IETF Logo Mail Archive

Re: draft-gont-6man-managing-privacy-extensions-00.txt

Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> Sun, 13 March 2011 02:03 UTC

Return-Path: <ipng@69706e6720323030352d30312d31340a.nosense.org>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 830753A6ACD for <ipv6@core3.amsl.com>; Sat, 12 Mar 2011 18:03:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.828
X-Spam-Level:
X-Spam-Status: No, score=-1.828 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ovhb97GptnH0 for <ipv6@core3.amsl.com>; Sat, 12 Mar 2011 18:03:12 -0800 (PST)
Received: from smtp4.adam.net.au (smtp4.adam.net.au [202.136.110.247]) by core3.amsl.com (Postfix) with ESMTP id 3011A3A6AB4 for <ipv6@ietf.org>; Sat, 12 Mar 2011 18:03:12 -0800 (PST)
Received: from 114-30-119-224.ip.adam.com.au ([114.30.119.224] helo=opy.nosense.org) by smtp4.adam.net.au with esmtp (Exim 4.63) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1PyafQ-0000wk-7v; Sun, 13 Mar 2011 12:34:24 +1030
Received: from opy.nosense.org (localhost.localdomain [IPv6:::1]) by opy.nosense.org (Postfix) with ESMTP id A135D5355B; Sun, 13 Mar 2011 12:34:21 +1030 (CST)
Date: Sun, 13 Mar 2011 12:34:21 +1030
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
To: Fernando Gont <fernando@gont.com.ar>
Subject: Re: draft-gont-6man-managing-privacy-extensions-00.txt
Message-ID: <20110313123421.5a5c8ea1@opy.nosense.org>
In-Reply-To: <4D7C166A.9060608@gont.com.ar>
References: <7111FC5F-BC3F-4242-9C3F-037E79894749@gmail.com> <alpine.DEB.1.10.1103091212570.7942@uplift.swm.pp.se> <4D77CBB9.1080702@gmail.com> <233b01cbdef5$8e214550$aa63cff0$@com> <25B3D469-F3DA-4A1D-A462-FEB71FA69485@gmail.com> <091D1284-99E4-450E-8AFF-7D4C6310D760@apple.com> <78B923726E7D59429936580CF127E943A13E758C27@eu1rdcrdc1wx032.exi.nxp.com> <262f01cbdf5d$607c69f0$21753dd0$@com> <4D7C0EE5.2080405@gont.com.ar> <22F6318E46E26B498ABC828879B08D4F0C2420@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <4D7C166A.9060608@gont.com.ar>
X-Mailer: Claws Mail 3.7.8 (GTK+ 2.22.1; x86_64-unknown-linux-gnu)
X-Location: Lower Mitcham, South Australia, 5062
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Cc: Christian Huitema <huitema@microsoft.com>, "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Mar 2011 02:03:13 -0000

On Sat, 12 Mar 2011 21:57:14 -0300
Fernando Gont <fernando@gont.com.ar> wrote:

> On 12/03/2011 09:44 p.m., Christian Huitema wrote:
> 
> >> It doesn't. The I-D aims at allowing routers specify which policy
> >> they want hosts to employ when generating their IPv6 addresses.
> > 
> > Uh? I definitely don't want to give the router at Starbucks the means
> > to specify the privacy configuration of my laptop.
> 
> Override the advice provided by the router at Starbucks, and you're done
> (e.g., I guess this could even be automatically done by the OS depending
> on how you tag the network you're connecting to (e.g., Public, Home,
> whatever)).
> 
> 

I doubt typical end-users will be capable of getting this right often
enough for them to accept the possible privacy compromise when they
don't.

So what is wrong with the record and observe model, avoiding modifying
existing protocols and end-nodes to achieve your goal?

I don't understand why proactively putting an entry in a
neighbor cache when an end-node performs DAD, on a designated audit
device, and then letting NUD observe and report state changes for that
neighbor cache entry won't achieve the goal. There may need to be some
minor changes to ND state mechanisms to achieve this (e.g. ignore the
DAD if there is already an entry for the DAD tentative IPv6 address,
as DAD will fail, and maybe report it), however those changes
would only be required to be deployed to the audit device.

> 
> > If we want policy options to be applied safely, they have to be
> > propagated by trusted mechanism, where the host can verify the
> > authority of the policy source. Anything else is abuse waiting to
> > happen.
> 
> The threat model for this case is no different to that for ND in general...
> 

Existing addressing mechanisms in ND only have a goal of advising
end-nodes what method they should use to acquire their IPv6 addresses.
The end-node has a vested interest in following that advice, as it
will provide connectivity to other peer nodes as well as off-link
connectivity. However, end-nodes can ignore it, and e.g. use static
addressing or link-local addressing to still achieve useful
connectivity, albeit more limited than if they followed the advice in
an RA.

If you want to place far more trust in the end-nodes' address
selection choice, for audit purposes, I think you're going to have to
build much more complicated mechanisms that the one proposed, that allow
you to be assured that they've followed your advice.

Regards,
Mark.

v2.23.0 | Report a Bug | By Email