IETF Logo Mail Archive

Re: [Int-area] draft-daveor-slaac-privacy-logging-00

Christian Huitema <huitema@huitema.net> Wed, 30 May 2018 17:20 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8EFB12DA1C for <int-area@ietfa.amsl.com>; Wed, 30 May 2018 10:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vB_d5MYPhT4E for <int-area@ietfa.amsl.com>; Wed, 30 May 2018 10:20:14 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AE6412DA18 for <int-area@ietf.org>; Wed, 30 May 2018 10:20:14 -0700 (PDT)
Received: from xsmtp05.mail2web.com ([168.144.250.245]) by mx15.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1fO4lc-0001oF-Cy for int-area@ietf.org; Wed, 30 May 2018 19:20:12 +0200
Received: from [10.5.2.17] (helo=xmail07.myhosting.com) by xsmtp05.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1fO4lX-0001ZR-Le for int-area@ietf.org; Wed, 30 May 2018 13:20:07 -0400
Received: (qmail 16498 invoked from network); 30 May 2018 17:19:59 -0000
Received: from unknown (HELO [192.168.1.106]) (Authenticated-user:_huitema@huitema.net@[172.56.42.246]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <int-area@ietf.org>; 30 May 2018 17:19:59 -0000
To: Dave O'Reilly <rfc@daveor.com>, Alexandre Petrescu <alexandre.petrescu@gmail.com>
Cc: int-area@ietf.org
References: <24C20997-65E5-4FA4-B435-EA3438245D0D@daveor.com> <52a54590-182f-64e3-91d9-5e1f99215831@gmail.com> <0FF3C748-2132-4F9E-9FE8-4818D3766D14@daveor.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= xsBNBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAHNJ0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PsLAeQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1bOwE0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAcLBfgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <733a9dc1-a91a-239e-8aa8-af19a805b8b8@huitema.net>
Date: Wed, 30 May 2018 10:19:58 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <0FF3C748-2132-4F9E-9FE8-4818D3766D14@daveor.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 168.144.250.245
X-AntiSpamCloud-Domain: xsmtpout.mail2web.com
X-AntiSpamCloud-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-AntiSpamCloud-Outgoing-Class: unsure
X-AntiSpamCloud-Outgoing-Evidence: Combined (0.19)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5ukRBoO2u38ttBoYN1caK11602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO3NBQ8jcSCSHwUCPl9o/grPBFCAKYcLuPfWMLWK7DDnqiWkat7b6+VVZVD263mOMlCTg 127TqHZDxA/kZB41Rh901iU5yAsBk1OyzGhUzELBhsx9ycV+H++6ewdLHPW1pTSkkFlQZz6yFr2K mBj9WjaK54YNgBMK/cTYPsBEoX179aHqbsOLz4EkKfELCxwJIuCuRipgeuVjmv1s/D+SPSrFkCxZ 25wl+SuGnaEIRu161qkK742y4wCes8FTZAV12aOHsLIgU6CxRwTS/pCI4IAd4WM/pHSp5vEtSzeE iAXwP8biGVaHxdIhJpX2SF/frT/TpQy8kTfRo7YlxVS4t1aI+8ftzFe2XyLppMxgk9v7VqJR6J2i W088Nl7RXq3VxAIPbR6iF0Io2IR6cFULTLnHEgV4HBy01ru1y7iS4JNjYab5Xr0qCKMm/9FIygp7 hGiH1Wgh6RAenBR+licROGaX3Boon9SxUKxCjuDQ3yDinjJnvOJb7QLz3fRlX8x/qe9ZEEPeztMw aixWNVQi56fUdLWq1MCLe4uzYlSTS/YzOILorw8hkXvCsQxELmff7J1gP4HWZlfj1ueWMBAfk0cY VXicmMOpI2clI133E9HJ/WRbdco3pKNX9x7s84ASzu4jeF7MIDAd/+68q5OewVPQlbjfK+wIqfO1 0PXQnhAFcrFb19VwxgqrGRAXg24bNoQKSK3P4ypiY56j+sEW5bRPbYOsJydpa2UlAmayhWLBTAz/ vUCXk3dj4MGE7pxybkIjCEOQnJE+FWh5plwfd47NTt/aVJj3FpzwJHlTKBf4P5hMT+A79/UQxSgW IabEpmvDK3PKrieG7T6bf9hS7hSjMM96sV7dcXymT/Bh/IEEdD/a7oKc1xB6o1ApfCO9+GHf4ys4 4rg2B8/9FmK9a1M2fwlGUBjVgiQQJUTeFgMs
X-Report-Abuse-To: spam@quarantine6.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/opXvCBoH_rs1BzwxxHUsMmN2Y6E>
Subject: Re: [Int-area] draft-daveor-slaac-privacy-logging-00
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2018 17:20:17 -0000

