IETF Logo Mail Archive

Re: Comments on draft-ietf-6man-default-iids-01.txt

Kerry Lynn <kerlyn@ieee.org> Tue, 11 November 2014 22:25 UTC

Return-Path: <kerlyn2001@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0D0C1A6F13 for <ipv6@ietfa.amsl.com>; Tue, 11 Nov 2014 14:25:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.027
X-Spam-Level:
X-Spam-Status: No, score=-1.027 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bmg_7J18wq6k for <ipv6@ietfa.amsl.com>; Tue, 11 Nov 2014 14:25:24 -0800 (PST)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A54FC1A6F0B for <ipv6@ietf.org>; Tue, 11 Nov 2014 14:25:24 -0800 (PST)
Received: by mail-oi0-f43.google.com with SMTP id e131so7704123oig.2 for <ipv6@ietf.org>; Tue, 11 Nov 2014 14:25:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=S6wKJ9se61zNrsKZoT4HOJhROYZSLLHUURupaqHw1Fs=; b=Zma6uFAh1KI3FEyYJlPXqyz4ZLzv8diEkEOsmKEjOg2ydaybjEtYB41ji4n7UUpcb0 8Gfa6YGgdQifKzi9MMfi1E1+z58p7CLAO4NDV+BmGW4Do6KV0e+Wa52naOoY9rvUXAEu eg4bIZ62R58s7U4MBWclQ83awIbWJ71jMV8JLZHCH9FwvJEb+nQSs5GuEs1CAdZpHIVV zhS+upxbAgxs9i4RM8FwLw8kI6K1jJ5XlxjGvkqcCyHS9BgBpUi8ix2kzuWOOf0awSYG gxIiqMe0DFNcuL9nVRtKfj56/exVnythMnvXldE/NvuSX798GdM0q/YFtXoZS5YhQcGt 79eA==
MIME-Version: 1.0
X-Received: by 10.60.94.73 with SMTP id da9mr35165015oeb.10.1415744723806; Tue, 11 Nov 2014 14:25:23 -0800 (PST)
Sender: kerlyn2001@gmail.com
Received: by 10.60.145.228 with HTTP; Tue, 11 Nov 2014 14:25:23 -0800 (PST)
In-Reply-To: <54618654.1060906@si6networks.com>
References: <8676AC11-85F1-4E58-9871-43FD04C89AB8@cisco.com> <54618654.1060906@si6networks.com>
Date: Tue, 11 Nov 2014 17:25:23 -0500
X-Google-Sender-Auth: p3o5is98n81p85KkdtgGucSo88s
Message-ID: <CABOxzu3-38B=32swvtbSqx+oJ0JFb+ZbHQQuNHBA-h2j=-Bmcg@mail.gmail.com>
Subject: Re: Comments on draft-ietf-6man-default-iids-01.txt
From: Kerry Lynn <kerlyn@ieee.org>
To: Fernando Gont <fgont@si6networks.com>
Content-Type: multipart/alternative; boundary="089e012291765af8a905079cc130"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipv6/I12BM86AU9HUB7MczpWxDPMo5k0
Cc: "draft-ietf-6man-default-iids@tools.ietf.org" <draft-ietf-6man-default-iids@tools.ietf.org>, 6man WG <ipv6@ietf.org>, "Ralph Droms (rdroms)" <rdroms@cisco.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 22:25:27 -0000

Fernando,

Comments inline...

On Mon, Nov 10, 2014 at 10:45 PM, Fernando Gont <fgont@si6networks.com>
wrote:

> Hi, Ralph,
>
> Thanks so much for your feedback! (and apologies for the delay in my
> response)...
>
> On 10/27/2014 08:03 AM, Ralph Droms (rdroms) wrote:
> > In this document, I think it is important to be explicit about the
> > considerations that might lead to a decision not to follow the RFC
> > 2119 language recommendations in this document.  My immediate concern
> > is the 6LoWPAN standards, which use IIDs based on hardware addresses
> > as a method for IPv6 header compression.
>
> My personal take (also rather off-topic, you might argue) is that while
> the MAC address has been typically embedded in the IID, one cannot
> really (architecturally speaking) expect that to be the case. -- but
> yes, this is kind of off-topic.
>
> Have you read RFC 6282?  IPHC compression efficiency is *based* on the
idea that redundant information appears in both the L2 and L3 (IPv6) header
address fields and may be elided from the latter.

