Re: [6lo] RESEND: Reveiw of draft-ietf-6lo-privacy-considerations-00
Dave Thaler <dthaler@microsoft.com> Thu, 07 July 2016 01:22 UTC
Return-Path: <dthaler@microsoft.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D716612B032 for <6lo@ietfa.amsl.com>; Wed, 6 Jul 2016 18:22:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.022
X-Spam-Level:
X-Spam-Status: No, score=-102.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w8cPJN5Uvhz5 for <6lo@ietfa.amsl.com>; Wed, 6 Jul 2016 18:22:10 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0094.outbound.protection.outlook.com [104.47.40.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BA0E12B00D for <6lo@ietf.org>; Wed, 6 Jul 2016 18:22:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=qC2KBcyJ89BvByrWg17PjdndEYSAajhK9Z6Bx+u7Zi0=; b=Gx74jPttbk3Y0R97ZREUS6JuefQ0RTaDLQQrLmloQ4/5Y1cz7Vs399/67dFqAU5hgP6okuaas9FvQzAafXZIHrY9sYmaYF355muL4Gp7I0lUpEFMGoZIeOKs7TUGgdD0ThcPrSQSqOdGCMInJzVYL7vTLIMY6jA0Sjnzw3xJT3k=
Received: from DM2PR0301MB0717.namprd03.prod.outlook.com (10.160.97.13) by DM2PR0301MB0718.namprd03.prod.outlook.com (10.160.97.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.523.12; Thu, 7 Jul 2016 01:22:08 +0000
Received: from DM2PR0301MB0717.namprd03.prod.outlook.com ([10.160.97.13]) by DM2PR0301MB0717.namprd03.prod.outlook.com ([10.160.97.13]) with mapi id 15.01.0534.015; Thu, 7 Jul 2016 01:22:07 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: "6lo@ietf.org" <6lo@ietf.org>, Kerry Lynn <kerlyn@ieee.org>
Thread-Topic: RE: [6lo] RESEND: Reveiw of draft-ietf-6lo-privacy-considerations-00
Thread-Index: AdHXI6KQvHrJgkbFSuihW6hkeciJmQAx3idAAAADrYA=
Date: Thu, 07 Jul 2016 01:22:07 +0000
Message-ID: <DM2PR0301MB071714F2740B62FE43A7C50FA33B0@DM2PR0301MB0717.namprd03.prod.outlook.com>
References: <DM2PR0301MB0717E12C81B148B725353679A33A0@DM2PR0301MB0717.namprd03.prod.outlook.com> <DM2PR0301MB0717D9FC94C84FD357C572D0A33B0@DM2PR0301MB0717.namprd03.prod.outlook.com>
In-Reply-To: <DM2PR0301MB0717D9FC94C84FD357C572D0A33B0@DM2PR0301MB0717.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dthaler@microsoft.com;
x-originating-ip: [2001:4898:80e8::635]
x-ms-office365-filtering-correlation-id: 6363b8e1-5ce9-48d0-b13a-08d3a6051ce2
x-microsoft-exchange-diagnostics: 1; DM2PR0301MB0718; 6:cIhB74gjdLrFeW5LcWf7jlLAmJrcARLRd+4iCW7ajKGHlbvp07YTQTRldO9X9wX0DzjC6mD3Sc18rZszQSfkWl4SkYmq3iE/PX0BjEJ3FoNw0dbU03tp2ANjNJjacEzL/Ep2iqEQYQVs5kTvEeYTnOk8LvN8dyL2Th9YlrORA+GcMIYdMzQC6NAtDklHY6wGp6S7pS2md7q5C0b9iJdtcpCRPfP1bxyTZPDaPu/FKArokyYUBmvQuegpE5bcuWviEktmLjhUcgIqtm50HPlVVhYGwnrNvM7+145Cok8Jpe9QbEFOTcbHt/aJ5vuax6ZjqqKj3VnuteJK8icxBaFcfQ==; 5:zpN7xCVQvWZhW8CfT5qzLB/dMtvTLRmVRJUxHzqMXzm/KLoHEjnmYp4M4s2/A2na2cvA5Ql/x0xqTdaZv8/ekeYLKKmD4ntTVxjQWznzVQ4XLK2ccrKyUSFqpuFWqCULGzsM7s1z77pSCU9UH/XvPA==; 24:ULrqKut1hZ378FyQcSUT+7WeZOo7+BOLtyK4Q11AjEBCuYHHxbgkjHxpqD9atIpiYTr1PAG3dvMkwBkz2iL2JtO5Q/YZ3TFUvQP6DsA1qG8=; 7:CRdgzltlhbQdkNhy44YDaG3dFSJm7ooYSM1qZ4DIVzXoVjvlTDQHnT2PtUU95iWjImB8P32SU/n1sxS12z1Z1yweXVqnnwCft3Fe79cvAZDQQJgtdbfIxbFJ0baz2YTpgcKea6OVKEZ2qEWEUK9sihzARnCkGBCk87h3ZTJocnTblprPUnQPB4gK3e2oi3VhwXalJYVGJtQzk57kLabtUomzdkSvBrRRWTRxsdKyP4qkYDJpejFhZecQdddy+xhi
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0718;
x-microsoft-antispam-prvs: <DM2PR0301MB071888F1FE6F136C9760207DA33B0@DM2PR0301MB0718.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(192374486261705)(100405760836317);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038); SRVR:DM2PR0301MB0718; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0718;
x-forefront-prvs: 0996D1900D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(51914003)(15374003)(189002)(377454003)(24454002)(199003)(43784003)(102836003)(8676002)(6116002)(106356001)(105586002)(2906002)(586003)(2501003)(76576001)(107886002)(92566002)(189998001)(77096005)(81166006)(81156014)(2900100001)(101416001)(86362001)(2950100001)(8990500004)(5002640100001)(305945005)(230783001)(10290500002)(10400500002)(54356999)(10090500001)(5005710100001)(99286002)(9686002)(50986999)(33656002)(74316002)(5003600100003)(68736007)(7696003)(7736002)(8936002)(86612001)(76176999)(7846002)(122556002)(19580395003)(87936001)(5001770100001)(3660700001)(19580405001)(3280700002)(97736004)(3900700001)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0718; H:DM2PR0301MB0717.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jul 2016 01:22:07.7496 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0718
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/B6OG14BvdEYl9Dk0TTfMgnO-f1c>
