Re: [Geopriv] draft-ietf-geopriv-rfc3825bis
"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Wed, 18 August 2010 08:39 UTC
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: geopriv@core3.amsl.com
Delivered-To: geopriv@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E51763A690A for <geopriv@core3.amsl.com>; Wed, 18 Aug 2010 01:39:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.481
X-Spam-Level:
X-Spam-Status: No, score=-102.481 tagged_above=-999 required=5 tests=[AWL=0.118, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oyMkFktLnLUV for <geopriv@core3.amsl.com>; Wed, 18 Aug 2010 01:39:20 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by core3.amsl.com (Postfix) with ESMTP id EB4D23A69FB for <geopriv@ietf.org>; Wed, 18 Aug 2010 01:39:19 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id o7I8dpT0026697 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 18 Aug 2010 10:39:51 +0200
Received: from demuexc023.nsn-intra.net (demuexc023.nsn-intra.net [10.150.128.36]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id o7I8doRc015518; Wed, 18 Aug 2010 10:39:51 +0200
Received: from FIESEXC015.nsn-intra.net ([10.159.0.23]) by demuexc023.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Wed, 18 Aug 2010 10:39:50 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 18 Aug 2010 11:39:49 +0300
Message-ID: <3D3C75174CB95F42AD6BCC56E5555B4502ED5688@FIESEXC015.nsn-intra.net>
In-Reply-To: <201008171552.o7HFqgVf011939@sj-core-2.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Geopriv] draft-ietf-geopriv-rfc3825bis
Thread-Index: Acs+JDzlJIkvpqYDQDWx3T+j4oaWqwAjAZ3w
References: <3D3C75174CB95F42AD6BCC56E5555B4502E238B8@FIESEXC015.nsn-intra.net> <C886C565.2799E%mlinsner@cisco.com> <3D3C75174CB95F42AD6BCC56E5555B4502E5CD08@FIESEXC015.nsn-intra.net> <201008162037.o7GKbq6X023539@sj-core-2.cisco.com> <3D3C75174CB95F42AD6BCC56E5555B4502E9CADC@FIESEXC015.nsn-intra.net> <201008171552.o7HFqgVf011939@sj-core-2.cisco.com>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: "ext James M. Polk" <jmpolk@cisco.com>, ext Marc Linsner <mlinsner@cisco.com>, geopriv@ietf.org
X-OriginalArrivalTime: 18 Aug 2010 08:39:50.0842 (UTC) FILETIME=[EC3789A0:01CB3EB0]
Subject: Re: [Geopriv] draft-ietf-geopriv-rfc3825bis
X-BeenThere: geopriv@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Geographic Location/Privacy <geopriv.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/geopriv>
List-Post: <mailto:geopriv@ietf.org>
List-Help: <mailto:geopriv-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Aug 2010 08:39:22 -0000
Hi James, I already suggested text that should be included. If this group cares about privacy then the document should better say something (like it does in other documents as well). Ciao Hannes > At 02:46 AM 8/17/2010, Tschofenig, Hannes (NSN - FI/Espoo) wrote: > > > > At 08:09 AM 8/10/2010, Tschofenig, Hannes (NSN - FI/Espoo) wrote: > > > >Think about a regular hotel network. > > > > > > many/most wired hotel networks are DSL-like based, so this doesn't > > > apply as directly as it may seem. > > > >Whether the hotel network provider uses DSL or Cable does > not matter for > >this purpose. > > huh? Cable uses BPI, and DSL systems are individually run. How are > they the same, and why is this an issue? > > > > > > > > > What you are suggesting (that the server MUST NOT hand > out location > > > in shared mediums) is requiring a DHCP server to have physical > > > topological awareness before implementing option 123. > The same DHCP > > > server can be unaware of ever network topology between it and the > > > client - therefore I believe you are placing an excessive > burden or > > > limitation on DHCP as an LCI delivery means. > > > >The GEOPRIV working group is about describing what privacy properties > >are being provided for the solutions we develop. You have always been > >quite keen on documenting everything in detail -- particularly when > >other people proposed something. > > > >Describing what we assume are reasonable operational > considerations that > >are applicable is a good thing, I believe. > > and yet your text could prevent a valid design choice(s). So > how is that good? > > >We cannot have all these chats about how important privacy > is for us but > >then when it actually has an operational impact then we back-off. > > > >In this specific case, I am not sure I understand what you mean with > >additional requirements. A DHCP server better has an idea about the > >network topology since otherwise how does it hand out the IP > addresses > >and other configuration parameters. > > for one, RAIO means it doesn't matter what topology is between the > server and the RAIO, but your suggested text doesn't account for that. > > another point, in a built wiremap database, as long as the final link > is switched, the entire topology is immaterial - which isn't > accounted for in your text either. > > and still another point, if the final hop is within the house, and > the house has a shared topology, does that mean the location provided > by the home gateway (acting as a DHCP server to the home) is an > invalid topology? You text says this home gateway MUST NOT hand out > any location, which is just plain wrong. > > > > > > > > I'm concerned about the SMB or residential gateway impact > of adding > > > this context - which can easily lead to some vendor(s) > reading what > > > you are proposing and consider DHCP not appropriate for homes or > > > small businesses inadvertently, where it otherwise would > be logical > > > to use. Many gateways of this sort have DHCP as a client > to the WAN, > > > and as a server to the LAN. > > > > > > We need to be careful with how we word any changes. > > > >There are two parts here: > > > >1) The first part is to describe what the privacy risks are with the > >technology > > the doc already has a warning about DHCP communications not being > secure, and that already passed IESG review in RFC 3825. What changed > in this version that made things