HIPRG IETF79
Tue 9.11.2010, 9.00-11.00, Garden Ballroom 1

Agenda

Andrei Gurtov. Status of HIPRG work items and their further progress [15 min]

Aaron Falk: IoT meeting is a bar BoF, not official.

Gyu Myoung Lee. Update on HIP RFID. [30 min]

Dacheng Zhang. Updates on key revocation [30 min]
- Proxies
- Hierarchical HITs

?: When two hosts communicate with HIP, will the HIT change during the communication?
Dacheng: In present HIP, no, that will not happen. It is possible in a key revocation scenario.
?: Are there any additional computational costs when many proxies communicate with a DNS server?
Dacheng: Yes there are, but they are much the same as any other DI proxy situation.

Tobias Heer. A Certificate-based Namespace for HIP [30 min]
- Update on HIPL implementation
- Status of HIP WLAN deployment project

?: What is the motivation for this?
Tobias: The original motivation is to change the server's keys over time, while keeping the HIT static, but you can use it for other things, such as enabling the HIT to be reverse looked up. Need means to couple identities back to common roots. We could look at DNSSEC mechanisms.
Dacheng: Do you need a PKI to support this?
Tobias: There's an assumption that we do; you need a way to change a CA key. This is intended for more controlled scenarios.
Dacheng: Noted a similarity to work he knew of, will forward info to Tobias. Also relates to hierarchical HIT ideas.
Tobias: The new namespace arises from the mechanism to change HIs; it's an artifact of that and not a goal.
Dacheng:
Tobias: HITs can be stored in a bunch of places, but without live communication it's hard to update that.
Andrei: Is there a relation between this and name-based sockets?
Tobias: You could certainly run NBS over this.
?: What are the lightweight device features?
Tobias: 5201bis has a larger selection of crypto suites, including ECC.
?: Is there a relationship with 6lowpan?
Not directly; diet exchange is somewhat related as well. ECC is just a requirement.
?: You mentioned cloud security, can you say more about this?
This came from Miika Komu, talk to him.
Andrei: Can you explain the removal of code while adding features?
HIPL has been a research project, and there have been lots of research features included in the code. This results in unmaintained code, and we have been removing this.
Andrei: I thought the point of incorporating code was to keep it maintained.
Miika: Old features remain in the old releases.
Andrei: DHT is something we're working on, so I find it strange that it has been removed.
Tobias: We can put it back if someone wants to maintain it.
x: Can you comment on the authentication computation load?
In MobileIP you'd do quite a lot with RADIUS, but we do it with HIP mobility signaling. We do have more authentication cost, but less management overhead. It's a signature and certificate verification, which is a little expensive with RSA and DSA signatures. Presently we have APs that can do about 25 per second; ECC should be about 10x that.
x: How is this related to the previous technology?
The mobility is HIPL, but the auth comes from the
Chin Wong?: Did you test the interrupt time from mobility?
Yes, we did; I don't have the data handy. It was on the order of 50 ms or so. I have to admit the handover delay was on a local network, and of course you have to add the RTT between mobile device and trust point, so the handover delay is 3x that RTT.

Jani Pellikka. Certificate request mechanism [15 min] (presented by Andrei)

Andrew McGregor: This seems to be a mechanism for providing the non-hash HIT binding certificates required by the earlier presentation.
Tobias: This could be very useful for the auth part of our mobility architecture. Do you know if this goes in the signed or unsigned part of the packet?
Andrei: Details are given in an internet draft (to be submitted).
Tobias: It would be good if it had an unsigned type id as well, so middleboxes can append requests.

Jani Pellikka. Comparison and Analysis of Secure Mobile Architecture and Evolved Packet System [20 min] (presented by Andrei)

Tobias: Have you already had discussions with any operators?
Andrei: There is some interest, but I don't know to what extent it's mainstream or experimental.
Tobias: Can we please have more reviews on WG documents, to move that forward quicker.

General discussion [10 min]