Subject: Re: [6lo] RESEND: Reveiw of draft-ietf-6lo-privacy-considerations-00
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2016 01:22:13 -0000
Ok, I just posted an update in which I tried to take Kerry's feedback into account. Some notes below about what I did, but see the diffs for details. > From: Dave Thaler > Sent: Tuesday, July 5, 2016 6:22 PM > To: 6lo@ietf.org; Kerry Lynn <kerlyn@ieee.org> > Subject: RE: [6lo] RESEND: Reveiw of draft-ietf-6lo-privacy-considerations-00 > > I'm working on updating this now. > > Kerry Lynn wrote: > > To begin finalizing the Security Considerations section of > > draft-ietf-6lo- 6lobac, i thought it would be useful to re-read and > > offer my review of draft-ietf-6lo-privacy-considerations-00. > > Thanks for the feedback! > > > First, some general comments: > > > > - I find the document clear and understandable, as per Dave's usual. > > > > - As this document pertains to constrained devices, I think some of > > the concerns expressed in other fora (e.g. leaking link-local address > > in email headers) don't apply here. > > Yes they do. Just because a device is resource constrained doesn't mean it > can't leak link-local addresses. In fact we have plenty of evidence that > leaking link-local addresses can easily happen by accident (or programmer > neglect), in any number of Internet protocols (DNS, SIP, SMTP, etc.) I did make changes in a number of places, especially any discussion around address scans, to make the discussion specific to routable addresses. I put in some text to state my points as well, but the primary focus of address scan text (and thus the larger number of entropy bits) is for routable addresses, which I hope is clear in the text now. > > - I think it would be helpful to clearly divide the document according > > to threats posed by off-link vs on-link adversaries. In the off-link > > case, we are dealing only with routable addresses and information that > > is at L3 or higher. This class of threats applies to all hosts, including 6lo. > > Using a random 60+ bit IID (per prefix?) will mitigate all threats > > discussed in draft-ietf-6man-ipv6-address-generation-privacy except > > correlation of activity over time. > > Ok, will see what I can do. I made textual changes, but not organizational changes (table of contents remains the same) since some points do not clearly delineate that way. So hopefully it's clear enough in each paragraph now. > > > In the on-link case, are we only concerned with threats that apply to > > (wireless) data links that are susceptible to eavesdropping, or must > > we also be concerned with intruders in the wiring closet? > > If the link is a multi-access link, and one of the devices can be compromised, > then it can potentially be used to eavesdrop on communication between two > other entities on the link. So it's not wired vs wireless so much as point-to- > point vs multi-access. I added a minor point about NBMA but the main focus in the text is, I hope, consistent with I think what your main point is. > > In any event, this > > class of threats would seem to exclude address scanning (which is > > trivial if an attacker has access to the local link traffic). > > Depends on the link-layer protocol. Some link layers (e.g., ones that don't > support multicast/broadcast) don't use ND and so address scanning may still > be an issue. > > > - If address scanning is eliminated as a concern (as in cases where it > > cannot be prevented), then arguments about "enough entropy" do not > > apply and locally assigned short addresses have their rightful place > > in forming link-local IIDs. The side effect of this is to enable > > maximally efficient RFC 6282 compression for link-local traffic. > > I think you're still assuming that link-local addresses can never leak via higher > layer protocols, whereas we know they can. So link-local addresses are still > an issue for the off-link case. Even though an attacker can't use them to > communicate with the constrained device, they can still result in privacy > vulnerabilities. As noted earlier, I updated the text so that address scans and the larger amount of entropy being mainly for routable addresses. > > > - Concerns about correlation over time may not apply to certain > > classes of devices (fixed servers) or applications (e.g. building > > automation, where associating link-layer address with location is a > > feature, not a bug). In some cases, it may simply