[dhcwg] Comments on draft-ietf-dhc-anonymity-profile-02.txt
"Bernie Volz (volz)" <volz@cisco.com> Thu, 27 August 2015 02:35 UTC
Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8CE01B3849; Wed, 26 Aug 2015 19:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.111
X-Spam-Level:
X-Spam-Status: No, score=-13.111 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J34I1F-ld5ZQ; Wed, 26 Aug 2015 19:35:52 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5042A1B3840; Wed, 26 Aug 2015 19:35:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10785; q=dns/txt; s=iport; t=1440642953; x=1441852553; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=0ZX54UpvlxDCPJ0LY+UsW1xHJZpID1rNE18Mwbd4OzY=; b=TO05WWyS51rvDQadhZ0IjsXYaukHWne7d8fIkGsUgw1w8iNi+cOHb+In IqretStKL5VYvTbxC1SkOXz8IB2YNV7F0r+0rBkQsvHZri2JMS+4XxFj4 bnD7S4Jxbo9b35y1sJJZlI/6fcVajlNZH+71bdAU/7Z5uFiv16TOp9cwu 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D7BACBdt5V/5tdJa1TCoMbgUO9d4dzAoE2ORMBAQEBAQEBfwuEJQEEJxM/EgEqDAhCJgEEDg2IJskUAQEBAQEBAQMBAQEBAQEciliFMBIaMRoMgnmBFAEEhyqOEgFvhH2IT4Qyhx2FEYg0JoIKAgMcgVSBdgkXBB+BBQEBAQ
X-IronPort-AV: E=Sophos;i="5.17,420,1437436800"; d="scan'208";a="181780277"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-2.cisco.com with ESMTP; 27 Aug 2015 02:35:52 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t7R2ZpWd032727 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 27 Aug 2015 02:35:51 GMT
Received: from xch-aln-004.cisco.com (173.36.7.14) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 26 Aug 2015 21:35:50 -0500
Received: from xhc-aln-x07.cisco.com (173.36.12.81) by xch-aln-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1104.5 via Frontend Transport; Wed, 26 Aug 2015 21:35:50 -0500
Received: from xmb-rcd-x04.cisco.com ([169.254.8.103]) by xhc-aln-x07.cisco.com ([173.36.12.81]) with mapi id 14.03.0248.002; Wed, 26 Aug 2015 21:35:50 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: "draft-ietf-dhc-anonymity-profile@ietf.org" <draft-ietf-dhc-anonymity-profile@ietf.org>
Thread-Topic: Comments on draft-ietf-dhc-anonymity-profile-02.txt
Thread-Index: AdDgcKl9XXaT91jBQaaz5aGsMw+9GQ==
Date: Thu, 27 Aug 2015 02:35:48 +0000
Message-ID: <489D13FBFA9B3E41812EA89F188F018E1CC55254@xmb-rcd-x04.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.86.255.58]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/nokdgbHEkVoE4ROOr6pJptHP5D0>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: [dhcwg] Comments on draft-ietf-dhc-anonymity-profile-02.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 02:35:55 -0000
Hi:
In preparation for a (hopefully soon) WGLC, I did a more thorough review of this document. Comments are "inline" below (BV>). While many of the findings are minor nits, there are a few more significant issues as well. Though nothing that shouldn't be difficult to correct. And, feel free to push back if you don't agree with some comments.
- Bernie
Abstract
Some DHCP options carry unique identifiers. These identifiers can
enable device tracking even if the device administrator takes care of
randomizing other potential identifications like link-layer addresses
or IPv6 addresses. The anonymity profile is designed for clients
BV> Should it just be IP addresses? DHCPv4 can lease addresses too in the INIT-REBOOT phase.
that wish to remain anonymous to the visited network. The profile
provides guidelines on the composition of DHCP or DHCPv6 requests,
designed to minimize disclosure of identifying information. This
draft updates RFC4361.
BV> We need to review whether this updates RFC4361 is correct. There is not explicit "change this to that" text so it isn't really an "updates" in the strict sense. It is just to change its use for privacy, but then this would also update RFC 2131 and 3315? So is it really appropriate?
