[Int-area] IoT-dir early review of draft-ietf-intarea-broadcast-consider
"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Mon, 25 September 2017 22:57 UTC
Return-Path: <ncamwing@cisco.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9EA21345E4; Mon, 25 Sep 2017 15:57:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nqvi9rw-vcD8; Mon, 25 Sep 2017 15:57:47 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E8471345E3; Mon, 25 Sep 2017 15:57:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=40360; q=dns/txt; s=iport; t=1506380267; x=1507589867; h=from:to:subject:date:message-id:mime-version; bh=hMd66ZHW+3FCOtNrjgqAHvK02uGiRYJKx4TizIiakXY=; b=T2eKTRGd0EAjNE7mlghS0L/7/j1rxVWT82vgfhKND5VdgWAxI2AnHcw8 BoQMl3QFrqUDHsZsf0l8BjydFL1AVFLf1j/qUVOuyGsvvZLL8XfeDjRwj oYXnVjVl1NEnj6Gfbbv/Ro4LuPLTuC58daVsXOBv25GqDhlwldKiNEeeJ o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CQAQDgiMlZ/51dJa1SAQkZAQEBAQEBAQEBAQEHAQEBAQGCbz4tZG4ug2+ySoIECoVXhB1XAQIBAQEBAQJrKIVCaAEGOgEJAgQwJwQBEB2JNGSKR51mgicninkBAQEBAQEBAwEBAQEBAQEBIIMrgWIggzgrC4c5CAkBAw+DKy+CMQWYTYhSApRakwaVGQIRGQGBOAFXgQ54FVsBhQccgWdEiEiBMoEQAQEB
X-IronPort-AV: E=Sophos;i="5.42,438,1500940800"; d="scan'208,217";a="8030382"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Sep 2017 22:57:46 +0000
Received: from XCH-RTP-011.cisco.com (xch-rtp-011.cisco.com [64.101.220.151]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id v8PMvjmt010155 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 25 Sep 2017 22:57:45 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-011.cisco.com (64.101.220.151) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 25 Sep 2017 18:57:45 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1320.000; Mon, 25 Sep 2017 18:57:45 -0400
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "iot-dir@ietf.org" <iot-dir@ietf.org>, "draft-ietf-intarea-broadcast-consider.all@ietf.org" <draft-ietf-intarea-broadcast-consider.all@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>
Thread-Topic: IoT-dir early review of draft-ietf-intarea-broadcast-consider
Thread-Index: AQHTNlGz6yRYszwduEOtalHkjXB9DA==
Date: Mon, 25 Sep 2017 22:57:44 +0000
Message-ID: <1301971C-29C9-4279-8523-FF5CC8617875@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.86.254.8]
Content-Type: multipart/alternative; boundary="_000_1301971C29C942798523FF5CC8617875ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/VAKI0vHOFc8PJ-Yohh-DFKpKIJ8>
Subject: [Int-area] IoT-dir early review of draft-ietf-intarea-broadcast-consider
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Sep 2017 22:57:50 -0000
Reviewer: Nancy Cam-Winget
Review result: On the right track
General Comments
There are actual distinctions that need to be made from a general privacy/security
and considerations of using broadcast vs. multicast. Whereas multicast has
the means by which multicast groups can be managed and thus authentication
and authorization of group membership to a multicast group can be handled,
broadcast does not. As such, the privacy considerations, while sharing a lot
of commonality between multicast vs. broadcast, hold differences
that need to be called out.
Technical comments:
Introduction:
The 2 respects called out need to be better clarified:
For (a): messages can be protected especially in a multicast group and keys
can be managed with membership changes, whereas broadcast is more
difficult to manage.
For (b): why is encryption more difficult?? Broadcast/multicast messages today
are being encrypted, but are subject to full viewership by the key holders
(e.g. members of the broadcast or multicast domain for the duration of that key)
The last paragraph is of concern as its intent is not clear. I believe it is trying to state
that the draft is needed as RFC6973 focuses on the general privacy but more care is
needed for broadcast and multicast. If that’s the case, suggest to reduce paragraph
to a sentence or 2 to just highlight that point.
