IETF Logo Mail Archive

Re: Disabling temporary addresses by default?

Tom Herbert <tom@herbertland.com> Wed, 29 January 2020 23:21 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34CEA12003E for <ipv6@ietfa.amsl.com>; Wed, 29 Jan 2020 15:21:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HUiI_yhs4VVl for <ipv6@ietfa.amsl.com>; Wed, 29 Jan 2020 15:21:13 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9118120018 for <ipv6@ietf.org>; Wed, 29 Jan 2020 15:21:12 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id p23so1699212edr.5 for <ipv6@ietf.org>; Wed, 29 Jan 2020 15:21:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=7myQptgvRlhrhX+ujy8MWr8hthondwh468X9iTk6i9c=; b=eBal5jBEu+PkHm6TRpXdf4wjElt7+TWZR+vVn7Q4gABS1gamUM/QhWIk2gql525C6/ n1sKPAV6Pnqulv01dCNpMayRnTX3cDUlW7DVNFnGfc4nxKJxafasbPAkDyt2HdxkZ1u8 WBajIpuX5pIeJmMkq7s/I8mFvsSFwCvzdli4SdXfnOuRkP7MjR5omjlhMBB7DkK+fUAP NS7s0RbRMFhXorxDoiMO4J27pRgzO9JayvdhMi8OVUQi2b0y1BpIMWsx9HxK6yfP0kwA Qhu4AsyyPyfWUyk6ZMVDKTcOfd6xQsaV1U6osZI4KTKgYVS61O8GYcUshQs7Xc5Wai0h d7Pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=7myQptgvRlhrhX+ujy8MWr8hthondwh468X9iTk6i9c=; b=FsOBPrQzNunfY3Rcsn8Vsz0xBglWEgjqQw6WYqFYvqXxVGGkWKh3Vq2NrgG6QyL7AC aedNtqRiaVlaaVjDUQaUE20ltXPw4gMjiaTUBipnOQGMB1X1z/93b7NGONyJ/Ktsh6qT aBINxInVgGOnj8yNFTJBvWVlF8W3VBxYa8LTJdb3H4rsrrzbj+c8gIBuy/TN9u6SGb8M kjYlXX6zdQLRj1e5VCFalEpYJyqS3wqtl51z7Jcxr0NWGaxKhWXhYm5fUdFik6dNkNKR B/Uba3HymkfiJqpU3Vg8MD6PLmwGJYbvOkgviKw2a/LIhsRC1MZ4FkhpQqZ0BaSM/TkV ztxg==
X-Gm-Message-State: APjAAAWqLtKQpzwbSSoh+PNFFOHjnAqr2+WlEFb/tRwxqsuY0ACQ6Bw8 XOClQ6IuPOdQ5O254XJv3SXpRXVFR6eHd6FU2tYClnFo
X-Google-Smtp-Source: APXvYqxxqJDgBMCJHyJTgb4JxbNNKY0oozxspznQbeVBrWb4hmyCmr2gpYUEtx0zu4SFyhMODNRRIQjs4KbuvcOmlvc=
X-Received: by 2002:a17:906:5e4d:: with SMTP id b13mr1566573eju.266.1580340071149; Wed, 29 Jan 2020 15:21:11 -0800 (PST)
MIME-Version: 1.0
References: <CAKD1Yr11_SSUkCBuQ3-h+eRg0LPZQdhe+h7f0YZy9TiyRWj6mw@mail.gmail.com> <751D59E0-F60B-4FE1-840F-3FEAB82F618F@huitema.net> <c058863d-9e29-3ddb-a020-0ebadef26ad4@si6networks.com> <CABNhwV0KsKN7LQY2D-BJkCtvB40oZCT65EmOCr0oE56c9g7-aQ@mail.gmail.com> <CAKD1Yr05GqFr1r018qHZev8SB6Gd=zm_45TtuShQH_5PVkXpKw@mail.gmail.com> <56BD2286-D761-44EF-812B-82BAFB380992@employees.org> <CAKD1Yr23BOEQztLyxu8BF4ivVCmX-Aspv6XfAMUHNR=iDp7uKg@mail.gmail.com> <83FE7A0B-DB50-47CB-85DA-507A33CFCD37@employees.org> <CAL9jLaZu_HbU3zv67SvFx3jfWBrZRsf-yKxFxuOSniQOoKLgOQ@mail.gmail.com>
In-Reply-To: <CAL9jLaZu_HbU3zv67SvFx3jfWBrZRsf-yKxFxuOSniQOoKLgOQ@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Wed, 29 Jan 2020 15:20:59 -0800
Message-ID: <CALx6S34gWnHepE3RaHa0sKoCHbYpH3LuaPaBSe68RUKS4B5K9g@mail.gmail.com>
Subject: Re: Disabling temporary addresses by default?
To: Christopher Morrow <christopher.morrow@gmail.com>
Cc: Ole Troan <otroan@employees.org>, Fernando Gont <fgont@si6networks.com>, 6man WG <ipv6@ietf.org>, Christian Huitema <huitema@huitema.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/67b-thLtMJdKk0SD-IQ8QcvPuZU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 23:21:15 -0000

On Wed, Jan 29, 2020 at 3:07 PM Christopher Morrow
<christopher.morrow@gmail.com> wrote:
>
> (I'm going to hate myself in the morning for this, but..)
>
> On Wed, Jan 29, 2020 at 6:54 AM <otroan@employees.org> wrote:
> >
> > Lorenzo,
> >
> > > So, are you saying that using temporary addresses does not leak the habits of employees?
> > >
> > > I'm saying using temporary addresses makes a number of attacks, including cross-site tracking, more difficult, infeasible, or defeatable by the employee or IT admin. If you believe that to be false, you can always try to see if you can get consensus on a document that says that privacy addresses are not useful and declares RFC 4941 historic. :-)
> >
> > Anything you can cite here?
> > Just because you state it does not make it fact.
> > After almost 20 years of temporary addressing, it seems there is very little data available.
>
> If we're talking about 'employees' and 'employers' (you can extend
> this to the ISP if you like easily enough)
>   1) you can see port / mac / neighbor maps on
> switches/routers/brouters/swouters  (this gets you a
> person/desk/machine)
>   2) you can link DNS requests and firewall logs to the IP address(es)
>   3) you can be even simpler by just logging the IP src-address on any
> 'single sign-on' (or access to authenticated corporate resource) to
> ensure you mapped the things in 1 correctly
>   4) you can sort / sift / alert on that data to your heart's content.
>
> This isn't rocket science... Is there data for this? kinda? there are
> products which do this today, One even I think made by the Cisco /
> Talos folks for 'idp / ids / exfiltration detection' and similar uses.
> Heck, any SEIM today can/does do this work trivially.
>
Christopher,

The Internet equivalent for #3 would be login services (like FB,
gmail, etc.) as well as the use of cookies that include an identifying
cookie (like ads). It's likely that even just a few seconds after an
address is changed some third party has already logged the association
of IP address to user or device. Exploiting this information, step 4,
is a matter of applying the logs to make correlations and
identifications in completely uncorrelated traffic. Increasing the
frequency of address change problem does little more than increase the
number of log entries that an attacker needs to process (and that's
only a problem for them if everyone is changing addresses a high
frequency).

Tom
>
> Now, extend that to your ISP? sure, same problem, larger userbase and
> higher feeds/speeds.
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email