Re: [ANCP] Privacy issue in draft-ietf-ancp-mc-extensions-12

Tom Taylor <tom.taylor.stds@gmail.com> Thu, 05 December 2013 16:39 UTC

Return-Path: <tom.taylor.stds@gmail.com>
X-Original-To: ancp@ietfa.amsl.com
Delivered-To: ancp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDA701AE0EB for <ancp@ietfa.amsl.com>; Thu, 5 Dec 2013 08:39:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7HBn1odLGbge for <ancp@ietfa.amsl.com>; Thu, 5 Dec 2013 08:39:48 -0800 (PST)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id 5D1421AE0E7 for <ancp@ietf.org>; Thu, 5 Dec 2013 08:39:48 -0800 (PST)
Received: by mail-ie0-f182.google.com with SMTP id as1so29729861iec.41 for <ancp@ietf.org>; Thu, 05 Dec 2013 08:39:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=3Jc/DtE+WxEV17j5DlrGJYB/VVSGXAAS8fPw4a+ZtvU=; b=wESFtwHfNsvAiQpUKgrLSem0ntQ03FGNovVihhkbsJ7plcx4FNA4olu6pErtazgEJx PhJnsFhKaEbWutvX4HzE758UnSfkKImlDQfRUaVeodwHO4UqmkwokMW1SsoPOYyL0e+R uPV1+H3h+dEpfPwpV0CyHlIz21kUA89WMoUhcGTg6gFDF7z1LZolnUzLx9Gba+f1oycu 16C88z/ZK3cK/QfxUWlt9/iNoqcx3WW+6T1o8s29e1qLQrV0dnyNSmw79SE15m52ihRp uspz893cs/OWPZupatkXXrVwCpnLI/5dv2gL7jD1tGbKg8bw7qtsUTjsWJ37CYSDYrib +ztw==
X-Received: by 10.50.129.39 with SMTP id nt7mr7227403igb.13.1386261584978; Thu, 05 Dec 2013 08:39:44 -0800 (PST)
Received: from [192.168.1.65] ([64.56.250.4]) by mx.google.com with ESMTPSA id w4sm4443221igb.5.2013.12.05.08.39.43 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 05 Dec 2013 08:39:44 -0800 (PST)
Message-ID: <52A0AC4C.1090906@gmail.com>
Date: Thu, 05 Dec 2013 11:39:40 -0500
From: Tom Taylor <tom.taylor.stds@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Ted Lemon <ted.lemon@nominum.com>, Roberta Maglione <robmgl.ietf@gmail.com>
References: <529BA104.2050500@gmail.com> <6EE0FD67-10BB-480C-941A-2C7986A91314@cisco.com> <8FB5A82B-9938-4D66-BE24-BD0E8EAC73E0@nominum.com> <529E3183.8010602@gmail.com> <CAKOT5KrPBxcof7pfQK2tWcaNJ4m7AGuUOc2kfiB5qts+b8OP2w@mail.gmail.com> <249E65A6-2248-4E9F-B70D-F2D919B127B5@nominum.com>
In-Reply-To: <249E65A6-2248-4E9F-B70D-F2D919B127B5@nominum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: roberta.maglione@telecomitalia.it, "ancp@ietf.org" <ancp@ietf.org>
Subject: Re: [ANCP] Privacy issue in draft-ietf-ancp-mc-extensions-12
X-BeenThere: ancp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Access Node Control Protocol working group mailing list <ancp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ancp>, <mailto:ancp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ancp/>
List-Post: <mailto:ancp@ietf.org>
List-Help: <mailto:ancp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ancp>, <mailto:ancp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 16:39:50 -0000

I propose to say in the main section that implementations MUST provide a 
mapping capability, either table-based or algorithmic, to map between 
device MAC and device identifier. Rather than separate requesting 
address and requesting MAC TLVs, define a single requesting device 
identifier TLV. Then in the Security Considerations section I can say 
that operators SHOULD deploy that mapping capability in the interest of 
privacy and untrackability.

Tom

On 05/12/2013 11:02 AM, Ted Lemon wrote:
> On Dec 5, 2013, at 9:56 AM, Roberta Maglione <robmgl.ietf@gmail.com> wrote:
>> In my opinion using the source MAC  address for conditional access purposes seems in-line with this approach, so I would prefer to keep a link with the MAC address (or the device id) in the ANCP message, mitigating the privacy issues either by using an optional hashing/mapping function as you suggested or by adding some clarifications notes as proposed by Francois.
>
> Roberta, I understand where you are coming from.   However, the way these things go is that you do something expedient at time T, which seems harmless.   Then at time T+N, you learn that there are negative consequences to doing that thing.   There is never any time T+M, where M>N, at which the cost of implementing a better solution is lower than it is at time T+N.   So either you fix the problem once you've discovered it, or you don't fix the problem.
>
> So I'm asking you, now that we understand the problem, to fix it.   I would also encourage you to work within the BBF to get the next version of TR-146 to switch over to using the same identifier we are proposing to use here.   I think this is a better approach in the long run than doing nothing, although I fully understand that it is not without cost.
>
>