IETF Logo Mail Archive

RE: Iotdir telechat review of draft-ietf-6man-rfc4941bis-11

Dave Thaler <dthaler@microsoft.com> Wed, 21 October 2020 00:16 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 741683A0B1D; Tue, 20 Oct 2020 17:16:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ze2rER9evOJg; Tue, 20 Oct 2020 17:16:01 -0700 (PDT)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2116.outbound.protection.outlook.com [40.107.94.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AF853A0B1C; Tue, 20 Oct 2020 17:15:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SflvlTO7ywuS6ZLT5iOWD5569eQ63b90p9RdTVcylxg/OuvWJEzTh53zTUNFADWTenPbb3jgbFkpB8lgsLDZmd+3+5gvad+CIMD3DUMlnn7jLQIB+9c14a7VPbN+WpwtXgXn/VH7mDD1elsO5uOQ6xvNgBHe9e/kKZmbvvwby7ISMQn0/QNeCilw24++3ZLzyEWH4W8d87RlFumop8u2jMrrqyu2s0RCoEqjcTdFChLtkwpQ5Vd9So9xRVL3T2E3ygBD5qU2RBFOfIQ2HvnxS76/k8fHFJWHBNW1ep9IpvmVd2z+EQYq2rjFKSvchCvo9iE/mR3r0v4L9BK1PnGAiA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dO+5daOH+vZt+Q4y+p7mJX4XJVoiXVTrU3kC/YVUrm4=; b=Kr1riT8zBuoVCojGBoIsjJFOExw1CSlFHrztftqXtV7KR86Dyujhvo0du22V3+G5BtMkMsWbJR1sL13oCN9In8GqnaW/0wvteZlH04HA3fqDLA2TtTiehz87Jmp9TgjealBz45HEq2q5TXG33hhUHIHgNl/1bSsrpJg5MIllTNmwytRwF8Oi2ap3fK96E67a3ioO/Mn8cFEKio4RNqcX8bzHV2mkQd2WEnLvdzIsY9FAlZbAoum5sUYrdOcmKkjaaRfe6jj1SPkiofBfQJcFG4Qu92Y59f+FJEOfeeLMG0pcVPWE76SVFlprOlS/y0tVYJhE8sFItoZQX/0bV9dmcQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dO+5daOH+vZt+Q4y+p7mJX4XJVoiXVTrU3kC/YVUrm4=; b=VfK1nrw2tfq0dlHnc9kWz4PIw54bhbJrV97C4DNf0Gms9qFoLA75RexYeYeQGRWwJreyfUTve6AQnLLoNfW49nYnVOtn+iLs0qZNo5AcNYXci1daYpsdSE1OGYc4RZU4ALO1RMsbNWVGWCSc0QU/sReFsxEgjQF7YWbpdxGhwDw=
Received: from BL0PR2101MB1027.namprd21.prod.outlook.com (2603:10b6:207:30::33) by BL0PR2101MB1057.namprd21.prod.outlook.com (2603:10b6:207:37::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.3; Wed, 21 Oct 2020 00:15:54 +0000
Received: from BL0PR2101MB1027.namprd21.prod.outlook.com ([fe80::4da:87a4:8d47:889f]) by BL0PR2101MB1027.namprd21.prod.outlook.com ([fe80::4da:87a4:8d47:889f%6]) with mapi id 15.20.3499.017; Wed, 21 Oct 2020 00:15:47 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Fernando Gont <fgont@si6networks.com>
CC: "ipv6@ietf.org" <ipv6@ietf.org>, "draft-ietf-6man-rfc4941bis.all@ietf.org" <draft-ietf-6man-rfc4941bis.all@ietf.org>
Subject: RE: Iotdir telechat review of draft-ietf-6man-rfc4941bis-11
Thread-Topic: Iotdir telechat review of draft-ietf-6man-rfc4941bis-11
Thread-Index: AQHWpywty7i22BO01kCOczJfaaj9JKmhLIfQ
Date: Wed, 21 Oct 2020 00:15:47 +0000
Message-ID: <BL0PR2101MB1027C36ADE6DB02621E4746EA31C0@BL0PR2101MB1027.namprd21.prod.outlook.com>
References: <160322759593.31761.4896737564742954595@ietfa.amsl.com> <6431e4d6-faf9-2910-69b3-e69f8a6c2a69@si6networks.com>
In-Reply-To: <6431e4d6-faf9-2910-69b3-e69f8a6c2a69@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-10-21T00:15:44Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=916b861f-6370-4f6c-aa32-b847f84b58ed; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: si6networks.com; dkim=none (message not signed) header.d=none;si6networks.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2601:600:9780:8d0:dc6:3e38:e906:7a16]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: aada95bb-d690-4913-d8de-08d875567590
x-ms-traffictypediagnostic: BL0PR2101MB1057:
x-microsoft-antispam-prvs: <BL0PR2101MB10576EF419AF7E3D1DF34060A31C0@BL0PR2101MB1057.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2S4U9eRFCbkf6uNGx+mq770ZDNIUQASo72Bw8pRazzXSLxxPGfrLWtZduHxfxOQ0C+SpYlZY36uhzgDc07Zcyyw3v8ZEsz/06m/6fb8XkeS3ME4xe/iYs0O0j8ccRuvAxBFbUGI5UpYuWu4l6PI7bSsB7F1lrTA9CXCzTtcrfJ4tr1lAUrjs9fnuhgNOucVljZOh5Y63IV4Z7sGQCVXJbqJwsbXPPaOxt0IVaCwmsBf8D/vxO0dHW12hZH/golMIL2Ngr92stQ3n2JiRgujw9iddFTp1u2GIjUYcGLhvcy+2pbfwUvuRFJt//Xl2wCkN
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR2101MB1027.namprd21.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(39860400002)(396003)(136003)(376002)(366004)(6506007)(82960400001)(4326008)(5660300002)(76116006)(7696005)(8676002)(82950400001)(2906002)(9686003)(478600001)(52536014)(6916009)(10290500003)(8990500004)(33656002)(66446008)(316002)(83380400001)(55016002)(71200400001)(66946007)(186003)(64756008)(8936002)(66556008)(86362001)(66476007)(54906003); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: 6hZa25pVWbC5Papg07zi5iRQhxP++axR+SjBfaPqQwcngjrv7i02WdomLczQuU+D4C/0TDh4DZuiuVLDYR6kAlI0sHZIOwCm6xyVt6OkenXPNn6MevFaOsKt5upTV1GirFhE5cUuM2bS7YzRuNAIWM8oQ19zic3Vv0EFmUe9ZfoOIiL6BOIx0EB4SQX5JKv6+GTAmvBEVtMJJMBcp+lon10MW0vra0K0TPNs6mugd1cOM9Vsmt1/MjLPdVirE0aWHh5suDhHG66knKElK6puD1vC7EvGQlOmxJywKTF3BlN89iWawGc+ZQd0LPKcIreuF+f4+4qBdjKaa/VWRqTy9iDyqZoEM4menf/E/XjrRhg5Lmua/QoDYeZf6SM4JOhoXWA8OTC57xWGgAvjpKIDMKoKp8wKAM5MbWt1UR+MzdtwY+cJqku6vuGVt9o2i/73zXbOpiomfl093O/UWjA3bVtBhuldL4CdyqUwWRit/0z5DvMi9Sa5eLXyL/vQd4QId0xHuwE/G2+8dUn6gNNemELFdvg84Y5vyVKghcJxfFdRd/XNEbmKY0ic8lr4l64DjttYycoItQD3sZZepGtGVngjsrTsdy9I08vR9PqF3iXgw6wCLYQdBXBRYvMn96vZziOYA8zcDzk0c8VpPSWFheNu6Ka04KNKrIYAcKfvFx9MaAgfLppZp8oWzyzlhTImSubf6qt2iERnlEzuBtvflg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR2101MB1027.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: aada95bb-d690-4913-d8de-08d875567590
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Oct 2020 00:15:47.1180 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 88YPMgCLkBAn9V5T9xRyw7dqniVvfuc/8j5ll66G4YLwtt9aQanTsCrnuYI91H/IdlfVgEVhdyIgEhrje+ZjfNhq5Iun7shDExicjiRh7Wo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR2101MB1057
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/FhtpXDhOYvJumRJWLE_6S-6ALyc>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2020 00:16:03 -0000

