[dhcwg] Comments on draft-ietf-dhc-anonymity-profile-02.txt

"Bernie Volz (volz)" <volz@cisco.com> Thu, 27 August 2015 02:35 UTC

Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id D8CE01B3849; Wed, 26 Aug 2015 19:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.111
X-Spam-Status: No, score=-13.111 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id J34I1F-ld5ZQ; Wed, 26 Aug 2015 19:35:52 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5042A1B3840; Wed, 26 Aug 2015 19:35:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10785; q=dns/txt; s=iport; t=1440642953; x=1441852553; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=0ZX54UpvlxDCPJ0LY+UsW1xHJZpID1rNE18Mwbd4OzY=; b=TO05WWyS51rvDQadhZ0IjsXYaukHWne7d8fIkGsUgw1w8iNi+cOHb+In IqretStKL5VYvTbxC1SkOXz8IB2YNV7F0r+0rBkQsvHZri2JMS+4XxFj4 bnD7S4Jxbo9b35y1sJJZlI/6fcVajlNZH+71bdAU/7Z5uFiv16TOp9cwu 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.17,420,1437436800"; d="scan'208";a="181780277"
Received: from rcdn-core-4.cisco.com ([]) by alln-iport-2.cisco.com with ESMTP; 27 Aug 2015 02:35:52 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com []) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t7R2ZpWd032727 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 27 Aug 2015 02:35:51 GMT
Received: from xch-aln-004.cisco.com ( by XCH-ALN-004.cisco.com ( with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 26 Aug 2015 21:35:50 -0500
Received: from xhc-aln-x07.cisco.com ( by xch-aln-004.cisco.com ( with Microsoft SMTP Server (TLS) id 15.0.1104.5 via Frontend Transport; Wed, 26 Aug 2015 21:35:50 -0500
Received: from xmb-rcd-x04.cisco.com ([]) by xhc-aln-x07.cisco.com ([]) with mapi id 14.03.0248.002; Wed, 26 Aug 2015 21:35:50 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: "draft-ietf-dhc-anonymity-profile@ietf.org" <draft-ietf-dhc-anonymity-profile@ietf.org>
Thread-Topic: Comments on draft-ietf-dhc-anonymity-profile-02.txt
Thread-Index: AdDgcKl9XXaT91jBQaaz5aGsMw+9GQ==
Date: Thu, 27 Aug 2015 02:35:48 +0000
Message-ID: <489D13FBFA9B3E41812EA89F188F018E1CC55254@xmb-rcd-x04.cisco.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/nokdgbHEkVoE4ROOr6pJptHP5D0>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: [dhcwg] Comments on draft-ietf-dhc-anonymity-profile-02.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 02:35:55 -0000


In preparation for a (hopefully soon) WGLC, I did a more thorough review of this document. Comments are "inline" below (BV>). While many of the findings are minor nits, there are a few more significant issues as well. Though nothing that shouldn't be difficult to correct. And, feel free to push back if you don't agree with some comments.

- Bernie


   Some DHCP options carry unique identifiers.  These identifiers can
   enable device tracking even if the device administrator takes care of
   randomizing other potential identifications like link-layer addresses
   or IPv6 addresses.  The anonymity profile is designed for clients
BV> Should it just be IP addresses? DHCPv4 can lease addresses too in the INIT-REBOOT phase.
   that wish to remain anonymous to the visited network.  The profile
   provides guidelines on the composition of DHCP or DHCPv6 requests,
   designed to minimize disclosure of identifying information.  This
   draft updates RFC4361.
BV> We need to review whether this updates RFC4361 is correct. There is not explicit "change this to that" text so it isn't really an "updates" in the strict sense. It is just to change its use for privacy, but then this would also update RFC 2131 and 3315? So is it really appropriate?

2.  Application domain
   "privacy" addresses.  Privacy advocates have some reason to be
BV> Some reasons?

2.2.  MAC Address Randomization and DHCP

   From a privacy point of view, it is clear that MAC Addresses, IP
BV> MAC address? Please check other usages as there were a bunch of these cases.

