IETF Logo Mail Archive

Re: I-D Action: draft-ietf-6man-default-iids-04.txt

Mark Smith <markzzzsmith@gmail.com> Sat, 11 July 2015 06:00 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24EF71A6EF2 for <ipv6@ietfa.amsl.com>; Fri, 10 Jul 2015 23:00:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YwFmJhbY5ICm for <ipv6@ietfa.amsl.com>; Fri, 10 Jul 2015 23:00:56 -0700 (PDT)
Received: from mail-ig0-x229.google.com (mail-ig0-x229.google.com [IPv6:2607:f8b0:4001:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E3A91A0387 for <ipv6@ietf.org>; Fri, 10 Jul 2015 23:00:56 -0700 (PDT)
Received: by igrv9 with SMTP id v9so26783987igr.1 for <ipv6@ietf.org>; Fri, 10 Jul 2015 23:00:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=My0vGmKMo9oPzRBX0whqB0bgdvzExZ3rRMcxCCiBgHA=; b=sj3DK5y7/+rvTlgXRdi53rCiio8Urp5USVkdLyhpXxgRqQnellNu65GVZTwJgDOmfo 6nCTWiJuE1y2DN2F/YwX00qflxNSq0cGA+15rtLP+90D4brc3Jq0/1RpaXvk3W1e6Ypz 3AeaEF1eovh1KofjMG5QkBYOxb/vWXROpCFhmu07p7+3RXB8UMLZyoNsC2fvGdDRfAlk OHk9R+LrLgk3EvyfxDhW1mvYf/5NC2gtWB3PvS70Iq6m2XrEkJN4NR8ZTMEXFw7S5S+r EIHOYUBwQl5NCtj1rdvRhkrgSjsb8roB97jy2nUtolxXWmo2LjJAb7dPlSlqQarU5i9G 4ToA==
X-Received: by 10.107.6.87 with SMTP id 84mr9615625iog.35.1436594456097; Fri, 10 Jul 2015 23:00:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.205.5 with HTTP; Fri, 10 Jul 2015 23:00:26 -0700 (PDT)
In-Reply-To: <CY1PR0301MB064906BB14115F6105FEB38DA89E0@CY1PR0301MB0649.namprd03.prod.outlook.com>
References: <20150626053554.16572.72663.idtracker@ietfa.amsl.com> <926657903.827241.1435374995889.JavaMail.yahoo@mail.yahoo.com> <5591BF9C.8080307@si6networks.com> <CAO42Z2zf5-g1aOAWfaDxX47H9w9Kyc0QEX+0oKyzL9nwzCb_DQ@mail.gmail.com> <5592370E.6070705@si6networks.com> <CAO42Z2xacdABghT5W269V9y3aucmh2QQd6AHNLK+MpsaLzeB8g@mail.gmail.com> <55931DAE.8000701@si6networks.com> <CAO42Z2ywMEfXKSSFeSd5DNvEW4URfmTKvaWgxNw6odXRHWW=Jw@mail.gmail.com> <559378AE.70506@si6networks.com> <CABOxzu0WkrFv9a-jjc7Txzg_ronsMucKXsu_7X+mfHyoVFZz0Q@mail.gmail.com> <559AB1CD.6000605@si6networks.com> <CABOxzu2iy8XBbCDv33ZKoA9VcfFj1f9FfVTv88=fSsM7krxguw@mail.gmail.com> <DM2PR0301MB0655C36E42E9EA90BCB1548DA8930@DM2PR0301MB0655.namprd03.prod.outlook.com> <559AF8D0.405@si6networks.com> <m1ZCnUO-0000G3C@stereo.hq.phicoh.net> <559D87CD.7040707@gmail.com> <559FD485.8080201@innovationslab.net> <55A02DD4.9040501@gmail.com> <CY1PR0301MB064906BB14115F6105FEB38DA89E0@CY1PR0301MB0649.namprd03.prod.outlook.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sat, 11 Jul 2015 16:00:26 +1000
Message-ID: <CAO42Z2w5VyjhnPtMtbZfFwLw9tSMUZRrXYGkStnSrAhSxk7ymQ@mail.gmail.com>
Subject: Re: I-D Action: draft-ietf-6man-default-iids-04.txt
To: Christian Huitema <huitema@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/FoYbipTyx1joBWnaGdVSB5hoTEg>
Cc: Brian Haberman <brian@innovationslab.net>, "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2015 06:00:58 -0000

On 11 July 2015 at 14:13, Christian Huitema <huitema@microsoft.com> wrote:
> On Friday, July 10, 2015 1:41 PM, Brian E Carpenter wrote:
>
>>> How do you see RFC 7217 playing into the above? One of the arguments
>>> for that draft was that network security folks wanted stable, but not
>>> EUI-64-based, IPv6 addresses for things like ACLs. Randomizing MAC
>>> addresses, and then re-generating the corresponding IPv6 addresses,
>>> seems to take us back to the RFC 4941 state-of-the-art.
>>
>> It's a dilemma. As far as I can see, there's a real difference between end-user systems (even
>> within an enterprise network), where privacy arguments might dominate, and servers, where
>> stability and ACL arguments might dominate. I'm thinking that for privacy-sensitive systems,
>> we'll have to use a firewall penetration solution rather than ACLs.
>
> I think we need to educate the enterprise IT managers. Right now, they consider only one facet of the problem, the need to manage a variety of devices. So they make sure that devices have stables addresses, because using these as stable identifiers is very convenient. But then, by doing that, they also facilitate tracking of these device's traffic outside the enterprise, which is the other facet of the problem.  And I am afraid that IT managers are not taking that second facet in consideration.
>
> One possibility is to have devices with different behaviors "inside" and "outside." For example, use a stable MAC address at the office, and a random one on the road. That solves some of the problem, but the stable addresses can still be tracked if the user does TCP connections "from the inside to the outside."
>

I think Multipath TCP would make this a much harder problem when using
mobile multihomed hosts e.g., smartphones. Application MPTCP
connections can survive crossing from "inside" to "outside" and
vice-versa.

A stable "Inside" identifier can be correlated with random "outside"
identifiers either via concurrent MPTCP subflows that use the same 32
bit MPTCP token, across different networks, or when the host's
addresses are announced to the MPTCP peer via MPTCP optons, even if
the "inside" address/identifier isn't reachable by the MPTCP peer.

Using global MAC addresses as asset numbers won't be a reliable as it
used to be, as they're not as globally unique as they would have been
in the past. Based on some research HD Moore did a couple of years
ago, there are more 6 million instances of one "globally unique" MAC
address, and 4 other instances where a "globally unique" MAC address
has been duplicated more and many more than 100 000 times. Summary of
the top 10 occurrences here:

https://www.ietf.org/mail-archive/web/ipv6/current/msg17109.html

It would be more reliable for enterprises to be assigning their own
device asset numbers/identifiers rather than relying on manufacturer
assigned ones. I think it would be best that these asset
numbers/identifiers are at a layer above IP, so that if IP addresses
or MAC addresses change or aren't unique for any reason, the
identity/asset number of the device doesn't change.

Regards,
Mark.







> -- Christian Huitema
>
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email