Re: rfc4941bis: trying to keep focus

Gyan Mishra <> Sun, 02 February 2020 02:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 64E501201C6 for <>; Sat, 1 Feb 2020 18:06:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MQTt2-VIfgnB for <>; Sat, 1 Feb 2020 18:06:25 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E6B871201AA for <>; Sat, 1 Feb 2020 18:06:24 -0800 (PST)
Received: by with SMTP id f5so9637707ilq.5 for <>; Sat, 01 Feb 2020 18:06:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qSR6mAvSOsJD1fwAmzNQGDD43t5mMgvUiQ0qYM4DbHM=; b=We4tWUGqznFcZUmgym+tEQ4h3qZkNHc2VVBmyygrIIWsuP7bkLCjTc0YqA02oLqW1/ yUH8NEa9MQ+5wLtJ3zP9plGIWQXlrJ52rHCqRXobg2iynmuSC6HTuPlyg4QXZAIPpuwu aMlT2XQbqJS14rH3usJDx+kfXa/zHCu8UTGuwt8JBwZfbLlNusBiHZjcSD9N9I5l2KBR EPSmYTwi9rmuHa3NdrZmcWVoTgR9+eujLSU75zHFqldMS5AqH/WDi2Xl6oBQ+kh9Dq26 t0BXKVgEUJsDBlL6vN0PoOakswVP+KLinEwSo1ow3RxXLHQrQkuSyLqnTUJPQSMONQuM yevw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qSR6mAvSOsJD1fwAmzNQGDD43t5mMgvUiQ0qYM4DbHM=; b=DbqNbzvTjyWocmOXfpZGI160dAQDBqI+4HtqnBeEvAZtrKOtQ5WS5GhT+ImW8U/9ZQ UHK8x0eTDXXaV50hp+F2mMCiIHZtYGEMLigw9L2b8LzYljnbRHqjGsS5ZqwrWoVJQlln bISmj7w+yki+vZYZeqvRMT6lqkaZ+mcvxNbvAshtorD07fgcuM2x/Mw1GDadox21fldv 0nzPaNM0YYK8bUK9mfoo/2KX1okZcaG6k5HF/xF0a+jy9NEIrDA1d71T05EJohqYZmkw VtNFFodWyARM9W+AVFQIuo6khpQC9hf8+0jkiLtpYA891fyqMpSKVfq+tP0BXkABeWJ0 CG6Q==
X-Gm-Message-State: APjAAAWJdsG51oCTPHEmr4r7M24hdpnzv3l67zA83FbWFNSnzOMjSwCO 7kWhKaASYkxIWZ6YvEBYErJ2MzYIFLBqKPGo9d0=
X-Google-Smtp-Source: APXvYqwPwlTDUf3TtHmhLF5GKKAzOhh+lZGpj1y8qWKzMq/FsRMIcat7Xjrur4aA4MPNy4EAxh22212YONZN05Bsofc=
X-Received: by 2002:a92:4e:: with SMTP id 75mr15857891ila.276.1580609184203; Sat, 01 Feb 2020 18:06:24 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Gyan Mishra <>
Date: Sat, 1 Feb 2020 21:05:54 -0500
Message-ID: <>
Subject: Re: rfc4941bis: trying to keep focus
To: Lorenzo Colitti <>
Cc: "" <>, Fernando Gont <>
Content-Type: multipart/alternative; boundary="000000000000f408c0059d8e406c"
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 02 Feb 2020 02:06:28 -0000

On Sat, Feb 1, 2020 at 8:31 PM Gyan Mishra <> wrote:

> On Sat, Feb 1, 2020 at 5:20 PM Gyan Mishra <> wrote:
>> Fernando
>> I agree as well with Lorenzo that we should be able to come to consensus
>> on moving forward with RFC 4941bis.
>> I understand that in the post Snowden era that privacy and pervasive
>> monitoring is an IETF objective per RFC 7258 that we have to be cognizant
>> of across the board.
>> From a personal privacy perspective use case connected to the internet on
>> your home broadband connection or anywhere, you want to limit or eliminate
>>  ease of pervasive monitoring ; given that sophisticated pervasive
>> monitoring or attacks will require an IPv6 TOR capability or a anonymity
>> provider NAT bridge discussed in some of the threads, of course that is out
>> of scope for this document but valid concerns.
>> From an enterprise IT security perspective, with regard to long lived
>> connections, we would still have the option to disable the temporary
>> address even with RFC 4941bis if you want a “stable” random address.  That
>> option could be used if desired,  if the host endpoints are “owned” by the
>> corporation and are in fact not mobile and remains permanently in the
>> office .  If the employee owned or private mobile endpoint is used at the
>> office and taken home or also shared use for “personal” use as well ; the
>> recommendation would be to not disable the temporary address.  For all the
>> use cases described above, from an operations perspective, limiting the
>> valid lifetime down from 7 days to 2 days - drastically reduces the maximum
>> number of depreciated addresses from 7 down to 2. That is a huge
>> operational gain that will help enterprises as far as troubleshooting and
>> availability and MTTR ( mean time to recovery).
>> Another point as far as “stable” address from an enterprise operations
>> and MTTR perspective, even though you could a maximum of 7 temporary
>> addresses for outgoing connections, 1 stable for incoming connections, link
>> local for ND/RA communications ; total of 9 addresses per RA slaac address-
>>  For “client host” only the one (preferred) is used.  There maybe home or
>> enterprise use cases where you are sharing your local drive for
>> peer-to-peer communications - moreso with home versus enterprise use case.
>> As a happy medium for the enterprise versus home user connected directly
>> to the internet the following:
>> 1. Temporary address enabled by Default
>> 2.  Valid lifetime change form 7 to 2
>> 3.  Allow the ability to disable the temporary address if desired.
>  I was thinking further about the valid lifetime and other then the user
> or network administrator knowing history state values what other use does
> that provide.
> The preferred life time is the most important from a stable address
> perspective as how long an address can be used before it is deprecated.
> Also the preferred lifetime provides the privacy temporary address
>  expiration time of when the address will change.  So if we make valid and
> preferred set to 1 day we would not have any deprecated address and only
> one preferred address.
> From an operations standpoint per slaac address we now only have LL +
> temporary and stable address a total of 3 at any given time.
> What do you think and is that even feasible??
> From a network perspective the ND cache is monitored by the enterprise or
> provider perspective in order to meet SLA agreements for 99.99%
> availability ; so the operators can correlate your Mac to all your
> historical Privacy addresses easily.  For both enterprises and service
> providers networks,  all links are monitored and have sniffer active and
> passive in line or Y cable sniffer taps which is network engineering
> requirement for any network.  This is a requirement for troubleshooting and
> being able to isolate rouge ports and partition offenders off the network
> by disabling their port.  This is also done by enterprise operators to be
> able to monitor employee network activity as the network resources are only
> allowed to be used for work related and not personal activity.  Similarly
> service provider operators have to monitor all links and ND cache as well
> for LFA for criminal activity.  Side effect of that is impacts we have seen
> from disclosures from Snowden related to wire tapping and subsequent
> publishing of RFC 7258.   So monitoring is always present and has been from
> Day 1 and its a requirement that will never go away from a network
> engineering and operations perspective.  It’s something we have to be
> cognizant off as to reasons why it’s there and not just the “privacy”
> aspect that all monitoring is bad and sometimes that should be eliminated
> as its an invasion of privacy ; as per reasons given removal of monitoring
> will never be possible or an option.
> Also no matter how often you change your address lowering the preferred
> lifetime, since the ND cache is kept in a database saved ; correlation can
> be done to your MAC address easily and all the historical IPV6 addresses
> you have ever used.

   Another thought ...

   Network operators both enterprises and service providers are required to
tap “wire tap” all links and monitoring of all network traffic on their
network which is a requirement from an operations perspective to run a

So the “wire tap” data is there for troubleshooting network issues and
providing SLA to customers.

The government and LFA require service provider operators to save so many
days worth of data for forensic analysis for crime fighting.  So the data
is being already captured and saved and all the data mining is already done
by the operators.  So LFA is really if you think about it is protecting you
by invading your privacy and using the data for crime fighting so that a
perpetrator that spoofs your cable modem IP does not use that IP turn
around to commit a crime now called “ip address identity theft”.  In the
aftermath of Snowden it feels terrible that your every move is being

This goes a lot deeper with social media and FB etc gathering your data all
your habits and your personality and know more about you then you know
about yourself.  Scary for sure.  I think that is the privacy that we need
to be after gaining back and not IP address privacy.

So which one is worse:

a. Monitoring and invasion of privacy as a “sidr effect”by LFA to help
catch criminals
b.  Catching a criminal that stole your IP to hack into Walmart POS system
and pin the crime on you.

