IETF Logo Mail Archive

Re: RFC8064 implemented in linux ?

Fernando Gont <fgont@si6networks.com> Fri, 05 July 2019 23:49 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D2DF120122 for <ipv6@ietfa.amsl.com>; Fri, 5 Jul 2019 16:49:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hiRb1pI25mLV for <ipv6@ietfa.amsl.com>; Fri, 5 Jul 2019 16:49:33 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC7661200D7 for <ipv6@ietf.org>; Fri, 5 Jul 2019 16:49:32 -0700 (PDT)
Received: from [192.168.1.82] (unknown [41.249.98.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 31E81846CF; Sat, 6 Jul 2019 01:49:26 +0200 (CEST)
Subject: Re: RFC8064 implemented in linux ?
To: Martin Hunek <martin.hunek@tul.cz>, ipv6@ietf.org
References: <69fb7b6e-cb0b-34a8-9a36-006878787282@gmail.com> <1752910.pSMvptStIT@rumburak.ite.tul.cz> <c2233bf7-13a2-e74e-ec92-344e67d32054@si6networks.com> <3886024.MVVTRlPX46@rumburak.ite.tul.cz>
From: Fernando Gont <fgont@si6networks.com>
Openpgp: preference=signencrypt
Autocrypt: addr=fgont@si6networks.com; prefer-encrypt=mutual; keydata= mQINBE5so2gBEACzBQBLUy8nzgAzSZn6ViXT6TmZBFNYNqTpPRvTVtUqF6+tkI+IEd9N2E8p pXUXCd0W4dkxz6o7pagnK63m4QSueggvp881RVVHOF8oTSHOdnGxLfLeLNJFKE1FOutU3vod GK/wG/Fwzkv9MebdXpMlLV8nnJuAt66XGl/lU1JrNfrKO4SoYQi4TsB/waUQcygh7OR/PEO0 EttiU8kZUbZNv58WH+PAj/rdZCrgUSiGXiWUQQKShqKnJxLuAcTcg5YRwL8se/V6ciW0QR9i /sr52gSmLLbW5N3hAoO+nv1V/9SjJAUvzXu43k8sua/XlCXkqU7uLj41CRR72JeUZ4DQsYfP LfNPC98ZGTVxbWbFtLXxpzzDDT8i3uo7w1LJ2Ij/d5ezcARqw01HGljWWxnidUrjbTpxkJ9X EllcsH94mer728j/HKzC9OcTuz6WUBP3Crgl6Q47gY5ZIiF0lsmd9/wxbaq5NiJ+lGuBRZrD v0dQx9KmyI0/pH2AF8cW897/6ypvcyD/1/11CJcN+uAGIrklwJlVpRSbKbFtGC6In592lhu7 wnK8cgyP5cTU+vva9+g6P1wehi4bylXdlKc6mMphbtSA+T3WBNP557+mh3L62l4pGaEGidcZ DLYT2Ud18eAJmxU3HnM8P3iZZgeoK7oqgb53/eg96vkONXNIOwARAQABtCVGZXJuYW5kbyBH b250IDxmZ29udEBzaTZuZXR3b3Jrcy5jb20+iQJBBBMBAgArAhsjBQkSzAMABgsJCAcDAgYV CAIJCgsEFgIDAQIeAQIXgAUCTmylpQIZAQAKCRCuJQ1VHU50kv7wD/9fuNtTfxSLk3B3Hs3p ixTy8YXVjdkVwWlnJjFd7BOWmg7sI+LDhpjGfT6+ddOiwkumnvUZpObodj4ysH0i8c7P4C5t F9yu7WjklSlrB5Rth2CGChg5bKt541z2WHkFFxys9qBLmCSYDeKQkzLqhCjIUJizY2kOJ2GI MnSFDzJjhSFEh//oW830Y8fel1xnf/NVF+lBVtRMtMOfoWUqDjvP3sJ1G4zgkDCnF0CfncLx +hq2Mv26Uq9OTzvLH9aSQQ/f067BOkKAJKsfHdborX4E96ISTz57/4xECRSMr5dVsKVm4Y// uVIsb+L5z+a32FaiBZIAKDgnJO7Z8j6CV5e5yfuBTtX52Yi9HjYYqnYJGSDxYd6igD4bWu+7 xmJPHjkdqZgGV6dQIgiUfqkU+s5Cv350vK48CMaT/ZLo2BdsMhWsmaHmb+waePUMyq6E4E9x 9Js+EJb9ZiCfxS9exgieZQpet1L36IvhiwByvkQM009ywfa30JeMOltUtfLi5V06WQWsTzPL 5C+4cpkguSuAJVDTctjCA0moIeVDOpJ8WH9voQ4IeWapQnX35OIoj1jGJqqYdx65gc1ygbyx b8vw+pJ9E5GLse5TQnYifOWpXzX9053dtbwp/2OVhU4KLlzfCPCEsoTyfu9nIZxdI2PMwiL5 M85BfjX4NmwBLmPGoLkCDQRObKNoARAAqqXCkr250BchRDmi+05F5UQFgylUh10XTAJxBeaQ UNtdxZiZRm6jgomSrqeYtricM9t9K0qb4X2ZXmAMW8o8AYW3RrQHTjcBwMnAKzUIEXXWaLfG cid/ygmvWzIHgMDQKP+MUq1AGQrnvt/MRLvZLyczAV1RTXS58qNaxtaSpc3K/yrDozh/a4pu WcUsVvIkzyx43sqcwamDSBb6U8JFoZizuLXiARLLASgyHrrCedNIZdWSx0z0iHEpZIelA2ih AGLiSMtmtikVEyrJICgO81DkKNCbBbPg+7fi23V6M24+3syHk3IdQibTtBMxinIPyLFF0byJ aGm0fmjefhnmVJyCIl/FDkCHprVhTme57G2/WdoGnUvnT7mcwDRb8XY5nNRkOJsqqLPemKjz kx8mXdQbunXtX9bKyVgd1gIl+LLsxbdzRCch773UBVoortPdK3kMyLtZ4uMeDX3comjx+6VL bztUdJ1Zc9/njwVG8fgmQ+0Kj5+bzQfUY+MmX0HTXIx3B4R1I1a8QoOwi1N+iZNdewV5Zfq+ 29NlQLnVPjCRCKbaz9k6RJ2oIti55YUI6zSsL3lmlOXsRbXN5bRswFczkNSCJxJMlDiyAUIC WOay7ymzvgzPa+BY/mYn94vRaurDQ4/ljOfj6oqgfjts+dJev4Jj89vp8MQI3KJpZPEAEQEA AYkCJQQYAQIADwUCTmyjaAIbDAUJEswDAAAKCRCuJQ1VHU50km4xEACho45PZrUjY4Zl2opR DFNo5a6roTOPpgwO9PcBb3I5F8yX2Dnew+9OhgWXbBhAFq4DCx+9Gjs43Bn60qbZTDbLGJ/m 8N4PwEiq0e5MKceYcbetEdEUWhm5L6psU9ZZ82GR3UGxPXYe+oifEoJjOXQ39avf9S8p3yKP Diil0E79rn7LbJjMcgMLyjFg9SDoJ6pHLtniJoDhEAaSSgeV7Y745+gyMIdtQmrFHfqrFdjq D6G0HE+Z68ywc5KN67YxhvhBmSycs1ZSKAXv1zLDlXdmjHDHkU3xMcB+RkuiTba8yRFYwb/n j62CC4NhFTuIKOc4ta3dJsyXTGh/hO9UjWUnmAGfd0fnzTBZF8Qlnw/8ftx5lt4/O+eqY1EN RITScnPzXE/wMOlTtdkddQ+QN6xt6jyR2XtAIi7aAFHypIqA3lLI9hF9x+lj4UQ2yA9LqpoX 6URpPOd13JhAyDe47cwsP1u9Y+OBvQTVLSvw7Liu2b4KjqL4lx++VdBi7dXsjJ6kjIRjI6Lb WVpxe8LumMCuVDepTafBZ49gr7Fgc4F9ZSCo6ChgQNLn6WDzIkqFX+42KuHz90AHWhuW+KZR 1aJylERWeTcMCGUSBptd48KniWmD6kPKpzwoMkJtEXTuO2lVuborxzwuqOTNuYg9lWDl7zKt wPI9brGzquUHy4qRrA==
Message-ID: <48bee5f3-7fbb-55b9-6734-405fc8c722db@si6networks.com>
Date: Fri, 05 Jul 2019 23:36:58 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <3886024.MVVTRlPX46@rumburak.ite.tul.cz>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/AyVZ6JzbcBcIW5BlPVVLQ81Tse0>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2019 23:49:37 -0000