2. Application domain
...
"privacy" addresses. Privacy advocates have some reason to be
concerned.
BV> Some reasons?
2.2. MAC Address Randomization and DHCP
From a privacy point of view, it is clear that MAC Addresses, IP
BV> MAC address? Please check other usages as there were a bunch of these cases.
2.3. Radio fingerprinting
MAC address randomization solves the trivial monitoring problem in
which someone just uses a Wi-Fi scanner and records the MAC addresses
seen on the air. DHCP anonymity solves the more elaborated scenario
in which someone monitor MAC addresses and identities used in DHCP at
BV> monitors
the access point or DHCP server. But this are not the only ways to
BV> this are -> these are or this is ... way?
track a mobile device.
2.5. No anonymity profile identification
...
example a new type of DUID of temporary DUID that would be changing
BV> "DUID of " -> "DUID for a"? Just seems odd to have of .. of?
over time.
...
anonymity is a bit like walking around with a Guy Fawkes mask. When
BV> Show this have some kind of reference for the international audience or do you think it is globally clear?
BV> 2.6 and perhaps elsewhere, replace [I-D.ietf-dhc-dynamic-shared-v4allocation] with RFC 7618.
2.7. What about privacy for DHCP servers
The server part will be covered by the general mitigation work going
on in DHCP working group, following the analyses presented in
[I-D.ietf-dhc-dhcp-privacy] and [I-D.ietf-dhc-dhcpv6-privacy].
BV> Isn't this part of this work? Perhaps we say it is a topic for further work/study?
3. Anonymity profile for DHCPv4
...
RELEASE: The anonymized RELEASE messages SHOULD contain the Message
Type, Client Identifier and Server Identifier options.
INFORM: The anonymized INFORM messages MUST contain the Message
Type, Client Id, and Parameter Request List options. It SHOULD
NOT contain any other option.
BV> Should this be "Client Identifier" to match earlier usage?
BV> Also there is a general question (may impact 3.4) of why these clients even include a client-identifier option? It isn't required so perhaps one option is for them not to include it. That way, no value must be derived?
3.1. Client IP address field
Four bytes in the header of the DHCP messages carry the "Client IP
address" (ciaddr) as defined in [RFC2131]. In DHCP, this field is
used by the clients to indicate the address that they used
previously, so that as much as possible the server can allocate them
the same address.
BV> I'm not sure what cases this is to cover - perhaps just normal DHCPREQUEST for renew, since for INIT-REBOOT, RFC 2131 has:
For RFC 2131:
o DHCPREQUEST generated during INIT-REBOOT state:
'server identifier' MUST NOT be filled in, 'requested IP address'
option MUST be filled in with client's notion of its previously
assigned address. 'ciaddr' MUST be zero. The client is seeking to
verify a previously allocated, cached configuration. Server SHOULD
send a DHCPNAK message to the client if the 'requested IP address'
is incorrect, or is on the wrong network.
BV> END
they know that the network attachment has changed, and in particular
of the link layer address is reset by the device's administrator.
BV> of should be if
3.2. Requested IP address option
The Requested IP address option (code 50) allows the client to
request that a particular IP address be assigned. The option is
BV> For consistency, perhaps use "The Requested IP address option is defined in [RFC2132] with code 50 and ..."
When using the anonymity profile, clients SHOULD NOT use the
Requested IP address option in DHCPDISCOVER Messages. They MUST use
the option when mandated by the DHCP protocol, for example in
DHCPREQUEST Messages.
BV> lowercase Message(s)? Check elsewhere.
3.4. Client Identifier Option
The client identifier option is defined in [RFC2132] with option code
61. It is discussed in details in [RFC4361]. The purpose of the
BV> details -> detail?
BV> Also, see above as to why even send this at all?
BV> Note that if a client is dual stack and doing DHCPv4 and DHCPv6, it may be best that the 4361 requirement to send is used as then it would be possible to correlate the client's V4 and V6 address. But that can also be a privacy risk? Should this be discussed?
