Re: <draft-ietf-6man-default-iids> update to rfc2464bis
Mark Smith <markzzzsmith@gmail.com> Thu, 12 January 2017 20:10 UTC
Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C19F7129408 for <ipv6@ietfa.amsl.com>; Thu, 12 Jan 2017 12:10:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mNuUHC_ixZSR for <ipv6@ietfa.amsl.com>; Thu, 12 Jan 2017 12:10:05 -0800 (PST)
Received: from mail-ua0-x22f.google.com (mail-ua0-x22f.google.com [IPv6:2607:f8b0:400c:c08::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCC8F1293F0 for <ipv6@ietf.org>; Thu, 12 Jan 2017 12:10:05 -0800 (PST)
Received: by mail-ua0-x22f.google.com with SMTP id i68so22518445uad.0 for <ipv6@ietf.org>; Thu, 12 Jan 2017 12:10:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=BKY0bfxMBQm9V7M7ID1pFkKnnU4JiKKUtQCEP2BLqF8=; b=IF8CvqfRFzI1j4iU3jKclHI7/rOLF5kD73CadxDCMYIu5FVtZsM0RGlTdMFRiUxozn cNb11GmE6ETPQAopUQf6MtL4DOO9OHawKXnZDGk7Xgp9wLcD+qlOTNM25fIwLvKhySKH KP1OA1CQtpNvs7gOmgwD2i+XAEEXF15gdFQu8hDEELF+OKiNgocXX++SW47/TBwXASf9 8E/4HqLeThW2b4XrnI7jYnT4nz4KZyTKiWxQszRw0qvYlx7PENQYdvihHXGh7rzoq98G DKwUNNDwda7DEzrZQYVIeisq1r/5twSbRgKmjHx6DEmz/OTRAPIW7vJYrsH9oE2ETVjT DSaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=BKY0bfxMBQm9V7M7ID1pFkKnnU4JiKKUtQCEP2BLqF8=; b=Jed2MXzIgX4YXhqoVaP+2GwuyCksa1Qe5DuycTqMirQOtYj2yhLNVnHF+nGGNL0Ssu nskd02JNs/GF6FgeWn/ByRJ2sHNVXj5ngX3FztrurwIZcFSPPa5CL68273dvP9K+6NvN SGLEYzhiQuIadcfopEib8mJykkdYfU/UqPrUIqJVYnXxDFvrct5tHGpdNLHPmr5+pu8s m7tqjMrO0coEhSlsg6CSSXoxxcJXKYRHOrWUd32JvqdM6FtNTyuq42Vi54D8cYF9+3cX hepFbqlLsHTSWE3X0tA1kNj8sHBktwi6OPw3zitkxFUUD/a5cvN37xQf4DEpaAUHWOrJ v2Vw==
X-Gm-Message-State: AIkVDXKUK1jO+GQ6OEumd/mCNJWYwhvbaZ9Mx+Pmj1rHQRgfGt5AYRCwSQ1vtzX7o14yRSvWzpz8Tw0CpQG6qQ==
X-Received: by 10.159.36.73 with SMTP id 67mr8500748uaq.124.1484251804810; Thu, 12 Jan 2017 12:10:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.176.2.235 with HTTP; Thu, 12 Jan 2017 12:09:34 -0800 (PST)
In-Reply-To: <CAKD1Yr0sAU-AfvezDy7XiVrNMYZO4XkTR3cgfg2=iMWifD2JBw@mail.gmail.com>
References: <1E7F90AC-79BB-49BE-B397-EC829EA95AA4@gmail.com> <CAKD1Yr0O6gnXZc3qEY7bqkBYu-sx1_erwum2DRwpe+Vv+jmdiw@mail.gmail.com> <7456833d-aa3f-d368-6041-cfdc1ac95f6f@si6networks.com> <CAKD1Yr1dQF7Cg0mppZVcSXC15pue_y1Qb-GugKY+G8u-dRyJtg@mail.gmail.com> <89fc8838-f6cd-1647-8468-1c8c11466aff@si6networks.com> <CAKD1Yr2z22ZX85ywAcqobbHZ20Kx4VvFhEmzJnSG_0hQBLLvyw@mail.gmail.com> <b3707115-b9d1-cc14-4cb9-0a3ffdd0cdfc@si6networks.com> <CAKD1Yr0WkMJ4+FwdE2Re=Aifm2HgCha2i67mexpcO5rkz3PYww@mail.gmail.com> <33d91d6c-18dc-1ec0-fc4d-edc83a86ce83@si6networks.com> <CAKD1Yr0sAU-AfvezDy7XiVrNMYZO4XkTR3cgfg2=iMWifD2JBw@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 13 Jan 2017 07:09:34 +1100
Message-ID: <CAO42Z2wTDgCYFQ78pb0DKvqpBj8HA=_JF-quTE55Tu5xFbk3Ng@mail.gmail.com>
Subject: Re: <draft-ietf-6man-default-iids> update to rfc2464bis
To: Lorenzo Colitti <lorenzo@google.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/7Ya6g4jVcZG4f-_Npi29BhYiHAc>
Cc: 6man WG <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>, Suresh Krishnan <suresh.krishnan@ericsson.com>, Fernando Gont <fgont@si6networks.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jan 2017 20:10:08 -0000
On 12 Jan. 2017 23:19, "Lorenzo Colitti" <lorenzo@google.com> wrote: On Thu, Jan 12, 2017 at 8:29 PM, Fernando Gont <fgont@si6networks.com> wrote: > > > All these documents are about generating stable addresses, not temporary > > addresses. So I'm not sure why the text should be removed. The text in > > all this documents ae about stable addresses. IETF-wise, the only doc > > that is about temporary addresses is RFC4941. Hence the text seems > > correct to me. > > > > If instead of removing that text we can clarify that it only applies to > > stable addresses, that works for