Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT)
Brian Haberman <brian@innovationslab.net> Fri, 17 July 2015 11:48 UTC
Return-Path: <brian@innovationslab.net>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B79D11B332C; Fri, 17 Jul 2015 04:48:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4pWBxhSRoQCm; Fri, 17 Jul 2015 04:48:27 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 200EB1B3302; Fri, 17 Jul 2015 04:48:09 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id DE4568812C; Fri, 17 Jul 2015 04:48:08 -0700 (PDT)
Received: from Littlejohn.local (unknown [76.21.129.88]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 4109D3520395; Fri, 17 Jul 2015 04:48:07 -0700 (PDT)
Message-ID: <55A8EB70.1070307@innovationslab.net>
Date: Fri, 17 Jul 2015 07:48:00 -0400
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: "Savolainen Teemu (Nokia-TECH/Tampere)" <teemu.savolainen@nokia.com>, ext Alissa Cooper <alissa@cooperw.in>, Fernando Gont <fgont@si6networks.com>, Dave Thaler <dthaler@microsoft.com>, Will Cheng <liushucheng@huawei.com>
References: <b366d082-133c-487f-a988-9bc5bfeb01a3@email.android.com> <32BFA1BC-3196-4DC3-B4E1-2151EA1345DE@cooperw.in> <4ab14b6a1a9146ef839ea3bff732ebb7@NOKWDCFIEXCH02P.nnok.nokia.com>
In-Reply-To: <4ab14b6a1a9146ef839ea3bff732ebb7@NOKWDCFIEXCH02P.nnok.nokia.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="SG0MfM48J2VLqnm8hi8J45pdhgF6AOerV"
Archived-At: <http://mailarchive.ietf.org/arch/msg/6lo/bLsqtEq6DysmhjUPcVpErK5EewI>
X-Mailman-Approved-At: Fri, 17 Jul 2015 10:25:39 -0700
Cc: ext Kerry Lynn <kerlyn@ieee.org>, "6lo-chairs@ietf.org" <6lo-chairs@ietf.org>, "draft-ietf-6lo-btle.ad@ietf.org" <draft-ietf-6lo-btle.ad@ietf.org>, "draft-ietf-6lo-btle.shepherd@ietf.org" <draft-ietf-6lo-btle.shepherd@ietf.org>, "draft-ietf-6lo-btle@ietf.org" <draft-ietf-6lo-btle@ietf.org>, "Gabriel.Montenegro@microsoft.com" <Gabriel.Montenegro@microsoft.com>, IESG <iesg@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Subject: Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT)
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2015 11:48:31 -0000
I believe that Alissa's points are valid and should be documented somewhere. However, I think those points are globally valid (i.e., well beyond the scope of this draft). Alissa's suggestion of putting the context and the recommendations in a more generic draft, like default-iids, makes more sense to me than trying to wordsmith them into this document and then having to do the same thing for every new ipv6-over-foo draft. Does the above work for everyone? Do we need to set some time aside in Prague to talk about this? Brian On 7/17/15 3:38 AM, Savolainen Teemu (Nokia-TECH/Tampere) wrote: > Hi Alissa, > > I would say that by definition people can build whatever they want on > top of IPv6 over BLE. Furthermore, nothing limits using IPv6 over BLE > only by most constrained devices. The Bluetooth LE is a nice radio > and is being supported by large number of devices, such as > smartphones, tablets, and PCs. And these potentially could start > supporting also IPv6 over BLE (no HW changes required). Hence even if > Bluetooth LE radio is designed for constrained devices, > non-constrained devices might find it useful as well (usefulness of > that on different scenarios of course depends and can be debated). > Thus we cannot limit applications, and probably this document is not > the right place to guide application developers about not leaking > device identity information via addresses. > > So, while general guidance probably is needed elsewhere, do we agree > that 6lo-btle-15 should nevertheless say: "However, the 6LBR MUST NOT > send the 6LN's link-local address outside of the local link."