Re: [6man] Stable privacy addresses (upcoming rev)

Ray Hunter <v6ops@globis.net> Fri, 30 March 2012 13:04 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BBFB21F84F8 for <ipv6@ietfa.amsl.com>; Fri, 30 Mar 2012 06:04:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[AWL=0.152, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OqUHrtsxikJX for <ipv6@ietfa.amsl.com>; Fri, 30 Mar 2012 06:04:28 -0700 (PDT)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id BD46721F8673 for <ipv6@ietf.org>; Fri, 30 Mar 2012 06:04:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id C2FFA8700D5; Fri, 30 Mar 2012 15:04:25 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at globis01.globis.net
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T5D5Y8XG3xMn; Fri, 30 Mar 2012 15:04:16 +0200 (CEST)
Received: from Rays-iMac.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id 5BC38870064; Fri, 30 Mar 2012 15:04:16 +0200 (CEST)
Message-ID: <4F75AF50.5000308@globis.net>
Date: Fri, 30 Mar 2012 15:04:16 +0200
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox Express 1.0.1 (Macintosh/20100705)
MIME-Version: 1.0
To: Fernando Gont <fgont@si6networks.com>
Subject: Re: [6man] Stable privacy addresses (upcoming rev)
References: <4F7333F9.9090007@si6networks.com>
In-Reply-To: <4F7333F9.9090007@si6networks.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Mar 2012 13:04:29 -0000

I have reviewed draft-gont-6man-stable-privacy-addresses and have 
already sent some nits direct to the author.

I like this draft.

One of my biggest criticisms of RFC4941 today is that end nodes act 
unilaterally, and that due consideration was not made of the needs of 
organizations (such as Enterprises or ISPs), where logging is perfectly 
legal, desirable, and has compliance issues.



If I were to write the design goal for interface identifier privacy 
myself I'd write:

o    It should be easy for an authorized person to be able to reliably 
predict the interface
       identifiers that will be generated by the algorithm, provided 
that the authorized person has
       access to the algorithm and the secret keying material used in 
generating the interface identifiers, but not otherwise.

The idea being that authorized persons e.g. law enforcement and network 
managers SHOULD be able to correlate activity at a later date (for legal 
compliance, logging, fault finding etc.) whilst an attacker or 
unauthorized person SHOULD NOT.



I have no objection per se to the time variance of temporary addresses 
of RFC4941, provided that the rotation of addresses happens in a 
controlled manner. Again, a common criticism of 4941 is that long-lived 
sessions may be broken, and there's no way of knowing when authorized 
persons should relearn/re-correlate private addresses to native 
EUI64's/machines.

I can think of 2 mechanisms to achieve controlled time-variance using 
your draft:

1. If controlled renumbering is ever widely implemented, it would be 
possible for a network manager to regularly rotate the /64 subnet 
prefixes in a controlled manner (add new prefix, deprecate old prefix) 
to generate new Random Interface Identifiers (RIDs), rather than this 
being an unilateral choice of the end nodes as in 4941. An end node 
would generate a new RID and use this for new sessions, whilst existing 
sessions would continue to use the RID generated from the deprecated 
prefix. This would mean that the time-variant aspect of user privacy in 
4941 could be maintained, whilst end node activity could still also be 
tracked and correlated by the authorized person/network manager (but not 
as easily by an attacker who does not have access to the secret key).

Some might say that this is a weakness, in that a node connected to a 
3rd party LAN could be tricked into giving away a few bits of 
information every time a RID is regenerated. However, I don't consider 
that a major issue, because the 3rd party LAN manager could anyway track 
usage directly, either based on the /64 parent prefix or some other 
means like EUI64 media address. A remote passive attacker might also 
have difficulty working out exactly how a new /64 prefix is correlated 
to the existing /64 prefix (provided there was enough variance in users 
and all other things/information leaks being equal.)

2. If the implementation provided a mechanism for the secret_key to be 
changed, it would also be possible for a network manager to regularly 
update the secret_keys in a controlled manner so that an end node would 
generate a new RID when an interface was re-initialised.

