Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT)
Kerry Lynn <kerlyn@ieee.org> Tue, 14 July 2015 21:09 UTC
Return-Path: <kerlyn2001@gmail.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 903E61B2D50; Tue, 14 Jul 2015 14:09:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.027
X-Spam-Level:
X-Spam-Status: No, score=-1.027 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V9XxGHzV2QSf; Tue, 14 Jul 2015 14:09:13 -0700 (PDT)
Received: from mail-ob0-x236.google.com (mail-ob0-x236.google.com [IPv6:2607:f8b0:4003:c01::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D3EC1B2D4D; Tue, 14 Jul 2015 14:09:13 -0700 (PDT)
Received: by obnw1 with SMTP id w1so14142060obn.3; Tue, 14 Jul 2015 14:09:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=bVzw1k463aRTTdy9CihGL4TA4rcL4PSrAjlkSvoKhqk=; b=lNg8tFKDpG+7GHHzs9fC8E0X41I40tdeFPbyYuqgaf4fIeIxYjPQNoclX6C43wMqqa i8tV0Z1Bgpjrg5Z9PELo6YDGyHlcIWGQhKYknVnFw8vREtx9a/VErWarMuiYrBt5zCIK K0OxEYJVXyJm82T2fF+e2ahi4QqGVb2SvTe6S97XRVp1uLNS8NJLqIy0vcmNdWP/M9MD N/WvNM+MwzotGu6+N/WsN3yzCkOY6gAdvUkWwf9o1sc4NXcCuBPvtiR2e4ASPg2ekmbK /OO8OI4x4YUu+hODT1dy4pQi/quMqs4YvSSgBrH+HbCS5mydBkyVrKI7/B2B7Azh9TPN 2/EQ==
MIME-Version: 1.0
X-Received: by 10.202.75.13 with SMTP id y13mr496835oia.92.1436908152716; Tue, 14 Jul 2015 14:09:12 -0700 (PDT)
Sender: kerlyn2001@gmail.com
Received: by 10.60.179.227 with HTTP; Tue, 14 Jul 2015 14:09:12 -0700 (PDT)
In-Reply-To: <cd2772b2-8f08-4a3a-8bec-05622b88fa49@email.android.com>
References: <cd2772b2-8f08-4a3a-8bec-05622b88fa49@email.android.com>
Date: Tue, 14 Jul 2015 17:09:12 -0400
X-Google-Sender-Auth: XNLuxfF64PqU0Vy-xR8H-qQJKSo
Message-ID: <CABOxzu0h9K2fAdxhofEy_EQF2k7o=1jRS=4bJMujPf=ZL7b+Vw@mail.gmail.com>
From: Kerry Lynn <kerlyn@ieee.org>
To: "Savolainen Teemu (Nokia-TECH/Tampere)" <teemu.savolainen@nokia.com>
Content-Type: multipart/alternative; boundary="001a11c17750048387051adc406b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/6lo/dSsaCMB8RZjxFL7qFDMErf3sE5M>
Cc: "draft-ietf-6lo-btle.shepherd@ietf.org" <draft-ietf-6lo-btle.shepherd@ietf.org>, "6lo-chairs@ietf.org" <6lo-chairs@ietf.org>, "draft-ietf-6lo-btle.ad@ietf.org" <draft-ietf-6lo-btle.ad@ietf.org>, ext Alissa Cooper <alissa@cooperw.in>, "draft-ietf-6lo-btle@ietf.org" <draft-ietf-6lo-btle@ietf.org>, "Gabriel.Montenegro@microsoft.com" <Gabriel.Montenegro@microsoft.com>, IESG <iesg@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Subject: Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: (with DISCUSS and COMMENT)
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 21:09:17 -0000
On Tue, Jul 14, 2015 at 4:58 PM, Savolainen Teemu (Nokia-TECH/Tampere) < teemu.savolainen@nokia.com> wrote: > Hi, > > I understood the sending to be about wider scope than merely forwarding of > packets. I.e. it would include sending of link-local addresses of connected > nodes as part of some other protocol payload (e.g. hypothetically in ICE > negotiations or so). But I'm not sure if that was the original intent. > I can see this would be a potential privacy concern but worse, it seems like a waste of bandwidth since such an address could not be reached from outside the local network. How could any IP-over-foo scheme enforce this for arbitrary L4 protocols? Regards, Kerry > Best regards, > > Teemu > On Jul 14, 2015 11:22 PM, ext Kerry Lynn <kerlyn@ieee.org> wrote: > > On Tue, Jul 14, 2015 at 1:53 AM, Savolainen Teemu (Nokia-TECH/Tampere) < > teemu.savolainen@nokia.com> wrote: > > Hi Alissa, > > Thank you for your reply, understanding, and spending time to create > actual text proposals. The proposed pieces of text are good improvements, > in my opinion, and I didn't really have any objections or comments. If no > other opinions arise, these will be included in -15 as you proposed. > > For 3.2.1 the proposed sentence is currently drafted to be added to the > end of the section like this: > -- > ....The 6LBR ensures address collisions do not occur (see Section 3.2.3) > and forwards packets sent by one 6LN to another. However, the 6LBR MUST NOT > send the 6LN's link-local address outside of the local link. > > > The definition of link-local address is given in RFC 4291, Section 2.5.6: > "Routers must not forward any packets with Link-Local source or destination > addresses to other links." > > It seems unnecessary and perhaps confusing to repeat it here. If it is > not universally understood that > 6LBRs work in this fashion, then we should clarify it in some > architectural document (like RFC 4291) > so we don't have to spell it out in each 6lo proposal. > > Regards, Kerry Lynn > > -- > > Best regards, > > Teemu > > -----Original Message----- > From: ext Alissa Cooper [mailto:alissa@cooperw.in] > Sent: 14. heinäkuuta 2015 2:37 > To: Savolainen Teemu (Nokia-TECH/Tampere) > Cc: IESG; draft-ietf-6lo-btle@ietf.org; 6lo-chairs@ietf.org; > Gabriel.Montenegro@microsoft.com; draft-ietf-6lo-btle.ad@ietf.org; > draft-ietf-6lo-btle.shepherd@ietf.org; 6lo@ietf.org > Subject: Re: Alissa Cooper's Discuss on draft-ietf-6lo-btle-14: (with > DISCUSS and COMMENT) > > Hi Teemu, > > Thanks for your reply. Comments inline. > > On Jul 7, 2015, at 10:59 PM, Savolainen Teemu (Nokia-TECH/Tampere) < > teemu.savolainen@nokia.com> wrote: > > > Hi Alissa, > > > > Thank you for your review. I'll try to address your comments below: > > > >> My understanding from the discussions surrounding > draft-ietf-6man-default-iids was that RFC 6282 constitutes an exception to > the main recommendation ("By default, nodes SHOULD NOT employ IPv6 address > generation schemes that embed the underlying link-layer address in the > IID") because the header compression scheme in RFC 6282 requires that the > IID be based on the link layer address. I see no text that justifies a > similar requirement in this document. > > > > This document uses the same RFC 6282 for header compression (normative > reference) and requires IID to be derivable from somewhere. Hence I would > see that this document is under the RFC6282 exception on that regard, and > we would not need to repeat all justifications? Furthermore, if the IID > cannot be derived from the Bluetooth LE connection itself, I don't really > see from where it could be derived.. > > > >> I think if this document is going to specify generating the IID from > the device address as the only address generation scheme for link-local > addresses, it needs to provide a justification for that. Otherwise, the > default address generation scheme should be one that generates an opaque > IID of limited lifetime. The possibility that the device address is > generated randomly and refreshed on each power cycle is important to note, > but is not by itself sufficient justification given what I assume is the > wider deployment of static device addresses. If the v6 address can provide > better privacy protection than the device address, it should. > > > > Well the RFC 6282 requires IID to be computable from somewhere, when > fully elided and we need that for best power efficiency, so isn't that > already enough of justification? > > > > Furthermore, the subnet model (Section 3.2.1) restricts link-local > addresses to be used only between 6LN and 6LBR. Hence the IID should not > leak any further than to 6LBR. If the LE device is not changing its device > address but is switching between different 6LBRs, the 6LBRs can already > track the LE device based on its device address, and changing IPv6 IID for > link-local addresses just adds complexity/loses efficiency, but does not > provide privacy benefits. Right? > > I chatted with Brian about this during the telechat and he reaffirmed that > link-locals are not expected to leak outside the 6LN-6LBR connection in > this case. So I'm ok to clear the bulk of my discuss with that assurance. > But I would suggest being totally explicit about it, e.g. by adding text to > 3.2.1 such as: > > The 6LBR MUST NOT send the 6LN's link-local address outside of the local > link. > > With that said, this text about non-link-locals is not consistent with the > recommendations in draft-ietf-6man-default-iids: > > For non-link-local addresses a 64-bit IID MAY be formed by utilizing > the 48-bit Bluetooth device address. A 6LN can also use a randomly > generated IID (see Section 3.2.3), for example, as discussed in > [I-D.ietf-6man-default-iids], or use alternative schemes such as > Cryptographically Generated Addresses (CGA) [RFC3972], privacy > extensions [RFC4941], Hash-Based Addresses (HBA, [RFC5535]), or > DHCPv6 [RFC3315]. > > To be consistent with draft-ietf-6man-default-iids I think it would have > to say something more along these lines: > > For non-link-local addresses, 6LNs SHOULD NOT be configured to embed the > Bluetooth device address in the IID by default. Alternative schemes such as > Cryptographically Generated Addresses (CGA) [RFC3972], privacy extensions > [RFC4941], Hash-Based Addresses (HBA, [RFC5535]), DHCPv6 [RFC3315], or > static, semantically opaque addreses [RFC7217] SHOULD be used by default. > In situations where the Bluetooth device address is known to be randomly > generated and/or the header compression benefits of embedding the device > address in the IID are required to support deployment constraints, 6LNs MAY > form a 64-bit IID by utilizing the 48-bit Bluetooth device address. > > > > > Even more, if device vendors choose to use static Bluetooth device > addresses, *everybody* in vicinity will be able to track such devices > simply by listening Bluetooth LE advertisements those devices broadcast for > Bluetooth LE service discovery purposes. If they then use IPv6 link-local > address that are only used between Bluetooth LE device and it's router, no > additional information leaks out. It is of course another matter if the 6LN > uses the static device address for global address generation. > > > > When it comes to assumption, I would assume static Bluetooth LE device > addresses are actually not to be used that much, at least for Bluetooth LE > nodes that are expected to be mobile. This is because in Bluetooth LE > random addresses are inbuilt to specification and very easy to use, on the > contrary to basic Bluetooth (BR/EDR) that does not have as good privacy > features as the LE. So I don't really see need for LE device vendors not to > use random device addresses. (If Bluetooth LE