Re: "Recommendation on Temporary IPv6 Interface Identifiers" (revised I-D) (Fwd: New Version Notification for draft-gont-6man-non-stable-iids-01.txt)
Christian Huitema <huitema@huitema.net> Fri, 17 March 2017 00:51 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CD6A129B79 for <ipv6@ietfa.amsl.com>; Thu, 16 Mar 2017 17:51:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 17M7WB_uvdhB for <ipv6@ietfa.amsl.com>; Thu, 16 Mar 2017 17:51:17 -0700 (PDT)
Received: from mx36-42.antispamcloud.com (mx36-42.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39C6D129B35 for <ipv6@ietf.org>; Thu, 16 Mar 2017 17:51:17 -0700 (PDT)
Received: from xsmtp12.mail2web.com ([168.144.250.177]) by mx36.antispamcloud.com with esmtps (TLSv1.2:AES128-SHA:128) (Exim 4.86) (envelope-from <huitema@huitema.net>) id 1cog6t-0001gE-F3 for ipv6@ietf.org; Fri, 17 Mar 2017 01:51:16 +0100
Received: from internal.xmail07.myhosting.com ([10.5.2.17] helo=xmail07.myhosting.com) by xsmtp12.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from <huitema@huitema.net>) id 1cog6s-0005Mt-80 for ipv6@ietf.org; Thu, 16 Mar 2017 20:51:14 -0400
Received: (qmail 6494 invoked from network); 17 Mar 2017 00:51:13 -0000
Received: from unknown (HELO [192.168.1.100]) (Authenticated-user:_huitema@huitema.net@[172.56.42.159]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <ipv6@ietf.org>; 17 Mar 2017 00:51:12 -0000
To: ipv6@ietf.org
References: <148942937853.9227.2944252822855237301.idtracker@ietfa.amsl.com> <cb261f79-b008-f09b-e8af-d8718735f37e@si6networks.com> <CAO42Z2wUzy1ew4f5TVuNOC-u+dak9fGjOYWpXdPFAuQnFeYcJw@mail.gmail.com> <4deb5200-0f4f-d3d1-b164-e70fabc77d86@si6networks.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <70057719-4e20-4d71-e72a-caab6d0efe59@huitema.net>
Date: Thu, 16 Mar 2017 17:51:09 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <4deb5200-0f4f-d3d1-b164-e70fabc77d86@si6networks.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Subject: Re: "Recommendation on Temporary IPv6 Interface Identifiers" (revised I-D) (Fwd: New Version Notification for draft-gont-6man-non-stable-iids-01.txt)
X-Originating-IP: 168.144.250.177
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.29)
X-Recommended-Action: accept
X-Filter-ID: s0sct1PQhAABKnZB5plbIVbU93hg6Kq00BjAzYBqWlVTHAar8Je/lORhy3PZJU8LERWeKKG4PAQY Nyavp7c49L/N1imVzxQGuMdyq1ILpVFTugiLDom8V25hond3K4RsO76XSTAwtV4mg4i2ouCDa4AU hvIWAV5xUW/+gAh4vXrHYYTVXlYan2QPMpELk3j4RcOb18WfxGyg6Om6u4YYm+rC/BlViQoZSa1e lw9ROuA5hjoyEb9Oq0NWpyO3vrfYNrJwCbVSZviV1vzVlxiUlT3dKxLhoxcmaInYbR5vlqGudzLe k2TYFBStSOMccbr5Uz0sPgnpAk2KA2vJwMd1uWhCmLzOxTAcQmFWVARhgNqBNFD3an3wiMp49rVr ybSBe34TY+s3lj/RgDQoaICKQ3TFgIfDMShmlQFqCr5hA8xAXSGwpLGc/Znuh3MoIpK0lGBqE9Gg c8Y4ZxuY0/fX17bRF0J+AL6gRRwFcty0/RGJ+cv73CChOPjKA0/DVd83mzKXD5o/Ia+BqyQ7Q0nt IZ2PVtMHd8bHCmdzlxzVIEgwyGTHIAoNFX+jcW7DGmdE6eBVl9/A6GtGi+mfMSANmjLzCyMdOETT xDqixVDal2Zqxiuap5uKiBpffUsHYsfmrbtbs8GJuRKR6hnrta1usy6F/SOWlhnS7qkS/mOkSgAg eNjxIyqtWcsHzPElnaBFglzR8EKamCCPLRQqfIrw/hvxLqd67w5ZW6bZsK3PVhKr5jPEm1FO31NK RBlTUpu1GyoCJJa3e874rwXXGPuEmSKg33smtlc64dR/aNUnR+kcQlvCYTspYJdGl64rm9ixxYJS vH1uwzGpXypuXzvU+eHzgtWshl+1i/+vbfwZ46yKe72V7y3QDXL8JTpxprEN
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/mFpaMfJJtEDZVG_70MQ0K9H-BU0>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 00:51:19 -0000
On 3/16/2017 9:35 AM, Fernando Gont wrote: > Hi, Mark, > > Thanks so much for your feedback! Please find my comments in-line... > > > On 03/15/2017 05:19 PM, Mark Smith wrote: >> Hi, >> >> Firstly, I really like this draft. > Thanks! Thanks for the feedback, Mark. As Fernando wrote, we are more than willing to improve the document. The general motivation here is that RFC 4941 was written 10 years ago, and we have learned a thing or two since that. In fact, while the current draft is written as an update to RFC 4941, we are wondering whether it would not be simpler to just evolve the draft into something like 4941bis. Among the dated parts of 4941, the first one is indeed the timing issues that you commented on. 4941 specified a simple periodic assignment. As we explain in the draft, we get better privacy characteristics if the temporary address generation is linked to "privacy events" such as a connection to a new network, a change in a MAC Address, or even a user request to "erase the web history". Keeping the same IID through such event enables "before and after" correlation, and that's not exactly good for privacy. Then, there is the cross-prefix correlation issue. In section 3.3., Generating Temporary Addresses, RFC 4941 specifies that "New temporary addresses MUST be created by appending the interface's current randomized interface identifier to the prefix that was received." That means that if different prefixes are configured, the temporary addresses for all these prefixes will use the same IID. Again, that is not the best way to protect privacy. Besides, 4941 requires running DAD on each temporary address, so there is little reason to mandate a single temporary IID per interface. The algorithm specifies the use of MD5, which is now a bit unfortunate. Using MD5 to generate random numbers in the specified way probably does not pose any serious security issue, but there is a global push to just get rid of MD5 everywhere. And in fact, there is no good reason to specify any particular hash function -- at least, no interoperability issue. SHA256, SHA512 or SHA3 would work just fine. There are probably a couple more details like that. -- Christian Huitema
- "Recommendation on Temporary IPv6 Interface Ident… Fernando Gont
- Re: "Recommendation on Temporary IPv6 Interface I… Mark Smith
- Re: "Recommendation on Temporary IPv6 Interface I… Fernando Gont
- Re: "Recommendation on Temporary IPv6 Interface I… Christian Huitema
- Re: "Recommendation on Temporary IPv6 Interface I… Mark Smith