IETF Logo Mail Archive

Re: "RFC4941bis" and draft-gont-6man-non-stable-iids

Fernando Gont <fgont@si6networks.com> Thu, 20 July 2017 11:03 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AA5E131687 for <ipv6@ietfa.amsl.com>; Thu, 20 Jul 2017 04:03:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Ids-4tnx8Bc for <ipv6@ietfa.amsl.com>; Thu, 20 Jul 2017 04:03:25 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B1A7129AD1 for <6man@ietf.org>; Thu, 20 Jul 2017 04:03:24 -0700 (PDT)
Received: from [192.168.0.25] (unknown [46.13.174.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 5A1FD80D4D; Thu, 20 Jul 2017 13:04:49 +0200 (CEST)
Subject: Re: "RFC4941bis" and draft-gont-6man-non-stable-iids
To: Suresh Krishnan <suresh.krishnan@gmail.com>, Tim Chown <Tim.Chown@jisc.ac.uk>
Cc: "6man@ietf.org" <6man@ietf.org>
References: <4d1ef3d1-1c21-ec76-7c1b-7bb0f5eaa805@si6networks.com> <51F41F55-27B2-43BC-9199-FBE59B98BCFB@jisc.ac.uk> <f227bbe9-c038-185c-7868-67c9a6a89d5d@si6networks.com> <D4D7CEFD-AB01-41A4-A874-B0D8A485A4C8@jisc.ac.uk> <BF53B560-5B04-4656-BC3C-C789E809DC50@gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <6a64b2ad-6cc6-40e3-efa1-dee2eb2206cf@si6networks.com>
Date: Thu, 20 Jul 2017 14:03:26 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <BF53B560-5B04-4656-BC3C-C789E809DC50@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/9kss3qyuF-JiHl16uBi6ePgPoj4>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 11:03:28 -0000

On 07/20/2017 11:21 AM, Suresh Krishnan wrote:
> Hi Tim,
> 
>> On Jul 19, 2017, at 6:00 PM, Tim Chown <Tim.Chown@jisc.ac.uk
>> <mailto:Tim.Chown@jisc.ac.uk>> wrote:
>>
>>> On 19 Jul 2017, at 13:57, Fernando Gont <fgont@si6networks.com
>>> <mailto:fgont@si6networks.com>> wrote:
>>>
>>> On 07/19/2017 01:58 PM, Tim Chown wrote:
>>>>> On 18 Jul 2017, at 15:52, Fernando Gont <fgont@si6networks.com
>>>>> <mailto:fgont@si6networks.com>>
>>>>> wrote:
>>>>>
>>>>> Folks,
>>>>>
>>>>> Among the list of RFCs to be progressed to full std is/was RFC4941 
>>>>> ("Privacy Extensions for Stateless Address Autoconfiguration in
>>>>> IPv6").
>>>>>
>>>>> As it stands, RFC4941 has a number of issues:
>>>>>
>>>>> * Using the same IID for multiple prefixes * Not changing the IID
>>>>> upon "security events" (including e.g., change in the underlying
>>>>> MAC address) * Using MD5 as opposed to something better * Requiring
>>>>> the use of temporary addresses along stable addresses (preventing
>>>>> use of temporary-only, for nodes that feel like) * Not treating
>>>>> IIDs as opaque values (see RFC7136)  when generating the randomized
>>>>> IIDs (see step 3 in section 3.2.1 of RFC4941) * Mandating one
>>>>> specific algorithm, when the same goals/properties can be achieved
>>>>> with multiple algorithms (see section 4 of 
>>>>> draft-gont-6man-non-stable-iids-01)
>>>>>
>>>>>
>>>>> Based on the above, I personally don't think that it would make
>>>>> sense to progress RFC4941 to Internet Standard, but rather think
>>>>> that we should work on  a replacement of it -- our proposal being 
>>>>> draft-gont-6man-non-stable-iids-01.
>>>>>
>>>>> Thoughts?
>>>>
>>>> Certainly any update on 4941 needs to be done in the light of a few
>>>> deficiencies that have emerged over the years, and the publication of
>>>> RFC7217.
>>>>
>>>> I think it’s still possible to do a -bis off 4941.
>>>
>>> My questions would be:
>>>
>>> 1) Can you actually address the aforementioned deficiencies without
>>> significant changes to RFC4941? -- It would seem to me that in order to
>>> address them, rfc4941bis would not be a bis document anymore.
>>>
>>> 2) If you were to address such deficiencies, could the bis document be
>>> progressed to Internet Standard? -- My assessment of this question
>>> is: No.
>>>
>>> If RFC4941 would take significant work, and the end result would
>>> actually be significantly different from what's in RFC4941, then I'm not
>>> sure that'd be different than starting from the I-D we already have...
>>
>> Just to be clear, I like the material in your new draft.
>>
>> That said, it seems you could do a similar style of update from 3041
>> to 4941, with a similar structure; the content is there in your draft,
>> it “just" needs to be merged in.
>>
>> That would mean obsoleting 4941, just as 4941 obsoleted 3041.  So you
>> would include the details in 4941 that would carry forward.
> 
> <AD hat off>. I agree. If we are planning a drop in replacement to
> RFC4941 creating a bis document from there is the right thing to do.

Can you explain your rationale? (along with answering the two questions
I posed to Tim).

RFC4941 can be summarized as consisting of two parts:

1) A discussion of privacy implications of Identifiers, and of IIDs in
particular

2) Specification of an algorithm to generate the IID


"1)" was much needed when RFC3041 was published, and then carried to
RFC4941 (when it was probably still needed). Nowadays, the security and
privacy properties of IPv6 addresses are discussed more thoroughly (and
in more dimensions) in RFC7721.  And the discussion of identifiers in
documents such as RFC6973 and draft-gont-predictable-numeric-ids
(besides the fact that one can always refer back to RFC3041 or even
RFC4941 for such discussion, in the same way we referenced RFC3041 in
RFC7721).

When it comes to "2)", if you really want to address the issues found in
RFC4941, essentially you need to replace the algorithm with something
else. One may tweak a few things here and there (e.g., the update we
propose in our I-D), but still there are drawbacks in RFC4941 that
cannot be addressed without fundamentally changing the algorithm (for
instance, RFC4941 has notable drawbacks when compared to simply
generating the IID as a random number that is not tied to previously
selected IIDs). If one were to do rfc4941bis, such document could not be
progressed to STD. And since there are better and/or alternative
approaches for generating temporary addresses, I'm not sure what would
be the benefit here.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email