be impractical to > > change link-layer address on a frequent basis (e.g. it is common in > > the case of MS/TP nodes to set the L2 address via DIP switches). > > Right, in cases like fixed services that might even be resolvable via DNS or > some other mechanism, public addresses are used and privacy of such > addresses is not an issue. However, the point is that that IETF should not > design protocols that can ONLY support such cases. (The draft is a bit softer > than saying that though, it just says that your Privacy Considerations section > needs to have a discussion of the issues, and then the IETF community and > the IESG can decide whether there is IETF consensus on it.) > > > - It has been suggested that ND might be eliminated in some cases to > > further increase bandwidth efficiency. (For example, in cases where a > > locally-assigned short identifier has been assigned at L2 and is then > > used to form an IID, ND is redundant.) > > Well there's multiple parts of "ND". The NUD part is still relevant in all > cases. The Address Resolution part can be eliminated in some cases (and > indeed it's up to each link-layer protocol to say how Address Resolution is > done, which defaults to normal ND if you say nothing). > > > AFAIK, there hasn't been any > > discussion about how to tell the difference between L2-derived and > > "random" IIDs. We might identify L2-derived IIDs as those containing > > the 0xFFFE pattern in the middle, or not having the 0xFFFE pattern but > > having the U/L bit = 0 in the IID. This would exclude these patterns > > from valid privacy IIDs and result in a maximum entropy of ~63 bits. > > One cannot positively tell the difference simply by looking at an address. > One needs additional information to say for sure, because ultimately it's up > to each link (or maybe even finer granularity). But for things like address-to- > string conversion ("pretty-printing") purposes, some implementations (like > Windows) do have a random generation algorithm that avoids colliding with > the patterns you mention, and do result in a max entropy of ~63 bits. > So far I don't see any reason the draft needs to discuss this point though. > > > Now on to specifics: > > > > - In section 2, I think the analysis pertains to the lifetime of a > > given link so the wording "average lifetime of a device" should > > instead be "average lifetime of a link". > > Right, will fix (it's correct in the equation at top of page 4 but then the text > below it wasn't consistent with it). Done. > > > It is worth noting that CoAP servers do not have a "stealth mode". > > According to [RFC7252] a CoAP server MUST respond to an empty > > Confirmable message with a Reset message. > > It's not worth noting because the same could be said for TCP or HTTP or > ICMP. The "stealth mode" is a property of a host firewall in front of it but on > the same device. Section 5 of RFC 7288 (which the draft > references) already contains a discussion of this point, and just uses TCP and > ICMP as examples, and that text equally applies to COAP. Updated text to discuss firewalls and reword to make it clearer that it's about dropping unsolicited inbound traffic before it ever reaches the TCP/ICMP/COAP/whatever layer, and also mentioned network firewalls in front of the subnet, that have the same effect. > > > - In section 3, MS/TP has 7 or 64 bits (since L2 addresses must be in > > the range 0 - 127). > > Thanks, will fix. Fixed. > > > - Section 3.1 seems to alternately switch between discussing > > link-layer addresses and IIDs formed from those addresses. Perhaps > > consistent use of "link identifier" and "interface identifier" would > > help disambiguate the meaning. > > Ok, will see what I can do. Changed. > > > EUI-64 and EUI-48 are well-defined terms (trademarked in fact, and > > this should be noted in the document). > > Why should it be noted? Can you point me to a 6man RFC (since many 6man > RFCs mention EUI-64 and EUI-48) that notes that the term is trademarked? Is > there an RFC style guide directive on such matters? > > > An EUI-64 may have 40, 36, or > > 28 bits of entropy, while an EUI-48 may have 24, 20, or 12 bits, none > > of which meet the standard of "at least 46 bits". > > When the OUI is unknown, the lack of such knowledge provides a few more > bits of entropy since the attacker has to at least try any well-known OUI's and > do a search within each one. For example, if there's 64+ possible OUI's in > use, that's around 6 