Re: [ANCP] Privacy issue in draft-ietf-ancp-mc-extensions-12

Tom Taylor <> Mon, 02 December 2013 09:59 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 61BAB1AE09E for <>; Mon, 2 Dec 2013 01:59:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zcEHAKA0Vndm for <>; Mon, 2 Dec 2013 01:59:57 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c03::229]) by (Postfix) with ESMTP id BBA4F1A1F3F for <>; Mon, 2 Dec 2013 01:59:57 -0800 (PST)
Received: by with SMTP id e14so20911200iej.28 for <>; Mon, 02 Dec 2013 01:59:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=K6cVUITrGyFE0ituV8rz0TTnLLq0B3fOQynQ4daISlg=; b=ZgDbRespm5ykQfD361nsABcdIpHBEtGN2P3s6oHojvg2EIV9k9C1uNe92l3OQ4ApXr rgnkaUl29zP1rly8f+Wc8VyVNCqqAOncfhkH0kmgbhWFrWR4pITjYMPlPp55GfAVoM6l RfcuXqNTgJXe/lSYdvkYsDTQ2mWVRDp/vxqdr+r2QN1R7FTecFdxJQGt1WkiWNWjY2E5 hB7e/wkx3AhFf0csjNVBWZvpvfLIFKi720dorLebPzsn3tgNFZjdcIA5U63lHxPgxE+z sI27v0vBSWN0QYmOrYk+lseFoTEjjQ32PslCxOOR/xgyUoeecB/Gkhl4Ys7sGCPsH0Fe mzLA==
X-Received: by with SMTP id pj3mr16858194igb.14.1385978395369; Mon, 02 Dec 2013 01:59:55 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id i11sm65246781igh.0.2013. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 02 Dec 2013 01:59:54 -0800 (PST)
Message-ID: <>
Date: Mon, 02 Dec 2013 04:59:53 -0500
From: Tom Taylor <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: "Francois Le Faucheur (flefauch)" <>
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "" <>
Subject: Re: [ANCP] Privacy issue in draft-ietf-ancp-mc-extensions-12
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Access Node Control Protocol working group mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 02 Dec 2013 09:59:59 -0000

This justification makes sense. I can think of use cases where one would 
want per-device control.


On 02/12/2013 4:11 AM, Francois Le Faucheur (flefauch) wrote:
> Hello Tom,
> I think these TLVs bring some value:
> The ANCP Multicast Admission Control message supports the "Conditional Access and Admission Control Use Case". When conditional access is to be performed on a per device basis (as opposed to per DSL line basis), the message needs to provide the NAS with a way to identify the device.
> In general (and more or less by definition) the NAS has a lot of visibility on each DSL line (certainly for unicast), so I assume the privacy concern is not so much about communicating the info to the NAS but has more to do with the risk of a monitoring attack of the ANCP protocol. Right?
> How about an alternative approach where we keep these TLVs in the document and keep them as optional, but add a note that says that:
> 	* including those TLVs in the message is only useful when the NAS is to perform per-device "Conditional Access and Admission Control"
> 	* including those TLVs in the message results in an increased privacy concern because it exposes on the wire the corresponding privacy information about which IP/MAC is accessing which multicast channel, which could be exploited by a monitoring attack on the ANCP protocol.
> 	* these TLVs SHOULD NOT be included when per-device "Conditional Access and Admission Control" by the NAS is not used
> Makes sense?
> Francois
> On 1 Dec 2013, at 21:50, Tom Taylor <>
>   wrote:
>> In his review of draft-ietf-ancp-mc-extensions-12, our AD pointed out that the optional presence of the Request-Source-IP or Request-Source-MAC TLV in the ANCP Multicast Admission Control message posed privacy issues. Looking through the ANCP requirements in RFC 5851 and TR-101, I could find no requirement that these be reported.
>> I proposed that these TLVs be dropped from the message and from the document. I will assume that I have consent for this change if I do not hear arguments against it by the end of Wednesday, December 18.
>> Tom Taylor
>> _______________________________________________
>> ANCP mailing list