IETF Logo Mail Archive

Re: [Geopriv] draft-ietf-geopriv-rfc3825bis

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Wed, 18 August 2010 08:39 UTC

Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: geopriv@core3.amsl.com
Delivered-To: geopriv@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E51763A690A for <geopriv@core3.amsl.com>; Wed, 18 Aug 2010 01:39:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.481
X-Spam-Level:
X-Spam-Status: No, score=-102.481 tagged_above=-999 required=5 tests=[AWL=0.118, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oyMkFktLnLUV for <geopriv@core3.amsl.com>; Wed, 18 Aug 2010 01:39:20 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by core3.amsl.com (Postfix) with ESMTP id EB4D23A69FB for <geopriv@ietf.org>; Wed, 18 Aug 2010 01:39:19 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id o7I8dpT0026697 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 18 Aug 2010 10:39:51 +0200
Received: from demuexc023.nsn-intra.net (demuexc023.nsn-intra.net [10.150.128.36]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id o7I8doRc015518; Wed, 18 Aug 2010 10:39:51 +0200
Received: from FIESEXC015.nsn-intra.net ([10.159.0.23]) by demuexc023.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Wed, 18 Aug 2010 10:39:50 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 18 Aug 2010 11:39:49 +0300
Message-ID: <3D3C75174CB95F42AD6BCC56E5555B4502ED5688@FIESEXC015.nsn-intra.net>
In-Reply-To: <201008171552.o7HFqgVf011939@sj-core-2.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Geopriv] draft-ietf-geopriv-rfc3825bis
Thread-Index: Acs+JDzlJIkvpqYDQDWx3T+j4oaWqwAjAZ3w
References: <3D3C75174CB95F42AD6BCC56E5555B4502E238B8@FIESEXC015.nsn-intra.net> <C886C565.2799E%mlinsner@cisco.com> <3D3C75174CB95F42AD6BCC56E5555B4502E5CD08@FIESEXC015.nsn-intra.net> <201008162037.o7GKbq6X023539@sj-core-2.cisco.com> <3D3C75174CB95F42AD6BCC56E5555B4502E9CADC@FIESEXC015.nsn-intra.net> <201008171552.o7HFqgVf011939@sj-core-2.cisco.com>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: "ext James M. Polk" <jmpolk@cisco.com>, ext Marc Linsner <mlinsner@cisco.com>, geopriv@ietf.org
X-OriginalArrivalTime: 18 Aug 2010 08:39:50.0842 (UTC) FILETIME=[EC3789A0:01CB3EB0]
Subject: Re: [Geopriv] draft-ietf-geopriv-rfc3825bis
X-BeenThere: geopriv@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Geographic Location/Privacy <geopriv.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/geopriv>
List-Post: <mailto:geopriv@ietf.org>
List-Help: <mailto:geopriv-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Aug 2010 08:39:22 -0000

Hi James, 

I already suggested text that should be included.
If this group cares about privacy then the document should better say
something (like it does in other documents as well). 