me. Suggestion: change "These are > > described in Appendix A and are no longer recommended." to ""These are > > described in Appendix A and are no longer recommended for stable addresses." > > Fine. Isn't the assumption in all these RFCs that the addresses are > stable, and that the MAC addresses are unique? > Yes, those documents were written when randomized MAC addresses did not yet exist, yes. But those assumptions are not valid today; randomized MAC addresses are not only in use, there are standards track documents that assume their use (e.g., RFC7844). Since we're now republishing these documents, we need to make them reflect the state of the world as it is today, and the revised documents must not assume that MAC addresses are unique and static. (IEEE) MAC addresses aren't the only types of link layer addresses and may not be in the future. ARCNet only has 8 bit link-layer addresses and despite its age, it still looks like it is being manufactured and used. https://www.ccontrols.com/tech/arcnet.htm CanBus, used in cars, looks to only have 11 bit or 29 bit addresses https://en.wikipedia.org/wiki/CAN_bus#Frames I'm sure there are other link layers out there that we would want IPv6 to run over that have similar sorts of link layer address sizes. I don't think we shouldn't bind IPv6 address security properties to link layer address properties, because then it puts the IPv6 address security properties out of our control. We could require link-layer addresses to be of a certain size and have certain properties before running IPv6 over it, however that will limit IPv6 applicability (in other words, demand that the link layer addresses under IPv6 MUST be IEEE MAC addresses.) We could try to check the randomness properties of the link layer address before using it in a IPv6 address, however then you still need a fall back if the link-layer address fails that test, so you're going to have general, non-link layer specific fall back method available anyway, and the extra code complexity of link layer address validation checks. I think it is simpler and easier to ignore the link layer address properties and generate IPv6 addresses with good security properties independently of them. The only use of link layer properties is as a possible seed and as an interface distinguisher when useful or necessary, which is what RFC7217 does. I think it is better to try to minimise the coupling and dependencies between the link layer and link layer properties and the IPv6 layer rather than trying to tighten it. That seems to have been a theme of IPv6 e.g., using DHCPv6 over PPP rather than embedding IPv6 upper layer parameters in PPP such as DNS addresses, and the shifting of neighbor discovery into IPv6 rather than having a parallel link layer specific neighbor discovery protocol (i.e., ARP and IPv4 being in a parallel, and ARP being Ethernet specific.) This theme is described in RFC1958, even though security benefits may not have been the reason for it at the time. "The Internet level protocol must be independent of the hardware medium and hardware addressing. This approach allows the Internet to exploit any new digital transmission technology of any kind, and to decouple its addressing mechanisms from the hardware. It allows the Internet to be the easy way to interconect fundamentally different transmission media, and to offer a single platform for a wide variety of Information Infrastructure applications and services. There is a good exposition of this model, and other important fundemental issues, in [Clark]." > > The reason the text needs to be changed is because during the discussion > > of default-iids there was substantial discussion of the use case of > > using EUI-64 with randomized MAC addresses. There