? . . . > What it the 6LBR logs connections and the logs are collected by > remote entity? This log would probably include device address of > connected devices, thus the link-local address, and hence would > violate "sending 6LN's link-local address outside of the local > link.".. our would that kind of activity be an allowed exception to > MUST NOT? > > I have been previously thinking that use of random device addresses > would be implementation decision, but would it help if in this > document we would recommend implementations to use random Bluetooth > device addresses (RECOMMENDED or SHOULD wording, perhaps)? I think > this could be added, for example, at the first paragraph of Section 3 > like this (the last two sentences of the paragraph are new): -- At > network interface initialization, both 6LN and 6LBR SHALL generate > and assign to the Bluetooth LE network interface IPv6 link-local > addresses [RFC4862] based on the 48-bit Bluetooth device addresses > (see Section 2.3) that were used for establishing the underlying > Bluetooth LE connection. A 6LN and a 6LBR are RECOMMENDED to use > random Bluetooth device addresses. A 6LN SHOULD pick a different > Bluetooth device address for every Bluetooth LE connection with a > 6LBR, and a 6LBR SHOULD periodically change its random Bluetooth > device address. -- > > Best regards, > > Teemu > > From: ext Alissa Cooper [mailto:alissa@cooperw.in] Sent: 16. > heinäkuuta 2015 22:35 To: Savolainen Teemu (Nokia-TECH/Tampere); > Fernando Gont; Dave Thaler; Will Cheng Cc: ext Kerry Lynn; > draft-ietf-6lo-btle@ietf.org; 6lo-chairs@ietf.org; > draft-ietf-6lo-btle.ad@ietf.org; > draft-ietf-6lo-btle.shepherd@ietf.org; 6lo@ietf.org; IESG; > Gabriel.Montenegro@microsoft.com Subject: Re: [6lo] Alissa Cooper's > Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT) > > + Dave, Fernando and Will, my co-authors on > draft-ietf-6man-default-iids and > draft-ietf-6man-ipv6-address-generation-privacy > > When we were writing draft-ietf-6man-ipv6-address-generation-privacy > we had a discussion about whether the analysis should apply to > link-locals as well as non-link-locals. The conclusion was yes > because link-locals leak out via higher layer protocols (the example > given is leakage in email headers). So my suggestion was in the vein > Teemu described, using "sending" in a broader sense than just > forwarding. As to why a node would send an unreachable address in a > higher layer protocol, it probably depends on the protocol and the > implementation and may happen by mistake or for no good reason other > than the fact that protocol calls for an address to be filled in and > the implementation chooses a link-local address to fill it. > > It's true that what I suggested can't be enforced at layer 3, so > maybe this recommendation needs some more context around it and > belongs somewhere else (draft-ietf-6man-default-iids?). But I do feel > that if we're going to write down the recommendations in > draft-ietf-6man-default-iids and then create an exception whenever a > case comes up where link-locals are expected not to leak, we should > be clear about both recommending against leakage and the reasons for > the exception. I'd like to understand if it's the case that you don't > expect applications to be built on top of BLTE that could have the > leakage problem (because of how constrained the devices are, etc.), > or if it's just unknown since people can build whatever they want on > top. > > Thanks, Alissa > > On Jul 14, 2015, at 2:31 PM, Savolainen Teemu (Nokia-TECH/Tampere) > <teemu.savolainen@nokia.com<mailto:teemu.savolainen@nokia.com>> > wrote: > > > > True. I'd like to hear Alissa's comment, as she proposed this > addition. > > Best regards, > > Teemu On Jul 15, 2015 12:09 AM, ext Kerry Lynn > <kerlyn@ieee.org<mailto:kerlyn@ieee.org>> wrote: On Tue, Jul 14, 2015 > at 4:58 PM, Savolainen Teemu (Nokia-TECH/Tampere) > <teemu.savolainen@nokia.com<mailto:teemu.savolainen@nokia.com>> > wrote: > > Hi, > > I understood the sending to be about wider scope than merely > forwarding of packets. I.e. it would include sending of link-local > addresses of connected nodes as part of some other protocol payload > (e.g. hypothetically in ICE negotiations or so). But I'm not sure if > that was the original intent. I can see this would be a potential > privacy concern but worse, it seems like a waste of bandwidth since > such an address could not be reached from outside the local network. > How could any IP-over-foo scheme enforce this for arbitrary L4 > protocols? > > Regards, Kerry > > Best regards, > > Teemu On Jul 14, 2015 11:22 PM, ext Kerry Lynn > <kerlyn@ieee.org<mailto:kerlyn@ieee.org>> wrote: On Tue, Jul 14, 2015 > at 1:53 AM, Savolainen Teemu (Nokia-TECH/Tampere) > <teemu.savolainen@nokia.com<mailto:teemu.savolainen@nokia.com>> > wrote: Hi Alissa, > > Thank you for your reply, understanding, and spending time to create > actual text proposals. The proposed pieces of text are good > improvements, in my opinion, and I didn't really have any objections > or comments. If no other opinions arise, these will be included in > -15 as you proposed. > > For 3.2.1 the proposed sentence is currently drafted to be added to > the end of the section like this: -- ....The 6LBR ensures address > collisions do not occur (see Section 3.2.3) and forwards packets sent > by one 6LN to another. However, the 6LBR MUST NOT send the 6LN's > link-local address outside of the local link. > > The definition of link-local address is given in RFC 4291, Section > 2.5.6: "Routers must not forward any packets with Link-Local source > or destination addresses to other links." > > It seems unnecessary and perhaps confusing to repeat it here. If it > is not universally understood that 6LBRs work in this fashion, then > we should clarify it in some architectural document (like RFC 4291) > so we don't have to spell it out in each 6lo proposal. > > Regards, Kerry Lynn > > -- > > Best regards, > > Teemu > > -----Original Message----- From: ext Alissa Cooper > [mailto:alissa@cooperw.in<mailto:alissa@cooperw.in>] Sent: 14. > heinäkuuta 2015 2:37 To: Savolainen Teemu (Nokia-TECH/Tampere) Cc: > IESG; > draft-ietf-6lo-btle@ietf.org<mailto:draft-ietf-6lo-btle@ietf.org>; > 6lo-chairs@ietf.org<mailto:6lo-chairs@ietf.org>; > Gabriel.Montenegro@microsoft.com<mailto:Gabriel.Montenegro@microsoft.com>; > draft-ietf-6lo-btle.ad@ietf.org<mailto:draft-ietf-6lo-btle.ad@ietf.org>; > draft-ietf-6lo-btle.shepherd@ietf.org<mailto:draft-ietf-6lo-btle.shepherd@ietf.org>; > 6lo@ietf.org<mailto:6lo@ietf.org> Subject: Re: Alissa Cooper's > Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT) > > Hi Teemu, > > Thanks for your reply. Comments inline. > > On Jul 7, 2015, at 10:59 PM, Savolainen Teemu (Nokia-TECH/Tampere) > <teemu.savolainen@nokia.com<mailto:teemu.savolainen@nokia.com>> > wrote: > >> Hi Alissa, >> >> Thank you for your review. I'll try to address your comments >> below: >> >>> My understanding from the discussions surrounding >>> draft-ietf-6man-default-iids was that RFC 6282 constitutes an >>> exception to the main recommendation ("By default, nodes SHOULD >>> NOT employ IPv6 address generation schemes that embed the >>> underlying link-layer address in the IID") because the header >>> compression scheme in RFC 6282 requires that the IID be based on >>> the link layer address. I see no text that justifies a similar >>> requirement in this document. >> >> This document uses the same RFC 6282 for header compression >> (normative reference) and requires IID to be derivable from >> somewhere. Hence I would see that this document is under the >> RFC6282 exception on that regard, and we would not need to repeat >> all justifications? Furthermore, if the IID cannot be derived from >> the Bluetooth LE connection itself, I don't really see from where >> it could be derived.. >> >>> I think if this document is going to specify generating the IID >>> from the device address as the only address generation scheme for >>> link-local addresses, it needs to provide a justification for >>> that. Otherwise, the default address generation scheme should be >>> one that generates an opaque IID of limited lifetime. The >>> possibility that the device address is generated randomly and >>> refreshed on each power cycle is important to note, but is not by >>> itself sufficient justification given what I assume is the wider >>> deployment of static device addresses. If the v6 address can >>> provide better privacy protection than the device address, it >>> should. >> >> Well the RFC 6282 requires IID to be computable from somewhere, >> when fully elided and we need that for best power efficiency, so >> isn't that