Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT)
Fernando Gont <fgont@si6networks.com> Sun, 19 July 2015 12:42 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D26CC1ACE65; Sun, 19 Jul 2015 05:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UPu6j5RE3LKI; Sun, 19 Jul 2015 05:42:41 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12DF21ACE5D; Sun, 19 Jul 2015 05:42:41 -0700 (PDT)
Received: from [91.234.248.1] (helo=[192.168.254.134]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1ZGnvM-0004va-6s; Sun, 19 Jul 2015 14:42:32 +0200
Message-ID: <55AB9A6C.2080209@si6networks.com>
Date: Sun, 19 Jul 2015 09:39:08 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Samita Chakrabarti <samita.chakrabarti@ericsson.com>, Alissa Cooper <alissa@cooperw.in>, "Savolainen Teemu (Nokia-TECH/Tampere)" <teemu.savolainen@nokia.com>, Dave Thaler <dthaler@microsoft.com>, Will Cheng <liushucheng@huawei.com>
References: <b366d082-133c-487f-a988-9bc5bfeb01a3@email.android.com> <32BFA1BC-3196-4DC3-B4E1-2151EA1345DE@cooperw.in> <ECA43DA70480A3498E43C3471FB2E1F02222914F@eusaamb103.ericsson.se>
In-Reply-To: <ECA43DA70480A3498E43C3471FB2E1F02222914F@eusaamb103.ericsson.se>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/6lo/IZJe-56tJbMXXQNAJ01Ar7VKCa8>
X-Mailman-Approved-At: Sun, 19 Jul 2015 05:51:08 -0700
Cc: ext Kerry Lynn <kerlyn@ieee.org>, "6lo-chairs@ietf.org" <6lo-chairs@ietf.org>, "draft-ietf-6lo-btle.ad@ietf.org" <draft-ietf-6lo-btle.ad@ietf.org>, "draft-ietf-6lo-btle.shepherd@ietf.org" <draft-ietf-6lo-btle.shepherd@ietf.org>, "draft-ietf-6lo-btle@ietf.org" <draft-ietf-6lo-btle@ietf.org>, "Gabriel.Montenegro@microsoft.com" <Gabriel.Montenegro@microsoft.com>, IESG <iesg@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Subject: Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT)
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2015 12:42:46 -0000
Folks, I'm trying to catch up with this discussion. SO far, my two observations are: 1) The issue of link-local addresses had been debated when we were working on RFC7217. There are number of reasons for which those addresses might leak out: main one being through application layer protocols. 2) I believe that any need to provide requirements for IID generation whould be addressed by referencing draft-ietf-6man-defaul-iids. If there's any need to go against the advice in default-iids, only the advice and the rationale should be documented in the new document. Thanks! Best regards, Fernando On 07/18/2015 07:31 PM, Samita Chakrabarti wrote: > Hi Alissa, > > > > From the general L3 perspective, a valid IPv6 implementation does not > forward Link-local addressing [ as we all know ]. > > It’s an operational issue when a rogue implementation does not follow > the standards. > > The only way it can “leak” the LL addresses is through applications, > human reading of logs, snooping of LL-addresses in a link etc. as discussed. > > > > I think we need to be careful about when we need to apply privacy and > when not. In some cases, privacy is not desirable as the service > provider might want to know who it is serving. If it is not IID based LL > address – there is some sort of unique ID there. > > > > The use-cases for privacy are quite application/usecase specific. Thus > providing a guideline through the 6man-default-iid draft is the best way > – as you propose below as well. I also don’t think that > draft-ietf-6lo-* is the right place to talk about application behavior > for default-iids. > > > > If we want to prevent others to snoop LL-address in the local subnet, > one can use encrypted L3 header or we should develop a tool to prevent > snooping in the local subnet without permission from the local > router/administrative domain. > > > > As far as I can tell, the scope of draft-ietf-6lo-* documents are in > the realm of 6lo domain and they are served by a 6lowpan-GW(6LBR) for > that(foo) L2 technology. Either 6LBR can assign random IIDs or the > devices can generate random IID and generate new LL-addresses (for > example, everytime they wake up). But, note that it will require more > signaling, messaging in the network and will not be desirable for the > reduced function nodes or low energy networks. However, it could be an > optional function which require further analysis from 6lo perspective. > > > > Regards, > > -Samita > > > > > > > > *From:*Alissa Cooper [mailto:alissa@cooperw.in] > *Sent:* Thursday, July 16, 2015 12:35 PM > *To:* Savolainen Teemu (Nokia-TECH/Tampere); Fernando Gont; Dave Thaler; > Will Cheng > *Cc:* ext Kerry Lynn; draft-ietf-6lo-btle@ietf.org; 6lo-chairs@ietf.org; > draft-ietf-6lo-btle.ad@ietf.org; draft-ietf-6lo-btle.shepherd@ietf.org; > 6lo@ietf.org; IESG; Gabriel.Montenegro@microsoft.com > *Subject:* Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: > (with DISCUSS and COMMENT) > > > > + Dave, Fernando and Will, my co-authors on draft-ietf-6man-default-iids > and draft-ietf-6man-ipv6-address-generation-privacy > > > > When we were writing draft-ietf-6man-ipv6-address-generation-privacy