was consensus that > > this is a use case we want to support, and as a result, the working > > group concluded that we should change every occurrence of the phrase > > "based on a link-layer address" to "based on a stable link-layer > > address" in the default-iids draft. > > My read of the discussion is that you didn't want default-iids to ban > this case (and maybe there was not more than one or two voices in this > direction), and we simply decided to have default-iids fous on stable > addresses to be able to do progress on something. Claiming that doing > temp adderesses by doing MOdified-EUI64 is streching that outcome quite > a bit, IMO. > Funny... my read of the discussion is that everyone wanted to support this case and only you didn't (and maybe there was not more than one or two voices in this direction". :-P I also supported the decoupling. I understand the convenience and motivation for using random MAC addresses (I've had many of my systems including my main laptop changing them at boot for a number of years now), however I think it is a layer dependency that is better to avoid (i.e., have addresses at both layers that have good security properties and that don't have any security bindings or couplings between each other.) Regards, Mark. >But seriously: regardless of which of the two interpretations above is correct (likely neither), the fact of the matter is that the text in default-iids says "stable" and that did not happen by chance, but through explicit working group discussion. We have to respect that here. > All this documents talk about stable addresses. Discussing temp > addresses in them is actually talking about stuff that simply wasn't > there, with operating conditions different from those assummed so far. Again: we are republish these documents and we have to do so taking into account things as they are today. Today, the fact of the matter today is that MAC addresses are in use and the documents have to reflect that. -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- <draft-ietf-6man-default-iids> update to rfc2464b… Bob Hinden
- Re: <draft-ietf-6man-default-iids> update to rfc2… Fernando Gont
- Re: <draft-ietf-6man-default-iids> update to rfc2… Lorenzo Colitti
- Re: <draft-ietf-6man-default-iids> update to rfc2… Fernando Gont
- Re: <draft-ietf-6man-default-iids> update to rfc2… Lorenzo Colitti
- Re: <draft-ietf-6man-default-iids> update to rfc2… Fernando Gont
- Re: <draft-ietf-6man-default-iids> update to rfc2… Lorenzo Colitti
- Re: <draft-ietf-6man-default-iids> update to rfc2… Fernando Gont
- Re: <draft-ietf-6man-default-iids> update to rfc2… Lorenzo Colitti
- Re: <draft-ietf-6man-default-iids> update to rfc2… Fernando Gont
- Re: <draft-ietf-6man-default-iids> update to rfc2… Lorenzo Colitti
- Re: <draft-ietf-6man-default-iids> update to rfc2… Philip Homburg
- Re: <draft-ietf-6man-default-iids> update to rfc2… Fernando Gont
- Re: <draft-ietf-6man-default-iids> update to rfc2… Tim Chown
- Re: <draft-ietf-6man-default-iids> update to rfc2… 神明達哉
- Re: <draft-ietf-6man-default-iids> update to rfc2… Mark Smith
- Re: <draft-ietf-6man-default-iids> update to rfc2… Brian E Carpenter
- Re: <draft-ietf-6man-default-iids> update to rfc2… Bob Hinden
- Re: <draft-ietf-6man-default-iids> update to rfc2… Bob Hinden
- Re: <draft-ietf-6man-default-iids> update to rfc2… Lorenzo Colitti
- Re: <draft-ietf-6man-default-iids> update to rfc2… Lorenzo Colitti
- Re: <draft-ietf-6man-default-iids> update to rfc2… Bob Hinden
- Re: <draft-ietf-6man-default-iids> update to rfc2… Lorenzo Colitti
- RE: <draft-ietf-6man-default-iids> update to rfc2… Christian Huitema
- Re: <draft-ietf-6man-default-iids> update to rfc2… Bob Hinden
- Re: <draft-ietf-6man-default-iids> update to rfc2… Tim Chown