Ciao
Hannes

> At 02:46 AM 8/17/2010, Tschofenig, Hannes (NSN - FI/Espoo) wrote:
> 
> > > At 08:09 AM 8/10/2010, Tschofenig, Hannes (NSN - FI/Espoo) wrote:
> > > >Think about a regular hotel network.
> > >
> > > many/most wired hotel networks are DSL-like based, so this doesn't
> > > apply as directly as it may seem.
> >
> >Whether the hotel network provider uses DSL or Cable does 
> not matter for
> >this purpose.
> 
> huh? Cable uses BPI, and DSL systems are individually run. How are 
> they the same, and why is this an issue?
> 
> 
> 
> > >
> > > What you are suggesting (that the server MUST NOT hand 
> out location
> > > in shared mediums) is requiring a DHCP server to have physical
> > > topological awareness before implementing option 123.  
> The same DHCP
> > > server can be unaware of ever network topology between it and the
> > > client - therefore I believe you are placing an excessive 
> burden or
> > > limitation on DHCP as an LCI delivery means.
> >
> >The GEOPRIV working group is about describing what privacy properties
> >are being provided for the solutions we develop. You have always been
> >quite keen on documenting everything in detail -- particularly when
> >other people proposed something.
> >
> >Describing what we assume are reasonable operational 
> considerations that
> >are applicable is a good thing, I believe.
> 
> and yet your text could prevent a valid design choice(s). So 
> how is that good?
> 
> >We cannot have all these chats about how important privacy 
> is for us but
> >then when it actually has an operational impact then we back-off.
> >
> >In this specific case, I am not sure I understand what you mean with
> >additional requirements. A DHCP server better has an idea about the
> >network topology since otherwise how does it hand out the IP 
> addresses
> >and other configuration parameters.
> 
> for one, RAIO means it doesn't matter what topology is between the 
> server and the RAIO, but your suggested text doesn't account for that.
> 
> another point, in a built wiremap database, as long as the final link 
> is switched, the entire topology is immaterial - which isn't 
> accounted for in your text either.
> 
> and still another point, if the final hop is within the house, and 
> the house has a shared topology, does that mean the location provided 
> by the home gateway (acting as a DHCP server to the home) is an 
> invalid topology? You text says this home gateway MUST NOT hand out 
> any location, which is just plain wrong.
> 
> 
> > >
> > > I'm concerned about the SMB or residential gateway impact 
> of adding
> > > this context - which can easily lead to some vendor(s) 
> reading what
> > > you are proposing and consider DHCP not appropriate for homes or
> > > small businesses inadvertently, where it otherwise would 
> be logical
> > > to use. Many gateways of this sort have DHCP as a client 
> to the WAN,
> > > and as a server to the LAN.
> > >
> > > We need to be careful with how we word any changes.
> >
> >There are two parts here:
> >
> >1) The first part is to describe what the privacy risks are with the
> >technology
> 
> the doc already has a warning about DHCP communications not being 
> secure, and that already passed IESG review in RFC 3825. What changed 
> in this version that made things so much more insecure to warrant 
> modifying the text about that warning?
> 
> >2) The second part is to make some recommendations for anticipated
> >envionments.
> 
> Then I suggest you offer text about every type of topology and see if 
> you can get "strong" consensus, which is required to change the text 
> of a "bis" document.
> 
> 
> >With SMBs and the usage of this document you are touch on 
> item #2. Your
> >recommendation would be that the privacy risks are not so dramatic in
> >such an environment and I believe it is OK to say that.
> >
> >You still want to talk about item #1 in the document.
> 
> it is already there, as I and others have stated.
> 
> James
> 
> 
> >Ciao
> >Hannes
> >
> > >
> > > James
> > >
> > >
> > > > > -----Original Message-----
> > > > > From: ext Marc Linsner [mailto:mlinsner@cisco.com]
> > > > > Sent: Tuesday, August 10, 2010 3:59 PM
> > > > > To: Tschofenig, Hannes (NSN - FI/Espoo); geopriv@ietf.org
> > > > > Subject: Re: [Geopriv] draft-ietf-geopriv-rfc3825bis
> > > > >
> > > > > Hannes,
> > > > >
> > > > > What specific network type(s) are you worried about?
> > > > >
> > > > > -Marc-
> > > > >
> > > > >
> > > > > On 8/10/10 8:25 AM, "Tschofenig, Hannes (NSN - FI/Espoo)"
> > > > > <hannes.tschofenig@nsn.com> wrote:
> > > > >
> > > > > > But the conclusion is missing: if you are on a shared link
> > > > > then you must
> > > > > > not share location at the level of the individual
> > > hosts. I fear that
> > > > > > those who implement and deploy would not get the 
> point and would
> > > > > > nevertheless reveal information and put the user at risk.
> > > > > >
> > > > > >> -----Original Message-----
> > > > > >> From: ext Marc Linsner [mailto:mlinsner@cisco.com]
> > > > > >> Sent: Tuesday, August 10, 2010 3:23 PM
> > > > > >> To: Tschofenig, Hannes (NSN - FI/Espoo); geopriv@ietf.org
> > > > > >> Subject: Re: [Geopriv] draft-ietf-geopriv-rfc3825bis
> > > > > >>
> > > > > >> Hannes,
> > > > > >>
> > > > > >>
> > > > > >> On 8/10/10 3:33 AM, "Tschofenig, Hannes (NSN - FI/Espoo)"
> > > > > >> <hannes.tschofenig@nsn.com> wrote:
> > > > > >>
> > > > > >>> Hi all,
> > > > > >>>
> > > > > >>> during the GEOPRIV meeting I mentioned missing text in
> > > > > >>> draft-ietf-geopriv-rfc3825bis regarding security.
> > > > > >>>
> > > > > >>> DHCP does not provide confidentiality protection as a
> > > > > >> built-in feature.
> > > > > >>> As Marc mentioned in response to issue#23 (see
> > > > > >>> 
> http://trac.tools.ietf.org/wg/geopriv/trac/ticket/23) every
> > > > > >> target would
> > > > > >>> be given the exact same location information on a
> > > shared medium.
> > > > > >>>
> > > > > >>> Unfortunately, the security consideration section does not
> > > > > >> mention this
> > > > > >>> aspect with a single word.
> > > > > >>
> > > > > >> Not true, currently in the security consideration 
> section of
> > > > > >> the draft:
> > > > > >>
> > > > > >> " Since there is no privacy protection for DHCP 
> messages, an
> > > > > >>    eavesdropper who can monitor the link between the DHCP
> > > > > server and
> > > > > >>    requesting client can discover this LCI."
> > > > > >>
> > > > > >> I don't believe more text is needed.
> > > > > >>
> > > > > >> -Marc-
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >>  Hence, I suggest to add:
> > > > > >>>
> > > > > >>> "
> > > > > >>>    Since there is no confidentiality protection for DHCP
> > > > > >> messages, an
> > > > > >>>    eavesdropper who can monitor the link between the DHCP
> > > > > server and
> > > > > >>>    requesting client can discover this LCI. In cases
> > > > > where multiple
> > > > > >>>    hosts share the same link and can therefore see each
> > > > > others DHCP
> > > > > >>>    messages the DHCP MUST NOT hand out location for
> > > > > individual hosts
> > > > > >>>    but MUST rather provide location of the DHCP relay,
> > > > > DHCP server,
> > > > > >>>    or a similar device instead. This ensures that
> > > none of the end
> > > > > >>>    devices are able to learn exact information of the
> > > other hosts
> > > > > >>>    on the same network.
> > > > > >>> "
> > > > > >>>
> > > > > >>> Ciao
> > > > > >>> Hannes
> > > > > >>>
> > > > > >>> _______________________________________________
> > > > > >>> Geopriv mailing list
> > > > > >>> Geopriv@ietf.org
> > > > > >>> https://www.ietf.org/mailman/listinfo/geopriv
> > > > > >>
> > > > > >>
> > > > > >>
> > > > >
> > > > >
> > > > >
> > > >_______________________________________________
> > > >Geopriv mailing list
> > > >Geopriv@ietf.org
> > > >https://www.ietf.org/mailman/listinfo/geopriv
> > >
> > >
> 
>

v2.23.0 | Report a Bug | By Email