Dave,

I like the general tone of your draft, but I am a bit concerned that it
mixes requirements and a very specific solution.

You are trying to strike a balance between your requirements and
privacy, and the part I like is the attempt to engineer a logging system
that narrowly meets your requirements while preventing widespread
exploitation of logs for another usage. This is going to be a widespread
problem. Keeping too much data in the log invites abuse, and may be a
violation of privacy regulations. But some data is obviously useful, be
it for debugging purposes, security analysis, or in your example a
desire to provide data for legitimate law enforcement purposes.

There are efforts to achieve something similar with DNS logs, e.g.:
https://datatracker.ietf.org/doc/draft-dickinson-bcp-op/. They end up
using the same bag of tricks, combinations of encryption, hashing and
indexing. This is a difficult engineering problem, with know pitfalls
like de-anonymization. The first part of solving a problem like that is
to understand the requirements, and specifically understand the
envelope, delineate what "narrowly meeting the requirements" would mean.
Your draft is a great contribution to that.

On the other hand, I am far less enthusiastic with proposed solutions
such as using IP addresses as keys. It comes close to another known
issue in the field, "designing your own crypto". I am also not convinced
at all by your section 6.1, cryptographic strength. Contrary to your
assertion, 64 bit keys are not considered strong today, and would be a
mere speed-bump to a determined adversary. How about we first gather the
requirements, and then have some kind of study of the best solutions?

-- Christian Huitema



On 5/29/2018 5:59 AM, Dave O'Reilly wrote:
> Hi Alex,
>
> Thanks for your feedback.
>
>
>> On 29 May 2018, at 13:13, Alexandre Petrescu <alexandre.petrescu@gmail.com> wrote:
>>
>> Why the history value is precisely 64bit long?  I suggest it to be variable length.
>>
> I presume you’re talking about the history value for temporary address generation? If so, you’re going to have to take that up with the authors of RFC4941 because that is what is specified in the standard.
>
>> another point is the following:
>>
>>
>>>  
>>>    Code was also developed to attempt to brute force log entries, and it
>>>    was noted that on the same PC used for the testing above (single CPU
>>>    PC with an Intel Core i7 running at 2.8GHz) attempting to brute force
>>>    a single log entry would be computationally infeasible (approximately
>>>    22,313,257 years required).  To decrypt the entire log would require
>>>    this same amount of time for each individual log entry.
>>>
>>
>> This part is interesting.  I would rather conclude the paragraph with saying that the number of years required may be dramatically reduced by improving the algorithmic method to take advantage of local core multiplicity, near range IoT computing power availability and Internet-scale computing.
>>
>>
> Of course, you’re quite right. I haven’t coded professionally in years, nor is the hardware at my disposal particularly powerful, nor did I make any particular effort to optimise the code. The point I was trying to make, however, was that searching for a specific log entry is computationally relatively easy whereas extracting all records is computationally significantly more difficult.
>
> I will add this comment to a list of amendments which I will make in the next draft.
>
> Regards,
> daveor
>
>
> _______________________________________________
> Int-area mailing list
> Int-area@ietf.org
> https://www.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email