IETF Logo Mail Archive

Re: RFC8064 implemented in linux ?

Mark Smith <markzzzsmith@gmail.com> Sat, 29 June 2019 00:37 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D12A120960 for <ipv6@ietfa.amsl.com>; Fri, 28 Jun 2019 17:37:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.498
X-Spam-Level:
X-Spam-Status: No, score=-0.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fLuXAMAZqa3c for <ipv6@ietfa.amsl.com>; Fri, 28 Jun 2019 17:37:45 -0700 (PDT)
Received: from mail-oi1-x243.google.com (mail-oi1-x243.google.com [IPv6:2607:f8b0:4864:20::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 168DE120700 for <ipv6@ietf.org>; Fri, 28 Jun 2019 17:37:45 -0700 (PDT)
Received: by mail-oi1-x243.google.com with SMTP id a127so5568559oii.2 for <ipv6@ietf.org>; Fri, 28 Jun 2019 17:37:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jqWWzbdc/R7Y7mhvDRWVk2T4t1Fxr+2983DDPbppIeU=; b=h/nlKzkhu8ib3XnKHB2/915NrRpr8Vxj0CM4JIglf01gR2399DYF3fiStKfjGMWa7z TU6DjXeT08frGHaWrRxtlECJPkOcOOJjf//vTWl+CKpWCzlNGSHiFhUfU/NTnTo2rJBT fQpE54wOItwseeJZ6RDDV3+3cuIAc2x+rXL1A702yeWeabyAJcqwCNPcJ+NnAum7fdme 6W6czzD1oKEzO0vk5pTQ497lWcFprsyIUkrjQBq6qfl0VdMBxp8n6lBMfRfbPoZdNOMS Nd2Hpx6J8EroxT/ahcaub5m28J7TTxI++zg3I9em4MAP2idOlijL0Y3fR2EgkSZEdMvv PqHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jqWWzbdc/R7Y7mhvDRWVk2T4t1Fxr+2983DDPbppIeU=; b=a52NcKW/fL/hn6bIDMQe4gTrpM7i4b7ciwBcEC5PTPjcvXY2Pj5zzMtZtD+mde3DAz 0yy3W4stb0eyqDBChr/v9/FAYse7dQY9YeHYAnKr/d8MmME6wrRPSPrITlRF7LgBfGI6 TE4p0JPDJL8JfrHbY8YruEDroM6sbFm3NU1VCew7R30RlzHUgh4KP+KwxpcceErGiLpD uriIozyyCmdJ/yBPiXmtSuCX7GcSfY3DTEBOIQcy6OiDCY7q/203C8A5gIJbI3BGaamk WbMh+aZokr2WvTrf1mPLaLLYNnDHd9yHviA/0V5zKpcTiURH0v9wO0+nDzMuudbLz5uv oUAQ==
X-Gm-Message-State: APjAAAVehy5YAU+OMdtuEXvpIvW6/kHqT8VAeo96cMojgiZt47nRBjBV mNaXmRznFyJlJ67ZnOAgks/A0V5UaEPglS1ad0I+Qg==
X-Google-Smtp-Source: APXvYqxtl42eA7rhWNc3WgOoxxu+/shRYpgscdFduEtduz5te1HSe0Xbx0srdwkt4ngE2ciHQ0vStjm/TwIG+vM3rQ8=
X-Received: by 2002:aca:b554:: with SMTP id e81mr370864oif.7.1561768664294; Fri, 28 Jun 2019 17:37:44 -0700 (PDT)
MIME-Version: 1.0
References: <69fb7b6e-cb0b-34a8-9a36-006878787282@gmail.com> <1752910.pSMvptStIT@rumburak.ite.tul.cz>
In-Reply-To: <1752910.pSMvptStIT@rumburak.ite.tul.cz>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sat, 29 Jun 2019 10:37:32 +1000
Message-ID: <CAO42Z2yag_jm2r4P0=D5OTm-V8qVC6WPyYu6Ns7AhAHbuEE3pQ@mail.gmail.com>
Subject: Re: RFC8064 implemented in linux ?
To: Martin Hunek <martin.hunek@tul.cz>
Cc: 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000074e7a0058c6b9a30"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/27eC3kRh2Xb8abnZqzwBbrWxwbI>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2019 00:37:48 -0000

On Sat., 29 Jun. 2019, 02:36 Martin Hunek, <martin.hunek@tul.cz> wrote:

> Hi Alex, hi all,
>
> I hope that this mail would not be breach to Code of Conduct, but this is
> straight from network's operator heart. :-)
>
> I hope that RFC8064 would never be implemented on any router. As would be
> operational nightmare.
>

It's intended to be implemented on all SLAAC implementations, not just
hosts.

