draft-ietf-hip-rfc6253-bis-08.txt  vs.  draft-ietf-hip-rfc6253-bis-09.txt

Host Identity Protocol                                          T. Heer
Internet-Draft                          Albstadt-Sigmaringen University
Obsoletes: 6253 (if approved)                               S. Varjonen
Updates: 7401 (if approved)                      University of Helsinki
Intended status: Standards Track                   April 22, 2016 (-08)
                                                      July 6, 2016 (-09)
Expires: October 24, 2016 (-08) / January 7, 2017 (-09)

                   Host Identity Protocol Certificates
                       draft-ietf-hip-rfc6253-bis-08 (-08)
                       draft-ietf-hip-rfc6253-bis-09 (-09)
Abstract

   The Certificate (CERT) parameter is a container for digital
   certificates.  It is used for carrying these certificates in Host
   Identity Protocol (HIP) control packets.  This document specifies the
   certificate parameter and the error signaling in case of a failed
   verification.  Additionally, this document specifies the
   representations of Host Identity Tags in X.509 version 3 (v3).
[skipping to change at page 1, line 46]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 24, 2016 (-08) /
   January 7, 2017 (-09).

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
[skipping to change at page 6, line 42]

   INVALID_CERTIFICATE                                      50

      Sent in response to a failed verification of a certificate.
      Notification Data MAY contain CERT group and CERT ID octet
      (in this order) of the CERT parameter that caused the
      failure.

6.  IANA Considerations
   [-08 text:]

   The following changes to the "HIP Certificate Types" registry should
   be made.

   The references should be updated from [RFC6253] to this document.

   [-09 text:]

   This document defines the CERT parameter for the Host Identity
   Protocol [RFC7401].  The CERT parameter type number (768) is defined
   in [RFC7401].

   The CERT parameter has an 8-bit unsigned integer field for different
   certificate types, for which IANA has created and maintains a sub-
   registry entitled "HIP certificate types" under the "Host Identity
   Protocol (HIP) Parameters".  Values for the Certificate type registry
   are given in Section 2.  New values for the Certificate types from
   the unassigned space are assigned through IETF Review.

   In Section 5, this document defines two types for the "NOTIFY message
   types" sub-registry under "Host Identity Protocol (HIP) Parameters".

   As this document obsoletes [RFC6253], references to [RFC6253] in IANA
   registries must be replaced by references to this document.  This
   document changes Certificate type registry in Section 2.

   The following updates to the "HIP Certificate Types" registry must be
   made.

   The references must be updated from [RFC6253] to this document.

   [common to -08 and -09:]

   This document obsoleted the type numbers "2", "4", "6", "8" for
   the SPKI certificates.
7.  Security Considerations

   Certificate grouping allows the certificates to be sent in multiple
   consecutive packets.  This might allow similar attacks, as IP-layer
   fragmentation allows, for example, the sending of fragments in the
   wrong order and skipping some fragments to delay or stall packet
   processing by the victim in order to use resources (e.g., CPU or
   memory).  Hence, hosts SHOULD implement mechanisms to discard
   certificate groups with outstanding certificates if state space is
   scarce.
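   The following is an added illustration, not code from the draft or
   from any HIP implementation: a receiver-side CERT group reassembler
   that bounds the state kept for groups with outstanding members and
   reports failures as the INVALID_CERTIFICATE Notification Data (CERT
   group, then CERT ID) described above.  It assumes the RFC 7401 TLV
   header followed by the CERT fields Cert group, Cert count, Cert ID and
   Cert type (one octet each), assumes Cert IDs run from 1 to Cert count,
   and uses hypothetical class and function names.

```python
import struct
from collections import OrderedDict

CERT_PARAM_TYPE = 768               # CERT parameter type number (RFC 7401, cited in the draft)
INVALID_CERTIFICATE = 50            # NOTIFY message type defined in the draft
OBSOLETED_SPKI_TYPES = {2, 4, 6, 8}  # SPKI Cert type values the draft obsoletes

def parse_cert_param(data):
    """Split a CERT parameter into (group, count, cert_id, cert_type, certificate).
    Layout assumed: Type(2) Length(2) Cert group(1) Cert count(1) Cert ID(1)
    Cert type(1) Certificate(Length - 4), optional padding after that."""
    ptype, length = struct.unpack_from("!HH", data, 0)
    if ptype != CERT_PARAM_TYPE or length < 4 or len(data) < 4 + length:
        raise ValueError("malformed CERT parameter")
    group, count, cert_id, cert_type = struct.unpack_from("!BBBB", data, 4)
    return group, count, cert_id, cert_type, data[8:4 + length]

class CertGroupReassembler:
    """Hypothetical receiver state: collects group members arriving across packets
    and discards the oldest incomplete group once max_pending_groups is reached."""
    def __init__(self, max_pending_groups=4):
        self.max_pending_groups = max_pending_groups
        self.pending = OrderedDict()   # group -> {"count": n, "certs": {cert_id: bytes}}

    def add(self, param_bytes):
        """Return ("complete", [certs in ID order]), ("pending", None) while members are
        outstanding, or ("notify", data) where data is the Notification Data for an
        INVALID_CERTIFICATE NOTIFY: CERT group octet followed by CERT ID octet."""
        group, count, cert_id, cert_type, cert = parse_cert_param(param_bytes)
        notify_data = struct.pack("!BB", group, cert_id)
        if cert_type in OBSOLETED_SPKI_TYPES or not 1 <= cert_id <= count:
            self.pending.pop(group, None)           # drop any partial state for this group
            return "notify", notify_data
        entry = self.pending.get(group)
        if entry is None:
            if len(self.pending) >= self.max_pending_groups:
                self.pending.popitem(last=False)    # state scarce: discard oldest incomplete group
            entry = self.pending[group] = {"count": count, "certs": {}}
        elif entry["count"] != count or cert_id in entry["certs"]:
            self.pending.pop(group)                 # inconsistent count or duplicate ID
            return "notify", notify_data
        entry["certs"][cert_id] = cert
        if len(entry["certs"]) == count:
            del self.pending[group]
            return "complete", [entry["certs"][i] for i in range(1, count + 1)]
        return "pending", None

def make_cert_param(group, count, cert_id, cert_type, cert):
    """Build a CERT parameter from constructed test values (certificate bytes are dummies)."""
    hdr = struct.pack("!HHBBBB", CERT_PARAM_TYPE, 4 + len(cert), group, count, cert_id, cert_type)
    return hdr + cert
```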
   Although, CERT parameter is allowed in the first Initiator (I1)

[skipping to change at page 11, line 21 (-08) / line 37 (-09)]
   o  Addressed the Int-Dir review comments from Korhonen.

   Changes from version 06 to 07:

   o  Addressed the GenArt, OPSdir, SecDir, and IANA comments.

   Changes from version 07 to 08:

   o  Addresses one editorial nit for CERT group numbers.

   Changes from version 08 to 09 (new in -09):

   o  Rewrote the IANA section.
Authors' Addresses

   Tobias Heer
   Albstadt-Sigmaringen University
   Poststr. 6
   72458 Albstadt
   Germany

   Email: heer@hs-albsig.de

   Samu Varjonen
   University of Helsinki
   Gustaf Haellstroemin katu 2b
   00560 Helsinki
   Finland

   Email: samu.varjonen@helsinki.fi
End of changes.  8 change blocks.  8 lines changed or deleted, 30 lines changed or added.

This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/