Re: [dhcwg] Ben Campbell's Yes on draft-ietf-dhc-dhcpv6-privacy-04: (with COMMENT)
Tomek Mrugalski <tomasz.mrugalski@gmail.com> Wed, 24 February 2016 13:16 UTC
Return-Path: <tomasz.mrugalski@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3DE81A0018; Wed, 24 Feb 2016 05:16:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aqt_Srsb9vZH; Wed, 24 Feb 2016 05:16:37 -0800 (PST)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A3DF1A03A6; Wed, 24 Feb 2016 05:16:36 -0800 (PST)
Received: by mail-lf0-x22d.google.com with SMTP id l143so11508487lfe.2; Wed, 24 Feb 2016 05:16:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type:content-transfer-encoding; bh=XLCX9U8qZqQ7DDIzQKJJiDh3RF7ii2Jg0GpocSfKc9s=; b=mIUY93+PQjqt9mHxyDa3kMMt1Sko08XcHKq1IC2KUtGiNZD5A6cmwoRhdQzQ3hPMxH wWCPPmHOClGVPD7Z6JeMR9sYwtRlRa9aK4jp04VJbZ6XCTFWDW8LWJh46WXM/d0M9e3a S1rTzJ6l90zstz4eaotRb5ADwkMYNte8TAsvTfTzHDjsukUevQ1TUU5cWHfj1GqmstEW Tvuz8aEfCvXLukrdpyerxMbn689BasVtIFymSUHOl8z+U32DJJ/zCxi2xjz4WHEJbJkA nbx1GDY20u02hPOr9MqRTf5nGlqtTBz4Ci2tGw85FN+/477lHdYlpLizCtTPKM9i4tn0 SWBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=XLCX9U8qZqQ7DDIzQKJJiDh3RF7ii2Jg0GpocSfKc9s=; b=aWxrD55WiS80H48TPufjjnDns91rtvnwCH1YkUc5IdKQgI1jj7zfn92u7HYA1MvCpF ML4RqiQA6KHLpe377boNwgNZTPzK6hU4+CwWcMoScPoTIeohMPsefz4pcFAiVpHDa9EX vXORpMkzRAgnjE4GhXTMFFjFwGLDAkHTPWSV05K0B+14LYq98r4O8Xi0u4EcUJjfd+4n crJnfsT3x3cwRfLJE9in5Dd2Kq4jpAOfrJoHHLo5kI/hJBRx4E3HfaTTTo7U6+X9qqAT Eo9ewK4CoEQEA1seNhKnk4kSFpzuwGGg7M4A+mXsCc0nO9dQWcuLAi+tDRpGaooX7o1U TIhw==
X-Gm-Message-State: AG10YOTymkBHxIgsJ9yMpmCjPfrGyNBDjTC+jU4e6ULG/QGaDDeamvqgFwGADA7fRcxfqQ==
X-Received: by 10.25.21.29 with SMTP id l29mr11866562lfi.123.1456319794680; Wed, 24 Feb 2016 05:16:34 -0800 (PST)
Received: from [10.0.0.100] (109107011157.gdansk.vectranet.pl. [109.107.11.157]) by smtp.googlemail.com with ESMTPSA id f184sm378712lfe.6.2016.02.24.05.16.32 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 24 Feb 2016 05:16:33 -0800 (PST)
To: Ben Campbell <ben@nostrum.com>, The IESG <iesg@ietf.org>
References: <20160217230718.32558.47975.idtracker@ietfa.amsl.com>
From: Tomek Mrugalski <tomasz.mrugalski@gmail.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <56CDAD2F.9070505@gmail.com>
Date: Wed, 24 Feb 2016 14:16:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <20160217230718.32558.47975.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/t2GjIC9W-HfXJ8pef88QT0RdFcA>
Cc: dhc-chairs@ietf.org, draft-ietf-dhc-dhcpv6-privacy@ietf.org, dhcwg@ietf.org
Subject: Re: [dhcwg] Ben Campbell's Yes on draft-ietf-dhc-dhcpv6-privacy-04: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2016 13:16:38 -0000
Oops, seems nobody answered this comment yet. On 18.02.2016 00:07, Ben Campbell wrote: > Ben Campbell has entered the following ballot position for > draft-ietf-dhc-dhcpv6-privacy-04: Yes > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > -2: > If this is strictly an analysis with no proposed solution, why does it > need 2119 keywords? Actually, I only found one MAY, and that seemed more > a statement of fact than a new requirement. 2119 references removed, normative language removed (MAY is now lower case). > -5.6: > This seems to talk about pervasive monitoring in a very general sense. > Can you say something about how that specifically relates to dhcpv6? Sure. Here's the proposed text for section 5.6. The first paragraph comes from RFC7258 (this addressed a comment made earlier that suggested to borrow the text directly rather than try to describe PM with our own words). The last two paragraphs are new. Are they sufficient? 5.6. Pervasive monitoring Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol metadata such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large scale, rather than by introducing new types of technical compromise. See [RFC7258] for a discussion about PM. In the DHCPv6 context, PM approach can be used to collect any identifiers discussed in Section 3. DHCPv4 and DHCPv6 are especially susceptible as the initial message sent (SOLICIT in case of DHCPv6) is one of the very first packets sent when visiting a network. Furthermore, in certain cases this packet can be logged even on networks that do not support IPv6 (some implementations initiate DHCPv6 even without receiving RA with M or O bits set). This may be an easily overlooked attack vector when IPv6-capable device connects to an IPv4 only network, gains only IPv4 connectivity, but still leaks its stable identifiers over DHCPv6. Using PM approach, attacks discussed in Sections 5.1, 5.2, 5.3, 5.4, 5.5, 5.7, 5.8 and possibly 5.9 apply. Once we sort out this last comment, I can upload -05 and it should be ready to go. Thanks, Tomek
- [dhcwg] Ben Campbell's Yes on draft-ietf-dhc-dhcp… Ben Campbell
- Re: [dhcwg] Ben Campbell's Yes on draft-ietf-dhc-… Tomek Mrugalski
- Re: [dhcwg] Ben Campbell's Yes on draft-ietf-dhc-… Ben Campbell