Re: [Hipsec] Stephen Farrell's No Objection on draft-ietf-hip-multihoming-11: (with COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 21 September 2016 07:28 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B87212B151; Wed, 21 Sep 2016 00:28:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.617
X-Spam-Level:
X-Spam-Status: No, score=-6.617 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QQ2TdsJ02XkS; Wed, 21 Sep 2016 00:28:47 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBFF112B147; Wed, 21 Sep 2016 00:28:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 710A3BE5B; Wed, 21 Sep 2016 08:28:45 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03ok9Byg6SEz; Wed, 21 Sep 2016 08:28:44 +0100 (IST)
Received: from [193.167.168.236] (eduroam-168-236.csc.fi [193.167.168.236]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 1AB9ABE56; Wed, 21 Sep 2016 08:28:43 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1474442924; bh=5pSJ9CaMLa8Upng8qva1A9nJMLU6KOR6WBswQs6uLQM=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=ENl4x23Txhu/lbt7NP7KhOZD70PK1hhCYmTUco439dqgSHg6TZx6rZVK7w8scjf3B gjcqPhXfGY+VT+NhZDhLlnW94IW7bIql5VBvDr0fnZ5WmpS30fea6mCQzTEi9y1p+T tzfIolkHApENxMavljV3uKwZ0uSyaPQi/avS2BRs=
To: Tom Henderson <tomhend@u.washington.edu>
References: <alpine.LRH.2.01.1609181200180.32623@hymn04.u.washington.edu>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <3344fc32-496b-79a6-1a80-8fbefd681e1f@cs.tcd.ie>
Date: Wed, 21 Sep 2016 08:28:42 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.01.1609181200180.32623@hymn04.u.washington.edu>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms030403000508010504060208"
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/bZllBTBeudUw2NX9_4lU3IlMGDo>
Cc: draft-ietf-hip-multihoming@ietf.org, hip-chairs@ietf.org, The IESG <iesg@ietf.org>, hipsec@ietf.org
Subject: Re: [Hipsec] Stephen Farrell's No Objection on draft-ietf-hip-multihoming-11: (with COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Sep 2016 07:28:48 -0000
Hi Tom, On 18/09/16 20:00, Tom Henderson wrote: > Stephen, thanks for your comments; replies inline below > > On 09/14/2016 04:25 AM, Stephen Farrell wrote: >> Stephen Farrell has entered the following ballot position for >> draft-ietf-hip-multihoming-11: No Objection >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> >> - I think section 6 ought note the privacy issue that >> was relatively recently with WebRTC and ICE where a >> client might not want all of it's IP addresses >> exposed, as doing so could expose the fact that the >> client e.g. is using Tor or another VPN service. The >> issue being that in some locations, that information >> may be quite sensitive. 4.2 notes this but in a quite >> opaque way, ("may be held back") but it'd be better to >> say some more. 5.1 is also relevant maybe in that it >> says one "SHOULD avoid" sending info about virtual >> interfaces. Anyway, I think it'd be good to add some >> recognition of this privacy issue to section 6. I am >> not arguing that this draft ought specify the one true >> way to avoid this problem, but only that it be >> recognised. > > Your comment led me to review this draft > > https://www.ietf.org/id/draft-ietf-rtcweb-ip-handling-01.txt > > which I would be inclined to cite, but I am not sure whether it will be put forward for publication soon (and therefore am not sure about citing it). > > The below might make a possible summary paragraph to add, however: > > "The exposure of all of a host's IP addresses through HIP > multihoming extensions may raise privacy concerns. A host > may be trying to hide its location in some contexts through > the use of a VPN or other virtual interfaces. Similar > privacy issues also arise in other frameworks such as WebRTC > and are not specific to HIP. Implementations SHOULD provide > a mechanism to allow the host administrator to block the > exposure of selected addresses or address ranges." > Looks good to me, thanks. >> >> - 4.11: what's the concern about anti-replay windows? >> I didn't get that fwiw, not sure if that just my >> relative ignorance of HIP or if more needs to be said >> in the document. > > It is explained in this sentence: > > "However, the use of different source > and destination addresses typically leads to different paths, with > different latencies in the network, and if packets were to arrive via > an arbitrary destination IP address (or path) for a given SPI, the > reordering due to different latencies may cause some packets to fall > outside of the ESP anti-replay window." Really? I'm surprised that that's at all likely. What size of window do folks tend to use? It must be small if path diversity has that effect. (Note: I'm not asking for a change to the text just wondering about it/educating myself:-) Cheers, S. > > Can you suggest changes or do you have a concern with what is stated? > > - Tom >
- [Hipsec] Stephen Farrell's No Objection on draft-… Stephen Farrell
- Re: [Hipsec] Stephen Farrell's No Objection on dr… Jari Arkko
- Re: [Hipsec] Stephen Farrell's No Objection on dr… Tom Henderson
- Re: [Hipsec] Stephen Farrell's No Objection on dr… Stephen Farrell