Re: [dhcwg] Stephen Farrell's Discuss on draft-ietf-dhc-access-network-identifier-13: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 08 February 2016 22:35 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F3CA1B3445; Mon, 8 Feb 2016 14:35:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.302
X-Spam-Level:
X-Spam-Status: No, score=-3.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_BACKHAIR_56=1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0rdj20ERDlt; Mon, 8 Feb 2016 14:35:51 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 334921B343A; Mon, 8 Feb 2016 14:35:51 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id CC7ADBE64; Mon, 8 Feb 2016 22:35:49 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rILRfHFAWZEi; Mon, 8 Feb 2016 22:35:46 +0000 (GMT)
Received: from [10.87.48.75] (unknown [86.46.17.89]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 47C53BE58; Mon, 8 Feb 2016 22:35:45 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1454970946; bh=vPmL4c8dI1B6IRpFPiw92eTiswfdSp0mgDssmRCOBKs=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=SwafPFS/ShESvxjklM2ueVON2A6XQKdicRhVbVRKz9T4Urv5BX2+Toj48PQ/wr7C/ 4hHgLjb4Y96ipbWpgkysuIDDG6tvmaB+4zQUh2JV2iv2OanSvazeHDqt+I83I4BvL+ h/Akad8vxGk26dJ9Y88aGAtbYCkj+N+goQRbfhPk=
To: "Bernie Volz (volz)" <volz@cisco.com>, Brian Haberman <brian@innovationslab.net>, "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
References: <20160208121140.8235.49754.idtracker@ietfa.amsl.com> <D2DE108D.206925%sgundave@cisco.com> <8B7BDF27-834F-4D9C-A546-0C42AE6F0949@cisco.com> <56B8E0EC.9040908@innovationslab.net> <ec35bbad24e34330b9edccee4f70f32f@XCH-ALN-003.cisco.com> <56B91468.3070408@cs.tcd.ie> <f0fcc3dd4b4e43fbb1f4fd3d3aa4312b@XCH-ALN-003.cisco.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56B91821.80301@cs.tcd.ie>
Date: Mon, 08 Feb 2016 22:35:13 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <f0fcc3dd4b4e43fbb1f4fd3d3aa4312b@XCH-ALN-003.cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/oQSsTuVybJBZliM5TjN3gBrDo1s>
Cc: "draft-ietf-dhc-access-network-identifier@ietf.org" <draft-ietf-dhc-access-network-identifier@ietf.org>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, The IESG <iesg@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] Stephen Farrell's Discuss on draft-ietf-dhc-access-network-identifier-13: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2016 22:35:54 -0000
On 08/02/16 22:32, Bernie Volz (volz) wrote: > Hi Stephen and Brian: > > I've added an item to the list of agenda requests regarding this. See > https://github.com/dhcwg/wg/wiki/IETF-95-(Buenos-Aires)-DHC-WG-Agenda: > > DHCP Relay / Server Communication and Pervasive Monitoring - 10 > minutes > > Title of session: DHCP Relay / Server Communication and Pervasive > Monitoring Presenter: TBD (Likely Bernie Volz) Related Drafts: None > Time Required: 10 min Purpose of Session: There were several IESG > discusses regarding draft-ietf-dhc-access-network-identifier and the > security implications of Relay to Server communication, especially > with regard to Pervasive Monitoring. As the WG recently developed the > privacy drafts which focused primarily on client/server interaction, > does the WG want to take on writing a document to review the > Relay/Server security implications and how best to mitigate them. See > https://datatracker.ietf.org/doc/draft-ietf-dhc-access-network-identifier/ballot/ > for more details. Submitter: Bernie Volz Great, thanks. Let me know if I can help. Cheers, S. > > - Bernie > > -----Original Message----- From: Stephen Farrell > [mailto:stephen.farrell@cs.tcd.ie] Sent: Monday, February 08, 2016 > 5:19 PM To: Bernie Volz (volz) <volz@cisco.com>; Brian Haberman > <brian@innovationslab.net>; Sri Gundavelli (sgundave) > <sgundave@cisco.com> Cc: The IESG <iesg@ietf.org>; > draft-ietf-dhc-access-network-identifier@ietf.org; > dhc-chairs@ietf.org; jiangsheng@huawei.com; dhcwg@ietf.org Subject: > Re: Stephen Farrell's Discuss on > draft-ietf-dhc-access-network-identifier-13: (with DISCUSS and > COMMENT) > > > Hi Bernie, > > On 08/02/16 19:42, Bernie Volz (volz) wrote: >> Brian: >> >> I am not aware of such a specific discussion in the record ... > > Thanks for clarifying. > >> that doesn't mean it wasn't had, but just that I am not aware of >> any specific record. Note that these emails and others regarding >> Stephen's discusses were sent to the DHC WG mailing list but did >> not generate any comments (except those from the co-authors). > > Yeah, that's a fair comment. I would hope that if list members had > opinions, they'd express them. > >> We generally view the information that is exchanged between a relay >> and server are in "one" operator's domain and that this can be >> (and should be) secured (such as using IPsec and/or VPNs -- RFC >> 3315 already outlines IPsec usage). And, that if some third party >> can monitor this flow, there is a lot more that they