Re: [dhcwg] Ben Campbell's Yes on draft-ietf-dhc-anonymity-profile-07: (with COMMENT)
Christian Huitema <huitema@microsoft.com> Fri, 19 February 2016 20:58 UTC
Return-Path: <huitema@microsoft.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFC7C1B3520; Fri, 19 Feb 2016 12:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SIzb2vyyPvtA; Fri, 19 Feb 2016 12:58:49 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0714.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::714]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 639FC1B351F; Fri, 19 Feb 2016 12:58:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=WiCj39FuWDqnZL3LFon4nDPZL0XHnq7bpMwkwN5Fmjw=; b=YC5+8Ze8gwdALHquhTzKOVtJz3IXDA7euY86zFYMTFif+Alu0KxnYIGN4chff9YZts4MhPBPXbb+vj5+Kl9QVByTncqAZph2QQVDZ6v8bg149g5WVFNIyuBcMrpY588Fay16FnRRLb3vCDNyWIX+qe6xQGYJlocpkl98EaPmYdI=
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (10.160.96.17) by DM2PR0301MB0656.namprd03.prod.outlook.com (10.160.96.18) with Microsoft SMTP Server (TLS) id 15.1.409.15; Fri, 19 Feb 2016 20:58:30 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) by DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) with mapi id 15.01.0409.017; Fri, 19 Feb 2016 20:58:30 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Ben Campbell <ben@nostrum.com>, The IESG <iesg@ietf.org>
Thread-Topic: Ben Campbell's Yes on draft-ietf-dhc-anonymity-profile-07: (with COMMENT)
Thread-Index: AQHRaShXolUb80HWIEy0z+tnE4mU8p8zzY0Q
Date: Fri, 19 Feb 2016 20:58:30 +0000
Message-ID: <DM2PR0301MB06552237A51A85B1A07F5F33A8A00@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <20160217021008.17111.65342.idtracker@ietfa.amsl.com>
In-Reply-To: <20160217021008.17111.65342.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: nostrum.com; dkim=none (message not signed) header.d=none;nostrum.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:e::409]
x-ms-office365-filtering-correlation-id: 6b88aca3-471c-4a70-d7f7-08d3396f6bf7
x-microsoft-exchange-diagnostics: 1; DM2PR0301MB0656; 5:wcso+R1XZA7AiKE52d4uZO0ZttOBlb7j8WL7xzs19ysHnSashrb2xuYoTZ/+WjADqli01uPzgpLChRbYD9690av3nVbU2Gq7KlbT8gzK9K55aR8VhKm8rBESJK9yVu+l3Nv425Gx9ZoUQZ5IxSC03g==; 24:5CcUYv9yKKhT+6Dthz2T12g0myRCIy632oLskiD58gBbM15VzbF+hDkZlPWw613f2kmQ6FowC6BMOQDDPFoWlJXfTj0rKmV0HnIWtueFrSs=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0656;
x-microsoft-antispam-prvs: <DM2PR0301MB0656ABA54C65BE6E19A00375A8A00@DM2PR0301MB0656.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(61426038)(61427038); SRVR:DM2PR0301MB0656; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0656;
x-forefront-prvs: 08572BD77F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(51914003)(24454002)(377454003)(4326007)(586003)(5008740100001)(5001770100001)(77096005)(3280700002)(33656002)(11100500001)(1220700001)(1096002)(2906002)(5004730100002)(8990500004)(122556002)(74316001)(99286002)(5001960100002)(40100003)(189998001)(230783001)(76576001)(106116001)(10400500002)(5005710100001)(5003600100002)(2950100001)(2900100001)(10290500002)(5002640100001)(86362001)(87936001)(50986999)(54356999)(76176999)(3660700001)(92566002)(102836003)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0656; H:DM2PR0301MB0655.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Feb 2016 20:58:30.2898 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0656
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/yhi7P5BfFwwTA0Q31vC64F2gbhg>
Cc: "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "volz@cisco.com" <volz@cisco.com>, "draft-ietf-dhc-anonymity-profile@ietf.org" <draft-ietf-dhc-anonymity-profile@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] Ben Campbell's Yes on draft-ietf-dhc-anonymity-profile-07: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 20:58:53 -0000
On Tuesday, February 16, 2016 6:10 PM, Ben Campbell wrote: >... > *** Substantive *** > - 2.6, 2nd paragraph: > It seems like the "if servers do not object" part goes against the spirit of > section 2.5. I guess we can suppress the "if server do not object" part. Servers could do all kind of things, but this specification is really for clients. There is an example in section 5 of how servers might object -- by enforcing a white list of MAC addresses. Probably no need to say that again in 2.6. > - 3 (top level) > > -- There's a lot of normative language about things people MUST or MAY put > into DHCP messages (as opposed to the SHOULD NOTs). Are those new > requirements created by this profile, or statements of fact about DHCP in > general? If the latter, please consider dropping the 2119 keywords. The part specific to the anonymity profile is the restriction, "should not contain more options." The MUST part is largely a repeat of the main spec. > -- "It SHOULD NOT contain any other option" > This language repeats several times. But there’s a fair amount of text later in > the subsections that talks about specific “other