we > had a discussion about whether the analysis should apply to link-locals > as well as non-link-locals. The conclusion was yes because link-locals > leak out via higher layer protocols (the example given is leakage in > email headers). So my suggestion was in the vein Teemu described, using > “sending” in a broader sense than just forwarding. As to why a node > would send an unreachable address in a higher layer protocol, it > probably depends on the protocol and the implementation and may happen > by mistake or for no good reason other than the fact that protocol calls > for an address to be filled in and the implementation chooses a > link-local address to fill it. > > > > It’s true that what I suggested can’t be enforced at layer 3, so maybe > this recommendation needs some more context around it and belongs > somewhere else (draft-ietf-6man-default-iids?). But I do feel that if > we’re going to write down the recommendations > in draft-ietf-6man-default-iids and then create an exception whenever a > case comes up where link-locals are expected not to leak, we should be > clear about both recommending against leakage and the reasons for the > exception. I’d like to understand if it's the case that you don’t expect > applications to be built on top of BLTE that could have the leakage > problem (because of how constrained the devices are, etc.), or if it’s > just unknown since people can build whatever they want on top. > > > > Thanks, > > Alissa > > > > On Jul 14, 2015, at 2:31 PM, Savolainen Teemu (Nokia-TECH/Tampere) > <teemu.savolainen@nokia.com <mailto:teemu.savolainen@nokia.com>> wrote: > > > > True. I'd like to hear Alissa's comment, as she proposed this addition. > > Best regards, > > Teemu > > On Jul 15, 2015 12:09 AM, ext Kerry Lynn <kerlyn@ieee.org > <mailto:kerlyn@ieee.org>> wrote: > > On Tue, Jul 14, 2015 at 4:58 PM, Savolainen Teemu (Nokia-TECH/Tampere) > <teemu.savolainen@nokia.com <mailto:teemu.savolainen@nokia.com>> wrote: > > Hi, > > I understood the sending to be about wider scope than merely forwarding > of packets. I.e. it would include sending of link-local addresses of > connected nodes as part of some other protocol payload (e.g. > hypothetically in ICE negotiations or so). But I'm not sure if that was > the original intent. > > I can see this would be a potential privacy concern but worse, it seems > like a waste > > of bandwidth since such an address could not be reached from outside the > local > > network. How could any IP-over-foo scheme enforce this for arbitrary L4 > protocols? > > > > Regards, Kerry > > Best regards, > > Teemu > > On Jul 14, 2015 11:22 PM, ext Kerry Lynn <kerlyn@ieee.org > <mailto:kerlyn@ieee.org>> wrote: > > On Tue, Jul 14, 2015 at 1:53 AM, Savolainen Teemu > (Nokia-TECH/Tampere) <teemu.savolainen@nokia.com > <mailto:teemu.savolainen@nokia.com>> wrote: > > Hi Alissa, > > Thank you for your reply, understanding, and spending time to create > actual text proposals. The proposed pieces of text are good > improvements, in my opinion, and I didn't really have any objections > or comments. If no other opinions arise, these will be included in > -15 as you proposed. > > For 3.2.1 the proposed sentence is currently drafted to be added to > the end of the section like this: > -- > ....The 6LBR ensures address collisions do not occur (see Section > 3.2.3) and forwards packets sent by one 6LN to another. However, the > 6LBR MUST NOT send the 6LN's link-local address outside of the local > link. > > > > The definition of link-local address is given in RFC 4291, Section > 2.5.6: > > "Routers must not forward any packets with Link-Local source > or destination addresses to other links." > > > > It seems unnecessary and perhaps confusing to repeat it here. If it > is not universally understood that > > 6LBRs work in this fashion, then we should clarify it in some > architectural document (like RFC 4291) > > so we don't have to spell it out in each 6lo proposal. > > > > Regards, Kerry Lynn > > > > -- > > Best regards, > > Teemu > > > -----Original Message----- > From: ext Alissa Cooper [mailto:alissa@cooperw.in > <mailto:alissa@cooperw.in>] > Sent: 14. heinäkuuta 2015 2:37 > To: Savolainen Teemu (Nokia-TECH/Tampere) > Cc: IESG; draft-ietf-6lo-btle@ietf.org > <mailto:draft-ietf-6lo-btle@ietf.org>; 6lo-chairs@ietf.org > <mailto:6lo-chairs@ietf.org>; Gabriel.Montenegro@microsoft.com > <mailto:Gabriel.Montenegro@microsoft.com>; > draft-ietf-6lo-btle.ad@ietf.org > <mailto:draft-ietf-6lo-btle.ad@ietf.org>; > draft-ietf-6lo-btle.shepherd@ietf.org > <mailto:draft-ietf-6lo-btle.shepherd@ietf.org>; 6lo@ietf.org > <mailto:6lo@ietf.org> > Subject: Re: Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: > (with DISCUSS and COMMENT) > > Hi Teemu, > > Thanks for your reply. Comments inline. > > On Jul 7, 2015, at 10:59 PM, Savolainen Teemu > (Nokia-TECH/Tampere) <teemu.savolainen@nokia.com > <mailto:teemu.savolainen@nokia.com>> wrote: > > > Hi Alissa, > > > > Thank you for your review. I'll try to address your