That includes routers, and it explicitly includes Link Local addresses.

That is so that Link Local addresses of routers are both auto-generated and
stable across interface module swaps.




> I can see need for privacy with global addresses


RFC8064 (indirectly RFC 7217) is not about privacy addresses.

They're the opposite use case - persistent, stable addresses, entirely
independent of or only loosely coupled to hardware e.g. device backplane
slot.


as it is clear that individuals could be easily tracked over the internet
> when using EUI-64 suffixes. It is not so obvious with stationary servers,
> but OK - you could remotely detect vendor and model of hardware, so yes if
> you really need to hide that it is reasonable.
>
> When client need to generate LL address with other method then EUI-64,
> that is for me hard to grasp. Reactions to reasons from RFC8064:
> As network operator, I can still correlate network activity by accounting
> in RADIUS or just mirror access port and track it based on L2 addresses.
> There is no location tracking possible with LL address as prefix fe80::
> would not tell any more or less about location with or without randomized
> suffix. Address scanning is still not needed as all I need is ask at all
> nodes multicast address and I get a list of addresses in local segment.
> Only real reason why I would like to hide device vendor+model is so called
> "device-specific vulnerability exploitation". But still I can just listen
> on the line waiting for traffic and then just connect to port 80 or 443 and
> it would just happily tell. But OK, if someone thinks that it is really
> needed and that it would be beneficial to cover vendor+model instead of
> doing proper firewall...
>
> Lastly the case of router (OpenWRT):
> Why would I need to use anything else than EUI-64? As network operator I
> need address that is static (on WAN interface at least), so I can do
> reliable static leases if customer wants them. You could argue that there
> is DUID for that and you would be right - in theory. But I have seen
> routers which generated random DUID on every boot (UBNT), that of course
> was major problem so only static thing left was LL address, which was
> EUI64. Other thing I seen were custom DHCPv6-PD hooks, which extracted MAC
> from some DUID types, made LL address from that and placed record for
> delegated prefix paired with computed LL address as destination. And I've
> seen clients which hides DUID so well that easiest way how to get it is
> packet snooping and manual link reset.
>
> So when there would not be predictable LL address on WAN interface, I
> would not be able to make static routing records in routing table based on
> value written on customer CPE - the MAC address. So no more prefix
> reservation based on phone customer support, we would have to go trough
> provisioning of CPE prior installation.
>
> Another "solution" would be to make dynamic routing table and when I'm
> giving customer /56, I can reduce it to /120 so I can encode 64b of random
> ID into prefix. Hopefully just an idea for April fool's RFC:
>
> Address scheme would than look like:
> /29 from RIR -> 3b for MANs
> /32 for my MAN -> 8b for POPs
> /40 for POP -> 8b for interface+VLAN
> /48 for interface/VLAN -> 64b left for client LL suffix to provide static
> pool
> /112 would be max prefix length for customer or /120 when "legacy" devices
> on segment.
>
> All that because router could get tracked on local link? By whom? Network
> operator would still be able to track every connection and they often must
> by law. By the way network operator still must be able to deliver packets
> to router so it needs to keep track of router's addresses/prefixes. Only
> real "benefit" RFC8064 brings to network operators would be a headache.
>
> Because similar privacy related solution we are actually forced to go from
> SLAAC to DHCPv6 for server addresses because we cannot tell what IPv6
> address server would have, so either no AAAA+PTR records (DDNS is not an
> option) or we would have to provision every server to use EUI64.
>
> Long story short, RFC8064 needs a bis that it MUST NOT be used on routers.
> Otherwise it could bring real problems to real networks. All for purely
> theoretical issue router could have with its privacy.
>
> I hope that I didn't offend anyone, I couldn't help myself.
>
> Regards,
> Martin
>
> PS: If you read it up to this point, than you are real good. :-)
>
> Dne pátek 28. června 2019 13:49:29 CEST, Alexandre Petrescu napsal(a):
> > Is RFC8064 implemented in linux, with kernels 4.x, on openwrt? (in
> > addition to BSD).
> >
> > I am asking because the IPWAVE WG IPv6-over-OCB document is not
> > implemented in BSD. IPv6-over-OCB is implemented extensively on linux.
> >
> > The IPv6-over-OCB document suggests a 'transition time' to migrate from
> > current embedded platforms that do LL addresses formed from hardwired
> > MAC addresses (linux kernel 4.x openwrt) to future software where the LL
> > addresses are formed from more random IID (RFC8064).
> >
> > The Transport Area review of this document demands a value for this
> > 'transition time'.  My speculation, without knowing the current
> > implementation status of RFC8064 on openwrt with kernels 4.x, is that
> > the value of 'transition time' nears 5 years.
> >
> > Alex
> >
> >
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email