IETF Logo Mail Archive

Re: [dhcwg] Stephen Farrell's Discuss on draft-ietf-dhc-dhcpv6-active-leasequery-03: (with DISCUSS and COMMENT)

Kim Kinnear <kkinnear@cisco.com> Tue, 14 July 2015 00:57 UTC

Return-Path: <kkinnear@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFF001A0015; Mon, 13 Jul 2015 17:57:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.111
X-Spam-Level:
X-Spam-Status: No, score=-13.111 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e8hUPsM2ZxsJ; Mon, 13 Jul 2015 17:57:26 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FFC31A0013; Mon, 13 Jul 2015 17:57:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6850; q=dns/txt; s=iport; t=1436835447; x=1438045047; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=H7BE7Z6MwsizNm9/Ltl4eR6HYCRrGiMdv8pO4O81kkI=; b=dwFucMcRTxHNGn1/4Cxw0Q0Ef64iWbwL9qlJ6mI9gj5STHkEaDDDKF7r uazVsloLol9l6M8vbmSsG/kM3mABg3QPO9QS96I9BVbVbQRTXjMskHmAN pEETwNKsBldgQvD0qpG8PJ4PUFHg6fRKVEY1bE4xCPoioZwcJfg5M3ErI s=;
X-IronPort-AV: E=Sophos;i="5.15,467,1432598400"; d="scan'208";a="168361471"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-4.cisco.com with ESMTP; 14 Jul 2015 00:57:26 +0000
Received: from bxb-kkinnear-8817.cisco.com (bxb-kkinnear-8817.cisco.com [10.98.10.248]) (authenticated bits=0) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id t6E0vNtt019351 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 14 Jul 2015 00:57:24 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Kim Kinnear <kkinnear@cisco.com>
In-Reply-To: <55A1160A.8050805@cs.tcd.ie>
Date: Mon, 13 Jul 2015 20:57:30 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <2F494A40-0C52-420D-BBAC-8242F5C5BD8C@cisco.com>
References: <20150708114206.28697.67541.idtracker@ietfa.amsl.com> <74130B2E-D0EC-4263-9403-421EED783B92@cisco.com> <55A1160A.8050805@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.1878.6)
X-Authenticated-User: kkinnear
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/RSaqXQlOMA24Z2PB9pPpthT3X0o>
Cc: dhc-chairs@ietf.org, draft-ietf-dhc-dhcpv6-active-leasequery@ietf.org, The IESG <iesg@ietf.org>, dhcwg@ietf.org, Kim Kinnear <kkinnear@cisco.com>
Subject: Re: [dhcwg] Stephen Farrell's Discuss on draft-ietf-dhc-dhcpv6-active-leasequery-03: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 00:57:28 -0000

Stephen,

In an attempt to narrow down the discussion, I've selected a few sections
to respond to here, but I'm actually trying to respond to your entire 
concern w.r.t. privacy.

On Jul 11, 2015, at 9:11 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> Sure, I don't doubt there's utility here. But the actual utility
> is still vague for me. I also don't doubt that it's not vague for
> you or those deploying but it's not really possible (for me) to try
> analyse the privacy properties without some more detailed knowledge
> of the purpose(s) to which this data will be put.

I do not believe that we going to be able to give you the information
as to which data elements are "necessary" and how they will be used.
We simply don't know, and in many cases our customers won't (or even
can't) tell us.  I think for the purposes of analysis here, that we
should assume that people using Active Leasequery are going to use all
of the data that the DHCP server has available to it about each client
and that it can send out in an Active Leasequery response.  I don't
doubt that vendor independent extensions will be used as well to
enhance the information with specific items in different
implementations.

Essentially, our customers are building a parallel database which
contains essentially everything they can get from an Active Leasequery
response (or a Bulk Leasequery response).  Trying to limit the data
that they can acquire from an Active Leasequery by limiting it in this
document will only, in my view, take us back to where they will find
other approaches to acquire the missing information.  Which is exactly
the reason that we developed an Active Leasequery-like capability in
the first place -- to remove the need to develop one-off solutions for
each customer.

