Re: Address privacy

Fernando Gont <fgont@si6networks.com> Thu, 30 January 2020 19:51 UTC

Subject: Re: Address privacy
To: Ted Lemon <mellon@fugue.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: 6man WG <ipv6@ietf.org>
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <1962.1579823388@localhost> <f83ab037-9125-bb74-dbac-68850aeb1020@huitema.net> <CBB23ABE-A7A3-4208-873C-E47EE063E34B@fugue.com> <11855.1579980079@localhost> <CALx6S36V_VjaxhELYcsgDYLWsCkj20p6gtiY9T9Q=9-9Oibyjw@mail.gmail.com> <32626.1580060558@localhost> <CALx6S37prWACD0jv9c-XHD-JtPqZAcgeT2Ax0EZHkiQaDR4t=g@mail.gmail.com> <419b7c7a-e364-7951-5a44-6c39e1da65fb@joelhalpern.com> <CALx6S36802oDaEgojAPq2c6hM_s1BayidXPh1Sc6RZmZa9UHpQ@mail.gmail.com> <6c5ba72d-9289-90ba-a1c9-2307ed29a4da@foobar.org> <a98bf2ab-32e7-459b-14d2-5e0e1c65a229@si6networks.com> <CALx6S36J5TPnXJQyMW2NUbQV6KL_oqUQ01m+BEzBJ+xcHpmQWw@mail.gmail.com> <bc0d1eb8-2301-224d-dc33-19f6a60e593e@si6networks.com> <CALx6S34i67ivt8t1P3omRVzsj9NfxY2t41JLjmjT6X0vtBQHKQ@mail.gmail.com> <CAD6AjGTDPAM_FjMODUDAdeZthMD78vCydQNYLTFCVwyK5JnYmg@mail.gmail.com> <28618.1580407210@dooku> <EEBE5FB2-3CBA-412C-968A-E9EE8416F217@fugue.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <82e51a83-a15b-09cc-c611-dd9493b76a7c@si6networks.com>
Date: Thu, 30 Jan 2020 16:50:15 -0300
In-Reply-To: <EEBE5FB2-3CBA-412C-968A-E9EE8416F217@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/4q3d8oxMx-PDfqkcNNXcgAzdi2U>

On 30/1/20 15:03, Ted Lemon wrote:
> On Jan 30, 2020, at 1:00 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>> Anecdotally, I would say unequivocally yes at a large scale eyeballs
>>> network, random iid has materially improved security of the host.
>>> The inability to do network scanning is huge.
>>
>> This feels like an anecdotal observation.
> 
> Furthermore, it’s mathematically simply wrong or else a non-sequitur.
> If I have N addresses out of a space M, my chance of getting hit
> randomly is N/M.  So the more temporary addresses I have, the higher the
> chance of a probe hitting me.

Of course attackers don't think that way: attackers don't randomly scan
the IPv6 address space. That's a waste of time.

That said, what has addressed the problem of address scanning is
RFC7217, *not* RFC4941 -- since attackers were after addresses that
follow patterns, not the random ones.

On the other hand, when you consume information from the Internet, you
are exposing your address. Hosts can simply not bind any ports to
temporary addresses -- this means that even if you expose your address
for *consuming information*, none of such nodes can contact you back.
This would be a big improvement achieved via RFC4941.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
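The reply above contrasts RFC 7217 (stable, opaque interface identifiers that follow no pattern) with RFC 4941 temporary addresses. The following is an added example, not code from this thread or from any of its participants, showing the RFC 7217 generation scheme: IID = leftmost 64 bits of F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key). It assumes HMAC-SHA256 as the PRF F (the RFC permits any cryptographically secure function), a constructed sample secret key, and a reserved-IID set reduced to the subnet-router anycast value for illustration.

```python
"""Stable, opaque IPv6 interface identifiers following the RFC 7217 scheme.

Illustrative code: F() is instantiated as HMAC-SHA256 and the secret key
below is a constructed sample, not a real host's key.
"""
import hashlib
import hmac
import ipaddress

# Constructed sample key. A real host generates this once (random, >=128 bits)
# and never discloses it; the whole scheme rests on its secrecy.
SAMPLE_SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Subnet-router anycast IID (RFC 5453). A real implementation checks the full
# IANA reserved-IID registry; only one entry is shown here as an illustration.
RESERVED_IIDS = {0x0000000000000000}


def _lv(field: bytes) -> bytes:
    """Length-prefix a variable-length field so concatenated inputs to F()
    cannot be confused with one another (e.g. 'eth1'+'0' vs 'eth'+'10')."""
    return len(field).to_bytes(2, "big") + field


def rfc7217_iid(prefix: str, net_iface: str, network_id: bytes = b"",
                dad_counter: int = 0,
                secret_key: bytes = SAMPLE_SECRET_KEY) -> int:
    """Return the 64-bit IID: leftmost 64 bits of
    F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("RFC 7217 IIDs are generated for /64 prefixes")
    msg = (net.network_address.packed[:8]      # the /64 prefix, fixed length
           + _lv(net_iface.encode())           # interface name or index
           + _lv(network_id)                   # e.g. SSID; may be empty
           + dad_counter.to_bytes(4, "big"))   # incremented on DAD failure
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(rid[:8], "big")


def stable_address(prefix: str, net_iface: str, network_id: bytes = b"",
                   secret_key: bytes = SAMPLE_SECRET_KEY,
                   max_dad_retries: int = 8) -> ipaddress.IPv6Address:
    """Form Prefix::IID, skipping reserved IIDs by bumping DAD_Counter, the
    same retry the RFC prescribes when Duplicate Address Detection fails."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    for dad_counter in range(max_dad_retries):
        iid = rfc7217_iid(prefix, net_iface, network_id, dad_counter, secret_key)
        if iid in RESERVED_IIDS:
            continue
        return ipaddress.IPv6Address(int(net.network_address) | iid)
    raise RuntimeError("could not form a usable stable address")


if __name__ == "__main__":
    home = stable_address("2001:db8:1:2::/64", "eth0")      # constructed prefixes
    office = stable_address("2001:db8:ffff:7::/64", "eth0")
    print("home  :", home)    # identical on every attachment to that network
    print("office:", office)  # unrelated IID: no cross-network correlation
```

The two properties that matter for the thread's argument are visible in the output: the IID is a function of the secret key and the prefix, so it is stable within one network (servers can keep binding listeners to it, unlike a temporary address) but carries no MAC-derived or low-value pattern for a scanner to target, and it differs across networks, so an address observed at home does not reveal the one used at the office.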