Having said that, some link technologies (e.g. 802.15.4) allow for
dynamically
assigned short-form identifiers assigned by a local coordinator.  Greater
IPHC compression efficiency is realized in this case.  In terms of your
concerns, short L2 addresses may make address scanning easier but
mitigate node tracking (since a device will get a different identifier when
it
changes networks) and device-specific attacks (since OUI is absent).

In general, we need to distinguish between L2 addresses (which may be
dynamic) and "hardware" addresses (which I take to mean EUI-64 or
Modified EUI-64 Format addresses formed from MAC-48 addresses).

>
>
> > As an editorial detail, the document lists the various RFCs that are
> > update, but does not explicitly state what is to be updated in those
> > documents.  While the updates could be reasonably inferred, seems to
> > me an explicit statement about what is to be updated would be good.
>
> Essentially, what we're updating is how Interface IDs should be
> generated for such technologies. Quoting the text to be replaced would
> make this document ugly... mm.. maybe just mention the relevant
> section(s)? Something else?
>
> (i.e., I understand your point, but do not (yet) see a cleaner way to do
> that than the one (rather vague, if you want) that we're currently
> employing) -- i.e., ideas are welcome.
>
> It was raised by Carsten in 6lo that we have to be more specific regarding
the use of the term "hardware address".  To discuss one 6lo proposal with
which I am intimately familiar (draft-ietf-6lo-6lobac), MS/TP master nodes
effectively have a 7-bit hardware address.  This is right-justified in a
field
of zeros to create a 16-bit short-form identifier, which is then converted
to
a 64-bit Modified EUI-64 Format IID (just as in RFC 4944).  Why?  It's
designed
to work with IPHC.  My point is that not all hardware addresses are EUI-64s
and not all L2 address are hardware addresses, so let's be more precise in
our
language and in our recommendations.

>
>
> > With those comments in mind, I'll suggest the following text
> > changes:
> >
> > In section 1, add this paragraph before the "NOTE":
> >
> > In some network technologies and adaptation layers, the use of an IID
> > based on a hardware address offers some advantages.  For example, the
> > IP-over-IEEE802.15.4 standard in RFC6775 allows for compression of
> > IPv6 addresses when the IID the address is based on the corresponding
> > hardware address.  The design and engineering tradeoffs between
> > security and privacy, and network efficiency should be considered in
> > any decision about the use of an IID based on a hardware address.
>
> I'm personally fine with haing an exception for say 6775 and similar
> technologies. However, as noted above, I'm not sure I'd state it as
> suggested - i.e., trading efficiency for security & privacy.
>
> It's actually trading cost for security and privacy.  Legacy technologies
like
MS/TP are designed to run on any micro-controller that has a UART, a 5 ms
resolution timer, and an RS-485 driver.  These technologies compete in very
cost-sensitive markets.  The system designer is making a conscious decision
to place security features elsewhere, e.g. in gateways. If privacy is a
concern
they can specify a more capable processor, more memory, and a different link
technology - but only of the customers will pay for it.

>
>
> > Replace section 3 with:
> >
> > It is RECOMMENDED by this document that nodes implement and employ
> > RFC 7217 as the default scheme for generating stable IPv6 addresses
> > with SLAAC.  Some specifications MAY use a an IID based on a node's
> > hardware address if design and engineering considerations warrant.
> >
> > It is RECOMMENDED by this document that nodes do not employ IPv6
> > address generation schemes that embed the underlying hardware address
> > in the Interface Identifier.  In particular, this document RECOMMENDS
> > that nodes do not generate Interface Identifiers with the schemes
> > specified in [RFC2464], [RFC2467], [RFC2470], [RFC2491], [RFC2492],
> > [RFC2497], [RFC2590], [RFC3146], [RFC3572], [RFC4338], [RFC4391],
> > [RFC5121], and [RFC5072], and updates those documents with this
> > recommendation.
> >
> > It is RECOMMENDED by this document that future specifications no not
> > specify IPv6 address generation schemes that embed the underlying
> > hardware address in the Interface Identifier. Future specifications
> > MAY use a an IID based on a node's hardware address if design and
> > engineering considerations warrant.
>
> Overall, the above seem fine to me. What do other folks think?
>
> As long as it remains RECOMMENDED and not a SHALL, I have no major
issue (implementers may follow the recommendation, or not, according to
their particular threat analyses).

Regards, Kerry

>
>
> > In section 4, replace the last paragraph with:
> >
> > Future revisions or updates of these documents should take the issues
> > of privacy and security mentioned in section 1 and explain any design
> > and engineering considerations that lead to the use of IIDs based on
> > a node's hardware address.
>
> This seems fine, too.
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email