That said, it would certainly serve the goal of privacy if there were
no standardized way to acquire this information.  We have no
particular incentive to standardize this Active Leasequery other than
it seemed like a "good thing to do".  Clearly from a privacy standpoint
it isn't.  Seems like from a user's standpoint, though, there is some
value in having this standardized.  Thus, we have added TLS support at
the request of the former AD.

>> 
>> 	Ultimately, we expect that the people in charge of the data on
>> 	the DHCP server are the same people in charge of the data that
>> 	a processing element can discover from the DHCP server through
>> 	the use of the active leasequery protocol.  These same people
>> 	have control of the data in both elements (as well as the
>> 	network on which the raw DHCP data flows).  Of course all of
>> 	this information can be garnered from a tcpdump of the wire on
>> 	which the DHCP server sits (and we have customers doing that
>> 	too, to meet their needs for a near-real time database of
>> 	client<->IP address binding information).
> 
> Sure a local tcpdump is what it is, but if someone deploys this
> without implementing and turning on TLS and screws up their f/w config
> then the entire world could find this data. And with zmap that's no
> longer unrealistic if the DHCP server has an IPv4 address. And we do
> know that people do screw up f/w configs. So the thing to analyse I
> think is the balance between the probability and downsides of
> publishing this information to the world, vs. the costs of making
> the spec more restrictive/protective. I'm not sure we've got that
> balance quite right, but then as I said I don't yet understand the
> beneficial uses of this.

You have put this well -- what is the probability and downsides of
making the information the DHCP server knows easily available vs the
cost of make this spec more restrictive.

I want to emphasize as well that we expect that the people who control
the information on the DHCP server are the same people who will
control the configuration of the DHCP server (regarding Active
Leasequery) as well as the database constructed by the requestor of
the Active and Bulk Leasequery information.

Yes, someone could mistakenly leave their firewall unconfigured
regarding DHCP and thus let anyone see what the DHCP server knows.

Of course this can already be done with DHCPv6 Bulk Leasequery (RFC
5460) as well as DHCPv6 Leasequery (RFC 5007).  I recognize, however,
that just because some existing protocols don't protect some data is
no justification for allowing a new protocol to not protect some data.
So I'm not using that as a justification for anything, yet I did want
to point it out.

I believe that anyone who allows TCP connections to port 67 on their
DHCP server is at risk of losing data to Bulk Leasequery already, and
so one would normally prevent TCP connections to port 67.  And that
would also cover Active Leasequery.

But mistakes certainly do happen when configuring networks, and I deal
with supporting customers who make such mistakes frequently.  So
perhaps simply telling people to "prevent access by unauthorized
requestors" isn't enough (which is essentially what we have done 
so far).

It would be straightforward to alter the draft to say that you MUST
NOT make Active Leasequery access available by default, and that it
MUST require explicit configuration in order to allow the DHCP server
to respond to any Active Leasequery request.  Then someone would have
to take an action to create a privacy problem.

Further we could say that it MUST take explicit configuration to allow
Active Leasequery without TLS even if TLS wasn't implemented.  So you
would have two explicit hurdles to overcome to do something dumb
regarding privacy.  This would largely prevent people who knew nothing
about Active Leasequery from having it enabled it on their servers,
as well as encouraging others to use it in a protected way.

> I'm asking wouldn't it be better if the spec said that "Mutually
> authenticated TLS MUST be supported and SHOULD be used and SHOULD
> be the default."
> 
> Right now, it says TLS SHOULD be implemented, which is consistent
> with overall IETF BCPs. I'm asking if, for this protocol, with
> the potential privacy exposure, we ought go further that those (now
> somewhat old) BCPs and say to just turn on TLS, since it ought not
> be that hard and really ought be the default.

Our answer is no, we don't believe that we should go further and
require TLS, in that we don't see this protocol as creating a privacy
exposure of sufficiently unusual magnitude to warrant taking that
extra step.  Possibly because we don't view the information available
as unusually ... useful to someone intent on violating privacy
concerns.  Useful, certainly, but not extraordinarily useful, and so
not requiring extraordinary measures to protect.

Thanks -- Kim

v2.23.0 | Report a Bug | By Email