Re: Magnus Westerlund's No Objection on draft-ietf-6man-rfc4941bis-11: (with COMMENT)
Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 26 October 2020 08:14 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5A723A19AD; Mon, 26 Oct 2020 01:14:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sy2IkxenDonQ; Mon, 26 Oct 2020 01:14:41 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10066.outbound.protection.outlook.com [40.107.1.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B94C53A19B3; Mon, 26 Oct 2020 01:14:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BLQkicPXMU+kCS92q/srLcO+cFtUsKJsJ2XupkqC2/+6VOKUMSj/eVkbNd3ogyeP6GNjjqG5IX+0ceHxmne+Dy5s4iwcp5cK37Lpuye2ntsJ+6cRwVbGPdJJyD3MgZQacc2g0HbS8Kqa9GvUdewSi+zcBsfqJm3gNMUvXobOhK4Q4a5/LDD/8+/uBpD9CnZabjtmb/hSV0tVBdpilBRYEFTodeyqsFBs/8Q+J8PfeR6KDBLl0ZKBJMZ+Xt9/0PZ27J4/2eB2OD1mQFozChiI7PJBdH7a5Nm4JqwdsEt/xP+6US5feOhfFcVzQbO4Md3IYLwJC06gL5xaDhCBCF162g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8Ves9+Zh5DsHfymCMw0PK5lsNCsGAZ3hS8jTg0q9duA=; b=MvqLBqLfsTVT+G6aqSptA7omCsr32pfHhouGTtEIqO11phJaho4cJ9sQgmGWIL0wzUrUXBu/yzsr1k1t0xKJZkV5CCWql+nu5a7ccLctcwckdyV/W+/r6rSFAH4JV3lHOOn9ZkB3lsSvSavY50GxLdJv1Hkg2RxzZDZAd8oy7y40nZVQNse4BI4wXo3hE+p8rrYpicM3l8vvCenqDcPmPtUnSesbFFk7iDWuKOO98mCjlmDTJU//Hz0Plo6VR7QcOiGB1p3roGqVqTVjQ2upZk87f1w2scbyenVrzNWLDMAmG0z+2bnsX95XsHdw35SdSehRMOu1250cOBSIIXUw+g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8Ves9+Zh5DsHfymCMw0PK5lsNCsGAZ3hS8jTg0q9duA=; b=G4ZYr9ZSSnErlWBqha9I1xcCd1QSfZWxaJYhwemcd90kb/8KaLHeobCpfTi5UBIFLVMYVAZEqrdB3zwiauqBmd780UNUHweRLcxNzHKHZCMrFJvG2K2gnjhiKasEV1aSt0uSYdXu3PZZr7YcJfy/5t9SgIIWtBo/qXxDQ9SLI04=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR0702MB3771.eurprd07.prod.outlook.com (2603:10a6:7:88::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.15; Mon, 26 Oct 2020 08:14:07 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::cd13:5bbc:84b2:cc8d]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::cd13:5bbc:84b2:cc8d%6]) with mapi id 15.20.3499.015; Mon, 26 Oct 2020 08:14:06 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "otroan@employees.org" <otroan@employees.org>
CC: "fgont@si6networks.com" <fgont@si6networks.com>, "ipv6@ietf.org" <ipv6@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-6man-rfc4941bis@ietf.org" <draft-ietf-6man-rfc4941bis@ietf.org>, "6man-chairs@ietf.org" <6man-chairs@ietf.org>
Subject: Re: Magnus Westerlund's No Objection on draft-ietf-6man-rfc4941bis-11: (with COMMENT)
Thread-Topic: Magnus Westerlund's No Objection on draft-ietf-6man-rfc4941bis-11: (with COMMENT)
Thread-Index: AQHWqEygmkB3VduLR0C/Y2Aa/A1qJ6mjsw6AgACizACAANIsAIAEZ1GA
Date: Mon, 26 Oct 2020 08:14:06 +0000
Message-ID: <4159e51dc50b1798b25127bcc24651cd371f8c2c.camel@ericsson.com>
References: <160335500152.2379.13344186464354332427@ietfa.amsl.com> <db074a10-8feb-3fc3-4e1a-910674e8628d@si6networks.com> <2c3e19f09c18ddb3bbec881102ff54d84572af51.camel@ericsson.com> <AF857A15-A1E0-44F1-B741-E98B07277324@employees.org>
In-Reply-To: <AF857A15-A1E0-44F1-B741-E98B07277324@employees.org>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: employees.org; dkim=none (message not signed) header.d=none; employees.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [98.128.243.114]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b4e5edb8-5822-4c58-54ea-08d879871beb
x-ms-traffictypediagnostic: HE1PR0702MB3771:
x-microsoft-antispam-prvs: <HE1PR0702MB3771E149B4CD75113DA5094895190@HE1PR0702MB3771.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: dQp8BPCOlJ/+qdcEo+WoHcSWHYSmtF8k9egz86VN+H+OFZzLg+XtOtGIOkCXMPZ9JYQOfKKak55/AwAVKn8qWigEz/C9IiWKzBVgi58Fj3d4/lWgsyQPICvKEp+vO5CyOvkHaLz4l404DhPkUXUYZVY/EXgBPl+AE5iHzh1EEAxTA0Gw5sHPvKZla3+w5scT7giZ7jeT+LCqlBblOy1WOhLUZcDUTxn5528LTjPwClVqY1D4cwiSeVPF72kEwbHDF5hVV3PDuDAzPS1zmpM5KUrJYYWUqsVpo8T38iUdvEz2tw9kgsn/QTXi7eEwJjS+FZ4oogtW4sc34hKwZ7J1/lNCFGRGO8mSnS+DTd/bCQexFajp9wm3kMPWPD1uG2Bb
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(376002)(366004)(346002)(136003)(39860400002)(26005)(4001150100001)(86362001)(53546011)(186003)(8676002)(76116006)(66946007)(66446008)(71200400001)(2906002)(5660300002)(4326008)(8936002)(66476007)(66556008)(66616009)(64756008)(2616005)(54906003)(6486002)(6512007)(83380400001)(6506007)(36756003)(316002)(478600001)(99936003)(44832011)(6916009)(99106002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 30EVsfn8O9d3KXQw1ENz5D2RQ/BUPxWmPsBu98waT1tg0X004eyTBkx26l2fy5r5d8mn1Hz8KaBSzkp8Kk/s1N7MFId7gLFOjhxrl87gFdffPQqEeEkpl3JxltV0/W2O4Ui2RsA2SMqVsiD/qlswZqd8VXmMxJ0I8gWdG/f57wrXCbadRpCqMfreAJDHeOhsDDswXQ8ppC7nKda8w9nibdoA9/isWKXRQtIAEPCeAB2XKqpzDCDV/cjq/udEdvRsVzxbLLcrUCMcwwbaSDNdiiHVg+4Mk5nRcFzW6ORnRjO7v5cTGKotuC40dX1oJg6ALjt1Tny9r6kdHFMG8PpejYhhyRGIbaRzhGb1PWiTrv5yvuDhYgXT2K1WHsn8bxW9OFSqs4B6Mj6vtz7dbud4TbxUl7SIBenIKEt898Z9LHsoracaDyXy/qdYdaax+BzVxVZbC7AAws3FRZKdwI0yTQqQb2wdLmWa3SF7FrLnx0caRW49kQRVXbxXrP1ZWaK4qemDOZf5q41rs3qNAz4CvhwEJdnP8jhLL8aRL1UdV1j1Fs3svzFWLzX7repWkpEBWE4TT0dXcipTscNI2WfWb5941oEVJlmH0N7DQtueYM3dLrlBsN7JjHP/Bm11uifgYwHcRZGyaNRjM8567H55Ow==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-Jl7cG+QlM2KAP1BWiKmd"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b4e5edb8-5822-4c58-54ea-08d879871beb
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Oct 2020 08:14:06.6679 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: n1GKd02W8jpwjhqLqWpHYlan9WUWKptoWmtjFmW2RB5IWdJM4LUBO+O0izARcReVD+NJriaLgWwdt94WGcRrQzXeEv+SI/vn+rukjSBGqno=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3771
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/aateAt5-cPR3RSPBIb-NPY1xISM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 08:14:43 -0000
Hi, I understand the difficulty in trying to address the various. So lets just drop this comment as not needing to be addressed. Cheers Magnus On Fri, 2020-10-23 at 14:59 +0200, otroan@employees.org wrote: > Magnus, > > > Unfortunately I think will not be able to propose a set of adjustment. I > > understand that might result in that the easiest way forward is to do > > nothing > > here. I fully understand that, please just keep it in mind if you anyway are > > doing any edits on the text if the formulation really are represenatative. > > During working group review we did quite a few edits to limit overstating the > claimed privacy improvements. > The only thing temporary addresses provide by itself is a mechanism for host > stacks/applications to use if they want to avoid remote end correlation. > > That correlation might of course be done independently of the mechanism: > - if application uses the temporary address if combined with a remote server > which identifies user > - the access network the host connects to does the correlation > - the application leaks the correlation itself, via e.g. ICE > > I don't think this document by itself should have to specify all the knobs > that have to be set correctly to avoid correlation. > > The document is written with the reverse assumption. Long lived IPv6 addresses > provide an easy and cheap way to correlate users across web-sites. > Temporary addresses solves that particular problem and nothing else. > > I wouldn't mind text proposals making that even clearer, although as I > mentioned at the top the WG has done quite a bit already. > (I have a quite dystopian view of what we can do here that has any practical > improvement. Hopefully this document isn't written to give the reader any > glimmer of hope). > > Cheers, > Ole, document shepherd. > > > > > > On Thu, 2020-10-22 at 11:44 -0300, Fernando Gont wrote: > > > Hello, Magnus, > > > > > > Thanks so much for your review! In-line.... > > > > > > On 22/10/20 05:23, Magnus Westerlund via Datatracker wrote: > > > > ---------------------------------------------------------------------- > > > > COMMENT: > > > > ---------------------------------------------------------------------- > > > > > > > > I understand that this is an update of an older document resolving > > > > several > > > > important issues. However, what was advanced traffic analysis 10 years > > > > ago > > > > is > > > > not as advanced today. The security consideration discuss some of the > > > > weakness. > > > > To me it appears that there are significant risks of correlation old > > > > temporary > > > > address passed preferred life time with the new preferred temporary > > > > address. > > > > > > How would you do this at the address level? (caveat: if you do it at an > > > upper layer, I'd probably say that this is mentioned both in the > > > Security Considerations and in the discussion on persitent IDs earlier > > > on in the document). > > > > I don't think you need high level payload analysis, 5-tuple information over > > time will enable certain correlations. I understand that this is a scale not > > a > > black and white issue. I am somewhat concerned that maybe the document > > indicate > > that the point on this scale is somewhat more on the secure side than what I > > think it is. > > > > > > > > > Especially if an attacker can trigger an endpoint reconnecting to a site > > > > where > > > > the previous temporary address was used and thus correlate the attempt > > > > to > > > > force > > > > reconnection combined detected use of a new temporary address to the > > > > same > > > > destination. It might even be another destination but associated with > > > > the > > > > same > > > > remote site. > > > > > > If the correlation happens at a higher layer, that's indeed possible -- > > > but out of the scope of this particular work. > > > > > > > > > > > > > I have not putt this on discuss level, but my impression is that > > > > although > > > > beneficial the strength of its protection might be overstated in the > > > > various > > > > statements. > > > > > > Please do let us know if you think that there's more that is to be > > > added, and if you have any suggestions. > > > > > > Thanks! > > > > > > Regards, > >
- Magnus Westerlund's No Objection on draft-ietf-6m… Magnus Westerlund via Datatracker
- Re: Magnus Westerlund's No Objection on draft-iet… Fernando Gont
- Re: Magnus Westerlund's No Objection on draft-iet… Magnus Westerlund
- Re: Magnus Westerlund's No Objection on draft-iet… otroan
- Re: Magnus Westerlund's No Objection on draft-iet… Magnus Westerlund