[dhcwg] Security/Privacy & Addressing (was: Re: IETF-93 Follow Up - draft-ietf-dhc-stable-privacy-addresses (Respond by Aug 11, 2015))

Fernando Gont <fgont@si6networks.com> Sat, 01 August 2015 09:37 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 596081A1A13 for <dhcwg@ietfa.amsl.com>; Sat, 1 Aug 2015 02:37:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ko4Gwq-wJDow for <dhcwg@ietfa.amsl.com>; Sat, 1 Aug 2015 02:37:31 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF5531B2CFB for <dhcwg@ietf.org>; Sat, 1 Aug 2015 02:37:30 -0700 (PDT)
Received: from [84.47.113.16] (helo=[192.168.0.7]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1ZLTEM-0001vV-3J; Sat, 01 Aug 2015 11:37:26 +0200
Message-ID: <55BC9111.40201@si6networks.com>
Date: Sat, 01 Aug 2015 11:27:45 +0200
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Christian Huitema <huitema@microsoft.com>, Tomek Mrugalski <tomasz.mrugalski@gmail.com>, "Bernie Volz (volz)" <volz@cisco.com>, "dhcwg@ietf.org" <dhcwg@ietf.org>
References: <489D13FBFA9B3E41812EA89F188F018E1CB90384@xmb-rcd-x04.cisco.com> <55B91127.9020403@gmail.com> <55BB7978.3030805@si6networks.com> <DM2PR0301MB0655ABDEDC12A4DD294E75C4A88A0@DM2PR0301MB0655.namprd03.prod.outlook.com>
In-Reply-To: <DM2PR0301MB0655ABDEDC12A4DD294E75C4A88A0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/5o2w-njCCxFJp1Omkiaal7KFRSw>
Subject: [dhcwg] Security/Privacy & Addressing (was: Re: IETF-93 Follow Up - draft-ietf-dhc-stable-privacy-addresses (Respond by Aug 11, 2015))
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Aug 2015 09:37:33 -0000

Hi, Christian,

On 07/31/2015 09:34 PM, Christian Huitema wrote:
> On Friday, July 31, 2015 6:35 AM, Fernando Gont wrote:
>> 
>> On 07/29/2015 07:45 PM, Tomek Mrugalski wrote: ...
>>> But my strongest objection to it is that privacy and stable do
>>> not mix well.
>> 
>> It all depends on what you mean by privacy. Here were *aiming* to
>> allow to activity correlation within the same network. It's a goal,
>> not a flaw. If what bothers you is the use of "privacy" in the
>> title, please say so.
> 
> By definition, stable addresses allow for tracking over time, which
> is the antinomy of privacy.

If you really don't want to be tracked, the best advice is: do not
connect to any network.

If you want/have to connect, then to an extent or another there's some
degree of activity correlation that is possible, and sometimes needed or
even desirable -- there are tradeoffs, of course.

I believe it's hard to talk about security/privacy implications without
referring the specifics in this case.

First of all, and for the sake of simplicity, let's assume four
different issues:

1) Correlation of activities across networks
2) Host scanning/network reconnaissance
3) Device-specific attacks
4) Correlation of activities over time


RFC7217 tries to address #1-#3 above, but to explicitly allow for #4,
because that is of value to e.g. many enterprises. Keeping #4 was a
design goal, not a flaw -- because the inabiity to do #4 is what has led
many enterprises to disable RFC4941.

draft-ietf-dhc-stable-privacy-addresses aims at the same thing, with the
addition that if you manage all the local DHCPv6 servers, you can
achieve address stability across servers without any additional protocol.



>> Has anyone really assessed everything that could go wrong with
>> randomized MAC addresses?  -- THink of SAVI and other
>> first-hop-secuity mechanisms, issues with the ND cache, etc.
> 
> There are certainly environments where administrators will require
> users to give up privacy so the network can be controlled more
> efficiently. But it is very obvious that if you want privacy, you do
> not want to use stable identifiers.

The identifiers will have to be stable (for some definition of stable)
if you need "stable" TCP connections. e.g., I have plenty of ssh
sessions at different machines, and do not really want them to break for
some fancy "let's randomize this address over time" -- there's a
tradeoff, of course.

And the ability to e.g. have long-lived ssh sessions trumps in many
cases, the desire to randomize addresses over time.

Now, if you're argument is: "We'd only randomize the link-layer address
and IPv6 address when you connect/re-connect to the network", I could,
just as well, tell you that if you really want privacy, then you don't
want such level of stability. You improve your "privacy" as you increase
the rate at which you randomize all addresses.... until you get to the
point in which such system is probably unusable, and you probably just
disconnect from the net.

Besides, if you're paranoid, you'd always do SLAAC -- because the local
DHCPv6 server can always be evil. And maybe not even SLAAC, because some
of the prefix bits could be advertised to you just for the sake of
tracking you..

Besides, if correlation of network activity over time is a concern,
network traffic patterns, TCP/IP stack fingerprinting, etc., all help,
essentially, to achieve the same purpose.


Summarizing the above: this I-D tries to tackle at least three concrete
security/privacy issues. It is not meant to (and I don't think we ever
claimed that) the perfect solution for every single privacy concern you
might (correctly. If what bothers folks is the use of "privacy" e.g. in
the filename, we can fix that, of course -- but I think that's a
different discussion.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492