IETF Logo Mail Archive

Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT)

"Savolainen Teemu (Nokia-TECH/Tampere)" <teemu.savolainen@nokia.com> Wed, 08 July 2015 05:59 UTC

Return-Path: <prvs=624d92423=teemu.savolainen@nokia.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7A741B3100; Tue, 7 Jul 2015 22:59:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VTHUc2pw9ihH; Tue, 7 Jul 2015 22:59:30 -0700 (PDT)
Received: from nok-msg-2.service.capgemini.fi (nok-msg-2.service.capgemini.fi [145.247.12.203]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3A0C1B30FB; Tue, 7 Jul 2015 22:59:22 -0700 (PDT)
Received: from unknown (HELO NOKWDCFIEXCH02P.nnok.nokia.com) ([10.50.38.50]) by noi-msg-2.service.capgemini.fi with ESMTP; 08 Jul 2015 08:59:20 +0300
Received: from NOKWDCFIEXCH02P.nnok.nokia.com (10.50.38.50) by NOKWDCFIEXCH02P.nnok.nokia.com (10.50.38.50) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Wed, 8 Jul 2015 08:59:19 +0300
Received: from NOKWDCFIEXCH02P.nnok.nokia.com ([fe80::99d1:400a:d939:3ebe]) by NOKWDCFIEXCH02P.nnok.nokia.com ([fe80::99d1:400a:d939:3ebe%17]) with mapi id 15.00.1044.021; Wed, 8 Jul 2015 08:59:19 +0300
From: "Savolainen Teemu (Nokia-TECH/Tampere)" <teemu.savolainen@nokia.com>
To: ext Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
Thread-Topic: Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT)
Thread-Index: AQHQuTS+wn7BuDrWgEu6Hd6gdGPkdZ3RACKQ
Date: Wed, 08 Jul 2015 05:59:18 +0000
Message-ID: <39c6d3e913fd44d6bdd24a4596564cb3@NOKWDCFIEXCH02P.nnok.nokia.com>
References: <20150708041531.28644.93106.idtracker@ietfa.amsl.com>
In-Reply-To: <20150708041531.28644.93106.idtracker@ietfa.amsl.com>
Accept-Language: fi-FI, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.50.32.5]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/6lo/cwvR7ScmfrRPLZtBpEPum8Gxbm8>
Cc: "draft-ietf-6lo-btle.shepherd@ietf.org" <draft-ietf-6lo-btle.shepherd@ietf.org>, "6lo-chairs@ietf.org" <6lo-chairs@ietf.org>, "draft-ietf-6lo-btle.ad@ietf.org" <draft-ietf-6lo-btle.ad@ietf.org>, "draft-ietf-6lo-btle@ietf.org" <draft-ietf-6lo-btle@ietf.org>, "Gabriel.Montenegro@microsoft.com" <Gabriel.Montenegro@microsoft.com>, "6lo@ietf.org" <6lo@ietf.org>
Subject: Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT)
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 05:59:33 -0000

Hi Alissa,

Thank you for your review. I'll try to address your comments below:

>My understanding from the discussions surrounding draft-ietf-6man-default-iids was that RFC 6282 constitutes an exception to the main recommendation ("By default, nodes SHOULD NOT employ IPv6 address generation schemes that embed the underlying link-layer address in the IID") because the header compression scheme in RFC 6282 requires that the IID be based on the link layer address. I see no text that justifies a similar requirement in this document. 

This document uses the same RFC 6282 for header compression (normative reference) and requires IID to be derivable from somewhere. Hence I would see that this document is under the RFC6282 exception on that regard, and we would not need to repeat all justifications? Furthermore, if the IID cannot be derived from the Bluetooth LE connection itself, I don't really see from where it could be derived..

>I think if this document is going to specify generating the IID from the device address as the only address generation scheme for link-local addresses, it needs to provide a justification for that. Otherwise, the default address generation scheme should be one that generates an opaque IID of limited lifetime. The possibility that the device address is generated randomly and refreshed on each power cycle is important to note, but is not by itself sufficient justification given what I assume is the wider deployment of static device addresses. If the v6 address can provide better privacy protection than the device address, it should.

