IETF Logo Mail Archive

Re: 64bit MAC addresses and SLAAC

Fernando Gont <fgont@si6networks.com> Wed, 17 June 2020 15:14 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FBF83A0922 for <ipv6@ietfa.amsl.com>; Wed, 17 Jun 2020 08:14:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vr2bMOFF6McC for <ipv6@ietfa.amsl.com>; Wed, 17 Jun 2020 08:14:10 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E33F93A083A for <ipv6@ietf.org>; Wed, 17 Jun 2020 08:14:09 -0700 (PDT)
Received: from [IPv6:2800:810:464:1f7:e998:ff26:4eb6:2dc9] (unknown [IPv6:2800:810:464:1f7:e998:ff26:4eb6:2dc9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id B2C58280D4E; Wed, 17 Jun 2020 15:14:06 +0000 (UTC)
Subject: Re: 64bit MAC addresses and SLAAC
To: Alexandre Petrescu <alexandre.petrescu@gmail.com>, sarikaya@ieee.org, Bob Hinden <bob.hinden@gmail.com>
Cc: IPv6 List <ipv6@ietf.org>
References: <e8a25961-5ac9-d35e-77dd-bf86f45cd077@gmail.com> <a17ae9f3-001c-07f6-84f9-a0ca583e6a00@gmail.com> <7AE5B6D0-AB01-4077-A9EF-5BD86F428681@gmail.com> <CAC8QAcdDjQvonke7hytV8pCYsTAjATNi560v_b32jus_jDW8bw@mail.gmail.com> <b43a00f5-c957-923a-cef4-ed541ebdb39a@gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <a96f1262-d152-dc09-1c2f-b2604ca21890@si6networks.com>
Date: Wed, 17 Jun 2020 12:13:26 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <b43a00f5-c957-923a-cef4-ed541ebdb39a@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/SQCmzhLxi_hi0MPYWK12S-iY2Zo>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2020 15:14:24 -0000

On 17/6/20 08:16, Alexandre Petrescu wrote:
[....]
> 
> There are many problems with RFC7217 plus RFC8064, among which:
> 
> - RFC8064 recommends simply stable IIDs; to do that it uses RFC7217
>    which defines stables IIDs _within_ a subnet.  That is an
>    inconsistency.  A stable IID with a stable prefix is often needed for
>    mobility, and, a same IID within distinct prefixes might ease
>    administration; yet none of these two aspects seems mentioned.

RFC8064 describes desired properties for stable addresses. RFC7217 
specifies an algorithm that allows the generation of addresses with such 
properties.

TL;DR : RFC7217 aims at producing IIDs that are stable within the same 
network, but that change as the node moves to other networks.

The case of "same IID with distinct prefixes" is the same as using the 
same IID as the host moves from one network to another. And that's quite 
bad for privacy. PLease see RFC7721.


> - neither RFC8064 nor RFC7217 mention the use of random numbers in MAC
>    addresses.  Yet that is implemented in Windows at least.

It doesn't, and it shouldn't. If you randomize MAC addresses, you may 
want to use temporary-only. rfc4941bis allows you to do that.


> - RFC8064 is somehow not implemented in linux, even though linux does
>    offer privacy IIDs.

Quite the contrary: Linux was the first implementation of RFC7217. 
RFC7217 is currently implemented in virtually all (*) host operating 
systems, including Mac OS, OpenBSD, and virtually all LInux distributions.

There's a Linux kernel implementation, plus an implementation in 
systemd-networkd, NetworkManager, and dhcpcd.


>  The part of RFC8064 that is not implemented in
>    linux is the part that says that the IID length can be anything and
>    not necessarily 64.

You are misreading RFC7217. RFC7217 simply says that the algorithm is 
not tied to any specific prefix length -- which, if one looks at the 
algorithm, should be evident. That said, the addressing architecture 
calls for 64-bit IIDs.



> Because of these reasons, generally speaking about SLAAC and IID
> generation, there might still be other necessary ways to generate IIDs
> than just 64bit random IIDs.  Easy to remember IIDs, same IIDs for
> distinct interfaces, are a couple of new potential rules that come to mind.
> 
> If so, probably the easiness of generating IP addresses containing MAC
> addresses might also be a good idea in some context: just copy paste the
> 64bit (random) MAC address to the last 8 bytes of the IP address.

RFC8064 says you shouldn't. But, as "SHOULD/SHOULD NOTs" go, you may 
behave otherwise if you feel you know better.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email