IETF Logo Mail Archive

Re: 6man w.g. last call for <draft-ietf-6man-default-iids-11.txt>

otroan@employees.org Mon, 23 May 2016 07:59 UTC

Return-Path: <otroan@employees.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 835A812D5FA for <ipv6@ietfa.amsl.com>; Mon, 23 May 2016 00:59:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.566
X-Spam-Level:
X-Spam-Status: No, score=-0.566 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_SORBS_WEB=0.77, SPF_HELO_PASS=-0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=employees.org; domainkeys=pass (1024-bit key) header.from=otroan@employees.org header.d=employees.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2zVJUuE9M7Zp for <ipv6@ietfa.amsl.com>; Mon, 23 May 2016 00:59:52 -0700 (PDT)
Received: from incoming.kjsl.com (inbound02.kjsl.com [IPv6:2001:1868:2002::144]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D44412D129 for <ipv6@ietf.org>; Mon, 23 May 2016 00:59:52 -0700 (PDT)
Received: from cowbell.employees.org ([65.50.211.142]) by ironport02.kjsl.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 May 2016 07:59:50 +0000
Received: from cowbell.employees.org (localhost [127.0.0.1]) by cowbell.employees.org (Postfix) with ESMTP id 5036E9CC4F; Mon, 23 May 2016 00:59:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=employees.org; h=subject :mime-version:content-type:from:in-reply-to:date:cc:message-id :references:to; s=selector1; bh=CgKeZ57SmmIuxxG8rwRe9nOBrUg=; b= Z9QRPqXBsbPXMix0uEGCYjYLJIBhY2hx4HJe+VHRzgvcKrNPD5sazzti5psc94Jl NJuBP4yNxB1At6mQPJyFdj88cqDVFex2jP+r+OV5e7SNdhc9dL4iF2YOFI1er7+j jdK7o2Cjgdrb1s/fzEJ5V2shbsY0Xy8QdkMIOHTvjpk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=employees.org; h=subject :mime-version:content-type:from:in-reply-to:date:cc:message-id :references:to; q=dns; s=selector1; b=oGHhBh8kbdsCO3VZc8gNPCR3uf 3+bnfC7AK7tWAt4GmAJ7+CGvWhdFXr/AE2fJPHgwfhf7FxcxJm1nxSIXnpiJkArt 5aVL+ag+bmnJtgBNVGNoPf+/isX2QmTPs8ndlhCUlv5RmG/BgfZ7OWayibiwax/n WVHPEk6el0z3yvjPg=
Received: from h.hanazo.no (cm-84.213.17.83.getinternet.no [84.213.17.83]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: otroan) by cowbell.employees.org (Postfix) with ESMTPSA id D1F5A9CC4E; Mon, 23 May 2016 00:59:48 -0700 (PDT)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by h.hanazo.no (Postfix) with ESMTP id CFA0416C9EAB; Mon, 23 May 2016 09:59:41 +0200 (CEST)
Subject: Re: 6man w.g. last call for <draft-ietf-6man-default-iids-11.txt>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_36AD1B1E-D92C-4175-9CBD-ABE61231CFEC"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: otroan@employees.org
In-Reply-To: <CAJE_bqczeopdc2qRU2aiY9-+6zS3oKzhJVPWQyQHJ-k46Nr5KQ@mail.gmail.com>
Date: Mon, 23 May 2016 09:59:37 +0200
Message-Id: <2C580655-9E56-422C-A346-1978CF5B162C@employees.org>
References: <20160428004904.25189.43047.idtracker@ietfa.amsl.com> <89CA2C18-AE61-4D40-8997-221201835944@gmail.com> <CAJE_bqdZ_D7jsDdWQ2FJpLH9cXveYfcye0W2J_mSi-7bYBrOKA@mail.gmail.com> <B849F263-9F99-48E8-B903-8FE7D2CDF277@cooperw.in> <CAJE_bqd1AWOuwvQcGzHg+dAWoump29g14HEA1BoVErXDXSMxaw@mail.gmail.com> <573BCFD0.8090801@si6networks.com> <CAJE_bqfKUbO7C6LnxOOUCVBU9e679_=159Yu6Ti0zhOGDuw98Q@mail.gmail.com> <A1111BEA-C14C-4574-9214-3D9B5500FEA1@cooperw.in> <CAKD1Yr23S4yHM=31VXTJq7t11P3__GEbbRhM0c085gBjQEGi-Q@mail.gmail.com> <19ae94cd-849f-0622-54bc-42cbad51368a@gmail.com> <CAKD1Yr1YN6SnUNp0HKqTNg6G0egkLveCOTG_7pHo9Zq3OFP4=g@mail.gmail.com> <a65c2157-044e-6207-314e-833313e5d458@gmail.com> <CAKD1Yr0e3NuLCFK2N35FymoQmx4UUH-83rkQxtUB1RJbwNzY9A@mail.gmail.com> <E13EFAE7-2191-4B19-957D-B7DBA78B6C78@employees.org> <CAJE_bqczeopdc2qRU2aiY9-+6zS3oKzhJVPWQyQHJ-k46Nr5KQ@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/4PLslKXh1sWyuj8cABcNonVL04g>
Cc: 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 May 2016 07:59:53 -0000