Section 2.1
“Frequent bcast/mcast traffic caused by an application…”
I think you mean the continuous use and the patterns it draws can define
a behavioral pattern….I don’t believe the literal “frequent” lends itself to
improving accuracy, but rather the temporal length of time in observing
such a pattern can improve on the fidelity of the behavioral pattern observed.
In general, making the periodicity of the message use unpredictable is what
can help. Otherwise, a better rationale or guidance on what “conservative” in
“the frequency SHOULD be chosen conservatively” is needed.
Section 2.2
“true in case the IP and/or MAC address changes”
I think you mean DOES NOT change. Also, these track devices not users.
I would actually disagree that “frequent rotations of IDs” (in general) make
user tracking more difficult. This section needs to improve the qualifications
and conditions for when and how it can make tracking more difficult.
While I do not entirely agree with rotation as a solution, I can see SOME
instances in which it can slow down the tracking but not completely obfuscate
behavior that can be used to deduce identity (of a device, or user).
I am also puzzled as to how this is unique to broadcast/multicast messages?
Section 2.4
Need to capitalize the ‘should’ in the last paragraph as the intent is to provide
that as a recommended consideration.
Section 2.5
What is a “safe” environment? The first paragraph needs to be clear on
intent and definition of what is “safe”.
This section will need to elaborate on the applications developed and where
they sit in the networking layer…..application layer apps may want to use
established ports and addresses that may need to be configured at a lower
layer of the network stack. How would this be achieved?
I percieve the goals of this section to be:
- provide guidance to enable devices to have a configurable means of
what networks (and applications?) it can trust and thus allow to run
- provide guidance to developers to be aware of privacy leakage and allow
for configuration but at which layer?
….but its not quite clear…
Section 3
Would agree that it is difficult to change “human” behavior….
however, I do not understand the purpose or intent of this section as I see no guidance,
consideration or recommendation.
Section 4
There are bcast/mcast protocols that may not need DNS, is the intent of
the first recommendation meant to state that protocols that offer privacy
considerations like mDNS SHOULD (or perhaps MUST) be used? Or are you
referring to the techniques used in mDNS to enable privacy considerations?
“a broadcast/multicast protocol and cannot use an IETF-specified protocol”
IETF protocols are starting to be conscious of privacy, do you mean
protocols that do not offer privacy considerations?
“(e.g. based on the SSID)”
As requested in Section 2.5, a better definition of “safe” is required as
applications may not map to an SSID (applications may also run on different PHYs).
Other considerations
This section speaks mainly to performance issues which (1) doesn’t apply to privacy
and (2) the descriptions are limited with no salient consideration applicable to the focus
of this draft; I suggest it be removed.
Section 8
What is the intent of the 2nd paragraph? RFC 5374 described a framework that is suited
to protect some broadcast/multicast which this paragraph notes, but what is its purpose?
Is the intent to say these mechanisms can help with privacy and if so how?
Nits:
Introduction:
“Also application
developers use broadcast/multicast messages to implement things like
local service or peer discovery and it appears that an increasing
number of applications make use of it as suggested by experimental
results obtained on campus networks including the IETF meeting
network [TRAC2016]. That is not entirely surprising.”
[ncw] This reads awkwardly. Suggest breaking it to something like:
“Also, application developers use broadcast/multicast messages to implement
local services. As suggested by the experimental results documented in “How
broadcast data reveals your identity and social graph [trac2016], it is not
surprising to see the increasing trend of using these messages.”
“ Given the above, privacy protection for protocols based on broadcast
or multicast communication is significantly more difficult compared
to unicast communication and at the same time invading the privacy is
much easier.”
[ncw] Do you mean privacy is even more difficult to achieve than general
data confidentiality and integrity??
Inconsistent references? “….or RFC 7919 [RFC7819])”
Section 2.2
Is there an extraneous “e.g.” in “These IDs, which e.g. identify”?
also as its the first instance of ID, call it out as “Identifiers (ID)”
- [Int-area] IoT-dir early review of draft-ietf-int… Nancy Cam-Winget (ncamwing)
- Re: [Int-area] IoT-dir early review of draft-ietf… Rolf Winter