Review of draft-ietf-6man-stable-privacy-addresses-16.txt
Thomas Narten <narten@us.ibm.com> Wed, 22 January 2014 18:36 UTC
Return-Path: <narten@us.ibm.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B9E81A018B for <ipv6@ietfa.amsl.com>; Wed, 22 Jan 2014 10:36:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.436
X-Spam-Level:
X-Spam-Status: No, score=-7.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ni_OcXKXlwVm for <ipv6@ietfa.amsl.com>; Wed, 22 Jan 2014 10:36:22 -0800 (PST)
Received: from e8.ny.us.ibm.com (e8.ny.us.ibm.com [32.97.182.138]) by ietfa.amsl.com (Postfix) with ESMTP id 98C241A01D9 for <ipv6@ietf.org>; Wed, 22 Jan 2014 10:36:11 -0800 (PST)
Received: from /spool/local by e8.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <ipv6@ietf.org> from <narten@us.ibm.com>; Wed, 22 Jan 2014 13:36:09 -0500
Received: from d01dlp02.pok.ibm.com (9.56.250.167) by e8.ny.us.ibm.com (192.168.1.108) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 22 Jan 2014 13:36:08 -0500
Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by d01dlp02.pok.ibm.com (Postfix) with ESMTP id 1BFCA6E8048 for <ipv6@ietf.org>; Wed, 22 Jan 2014 13:36:04 -0500 (EST)
Received: from d01av01.pok.ibm.com (d01av01.pok.ibm.com [9.56.224.215]) by b01cxnp22034.gho.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id s0MIa84S9044262 for <ipv6@ietf.org>; Wed, 22 Jan 2014 18:36:08 GMT
Received: from d01av01.pok.ibm.com (localhost [127.0.0.1]) by d01av01.pok.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id s0MIa7KA030688 for <ipv6@ietf.org>; Wed, 22 Jan 2014 13:36:07 -0500
Received: from cichlid.raleigh.ibm.com (sig-9-65-92-95.mts.ibm.com [9.65.92.95]) by d01av01.pok.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id s0MIa6aL030636 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipv6@ietf.org>; Wed, 22 Jan 2014 13:36:07 -0500
Received: from cichlid.raleigh.ibm.com.us.ibm.com (localhost [127.0.0.1]) by cichlid.raleigh.ibm.com (8.14.4/8.12.5) with ESMTP id s0MIa5lo002885 for <ipv6@ietf.org>; Wed, 22 Jan 2014 13:36:05 -0500
Date: Wed, 22 Jan 2014 13:36:05 -0500
Message-ID: <m31tzzamp6.wl%narten@us.ibm.com>
From: Thomas Narten <narten@us.ibm.com>
To: ipv6@ietf.org
Subject: Review of draft-ietf-6man-stable-privacy-addresses-16.txt
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (Gojō) APEL/10.8 EasyPG/1.0.0 Emacs/23.1 (x86_64-redhat-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 14012218-0320-0000-0000-000002429F5C
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2014 18:36:26 -0000
Note: I haven't been following this work and haven't read the document since its initial version. Overall, I think this document is a good thing and should move forward. I have a number of general comments. First, I'm surprised this document doesn't reference any of the DNA work (RFC 4436 & 6059). That work is all about determining whether you've attached to the same network as one you've attached to before and reusing the same network parameters if you do. Given that this document is about using the same IID when connecting to the same network... This seems like an oversight. I.e., shouldn't some of the same approaches for determining what network you are on be leveraged? Two things come to mind. If you have stable storage (and many devices do), it makes sense to just cache the addresses instead of regenerating them. DNA does this. Seems like that option should be allowed. (the current document suggests saving the number of DAD iterations in stable storage... why do that if you can just save the address itself?) Second, DNA also has recommendations for detecting when you (re)connect to a network you visited before. That is pretty much the same thing this spec needs to do in order to generate the same addresses when connecting to a previously visited network (i.e., the Network_ID paramater). For the wired case (i.e, no SSID), DNA suggests using the linklayer/linklocal address pair of routers to identify a link. This document might suggest doing the same thing. Seems this spec might benefit from a clearer applicability statement. There seem to be two motivations for the document: 1) mitigate off-site scanning attacks and 2) making it harder to track devices that move. The second item seems of interest (only) to personally owned devices, those that are typically owned by a single user and are (at least somewhat) mobile. For other types of devices (e.g., those typically found in data centers), I suspect this motivation is not compelling. I think it would be good to make this more clear. On mitigating address scanning attacks, that will be of interest to some folk. But I suspect there are others that won't care all that much. What I think this spec should be clear about is that it is optional, and give guidance for those scenarios where it is potentially useful. Finally, I want to raise a generic issue that applies to this document, but really is a general problem. The document adds a random delay between 0 and IDGEN_DELAY in order to avoid lock-step behavior. While that is a good thing, Using IDGEN_DELAY of 1 second is pretty long for some network technologies (think data center with 10G or higher interfaces). I wonder if we should stop using constants that are fixed and make them more dependent on actual network technology. E.g., 1 second seems OK for WiFi, but not for 10G. Likewise, should you ever stop trying to configure an address if you keep getting DAD failures? I'm of two minds. Going forward, it becomes increasingly painful to require operator intervention to "fix" something that isn't working. That argues for never giving up. But what should happen then is some sort of exponential backoff should be used to ensure that retries happen infrequently, so as not to cause network problems. The current text says: > We also > note that hosts MUST limit the number of tentative addresses that are > tried (rather than indefinitely try a new tentative address until the > conflict is resolved). But that is pretty vague advice. That all said, if you have a device with a (broken) implementation, having it try over and over again makes no sense either. Editorial comments: > However, implementations conforming to > this specification MAY employ the algorithm specified in [RFC4941] to > generate temporary addresses in addition to the addresses generated > with the algorithm specified in this document. reword to say something like "MAY employ other alogorithms for generating additional temporary addresses (e.g., RFC4941])." The MAY should make it clear that other approaches are allowed, with 4941 being one example. Rather than suggesting only that RFC4941 MAY be implemented. Network_ID: Some network specific data that identifies the subnet to which this interface is attached. For example the IEEE 802.11 Service Set Identifier (SSID) corresponding to the network to which this interface is associated. This parameter is OPTIONAL. RFC6059 (DNAv6) may be useful here. It has the notion of identifying a link by a combination of the routers Link-local + Link Layer address. Local Addresses (ULAs). In those scenarios where the Network_ID is unknown to the attacker, including this parameter might help mitigate attacks where a victim node connects to the same subnet as the attacker, and the attacker tries to learn the Interface Identifier used by the victim node for a remote network (see Section 9 for further details). add reference to ULAs on first use of term. Finally, we note that all of the bits in the resulting Interface IDs are treated as "opaque" bits [I-D.ietf-6man-ug]. For example, the universal/local bit of Modified EUI-64 format identifiers is treated as any other bit of such identifier. In theory, this might result in Duplicate Address Detection (DAD) failures that would otherwise not be encountered. However, this is not deemed as a real issue, because of the following considerations: Wording is awkward about DAD failures...wording suggests the problem is DAD. Actually, the problem is that failures lead to duplicate addresses -- that is the real issue. That DAD catches them is a good thing. NEW TEXT: In theory, this might result in address formation collisions and Duplicate Address Detection (DAD) failures that would otherwise not be encountered. However, this is not deemed as a real issue, because of the following considerations: also, s/real issue/likely issue/ It will be a very "real" issue when it happens, e.g., as it likely will when implementations mess up! o Since some popular and widely-deployed operating systems (such as Microsoft Windows) do not employ unique hardware addresses for the Interface IDs of their stable addresses, reliance on such unique identifiers is more reduced in the deployed world (fewer deployed systems rely on them for the avoidance of address collisions). wording is awkward. what are "unique hardware addresses"? Do you mean standard SLAAC? Also, what are you trying to say above? that because windows doesn't do SLAAC, and things didn't break, something isn't an issue? That's not much of a justification, and should maybe just be deleted. This procedure may be repeated a number of times until the address conflict is resolved. Hosts SHOULD try at least IDGEN_RETRIES (see Section 7) tentative addresses if DAD fails for successive generated addresses, in the hopes of resolving the address conflict. We also note that hosts MUST limit the number of tentative addresses that are tried (rather than indefinitely try a new tentative address until the conflict is resolved). wonder if it would be better to specify some rate limiting that makes sense. In those unlikely scenarios in which duplicate addresses are detected and in which the order in which the conflicting nodes configure their addresses may vary (e.g., because they may be bootstrapped in different order), the algorithm specified in this section for resolving DAD conflicts could lead to addresses that are not stable within the same subnet. In order to mitigate this potential problem, nodes MAY record the DAD_Counter value employed for a specific {Prefix, Net_Iface, Network_ID} tuple in non-volatile memory, such that the same DAD_Counter value is employed when configuring an address for the same Prefix and subnet at any other point in time. if you have non-volatle memory, wouldn't it just make more sense to save the address you generated before? I.e., that is what DNA does... In the event that a DAD conflict cannot be solved (possibly after trying a number of different addresses), address configuration would fail. In those scenarios, nodes MUST NOT automatically fall back to employing other algorithms for generating Interface Identifiers. why not? Hosts SHOULD introduce a random delay between 0 and IDGEN_DELAY seconds (see Section 7) before trying a new tentative address, to avoid lock-step behavior of multiple hosts. IDGEN_DELAY of 1 sec is too long for some network technologies. Need to put in a reference to ULA spec.
- Review of draft-ietf-6man-stable-privacy-addresse… Thomas Narten
- Re: Review of draft-ietf-6man-stable-privacy-addr… Fernando Gont