IETF Logo Mail Archive

Re: Disabling temporary addresses by default?

David Farmer <farmer@umn.edu> Wed, 29 January 2020 23:17 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BA5B120047 for <ipv6@ietfa.amsl.com>; Wed, 29 Jan 2020 15:17:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.298
X-Spam-Level:
X-Spam-Status: No, score=-4.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nn_Pad9dUedw for <ipv6@ietfa.amsl.com>; Wed, 29 Jan 2020 15:17:31 -0800 (PST)
Received: from mta-p6.oit.umn.edu (mta-p6.oit.umn.edu [134.84.196.206]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AAD512003E for <ipv6@ietf.org>; Wed, 29 Jan 2020 15:17:30 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mta-p6.oit.umn.edu (Postfix) with ESMTP id 487KBy38VRz9vBpT for <ipv6@ietf.org>; Wed, 29 Jan 2020 23:17:30 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p6.oit.umn.edu ([127.0.0.1]) by localhost (mta-p6.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AJxFNUUmrO9k for <ipv6@ietf.org>; Wed, 29 Jan 2020 17:17:30 -0600 (CST)
Received: from mail-qt1-f198.google.com (mail-qt1-f198.google.com [209.85.160.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p6.oit.umn.edu (Postfix) with ESMTPS id 487KBy0ppxz9vcJQ for <ipv6@ietf.org>; Wed, 29 Jan 2020 17:17:29 -0600 (CST)
Received: by mail-qt1-f198.google.com with SMTP id m8so1025287qta.20 for <ipv6@ietf.org>; Wed, 29 Jan 2020 15:17:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gNjcjXd6lcw1Y5AiSBcBIlAcpl949m575qq+TJlX3TY=; b=afGX3+bsTndbQuRwUwJTShQss0DXokRGLn6LBxu++d1DE9ViGVp1l1VklIXSlcIdSO WPKf2435eQHWyfjbM5mW961p5tkjdnIwCu1GsDGvwc6RxdEVwfT+a6/jRVTfoggIjB5K EzwO2ZDrXzH+++SMJS89k+uHCRg8mlPVrGhnVNav7gV1L+K10pkzYeZwwTtvuAAV86mF rgF/y6e/mM7JKtg+fFpqrffXEFm2BuzehP5Bdb2SJuMKs4RTmyI8/5sLJ1BkOnxMiLqz 7optjmbPG7IEJKiwm/YneUu9LlTjglEZepui5ofxb7rqha53vKXsqA2JOmocYHijIkAj Z7xQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gNjcjXd6lcw1Y5AiSBcBIlAcpl949m575qq+TJlX3TY=; b=I6iQwoKkj5iLFh5zd0mKpVaYLY3S4ZLKmp0FbOp/b94Aj+u/VJ/6NxgGAu+3iYNBch Mx7Qya0AYSrPN4o/wnPOvm6rw0iIXq18s5qx/asUHoLZaSqPmdToT5TqZMoRSrEuA3sd 75mOH33Rp+HeI62anv0xpxTzgp6IUtUtKvnDVcRIU3IYJ2E3yGokDH21erJ8mJz4T+PJ A62VfJVZV7kC9v33LwCufwXd3ry7BLdI5REI5NCGNGEqhkK9XkdkFdjQILK0Swb0YzVw e2eRpNvoHRw89VUVjybSyeBeCGc0nx/CzBoOYBeOg+9XONWCcKuDwh5NLRkanUylUIHv RNYQ==
