Re: Disabling temporary addresses by default?

otroan@employees.org Wed, 29 January 2020 11:28 UTC

Subject: Re: Disabling temporary addresses by default?
From: otroan@employees.org
In-Reply-To: <CAKD1Yr05GqFr1r018qHZev8SB6Gd=zm_45TtuShQH_5PVkXpKw@mail.gmail.com>
Date: Wed, 29 Jan 2020 12:28:17 +0100
Cc: Gyan Mishra <hayabusagsm@gmail.com>, Fernando Gont <fgont@si6networks.com>, Christian Huitema <huitema@huitema.net>, 6man WG <ipv6@ietf.org>
Message-Id: <56BD2286-D761-44EF-812B-82BAFB380992@employees.org>
References: <CAKD1Yr11_SSUkCBuQ3-h+eRg0LPZQdhe+h7f0YZy9TiyRWj6mw@mail.gmail.com> <751D59E0-F60B-4FE1-840F-3FEAB82F618F@huitema.net> <c058863d-9e29-3ddb-a020-0ebadef26ad4@si6networks.com> <CABNhwV0KsKN7LQY2D-BJkCtvB40oZCT65EmOCr0oE56c9g7-aQ@mail.gmail.com> <CAKD1Yr05GqFr1r018qHZev8SB6Gd=zm_45TtuShQH_5PVkXpKw@mail.gmail.com>
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/51yoyBFV_dUBIleP3UyStzbYTwU>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>


> On 29 Jan 2020, at 12:13, Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> wrote:
> 
> On Wed, Jan 29, 2020 at 2:46 AM Gyan Mishra <hayabusagsm@gmail.com> wrote:
>    The main reason this topic comes up is due to the possible impact of usage of the temporary address when it gets deprecated with a long-lived session.  That's the crux of why this topic is critical and has severe operational impact. When the address changes for long-lived connections from the deprecated temporary address to the new preferred address, the session would terminate and have to re-establish, which impacts the user.
> 
> If there is a permanent address as well, then an application that is not able to deal with session resets (like SSH) can use the IPV6_PREFER_SRC_PUBLIC socket option to use the permanent address instead.
>  
> This would allow us to maintain the privacy extension temporary address enabled-by-default change to benefit privacy advocates and also eliminate the impact for enterprise users, where availability and stability are of utmost importance.
> 
> But don't enterprises care about not leaking the habits of their employees? If I was on an enterprise security team, I would be pretty concerned about the levels of leakage and cross-site tracking that are enabled by never changing the IPv6 addresses of a host. This doesn't happen in IPv4 because we use NAT, but it will definitely happen in IPv6.

So, are you saying that using temporary addresses does not leak the habits of employees?
Can you elaborate on that please? Preferably with some data points.

Worth reading ISBN-13: 978-1610395694 if you are interested in a more thorough discussion of the problem.

Enterprises use web proxies and SSL intercepting gateways anyway, don't they (sigh).

Cheers,
Ole
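The socket option mentioned in the quoted text (IPV6_PREFER_SRC_PUBLIC, from RFC 5014's IPV6_ADDR_PREFERENCES) in working form, as an added example that is not part of this message or of any code the thread refers to. It assumes a Linux host: the fallback constant values are the ones from linux/in6.h and are only defined if the libc headers do not already supply them; the destination 2001:db8::1 is a constructed address from the documentation prefix, used purely to make the kernel run source address selection.

```c
/* Added example: pin a long-lived session to the stable (public) IPv6
 * source address via the RFC 5014 IPV6_ADDR_PREFERENCES socket option.
 * Not from the thread. Assumes Linux; constants below are the Linux
 * values and are defined only when the libc headers lack them. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPV6_ADDR_PREFERENCES
#define IPV6_ADDR_PREFERENCES 72        /* Linux: linux/in6.h */
#endif
#ifndef IPV6_PREFER_SRC_TMP
#define IPV6_PREFER_SRC_TMP 0x0001
#endif
#ifndef IPV6_PREFER_SRC_PUBLIC
#define IPV6_PREFER_SRC_PUBLIC 0x0002
#endif

/* Ask the kernel to choose a non-temporary (public) source address for fd.
 * Returns 0 on success, otherwise the errno value (e.g. ENOPROTOOPT on a
 * platform without RFC 5014 support). Must be called before connect(). */
int prefer_public_source(int fd)
{
    int prefs = IPV6_PREFER_SRC_PUBLIC;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
                   &prefs, sizeof prefs) < 0)
        return errno;
    return 0;
}

/* Read the preference flags back so a caller can verify what is in effect.
 * Returns the flag word, or -1 if the option cannot be read. */
int source_preferences(int fd)
{
    int prefs = 0;
    socklen_t len = sizeof prefs;
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, &prefs, &len) < 0)
        return -1;
    return prefs;
}

/* Stand-alone check: a UDP connect() sends no packet, but it does make the
 * kernel pick a source address, which getsockname() then reveals. Compare
 * the printed address with `ip -6 addr` (temporary ones are flagged). */
int main(void)
{
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }

    int rc = prefer_public_source(fd);
    if (rc) {
        fprintf(stderr, "IPV6_ADDR_PREFERENCES: %s\n", strerror(rc));
        close(fd);
        return 1;
    }

    /* Constructed destination in the documentation prefix (RFC 3849). */
    struct sockaddr_in6 dst;
    memset(&dst, 0, sizeof dst);
    dst.sin6_family = AF_INET6;
    dst.sin6_port = htons(53);
    inet_pton(AF_INET6, "2001:db8::1", &dst.sin6_addr);
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) {
        perror("connect (no IPv6 route on this host?)");
        close(fd);
        return 1;
    }

    struct sockaddr_in6 src;
    socklen_t len = sizeof src;
    if (getsockname(fd, (struct sockaddr *)&src, &len) == 0) {
        char buf[INET6_ADDRSTRLEN];
        printf("prefs=0x%x, chosen source: %s\n", source_preferences(fd),
               inet_ntop(AF_INET6, &src.sin6_addr, buf, sizeof buf));
    }
    close(fd);
    return 0;
}
```

The option only changes the preference order; if the interface has no stable global address, the kernel still has to use a temporary one, which is why the quoted text conditions the advice on a permanent address being present. An application that wants the opposite (a fresh temporary address for a short-lived, privacy-sensitive connection) sets IPV6_PREFER_SRC_TMP instead.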