rfc4941bis: trying to keep focus

Fernando Gont <fgont@si6networks.com> Thu, 30 January 2020 20:51 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0BE612086F for <ipv6@ietfa.amsl.com>; Thu, 30 Jan 2020 12:51:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SrP9hSeUXI4V for <ipv6@ietfa.amsl.com>; Thu, 30 Jan 2020 12:51:08 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E034D120872 for <6man@ietf.org>; Thu, 30 Jan 2020 12:51:07 -0800 (PST)
Received: from [192.168.100.103] (unknown [186.183.50.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id B386586A1D; Thu, 30 Jan 2020 21:51:01 +0100 (CET)
From: Fernando Gont <fgont@si6networks.com>
Subject: rfc4941bis: trying to keep focus
To: "6man@ietf.org" <6man@ietf.org>
Message-ID: <4085840f-6c30-323a-b2e9-544f1a783103@si6networks.com>
Date: Thu, 30 Jan 2020 17:50:45 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/dddGvk-LxIdH2E8Rdj-FE87YQwA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jan 2020 20:51:12 -0000

Folks,

I'm trying to summarize what I've seen as part of the recent discussion 
about (or at least triggered by) rfc4941bis.

First, let me give the (obvious) context:

rfc4941bis is meant, for the most part, to address flaws in RFC4941 --
RFC4941 is a Standards Track document, already. rfc4941bis is not 
proposing or introducing temporary addresses, but simply addressing 
flows in the scheme *we already have* (which is widely deployed).


Now, let's move to the main topics of this discussion:


1) "temporary addresses results in too many addresses"

This is not a problem araising from RFC4941, but a problem with SLAAC. 
In SLAAC, routers offer network configuration information, and hosts 
do... what they virtually please.

Routers could also advertise many different prefixes on the same link, 
leading to many addresses. Hosts could also manually configure lots of 
addresses.  An OS might also provide a proprietary interface for 
proprietary apps to request "one address per flow".

Given a sufficient number of prefixes and hosts, this may get to a point 
where implementation limits such as the maximum number of NCE may be hit.

If folks are concerned about the maximum number of addresses that may be 
employed in a network (a valid concern), then I guess energy should be 
spent on how to address this general issue of SLAAC, *in SLAAC*, as 
opposed to simply bother about one of the many possible ways in which a 
host may configure addresses.

I'd note that we have a BCP (RFC7934) about the topic of "number of 
addresses". In the typical/default case, RFC4941 will lead to a maximum 
of 7 addresses per host. In the context of RFC7934, I guess being able 
to handle 7 addresses per host is the least one could expect. I do 
understand that some systems can't handle them (given a sufficient 
number of hosts). Maybe we need to send a signal to router vendors. 
Maybe a few thousand entries in the NC is way too IPv4ish? All these 
issues are worth discussing... but they are issues with SLAAC or ipv6 
network configuration, and not with RFC4941.

That said, and given recent feedback, it seems sensible to reduce the 
preferred lifetime and valid lifetime of temporary addresses to 1 day 
and 2 days, respectively. This would result in one preferred and one 
deprecated temporary addresses (as opposed to 1 preferred and 6 
deprecated addresses resulting from RFC4941).


2) The value of temporary addresses

As noted above, one would assume that since RFC4941 has not been 
deprecated, there is consensus that RFC4941 provides value in the area 
of privacy.

Everytime you reuse an identifier, it leaks information. Temporary 
addresses reduce the address lifetime, and hence limit the amount of 
time you reuse an identifier. That's an improvement. And it is a 
middleground between not using temporary addresses (and hence resuse the 
same identifier forever) or doing "one address per flow" which, while 
interesting, would take the number of addresses employed in any network 
to another dimension. As such (a middle-ground), it can't be expected to 
be perfect.

Temporary addresses are meant employed for outgoing connections. Maybe 
RFC4941 should provide stronger hints or even recommendations that this 
use mode is enforced. For connection-oriented transport protocols, the 
concept is straightforward. For stateless protocols, not so much.

But even if this mode is enforced for connection-oriented transport 
protocols, this would make temporary addresses reduce host exposure 
quite a lot. This is another area where temporary addresses have value.

That said, I'm not sure to what extent it makes sense to argue about the 
value of temporary addresses in the context of *this* document. If we 
take the to extreme possible outcomes:

* we don't publish rfc4941bis, and we keep a flawed RFC4941
* we publish rfc4941bis, and have an improved version of rfc4941

Only one of these options will improve RFC4941, and none of them will 
obsolete rfc4941.


3) Should temporary addresses be enabled by default?

One would assume that since RFC4941 has not been deprecated, there is 
consensus that RFC4941 provides value in the area of privacy.

In that sense, and in the context of RFC7258, I believe it would be a 
hard case to make to have temporary addresses disabled by default.

I do believe some network might want to disable them. That would require 
the network to be able to convey this policy to hosts. This was tried 
(draft-gont-6man-managing-slaac-policy) and rejected ten years ago.

I believe that, at least in the absence of policy, and in the context of 
RFC7258, it is sensible for the default to be "on".

Besides, in a post-Snowden era, I believe we'd nevertheless have a hard 
time recommending OS vendors to disable them by default.

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492