Re: Magnus Westerlund's No Objection on draft-ietf-6man-rfc4941bis-11: (with COMMENT)

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 23 October 2020 12:35 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "fgont@si6networks.com" <fgont@si6networks.com>, "iesg@ietf.org" <iesg@ietf.org>
CC: "ipv6@ietf.org" <ipv6@ietf.org>, "draft-ietf-6man-rfc4941bis@ietf.org" <draft-ietf-6man-rfc4941bis@ietf.org>, "6man-chairs@ietf.org" <6man-chairs@ietf.org>, "otroan@employees.org" <otroan@employees.org>
Subject: Re: Magnus Westerlund's No Objection on draft-ietf-6man-rfc4941bis-11: (with COMMENT)
Date: Fri, 23 Oct 2020 12:35:10 +0000
Message-ID: <2c3e19f09c18ddb3bbec881102ff54d84572af51.camel@ericsson.com>
References: <160335500152.2379.13344186464354332427@ietfa.amsl.com> <db074a10-8feb-3fc3-4e1a-910674e8628d@si6networks.com>
In-Reply-To: <db074a10-8feb-3fc3-4e1a-910674e8628d@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/9AP4hgdoJ4oo8cKan1CjrYxdcBc>

Hi Fernando,

Unfortunately I think I will not be able to propose a set of adjustments. I
understand that this might mean the easiest way forward is to do nothing
here. I fully understand that; please just keep it in mind, if you are doing
any edits on the text anyway, whether the formulations really are representative.

Cheers

Magnus



On Thu, 2020-10-22 at 11:44 -0300, Fernando Gont wrote:
> Hello, Magnus,
> 
> Thanks so much for your review! In-line....
> 
> On 22/10/20 05:23, Magnus Westerlund via Datatracker wrote:
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> > 
> > I understand that this is an update of an older document resolving several
> > important issues. However, what was advanced traffic analysis 10 years ago is
> > not as advanced today. The security considerations discuss some of the weaknesses.
> > To me it appears that there are significant risks of correlating an old temporary
> > address past its preferred lifetime with the new preferred temporary address.
> 
> How would you do this at the address level? (caveat: if you do it at an 
> upper layer, I'd probably say that this is mentioned both in the 
> Security Considerations and in the discussion on persistent IDs earlier 
> on in the document).

I don't think you need high-level payload analysis; 5-tuple information over
time will enable certain correlations. I understand that this is a scale, not a
black-and-white issue. I am somewhat concerned that maybe the document indicates
that the point on this scale is somewhat more on the secure side than where I
think it is. 

> 
> > Especially if an attacker can trigger an endpoint reconnecting to a site where
> > the previous temporary address was used and thus correlate the attempt to force
> > reconnection, combined with detected use of a new temporary address to the same
> > destination. It might even be another destination but associated with the same
> > remote site.
> 
> If the correlation happens at a higher layer, that's indeed possible -- 
> but out of the scope of this particular work.
> 
> 
> 
> > I have not put this on discuss level, but my impression is that although
> > beneficial the strength of its protection might be overstated in the various
> > statements.
> 
> Please do let us know if you think that there's more that is to be 
> added, and if you have any suggestions.

> 
> Thanks!
> 
> Regards,
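The 5-tuple-over-time correlation Magnus raises above, as an added example that is not part of the original thread: a small Python routine run over constructed flow records (timestamp, source address, destination address, destination port, protocol) that links a new temporary address to the previous one when both sit in the same /64, both talk to the same destination address and port, and the new one is first seen shortly after the old one goes quiet toward that service. The /64 filter, the 600-second window, every address and every timestamp are assumptions made for illustration, not values from the draft or the thread.

```python
"""Link successive IPv6 temporary addresses from 5-tuple flow records.

Added example, not code from the original thread or the draft. All
addresses, timestamps and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds on a constructed clock
    src: str       # client source address as seen by the observer
    dst: str       # server address
    dport: int     # server port
    proto: str = "tcp"


def prefix64(addr: str) -> IPv6Network:
    """Temporary addresses change the IID but keep the /64 prefix, so a
    shared /64 is the first filter for 'same host, new address' (assumed
    heuristic; a /64 can of course hold many hosts)."""
    return IPv6Network((ip_address(addr), 64), strict=False)


def correlate(flows: List[Flow], window: float = 600.0) -> List[Tuple[str, str, str]]:
    """Return (old_src, new_src, service) triples.

    Two sources are linked when they share a /64, talk to the same
    (dst, dport, proto) service, and the newer one is first seen between 0
    and `window` seconds after the older one was last seen there. A negative
    gap (both active at once) or a gap beyond `window` is not treated as a
    hand-over.
    """
    # (service, /64) -> src -> [first_seen, last_seen]
    spans: Dict[Tuple[str, int, str, IPv6Network], Dict[str, List[float]]] = defaultdict(dict)
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.dst, f.dport, f.proto, prefix64(f.src))
        span = spans[key].setdefault(f.src, [f.ts, f.ts])
        span[1] = f.ts  # flows are time-ordered, so this is the last sighting

    links: List[Tuple[str, str, str]] = []
    for (dst, dport, proto, _pfx), per_src in spans.items():
        ordered = sorted(per_src.items(), key=lambda kv: kv[1][0])  # by first_seen
        for (old, (_, old_last)), (new, (new_first, _)) in zip(ordered, ordered[1:]):
            gap = new_first - old_last
            if 0 <= gap <= window:
                links.append((old, new, f"{dst}/{dport}/{proto}"))
    return links


# Constructed sample data (hypothetical addresses).
SERVICE = "2001:db8:beef::10"
# Host H1: old temporary address, then a new one on the same /64, clean hand-over.
H1_OLD = "2001:db8:1:2:9c3e:1f0a:44b2:7e91"
H1_NEW = "2001:db8:1:2:5d1c:a2f0:b3e:91a4"
# Same /64 again, but first seen 1500 s after H1_NEW went quiet: beyond the window.
H1_LATE = "2001:db8:1:2:70aa:0b1f:c3d4:e5f6"
# Different /64: never compared with the H1 addresses.
H2 = "2001:db8:9:9:1111:2222:3333:4444"
# Two addresses on one /64 that are active concurrently: not a hand-over.
H3_A = "2001:db8:7:7:aaaa::1"
H3_B = "2001:db8:7:7:aaaa::2"

SAMPLE_FLOWS = [
    Flow(100.0, H1_OLD, SERVICE, 443),
    Flow(400.0, H1_OLD, SERVICE, 443),
    Flow(900.0, H1_OLD, SERVICE, 443),
    Flow(1100.0, H1_NEW, SERVICE, 443),   # 200 s after H1_OLD was last seen
    Flow(1500.0, H1_NEW, SERVICE, 443),
    Flow(3000.0, H1_LATE, SERVICE, 443),  # 1500 s gap, outside the window
    Flow(1105.0, H2, SERVICE, 443),
    Flow(100.0, H3_A, SERVICE, 443),
    Flow(500.0, H3_B, SERVICE, 443),
    Flow(2000.0, H3_A, SERVICE, 443),
    Flow(2500.0, H3_B, SERVICE, 443),
]

if __name__ == "__main__":
    for old, new, service in correlate(SAMPLE_FLOWS):
        print(f"{old} -> {new} (via {service})")
```

Only the H1 pair is linked; the late address, the other prefix and the concurrently active pair are all left alone. Two caveats a practitioner should keep in mind: a deprecated temporary address may keep serving existing sessions while new sessions use the new address, so real hand-overs can overlap and the strict "old goes quiet, then new appears" rule above will miss some of them; and the rule will happily link two different hosts on the same /64 that happen to reach the same service in sequence, which is why output like this is a correlation score to be weighed against other evidence, not proof of identity.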