In contradiction to [RFC4361], When using the anonymity profile, DHCP
BV> When -> when?
BV> New section between 3.4 and 3.5 to include the PRL similar to ORO text in 3.5? Kind of odd that the Parameter Request List isn't mentioned at all for DHCPv4 where there exists a fairly extensive fingerprinting database (mostly based on the PRL).
4. Anonymity profile for DHCPv6
...
The choice between the stateful and stateless scenario depends of
BV> depends on?
flag and prefix options published by the "Router Advertisement"
messages of local routers, as specified in [RFC4861]. When these
options enable stateless address configuration hosts using the
anonymity profile SHOULD choose it over stateful address
configuration, because stateless configuration requires fewer
information disclosure than stateful configuration.
BV> disclosure -> disclosures
When using the anonymity profile, DHCPv6 clients carefully select
DHCPv6 options used in the various messages that they sent. The list
BV> sent -> send
4.1. Do not send Confirm messages, unless really sure where
The [RFC3315] requires clients to send a Confirm message when they
BV> Drop The?
4.2. Client Identifier DHCPv6 Option
The client identifier option is defined in [RFC3315] with option code
1. The purpose of the client identifier option is to identify the
client to the server. The content of the option is a DHCP User ID
BV> DHCP Unique Identifier (not DHCP User ID).
tracking and profiling. Three DUID formats are specified: Link-layer
address plus time, Vendor-assigned unique ID based on Enterprise
Number, Link-layer address.
BV> There is a 4th type, DUID-UUID defined in RFC 6355. Probably not a good idea to use this for privacy?
cases the link-layer address is based on MAC. The first three octets
are composed of the OUI (Organizationally Unique Identifier) that is
expected to have a value assigned to a real organization. See
[IEEE-OUI] for currently assigned values. Using a value that is
unassigned may disclose the fact that a DUID is randomized. Using a
value that belongs to a third party may have legal implications.
BV> I don't understand what the value of these last sentences is? It mentions the OUI but so what should someone do? What about the other octets??
4.4.1. Obtain temporary addresses
[RFC3315] defines a special container (IA_TA) for requesting
temporary addresses. This is a good mechanism in principle, but
there are a number of issues associated with it. First of all, this
is not widely used feature. Thus clients cannot count on it to be
BV> is not a widely used feature?
always available. Secondly, [RFC3315] does not specify any renewal
mechanisms for temporary addresses. Therefore the support for
BV> Yes it does. See RFC 3315, page 76 2nd paragraph?
renewing temporary addresses in server implementations usually varies
between poor and non-existent. Finally, a client reveals its desire
for privacy just by requesting temporary addresses, and potentially
risks countermeasures as described in Section 2.5.
needs to release the first one (using an old IAID) and then retry
asking for a new address.
BV> "using the old IAID" would be better since client has to use the IAID under which address was obtained.
4.8. Client FQDN Option
The Client FQDN option is defined in [RFC4704] with option code 29.
The option allows the DHCP clients to advertize to the DHCP their
BV> fix advertise spelling? And "to the DHCP server their".
6. Security Considerations
BV> This is a bit light, but don't have any real recommendations - might reference RFC 2131 and 3315, but that might not help that much? I guess we'll see what the IESG or other reviewers say?
9. Changes from previous versions
Changes from draft-00 to draft-01:
BV> Might be worth a note that the RFC editor should remove this material?
Finally, be sure to run id-nits!!!
It does report (some of these are likely because of publications updated since this draft was posted):
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-07) exists of
draft-ietf-6man-default-iids-05
== Outdated reference: A later version (-07) exists of
draft-ietf-6man-ipv6-address-generation-privacy-03
== Outdated reference: A later version (-01) exists of
draft-ietf-dhc-dhcpv6-privacy-00
== Outdated reference: draft-ietf-dhc-dynamic-shared-v4allocation has been
published as RFC 7618
- Bernie
- [dhcwg] Comments on draft-ietf-dhc-anonymity-prof… Bernie Volz (volz)
- Re: [dhcwg] Comments on draft-ietf-dhc-anonymity-… Christian Huitema