[Int-area] IoT-dir early review of draft-ietf-intarea-broadcast-consider
"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Mon, 25 September 2017 22:57 UTC
Return-Path: <ncamwing@cisco.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9EA21345E4; Mon, 25 Sep 2017 15:57:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nqvi9rw-vcD8; Mon, 25 Sep 2017 15:57:47 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E8471345E3; Mon, 25 Sep 2017 15:57:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=40360; q=dns/txt; s=iport; t=1506380267; x=1507589867; h=from:to:subject:date:message-id:mime-version; bh=hMd66ZHW+3FCOtNrjgqAHvK02uGiRYJKx4TizIiakXY=; b=T2eKTRGd0EAjNE7mlghS0L/7/j1rxVWT82vgfhKND5VdgWAxI2AnHcw8 BoQMl3QFrqUDHsZsf0l8BjydFL1AVFLf1j/qUVOuyGsvvZLL8XfeDjRwj oYXnVjVl1NEnj6Gfbbv/Ro4LuPLTuC58daVsXOBv25GqDhlwldKiNEeeJ o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CQAQDgiMlZ/51dJa1SAQkZAQEBAQEBAQEBAQEHAQEBAQGCbz4tZG4ug2+ySoIECoVXhB1XAQIBAQEBAQJrKIVCaAEGOgEJAgQwJwQBEB2JNGSKR51mgicninkBAQEBAQEBAwEBAQEBAQEBIIMrgWIggzgrC4c5CAkBAw+DKy+CMQWYTYhSApRakwaVGQIRGQGBOAFXgQ54FVsBhQccgWdEiEiBMoEQAQEB
X-IronPort-AV: E=Sophos;i="5.42,438,1500940800"; d="scan'208,217";a="8030382"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Sep 2017 22:57:46 +0000
Received: from XCH-RTP-011.cisco.com (xch-rtp-011.cisco.com [64.101.220.151]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id v8PMvjmt010155 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 25 Sep 2017 22:57:45 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-011.cisco.com (64.101.220.151) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 25 Sep 2017 18:57:45 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1320.000; Mon, 25 Sep 2017 18:57:45 -0400
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "iot-dir@ietf.org" <iot-dir@ietf.org>, "draft-ietf-intarea-broadcast-consider.all@ietf.org" <draft-ietf-intarea-broadcast-consider.all@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>
Thread-Topic: IoT-dir early review of draft-ietf-intarea-broadcast-consider
Thread-Index: AQHTNlGz6yRYszwduEOtalHkjXB9DA==
Date: Mon, 25 Sep 2017 22:57:44 +0000
Message-ID: <1301971C-29C9-4279-8523-FF5CC8617875@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.86.254.8]
Content-Type: multipart/alternative; boundary="_000_1301971C29C942798523FF5CC8617875ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/VAKI0vHOFc8PJ-Yohh-DFKpKIJ8>
Subject: [Int-area] IoT-dir early review of draft-ietf-intarea-broadcast-consider
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Sep 2017 22:57:50 -0000
Reviewer: Nancy Cam-Winget Review result: On the right track General Comments There are actual distinctions that need to be made from a general privacy/security and considerations of using broadcast vs. multicast. Whereas multicast has the means by which multicast groups can be managed and thus authentication and authorization of group membership to a multicast group can be handled, broadcast does not. As such, the privacy considerations, while sharing a lot of commonality between multicast vs. broadcast, hold differences that need to be called out. Technical comments: Introduction: The 2 respects called out need to be better clarified: For (a): messages can be protected especially in a multicast group and keys can be managed with membership changes, whereas broadcast is more difficult to manage. For (b): why is encryption more difficult?? Broadcast/multicast messages today are being encrypted, but are subject to full viewership by the key holders (e.g. members of the broadcast or multicast domain for the duration of that key) The last paragraph is of concern as its intent is not clear. I believe it is trying to state that the draft is needed as RFC6973 focuses on the general privacy but more care is needed for broadcast and multicast. If that’s the case, suggest to reduce paragraph to a sentence or 2 to just highlight that point. Section 2.1 “Frequent bcast/mcast traffic caused by an application…” I think you mean the continuous use and the patterns it draws can define a behavioral pattern….I don’t believe the literal “frequent” lends itself to improving accuracy, but rather the temporal length of time in observing such a pattern can improve on the fidelity of the behavioral pattern observed. In general, making the periodicity of the message use unpredictable is what can