IETF Logo Mail Archive

Re: 6man w.g. last call for <draft-ietf-6man-default-iids-11.txt>

Fernando Gont <fgont@si6networks.com> Wed, 18 May 2016 00:24 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61D3312D548 for <ipv6@ietfa.amsl.com>; Tue, 17 May 2016 17:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.358
X-Spam-Level:
X-Spam-Status: No, score=-0.358 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_06_12=1.543, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tv-LiMbgkt6t for <ipv6@ietfa.amsl.com>; Tue, 17 May 2016 17:24:54 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87F1812DAF4 for <ipv6@ietf.org>; Tue, 17 May 2016 17:24:54 -0700 (PDT)
Received: from [100.68.251.15] (unknown [152.206.104.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 8631282886; Wed, 18 May 2016 02:24:48 +0200 (CEST)
Subject: Re: 6man w.g. last call for <draft-ietf-6man-default-iids-11.txt>
To: Lorenzo Colitti <lorenzo@google.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>
References: <20160428004904.25189.43047.idtracker@ietfa.amsl.com> <89CA2C18-AE61-4D40-8997-221201835944@gmail.com> <6f2edbbc-d208-03a0-3c33-503a05c0bee8@gmail.com> <CAKD1Yr1So_tFFSr=sk8ew-UJG-dWK=U6N9mwJnwkZdNX=__SVQ@mail.gmail.com> <11cf3f90-e693-a640-a372-f419a8f7a1a0@gmail.com> <CAKD1Yr0OPuSmp-OWG-+ZjDsHucQYTG2PMZw7jdiU=4kQqK+tyQ@mail.gmail.com> <663debf7-cfba-b19b-92ef-89cc66b452d8@gmail.com> <CAKD1Yr2Km2A6XO8nvNv31Ti_Rr2j4gse1KLadJPcrgFMKyzszw@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <573B3BA8.70803@si6networks.com>
Date: Tue, 17 May 2016 11:41:28 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <CAKD1Yr2Km2A6XO8nvNv31Ti_Rr2j4gse1KLadJPcrgFMKyzszw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/UlqkhZXp0YywF--JsufxCM2Oo2k>
Cc: IETF IPv6 Mailing List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2016 00:24:55 -0000

On 05/13/2016 11:29 PM, Lorenzo Colitti wrote:
> On Sat, May 14, 2016 at 12:00 PM, Brian E Carpenter
> <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
> 
>     Because if someone is trying to correlate different types of my traffic,
>     let's say something sent over IPX and something sent over IPv6, the task
>     will be made easier if the lower 48 bits are the same in both types of
>     traffic. (Obviously, someone on-link can use ND to correlate MAC address
>     and IP address, so we're talking about someone observing off-link
>     packets.)
> 
> That seems extremely unlikely to happen in practice,

Yes... as was "pervasive monitoring" and others. -- C'mon...

That's not how you think security&privacy wise: either provide numbers
that show that that can't happen (which you really can't), or assume it
will happen. You have to fail on the safe side, not on the other. And
since you cannot predict the standardization of other technologies
(either) -- which might happen outside the IETF --- I'm not sure how you
can make this sort of claim.




> By contrast, here is one weakness that is pretty much mandated by this
> draft as written: because addresses have to be stable, any remote
> attacker anywhere on the Internet that ever exchanges a packet with that
> host can track it every time the host visits the same network,
> *forever*, with no recourse. Section 3 point 1.

Use RFC4941 for that -- that's why they were standardized in the first
place. And you choose how you employ your addresses.

And if you just hate the fact of having a stable address, please write a
proposal to update RFC4941, such that stable addresses (alongside
temporary addresses) are not required.


-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email