can gather >> that is much more sensitive than these particular options. >> >> The current privacy drafts (draft-ietf-dhc-dhcpv6-privacy-03, >> draft-ietf-dhc-dhcp-privacy-03, >> draft-ietf-dhc-anonymity-profile-06) have focused on the client >> interaction as that is viewed as being the most susceptible to >> pervasive monitoring (as typically it requires just listening for >> packets, or entering promiscuous mode). We did send notification of >> those 3 privacy drafts to the pervasive monitoring mailing list and >> receive absolutely no feedback on them >> (https://mailarchive.ietf.org/arch/msg/perpass/oFlTXR0LZalQZy9W5nKs2ZV >> >> fVFM) >> - good or bad. > > Yes, getting more comment is often hard but I think those drafts were > discussed a little on the perpass list before they were adopted by > the DHCWG. If if helps I could ask again and see if that gets any > more comment, happy to do that if you want, just let me know. > >> >> The WG has been working on seDhcpv6 but that has been a challenging >> document and has been sent back to the WG several times now - but >> this work also primarily focuses on the client to server >> communication. >> >> Finally, these options, as all relay and client options are just >> hitching a ride on the DHCP exchange. So if this is a serious issue >> that the IESG and/or Int Area Directors feel the DHC WG needs to >> address, we can discuss at IETF-95 to see if there is interest from >> the WG to attempt to address the relay to server communication >> channel to assure it is secure and prevents pervasive monitoring. > > That sounds reasonable too, thanks. I'm fine to clear this discuss > and see how that conversation goes. > > FWIW, while I'd personally not argue that DHCP relay<->server poses > the absolutely most important privacy problem on the Internet, I do > think the conversation could be useful - given this WG has already > done the privacy and nymity drafts you mention above, it could be > that this set of participants are more aware of the issues. (Or maybe > not, but good if we find out:-) > > Thanks, S. > > >> >> - Bernie >> >> -----Original Message----- From: Brian Haberman >> [mailto:brian@innovationslab.net] Sent: Monday, February 08, 2016 >> 1:40 PM To: Bernie Volz (volz) <volz@cisco.com>; Sri Gundavelli >> (sgundave) <sgundave@cisco.com> Cc: Stephen Farrell >> <stephen.farrell@cs.tcd.ie>; The IESG <iesg@ietf.org>; >> draft-ietf-dhc-access-network-identifier@ietf.org; >> dhc-chairs@ietf.org; jiangsheng@huawei.com; dhcwg@ietf.org >> Subject: Re: Stephen Farrell's Discuss on >> draft-ietf-dhc-access-network-identifier-13: (with DISCUSS and >> COMMENT) >> >> Hi Bernie & Sri, >> >> On 2/8/16 1:08 PM, Bernie Volz (volz) wrote: >>> Agree with Sri's points. DHC wg would like to advance draft. >>> >>> - Bernie (from iPhone) >>> >>>> On Feb 8, 2016, at 12:44 PM, Sri Gundavelli (sgundave) >>>> <sgundave@cisco.com> wrote: >>>> >>>> >>>> Thanks Stephen. If I read this correctly, I assume this is the >>>> only pending DISCUSS point. >>>> >>>> >>>>> "Did the DHC working group consider how this information, >>>>> when sent without adequate protection between relay and dhcp >>>>> server, could help in pervasive monitoring?" >>>> >>>> I will let chairs answer this question. >> >> I would like a chair to explicitly answer Stephen's question above >> and provide a pointer to the mailing list archives or meeting >> minutes where this point was discussed. >> >> Specifically, did the WG reach a consensus on the sensitive >> information elements and their vulnerability to pervasive >> monitoring? >> >> Regards, Brian >> >>>> >>>> >>>> But, from my point view: >>>> >>>> 1.) we have identified the information elements that are >>>> sensitive in nature from privacy point of view 2.) we have >>>> identified the interfaces where these information elements can >>>> possibly get exposed; interfaces where threats can be >>>> activated 3.) we have listed the deployment context (Ex: Single >>>> operator) 4.) we have listed considerations on how to entities >>>> have to deal with this data; points such as not to store the >>>> data at DHCP server ..etc. 4.) we have listed the existing >>>> tools that are available for the operator to mitigate that >>>> threat >>>> >>>> All of these points were discussed in the DHC WG and there were >>>> no explicit comments either supporting, or disagreeing with >>>> these views. >>>> >>>> >>>> Regards Sri >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>> On 2/8/16, 4:11 AM, "Stephen Farrell" >>>>> <stephen.farrell@cs.tcd.ie> wrote: >>>>> >>>>> Stephen Farrell has entered the following ballot position >>>>> for draft-ietf-dhc-access-network-identifier-13: Discuss >>>>> >>>>> When responding, please keep the subject line intact and >>>>> reply to all email addresses included in the To and CC lines. >>>>> (Feel free to cut this introductory paragraph, however.) >>>>> >>>>> >>>>> Please refer