Well the RFC 6282 requires IID to be computable from somewhere, when fully elided and we need that for best power efficiency, so isn't that already enough of justification?

Furthermore, the subnet model (Section 3.2.1) restricts link-local addresses to be used only between 6LN and 6LBR. Hence the IID should not leak any further than to 6LBR. If the LE device is not changing its device address but is switching between different 6LBRs, the 6LBRs can already track the LE device based on its device address, and changing IPv6 IID for link-local addresses just adds complexity/loses efficiency, but does not provide privacy benefits. Right?

Even more, if device vendors choose to use static Bluetooth device addresses, *everybody* in vicinity will be able to track such devices simply by listening Bluetooth LE advertisements those devices broadcast for Bluetooth LE service discovery purposes. If they then use IPv6 link-local address that are only used between Bluetooth LE device and it's router, no additional information leaks out. It is of course another matter if the 6LN uses the static device address for global address generation.

When it comes to assumption, I would assume static Bluetooth LE device addresses are actually not to be used that much, at least for Bluetooth LE nodes that are expected to be mobile. This is because in Bluetooth LE random addresses are inbuilt to specification and very easy to use, on the contrary to basic Bluetooth (BR/EDR) that does not have as good privacy features as the LE. So I don't really see need for LE device vendors not to use random device addresses. (If Bluetooth LE devices have been paired, they can choose to use random resolvable addresses in their advertisements, which the paired devices can recognize to indicate known device by using Identity Resolving Key, please see BLE specs for more).

For non-link-local addresses variety of means for privacy are documented.

>On that point, there also seems to be a discrepancy between Section 3.2.2 and Section 5. Section 3.2.2 states:
>"(After a Bluetooth LE logical link has been established, it
   is referenced with a Connection Handle in HCI.  Thus possibly
   changing device addresses do not impact data flows within existing
   L2CAP channels.  Hence there is no need to change IPv6 link-local
   addresses even if devices change their random device addresses during
   L2CAP channel lifetime)." 
>Section 5 states:
>"The IPv6 link-local address configuration described in Section 3.2.2
   strictly binds the privacy level of IPv6 link-local address to the
   privacy level device has selected for the Bluetooth LE.  This means
   that a device using Bluetooth privacy features will retain the same
   level of privacy with generated IPv6 link-local addresses."
>If the IID remains the same even when the device address changes, then the IID can be used to correlate activities of the device for the full lifetime of the IID, which goes beyond the lifetime of the device address. So the "privacy level" afforded by the device address is not the same as that of the IID. If this document is going to specify the generation of IIDs based on device addresses, why not regenerate the IID when the device address is regenerated?

The Bluetooth LE device address change does not impact ongoing sessions. So the IID will remain the same during an established LE L2CAP connection lifetime - the possible device address change is not impacting existing connections! However, for Bluetooth LE service discovery and for new connections the new device address *does* impact, and hence new IPv6 IID would be used for new connections. Actually, no matter what kind of IPv6 address changes the 6LN performs, the 6LBR that has ongoing L2CAP connection to 6LN will always know it is the same 6LN that is sending data. Hence there's no point in changing IPv6 link-local address within ongoing L2CAP connection. 

If the 6LN having connection up would wish to change its link-local address so that the 6LBR cannot track it, the 6LN has to:
- Tear down BLE connection (disconnect L2CAP and so on)
- Change device address
- Start advertising IPSP service
- Wait for 6LBR to establish BLE connection to it
- Start using IP with new link-local address

>Why does this draft reference v4.1 of the Bluetooth spec rather than v4.2?

This draft requires Bluetooth 4.1 or newer. We wanted to have reference to the minimum version of the Bluetooth spec that is required.

>In 3.2.2, I think RFC 7217 should be added to the list in this sentence:
>Similarly, in Section 5, s/[I-D.ietf-6man-default-iids]/[RFC7217]/ in this sentence:

That sound be fine, as long as we don't need to start defining how to select things like Network_ID?

Best regards,

Teemu

v2.23.0 | Report a Bug | By Email