Re: OPS-DIR review of draft-6man-stable-privacy-addresses-16

[Hannes Frederic Sowa <hannes@stressinduktion.org>]

Hi!

On Thu, Jan 23, 2014 at 01:05:28AM +0000, Tim Chown wrote:
> 2. In the algorithm section, there is a comment that interface names MUST remain the same across boots or down/up events for the stable privacy address to remain stable. I have (admittedly some time ago, and in rare cases) seen Linux installations where network interface names can ‘swap’, thus changing the address in use on the interface under the proposed algorithm, whereas with existing EUI64 SLAAC the IIDs would remain the same even if the interface name for a physical interface changed. This is probably rather more likely if replacing a network card on motherboard with on-board NIC(s).  Perhaps Fernando can comment on whether this is a realistic concern with modern OSes.

It is mostly solved. Currently earily user space reconfigures the names
of the network interface cards based on mac addresses. This also means
we cannot generate those addresses while kernel boot-up but must wait
until those renames have occured.

For the linux implementation we are currently more and more considering a pure
userspace implementation as we have problems with dad counter persistence and
possible address generation algorithm configurations.

> 3. I assume the IID may/will vary for a different OS run on the same host, e.g. where the host is dual-boot, or where a new OS installed (or the same OS re-installed). A different OS may well use a different F(), given that’s not specified.  With EUI-64, a dual-boot host would likely have the same address under either OS (well, not Windows any more…).  This may be worth making explicit.

Problem here is the sharing of the secret. Well, a different OS must read the
other OSes filesystem to get the secret needed for address generation.

Maybe we could install those secrets into some uEFI store but I am not an
expert on this.

> 6. I’d suggest not mentioning MD5.

Ack.

Thanks,

  Hannes