[...]

> I've been unwilling to propose text as I didn't even understand the
> authors' actual intent, but if it's actually that "it says what an
> implementation SHOULD do _iff_ a stable IID is to be generated", I'd
> suggest revising the above paragraph as follows:
> 
>   The recommendations in this document apply only in cases where
>   implementations otherwise would have configured a stable IPv6 IID
>   containing a link layer address.  For example, this document does
>   not change any existing recommendations concerning the use of
>   temporary addresses as specified in [RFC4941], nor do the
>   recommendations apply to cases where the link layer address is not
>   stable (e.g., it is periodically randomized) in the first place,
>   nor does it introduce any new requirements regarding when stable
>   addresses are to be configured.  Thus, the recommendations in this
>   document simply improve the security and privacy properties of
>   stable addresses.
> 
> If the intent of this document is really just that it applies iff a
> stable IID is to be generated and does not make any judgment on, e.g.,
> use of randomized link-layer addresses, this proposed text shouldn't
> be a problem for anyone. (for some, it may seem to say the obvious and
> therefore redundant, but given that whether randomized LL address is
> good or bad was so controversial here, I think it's helpful to
> explicitly clarify that).  But I was not sure if it's really
> acceptable, especially for the authors, by seeing opinions like
> the "extremely bad" comment.

I think we have an assumption embedded in most of our documents that a stable IID is generated on all interfaces.
I don't think this document is the place to to clarify that there might be interfaces with only short-lived IIDs.

This document tries to improve the security and privacy of the default IID generation mechanism. I think it is clear on that. It's in the title, it is in the abstract. I'm not sure how much clearer it is possible to make it.

The other consequence of this document is that it forces changes in implementations that don't necessarily benefit from the privacy improvements. Public servers, router interfaces and so on. Is a consequence of updating 2464 that I now have to go and retrofit 7217 style IID generation in lots of code? I'm not sure I want to accept the collateral damage.

> To be clear, I'm not particularly an advocator of the use of
> randomized link-layer addresses.  But I've seen this as one central
> point concerning how to move forward for this document, so I believe
> we should be at least clear on this in the document text.

With regards to random MAC addresses, I see the arguments that we in general shouldn't couple the L3 address with the L2 address.
In that aspect randomized MAC should not have any implication on this document.
On the other hand I do see how it would make for a very easy implementation change to do random MACs (which you probably have to do on certain devices anyway), and keep the current IID generation mechanism.

I have to admit that I'm unsure of what the right thing to do is. I'm uncomfortable with removing the existing mechanism from all the IPv6 over foo documents. I'm not convinced that we are in a position to make a recommendation for all scenarios and all devices at this point.Î

cheers,
Ole

v2.23.0 | Report a Bug | By Email