 14:14:12 -0400 (EDT)
Message-ID: <537A49F3.5050606@htt-consult.com>
Date: Mon, 19 May 2014 14:14:11 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hip WG <hipsec@ietf.org>
References: <537A48B6.9030202@htt-consult.com>
In-Reply-To: <537A48B6.9030202@htt-consult.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/QR25cXF5lgYB9R7w0liKSTFBEzE
Subject: Re: [Hipsec] ESP in clientVPN tunnel mode - what is needed in exchange
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 May 2014 18:14:34 -0000

More thoughts. 2 reserved bits can be used:

1 bit to indicate tunnel rather than transport
1 bit to indicate IPv4 or IPv6 tunnel addressing

Initially use the HIT/LSI to carry DHCP/RA packets through the tunnel? 
Though LSI is a bit messy. Though again, others more familiar with this 
part may tell me how easy this is to handle.


On 05/19/2014 02:08 PM, Robert Moskowitz wrote:
> I have a real need to provide ESP tunnel mode from a HIP client to a 
> gateway. The world just won't go as nicely as I would have wanted it to.
>
> In the HIPL manual, there is an example of running OpenVPN within the 
> BEET ESP connection, but I don't think that ends up with the same as 
> ESP tunnel mode.
>
> So what would be needed? Simply an indicator that tunnel mode is in 
> use, then run DHCP (or RA) through the tunnel? Actually send addressing 
> information as HIP parameters?
>
> You don't want to use HITs in RFC4303 tunnel mode as is described in 
> 5202-bis. You can use the initiator's (client) HIT, but then you would 
> still need to map it on the gateway side.
>
> Probably have to go look at what ESP does for tunnel support :) but 
> comments are welcome.
>
> The tunnel needs to act differently than 'classic ESP tunnel' so that HIP 
> mobility is maintained.
>
> I suspect that others have given this more thought in actually 
> implementing it, so please direct me to any papers on this.
>
> Thanks
>
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec
>


From nobody Mon May 19 11:53:13 2014
Return-Path: <mkomu@cs.hut.fi>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33B091A0156 for <hipsec@ietfa.amsl.com>; Mon, 19 May 2014 11:53:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level: 
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wOeBHTW3zBlw for <hipsec@ietfa.amsl.com>; Mon, 19 May 2014 11:53:08 -0700 (PDT)
Received: from mail.cs.hut.fi (mail.cs.hut.fi [130.233.192.7]) by ietfa.amsl.com (Postfix) with ESMTP id 892171A0104 for <hipsec@ietf.org>; Mon, 19 May 2014 11:53:08 -0700 (PDT)
Received: from [127.0.0.1] (hutcs.cs.hut.fi [130.233.192.10]) by mail.cs.hut.fi (Postfix) with ESMTP id 3BC8C308ED0 for <hipsec@ietf.org>; Mon, 19 May 2014 21:53:07 +0300 (EEST)
Message-ID: <537A5313.8090901@cs.hut.fi>
Date: Mon, 19 May 2014 21:53:07 +0300
From: Miika Komu <mkomu@cs.hut.fi>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: hipsec@ietf.org
References: <537A48B6.9030202@htt-consult.com>
In-Reply-To: <537A48B6.9030202@htt-consult.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/aODMc_UgXDo7M9Dh2NarJU429t0
Subject: Re: [Hipsec] ESP in clientVPN tunnel mode - what is needed in exchange
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 May 2014 18:53:11 -0000

Hi,

On 05/19/2014 09:08 PM, Robert Moskowitz wrote:
> I have a real need to provide ESP tunnel mode from a HIP client to a
> gateway.  The world just won't go as nicely as I would have wanted it to.

location-based security is old fashioned :(

At the application layer, tunnel mode may have some implications on the 
IPv4-IPv6 interoperability aspects of HIP.

> In the HIPL manual, there is an example of running OpenVPN within the
> BEET ESP connection, but I don't think that ends up with the same as ESP
> tunnel mode.

We tried successfully OpenVPN over HIP and vice versa.

> I suspect that others have given this more thought in actually
> implementing it, so please direct me to any papers on this.

my dissertation lists the following papers:

* P. Salmela and J. Melén. Host Identity Protocol Proxy. In J. Filipe 
and L. Vasiu, editors, ICETE, pages 222–230. INSTICC Press, 2005.

* G. Iapichino and C. Bonnet. Host Identity Protocol and Proxy Mobile 
IPv6: a Secure Global and Localized Mobility Management Scheme for 
Multihomed Mobile Nodes. In Proceedings of the 28th IEEE conference on 
Global telecommunications, GLOBECOM’09, pages 578–583, Piscataway, NJ, 
USA, 2009. IEEE Press.

* D. Zhang, X. Xu, J. Yao, and Z. Cao. Investigation in HIP Proxies, 
Oct. 2011. Work in progress, Internet draft.

* T. Henderson, S. C. Venema, and D. Mattes. HIP-based Virtual Private 
LAN Service (HIPLS), Mar. 2012.

* J. Melen, J. Ylitalo, and P. Salmela. Host Identity Protocol-based 
Mobile Proxy, Aug. 2009. An expired Internet draft.

* R. H. Paine. Beyond HIP: The End to Hacking As We Know It. BookSurge 
Publishing, 2009.

Also this one:

http://link.springer.com/chapter/10.1007%2F978-3-540-75993-5_11


From nobody Mon May 19 12:12:06 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDD5C1A022A for <hipsec@ietfa.amsl.com>; Mon, 19 May 2014 12:12:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kXsKaAPKCSnD for <hipsec@ietfa.amsl.com>; Mon, 19 May 2014 12:12:02 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 2CA2B1A03BD for <hipsec@ietf.org>; Mon, 19 May 2014 12:12:02 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id D4D0062AA4; Mon, 19 May 2014 19:12:01 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cPwBnlhh-t9N; Mon, 19 May 2014 15:11:51 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 3724562A81; Mon, 19 May 2014 15:11:51 -0400 (EDT)
Message-ID: <537A5776.7000407@htt-consult.com>
Date: Mon, 19 May 2014 15:11:50 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Miika Komu <mkomu@cs.hut.fi>, hipsec@ietf.org
References: <537A48B6.9030202@htt-consult.com> <537A5313.8090901@cs.hut.fi>
In-Reply-To: <537A5313.8090901@cs.hut.fi>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/L8_fOXBFQeSsKQmigX7EVV7-P_M
Subject: Re: [Hipsec] ESP in clientVPN tunnel mode - what is needed in exchange
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 May 2014 19:12:05 -0000

On 05/19/2014 02:53 PM, Miika Komu wrote:
> Hi,
>
> On 05/19/2014 09:08 PM, Robert Moskowitz wrote:
>> I have a real need to provide ESP tunnel mode from a HIP client to a
>> gateway.  The world just won't go as nicely as I would have wanted it 
>> to.
>
> location-based security is old fashioned :(

It is but it is a case of stepwise development/deployment.  The parties 
involved first want their VPNs like they always had them but mobile.  
Then slowly migrate...

>
> At the application layer, tunnel mode may have some implications on 
> the IPv4-IPv6 interoperability aspects of HIP.
>
>> In the HIPL manual, there is an example of running OpenVPN within the
>> BEET ESP connection, but I don't think that ends up with the same as ESP
>> tunnel mode.
>
> We tried successfully OpenVPN over HIP and vice versa.

Yes, but OpenVPN over HIP adds what overhead byte-wise?  I would think 
there would be ESPnESP here.  Granted that was in the design for ESP, 
but still this is mobile.

>
>> I suspect that others have given this more thought in actually
>> implementing it, so please direct me to any papers on this.
>
> my dissertation lists the following papers:
>
> * P. Salmela and J. Melén. Host Identity Protocol Proxy. In J. Filipe 
> and L. Vasiu, editors, ICETE, pages 222–230. INSTICC Press, 2005.
>
> * G. Iapichino and C. Bonnet. Host Identity Protocol and Proxy Mobile 
> IPv6: a Secure Global and Localized Mobility Management Scheme for 
> Multihomed Mobile Nodes. In Proceedings of the 28th IEEE conference on 
> Global telecommunications, GLOBECOM’09, pages 578–583, Piscataway, NJ, 
> USA, 2009. IEEE Press.
>
> * D. Zhang, X. Xu, J. Yao, and Z. Cao. Investigation in HIP Proxies, 
> Oct. 2011. Work in progress, Internet draft.
>
> * T. Henderson, S. C. Venema, and D. Mattes. HIP-based Virtual Private 
> LAN Service (HIPLS), Mar. 2012.
>
> * J. Melen, J. Ylitalo, and P. Salmela. Host Identity Protocol-based 
> Mobile Proxy, Aug. 2009. An expired Internet draft.
>
> * R. H. Paine. Beyond HIP: The End to Hacking As We Know It. BookSurge 
> Publishing, 2009.
>
> Also this one:
>
> http://link.springer.com/chapter/10.1007%2F978-3-540-75993-5_11

One might think that a proxy has more work to perform on a per-packet 
basis than a gateway.



From nobody Mon May 19 12:51:18 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 797741A03AB for <hipsec@ietfa.amsl.com>; Mon, 19 May 2014 12:51:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f0nohGJ1F1po for <hipsec@ietfa.amsl.com>; Mon, 19 May 2014 12:51:12 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 4F1241A0129 for <hipsec@ietf.org>; Mon, 19 May 2014 12:51:12 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id AEC4C62A81 for <hipsec@ietf.org>; Mon, 19 May 2014 19:51:11 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nu7snrtdCvKU for <hipsec@ietf.org>; Mon, 19 May 2014 15:51:01 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 0291062A78 for <hipsec@ietf.org>; Mon, 19 May 2014 15:51:00 -0400 (EDT)
Message-ID: <537A60A4.4060502@htt-consult.com>
Date: Mon, 19 May 2014 15:51:00 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hip WG <hipsec@ietf.org>
References: <537A48B6.9030202@htt-consult.com> <537A49F3.5050606@htt-consult.com>
In-Reply-To: <537A49F3.5050606@htt-consult.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/zh454NTohV46EnOSg92SJGBSNcI
Subject: Re: [Hipsec] ESP in clientVPN tunnel mode - what is needed in exchange
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 May 2014 19:51:17 -0000

On 05/19/2014 02:14 PM, Robert Moskowitz wrote:
> More thoughts. 2 reserved bits can be used:
>
> 1 bit to indicate tunnel rather than transport
> 1 bit to indicate IPv4 or IPv6 tunnel addressing
>
> Initially use the HIT/LSI to carry DHCP/RA packets through the tunnel? 
> Though LSI is a bit messy. Though again, others more familiar with 
> this part may tell me how easy this is to handle.

RFC 3456 for DHCP over IPsec. At least for IPv4. Now to read it...

>
>
> On 05/19/2014 02:08 PM, Robert Moskowitz wrote:
>> I have a real need to provide ESP tunnel mode from a HIP client to a 
>> gateway. The world just won't go as nicely as I would have wanted it to.
>>
>> In the HIPL manual, there is an example of running OpenVPN within the 
>> BEET ESP connection, but I don't think that ends up with the same as 
>> ESP tunnel mode.
>>
>> So what would be needed? Simply an indicator that tunnel mode is in 
>> use, then run DHCP (or RA) through the tunnel? Actually send 
>> addressing information as HIP parameters?
>>
>> You don't want to use HITs in RFC4303 tunnel mode as is described in 
>> 5202-bis. You can use the initiator's (client) HIT, but then you would 
>> still need to map it on the gateway side.
>>
>> Probably have to go look at what ESP does for tunnel support :) but 
>> comments are welcome.
>>
>> The tunnel needs to act differently than 'classic ESP tunnel' so that 
>> HIP mobility is maintained.
>>
>> I suspect that others have given this more thought in actually 
>> implementing it, so please direct me to any papers on this.
>>
>> Thanks
>>
>> _______________________________________________
>> Hipsec mailing list
>> Hipsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/hipsec
>>
>
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec
>


From nobody Tue May 20 06:13:46 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A4261A035B for <hipsec@ietfa.amsl.com>; Tue, 20 May 2014 06:13:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VJi4cWNVCa-J for <hipsec@ietfa.amsl.com>; Tue, 20 May 2014 06:13:44 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id C85661A0357 for <hipsec@ietf.org>; Tue, 20 May 2014 06:13:43 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 829C262B6C; Tue, 20 May 2014 13:13:42 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6vS6TWlgY6mG; Tue, 20 May 2014 09:13:32 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 1054962A78; Tue, 20 May 2014 09:13:31 -0400 (EDT)
Message-ID: <537B54FB.1070006@htt-consult.com>
Date: Tue, 20 May 2014 09:13:31 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Miika Komu <mkomu@cs.hut.fi>, hipsec@ietf.org
References: <537A48B6.9030202@htt-consult.com> <537A5313.8090901@cs.hut.fi>
In-Reply-To: <537A5313.8090901@cs.hut.fi>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/0NfYPyAqpLiPCKWWC2VqPLnkL7k
Subject: Re: [Hipsec] ESP in clientVPN tunnel mode - what is needed in exchange
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2014 13:13:45 -0000

On 05/19/2014 02:53 PM, Miika Komu wrote:
> Hi,
>
> On 05/19/2014 09:08 PM, Robert Moskowitz wrote:
>> I have a real need to provide ESP tunnel mode from a HIP client to a
>> gateway.  The world just won't go as nicely as I would have wanted it 
>> to.
>
> location-based security is old fashioned :(
>
> At the application layer, tunnel mode may have some implications on 
> the IPv4-IPv6 interoperability aspects of HIP.

I have thought a lot about this, and BOY does it ever mess this up. 
There would need to be IPv4/v6 signalling within the ESP tunnel to make 
this work.  The VPN interface (separate from the HIP interface) would 
'know' if the incoming packet was v4 or v6, and would tag the ESP header 
appropriately?

Or no, wait, not so simple.  Actually the addresses ARE in the inner 
headers, I am getting confused with a HIP proxy that does not maintain 
an identity for each non-HIP host :)  But can ESP tunnel mix and match 
v4 and v6 inner packets...

Oh my head hurts!



From nobody Tue May 20 13:48:03 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4281E1A00EA for <hipsec@ietfa.amsl.com>; Tue, 20 May 2014 13:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QciWqD9o_c_i for <hipsec@ietfa.amsl.com>; Tue, 20 May 2014 13:48:00 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 13F6C1A03C5 for <hipsec@ietf.org>; Tue, 20 May 2014 13:48:00 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 2CD5962A6A for <hipsec@ietf.org>; Tue, 20 May 2014 20:47:59 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jjdnLICp8wkH for <hipsec@ietf.org>; Tue, 20 May 2014 16:47:48 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 8801F63407 for <hipsec@ietf.org>; Tue, 20 May 2014 16:47:48 -0400 (EDT)
Message-ID: <537BBF74.3060400@htt-consult.com>
Date: Tue, 20 May 2014 16:47:48 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hipsec@ietf.org
References: <537A48B6.9030202@htt-consult.com> <537A5313.8090901@cs.hut.fi> <537B54FB.1070006@htt-consult.com>
In-Reply-To: <537B54FB.1070006@htt-consult.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/XSuy6s5EeyexhMzmpQy1sUGKIlk
Subject: [Hipsec] Just use 5203 registration - Re: ESP in clientVPN tunnel mode - what is needed in exchange
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2014 20:48:02 -0000

So DHCP could be sent in an R1 in a REQ_INFO parameter.
I2 would have the DHCP request and R2 the DHCP information?

You could pass DHCPv4/v6 as well as RA config information this way. Does 
make the packets a tad bigger!


On 05/20/2014 09:13 AM, Robert Moskowitz wrote:
>
> On 05/19/2014 02:53 PM, Miika Komu wrote:
>> Hi,
>>
>> On 05/19/2014 09:08 PM, Robert Moskowitz wrote:
>>> I have a real need to provide ESP tunnel mode from a HIP client to a
>>> gateway. The world just won't go as nicely as I would have wanted it 
>>> to.
>>
>> location-based security is old fashioned :(
>>
>> At the application layer, tunnel mode may have some implications on 
>> the IPv4-IPv6 interoperability aspects of HIP.
>
> I have thought a lot about this, and BOY does it ever mess this up. 
> There would need to be IPv4/v6 signalling within the ESP tunnel to 
> make this work. The VPN interface (separate from the HIP interface) 
> would 'know' if the incoming packet was v4 or v6, and would tag the 
> ESP header appropriately?
>
> Or no, wait, not so simple. Actually the addresses ARE in the inner 
> headers, I am getting confused with a HIP proxy that does not maintain 
> an identity for each non-HIP host :) But can ESP tunnel mix and match 
> v4 and v6 inner packets...
>
> Oh my head hurts!
>
>
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec
>
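
As an added example, not code from this thread, from HIPL or from any RFC, the following Python shows what the ideas above look like on the wire: the two-reserved-bits proposal from the 19 May message (tunnel vs. transport, IPv4 vs. IPv6 inner addressing), the "send addressing information as HIP parameters" option from the opening message, and the IPv4/IPv6 mixing worry. The HIP TLV layout and the ESP_INFO type value (65) come from RFC 7401 and RFC 5202; the flag bit positions, the TUNNEL_ADDR parameter and its type number are assumptions made for this example. The gateway-side parser rejects undefined reserved bits, length mismatches and a family flag that disagrees with the carried address, which is the kind of check that keeps a v4/v6 mix-up from becoming a forwarding surprise.

```python
import ipaddress
import struct

# HIP parameter TLV (RFC 7401, section 5.2.1): Type (16 bits), Length (16 bits,
# counts contents only), Contents, then zero padding so the whole parameter is a
# multiple of 8 bytes. An odd Type value marks the parameter as critical: a
# receiver that does not understand it must reject the packet, not skip it.
ESP_INFO = 65  # ESP_INFO type value from RFC 5202 (odd, so critical)

# Proposed use of two high bits of the ESP_INFO Reserved field. The positions are
# an assumption for this example; RFC 5202 defines the field as zero when sent
# and ignored when received.
FLAG_TUNNEL = 0x8000    # ESP tunnel mode instead of BEET/transport
FLAG_INNER_V6 = 0x4000  # inner (tunnelled) packets are IPv6, otherwise IPv4
KNOWN_FLAGS = FLAG_TUNNEL | FLAG_INNER_V6

# Hypothetical parameter carrying the client's inner tunnel address. The type
# number is a PLACEHOLDER, not an IANA value; it is even, so unaware peers skip it.
TUNNEL_ADDR = 0xFFF0


def encode_param(ptype: int, contents: bytes) -> bytes:
    """Wrap contents in a HIP TLV, zero-padded to an 8-byte boundary."""
    body = struct.pack("!HH", ptype, len(contents)) + contents
    return body + b"\x00" * ((-len(body)) % 8)


def decode_params(buf: bytes) -> list:
    """Walk a parameter list; every length is checked against the buffer."""
    params, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated parameter header")
        ptype, plen = struct.unpack_from("!HH", buf, off)
        padded_end = off + 4 + plen + ((-(4 + plen)) % 8)
        if padded_end > len(buf):
            raise ValueError("parameter length exceeds packet")
        params.append((ptype, buf[off + 4:off + 4 + plen]))
        off = padded_end
    return params


def encode_esp_info(keymat_index: int, old_spi: int, new_spi: int, flags: int = 0) -> bytes:
    if flags & ~KNOWN_FLAGS:
        raise ValueError("undefined reserved bits requested")
    return encode_param(ESP_INFO, struct.pack("!HHII", flags, keymat_index, old_spi, new_spi))


def decode_esp_info(contents: bytes) -> dict:
    if len(contents) != 12:
        raise ValueError("ESP_INFO contents must be 12 bytes")
    flags, keymat_index, old_spi, new_spi = struct.unpack("!HHII", contents)
    # Strict on purpose: once reserved bits carry meaning, the ones this
    # extension has not defined are rejected rather than silently ignored.
    if flags & ~KNOWN_FLAGS:
        raise ValueError("undefined reserved bits set")
    return {"tunnel": bool(flags & FLAG_TUNNEL), "inner_v6": bool(flags & FLAG_INNER_V6),
            "keymat_index": keymat_index, "old_spi": old_spi, "new_spi": new_spi}


def encode_tunnel_addr(addr: str) -> bytes:
    ip = ipaddress.ip_address(addr)
    return encode_param(TUNNEL_ADDR, bytes([ip.version]) + ip.packed)


def decode_tunnel_addr(contents: bytes):
    """Family byte and address length must agree; anything else is rejected."""
    if len(contents) < 1:
        raise ValueError("empty TUNNEL_ADDR")
    expected = {4: 4, 6: 16}.get(contents[0])
    if expected is None or len(contents) - 1 != expected:
        raise ValueError("address family/length mismatch")
    return ipaddress.ip_address(contents[1:])


def build_tunnel_setup(inner_addr: str, keymat_index: int, old_spi: int, new_spi: int) -> bytes:
    """Client side: ESP_INFO with the tunnel flags plus the inner address."""
    ip = ipaddress.ip_address(inner_addr)
    flags = FLAG_TUNNEL | (FLAG_INNER_V6 if ip.version == 6 else 0)
    return encode_esp_info(keymat_index, old_spi, new_spi, flags) + encode_tunnel_addr(inner_addr)


def parse_tunnel_setup(buf: bytes):
    """Gateway side: decode, then cross-check the flags against the carried address."""
    esp = addr = None
    for ptype, contents in decode_params(buf):
        if ptype == ESP_INFO:
            esp = decode_esp_info(contents)
        elif ptype == TUNNEL_ADDR:
            addr = decode_tunnel_addr(contents)
        elif ptype & 1:
            raise ValueError(f"unknown critical parameter type {ptype}")
        # unknown non-critical parameters are skipped, as RFC 7401 requires
    if esp is None:
        raise ValueError("ESP_INFO missing")
    if esp["tunnel"]:
        if addr is None:
            raise ValueError("tunnel flag set but no inner address carried")
        if esp["inner_v6"] != (addr.version == 6):
            raise ValueError("address family flag disagrees with carried address")
    elif addr is not None:
        raise ValueError("inner address carried without the tunnel flag")
    return esp, addr


if __name__ == "__main__":
    # Constructed sample: a private IPv4 inner address and demo SPI values.
    wire = build_tunnel_setup("10.0.0.5", 1, 0, 0x12345678)
    print(wire.hex())
    print(parse_tunnel_setup(wire))
```

The encoder always derives the family flag from the address it carries, so the only way the two disagree on the wire is corruption or tampering, and the parser treats that as a hard error rather than trusting either side. Unknown non-critical parameters are skipped and unknown critical ones are rejected, matching the normal HIP parameter processing rule.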


From nobody Thu May 22 13:16:51 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 937871A02A9 for <hipsec@ietfa.amsl.com>; Thu, 22 May 2014 13:16:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uswgUgxqEAcU for <hipsec@ietfa.amsl.com>; Thu, 22 May 2014 13:16:47 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id E64291A0313 for <hipsec@ietf.org>; Thu, 22 May 2014 13:16:28 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 1470B6348D for <hipsec@ietf.org>; Thu, 22 May 2014 20:16:26 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id azE6J++OJ3hO for <hipsec@ietf.org>; Thu, 22 May 2014 16:16:16 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id D159D62A74 for <hipsec@ietf.org>; Thu, 22 May 2014 16:16:15 -0400 (EDT)
Message-ID: <537E5B0F.1090004@htt-consult.com>
Date: Thu, 22 May 2014 16:16:15 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hipsec@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/zW7mzvbNZeEs3PNpx2OgHbXCFcI
Subject: [Hipsec] Looking for slides on Relay server
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 May 2014 20:16:49 -0000

At times I would like to strangle myself.  WHY did I ever create private 
addresses for IPv4 and thus create a market for NAT boxes?????  Well, if 
I had not been involved, it would have still happened.  The use cases 
were out there and ROAD was dead.  Enough handwringing.  We have Nasty 
NATs and mobile devices pop in and out of them.  So we have to relay.

But only the WiFi connection would get behind bad NATs.  My testing over 
Verizon Wireless has worked well without relaying.  So one MIGHT think 
that with LOCATORs we could say that this locator need not relay, but 
this better.  Of course the phones have this tendency to roam and 
perhaps not all cellular providers are set up not to need relaying....

Andrei's lecture notes do not cover the relay server part, only rvs and 
I3 stuff.  I am looking for some slides to cover relay.

thanks



From nobody Thu May 22 13:36:44 2014
Return-Path: <mkomu@cs.hut.fi>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 855F11A032F for <hipsec@ietfa.amsl.com>; Thu, 22 May 2014 13:36:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level: 
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aw7mdM-NuIXn for <hipsec@ietfa.amsl.com>; Thu, 22 May 2014 13:36:41 -0700 (PDT)
Received: from mail.cs.hut.fi (mail.cs.hut.fi [130.233.192.7]) by ietfa.amsl.com (Postfix) with ESMTP id 494FB1A0305 for <hipsec@ietf.org>; Thu, 22 May 2014 13:36:41 -0700 (PDT)
Received: from [127.0.0.1] (hutcs.cs.hut.fi [130.233.192.10]) by mail.cs.hut.fi (Postfix) with ESMTP id 29244308742 for <hipsec@ietf.org>; Thu, 22 May 2014 23:36:39 +0300 (EEST)
Message-ID: <537E5FD7.9030304@cs.hut.fi>
Date: Thu, 22 May 2014 23:36:39 +0300
From: Miika Komu <mkomu@cs.hut.fi>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: hipsec@ietf.org
References: <537E5B0F.1090004@htt-consult.com>
In-Reply-To: <537E5B0F.1090004@htt-consult.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/Vj1YezJBp5Kr9LJ9nWfIEB6tMc4
Subject: Re: [Hipsec] Looking for slides on Relay server
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 May 2014 20:36:43 -0000

Hi,

On 05/22/2014 11:16 PM, Robert Moskowitz wrote:
> At times I would like to strangle myself.  WHY did I ever create private
> addresses for IPv4 and thus create a market for NAT boxes?????  Well, if
> I had not been involved, it would have still happened.  The use cases
> were out there and ROAD was dead.  Enough handwringing.  We have Nasty
> NATs and mobile devices pop in and out of them.  So we have to relay.
>
> But only the WiFi connection would get behind bad NATs.  My testing over
> Verizon Wireless has worked well without relaying.  So one MIGHT think
> that with LOCATORs we could say that this locator need not relay, but
> this better.  Of course the phones have this tendency to roam and
> perhaps not all cellular providers are set up not to need relaying....
>
> Andrei's lecture notes do not cover the relay server part, only rvs and
> I3 stuff.  I am looking for some slides to cover relay.

In the HIPL project, we have just been using the Teredo infrastructure (with 
the miredo software on Linux) to take care of NAT penetration, and HIP 
for its persistent namespace (as Teredo addresses can change).
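Added example (not HIPL code and not from anyone on this thread): decoding and composing Teredo addresses according to the RFC 4380 layout, to show why a Teredo address is tied to the client's current NAT mapping and therefore changes when that mapping does, which is what makes HIP's stable identifier useful on top of it. The server address, client address and port below are constructed from documentation ranges.

```python
import ipaddress

# Teredo (RFC 4380) address layout, 128 bits:
#   [ 32: prefix 2001:0000 ][ 32: Teredo server IPv4 ][ 16: flags ]
#   [ 16: mapped UDP port XOR 0xFFFF ][ 32: mapped client IPv4 XOR 0xFFFFFFFF ]
TEREDO_PREFIX = 0x20010000   # 2001:0000::/32
CONE_FLAG = 0x8000           # set when the client sits behind a cone NAT


def parse_teredo(addr: str) -> dict:
    """Decode the NAT mapping that a Teredo address carries."""
    v = int(ipaddress.IPv6Address(addr))
    if (v >> 96) != TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address (prefix is not 2001::/32)")
    server = ipaddress.IPv4Address((v >> 64) & 0xFFFFFFFF)
    flags = (v >> 48) & 0xFFFF
    # The external mapping is stored bit-inverted so that a NAT rewriting
    # IPv4 literals in payloads does not touch it; undo the obfuscation.
    mapped_port = ((v >> 32) & 0xFFFF) ^ 0xFFFF
    mapped_ipv4 = ipaddress.IPv4Address((v & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "cone": bool(flags & CONE_FLAG),
        "mapped_ipv4": str(mapped_ipv4),
        "mapped_port": mapped_port,
    }


def build_teredo(server: str, cone: bool, mapped_ipv4: str, mapped_port: int) -> str:
    """Compose the address a Teredo client derives from its server and NAT mapping."""
    if not 0 <= mapped_port <= 0xFFFF:
        raise ValueError("UDP port out of range")
    v = TEREDO_PREFIX << 96
    v |= int(ipaddress.IPv4Address(server)) << 64
    v |= (CONE_FLAG if cone else 0) << 48
    v |= (mapped_port ^ 0xFFFF) << 32
    v |= int(ipaddress.IPv4Address(mapped_ipv4)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv6Address(v))


def locator_survives_remap(server: str, cone: bool, mapped_ipv4: str,
                           old_port: int, new_port: int) -> bool:
    """True only if the Teredo address stays the same after the NAT re-maps the port.

    A NAT reboot or idle timeout gives the client a new external port, so the
    derived address changes; this is the locator churn HIP's HIT hides from the
    application.
    """
    before = build_teredo(server, cone, mapped_ipv4, old_port)
    after = build_teredo(server, cone, mapped_ipv4, new_port)
    return before == after


if __name__ == "__main__":
    # Constructed sample: server 198.51.100.1, client 192.0.2.45 mapped to port 40000
    addr = build_teredo("198.51.100.1", True, "192.0.2.45", 40000)
    print(addr)
    print(parse_teredo(addr))
    print("same locator after re-map:",
          locator_survives_remap("198.51.100.1", True, "192.0.2.45", 40000, 40001))
```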


From nobody Thu May 22 13:49:09 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC74C1A0370 for <hipsec@ietfa.amsl.com>; Thu, 22 May 2014 13:49:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xoxC_5eX_0Bt for <hipsec@ietfa.amsl.com>; Thu, 22 May 2014 13:49:06 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 4973C1A034D for <hipsec@ietf.org>; Thu, 22 May 2014 13:49:06 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 8F0D662A63; Thu, 22 May 2014 20:49:04 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id idCdzURlWJpj; Thu, 22 May 2014 16:48:54 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 9C82F634A7; Thu, 22 May 2014 16:48:50 -0400 (EDT)
Message-ID: <537E62B2.8050903@htt-consult.com>
Date: Thu, 22 May 2014 16:48:50 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Miika Komu <mkomu@cs.hut.fi>, hipsec@ietf.org
References: <537E5B0F.1090004@htt-consult.com> <537E5FD7.9030304@cs.hut.fi>
In-Reply-To: <537E5FD7.9030304@cs.hut.fi>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/NIjblT1Bvbld0gEBzjPzh8x384Q
Subject: Re: [Hipsec] Looking for slides on Relay server
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 May 2014 20:49:07 -0000

On 05/22/2014 04:36 PM, Miika Komu wrote:
> Hi,
>
> On 05/22/2014 11:16 PM, Robert Moskowitz wrote:
>> At times I would like to strangle myself. WHY did I ever create private
>> addresses for IPv4 and thus create a market for NAT boxes????? Well, if
>> I had not been involved, it would still have happened. The use cases
>> were out there and ROAD was dead. Enough handwringing. We have Nasty
>> NATs and mobile devices pop in and out of them. So we have to relay.
>>
>> But only the WiFi connection would get behind bad NATs. My testing over
>> Verizon Wireless has worked well without relaying. So one MIGHT think
>> that with LOCATORs we could say that this locator need not relay, but
>> this better. Of course the phones have this tendency to roam and
>> perhaps not all cellular providers are set up not to need relaying....
>>
>> Andrei's lecture notes do not cover the relay server part, only rvs and
>> I3 stuff. I am looking for some slides to cover relay.
>
> In the HIPL project, we have just been using the Teredo infrastructure 
> (with the miredo software on Linux) to take care of NAT penetration, 
> and HIP for its persistent namespace (as Teredo addresses can change).

I was JUST thinking about that!!!

That is what I did in my demo some years back, running Miredo on one of 
my Centos boxes.



From nobody Thu May 22 13:50:47 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 383231A037D for <hipsec@ietfa.amsl.com>; Thu, 22 May 2014 13:50:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JianxUOuUIV3 for <hipsec@ietfa.amsl.com>; Thu, 22 May 2014 13:50:39 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id D9D721A037A for <hipsec@ietf.org>; Thu, 22 May 2014 13:50:38 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 66A6862A75; Thu, 22 May 2014 20:50:37 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hpZH3CcvWsMl; Thu, 22 May 2014 16:50:27 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id DDD3762A63; Thu, 22 May 2014 16:50:26 -0400 (EDT)
Message-ID: <537E6312.7010109@htt-consult.com>
Date: Thu, 22 May 2014 16:50:26 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Miika Komu <mkomu@cs.hut.fi>, hipsec@ietf.org
References: <537E5B0F.1090004@htt-consult.com> <537E5FD7.9030304@cs.hut.fi>
In-Reply-To: <537E5FD7.9030304@cs.hut.fi>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/8un-AWpvwLB9s3-ATW1-3UNtjS4
Subject: Re: [Hipsec] Looking for slides on Relay server
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 May 2014 20:50:41 -0000

On 05/22/2014 04:36 PM, Miika Komu wrote:
> Hi,
>
> On 05/22/2014 11:16 PM, Robert Moskowitz wrote:
>> At times I would like to strangle myself. WHY did I ever create private
>> addresses for IPv4 and thus create a market for NAT boxes????? Well, if
>> I had not been involved, it would still have happened. The use cases
>> were out there and ROAD was dead. Enough handwringing. We have Nasty
>> NATs and mobile devices pop in and out of them. So we have to relay.
>>
>> But only the WiFi connection would get behind bad NATs. My testing over
>> Verizon Wireless has worked well without relaying. So one MIGHT think
>> that with LOCATORs we could say that this locator need not relay, but
>> this better. Of course the phones have this tendency to roam and
>> perhaps not all cellular providers are set up not to need relaying....
>>
>> Andrei's lecture notes do not cover the relay server part, only rvs and
>> I3 stuff. I am looking for some slides to cover relay.
>
> In the HIPL project, we have just been using the Teredo infrastructure 
> (with the miredo software on Linux) to take care of NAT penetration, 
> and HIP for its persistent namespace (as Teredo addresses can change).

And when you do Teredo, you only need RVS, not Relay. Actually, the 
Relaying is done in Teredo.

My head hurts. But this means you are doing Teredo NAT traversal not HIP 
NAT traversal?



From nobody Thu May 22 14:25:43 2014
Return-Path: <mkomu@cs.hut.fi>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B184E1A02DE for <hipsec@ietfa.amsl.com>; Thu, 22 May 2014 14:25:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level: 
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ViGPti0sJT7R for <hipsec@ietfa.amsl.com>; Thu, 22 May 2014 14:25:40 -0700 (PDT)
Received: from mail.cs.hut.fi (mail.cs.hut.fi [130.233.192.7]) by ietfa.amsl.com (Postfix) with ESMTP id 794FA1A0283 for <hipsec@ietf.org>; Thu, 22 May 2014 14:25:40 -0700 (PDT)
Received: from [127.0.0.1] (hutcs.cs.hut.fi [130.233.192.10]) by mail.cs.hut.fi (Postfix) with ESMTP id 74B4230879B for <hipsec@ietf.org>; Fri, 23 May 2014 00:25:38 +0300 (EEST)
Message-ID: <537E6B51.5080302@cs.hut.fi>
Date: Fri, 23 May 2014 00:25:37 +0300
From: Miika Komu <mkomu@cs.hut.fi>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: hipsec@ietf.org
References: <537E5B0F.1090004@htt-consult.com> <537E5FD7.9030304@cs.hut.fi> <537E6312.7010109@htt-consult.com>
In-Reply-To: <537E6312.7010109@htt-consult.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/gIEM-7Enkbfve--rL3ZJ6hF_Op0
Subject: Re: [Hipsec] Looking for slides on Relay server
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 May 2014 21:25:41 -0000

Hi,

On 05/22/2014 11:50 PM, Robert Moskowitz wrote:
>
> On 05/22/2014 04:36 PM, Miika Komu wrote:
>> Hi,
>>
>> On 05/22/2014 11:16 PM, Robert Moskowitz wrote:
>>> At times I would like to strangle myself. WHY did I ever create private
>>> addresses for IPv4 and thus create a market for NAT boxes????? Well, if
>>> I had not been involved, it would still have happened. The use cases
>>> were out there and ROAD was dead. Enough handwringing. We have Nasty
>>> NATs and mobile devices pop in and out of them. So we have to relay.
>>>
>>> But only the WiFi connection would get behind bad NATs. My testing over
>>> Verizon Wireless has worked well without relaying. So one MIGHT think
>>> that with LOCATORs we could say that this locator need not relay, but
>>> this better. Of course the phones have this tendency to roam and
>>> perhaps not all cellular providers are set up not to need relaying....
>>>
>>> Andrei's lecture notes do not cover the relay server part, only rvs and
>>> I3 stuff. I am looking for some slides to cover relay.
>>
>> In the HIPL project, we have just been using the Teredo infrastructure
>> (with the miredo software on Linux) to take care of NAT penetration,
>> and HIP for its persistent namespace (as Teredo addresses can change).
>
> And when you do Teredo, you only need RVS, not Relay. Actually, the
> Relaying is done in Teredo.

You still need RVS for double jump.

> My head hurts. But this means you are doing Teredo NAT traversal not HIP
> NAT traversal?

Currently, HIP for Linux supports just full relay. The bis-style NAT 
traversal extensions are not supported. We did implement RFC5770, but 
this was removed from the trunk, so you have to use Teredo if you don't 
like the full relay. Anyway, this is getting a bit implementation 
specific for this mailing list.


From nobody Fri May 23 04:55:01 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA2D71A0166 for <hipsec@ietfa.amsl.com>; Fri, 23 May 2014 04:55:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sJtgiFVwSOsX for <hipsec@ietfa.amsl.com>; Fri, 23 May 2014 04:54:59 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 28A0B1A017F for <hipsec@ietf.org>; Fri, 23 May 2014 04:54:59 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 53F53634C2 for <hipsec@ietf.org>; Fri, 23 May 2014 11:54:57 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WMlfA6qIF0UF for <hipsec@ietf.org>; Fri, 23 May 2014 07:54:47 -0400 (EDT)
Received: from lx120e.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 11D52634B4 for <hipsec@ietf.org>; Fri, 23 May 2014 07:54:47 -0400 (EDT)
Message-ID: <537F3706.8020805@htt-consult.com>
Date: Fri, 23 May 2014 07:54:46 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hipsec@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/F1LmN8ElBvteGv0ajaDPhdwOR8I
Subject: [Hipsec] Teredo and HIP mobility/NAT
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 May 2014 11:55:01 -0000

I have thought a lot about this and generally it works out badly no matter 
how you slice it.  Well, if I was writing the network kernel, I would 
incorporate Teredo so that all interfaces presented an IPv6 address at 
all times and if it had a 'native' IPv6 would not use Teredo.  Basically 
tying Teredo right into the interface handling?

We have probably all thought long and hard about this.  Multiple 
interfaces, most of them mobile.  They are supposed to be changing their 
priority based on something or other (IEEE 802.21?)  IPv6 should be IPv6 
publicly routable.  But IPv4 will change from public, to good NAT, to 
bad NAT, and bounce around.  Because of this bad mix of reality we go to 
the lowest common denominator and do everything as if there is a bad NAT 
in the way.  We have no effective method of intelligently switching.

HIP everywhere does not fix bad NATs.

Networking reality basically xxxxx, well I do try and control my 
language in public.



From nobody Fri May 23 05:56:24 2014
Return-Path: <mkomu@cs.hut.fi>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98E0F1A046B for <hipsec@ietfa.amsl.com>; Fri, 23 May 2014 05:56:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level: 
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QeXPzMXreLpe for <hipsec@ietfa.amsl.com>; Fri, 23 May 2014 05:56:20 -0700 (PDT)
Received: from mail.cs.hut.fi (mail.cs.hut.fi [130.233.192.7]) by ietfa.amsl.com (Postfix) with ESMTP id 4829C1A01D4 for <hipsec@ietf.org>; Fri, 23 May 2014 05:56:20 -0700 (PDT)
Received: from [127.0.0.1] (hutcs.cs.hut.fi [130.233.192.10]) by mail.cs.hut.fi (Postfix) with ESMTP id 2B017308F2F for <hipsec@ietf.org>; Fri, 23 May 2014 15:56:17 +0300 (EEST)
Message-ID: <537F4570.1050603@cs.hut.fi>
Date: Fri, 23 May 2014 15:56:16 +0300
From: Miika Komu <mkomu@cs.hut.fi>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: hipsec@ietf.org
References: <537F3706.8020805@htt-consult.com>
In-Reply-To: <537F3706.8020805@htt-consult.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/oY6RC_jZ3yPNyt5GXk6JXdZT-rU
Subject: Re: [Hipsec] Teredo and HIP mobility/NAT
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 May 2014 12:56:22 -0000

Hi,

On 05/23/2014 02:54 PM, Robert Moskowitz wrote:
> I have thought a lot about this and generally it works out badly no matter
> how you slice it.  Well, if I was writing the network kernel, I would
> incorporate Teredo so that all interfaces presented an IPv6 address at
> all times and if it had a 'native' IPv6 would not use Teredo.  Basically
> tying Teredo right into the interface handling?
>
> We have probably all thought long and hard about this.  Multiple
> interfaces, most of them mobile.  They are supposed to be changing their
> priority based on something or other (IEEE 802.21?)  IPv6 should be IPv6
> publicly routable.  But IPv4 will change from public, to good NAT, to
> bad NAT, and bounce around.  Because of this bad mix of reality we go to
> the lowest common denominator and do everything as if there is a bad NAT
> in the way.  We have no effective method of intelligently switching.
>
> HIP everywhere does not fix bad NATs.
>
> Networking reality basically xxxxx, well I do try and control my
> language in public.

Yes, draft-keranen-hip-native-nat-traversal-01 would allow HIP better 
control of the NAT traversal.


From nobody Tue May 27 09:18:43 2014
Return-Path: <ari.keranen@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31A0F1A0431 for <hipsec@ietfa.amsl.com>; Tue, 27 May 2014 09:18:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.901
X-Spam-Level: 
X-Spam-Status: No, score=-3.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z7UAA_FKNuPa for <hipsec@ietfa.amsl.com>; Tue, 27 May 2014 09:18:38 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 550901A0186 for <hipsec@ietf.org>; Tue, 27 May 2014 09:18:38 -0700 (PDT)
X-AuditID: c1b4fb25-f79226d000004024-4d-5384bad93db6
Received: from ESESSHC018.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id D7.F6.16420.9DAB4835; Tue, 27 May 2014 18:18:33 +0200 (CEST)
Received: from mail.lmf.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.74) with Microsoft SMTP Server id 14.3.174.1; Tue, 27 May 2014 18:18:32 +0200
Received: from nomadiclab.lmf.ericsson.se (nomadiclab.lmf.ericsson.se [131.160.33.3])	by mail.lmf.ericsson.se (Postfix) with ESMTP id EB283110201; Tue, 27 May 2014 19:18:32 +0300 (EEST)
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1])	by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 0186E4E97B;	Tue, 27 May 2014 19:18:30 +0300 (EEST)
Received: from tri60.nomadiclab.com (localhost [127.0.0.1])	by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id A3DED4E857;	Tue, 27 May 2014 19:18:29 +0300 (EEST)
Message-ID: <5384BAD8.5060902@ericsson.com>
Date: Tue, 27 May 2014 19:18:32 +0300
From: =?ISO-8859-1?Q?Ari_Ker=E4nen?= <ari.keranen@ericsson.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Robert Moskowitz <rgm@htt-consult.com>
References: <537E5B0F.1090004@htt-consult.com>
In-Reply-To: <537E5B0F.1090004@htt-consult.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/xS_LwmcVRZWyCcBHzB_uvtcZkB0
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] Looking for slides on Relay server
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2014 16:18:41 -0000

Hi Bob,

On 22/05/14 23:16, Robert Moskowitz wrote:
> Andrei's lecture notes do not cover the relay server part, only rvs and
> I3 stuff.  I am looking for some slides to cover relay.

Some of the old RFC5770 preso slides cover relaying too. For example:
http://www.ietf.org/proceedings/72/slides/hip-2.pdf


Cheers,
Ari


From nobody Wed May 28 09:04:30 2014
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCF751A0440; Wed, 28 May 2014 09:04:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n8xx_IJwNWo8; Wed, 28 May 2014 09:04:26 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A41B21A040C; Wed, 28 May 2014 09:04:26 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.4.2.p3
Auto-Submitted: auto-generated
Precedence: bulk
Sender: <iesg-secretary@ietf.org>
Message-ID: <20140528160426.31345.98483.idtracker@ietfa.amsl.com>
Date: Wed, 28 May 2014 09:04:26 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/idniEOaAy7AjRaCUefGfwW1W1Rc
Cc: hipsec@ietf.org
Subject: [Hipsec] Last Call: <draft-ietf-hip-rfc4843-bis-05.txt> (An IPv6 Prefix for Overlay Routable Cryptographic Hash Identifiers Version 2 (ORCHIDv2)) to Proposed Standard
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Reply-To: ietf@ietf.org
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 May 2014 16:04:28 -0000

The IESG has received a request from the Host Identity Protocol WG (hip)
to consider the following document:
- 'An IPv6 Prefix for Overlay Routable Cryptographic Hash Identifiers
   Version 2 (ORCHIDv2)'
  <draft-ietf-hip-rfc4843-bis-05.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2014-06-11. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


   This document specifies an updated Overlay Routable Cryptographic
   Hash Identifiers format that obsoletes RFC4843.  These identifiers
   are intended to be used as endpoint identifiers at applications and
   Application Programming Interfaces (API) and not as identifiers for
   network location at the IP layer, i.e., locators.  They are designed
   to appear as application layer entities and at the existing IPv6
   APIs, but they should not appear in actual IPv6 headers.  To make
   them more like regular IPv6 addresses, they are expected to be
   routable at an overlay level.  Consequently, while they are
   considered non-routable addresses from the IPv6 layer point-of-view,
   all existing IPv6 applications are expected to be able to use them in
   a manner compatible with current IPv6 addresses.

   The Overlay Routable Cryptographic Hash Identifiers originally
   defined in RFC4843 lacked a mechanism for cryptographic algorithm
   agility.  The updated ORCHID format specified in this document
   removes this limitation by encoding in the identifier itself an index
   to the suite of cryptographic algorithms in use.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-hip-rfc4843-bis/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-hip-rfc4843-bis/ballot/


No IPR declarations have been submitted directly on this I-D.
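Added example, not part of the announcement or the draft itself: the ORCHIDv2 construction as it was published in RFC 7343 (this draft's final form), with the HIP Context ID and the OGA ID to hash mapping taken from the HIPv2 HIT Suite IDs (RFC 7401), showing how a verifier reads the algorithm index out of the identifier and rebuilds the hash to check that a received Host Identity really binds to a HIT. The HI bytes are a constructed stand-in; the real HOST_ID encoding is not reproduced here.

```python
import hashlib
import hmac
import ipaddress

# ORCHIDv2 (RFC 7343):
#   ORCHID = Prefix(28 bits) | OGA ID(4 bits) | Encode_96(Hash(Context ID | Input))
ORCHID_PREFIX = 0x2001002   # the 28-bit prefix 2001:20::/28
# Context ID that HIPv2 (RFC 7401) prepends to the Host Identity before hashing;
# other ORCHID users have their own 128-bit Context ID.
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
# OGA ID (the 4-bit algorithm index carried in the identifier) -> hash function,
# following the HIPv2 HIT Suite IDs. Unknown indexes are rejected, never guessed.
OGA_HASH = {1: "sha256", 2: "sha384", 3: "sha1"}
# Constructed stand-in for an encoded Host Identity (public key)
CONSTRUCTED_HI = b"constructed-host-identity-bytes"


def encode_96(digest: bytes) -> bytes:
    """Encode_96: keep the middle 96 bits of the digest, whatever its length."""
    drop = (len(digest) - 12) // 2
    return digest[drop:drop + 12]


def orchid_v2(oga_id: int, hi: bytes, context_id: bytes = HIP_CONTEXT_ID) -> str:
    """Derive the ORCHIDv2 (a HIT, for HIP) for a Host Identity under one suite."""
    if oga_id not in OGA_HASH:
        raise ValueError(f"unknown OGA ID {oga_id}")
    digest = hashlib.new(OGA_HASH[oga_id], context_id + hi).digest()
    high32 = (ORCHID_PREFIX << 4) | oga_id          # prefix and algorithm index
    value = (high32 << 96) | int.from_bytes(encode_96(digest), "big")
    return str(ipaddress.IPv6Address(value))


def parse_orchid(addr: str) -> tuple:
    """Split an ORCHIDv2 into (OGA ID, 96-bit hash field)."""
    v = int(ipaddress.IPv6Address(addr))
    if (v >> 100) != ORCHID_PREFIX:
        raise ValueError(f"{addr} is not in 2001:20::/28")
    oga_id = (v >> 96) & 0xF
    hash_bits = (v & ((1 << 96) - 1)).to_bytes(12, "big")
    return oga_id, hash_bits


def verify_orchid(addr: str, hi: bytes, context_id: bytes = HIP_CONTEXT_ID) -> bool:
    """Check that `hi` hashes to `addr` under the suite the identifier itself names.

    This is the agility the abstract describes: the verifier does not need
    out-of-band knowledge of which hash the peer used. A match only proves the
    binding between HI and identifier; HIP's signature over the HI still has to
    be checked before trusting the peer.
    """
    try:
        oga_id, hash_bits = parse_orchid(addr)
    except ValueError:
        return False
    algo = OGA_HASH.get(oga_id)
    if algo is None:
        return False
    expected = encode_96(hashlib.new(algo, context_id + hi).digest())
    return hmac.compare_digest(hash_bits, expected)


if __name__ == "__main__":
    for oga in (1, 2, 3):
        hit = orchid_v2(oga, CONSTRUCTED_HI)
        print(f"OGA {oga}: {hit}  verifies={verify_orchid(hit, CONSTRUCTED_HI)}")
```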



From nobody Wed May 28 09:06:15 2014
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67B6B1A04D2; Wed, 28 May 2014 09:06:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TbHordfCAeY9; Wed, 28 May 2014 09:06:10 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BECDA1A0429; Wed, 28 May 2014 09:06:10 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.4.2.p3
Auto-Submitted: auto-generated
Precedence: bulk
Sender: <iesg-secretary@ietf.org>
Message-ID: <20140528160610.26601.60366.idtracker@ietfa.amsl.com>
Date: Wed, 28 May 2014 09:06:10 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/p29I_bSHzgKfC3g_y1MLbyfC9G8
Cc: hipsec@ietf.org
Subject: [Hipsec] Last Call: <draft-ietf-hip-rfc5201-bis-14.txt> (Host Identity Protocol Version 2 (HIPv2)) to Proposed Standard
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Reply-To: ietf@ietf.org
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 May 2014 16:06:12 -0000

The IESG has received a request from the Host Identity Protocol WG (hip)
to consider the following document:
- 'Host Identity Protocol Version 2 (HIPv2)'
  <draft-ietf-hip-rfc5201-bis-14.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2014-06-11. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


   This document specifies the details of the Host Identity Protocol
   (HIP).  HIP allows consenting hosts to securely establish and
   maintain shared IP-layer state, allowing separation of the identifier
   and locator roles of IP addresses, thereby enabling continuity of
   communications across IP address changes.  HIP is based on a SIGMA-
   compliant Diffie-Hellman key exchange, using public key identifiers
   from a new Host Identity namespace for mutual peer authentication.
   The protocol is designed to be resistant to denial-of-service (DoS)
   and man-in-the-middle (MitM) attacks.  When used together with
   another suitable security protocol, such as the Encapsulated Security
   Payload (ESP), it provides integrity protection and optional
   encryption for upper-layer protocols, such as TCP and UDP.

   This document obsoletes RFC 5201 and addresses the concerns raised by
   the IESG, particularly that of crypto agility.  It also incorporates
   lessons learned from the implementations of RFC 5201.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-hip-rfc5201-bis/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-hip-rfc5201-bis/ballot/


The following IPR Declarations may be related to this I-D:

   http://datatracker.ietf.org/ipr/1541/




From nobody Wed May 28 09:08:00 2014
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05F391A09D1; Wed, 28 May 2014 09:07:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0hX8KK53yZ5P; Wed, 28 May 2014 09:07:55 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EA6C41A016C; Wed, 28 May 2014 09:07:55 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.4.2.p3
Auto-Submitted: auto-generated
Precedence: bulk
Sender: <iesg-secretary@ietf.org>
Message-ID: <20140528160755.23381.51349.idtracker@ietfa.amsl.com>
Date: Wed, 28 May 2014 09:07:55 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/PyFzvoR-84o8pSbOpZUjBkO2_5s
Cc: hipsec@ietf.org
Subject: [Hipsec] Last Call: <draft-ietf-hip-rfc5202-bis-05.txt> (Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)) to Proposed Standard
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Reply-To: ietf@ietf.org
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 May 2014 16:07:57 -0000

The IESG has received a request from the Host Identity Protocol WG (hip)
to consider the following document:
- 'Using the Encapsulating Security Payload (ESP) Transport Format with
   the Host Identity Protocol (HIP)'
  <draft-ietf-hip-rfc5202-bis-05.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing list by 2014-06-11. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


   This memo specifies an Encapsulated Security Payload (ESP) based
   mechanism for transmission of user data packets, to be used with the
   Host Identity Protocol (HIP).  This document obsoletes RFC 5202.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-hip-rfc5202-bis/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-hip-rfc5202-bis/ballot/


No IPR declarations have been submitted directly on this I-D.



From nobody Wed May 28 12:44:24 2014
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BC241A06A0 for <hipsec@ietfa.amsl.com>; Wed, 28 May 2014 12:44:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1AZbbNNKy_o5 for <hipsec@ietfa.amsl.com>; Wed, 28 May 2014 12:44:21 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id C410F1A0601 for <hipsec@ietf.org>; Wed, 28 May 2014 12:44:21 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 1B22D62B8D for <hipsec@ietf.org>; Wed, 28 May 2014 19:44:14 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FFGF8SKL5Ha1 for <hipsec@ietf.org>; Wed, 28 May 2014 15:44:04 -0400 (EDT)
Received: from lx120e.htt-consult.com (nc4010.htt-consult.com [208.83.67.156]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 036D962B77 for <hipsec@ietf.org>; Wed, 28 May 2014 15:44:03 -0400 (EDT)
Message-ID: <53863C83.8060005@htt-consult.com>
Date: Wed, 28 May 2014 15:44:03 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: hipsec@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/iv3NmX_P2QsoBj0ojGBiSkT13AU
Subject: [Hipsec] On to last call
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 May 2014 19:44:23 -0000

Well, 3 so far.  A bit more to go.


