IETF Logo Mail Archive

Re: [dhcwg] Next step(s) for draft-ietf-dhc-stable-privacy-addresses -> abandon work? / IA_NA applicability

Lorenzo Colitti <lorenzo@google.com> Wed, 08 April 2015 12:46 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F0B01A1AC1 for <dhcwg@ietfa.amsl.com>; Wed, 8 Apr 2015 05:46:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tD8TBJm5bZsw for <dhcwg@ietfa.amsl.com>; Wed, 8 Apr 2015 05:46:01 -0700 (PDT)
Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 579CC1A0276 for <dhcwg@ietf.org>; Wed, 8 Apr 2015 05:46:01 -0700 (PDT)
Received: by ignm3 with SMTP id m3so28460111ign.0 for <dhcwg@ietf.org>; Wed, 08 Apr 2015 05:46:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=AfMSt9KONKcbmhzWtvKkb3QTQ2rBFbkhb7Mcr7FtuEM=; b=aNXsXXfsHfBnJ8EXWXX+seN2G6th5r+EGbgaxLrD5yDtJ2dBIpYCIZpeeCRzLHCkIS vIE+y84eXBCj/QGeN3RzRfNY4SK8JT7S9Vn7iiH7/6A2cGNeqoryH3wHC8in9/Q6TOe+ 7XvDk6Gw7n4AKiLVSX1h1wHHhuXXygneh2NLT4lkLpA0zn8TpNzJKPQa02/x3HJM6y3d j/6XZ+OM/vadlTXVRZgZVDOffX43Upoj3v1/8d5qfVSZ/eCT2+7qicuGAbYySIliGAYl 23oT6IliiHyOra5ajdBlrWmecUU/H28pa1a1KQYy6Xf/VLT/gLjC4zOjVZ8nVJ8Mv7di UFXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=AfMSt9KONKcbmhzWtvKkb3QTQ2rBFbkhb7Mcr7FtuEM=; b=LyVdphW0keYrWDVopW8461lOtGpLIpW6yLHs7cnt5RKc7feq59qhLjEQDR04LD4leo CSeFWXjZ+ozyWn95Zue24xBXEziLUh2gMqv2rnWaP9h0sy/w1mINFEzSKVVg7u1xf3Ef 8BqTbFUi+TjMhiwN/3rHrhkawbXydiE2MV5VQNO9j12eSEq95W67gqf6wkJLJX5zbaOL 0uDHtt+KXjZu0UACnwSnrh3MB+6wj0a+OO/JFO/Hi/YLH6wAyAPKeswuMdnhBVv3kbFa +do55p8VoqJlW1/m45hQZydSkyqBagwduOJVWzoysXI+eVkX31120r9cE6qHEJQaYcDM qrOA==
X-Gm-Message-State: ALoCoQl4cNTQxAZBB12Cy/kup5dft0l7c3y/JoCSTSygeGXiiiHdaWOK7iY8D8BGMjcKQXQncGsE
X-Received: by 10.50.77.13 with SMTP id o13mr488226igw.39.1428497160799; Wed, 08 Apr 2015 05:46:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.195.75 with HTTP; Wed, 8 Apr 2015 05:45:40 -0700 (PDT)
In-Reply-To: <55251EFA.4000204@si6networks.com>
References: <489D13FBFA9B3E41812EA89F188F018E1CA32071@xmb-rcd-x04.cisco.com> <8C4E055C-ED1D-4951-8473-6166109ACE69@nominum.com> <489D13FBFA9B3E41812EA89F188F018E1CA321EE@xmb-rcd-x04.cisco.com> <6D7A465E-6EBE-4B69-9B65-BAC7BF2A9873@nominum.com> <489D13FBFA9B3E41812EA89F188F018E1CA3229F@xmb-rcd-x04.cisco.com> <55214802.1070305@si6networks.com> <CAKD1Yr3UYT0yPEqftEXpN8zmk=-dka_NMcu3rbb_GG+YSnk2ZQ@mail.gmail.com> <5524D09B.3090706@si6networks.com> <CAKD1Yr2Ztzoys+xKBzsEHU5hqJmfGpn-GeWPEqNCHRuWOTgsJQ@mail.gmail.com> <55250911.30100@si6networks.com> <CAKD1Yr0ojVmk-ctUO313zvAx01P=B-A2zVuwDm73+dLgVwDLOw@mail.gmail.com> <55250DF2.8050001@si6networks.com> <CAKD1Yr33wFmjjqjYu8YEpqYvnn=kh9oJhe1YAC7UEzacQFBaWg@mail.gmail.com> <55251EFA.4000204@si6networks.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 08 Apr 2015 21:45:40 +0900
Message-ID: <CAKD1Yr0XK-DQkcJKwTYmiWzCzZs4pubCme9rAgoZ_ig-P5MgsQ@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Content-Type: multipart/alternative; boundary="047d7bdc110ad53ea8051335e9fc"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/yOLg6PYYkT1Etnactr8pvvbm9so>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, "Bernie Volz (volz)" <volz@cisco.com>, Ted Lemon <Ted.Lemon@nominum.com>
Subject: Re: [dhcwg] Next step(s) for draft-ietf-dhc-stable-privacy-addresses -> abandon work? / IA_NA applicability
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 12:46:03 -0000

