[dhcwg] Security/Privacy & Addressing (was: Re: IETF-93 Follow Up - draft-ietf-dhc-stable-privacy-addresses (Respond by Aug 11, 2015))
Fernando Gont <fgont@si6networks.com> Sat, 01 August 2015 09:37 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 596081A1A13 for <dhcwg@ietfa.amsl.com>; Sat, 1 Aug 2015 02:37:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ko4Gwq-wJDow for <dhcwg@ietfa.amsl.com>; Sat, 1 Aug 2015 02:37:31 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF5531B2CFB for <dhcwg@ietf.org>; Sat, 1 Aug 2015 02:37:30 -0700 (PDT)
Received: from [84.47.113.16] (helo=[192.168.0.7]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1ZLTEM-0001vV-3J; Sat, 01 Aug 2015 11:37:26 +0200
Message-ID: <55BC9111.40201@si6networks.com>
Date: Sat, 01 Aug 2015 11:27:45 +0200
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Christian Huitema <huitema@microsoft.com>, Tomek Mrugalski <tomasz.mrugalski@gmail.com>, "Bernie Volz (volz)" <volz@cisco.com>, "dhcwg@ietf.org" <dhcwg@ietf.org>
References: <489D13FBFA9B3E41812EA89F188F018E1CB90384@xmb-rcd-x04.cisco.com> <55B91127.9020403@gmail.com> <55BB7978.3030805@si6networks.com> <DM2PR0301MB0655ABDEDC12A4DD294E75C4A88A0@DM2PR0301MB0655.namprd03.prod.outlook.com>
In-Reply-To: <DM2PR0301MB0655ABDEDC12A4DD294E75C4A88A0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/5o2w-njCCxFJp1Omkiaal7KFRSw>
Subject: [dhcwg] Security/Privacy & Addressing (was: Re: IETF-93 Follow Up - draft-ietf-dhc-stable-privacy-addresses (Respond by Aug 11, 2015))
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Aug 2015 09:37:33 -0000
Hi, Christian, On 07/31/2015 09:34 PM, Christian Huitema wrote: > On Friday, July 31, 2015 6:35 AM, Fernando Gont wrote: >> >> On 07/29/2015 07:45 PM, Tomek Mrugalski wrote: ... >>> But my strongest objection to it is that privacy and stable do >>> not mix well. >> >> It all depends on what you mean by privacy. Here were *aiming* to >> allow to activity correlation within the same network. It's a goal, >> not a flaw. If what bothers you is the use of "privacy" in the >> title, please say so. > > By definition, stable addresses allow for tracking over time, which > is the antinomy of privacy. If you really don't want to be tracked, the best advice is: do not connect to any network. If you want/have to connect, then to an extent or another there's some degree of activity correlation that is possible, and sometimes needed or even desirable -- there are tradeoffs, of course. I believe it's hard to talk about security/privacy implications without referring the specifics in this case. First of all, and for the sake of simplicity, let's assume four different issues: 1) Correlation of activities across networks 2) Host scanning/network reconnaissance 3) Device-specific attacks 4) Correlation of activities over time RFC7217 tries to address #1-#3 above, but to explicitly allow for #4, because that is of value to e.g. many enterprises. Keeping #4 was a design goal, not a flaw -- because the inabiity to do #4 is what has led many enterprises to disable RFC4941. draft-ietf-dhc-stable-privacy-addresses aims at the same thing, with the addition that if you manage all the local DHCPv6 servers, you can achieve address stability across servers without any additional protocol. >> Has anyone really assessed everything that could go wrong with >> randomized MAC addresses? -- THink of SAVI and other >> first-hop-secuity mechanisms, issues with the ND cache, etc. > > There are certainly environments where administrators will require > users to give up privacy so the network can be controlled more > efficiently. But it is very obvious that if you want privacy, you do > not want to use stable identifiers. The identifiers will have to be stable (for some definition of stable) if you need "stable" TCP connections. e.g., I have plenty of ssh sessions at different machines, and do not really want them to break for some fancy "let's randomize this address over time" -- there's a tradeoff, of course. And the ability to e.g. have long-lived ssh sessions trumps in many cases, the desire to randomize addresses over time. Now, if you're argument is: "We'd only randomize the link-layer address and IPv6 address when you connect/re-connect to the network", I could, just as well, tell you that if you really want privacy, then you don't want such level of stability. You improve your "privacy" as you increase the rate at which you randomize all addresses.... until you get to the point in which such system is probably unusable, and you probably just disconnect from the net. Besides, if you're paranoid, you'd always do SLAAC -- because the local DHCPv6 server can always be evil. And maybe not even SLAAC, because some of the prefix bits could be advertised to you just for the sake of tracking you.. Besides, if correlation of network activity over time is a concern, network traffic patterns, TCP/IP stack fingerprinting, etc., all help, essentially, to achieve the same purpose. Summarizing the above: this I-D tries to tackle at least three concrete security/privacy issues. It is not meant to (and I don't think we ever claimed that) the perfect solution for every single privacy concern you might (correctly. If what bothers folks is the use of "privacy" e.g. in the filename, we can fix that, of course -- but I think that's a different discussion. Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-stable… Bernie Volz (volz)
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Tomek Mrugalski
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Fernando Gont
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Fernando Gont
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Bernie Volz (volz)
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… 神明達哉
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Christian Huitema
- [dhcwg] Security/Privacy & Addressing (was: Re: I… Fernando Gont
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Loganaden Velvindron
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Tomek Mrugalski
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Liushucheng (Will)
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Lorenzo Colitti
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Bernie Volz (volz)
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Fernando Gont
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Fernando Gont
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Fernando Gont
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Fernando Gont
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Linhui Sun
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Lorenzo Colitti
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Fernando Gont
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Lorenzo Colitti
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… 神明達哉
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Linhui Sun
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Fernando Gont
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Chuck Anderson
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Lorenzo Colitti
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Fernando Gont
- Re: [dhcwg] IETF-93 Follow Up - draft-ietf-dhc-st… Lorenzo Colitti