2.3.  Radio fingerprinting

   MAC address randomization solves the trivial monitoring problem in
   which someone just uses a Wi-Fi scanner and records the MAC addresses
   seen on the air.  DHCP anonymity solves the more elaborated scenario
   in which someone monitor MAC addresses and identities used in DHCP at
BV> monitors
   the access point or DHCP server.  But this are not the only ways to
BV> this are -> these are or this is ... way?
   track a mobile device.

2.5.  No anonymity profile identification
   example a new type of DUID of temporary DUID that would be changing
BV> "DUID of " -> "DUID for a"? Just seems odd to have of .. of?
   over time.

   anonymity is a bit like walking around with a Guy Fawkes mask.  When
BV> Show this have some kind of reference for the international audience or do you think it is globally clear?

BV> 2.6 and perhaps elsewhere, replace [I-D.ietf-dhc-dynamic-shared-v4allocation] with RFC 7618.

2.7.  What about privacy for DHCP servers

   The server part will be covered by the general mitigation work going
   on in DHCP working group, following the analyses presented in
   [I-D.ietf-dhc-dhcp-privacy] and [I-D.ietf-dhc-dhcpv6-privacy].
BV> Isn't this part of this work? Perhaps we say it is a topic for further work/study?

3.  Anonymity profile for DHCPv4


   RELEASE:  The anonymized RELEASE messages SHOULD contain the Message
      Type, Client Identifier and Server Identifier options.

   INFORM:  The anonymized INFORM messages MUST contain the Message
      Type, Client Id, and Parameter Request List options.  It SHOULD
      NOT contain any other option.
BV> Should this be "Client Identifier" to match earlier usage? 

BV> Also there is a general question (may impact 3.4) of why these clients even include a client-identifier option? It isn't required so perhaps one option is for them not to include it. That way, no value must be derived?

3.1.  Client IP address field

   Four bytes in the header of the DHCP messages carry the "Client IP
   address" (ciaddr) as defined in [RFC2131].  In DHCP, this field is
   used by the clients to indicate the address that they used
   previously, so that as much as possible the server can allocate them
   the same address.

BV> I'm not sure what cases this is to cover - perhaps just normal DHCPREQUEST for renew, since for INIT-REBOOT, RFC 2131 has:

For RFC 2131:

   o DHCPREQUEST generated during INIT-REBOOT state:

      'server identifier' MUST NOT be filled in, 'requested IP address'
      option MUST be filled in with client's notion of its previously
      assigned address. 'ciaddr' MUST be zero. The client is seeking to
      verify a previously allocated, cached configuration. Server SHOULD
      send a DHCPNAK message to the client if the 'requested IP address'
      is incorrect, or is on the wrong network.

   they know that the network attachment has changed, and in particular
   of the link layer address is reset by the device's administrator.
BV> of should be if

3.2.  Requested IP address option

   The Requested IP address option (code 50) allows the client to
   request that a particular IP address be assigned.  The option is
BV> For consistency, perhaps use "The Requested IP address option is defined in [RFC2132] with code 50 and ..."

   When using the anonymity profile, clients SHOULD NOT use the
   Requested IP address option in DHCPDISCOVER Messages.  They MUST use
   the option when mandated by the DHCP protocol, for example in
   DHCPREQUEST Messages.

BV> lowercase Message(s)? Check elsewhere.

3.4.  Client Identifier Option

   The client identifier option is defined in [RFC2132] with option code
   61.  It is discussed in details in [RFC4361].  The purpose of the
BV> details -> detail?

BV> Also, see above as to why even send this at all?
BV> Note that if a client is dual stack and doing DHCPv4 and DHCPv6, it may be best that the 4361 requirement to send is used as then it would be possible to correlate the client's V4 and V6 address. But that can also be a privacy risk? Should this be discussed?

