Re: [dhcwg] Alissa Cooper's Yes on draft-ietf-dhc-anonymity-profile-07: (with COMMENT)
Christian Huitema <huitema@microsoft.com> Fri, 19 February 2016 21:50 UTC
Return-Path: <huitema@microsoft.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F30C1B3423; Fri, 19 Feb 2016 13:50:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvrDdh9qZ8LX; Fri, 19 Feb 2016 13:50:29 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0105.outbound.protection.outlook.com [65.55.169.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB08D1B3439; Fri, 19 Feb 2016 13:50:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=eC3stUI9YUeu5+fY75zGzhpUA4gKa0WnUAn2MgGdUqM=; b=UFHlmvXc1ftoiyJrnR5ANITpWpY2tRsxF6cjPZPb4j3y3rtnoL0PO7sU1oUr8vt+q2VuI+8ZEoNJGabJMai1FetejZzU4cW/TFu1EE7s2zaqaVJ32SA+P1a7Su+jeRHPRO5DeHzLZ+kcTUhsqm3sNqcW/vbBvEgv9PBeqGnBUMA=
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (10.160.96.17) by DM2PR0301MB0654.namprd03.prod.outlook.com (10.160.96.16) with Microsoft SMTP Server (TLS) id 15.1.409.15; Fri, 19 Feb 2016 21:50:25 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) by DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) with mapi id 15.01.0409.017; Fri, 19 Feb 2016 21:50:25 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
Thread-Topic: Alissa Cooper's Yes on draft-ietf-dhc-anonymity-profile-07: (with COMMENT)
Thread-Index: AQHRacZxDTRaHnuRC0a/Iv6IJ2DGOZ8z5hkA
Date: Fri, 19 Feb 2016 21:50:25 +0000
Message-ID: <DM2PR0301MB065517EC5515D9C59562C6B8A8A00@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <20160217210157.24922.8163.idtracker@ietfa.amsl.com>
In-Reply-To: <20160217210157.24922.8163.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cooperw.in; dkim=none (message not signed) header.d=none;cooperw.in; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:e::409]
x-ms-office365-filtering-correlation-id: ca624dfe-a210-48f8-2662-08d33976acdb
x-microsoft-exchange-diagnostics: 1; DM2PR0301MB0654; 5:4a6jju3T/24+m5KLQ9Os4IAxrZDL9j4Z/JoX95Lw/EKAKd0SivGY0oje+vGDe8CIWe1dN4gjC8jZw51Gr13AnUdKY8ZKrJynnv8P+QTI92x85dkg6ByRDlMouEGtDnazbTUkgAzRePwkktPYs6RsLA==; 24:8Tryaqou5nXqHiW66b5KzSzJHGYfHjhW3pXclcZf4V1xuTsKCiH7KgZPWJuz09nVjODMJXwKynGg+FNp7q0+eKX1EfQj9ibmt3PqAU50iBo=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0654;
x-microsoft-antispam-prvs: <DM2PR0301MB0654EB2E61962D210845A835A8A00@DM2PR0301MB0654.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(61426038)(61427038); SRVR:DM2PR0301MB0654; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0654;
x-forefront-prvs: 08572BD77F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(24454002)(5008740100001)(11100500001)(5003600100002)(3280700002)(33656002)(5001770100001)(74316001)(230783001)(1096002)(5002640100001)(1220700001)(87936001)(76176999)(122556002)(50986999)(5005710100001)(189998001)(106116001)(10400500002)(586003)(5001960100002)(102836003)(40100003)(86362001)(10290500002)(76576001)(92566002)(99286002)(2906002)(3660700001)(77096005)(5004730100002)(2950100001)(8990500004)(4326007)(54356999)(2900100001)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0654; H:DM2PR0301MB0655.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Feb 2016 21:50:25.4433 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0654
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/WRBOCsOE5bmFb9n3m_CnkM1Ux8Q>
Cc: "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "JuanCarlos.Zuniga@InterDigital.com" <JuanCarlos.Zuniga@InterDigital.com>, "volz@cisco.com" <volz@cisco.com>, "draft-ietf-dhc-anonymity-profile@ietf.org" <draft-ietf-dhc-anonymity-profile@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] Alissa Cooper's Yes on draft-ietf-dhc-anonymity-profile-07: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 21:50:32 -0000
On Wednesday, February 17, 2016 1:02 PM, Alissa Cooper wrote: > ... > > This document seems to use the term "link-layer address randomization" to > describe the situation where a link-layer address is randomly generated AND > changes over time. While this seems the likely way that such addresses may > be standardized in the future, it's not guaranteed. An address could be > randomly generated (or otherwise semantically opaque, e.g. not containing > an OUI) but permanent for the life of the device/interface, in which case the > privacy benefits of what is specified in this draft are not the same. Therefore > I think it's worth explicitly stating the interpretation of "random address" that > is being used here. Would you add something to section 2.1, MAC address Randomization hypotheses? > = Section 1 = > > s/Reports surfaced recently/There have been reports/ OK. > = Section 2 = > > Would be good to update the references to work going on in IEEE 802.1. > Also there were experiments at multiple IEEE and IETF meetings. Yes, will add a reference to the IEEE work. > = Section 3 = > > Section 3.1 says: > > "The client willing to protect its privacy SHOULD limit the subset of > options sent in messages to the subset listed in the following > sections." > > Then all the subsections discuss specific options and considerations for using > them, except 3.9, which basically says "don't use these." I would assume > there are a bunch of other options that clients definitely shouldn't use if they > want to maintain anonymity (I was thinking of 123 and 144, geolocation). So > why are only the PXE options mentioned here, when the text in 3.1 seemed > to be saying that clients should avoid all other options not mentioned? The real requirement is "do not advertise unique identifiers or previously assigned parameters." We scrutinized the options that did that, and PXE is one of them. And we limit the list of options and values that can be inserted in client messages. But we do not limit the number of options that can be requested by the clients. The draft does not preclude adding request codes in the Parameter Request List. RFC 6225 says "DHCPv4 clients request the DHCPv4 server to send GeoConf Option 123, GeoLoc Option 144, or both via inclusion of the Parameter Request List option." That's fine. The client is not disclosing anything, except its willingness to read the information provided by the server. The main issue is that the geoloc option values can be sent back by the server in clear text, and thus monitored. Monitoring just the local link will reveal the location of the local link, which is not that big a deal. Monitoring happens between a proxy and a centralized server is of course more "interesting." But the anonymity profile provides a mitigation against both: sure, the monitor can read the geoloc information; but since the device is anonymous, the monitor does not know who travelled at that location. -- Christian Huitema
- [dhcwg] Alissa Cooper's Yes on draft-ietf-dhc-ano… Alissa Cooper
- Re: [dhcwg] Alissa Cooper's Yes on draft-ietf-dhc… Christian Huitema