IETF Logo Mail Archive

Re: 6man w.g. last call for <draft-ietf-6man-default-iids-11.txt>

Fernando Gont <fgont@si6networks.com> Wed, 18 May 2016 22:51 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 090E512D79D for <ipv6@ietfa.amsl.com>; Wed, 18 May 2016 15:51:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.852
X-Spam-Level:
X-Spam-Status: No, score=-0.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_12_24=1.049, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GPspFxa2qGHa for <ipv6@ietfa.amsl.com>; Wed, 18 May 2016 15:51:16 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16E3512D79C for <ipv6@ietf.org>; Wed, 18 May 2016 15:51:15 -0700 (PDT)
Received: from [100.92.254.184] (unknown [152.206.74.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 2E9EA800EF; Thu, 19 May 2016 00:51:05 +0200 (CEST)
Subject: Re: 6man w.g. last call for <draft-ietf-6man-default-iids-11.txt>
To: 神明達哉 <jinmei@wide.ad.jp>, Alissa Cooper <alissa@cooperw.in>
References: <20160428004904.25189.43047.idtracker@ietfa.amsl.com> <89CA2C18-AE61-4D40-8997-221201835944@gmail.com> <CAJE_bqdZ_D7jsDdWQ2FJpLH9cXveYfcye0W2J_mSi-7bYBrOKA@mail.gmail.com> <B849F263-9F99-48E8-B903-8FE7D2CDF277@cooperw.in> <CAJE_bqd1AWOuwvQcGzHg+dAWoump29g14HEA1BoVErXDXSMxaw@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <573BCFD0.8090801@si6networks.com>
Date: Tue, 17 May 2016 22:13:36 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <CAJE_bqd1AWOuwvQcGzHg+dAWoump29g14HEA1BoVErXDXSMxaw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/lvnPGlEKTZKhikg_3PQfvlJqxj4>
Cc: IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2016 22:51:18 -0000

On 05/16/2016 01:25 PM, 神明達哉 wrote:
> 
>>> - clarify that this recommendation is only for environments where
>>>  address stability is needed
>>
>> The document says exactly this in the introduction:
>>
>> The recommendations in this document apply only in cases where
>>    implementations otherwise would have configured a stable IPv6 IID
>>    containing a link layer address.  That is, this document does not
>>    change any existing recommendations concerning the use of temporary
>>    addresses as specified in [RFC4941 <https://tools.ietf.org/html/rfc4941>], nor does it introduce any new
>>    requirements regarding when stable addresses are to be configured.
>>    Thus, the recommendations in this document simply improve the
>>    security and privacy properties of stable addresses.
> 
> This text specifically talks about RFC4941 as the "environments where
> address stability is NOT needed",

Please let me clarify this.

IPv6 nodes employ, by default, stable addresses. The only standardized
things that's different from that is temporary addresses, which
essentially specify how to generate temporary addresses *in addition* to
the stable ones.

If you want to do temporary-addresses-only, you need to update RFC4941,
because it says that you should have both stable and temporary addresses.

What we say in our document is: "where you'd configure a stable
addresses, do RFC7217 rather than embed link-layer addresses". We do not
argue whether you should have/use stable addresses in the first place.
Such requirements are elsewhere, and not in this document.


>  and, with the 'That is,' only talks
> about it.  On the other hand, my understanding of previous concerns in
> this context is to also cover other types of such environments,
> specifically the one using randomized link-layer addresses with the
> traditional algorithm of forming the IID from such LL addresses.
> 
>>From this one, and your response to the next point, it seems you are
> saying the decision was to refuse to address that concern.  Am I
> understanding it correctly?

No. My take is that the concern is flawed. Please read
draft-gont-predictable-protocol-ids, and even RFC4941, which talks at
length about security and privacy issues regarding reusing identifiers
in different context, for different scopes, etc.

Let's call a lemon a lemon: Asking to embed a layer-2 identifier/address
in a layer-3 address is extremely bad.

After 30+ years of experience with flaws related to improper selection
of numeric identifiers, it's really bad that people keep pushing this
sort of thing.


-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email