help. Otherwise, a better rationale or guidance on what “conservative” in “the frequency SHOULD be chosen conservatively” is needed. Section 2.2 “true in case the IP and/or MAC address changes” I think you mean DOES NOT change. Also, these track devices not users. I would actually disagree that “frequent rotations of IDs” (in general) make user tracking more difficult. This section needs to improve the qualifications and conditions for when and how it can make tracking more difficult. While I do not entirely agree with rotation as a solution, I can see SOME instances in which it can slow down the tracking but not completely obfuscate behavior that can be used to deduce identity (of a device, or user). I am also puzzled as to how this is unique to broadcast/multicast messages? Section 2.4 Need to capitalize the ‘should’ in the last paragraph as the intent is to provide that as a recommended consideration. Section 2.5 What is a “safe” environment? The first paragraph needs to be clear on intent and definition of what is “safe”. This section will need to elaborate on the applications developed and where they sit in the networking layer…..application layer apps may want to use established ports and addresses that may need to be configured at a lower layer of the network stack. How would this be achieved? I percieve the goals of this section to be: - provide guidance to enable devices to have a configurable means of what networks (and applications?) it can trust and thus allow to run - provide guidance to developers to be aware of privacy leakage and allow for configuration but at which layer? ….but its not quite clear… Section 3 Would agree that it is difficult to change “human” behavior…. however, I do not understand the purpose or intent of this section as I see no guidance, consideration or recommendation. Section 4 There are bcast/mcast protocols that may not need DNS, is the intent of the first recommendation meant to state that protocols that offer privacy considerations like mDNS SHOULD (or perhaps MUST) be used? Or are you referring to the techniques used in mDNS to enable privacy considerations? “a broadcast/multicast protocol and cannot use an IETF-specified protocol” IETF protocols are starting to be conscious of privacy, do you mean protocols that do not offer privacy considerations? “(e.g. based on the SSID)” As requested in Section 2.5, a better definition of “safe” is required as applications may not map to an SSID (applications may also run on different PHYs). Other considerations This section speaks mainly to performance issues which (1) doesn’t apply to privacy and (2) the descriptions are limited with no salient consideration applicable to the focus of this draft; I suggest it be removed. Section 8 What is the intent of the 2nd paragraph? RFC 5374 described a framework that is suited to protect some broadcast/multicast which this paragraph notes, but what is its purpose? Is the intent to say these mechanisms can help with privacy and if so how? Nits: Introduction: “Also application developers use broadcast/multicast messages to implement things like local service or peer discovery and it appears that an increasing number of applications make use of it as suggested by experimental results obtained on campus networks including the IETF meeting network [TRAC2016]. That is not entirely surprising.” [ncw] This reads awkwardly. Suggest breaking it to something like: “Also, application developers use broadcast/multicast messages to implement local services. As suggested by the experimental results documented in “How broadcast data reveals your identity and social graph [trac2016], it is not surprising to see the increasing trend of using these messages.” “ Given the above, privacy protection for protocols based on broadcast or multicast communication is significantly more difficult compared to unicast communication and at the same time invading the privacy is much easier.” [ncw] Do you mean privacy is even more difficult to achieve than general data confidentiality and integrity?? Inconsistent references? “….or RFC 7919 [RFC7819])” Section 2.2 Is there an extraneous “e.g.” in “These IDs, which e.g. identify”? also as its the first instance of ID, call it out as “Identifiers (ID)”
- [Int-area] IoT-dir early review of draft-ietf-int… Nancy Cam-Winget (ncamwing)
- Re: [Int-area] IoT-dir early review of draft-ietf… Rolf Winter