so much more insecure to warrant > modifying the text about that warning? > > >2) The second part is to make some recommendations for anticipated > >envionments. > > Then I suggest you offer text about every type of topology and see if > you can get "strong" consensus, which is required to change the text > of a "bis" document. > > > >With SMBs and the usage of this document you are touch on > item #2. Your > >recommendation would be that the privacy risks are not so dramatic in > >such an environment and I believe it is OK to say that. > > > >You still want to talk about item #1 in the document. > > it is already there, as I and others have stated. > > James > > > >Ciao > >Hannes > > > > > > > > James > > > > > > > > > > > -----Original Message----- > > > > > From: ext Marc Linsner [mailto:mlinsner@cisco.com] > > > > > Sent: Tuesday, August 10, 2010 3:59 PM > > > > > To: Tschofenig, Hannes (NSN - FI/Espoo); geopriv@ietf.org > > > > > Subject: Re: [Geopriv] draft-ietf-geopriv-rfc3825bis > > > > > > > > > > Hannes, > > > > > > > > > > What specific network type(s) are you worried about? > > > > > > > > > > -Marc- > > > > > > > > > > > > > > > On 8/10/10 8:25 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" > > > > > <hannes.tschofenig@nsn.com> wrote: > > > > > > > > > > > But the conclusion is missing: if you are on a shared link > > > > > then you must > > > > > > not share location at the level of the individual > > > hosts. I fear that > > > > > > those who implement and deploy would not get the > point and would > > > > > > nevertheless reveal information and put the user at risk. > > > > > > > > > > > >> -----Original Message----- > > > > > >> From: ext Marc Linsner [mailto:mlinsner@cisco.com] > > > > > >> Sent: Tuesday, August 10, 2010 3:23 PM > > > > > >> To: Tschofenig, Hannes (NSN - FI/Espoo); geopriv@ietf.org > > > > > >> Subject: Re: [Geopriv] draft-ietf-geopriv-rfc3825bis > > > > > >> > > > > > >> Hannes, > > > > > >> > > > > > >> > > > > > >> On 8/10/10 3:33 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" > > > > > >> <hannes.tschofenig@nsn.com> wrote: > > > > > >> > > > > > >>> Hi all, > > > > > >>> > > > > > >>> during the GEOPRIV meeting I mentioned missing text in > > > > > >>> draft-ietf-geopriv-rfc3825bis regarding security. > > > > > >>> > > > > > >>> DHCP does not provide confidentiality protection as a > > > > > >> built-in feature. > > > > > >>> As Marc mentioned in response to issue#23 (see > > > > > >>> > http://trac.tools.ietf.org/wg/geopriv/trac/ticket/23) every > > > > > >> target would > > > > > >>> be given the exact same location information on a > > > shared medium. > > > > > >>> > > > > > >>> Unfortunately, the security consideration section does not > > > > > >> mention this > > > > > >>> aspect with a single word. > > > > > >> > > > > > >> Not true, currently in the security consideration > section of > > > > > >> the draft: > > > > > >> > > > > > >> " Since there is no privacy protection for DHCP > messages, an > > > > > >> eavesdropper who can monitor the link between the DHCP > > > > > server and > > > > > >> requesting client can discover this LCI." > > > > > >> > > > > > >> I don't believe more text is needed. > > > > > >> > > > > > >> -Marc- > > > > > >> > > > > > >> > > > > > >> > > > > > >> > > > > > >> > > > > > >> > > > > > >> Hence, I suggest to add: > > > > > >>> > > > > > >>> " > > > > > >>> Since there is no confidentiality protection for DHCP > > > > > >> messages, an > > > > > >>> eavesdropper who can monitor the link between the DHCP > > > > > server and > > > > > >>> requesting client can discover this LCI. In cases > > > > > where multiple > > > > > >>> hosts share the same link and can therefore see each > > > > > others DHCP > > > > > >>> messages the DHCP MUST NOT hand out location for > > > > > individual hosts > > > > > >>> but MUST rather provide location of the DHCP relay, > > > > > DHCP server, > > > > > >>> or a similar device instead. This ensures that > > > none of the end > > > > > >>> devices are able to learn exact information of the > > > other hosts > > > > > >>> on the same network. > > > > > >>> " > > > > > >>> > > > > > >>> Ciao > > > > > >>> Hannes > > > > > >>> > > > > > >>> _______________________________________________ > > > > > >>> Geopriv mailing list > > > > > >>> Geopriv@ietf.org > > > > > >>> https://www.ietf.org/mailman/listinfo/geopriv > > > > > >> > > > > > >> > > > > > >> > > > > > > > > > > > > > > > > > > >_______________________________________________ > > > >Geopriv mailing list > > > >Geopriv@ietf.org > > > >https://www.ietf.org/mailman/listinfo/geopriv > > > > > > > >
- [Geopriv] draft-ietf-geopriv-rfc3825bis Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Marc Linsner
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Ivan Shmakov
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Marc Linsner
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Brian Rosen
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Marc Linsner
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Hannes Tschofenig
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Henning Schulzrinne
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Marc Linsner
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Hannes Tschofenig
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Hannes Tschofenig
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Marc Linsner
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Carl Reed
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Bernard Aboba
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Thomson, Martin
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Bernard Aboba
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Thomson, Martin
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis James M. Polk
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis James M. Polk
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Geopriv] draft-ietf-geopriv-rfc3825bis Marc Linsner