HIPRG IETF 78
TUESDAY, July 27, 2010, 0900-1130, Morning Session I
HIP RG Session

Meeting minutes (based on notes of Andrew McGregor and Tobias Heer)

1) Andrei Gurtov. Update on RG status. Update on Experiment Report (10 min)
   - draft-irtf-hip-experiment-08

2) Pascal Urien. HIP-RFID (20 min)

Bob: This is very important, and is going to be incorporated as a reference in the standards-track architecture document. Signatures should be called MACs. Is there a communication protocol that could be secured with HIP, rather than enforcing ESP? Where is the RFID community going wrt hash functions?
Pascal: Will call signatures MACs.
Bob: There are waybill formats etc.; is there a defined communication protocol?
Andrew: Yes there is, look at the GS1 standards. (BTW: the GS1 RFID protocol has TCP and HTTP bindings; it would be almost trivial to define a TCP over HIP binding. See http://www.epcglobalinc.org/standards)
Tobias: HAT name etc... The HAT is a protocol translator between RFID and HIP. That device is very important to get right. We have to make sure that there is interoperability, and it would be as well to make sure that the HIP protocol itself is as compatible as possible.

3) Dacheng Zhang.
   Proxy (20 min)
   Key revocation (20 min)
   Hierarchical HITs (20 min)
   - draft-xu-hip-hierarchical-00

Dacheng: Why is there a not-before-time? Is it important?
Andrew: Distribute the key in advance of having the infrastructure ready.
Bob: Used for key rollover... distribute a root key in advance of having all the sub-keys signed.
Tobias: There are details wrt various kinds of proxies for IP networks; to some extent Urien's HAT is also a proxy. It would be good to include these in the document.
??: This is for HIP hosts to communicate with non-HIP hosts, not vice versa?
Dacheng: Our deployment scenario was that the non-HIP hosts were in a private network. Actually the proxy should be able to support communication in both directions.
Bob: The concept of the proxy is that the proxy has the HI for the hosts it is proxying for, and therefore its routing is the route to the HI; the proxy can therefore find the proxied host by its own means, whatever those are. Security of the proxy is rather a problem, so this should be in the security considerations.
Tobias: Is this draft an RG draft about proxies, or is it a specific draft about some solutions?
Dacheng: The intention was for it to be a generic document.
Tobias: Therefore people who are doing things with proxies should contact Dacheng to get that work incorporated.
Andrew: The practical things we see done are using certificates.
Bob: Documents in 2000 had hierarchy; by 2003 it had been removed. Hierarchy might be important for IoT work. So, where is this going to be applied? Can we find a case where this really matters?
Andrei: There's little discussion on how to secure hierarchical HITs; this needs to be expanded.
Andrew: I think that was one of Pekka Nikander's original objections.
Bob: There's a restart on CGAs going on. CGA bound the prefix with the tail; HIT does not. This is something which may need to be reevaluated.

4) DHT Interface Last Call (10 min)

Ari Keranen: Why is this informational and not experimental? (Sounds like this is an oversight.)
Andrei: It's basically a method to resolve HITs to IP addresses, and has some implementations.
Tobias: It's good to have such a thing around, and good to have an RFC on that to preempt future chaos.

5) Robert Moskowitz. HIP Diet EXchange (DEX) (30 min)
   - draft-moskowitz-hip-rg-dex-00

Bob: Please supply information on the actual cost of ECC on small processors.
Tobias: I think this is interesting and important work. It should be coordinated with Urien.

6) Miika Komu. HIP-PLA (20 min)
   - draft-lagutin-hip-pla-00

Bob: Trusted Network Connect is developing an extensive model where a backend system can be inserting information. Secondly, there is a cgasec BoF on CGA IPv6 headers to provide some of this functionality, so there may be reason to talk to those people too.
Andrei: Performance. We looked at it in the context of how many HIP exchanges you can do per second: software and hardware are roughly equal in performance these days.
Andrew: Hardware is still cheaper and uses less power.
Andrei: Is this similar to HIP certs?
Tobias: Certs don't give you replay protection, whereas this proposal does. That requires global time synchronisation.

7) Joakim Koskela. A secure p2p web framework (presented by Andrei)

Andrew: Seems like a cool idea.

-------
Tobias: People interested in the 5201bis crafting session: this is at 3pm at reception.