options” that SHOULD NOT > be included. That seems redundant. I wonder if there's an opportunity to > simplify things? We went through several iterations of this text, and it was thoroughly reviewed. I am concerned that changing something now would require going back to the WG. > -- 2nd to last paragraph: > It seems odd to say things SHOULD follow the dhcp standard; that's kind of > implied by being dhcp. Yes. What is meant is that since this is DHCP, we will of course follow the standard, but we are going to have some deviations and choices, as explained in the remaining subsections. Do you have a better text? > - 3 and subsections: > There are a lot of SHOULDs that I am surprised are not MUSTs. I understand > that the entire profile is optional, but it seems like some of the guidance > could be stronger for clients that use the profile in the first place. The problem is that in many case there is a conflict between perfection and usability, as well as doubts about how far to go to avoid fingerprinting. > - 3.1, last paragraph: > Please describe the consequences of not following that SHOULD. For > example, doesn’t the MAY alternative _add_ a fingerprinting opportunity? We can debate that. What you see there is a compromise between theory and practice. Our Windows 10 implementation actually uses the fix order, because that can be set at compile time. Also, we use the same fixed order whether or not the client is using anonymity profile. So you could say that not randomizing fingerprints the device as "running windows 10", while randomizing would fingerprint as "using the anonymity profile." > - 3.2, 2nd to last paragraph: "DHCP clients should ensure" > Should that be SHOULD? Yes. > -3.3, 2nd paragraph: "They MUST use the option when mandated by the > DHCP protocol..." > That seems more like a statement of fact. Yes. We were concerned that implementers would scratch their head and wonder how to balance the anonymity statement "this is sometimes dangerous" versus the DHCP specification. Do you suggest to drop the sentence? > -3.7, third paragraph: > What’s the point of allowing the sending of an obfuscated host name, rather > than just saying MUST NOT send the host name in the first place? Well, we say "SHOULD NOT" send the host name. This is what the Windows 10 implementation does, and we have verified that it does not cause problems in practice. But during the draft development we were really concerned that some network functionality might require sending a name value in DHCP. I am concerned that changing that now will require WG feedback. > - 4.3, 3rd paragraph: > Isn't the randomization of link-layer addresses a fundamental premise of this > draft? This is meant for example for anonymous VPN links. There was specific WG feedback requesting that. > *** Editorial *** > > - 3, 2nd to last paragraph: > Can the "following sections" be more specific? That is, list the section > numbers, or mention "The remaining subsections"? "The remaining subsections" looks good. > - 3.1, 2nd to last paragraph: > Are we really talking about clients "willing" to protect privacy, or clients > "wishing" or "intending" to protect privacy? "intending" is fine. > - 3.4: > The document already spent several pages motivating the randomization of > link-layer addresses. It seems unnecessary to do it again here. There is a key requirement to implementers there: do not pick a static value at boot time, but instead always check whether it has changed. But I suppose we could suppress the middle sentence of the 2nd paragraph. > -3.5, 2nd to last paragraph: > “based solely” seems ambiguous. Do I understand correctly that this means > the client MUST NOT use client identifiers that persist across changes in the > link layer address? "based solely" is a deliberate repeat of the text in RFC 4361, explaining that we recommend exactly what RFC 4361 recommends against. > The assertion that this will ensure that no privacy leaks occur seems > overstated. I suspect there are other ways clients can leak private > information. The text does not say "no privacy leak," it is more cautious than that. But yes, we could be more specific, say ”will not be nullified by the Client Identifier Option" instead of "will not be nullified by DHCP options." > - 3.6: > The guidance on ordering seems redundant with 3.1. It is actually different. 3.1 describe the arrangement of the various options in the message, 3.6 describes the arrangement of the requested option numbers inside the PRL option. > - 3.9, 2nd paragraph, last sentence: "If only for privacy reasons..." > I suggest removing the clause. It weakens the following normative > requirement. OK. > - 4.5, first paragraph: "indemtified" > identified? Yes. Thanks for the feedback! -- Christian Huitema
- [dhcwg] Ben Campbell's Yes on draft-ietf-dhc-anon… Ben Campbell
- Re: [dhcwg] Ben Campbell's Yes on draft-ietf-dhc-… Christian Huitema