X-Gm-Message-State: APjAAAV43vWt7/yIafd6ZNIrw6XJPAxPavVjurX38QafMy6sKdLcXNpI TePtCGU5s9q7uxQWSFbMyXKAPrEe04B0qg+OHsFebvW24LpGwJToNcMNXlnoduP7XjJd38knCpm q+ltc8PH5F8LPDt5RJpZrgdaI
X-Received: by 2002:a37:9e12:: with SMTP id h18mr2338244qke.420.1580339849076; Wed, 29 Jan 2020 15:17:29 -0800 (PST)
X-Google-Smtp-Source: APXvYqygD4IEmevoa0Mcg25n+F9QYsqqI/WtehX4wDwv9VJNymXc+NjHAaFB4NomrrMhsLs5epDoMsHtl8gwfdOy1Fg=
X-Received: by 2002:a37:9e12:: with SMTP id h18mr2338206qke.420.1580339848649; Wed, 29 Jan 2020 15:17:28 -0800 (PST)
MIME-Version: 1.0
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <DE7B0688-230F-4A5C-8E24-9EAED9FD9FEB@puck.nether.net> <AFEBAD7D-DF24-4924-8B9A-60DF22BA1953@consulintel.es> <c42affce-fbd3-23ec-c9ff-4f05cdf38630@si6networks.com> <41173152-A8E8-4241-9DE7-376AA7AFB813@consulintel.es> <c4166907-b6c9-a4ef-fd59-cf539bbe0405@si6networks.com> <43D76C96-C16B-4BEB-B9B8-C68D53BCE63F@fugue.com> <fb5b8377-892d-2777-ef9b-4f9ddefa6c93@si6networks.com> <CAKD1Yr034_tu7ZoJ1FCfDYhNSN6igm-ZQyR4u3U+UDMr=huGOw@mail.gmail.com> <1af0b06d-f9d7-5ea1-27f3-b417eb9148fa@si6networks.com> <7606A049-318D-4526-917D-F2A801BF7050@cisco.com> <CAKD1Yr1d9kORFdoOJr22J_UDJ9hLPr6AQLyWuh7=bAQKa+aXGw@mail.gmail.com> <MN2PR11MB356588FC3E8A6410B725D159D80A0@MN2PR11MB3565.namprd11.prod.outlook.com> <CAKD1Yr35meRGh_POo_2jrHA_oazO1xUOG5G_rx43xNLFYHQsMQ@mail.gmail.com> <MN2PR11MB356526F01CAE1CADEF8E4472D80A0@MN2PR11MB3565.namprd11.prod.outlook.com> <CAKD1Yr0-rmyzz3y1d+pCpA0+tGuhSdjojaJovXUzVuyx6UdeLA@mail.gmail.com> <98179a48-8d86-4673-6c82-fc0022988862@foobar.org> <F84FEFAF-1F78-47D4-B3E0-981DCFD0CB58@employees.org> <CAKD1Yr11_SSUkCBuQ3-h+eRg0LPZQdhe+h7f0YZy9TiyRWj6mw@mail.gmail.com> <30A6C187-EB5F-427A-BAC6-BB847A288F7B@employees.org>
In-Reply-To: <30A6C187-EB5F-427A-BAC6-BB847A288F7B@employees.org>
From: David Farmer <farmer@umn.edu>
Date: Wed, 29 Jan 2020 17:17:12 -0600
Message-ID: <CAN-Dau2+=ddPjPav0N3x_4XO8N_60s_v9TYbFrXd4sRr78xhXA@mail.gmail.com>
Subject: Re: Disabling temporary addresses by default?
To: Ole Troan <otroan@employees.org>
Cc: Lorenzo Colitti <lorenzo@google.com>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004db50e059d4f8bea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/VAUm-tSC0rDmSghBBOvUon4WfVo>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 23:17:33 -0000