comments > below: > > > >> My understanding from the discussions surrounding > draft-ietf-6man-default-iids was that RFC 6282 constitutes an > exception to the main recommendation ("By default, nodes SHOULD > NOT employ IPv6 address generation schemes that embed the > underlying link-layer address in the IID") because the header > compression scheme in RFC 6282 requires that the IID be based on > the link layer address. I see no text that justifies a similar > requirement in this document. > > > > This document uses the same RFC 6282 for header compression > (normative reference) and requires IID to be derivable from > somewhere. Hence I would see that this document is under the > RFC6282 exception on that regard, and we would not need to > repeat all justifications? Furthermore, if the IID cannot be > derived from the Bluetooth LE connection itself, I don't really > see from where it could be derived.. > > > >> I think if this document is going to specify generating the > IID from the device address as the only address generation > scheme for link-local addresses, it needs to provide a > justification for that. Otherwise, the default address > generation scheme should be one that generates an opaque IID of > limited lifetime. The possibility that the device address is > generated randomly and refreshed on each power cycle is > important to note, but is not by itself sufficient justification > given what I assume is the wider deployment of static device > addresses. If the v6 address can provide better privacy > protection than the device address, it should. > > > > Well the RFC 6282 requires IID to be computable from > somewhere, when fully elided and we need that for best power > efficiency, so isn't that already enough of justification? > > > > Furthermore, the subnet model (Section 3.2.1) restricts > link-local addresses to be used only between 6LN and 6LBR. Hence > the IID should not leak any further than to 6LBR. If the LE > device is not changing its device address but is switching > between different 6LBRs, the 6LBRs can already track the LE > device based on its device address, and changing IPv6 IID for > link-local addresses just adds complexity/loses efficiency, but > does not provide privacy benefits. Right? > > I chatted with Brian about this during the telechat and he > reaffirmed that link-locals are not expected to leak outside the > 6LN-6LBR connection in this case. So I'm ok to clear the bulk of > my discuss with that assurance. But I would suggest being > totally explicit about it, e.g. by adding text to 3.2.1 such as: > > The 6LBR MUST NOT send the 6LN's link-local address outside of > the local link. > > With that said, this text about non-link-locals is not > consistent with the recommendations in draft-ietf-6man-default-iids: > > For non-link-local addresses a 64-bit IID MAY be formed by utilizing > the 48-bit Bluetooth device address. A 6LN can also use a > randomly > generated IID (see Section 3.2.3), for example, as discussed in > [I-D.ietf-6man-default-iids], or use alternative schemes such as > Cryptographically Generated Addresses (CGA) [RFC3972], privacy > extensions [RFC4941], Hash-Based Addresses (HBA, [RFC5535]), or > DHCPv6 [RFC3315]. > > To be consistent with draft-ietf-6man-default-iids I think it > would have to say something more along these lines: > > For non-link-local addresses, 6LNs SHOULD NOT be configured to > embed the Bluetooth device address in the IID by default. > Alternative schemes such as Cryptographically Generated > Addresses (CGA) [RFC3972], privacy extensions [RFC4941], > Hash-Based Addresses (HBA, [RFC5535]), DHCPv6 [RFC3315], or > static, semantically opaque addreses [RFC7217] SHOULD be used by > default. In situations where the Bluetooth device address is > known to be randomly generated and/or the header compression > benefits of embedding the device address in the IID are required > to support deployment constraints, 6LNs MAY form a 64-bit IID by > utilizing the 48-bit Bluetooth device address. > > > > > Even more, if device vendors choose to use static Bluetooth > device addresses, *everybody* in vicinity will be able to track > such devices simply by listening Bluetooth LE advertisements > those devices broadcast for Bluetooth LE service discovery > purposes. If they then use IPv6 link-local address that are only > used between Bluetooth LE device and it's router, no additional > information leaks out. It is of course another matter if the 6LN > uses the static device address for global address generation. > > > > When it comes to assumption, I would assume static Bluetooth > LE device addresses are actually not to be used that much, at > least for Bluetooth LE nodes that are expected to be mobile. > This is because in Bluetooth LE random addresses are inbuilt to > specification and very easy to use, on the contrary to basic > Bluetooth (BR/EDR) that does not have as good privacy features > as the LE. So I don't really see need for LE device vendors not > to use random device addresses. (If