>> Gyan
>> On Fri, Jan 31, 2020 at 3:44 AM Lorenzo Colitti <lorenzo=
>>> wrote:
>>> Fernando,
>>> I agree with all your points. I don't think it's a good idea to pause or
>>> derail this update because of more general concerns that some participants
>>> have with temporary addresses in general or with SLAAC in general.
>>> Temporary addresses have been extremely widely deployed for many years, and
>>> it seems unlikely that we would degrade them to historic, or that
>>> implementers would stop implementing them. If there are bugs in RFC 4941
>>> that impact user privacy, and we can fix them, then we should absolutely do
>>> so, and do so sooner rather than later.
>>> Cheers,
>>> Lorenzo
>>> On Fri, Jan 31, 2020 at 5:51 AM Fernando Gont <>
>>> wrote:
>>>> Folks,
>>>> I'm trying to summarize what I've seen as part of the recent discussion
>>>> about (or at least triggered by) rfc4941bis.
>>>> First, let me give the (obvious) context:
>>>> rfc4941bis is meant, for the most part, to address flaws in RFC4941 --
>>>> RFC4941 is a Standards Track document, already. rfc4941bis is not
>>>> proposing or introducing temporary addresses, but simply addressing
>>>> flows in the scheme *we already have* (which is widely deployed).
>>>> Now, let's move to the main topics of this discussion:
>>>> 1) "temporary addresses results in too many addresses"
>>>> This is not a problem araising from RFC4941, but a problem with SLAAC.
>>>> In SLAAC, routers offer network configuration information, and hosts
>>>> do... what they virtually please.
>>>> Routers could also advertise many different prefixes on the same link,
>>>> leading to many addresses. Hosts could also manually configure lots of
>>>> addresses.  An OS might also provide a proprietary interface for
>>>> proprietary apps to request "one address per flow".
>>>> Given a sufficient number of prefixes and hosts, this may get to a
>>>> point
>>>> where implementation limits such as the maximum number of NCE may be
>>>> hit.
>>>> If folks are concerned about the maximum number of addresses that may
>>>> be
>>>> employed in a network (a valid concern), then I guess energy should be
>>>> spent on how to address this general issue of SLAAC, *in SLAAC*, as
>>>> opposed to simply bother about one of the many possible ways in which a
>>>> host may configure addresses.
>>>> I'd note that we have a BCP (RFC7934) about the topic of "number of
>>>> addresses". In the typical/default case, RFC4941 will lead to a maximum
>>>> of 7 addresses per host. In the context of RFC7934, I guess being able
>>>> to handle 7 addresses per host is the least one could expect. I do
>>>> understand that some systems can't handle them (given a sufficient
>>>> number of hosts). Maybe we need to send a signal to router vendors.
>>>> Maybe a few thousand entries in the NC is way too IPv4ish? All these
>>>> issues are worth discussing... but they are issues with SLAAC or ipv6
>>>> network configuration, and not with RFC4941.
>>>> That said, and given recent feedback, it seems sensible to reduce the
>>>> preferred lifetime and valid lifetime of temporary addresses to 1 day
>>>> and 2 days, respectively. This would result in one preferred and one
>>>> deprecated temporary addresses (as opposed to 1 preferred and 6
>>>> deprecated addresses resulting from RFC4941).
>>>> 2) The value of temporary addresses
>>>> As noted above, one would assume that since RFC4941 has not been
>>>> deprecated, there is consensus that RFC4941 provides value in the area
>>>> of privacy.
>>>> Everytime you reuse an identifier, it leaks information. Temporary
>>>> addresses reduce the address lifetime, and hence limit the amount of
>>>> time you reuse an identifier. That's an improvement. And it is a
>>>> middleground between not using temporary addresses (and hence resuse
>>>> the
>>>> same identifier forever) or doing "one address per flow" which, while
>>>> interesting, would take the number of addresses employed in any network
>>>> to another dimension. As such (a middle-ground), it can't be expected
>>>> to
>>>> be perfect.
>>>> Temporary addresses are meant employed for outgoing connections. Maybe
>>>> RFC4941 should provide stronger hints or even recommendations that this
>>>> use mode is enforced. For connection-oriented transport protocols, the
>>>> concept is straightforward. For stateless protocols, not so much.
>>>> But even if this mode is enforced for connection-oriented transport
>>>> protocols, this would make temporary addresses reduce host exposure
>>>> quite a lot. This is another area where temporary addresses have value.
>>>> That said, I'm not sure to what extent it makes sense to argue about
>>>> the
>>>> value of temporary addresses in the context of *this* document. If we
>>>> take the to extreme possible outcomes:
>>>> * we don't publish rfc4941bis, and we keep a flawed RFC4941
>>>> * we publish rfc4941bis, and have an improved version of rfc4941
>>>> Only one of these options will improve RFC4941, and none of them will
>>>> obsolete rfc4941.
>>>> 3) Should temporary addresses be enabled by default?
>>>> One would assume that since RFC4941 has not been deprecated, there is
>>>> consensus that RFC4941 provides value in the area of privacy.
>>>> In that sense, and in the context of RFC7258, I believe it would be a
>>>> hard case to make to have temporary addresses disabled by default.
>>>> I do believe some network might want to disable them. That would
>>>> require
>>>> the network to be able to convey this policy to hosts. This was tried
>>>> (draft-gont-6man-managing-slaac-policy) and rejected ten years ago.
>>>> I believe that, at least in the absence of policy, and in the context
>>>> of
>>>> RFC7258, it is sensible for the default to be "on".
>>>> Besides, in a post-Snowden era, I believe we'd nevertheless have a hard
>>>> time recommending OS vendors to disable them by default.
>>>> Thanks!
>>>> Cheers,
>>>> --
>>>> Fernando Gont
>>>> SI6 Networks
>>>> e-mail:
>>>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> Administrative Requests:
>>>> --------------------------------------------------------------------
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> Administrative Requests:
>>> --------------------------------------------------------------------
>> --
>> Gyan  Mishra
>> Network Engineering & Technology
>> Verizon
>> Silver Spring, MD 20904
>> Phone: 301 502-1347
>> Email:
>> --
> Gyan  Mishra
> Network Engineering & Technology
> Verizon
> Silver Spring, MD 20904
> Phone: 301 502-1347
> Email:
> --

Gyan  Mishra

Network Engineering & Technology


Silver Spring, MD 20904

Phone: 301 502-1347