On Wed, Jan 29, 2020 at 3:04 AM <otroan@employees.org> wrote:

> Lorenzo, et al,
>
> > Changing subject because many participants are likely to just ignore yet
> another "SLAAC vs DHCPv6" thread. :-)
> >
> > On Tue, Jan 28, 2020 at 11:27 PM <otroan@employees.org> wrote:
> > In the context of 4941bis last call, it might be prudent of us to
> revisit this change:
> >
> > https://tools.ietf.org/html/draft-ietf-6man-rfc4941bis-05#section-8
> > 6.  Temporary addresses are *not* disabled by default.
> >
> > Saying that temporary addresses should be disabled by default (assuming
> hosts actually do that) seems like a terrible privacy problem. It means
> that by default, a host that doesn't change prefix will use the same IPv6
> address to communicate with *everyone* on the internet until the end of
> time. That provides lots of opportunities for cross-site tracking, and the
> user can do very little to protect themselves because they don't have
> control over IP addressing like they do over higher-layer identifiers
> (e.g., users can clear cookies, or use different browser profiles or
> different browsers/apps for different sites).
>
> This seems like an exaggeration. Temporary addresses does not provide
> privacy. They provide a small piece of a much larger and complex puzzle.
> One which likely requires not technological solutions but regulatory ones.
>
> How efficient and useful that piece is compared to e.g. 7217 iids I have
> not seen any data on.
> If we don't have any data for the 4941 effectiveness, operational
> experience and implementation experience (ICE, MPTCP, applications), then
> all we can do here is to offer our anecdotal data. Although given your
> affiliation perhaps you could tell us how little or how much value
> temporary addresses have for tracking?
>
> > I don't think 4191bis should advance if it says that privacy addresses
> are disabled by default. It would be a strong statement by the IETF that we
> don't care about privacy of IP addresses and would be a terrible signal to
> send.
> >
> > Instead of disabling, why not change the default of the number of
> addresses maintained? For example, instead of maintaining 1 permanent + 1
> valid + 7 deprecated, why not just default to maintaining 1 permanent + 1
> valid + 1 deprecated. That means that applications would have to
> re-establish their connections once a day instead of once every 7 days. But
> if they use privacy addresses, they already need to re-establish
> connections after 7 days. And they can always use not to use privacy
> addresses via the appropriate socket option.
>
>
> The current (draft standard) text in 4941 is:
>    "Consequently, the use of temporary addresses SHOULD be disabled by
>    default in order to minimize potential disruptions.  Individual
>    applications, which have specific knowledge about the normal duration
>    of connections, MAY override this as appropriate."
>
> I would like to understand the rationale for removing that text.
> Note, 4941bis in it's current form does not have an opinion regarding a
> default.
>

This is all about trade-offs, the use of temporary addresses by no means
guarantees privacy, there is no perfect privacy, it's not an absolute,
privacy is relative. Furthermore, the only way to provide perfect privacy
is to not communicate with anyone over the Internet or by any other means
for that matter. All communications risks interception,
information leakage, that compromise your privacy. We risk this
interception, information leakage and compromise of privacy, for the
rewards communications bring us.

That said, using the same address over an extended period of time (months
to years) is an obvious and unwarranted threat to privacy, in my opinion.
The use of temporary addresses helps prevent this, and while they are not
appropriate in all cases, neither is saying that that temporary addresses
should be disabled by default.

I think something like the following needs to be added to RFC4941bis;


While using the same address over an extended period of time (months to
years) is an obvious and unwarranted threat to privacy, in that it allows
for an easy correlation of a user to an address over this extended period
of time. However, this same correlation of user to an address, at least in
the short-term (hours to days), that this technique seeks to limit, is
frequently a necessary first step in most troubleshooting activities.
Therefore, changing temporary addresses too frequently will likely
exacerbate operational problems, frustrating attempts to correct them, and
in extreme cases could impact the operational stability of networks.
Furthermore, the successful troubleshooting of intermittent problems
occurring over a period of time (especially over several days) may require
a stable address and at least the short-term disabling of the use of
temporary addresses.

The choice of default timers in this document attempts to balance this
trade-off between privacy, the effective troubleshooting of problems, and
the operational stability of networks, all of which are in individual
users' and network operators' mutual interest.

Finally, changing temporary addresses at a high-frequency (minutes to
hours) will have operational impacts especially in troubleshooting as
discussed above. However, changing temporary addresses at these
high-frequencies will also likely impact network stability and host
performance due to the unreasonably high levels of neighbor discovery
traffic necessitated by such high-frequency changing of
temporary addresses, this is especially true when amplified by a large
number of hosts changing their temporary addresses at a high-frequency.


If I were to make any changes to the default timers in the document I would
shorten the TEMP_VALID_LIFETIME from 1 week to something like 2 or 2.5
days. I think TEMP_PREFERRED_LIFETIME of 1 day is a reasonable compromise
between privacy, the effective troubleshooting of problems, and the
operational stability of networks.

Thanks.
--
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email