IETF Logo Mail Archive

Re: ra privacy: an improvement to privacy extension plus source code

Andrew Yourtchenko <ayourtch@gmail.com> Fri, 25 October 2013 22:40 UTC

Return-Path: <ayourtch@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05A7411E819C for <ipv6@ietfa.amsl.com>; Fri, 25 Oct 2013 15:40:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p9+hyRXANOJ4 for <ipv6@ietfa.amsl.com>; Fri, 25 Oct 2013 15:40:06 -0700 (PDT)
Received: from mail-qe0-x22f.google.com (mail-qe0-x22f.google.com [IPv6:2607:f8b0:400d:c02::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 5133021F8411 for <ipv6@ietf.org>; Fri, 25 Oct 2013 15:40:04 -0700 (PDT)
Received: by mail-qe0-f47.google.com with SMTP id b4so2739919qen.20 for <ipv6@ietf.org>; Fri, 25 Oct 2013 15:39:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=UfNIAU7rUsIeETLelXdLEbfvRYAfx50uNGJ6tXt71Rg=; b=RX5L60EsxlLqItRNqvyzZgzMS2KBxlVcnvMyQ0xb4CluXfRR4Ufq21kXWsPctjTC+l sK7yhQvdTG3shCzbO0+rMx/4h2xXIZ+ZRbEicw2BNwWnME7MF1og0uHuetGyo1zrwRB6 qqng9Zw3jID5s4HxdaQvT3zNbCgbNLaKPRIPEX5gFpP2SVUyYfWDSkrGqV+bcnsRdh6X Mnf4CRTDTvwN5+qYErs5KgnMSmgGGyj/7sEip/FGXSSSHyPctK2g2AxeUWD4vakgbC6v yo/XHTvRO6vpJI0iUN67OuY2r5TMcv3rhSepXM0khopTLVFrwJ0ogKuBaNsO2301e0+L mURg==
MIME-Version: 1.0
X-Received: by 10.224.12.207 with SMTP id y15mr14619199qay.101.1382740780946; Fri, 25 Oct 2013 15:39:40 -0700 (PDT)
Received: by 10.96.12.199 with HTTP; Fri, 25 Oct 2013 15:39:40 -0700 (PDT)
In-Reply-To: <008501ced1cf$2fab1620$8f014260$@rozanak.com>
References: <014301cece8a$2b780e20$82682a60$@rozanak.com> <CAPi140PStSx+HDM9rpgVjPed3OFD=gpsXkOdH2HiC7mf350f+Q@mail.gmail.com> <008501ced1cf$2fab1620$8f014260$@rozanak.com>
Date: Sat, 26 Oct 2013 00:39:40 +0200
Message-ID: <CAPi140N-rxv1QaBwiJ=Egp=1162ttWg=iOuFWsCrEOD_YcAwSQ@mail.gmail.com>
Subject: Re: ra privacy: an improvement to privacy extension plus source code
From: Andrew Yourtchenko <ayourtch@gmail.com>
To: Hosnieh Rafiee <ietf@rozanak.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Sun, 27 Oct 2013 08:16:46 -0700
Cc: ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Oct 2013 22:40:13 -0000

Hi Hosnieh,

On 10/26/13, Hosnieh Rafiee <ietf@rozanak.com> wrote:
> Hi Andrew,
> Thanks a lot for taking time to review this
> http://tools.ietf.org/html/draft-rafiee-6man-ra-privacy .
>
>> "- RFC 4941 specifies the use of EUI-64 to generate the public address
>>    of node
>> "
>>
>> I would not agree with this. 4941 refers to 4862 for generating the
>> public
>> address, which in turn suggests to use "interface identifier"
>> when creating a global address, and does not mandate EUI-64 as the only
>> mechanism (as evidenced in some implementations, namely, Windows). The
>> 4291, on the other hand, does talk about EUI-64 *format* but it also
>> specifically mentions the MAC addresses are not necessary to be used. So,
>> IMHO this is not a problem.
>
> I call this the problem because when you have both temporary addresses and
> public/permanent addresses that is generated based on EUI-64 or
> EUI-48(MAC),
> your public address will allow the attackers to track your node.

http://www.ietf.org/id/draft-gont-6man-deprecate-eui64-based-addresses-00.txt
: short and to the point.

