IETF Logo Mail Archive

Re: RFC4941bis implementations

Tim Chown <tjc.ietf@gmail.com> Thu, 09 April 2020 19:55 UTC

Return-Path: <tjc.ietf@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ADA43A0D8D for <ipv6@ietfa.amsl.com>; Thu, 9 Apr 2020 12:55:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1fhsZF1VUHXS for <ipv6@ietfa.amsl.com>; Thu, 9 Apr 2020 12:55:08 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C36513A0D3E for <ipv6@ietf.org>; Thu, 9 Apr 2020 12:54:56 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id h9so13389535wrc.8 for <ipv6@ietf.org>; Thu, 09 Apr 2020 12:54:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=1oftHPMJk62lUmmCDl2UMo3twkuJjYq76sgb4zoET+c=; b=dP0dJEAaxrzWY7K+RhjyjmFfky7xFHl7T4SxH+nO53saB6MCRH0A+nMtKzXs73ZK2I mfmP5fOTtV6MTvVvTytdiY4BCzwVlft6YHqPGgKdtSAgpPa3DBIjgIyTvOVUugc2ZfkW djUjREmfxTgy7S41lUziDWwpBDJx7dFFqpbfOV/40mYCdK6Z0QcY27VFbQKfheKCLMSj 03yFYWgTbl3JyCn4NO7xpd6a6TInuIm9r1qt0rLcqchgDlMNjc05AcBuTGt84XtpBRRD xPTp5zT9DiYdshc0EZlrHZn7p9zu2mfHozFUaIQ+3LOWs3nOnxi+X+KKjzMapJAdqKec sb0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=1oftHPMJk62lUmmCDl2UMo3twkuJjYq76sgb4zoET+c=; b=jSm6QS3y6gc+RACa4tgmYnKkSnMgqEB5I4gf+Y+px6ihNZRZvzk+8pZ3IWmrYhRdXl HhpYvleoV0/h2qh661DLulCv+WTYHOUQyOdr8B8OQ3ZkR4/fLjS1UHBjleGwhe8wl9o7 btphduKfyorLg3/jiru9Ohe8KRu/bz1F0Su4KWcEQZaG0LPEmlWaE3AExTNzA1yboQF3 drnllBF+lRvFJ0O/TJnGjvQSlPjggqOQOPFvjOJcUs+P9DqZCqolDFPNyX6Y52rXPZ3B Lfv7sO2eWbe2PBBaEpqxsBy68JrGIft9iDJpQqnH/zvjiIuvRN7kLoyYNw0mXMijJSHP eEGA==
X-Gm-Message-State: AGi0PuboYm+Qsg44XjAldiqDb+v6EiP0iyaQCakAWjnMGJA0AzxRnT4L i4mOjChD+EXI3yzTEOXui6A=
X-Google-Smtp-Source: APiQypIppbZVPMJJ2chhxeGb2AbvTcdA0G9H5cL9C/ZPsoSwTDfkBow52ab1JIU4PRofgd0VTfXKVw==
X-Received: by 2002:a5d:4081:: with SMTP id o1mr898998wrp.114.1586462095226; Thu, 09 Apr 2020 12:54:55 -0700 (PDT)
Received: from [192.168.0.8] (tchowndsl.claranet.co.uk. [212.188.254.49]) by smtp.gmail.com with ESMTPSA id f5sm31980318wrj.95.2020.04.09.12.54.54 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Apr 2020 12:54:54 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Subject: Re: RFC4941bis implementations
From: Tim Chown <tjc.ietf@gmail.com>
In-Reply-To: <CAO42Z2x6_x-4H8SO7=-xq7E93Ak4U3ojrn6W56raOsD5i4jtBA@mail.gmail.com>
Date: Thu, 09 Apr 2020 20:54:52 +0100
Cc: Ole Troan <otroan@employees.org>, Alexandre Petrescu <alexandre.petrescu@gmail.com>, 6man WG <ipv6@ietf.org>, Florian Obser <florian@openbsd.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0276F2DB-225F-4407-9252-480DD70CE6B5@gmail.com>
References: <7d65f86a-7a82-6139-b455-a27046496c52@si6networks.com> <af621915-ad9d-eb89-01d7-6ec7c5dfdd5e@gmail.com> <20200402201140.4ohxhod3oa7fah3i@imap.narrans.de> <CAO42Z2yRpPZVaqV0Q=k7u6WQbJNSt=oRGW-hjSNnp0uBDhgLWQ@mail.gmail.com> <99BB4440-450B-44FB-8F20-2AF3B4DD9281@employees.org> <CAO42Z2x6_x-4H8SO7=-xq7E93Ak4U3ojrn6W56raOsD5i4jtBA@mail.gmail.com>
To: Mark Smith <markzzzsmith@gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/mPbFfW-_yZG6dHJe7BO2mwkKhkg>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2020 19:55:16 -0000

> On 5 Apr 2020, at 08:56, Mark Smith <markzzzsmith@gmail.com> wrote:
> 
> Hi Ole,
> 
> On Fri, 3 Apr 2020 at 09:20, <otroan@employees.org> wrote:
>> 
>> Mark,
>> 
>>>> Does it work with a plen 65 in RA?
>>> 
>>> I'm happy to report that slaacd(8) in OpenBSD does not care about the plen.
>>> It just forms a 128 bit random number and overwrites the front with
>>> the prefix.[1]
>>> So if you put your whole /29 onlink you can have 99 bits of entropy!
>>> 
>>> Or 1 bit of entropy if you use a 127.
>>> 
>>> Might be worth issuing a warning about the privacy properties of an RFC4941 address if the prefix length gets to long.
>>> 
>>> A false sense of privacy is probably just as bad as a false sense of security.
>> 
>> 4941bis is for SLAAC. SLAAC uses 64 bit IIDs.
> 
> Thoroughly agree. When people want to support other length prefixes,
> and ignore the consequences, I'll point out those consequences.

Well, there is an RFC on that topic; at least pointing to the issues (which may or may not be ignored if you choose to do it…)

Tim

> 
> Security/privacy mechanisms should fail safe or closed, not fail
> unsafe or open. In this instance, for example, OpenBSD should at least
> generate a warning if the IID size is too small for useful privacy,
> or, better, actually fail safe and refuse to bring up IPv6 on an
> interface that has a too long preifx/too small IID when rfc4291bis is
> enabled.
> 
>> I don't think we need to get into this discussion. See also 7421.
>> 
> 
> "An extremely detailed review by Mark Smith was especially helpful." ;-)
> 
> I support a default subnet/IID size that accommodates as many use
> cases as possible because it is the simplest option. That value is 64
> bits (48 bits was the chosen size of IIDs, I'd probably be happy with
> that too, it's is the single, universal and large enough size that is
> more important than the particular value.)
> 
>> Note also the title change.
> 
> Does this mean that rfc4941bis doesn't apply to DHCPv6 IA_TAs?
> 
> If original RFC4941 is obsoleted by rfc4941bis, then I think that
> means that RFC8415 would now have an unresolved RFC4941 reference.
> Looking in the current dhc WG drafts, I can't see a DHCPv6 ID that
> would be the equivalent of what rfc4941bis is now becoming for SLAAC.
> 
> 
> Best regards,
> Mark.
> 
>> These are temporary addresses. I believe the document does not make any exaggerated claims about privacy.
>> I.e. it claims very little in that respect...
>> 
>> Best regards,
>> Ole
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email