devices have been paired, > they can choose to use random resolvable addresses in their advertisements, > which the paired devices can recognize to indicate known device by using > Identity Resolving Key, please see BLE specs for more). > > > > For non-link-local addresses variety of means for privacy are documented. > > > >> On that point, there also seems to be a discrepancy between Section > 3.2.2 and Section 5. Section 3.2.2 states: > >> "(After a Bluetooth LE logical link has been established, it > > is referenced with a Connection Handle in HCI. Thus possibly > > changing device addresses do not impact data flows within existing > > L2CAP channels. Hence there is no need to change IPv6 link-local > > addresses even if devices change their random device addresses during > > L2CAP channel lifetime)." > >> Section 5 states: > >> "The IPv6 link-local address configuration described in Section 3.2.2 > > strictly binds the privacy level of IPv6 link-local address to the > > privacy level device has selected for the Bluetooth LE. This means > > that a device using Bluetooth privacy features will retain the same > > level of privacy with generated IPv6 link-local addresses." > >> If the IID remains the same even when the device address changes, then > the IID can be used to correlate activities of the device for the full > lifetime of the IID, which goes beyond the lifetime of the device address. > So the "privacy level" afforded by the device address is not the same as > that of the IID. If this document is going to specify the generation of > IIDs based on device addresses, why not regenerate the IID when the device > address is regenerated? > > > > The Bluetooth LE device address change does not impact ongoing sessions. > So the IID will remain the same during an established LE L2CAP connection > lifetime - the possible device address change is not impacting existing > connections! However, for Bluetooth LE service discovery and for new > connections the new device address *does* impact, and hence new IPv6 IID > would be used for new connections. Actually, no matter what kind of IPv6 > address changes the 6LN performs, the 6LBR that has ongoing L2CAP > connection to 6LN will always know it is the same 6LN that is sending data. > Hence there's no point in changing IPv6 link-local address within ongoing > L2CAP connection. > > Ok, understood. I would suggest a slight modification to the text so it > gets more to the point: > > OLD > The IPv6 link-local address configuration described in Section 3.2.2 > strictly binds the privacy level of IPv6 link-local address to the > privacy level device has selected for the Bluetooth LE. This means > that a device using Bluetooth privacy features will retain the same > level of privacy with generated IPv6 link-local addresses. > > NEW > The IPv6 link-local address configuration described in Section 3.2.2 only > reveals information about the 6LN to the 6LBR that the 6LBR already knows > from the link layer connection. This means that a device using Bluetooth > privacy features reveals the same information in its IPv6 link-local > addresses as in its device addresses. > > > > > If the 6LN having connection up would wish to change its link-local > address so that the 6LBR cannot track it, the 6LN has to: > > - Tear down BLE connection (disconnect L2CAP and so on) > > - Change device address > > - Start advertising IPSP service > > - Wait for 6LBR to establish BLE connection to it > > - Start using IP with new link-local address > > > >> Why does this draft reference v4.1 of the Bluetooth spec rather than > v4.2? > > > > This draft requires Bluetooth 4.1 or newer. We wanted to have reference > to the minimum version of the Bluetooth spec that is required. > > > >> In 3.2.2, I think RFC 7217 should be added to the list in this sentence: > >> Similarly, in Section 5, s/[I-D.ietf-6man-default-iids]/[RFC7217]/ in > this sentence: > > > > That sound be fine, as long as we don't need to start defining how to > select things like Network_ID? > > I don't think that's necessary - it's not as if this has been defined > for other network types, and it's optional. > > Thanks, > Alissa > > > > > Best regards, > > > > Teemu > > > > _______________________________________________ > 6lo mailing list > 6lo@ietf.org > https://www.ietf.org/mailman/listinfo/6lo > > >
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- [6lo] Alissa Cooper's Discuss on draft-ietf-6lo-b… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Kerry Lynn
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Kerry Lynn
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alexandru Petrescu
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Brian Haberman
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Samita Chakrabarti
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Stephen Farrell
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Fernando Gont
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Savolainen Teemu (Nokia-TECH/Tampere)
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… Alissa Cooper
- Re: [6lo] Alissa Cooper's Discuss on draft-ietf-6… AbdurRashidSangi