more bits of entropy. An off-link attacker cannot, > without additional information, know what the link type is and so has to try > OUIs without being able to narrow it down to OUI's for that link type. I also reduced the number of occurrences of the "46 bits" number, since that's just an example for links that can last 8 years or more. (Many 6lo links last for far less time than that, so we shouldn't over-index on the number 46, it's just an example. The key point is to derive the number from the max expected link lifetime.) > > > I'm not sure it's > > accurate to use "randomized IEEE identifiers", unless this refers to > > locally-assigned MAC addresses with the U/L bit = 1, in which case we > > might want to reference an appropriate IEEE 802 or ISO standard. > > Random MAC addresses was the intent, but "MAC" as a term only applies to > specific link types. Maybe "randomized link-layer addresses" is a better > term, so I'll use that. Done > > > - In Section 4, first bullet, it should be enough to indicate that > > privacy IIDs are RECOMMENDED for routable addresses. (Is there a case > > where a privacy IID is less than ~63 bits of entropy?) > > Such a recommendation may be too strong for some cases (it would indeed > be sufficient, but not necessary). For example, if the link lifetime is usually > <1 second, then privacy IIDs might be overkill. The point of the first bullet is > to say that an IP-over-Foo doc should contain such a discussion. However, > perhaps your point is that it could say that using privacy addresses is one easy > way to meet the requirement. > > That is, I don't believe there is 6lo WG consensus for stating that privacy IIDs > are RECOMMENDED for routable addresses. > > > This section > > should also discuss options for providing privacy IIDs via DHCPv6 > > (M=1 in RA). > > I have no problem adding such a reference. The point is to say what privacy > considerations need to be addressed in a doc, rather than details of *how* > to address them, in order to leave maximum freedom. > But providing examples as informative references as you suggest is a good > thing. I checked and there is no reference (RFC or draft) as far as anyone I asked knows. So I didn't mention DHCPv6 in this document, I left it for 6man documents to discuss since it's not specific to 6lo. > > > Second bullet - as I've indicated above, there's no such thing as a > > "random" EUI-64 or EUI-48. We can probably use "randomized MAC > > addresses". I need to go back and re-read [RFC7136] to see if it > > makes sense to specify U/L bit in this context. > > Agreed, will use "randomized link-layer addresses". Done > > > Third bullet - this advice should not apply to link-local IIDs. Any > > attacker wishing to find "hits" just needs to fire up a sniffer. > > Disagree as noted above. It applies due to off-link leakage. > (And the IP-over-Foo layer should not make assumptions about what upper- > layer protocols do.) The risk might be smaller, and hence it might apply > "less", but it still applies. > > > Fourth bullet - this advice should not apply to link-local IIDs for > > devices or applications where correlation of activities over time is not a > concern. > > Same answer. The risk might be smaller and hence it might apply "less", but > it still applies. Also the whole section is under the heading of "recommendations" not "requirements", so they're already implied SHOULD's rather than MUST's in that sense. But either way, the security/privacy text in a draft should address the issue, whatever the answer is. > > Again the main point of this draft is not to say what one MUST or MUST NOT > do (or rather *how* one MUST or MUST NOT solve some privacy issue), but > rather what issues need to be addressed in a doc, and some > recommendations > ("shoulds") on good ways to address them. So the fact that there's still a risk > means there's still a need for text to address them or convincingly (to the > IETF community and to the IESG) explain why some issue doesn't apply to a > particular IP-over-foo mechanism. > > Thanks again for the review, > Dave
- Re: [6lo] RESEND: Reveiw of draft-ietf-6lo-privac… Kerry Lynn
- Re: [6lo] RESEND: Reveiw of draft-ietf-6lo-privac… Dave Thaler
- Re: [6lo] RESEND: Reveiw of draft-ietf-6lo-privac… Dave Thaler
- [6lo] RESEND: Reveiw of draft-ietf-6lo-privacy-co… Kerry Lynn
- Re: [6lo] RESEND: Reveiw of draft-ietf-6lo-privac… AbdurRashidSangi
- Re: [6lo] RESEND: Reveiw of draft-ietf-6lo-privac… Dave Thaler