Bluetooth LE devices have > been paired, they can choose to use random resolvable addresses > in their advertisements, which the paired devices can recognize > to indicate known device by using Identity Resolving Key, please > see BLE specs for more). > > > > For non-link-local addresses variety of means for privacy are > documented. > > > >> On that point, there also seems to be a discrepancy between > Section 3.2.2 and Section 5. Section 3.2.2 states: > >> "(After a Bluetooth LE logical link has been established, it > > is referenced with a Connection Handle in HCI. Thus possibly > > changing device addresses do not impact data flows within > existing > > L2CAP channels. Hence there is no need to change IPv6 > link-local > > addresses even if devices change their random device > addresses during > > L2CAP channel lifetime)." > >> Section 5 states: > >> "The IPv6 link-local address configuration described in > Section 3.2.2 > > strictly binds the privacy level of IPv6 link-local address > to the > > privacy level device has selected for the Bluetooth LE. > This means > > that a device using Bluetooth privacy features will retain > the same > > level of privacy with generated IPv6 link-local addresses." > >> If the IID remains the same even when the device address > changes, then the IID can be used to correlate activities of the > device for the full lifetime of the IID, which goes beyond the > lifetime of the device address. So the "privacy level" afforded > by the device address is not the same as that of the IID. If > this document is going to specify the generation of IIDs based > on device addresses, why not regenerate the IID when the device > address is regenerated? > > > > The Bluetooth LE device address change does not impact ongoing > sessions. So the IID will remain the same during an established > LE L2CAP connection lifetime - the possible device address > change is not impacting existing connections! However, for > Bluetooth LE service discovery and for new connections the new > device address *does* impact, and hence new IPv6 IID would be > used for new connections. Actually, no matter what kind of IPv6 > address changes the 6LN performs, the 6LBR that has ongoing > L2CAP connection to 6LN will always know it is the same 6LN that > is sending data. Hence there's no point in changing IPv6 > link-local address within ongoing L2CAP connection. > > Ok, understood. I would suggest a slight modification to the > text so it gets more to the point: > > OLD > The IPv6 link-local address configuration described in Section 3.2.2 > strictly binds the privacy level of IPv6 link-local address > to the > privacy level device has selected for the Bluetooth LE. This > means > that a device using Bluetooth privacy features will retain > the same > level of privacy with generated IPv6 link-local addresses. > > NEW > The IPv6 link-local address configuration described in Section > 3.2.2 only reveals information about the 6LN to the 6LBR that > the 6LBR already knows from the link layer connection. This > means that a device using Bluetooth privacy features reveals the > same information in its IPv6 link-local addresses as in its > device addresses. > > > > > If the 6LN having connection up would wish to change its > link-local address so that the 6LBR cannot track it, the 6LN has to: > > - Tear down BLE connection (disconnect L2CAP and so on) > > - Change device address > > - Start advertising IPSP service > > - Wait for 6LBR to establish BLE connection to it > > - Start using IP with new link-local address > > > >> Why does this draft reference v4.1 of the Bluetooth spec > rather than v4.2? > > > > This draft requires Bluetooth 4.1 or newer. We wanted to have > reference to the minimum version of the Bluetooth spec that is > required. > > > >> In 3.2.2, I think RFC 7217 should be added to the list in > this sentence: > >> Similarly, in Section 5, > s/[I-D.ietf-6man-default-iids]/[RFC7217]/ in this sentence: > > > > That sound be fine, as long as we don't need to start defining > how to select things like Network_ID? > > I don't think that's necessary - it's not as if this has been > defined for other network types, and it's optional. > > > Thanks, > Alissa > > > > > Best regards, > > > > Teemu > > > > _______________________________________________ > 6lo mailing list > 6lo@ietf.org <mailto:6lo@ietf.org> > https://www.ietf.org/mailman/listinfo/6lo > > > > > > > -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-b… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Kerry Lynn
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Kerry Lynn
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alexandru Petrescu
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Brian Haberman
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Samita Chakrabarti
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Stephen Farrell
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Fernando Gont
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… AbdurRashidSangi