For these reasons, I feel that all implementations SHOULD include a 
mechanism for the secret_key to be updated (to repair a potentially 
compromised node where the secret_key has been learned by an 
unauthorized person, complicate long-term snooping of RID changes when 
prefixes change, and to allow a manager to trigger a RID rotation per node)

I make no comment on the mechanism by which the secret_key should be 
updated. Some environments may require specialist hardware, or use of an 
existing Security Association to create a secure channel to a secure 
node, whilst others might consider a DHCPv6 option sufficient. These 
mechanisms could be defined in related drafts.

This secret_key could then also be stored somewhere in a central 
(secure) log for use in cross-referencing obfuscated addresses from 
various logs at a later date.


Some switches or other devices that limit access to a single IPv6 link 
local address per port may have problems with RIDs.  RFC4941 Sections 
3.6 & 4 are certainly pertinent.

regards,
RayH

Fernando Gont wrote:
> Folks,
>
> Probably the only objection that I got for
> draft-gont-6man-stable-privacy-addresses is that the prefix shouldn't be
> included in F() (the hash function).
>
> I'd like to clarify the motivation for that, and also trigger some
> discussion on the topic such that I can produce a revision of this
> docuement that addresses any remaining concerns.
>
>
> * Motivation for including the SLAAC Prefix in F() (the hash function)
>
> The essential rationale for including the prefix in the hash function is
> that, if we don't, then we'd be leaking more information than we should.
>
> If we don't include the prefix as part of the data to be hashed, then
> the Interface-ID will be exactly the same no matter whether the devices
> moves from one network to another, and hence the node could be tracked,
> even if it implements RFC 4941.
>
> For example, think about the following scenario:
>
> Attack scenario #1
>
> A host configures the stable addresses without including the Prefix in
> the hash function. Let's say the host employs any application that needs
> to perform a server-like function (P2P, or whatever). As a result of
> that, an attacker attacker participating in that application (e.g., P2P)
> would learn the Interface-ID used for the stable address.
>
> Now the same host moves to a completely different network, and uses the
> same P2P application, probably even with a different user. The attacker
> now interacts with the same node again, and hence can learn the "new"
> stable address. Since the interface ID is the same as the one above, he
> can infer that it is communicating with the same device as before.
>
> Had the host included the Prefix when computing the Interface-ID (with
> the hash function F()), the Interface-ID would have been different, and
> this wouldn't have been made possible.
>
> This is just *one* possible attack scenario, which should remind us that
> one shouldn't disclose more than it is really needed (and a static
> Interface-ID across many different networks does exactly that).
>
>
> * Use of draft-gont-6man-stable-privacy-addresses without RFC 4941
>
> Temporary addresses are painful to manage. They make painful to
> correlate the activities of your own nodes. FOr example, one host gets
> infeceted will malware, you logged the IPv6 address, but then you don't
> know which node was using that address at that point in time.
>
> This is the reason for which in many deployments temporary addresses
> (RFC 4941) are disabled (e.g., look at any presentation by Ron Broersma).
>
> When you disable temporary addresses, all you're left with is whatever
> stable addresses your host uses. If you don't include the Prefix in F()
> (the hash function) then, while you may be resistant to host scanning
> attacks (your addresses is not predictable anymore), you're still
> trackable, since your interface ID doesn't change as you move from one
> network to another.
>
> So yes, there are cases in which you may want privacy, without
> necessarily be willing to deal with the burden of temporary addresses.
> And if you're just going to have stable addresses, you do not really
> want the Interface ID to be constant across networks.
>
>
> * Concerns about CPU impact
>
> Other folks have expressed concerns (in corridor meetings) that if the
> Prefix is included in the hash function, they may need to recompute the
> hash every time they attach to a network (assuming the SLAAC prefix
> changes), and that would be expensive. I personally think this shouldn't
> be an issue for most implementations (for instance, we do MD5 for every
> single new TCP connection! -- see RFC 6528). And, in any case, we do not
> really specify which hash function to use. -- If you're concerned about
> CPU, you may want to use a (CPU-wise) cheaper function.
>
> That said, I'd have no problem with making the inclusion of the Prefix a
> SHOULD (i.e., do it, unless you have very good reasons not to do so
> (such as CPU-constraints)), or even a MAY (if inclusion of the Prefix in
> the hash function turns out to be the show-stopper here).
>
>
> If you have any feedback/comments, I'd be glad to hear. I'm planning to
> rev the document asap, clarifying and incorporating many of the things
> explained throughout this e-mail. So if you send your feedback shortly,
> the next rev could reflect your comments.
>
> Thanks,
>