Hello, Martin,

On 2/7/19 15:53, Martin Hunek wrote:
> Dne úterý 2. července 2019 14:39:34 CEST jste napsal(a):
>> On 28/6/19 17:35, Martin Hunek wrote:
>>> Hi Alex, hi all,
>>> 
>>> I hope that this mail would not be breach to Code of Conduct,
>>> but this is straight from network's operator heart. :-)
>>> 
>>> I hope that RFC8064 would never be implemented on any router. As 
>>> would be operational nightmare.
>>> 
>>> I can see need for privacy with global addresses as it is clear
>>> that individuals could be easily tracked over the internet when
>>> using EUI-64 suffixes. It is not so obvious with stationary
>>> servers, but OK - you could remotely detect vendor and model of
>>> hardware, so yes if you really need to hide that it is
>>> reasonable.
>>> 
>>> When client need to generate LL address with other method then 
>>> EUI-64, that is for me hard to grasp.
>> 
>> Using predictable numeric identifiers is bad practice. See e.g.: 
>> https://tools.ietf.org/html/draft-gont-predictable-numeric-ids-03
>> 
> Sorry, but this is your opinion not a fact. What is the thread of
> predictable IID used in *Link-Local* address?

What the referenced I-D shows is that whenever we have employed
predictable IDs, that has led to problems. That is a fact, not opinion.

And the fact that we have had to fix each numeric ID in each protocol
piecemeal is a sad story we should learn from, rather than something we
want to repeat.



> I can see reasons behind not using EUI-64 together with global
> addresses but not with LLs. There is no point of hiding LL address
> from your operator. I can still get both MAC and LL address, but
> instead of just taking picture of MAC sticker on your CPE (or from
> DHCPv4), I would need to eavesdrop on your line. I can imagine that
> it would be more of the privacy breach, than knowing your CPE LL
> address from your MAC...

I assume you are referring only to routers, right? -- Because Windows
has not employed the traditional SLAAC scheme (embedding mac addresses
in the IID) for a long time.




>>> Lastly the case of router (OpenWRT): Why would I need to use
>>> anything else than EUI-64? As network operator I need address
>>> that is static (on WAN interface at least), so I can do reliable
>>> static leases if customer wants them.
>> 
>> Not sure what you are referring to. LLs are not leased. RFC8064 is
>> about *autoconfigured* addresses.
>> 
> Sure the LL addresses are not leased, but network prefix is leased to
> them. At least that is a result of either DHCPv6-PD or manual lease
> in the routing table.

If the DUID is based on the MAC address, why would you care about the LL
address, anyway?




>> Besides, RFC7217 addresses are meant to be stable. Depending on
>> the implementation, they may even be stale across NIC
>> swaps/replacement.
>> 
> If every device on link would use a same method, which would allow to
> predict with absolute probability, LL address based on MAC address
> and maybe some other variables known to operator (as in EUI-64 case),
> I would have nothing against that.
> 
> But in case of RFC7217 there is: F(): Unknown to operator because
> every implementation can use different hash function. Prefix: Known
> to operator. Net_Iface: Unknown to operator. Network_ID: Known for
> WAN link to operator. DAD_Counter: Known to be initially 0. 
> secret_key: Pseudorandom - unknown to operator.
> 
> F(), Net_Iface could be somehow guested when you know MAC address so
> you know vendor + model if you also know software version. But there
> is still secret_key. So as network operator I'm not capable to say
> which LL address device would have just by looking on the box and
> reading MAC address from it. I would need to unbox it, connect it to
> network and read its address from wireshark.

If for some reason you use some other algorithm (e.g., the traditional
one) to generate addresses, override the default.


> Long story short, back in days prior any privacy addresses where all
> IIDs fould be generated by EUI-64, I would be able to tell which
> address would be used by which device. This makes process of doing
> manual entries to routing table easy. When you know which prefix you
> want to assign to CPE and you know CPE's MAC you know also CPE's LL
> address and it is all you need to make record in routing table. With
> RFC8064 and BYOD policy you are screwed.

You might consider this a feature. The goal is indeed to improve privacy
by default.


-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email