>
>>
>> Anyway if the nodes want to use the stable public addresses that are
>> scan-
>> resistant, there is a draft by Fernando Gont which solves this problem.
> I'd
>> rather see you contribute to that one if that solution is not good enough
> you
>> think, rather than having yet another fork.
>
> I guess you missed the point again. That draft generates a stable IID which
> means that the node will have the same IID whenever it is fixed in a same
> network. IPv6 addresses are the public addresses so the node use this
> address to access websites or other data through the internet and this
> address soon will be known to all websites or resources on that this user
> use it. If as a mistake this user also check a resources which belongs to
> an
> attacker. The attacker will have his IP address and this IP never changes
> until the router prefix changes. This actually will not happen at least in
> the short time or it can be permanent.
> So, this allows the attacker to access the information of this user.
> This is why I like privacy extension approach more. Because it also changes
> the IID within the same subnet but in ra-privacy, I explained that if the
> node wants to have this public addresses it should not generate it based on
> EUI-64 or MAC and might change it based on Stable addresses that, at least,
> we can decrease the chance of exposing hardware information.
> The new draft recently sent  "deprecated addresses" actually contains most
> part of information which this draft was addressed and addressing.
>
>

Please re-read the
https://datatracker.ietf.org/doc/draft-ietf-6man-stable-privacy-addresses/?include_text=1.
It solves this problem imho as well.

I like the privacy, but I severely dislike the pain and additional
cost that the frivolous usage of it inflicts on the real-world network
administrators of the large networks.

Read e.g. the http://www.gossamer-threads.com/lists/nsp/ipv6/47882 for
more info.

>
>>    - If the node is changing the physical link, it may keep the IID
>>    already used on the link it is leaving, to form an IPv6 address on
>>    the new link using SLAAC.
>> "
>>
>> This is a problem I agree is a problem, which has been fixed in some
>> implementations; and arguably in the other implementations a bug should
>> be
>> filed "If the prefix changes, the node MUST NOT reuse the already used
>> temporary IID". But, maybe to fix this bug, an update to
>> 4941 could be useful.
>
> You say this fixed in implementation. My question is why we have standards?
> If implementers wants to implement something in whatever way they like,
> then
> I guess we cannot communicate via internet anymore as it would be ruled by
> incompatible systems and we will back to 19 century.
> I am open to suggestions and improve it.

I am saying the node maintaining IID on link change is the only valid
point in this draft in my opinion, no need to argue it :-)

Also I am saying that picking the IID is a node-local decision which
does not affect the communication, and it's not as dramatic as
portrayed above.

IETF is about rough consensus and running code - so if you have
running code and you get rough consensus on this draft being a
positive thing - my opinion does not really count, nor should it - I
was simply stating my reasons for thinking the way I am thinking.

We do not have to agree on everything. I am glad that you found some
of my comments useful.

--a

>
>
>> Fernando's draft also specifies that IID of the "stable addresses"
>> needs to be different on different prefixes, so this problem only applies
> to
>> temporary addresses.
>
> That is true. Ra-privacy has no recommendation about public addresses
> except
> not to use the hardware information or EUI-64 RFC. The recommendation in
> this draft is about temporary addresses and a few explanation of the
> current
> problem with Privacy Extension.
>
>
>>
>> I read the 4941 and I think it is flexible enough allow oneself to both
> shoot
>> oneself in the foot and to make a sane implementation. So I am not sure
> this
>> is a valid problem to solve.
>
> I just noticed some ambiguous words in this RFC. It does not effect on the
> proper implementation but will effect on new implementation of this RFC or
> any bad implementation of this RFC.
>
>> "
>>    - This document also clarifies the use of other algorithm and compare
>>    it with CGA and DHCPv6 when there is no stable storage available. So
>>    that the node may be able to make use of a greatly randomized IID
>>    because, according to section 3.2.2 of RFC 4941, there is nothing to
>>    force the use of RFC 4086.
>> "
>>
>> We had tons of the discussions about the algorithm. I maintain that it
> boils
>> down to:
>
>> "On each link change, take 64 bits of random data and put it into IID.
>> Ensure the random data is good quality".
>>
>> There is a significant body of work on generating good random numbers and
> I
>> do not see this draft contributing anything new to it, in this regard.
>>
>> So, as I support only 1 portion of the draft out of 4, in general I am
> still
>> opposed to it.
>>
>
> Spending time on implementation was only for showing how ra-privacy works
> in
> compare with Privacy extension and how good it can generates random number
> with this suggested algorithm. Test it please and then say it wasn't any
> contribution for generating a good random number.
> Again I am open to good suggestions if you have any.
>
> Thank you,
> -----------smile----------
> Hosnieh
> . success is a journey, not a destination..
> You cannot change your destination overnight, but you can change your
> direction ... Focus on the journey
>
>
>
>

v2.23.0 | Report a Bug | By Email