IETF Logo Mail Archive

Re: 3484bis and privacy addresses

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 10 April 2012 06:53 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3AC621F8745 for <ipv6@ietfa.amsl.com>; Mon, 9 Apr 2012 23:53:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.654
X-Spam-Level:
X-Spam-Status: No, score=-101.654 tagged_above=-999 required=5 tests=[AWL=0.037, BAYES_00=-2.599, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yMWLy-CuqaXk for <ipv6@ietfa.amsl.com>; Mon, 9 Apr 2012 23:53:11 -0700 (PDT)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id BBA2021F8741 for <ipv6@ietf.org>; Mon, 9 Apr 2012 23:53:10 -0700 (PDT)
Received: by werb10 with SMTP id b10so3635274wer.31 for <ipv6@ietf.org>; Mon, 09 Apr 2012 23:53:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=88Vowe5NWEjZoLui+6wedd2SYyveUH3F6WMwqyKtRsk=; b=by/HXxRtMBHcBFsbiZyUZ8pt6+OtntIesGiBwp0MlJDFlq3XBgXZyypRn2EvFLAPP7 3MqUrSn6b94VzHKZeR7iE0K8MLNe2chFC3Sj8CPukEw/xwD8ONzqkotJXF03Slnqi6+S yBllHFBkuobWzkHcFQpt2i6l+KG2WAVlVVVkZLRvxSOChSyw6EXE9K5x5CRxbk2ds+GZ RXYAyD5J9ji2CpHKktYkffnjwX9AXSnvEI0Vr0goDhgUL/l9LU3P6Ww+FKjKCwwxQ/x5 G13D1EDiJKSyEFcxkb1Xb7WSEfPaOm8avXAj3ioetK/SLABIZmlj520+IBBnEG0ra6ef iYwg==
Received: by 10.180.82.136 with SMTP id i8mr4067586wiy.19.1334040789997; Mon, 09 Apr 2012 23:53:09 -0700 (PDT)
Received: from [192.168.1.69] (host-2-102-219-159.as13285.net. [2.102.219.159]) by mx.google.com with ESMTPS id k6sm35673765wiy.7.2012.04.09.23.53.08 (version=SSLv3 cipher=OTHER); Mon, 09 Apr 2012 23:53:09 -0700 (PDT)
Message-ID: <4F83D8D0.5030402@gmail.com>
Date: Tue, 10 Apr 2012 07:53:04 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Dave Thaler <dthaler@microsoft.com>
Subject: Re: 3484bis and privacy addresses
References: <4F716D5C.40402@innovationslab.net> <4F726C9E.50107@gmail.com> <9B57C850BB53634CACEC56EF4853FF653B5054C1@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <9B57C850BB53634CACEC56EF4853FF653B5054C1@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2012 06:53:13 -0000

below...

On 2012-04-10 01:08, Dave Thaler wrote:
> Brian Carpenter writes:
>> On 2012-03-27 20:33, Brian Haberman wrote:
>> ...
>>> A. Prefer public addresses over privacy addresses
>>>
>>> B. Prefer privacy addresses over public addresses
>> In terms of a general default in shipped IPv6 stacks, I prefer B, but it has to be qualified:
>>
>> There MUST be a user option to change this preference.
> 
> That wording would be confusing, as there's a distinction between an
> (unprivileged) user and a (privileged) admin.   It would be a security
> vulnerability if an unprivileged user could change a system-wide setting.
> 
>> There SHOULD be a network manager option to change this preference.
> 
> Similarly, the term "network manager" is also confusing.  It would be a security vulnerability
> if an untrusted user on the network could change a system-wide setting locally.
> 
>> The rationale for this is that we need privacy by default in shipped products, with the
>> ability for the person deploying the product to override this.
> 
> I (and I gather from the +1's that many others) agree with having a config knob to
> reverse the preference.   The doc already has text about that on a *per-app* basis,
> but not system-wide.   The wording I propose to add is:
> 
>     "There SHOULD be an administrative option to change this preference, if the 
>     implementation supports privacy addresses.  If there is no such option, there 
>     MUST be an administrative option to disable privacy addresses."
> 
> -Dave

That works for me. Perhaps there also needs to be a general statement in the
security considerations that all administrative changes and options MUST be
secured against illicit use.

   Brian

v2.23.0 | Report a Bug | By Email