to >>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for >>>>> more information about IESG DISCUSS and COMMENT positions. >>>>> >>>>> >>>>> The document, along with other ballot positions, can be >>>>> found here: >>>>> https://datatracker.ietf.org/doc/draft-ietf-dhc-access-network-iden >>>>> >>>>> t >>>>> >>>>> > ifier/ >>>>> >>>>> >>>>> >>>>> ------------------------------------------------------------------- >>>>> >>>>> - >>>>> >>>>> > -- >>>>> DISCUSS: >>>>> ------------------------------------------------------------------- >>>>> >>>>> - >>>>> >>>>> > -- >>>>> >>>>> >>>>> Thanks for the changes made in response to my and, in >>>>> particular, Alissa's discuss ballots. >>>>> >>>>> Having looked back at the email thread I don't believe I got >>>>> any answer to the question "Did the DHC working group >>>>> consider how this information, when sent without adequate >>>>> protection between relay and dhcp server, could help in >>>>> pervasive monitoring?" >>>>> >>>>> I think the focus of the discussion has been on the >>>>> applicability of this being limited to "typically" one >>>>> operator's network, which does of course mean that the >>>>> traffic is less at risk than had it transited many networks. >>>>> However, we have seen (Belgacom) that the PM threat also >>>>> applies within a single operator's network. So I am still >>>>> interested in the answer to the above question. >>>>> >>>>> The DHC WG might consider this threat and still conclude that >>>>> a SHOULD statement about IPsec is the best we can do in >>>>> practice, but that isn't clear to me at present, so I'd still >>>>> like to chat about the PM threat. (Note: it's the WG's >>>>> consideration of the threat I'd like to chat about, not only >>>>> about the potential of IPsec to mitigate that threat.) >>>>> >>>>> >>>>> ------------------------------------------------------------------- >>>>> >>>>> - >>>>> >>>>> > -- >>>>> COMMENT: >>>>> ------------------------------------------------------------------- >>>>> >>>>> - >>>>> >>>>> > -- >>>>> >>>>> >>>>> >>>>> >>>>> OLD DISCUSS TEXT BELOW: >>>>> >>>>> (Sent mail 2016-01-10, checking on change vs. discuss) >>>>> >>>>> (1) Did the DHC working group consider how this information, >>>>> when sent without adequate protection between relay and dhcp >>>>> server, could help in pervasive monitoring? If so, what was >>>>> the conclusion reached? We have seen http header field >>>>> information sent between infrastructure nodes being >>>>> intercepted for that purpose, so this has to be similarly at >>>>> risk. If the answer is that this is only to be used within a >>>>> single network operator's setup (or a roaming arrangement) >>>>> then that needs to be justified (as practical) and, if it can >>>>> be justified (I'm not sure tbh), also made explicit. >>>>> >>>>> (2) I had a DISCUSS on the draft that became rfc 6757 about >>>>> protection of this kind of data. In that context I think I >>>>> was assured that everything (in PMIPv6) was IPsec protected >>>>> so it was fine. Why, in what we now know is a more threated >>>>> environment, is it ok to now have weaker protection when I >>>>> was assured then that IPsec was in fact quite usable in >>>>> PMIPv6? I think you maybe need to put in a MUST use IPsec >>>>> requirement for this to be as safe. >>>>> >>>>> (3) section 7: MAY store - this is possibly sensitive >>>>> information so you ought say that it SHOULD NOT be stored >>>>> unless needed, and if stored, SHOULD be deleted as soon as >>>>> possible. Storing sensitive information when not needed just >>>>> shouldn't be considered acceptable anymore I think - is that >>>>> reasonable? >>>>> >>>>> OLD COMMENT TEXT BELOW >>>>> >>>>> - I (strongly) support Alissa's DISCUSS and will be >>>>> interested in watching how that is resolved. Some of my >>>>> DISCUSS points do overlap though so from my POV feel free to >>>>> mix'n'match the discussions. Or to process first one then the >>>>> other, whatever you think is best. >>>>> >>>>> - RFC6757 defines exactly this for PMIPv6. That implies that >>>>> PMIPv6 should not be used to illustrate or motivate this, as >>>>> that problem is solved. Perhaps you would be better off if >>>>> you limited the scope of this to be used for networks that >>>>> are some kind of extension to PMIPv6 only? (You'd need to >>>>> define what kind I think.) >>>> >>
- [dhcwg] Stephen Farrell's Discuss on draft-ietf-d… Stephen Farrell
- Re: [dhcwg] Stephen Farrell's Discuss on draft-ie… Sri Gundavelli (sgundave)
- Re: [dhcwg] Stephen Farrell's Discuss on draft-ie… Bernie Volz (volz)
- Re: [dhcwg] Stephen Farrell's Discuss on draft-ie… Brian Haberman
- Re: [dhcwg] Stephen Farrell's Discuss on draft-ie… Bernie Volz (volz)
- Re: [dhcwg] Stephen Farrell's Discuss on draft-ie… Stephen Farrell
- Re: [dhcwg] Stephen Farrell's Discuss on draft-ie… Bernie Volz (volz)
- Re: [dhcwg] Stephen Farrell's Discuss on draft-ie… Stephen Farrell