On Wed, Apr 8, 2015 at 9:28 PM, Fernando Gont <fgont@si6networks.com> wrote:

> > That just changes the question to "what happens if the server uses both
> > this type of address and other types of address".
>
> The intent is that if you're going to use this scheme, for leasing
> addreses, you use this scheme for all prefixes: at the end of the day,
> if *one* of your addresses is predictable, that's enough for the
> attacker to track you or scan you.
>

No, it's not enough. The attacker can only track or scan you if you use a
stupid algorithm to generate the IIDs. Yours is not stupid, but neither are
many others such as "random". You can perfectly well use random assignment
on some subnets and your algorithm on other subnets.

Regardless - if that's the intent, then the draft should say so.


> > then you'll need to make it clear
> > what is required for it to coexist with other ways of generating IPv6
> > IIDs. If not, then you'll need to make it clear that it cannot coexist
> > with other ways of generating addresses.
>
> Other ways of generating IIDs for the same prefix, or for other prefixes?
>
> For other prefixes, the idea is that if you use a weak scheme for other
> prefixes, you're toast. For the same prefix, if you employ multple
> schemes you won't achieve address stability.
>
> Is this what you were referring to?
>

I was referring to the lack of any such statement in the draft, yes.


> > Another issue I see is that the document says that the addresses are
> > stable and stateless, but they're not, because the value of counter for
> > every lease needs to be shared between the servers. For example, if the
> > client sends a DECLINE because it fails DAD, what do you do? The address
> > is no longer stable.
>
> IMO, I see the counter as mostly an "optional" parameter, which allows
> to recover from address collisions (rather than a mandatory field). If
> you do employ the Counter, but do not store it, then whether the
> addresses are stable or not depends on the order in which systems are
> bootstrapped.
>

Then the draft needs to say what the server needs to do if it doesn't use
the counter and the client sends a decline. Does the client get no address?


> > Another issue: if the addresses are stable and stateless, then that
> > means you can replace a server and have the client keep the same
> > address. What modifications are needed on the server side for that to
> > work? If the client sends a renew unicast to the new server, will this
> > just work?
>
> This deserves a clarification, indeed.
>
> Of th top of my head:
>
> * Address stability can be achieved 100% stateless-ly, but need not.
> e.g., you can generate addresses as specified in this document, but
> still keep an address lease database. In that case, the server would
> employ this algorithm for generating the addresses in the first place,
> but the address lease would be recorded in the lease database. After
> that, things would work as for any other DHCPv6 address generation
> scheme. If the server is replaced (same IP address, same server DUID),
> renew/rebind itself would "fail" but then but then the same address
> would be leased again (when the algorithm is applied ot generate a "new"
> IPv6 address). For failover to a different server this doesn't really
> matter, as a renew is sent to the same server, nt just ot "any server".
>
>
> For a 100% stateless operation, then the server should check whether the
> address t be renewed is the result of applying the expression in the
> I-D. If it is, that'd be the same as having an entry in the lease
> database. Otherwise, it's a "no binding" scenario. For the case where
> one wants to cope with possible address clollisions, one might (MAY) the
> server to try to expression (incrementing Counter) up to "MaxRetries"
> (which should be the same value that the server should use when trying
> to come up with a unique address but collissions are found).
>
> Does (some version of) this sound reasonable?
>

Perhaps. But you have to document this, and if you document this and it
turns out that you need server-side behaviour changes, then you need to
update RFC 3315.

Again, I don't think it's worth it.

v2.23.0 | Report a Bug | By Email