already enough of justification? >> >> Furthermore, the subnet model (Section 3.2.1) restricts link-local >> addresses to be used only between 6LN and 6LBR. Hence the IID >> should not leak any further than to 6LBR. If the LE device is not >> changing its device address but is switching between different >> 6LBRs, the 6LBRs can already track the LE device based on its >> device address, and changing IPv6 IID for link-local addresses just >> adds complexity/loses efficiency, but does not provide privacy >> benefits. Right? > > I chatted with Brian about this during the telechat and he reaffirmed > that link-locals are not expected to leak outside the 6LN-6LBR > connection in this case. So I'm ok to clear the bulk of my discuss > with that assurance. But I would suggest being totally explicit about > it, e.g. by adding text to 3.2.1 such as: > > The 6LBR MUST NOT send the 6LN's link-local address outside of the > local link. > > With that said, this text about non-link-locals is not consistent > with the recommendations in draft-ietf-6man-default-iids: > > For non-link-local addresses a 64-bit IID MAY be formed by utilizing > the 48-bit Bluetooth device address. A 6LN can also use a randomly > generated IID (see Section 3.2.3), for example, as discussed in > [I-D.ietf-6man-default-iids], or use alternative schemes such as > Cryptographically Generated Addresses (CGA) [RFC3972], privacy > extensions [RFC4941], Hash-Based Addresses (HBA, [RFC5535]), or > DHCPv6 [RFC3315]. > > To be consistent with draft-ietf-6man-default-iids I think it would > have to say something more along these lines: > > For non-link-local addresses, 6LNs SHOULD NOT be configured to embed > the Bluetooth device address in the IID by default. Alternative > schemes such as Cryptographically Generated Addresses (CGA) > [RFC3972], privacy extensions [RFC4941], Hash-Based Addresses (HBA, > [RFC5535]), DHCPv6 [RFC3315], or static, semantically opaque addreses > [RFC7217] SHOULD be used by default. In situations where the > Bluetooth device address is known to be randomly generated and/or the > header compression benefits of embedding the device address in the > IID are required to support deployment constraints, 6LNs MAY form a > 64-bit IID by utilizing the 48-bit Bluetooth device address. > >> >> Even more, if device vendors choose to use static Bluetooth device >> addresses, *everybody* in vicinity will be able to track such >> devices simply by listening Bluetooth LE advertisements those >> devices broadcast for Bluetooth LE service discovery purposes. If >> they then use IPv6 link-local address that are only used between >> Bluetooth LE device and it's router, no additional information >> leaks out. It is of course another matter if the 6LN uses the >> static device address for global address generation. >> >> When it comes to assumption, I would assume static Bluetooth LE >> device addresses are actually not to be used that much, at least >> for Bluetooth LE nodes that are expected to be mobile. This is >> because in Bluetooth LE random addresses are inbuilt to >> specification and very easy to use, on the contrary to basic >> Bluetooth (BR/EDR) that does not have as good privacy features as >> the LE. So I don't really see need for LE device vendors not to use >> random device addresses. (If Bluetooth LE devices have been paired, >> they can choose to use random resolvable addresses in their >> advertisements, which the paired devices can recognize to indicate >> known device by using Identity Resolving Key, please see BLE specs >> for more). >> >> For non-link-local addresses variety of means for privacy are >> documented. >> >>> On that point, there also seems to be a discrepancy between >>> Section 3.2.2 and Section 5. Section 3.2.2 states: "(After a >>> Bluetooth LE logical link has been established, it >> is referenced with a Connection Handle in HCI. Thus possibly >> changing device addresses do not impact data flows within existing >> L2CAP channels. Hence there is no need to change IPv6 link-local >> addresses even if devices change their random device addresses >> during L2CAP channel lifetime)." >>> Section 