   In contradiction to [RFC4361], When using the anonymity profile, DHCP
BV> When -> when?

BV> New section between 3.4 and 3.5 to include the PRL similar to ORO text in 3.5? Kind of odd that the Parameter Request List isn't mentioned at all for DHCPv4 where there exists a fairly extensive fingerprinting database (mostly based on the PRL).

4.  Anonymity profile for DHCPv6

   The choice between the stateful and stateless scenario depends of
BV> depends on?
   flag and prefix options published by the "Router Advertisement"
   messages of local routers, as specified in [RFC4861].  When these
   options enable stateless address configuration hosts using the
   anonymity profile SHOULD choose it over stateful address
   configuration, because stateless configuration requires fewer
   information disclosure than stateful configuration.
BV> disclosure -> disclosures

   When using the anonymity profile, DHCPv6 clients carefully select
   DHCPv6 options used in the various messages that they sent.  The list
BV> sent -> send

4.1.  Do not send Confirm messages, unless really sure where

   The [RFC3315] requires clients to send a Confirm message when they
BV> Drop The?

4.2.  Client Identifier DHCPv6 Option

   The client identifier option is defined in [RFC3315] with option code
   1.  The purpose of the client identifier option is to identify the
   client to the server.  The content of the option is a DHCP User ID
BV> DHCP Unique Identifier (not DHCP User ID).

   tracking and profiling.  Three DUID formats are specified: Link-layer
   address plus time, Vendor-assigned unique ID based on Enterprise
   Number, Link-layer address.
BV> There is a 4th type, DUID-UUID defined in RFC 6355. Probably not a good idea to use this for privacy?

   cases the link-layer address is based on MAC.  The first three octets
   are composed of the OUI (Organizationally Unique Identifier) that is
   expected to have a value assigned to a real organization.  See
   [IEEE-OUI] for currently assigned values.  Using a value that is
   unassigned may disclose the fact that a DUID is randomized.  Using a
   value that belongs to a third party may have legal implications.
BV> I don't understand what the value of these last sentences is? It mentions the OUI but so what should someone do? What about the other octets??

4.4.1.  Obtain temporary addresses

   [RFC3315] defines a special container (IA_TA) for requesting
   temporary addresses.  This is a good mechanism in principle, but
   there are a number of issues associated with it.  First of all, this
   is not widely used feature.  Thus clients cannot count on it to be
BV> is not a widely used feature?
   always available.  Secondly, [RFC3315] does not specify any renewal
   mechanisms for temporary addresses.  Therefore the support for
BV> Yes it does. See RFC 3315, page 76 2nd paragraph?
   renewing temporary addresses in server implementations usually varies
   between poor and non-existent.  Finally, a client reveals its desire
   for privacy just by requesting temporary addresses, and potentially
   risks countermeasures as described in Section 2.5.

   needs to release the first one (using an old IAID) and then retry
   asking for a new address.
BV> "using the old IAID" would be better since client has to use the IAID under which address was obtained.

4.8.  Client FQDN Option

   The Client FQDN option is defined in [RFC4704] with option code 29.
   The option allows the DHCP clients to advertize to the DHCP their
BV> fix advertise spelling? And "to the DHCP server their".

6.  Security Considerations
BV> This is a bit light, but don't have any real recommendations - might reference RFC 2131 and 3315, but that might not help that much? I guess we'll see what the IESG or other reviewers say?

9.  Changes from previous versions

   Changes from draft-00 to draft-01:
BV> Might be worth a note that the RFC editor should remove this material?

Finally, be sure to run id-nits!!!

It does report (some of these are likely because of publications updated since this draft was posted):

  Checking references for intended status: Proposed Standard

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-07) exists of

  == Outdated reference: A later version (-07) exists of

  == Outdated reference: A later version (-01) exists of

  == Outdated reference: draft-ietf-dhc-dynamic-shared-v4allocation has been
     published as RFC 7618

- Bernie