Re: A common problem with SLAAC in "renumbering" scenarios

Tom Herbert <tom@herbertland.com> Sun, 17 February 2019 02:13 UTC

In-Reply-To: <d2704b05cf844ed181921636bd7b6b57@boeing.com>
From: Tom Herbert <tom@herbertland.com>
Date: Sat, 16 Feb 2019 18:13:08 -0800
Message-ID: <CALx6S34Zyjz62fs3DZjW0oiYmmzuOoQj_2s7T1b-saqfTKmBVw@mail.gmail.com>
Subject: Re: A common problem with SLAAC in "renumbering" scenarios
To: "Manfredi, Albert E" <albert.e.manfredi@boeing.com>
Cc: Mikael Abrahamsson <swmike@swm.pp.se>, 6man <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/hmP8H5VrCjLZiEWbEL8Glh2Palw>

On Sat, Feb 16, 2019, 5:16 PM Manfredi (US), Albert E <albert.e.manfredi@boeing.com> wrote:

> -----Original Message-----
> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Mikael Abrahamsson
>
> > I advocate the semi-static model, where the same address space is handed
> > out as long as the customer is up and there are no network changes. This
> > is what I have and it means my addresses (IPv4 and IPv6) change at a
> > frequency of once per year or something like that. This is acceptable to
> > me...
>
> That's much like my ISP is doing. With IPv4, as long as I don't reboot my
> home router, the WAN side IP address remains the same. Occasionally, the
> ISP remotely reboots my CPE, and then too, the WAN facing IP address
> changes.
>
> What are the security aspects of this sort of operation, for IPv6? Well,
> if I were concerned about someone keeping track of the household, then I'd
> just reboot the CPE equipment more frequently. Done.
>

Albert,

That technique is easily defeated by "always connected" applications. After
an address change, the application logs into the server and the server logs
identity, address, and a timestamp. Then it's just a matter of applying the
server logs to infer identities in unrelated traffic.

Increasing the frequency of address changes might make it a little harder to
track users, but I think it's mostly a false sense of security in reality.
If a user really cares about privacy, they want single-use untrackable
addresses.

Tom


> But this has nothing to do with someone tracking my own movements. If I
> bring my phone or PC to a library or coffee shop, I get a different IP
> address anyway. Even if the home IPv6 prefix remains fixed, one's movements
> outside the home aren't impacted. Still (repeating myself), since the IETF
> has been so diligent in recommending against the use of EUI-64, and for
> random and even short-lived privacy IIDs, it only makes sense for the IETF
> to not spend a lot of time finding ways to keep your IPv6 home prefix
> static.
>
> To solve this problem, it seems more beneficial to make appropriate
> changes to SLAAC, than anything else.
>
> Bert
>