5 states: "The IPv6 link-local address configuration >>> described in Section 3.2.2 >> strictly binds the privacy level of IPv6 link-local address to the >> privacy level device has selected for the Bluetooth LE. This >> means that a device using Bluetooth privacy features will retain >> the same level of privacy with generated IPv6 link-local >> addresses." >>> If the IID remains the same even when the device address changes, >>> then the IID can be used to correlate activities of the device >>> for the full lifetime of the IID, which goes beyond the lifetime >>> of the device address. So the "privacy level" afforded by the >>> device address is not the same as that of the IID. If this >>> document is going to specify the generation of IIDs based on >>> device addresses, why not regenerate the IID when the device >>> address is regenerated? >> >> The Bluetooth LE device address change does not impact ongoing >> sessions. So the IID will remain the same during an established LE >> L2CAP connection lifetime - the possible device address change is >> not impacting existing connections! However, for Bluetooth LE >> service discovery and for new connections the new device address >> *does* impact, and hence new IPv6 IID would be used for new >> connections. Actually, no matter what kind of IPv6 address changes >> the 6LN performs, the 6LBR that has ongoing L2CAP connection to 6LN >> will always know it is the same 6LN that is sending data. Hence >> there's no point in changing IPv6 link-local address within ongoing >> L2CAP connection. > > Ok, understood. I would suggest a slight modification to the text so > it gets more to the point: > > OLD The IPv6 link-local address configuration described in Section > 3.2.2 strictly binds the privacy level of IPv6 link-local address to > the privacy level device has selected for the Bluetooth LE. This > means that a device using Bluetooth privacy features will retain the > same level of privacy with generated IPv6 link-local addresses. > > NEW The IPv6 link-local address configuration described in Section > 3.2.2 only reveals information about the 6LN to the 6LBR that the > 6LBR already knows from the link layer connection. This means that a > device using Bluetooth privacy features reveals the same information > in its IPv6 link-local addresses as in its device addresses. > >> >> If the 6LN having connection up would wish to change its link-local >> address so that the 6LBR cannot track it, the 6LN has to: - Tear >> down BLE connection (disconnect L2CAP and so on) - Change device >> address - Start advertising IPSP service - Wait for 6LBR to >> establish BLE connection to it - Start using IP with new link-local >> address >> >>> Why does this draft reference v4.1 of the Bluetooth spec rather >>> than v4.2? >> >> This draft requires Bluetooth 4.1 or newer. We wanted to have >> reference to the minimum version of the Bluetooth spec that is >> required. >> >>> In 3.2.2, I think RFC 7217 should be added to the list in this >>> sentence: Similarly, in Section 5, >>> s/[I-D.ietf-6man-default-iids]/[RFC7217]/ in this sentence: >> >> That sound be fine, as long as we don't need to start defining how >> to select things like Network_ID? > I don't think that's necessary - it's not as if this has been defined > for other network types, and it's optional. > > Thanks, Alissa > >> >> Best regards, >> >> Teemu >> > > _______________________________________________ 6lo mailing list > 6lo@ietf.org<mailto:6lo@ietf.org> > https://www.ietf.org/mailman/listinfo/6lo > > > >
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-b… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Kerry Lynn
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Kerry Lynn
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alexandru Petrescu
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Brian Haberman
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Samita Chakrabarti
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Stephen Farrell
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Fernando Gont
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… AbdurRashidSangi