IETF Logo Mail Archive

Re: [Iot-directorate] [Last-Call] [v6ops] Iotdir last call review of draft-ietf-v6ops-nd-cache-init-05

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 18 September 2020 19:27 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: iot-directorate@ietfa.amsl.com
Delivered-To: iot-directorate@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA0213A0CA5; Fri, 18 Sep 2020 12:27:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hZI_3itwHdaC; Fri, 18 Sep 2020 12:27:05 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0D7E3A0C94; Fri, 18 Sep 2020 12:27:04 -0700 (PDT)
Received: from dooku.sandelman.ca (CPE788a207f397a-CMbc4dfb96bb50.sdns.net.rogers.com [174.116.121.43]) by relay.sandelman.ca (Postfix) with ESMTPS id 4A4611F45B; Fri, 18 Sep 2020 19:27:03 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 2165D1A022D; Fri, 18 Sep 2020 15:27:02 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Philip Homburg <pch-v6ops-9@u-1.phicoh.com>
cc: v6ops@ietf.org, "iot-directorate@ietf.org" <iot-directorate@ietf.org>, "Pascal Thubert (pthubert)" <pthubert@cisco.com>, "iesg@ietf.org" <iesg@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
In-reply-to: <m1kIWtD-0000GCC@stereo.hq.phicoh.net>
References: <MN2PR11MB35651BFF4671D89D12E7703DD8270@MN2PR11MB3565.namprd11.prod.outlook.com> <CAFU7BATkRYD6m++gb6_is6oU=PGpQDTx8V2vm0gcJEcAnc1Tgg@mail.gmail.com> <3A6E80C9-07FC-4B4E-9A20-D02C8743448F@cisco.com> <CAFU7BATk7k_6Xfis2yXxjEEx+1N6GaKZg5MZTkPXpLrsdU8mzw@mail.gmail.com> <MN2PR11MB3565BF7E140C68AAFFD93849D8210@MN2PR11MB3565.namprd11.prod.outlook.com> <m1kIUgH-0000IaC@stereo.hq.phicoh.net> <MN2PR11MB35650E694D6D44792D324E22D8210@MN2PR11MB3565.namprd11.prod.outlook.com> <m1kIWtD-0000GCC@stereo.hq.phicoh.net>
Comments: In-reply-to Philip Homburg <pch-v6ops-9@u-1.phicoh.com> message dated "Wed, 16 Sep 2020 14:50:22 +0200."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 18 Sep 2020 15:27:02 -0400
Message-ID: <101824.1600457222@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-directorate/wLqwnXUbzsN0GiO_BDT5CnU6gD0>
Subject: Re: [Iot-directorate] [Last-Call] [v6ops] Iotdir last call review of draft-ietf-v6ops-nd-cache-init-05
X-BeenThere: iot-directorate@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Mailing list for the IoT Directorate Members <iot-directorate.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-directorate>, <mailto:iot-directorate-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-directorate/>
List-Post: <mailto:iot-directorate@ietf.org>
List-Help: <mailto:iot-directorate-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-directorate>, <mailto:iot-directorate-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2020 19:27:07 -0000

Philip Homburg <pch-v6ops-9@u-1.phicoh.com> wrote:
    >> > This has huge privacy and security implications.
    >> 
    >> This is way, way too vague to be useful in the cons section.  Can you
    >> please elaborate, like an example attack? Also, is the current stack
    >> behavior exposing the user to that threat as well?

    > Suppose every device basics pings $vendor.com when it gets a new
    > address as part of a very low level function of the stack.

    > So basically we spend a lot of time worrying about tracking devices. We
    > have randomized MACs. We avoid embedding MAC addresses in IPv6

I agree with your observation.
That's why we need to specify a standard way, such that it could be an
anycast that is implemented in as many places as possible, so that it does
not leak too far.

    > I know that mobile devices do some weird stuff, but not all devices are
    > mobile devices. And the whole captive portal discovery seems to be
    > mostly a flight between device vendors and captive portals. There is no
    > technical reason it has to be this ugly for mobile devices.

The CAPPORT WG has produced some really good work.
HTTPS everywhere is rapidly killing the UX on most existing hijack-based
captive portals, and I think that once a few places have CAPPORT based ones,
the marketing/UX people will kill the rest of them.
Getting that anycast in place could be part of the new solution.

    > The situation would be better if there were a well-known anycast
    > address.  However that has operational implications (pinging $vendor as
    > well, because it has happened often enough that vendors stopped
    > renewing the DNS registrary after they stopped supporting a particular
    > brand of devices).

Anycast in DNS?
I was thinking about a well known L3 address, with some kind of AS119-like
support dealing with ISPs that haven't configured it locally.
If we need to give it a DNS name, then .arpa is the right place.

    > Even the well-known address may cause operational problems for
    > disconnected operation.


-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email