Fernando Gont <fgont@si6networks.com> wrote:
> > Section 1.2:
> > The change from RFC 4941 to add "on unencrypted packets" in the 
> > paragraph starting "Note that an attacker, who is on path, may be able 
> > to perform significant correlation" is incorrect.
> > That's because the 2nd bullet (about packet size and timing) can still 
> > apply to encrypted packets.
>
> Good grief!
>
> How about moving "on unencrypted packets" to the first bullet, as:
> 
>     o  The payload contents of unencrypted packets on the wire
> 
> ?
>
> (but see below)

Yes, that's what I had in mind when writing my review.

> > Instead the "unencrypted"
> > clause only applies to the first bullet.  Either the change should be 
> > reverted, or else it should be moved into the first bullet.
> > Similarly the text added to the end of 1.2 has the same problem.
> > Deployment of encryption will not prevent correlation based on timing, 
> > and it will only prevent correlation based on packet size if padding 
> > is used to make packets all the same size.  Simply encrypting does not 
> > solve this.
>
> How reverting this text as:
[...]
> NEW:
> ---- cut here ----
>     Note that an attacker, who is on path, may be able to perform
>     significant correlation based on
>
>     o  The payload contents of the packets on the wire
>
>     o  The characteristics of the packets such as packet size and timing
>
>     Use of temporary addresses will not prevent such payload-based
>     correlation.
> ---- cut here ----
>
> (Tweaking our text to elaborate what encryption may or may not mitigate would seem to introduce complexity for what's a mostly orthogonal topic)
> 
> Thoughts?

