[dhcwg] Review of the draft-ietf-dhc-anonymity-profile-01
Marcin Siodelski <msiodelski@gmail.com> Wed, 22 July 2015 13:26 UTC
Return-Path: <msiodelski@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 654B41A1AA6 for <dhcwg@ietfa.amsl.com>; Wed, 22 Jul 2015 06:26:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1dTV6KboaIgC for <dhcwg@ietfa.amsl.com>; Wed, 22 Jul 2015 06:26:09 -0700 (PDT)
Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C5431B3319 for <dhcwg@ietf.org>; Wed, 22 Jul 2015 06:26:05 -0700 (PDT)
Received: by wibxm9 with SMTP id xm9so102340562wib.1 for <dhcwg@ietf.org>; Wed, 22 Jul 2015 06:26:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=Ivt2ufEEH4c7UdYkKcixjLMuiqOw6KKMIc/T7X/kAz0=; b=pP7fjVfbJNBL5pLIpxkxci27N1ZfJDpDQay/npkIbBb+peP70PsM5FdNkSUkHgtO2x 0dnJsbjGqdTExlhYi/Cl8LXZOj/o6rkS1aGiAJjW4DgOK+6DHWbPEep9E8gY6iVNMKvm ziNPmqtOyVrwvwo4ytls4A8bnSG5TeI1OVRgLUPK+GO+hjtFNY+ZOQHMTpaWf7Ee8nRJ BytTl8DNz03RweG8Qyh2Rw6r/SShqUk60yn0c0im3S++9IY2OdPFnBB68BirrWjM9QqG V0/YIE4yNG5o+sRiFYo3kLv0atrazSTT5ZzaAkFyFskMM00z4iJl56WsQ8USBVBhhhc8 MumQ==
X-Received: by 10.194.119.161 with SMTP id kv1mr4918066wjb.157.1437571564181; Wed, 22 Jul 2015 06:26:04 -0700 (PDT)
Received: from MacBook-Pro-Marcin.local ([2001:67c:1231:998:381a:ea7d:4765:1e99]) by smtp.googlemail.com with ESMTPSA id v9sm2400231wjq.41.2015.07.22.06.26.03 for <dhcwg@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Jul 2015 06:26:03 -0700 (PDT)
Message-ID: <55AF99DA.8050507@gmail.com>
Date: Wed, 22 Jul 2015 15:25:46 +0200
From: Marcin Siodelski <msiodelski@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: DHC WG <dhcwg@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/Q1ORPdAqegdDCVvVKzmUybAOOqY>
Subject: [dhcwg] Review of the draft-ietf-dhc-anonymity-profile-01
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 13:26:11 -0000
Here are a few points about the version -01 of the draft. 3. Anonymity Profile for DHCPv4 The normative language for messages should be cleaned up. For example: in some cases the "Message Type" MUST be included, in other cases it SHOULD be included. Also requiring a MUST for the Hostname option in DISCOVER goes against the text elsewhere, which says that: "DHCP clients SHOULD avoid sending the host name option" On this last one. I suggest updating this wording to: "DHCP client SHOULD NOT send the host name option" as the current text sounds ambiguous. 3.2. Requested IP address option There is the case of the INIT-REBOOT client's state when the client remembers its previous address. Shouldn't the text explicitly discourage sending the DHCPREQUEST in the INIT-REBOOT state, in favor of the 4-way exchange to obtain a new address. I presume that there may be some cases when the client reboots and determines that it has been attached to the same network a previously, in which case it may be fine to request the same address as previously. But, when working in the "per-connection randomization mode", the reboot should constitute randomization of the MAC address and thus 4-way exchange. No? 3.5. Host Name Option and 3.6. Client FQDN option "When obfuscating the host name, DHCP clients SHOULD construct a randomized host name by computing a secure hash of a local secret and of the link layer address that will be used in the underlying connection, and then use as the name the hexadecimal representation of the first 6 bytes of the hash. This procedure ensures that the random name will not reveal the underlying link layer address." Aren't you afraid that sending the fixed-length hostname is a pattern that my disclose my desire for the privacy? Perhaps if many clients do the same thing, the fact that they follow the certain pattern doesn't harm because you can't distinguish them from each other? If so, it may matter if there are only a few privacy-concerned clients which can be distinguished from the crowd. Maybe some considerations of this kind should be included in this section? And this is not necessarily to say that the proposed algorithm is wrong. 4.4.1. Obtain temporary addresses I am not certain that I understand how the randomization of IAID and obtaining new address helps improving the privacy of the client in the context of this draft. The scenario described assumes that the client having an address requests another address, using the randomized IAID. If the client holds the same DUID and hasn't randomized its "MAC" address at this point, the two addresses can be easily correlated. If the client continues, and sends the Release message it only confirms that this particular client has replaced its address. Perhaps, I miss the context of this section. 5. Operational Considerations "Implementers should be careful to only use the anonymity profile when privacy trumps management considerations." How does the implementor know when the privacy trumps the management considerations? I presume that "privacy mode" is rather an option in the device which is under user's control. Implementors simply provide means to enable or disable privacy on the device. Marcin
- [dhcwg] Review of the draft-ietf-dhc-anonymity-pr… Marcin Siodelski