I like that approach.

> > Section 2:
> > Grammatically, the addition of "and" is unnecessary and arguably poor 
> > grammar.  I would hope the RFC editor would revert it if you didn't. 
> > Instead, Oxford comma fans will want to insert a comma before "and 
> > makes comparisons".
>
> This might have been my fault (English as second-language here). This is how I would have written the text:
>
>     This section discusses the problem in more detail, provides context
>     for evaluating the significance of the concerns in specific
>     environments, and makes comparisons with existing practices.

Yes that matches what I would say.

> (not sure what you meant about the "addition of 'and'", though).

The word "and" was inserted before "provides context" so -11 reads
like "A, and B and C" instead of "A, B, and C" as in your text above.

[...]
> > Section 5:
[...]
> > Also, significant text from RFC 4941 (sections 2.2 and 2.3) was removed
> > in the update and replaced with one sentence referencing RFCs 7721,
> > 7707, and 7217.  That's fine but I wonder why it isn't mentioned in 
> > section 5 (Significant Changes from RFC 4941).
>
> (me thinking out loud) Probably because it's not a change to the actual protocol
> (i.e., those are not necessarily changes "an implementer of RFC 4941 should be
> aware of"). Please do let us know if you think this should be added to the
> bulleted list in Section 5, though.

I think it should be part of section 5 outside of the bulleted list, IF the
bulleted list is the list for implementers only.

[...]
> I guess one might apply this:
>
> OLD:
>
>    This section summarizes the changes in this document relative to RFC
>    4941 that an implementer of RFC 4941 should be aware of.
>
> NEW:
>
>    This section summarizes the substantive changes in this document
>    relative to RFC 4941.
>
> Then, regarding the item you've raised above, one might add a bullet like this one:
>
>   o The discussion about the security and privacy implications of
>     different address generation mechanisms has been replaced with
>     references to recent work in this area ([RFC7707], [RFC7721], and
>     [RFC7217]).

That approach sounds fine to me. 

> > Section 4:
> > With the change to use a separate IID per prefix, I believe the 2nd 
> > paragraph should be augmented to point out that simply upgrading an 
> > RFC 4941-compliant node to an implementation of this draft can 
> > exacerbate the problem mentioned in this paragraph.
>
> For all practical scenarios, this will actually be the other way around: 
> Since this document reduces the Valid Lifetime, then, for the case where
> the local network employs say, one GUA prefix and one ULA prefix, nodes
> would end up using 4 concurrent temporary addresses, as opposed to the
> 14 temporary addresses they might end up employing with RFC4941.

That depends on whether a non-default Valid Lifetime is configured.
My meta-point is that this paragraph would benefit from a discussion about
the upgrade effects, like we're now discussing here.

[...]
> > Section 9:
> > RFC 4941 reused the same IID for multiple prefixes, with the rationale 
> > explained in point 4 of section 3 of the RFCs.  With the change to use 
> > a separate IID per prefix, additional security considerations are 
> > needed since there is now a way to conduct new attacks that were not 
> > present before.  Namely, by sending a large enough number of prefixes 
> > one can force the host into multicast promiscuous mode and thereby 
> > consume more host resources (e.g., drain battery).  > For regular 
> > hosts "large enough" might mean enough to generate 8 or 16 IIDs total 
> > (link-local + stable + temporary total), but for some smaller devices 
> > such as IoT devices, a much smaller number of prefixes (potentially 
> > just one more) might be needed to result in such an effect.
>
> Is this any different from RFC4941 or even with SLAAC itself?

Only in the sense that it's another case.  An implementer or admin might
have configured settings assuming a particular result (e.g., robust to rogue
advertisements of 1 prefix), and after an upgrade those assumptions might
not hold.  Hence this should be pointed out in Security Considerations.

> Namely:
>
> * As noted above, for all typical cases nodes will end up employing fewer temporary addresses than with RFC4941.
> 
> * An attacker can always advertise multiple PIOs, or both SLAAC PIOs plus RAs with M set
> (such that nodes configure addresses with both SLAAC and DHCPv6). Ultimately, it's up to the
>  node to enforce a limit on the maximum number of configured addresses.

Yes, which still means for *atypical cases* there may be a new security consideration.
I'm not arguing against the change, only that it ought to be mentioned for the benefit
of security IT pros, deployers who might use non-default values, etc.

Hope this helps,
Dave

v2.23.0 | Report a Bug | By Email