IETF Logo Mail Archive

Re: 6man w.g. last call for <draft-ietf-6man-default-iids-11.txt>

Lorenzo Colitti <lorenzo@google.com> Fri, 20 May 2016 00:48 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 438EE12D545 for <ipv6@ietfa.amsl.com>; Thu, 19 May 2016 17:48:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.126
X-Spam-Level:
X-Spam-Status: No, score=-4.126 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7tEr5cjo-rla for <ipv6@ietfa.amsl.com>; Thu, 19 May 2016 17:48:39 -0700 (PDT)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B399312B04A for <ipv6@ietf.org>; Thu, 19 May 2016 17:48:39 -0700 (PDT)
Received: by mail-yw0-x229.google.com with SMTP id x194so95341014ywd.0 for <ipv6@ietf.org>; Thu, 19 May 2016 17:48:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=9FF/tgYlRAr3y2Xq75qNbjEmF4mUvU0LHtDwR3gnK3Y=; b=cgurN/9LWUDKfCEbskIisubnnsQkXqRlZWgBF8S3n/boQfhZuianxmo2l61ec7Qlwo eE7Z9VH7V3WJvA3mSWdM3LrpI8gSXq+eDWyqblSz6ddrJ3Q0cvWXFoAL7H7LGaMMTHuf sYpPY2F0mReMFF9VcyAJ0It0p+3enm76NTcFrle5XFAkOtOsXDOpcRw6VykQLLtf0FPs 9igzNRCy250XE5CkgZJbr6vWb6bpTyp7ZDRqAywqxIzYkruRppqLSzgUGA0o9ilutKFM /DstluwidnmEVfz8GAYdwfLautZuaovoRESUvbQcIgghWqgLorS2D4LQBEhq2kxrd8en EcCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=9FF/tgYlRAr3y2Xq75qNbjEmF4mUvU0LHtDwR3gnK3Y=; b=Ve7Dw49z/38xebkCgmXk2I8h77dshp/Z0mRgbvhDf+sni9KDJOVxlYsEsS20HNw2Lb 21j74R1dHfGnJEvBBNeXC1w/Qrhmgbduu4bCp9ht36NeLJjGzeorv3OBy07EaTn9dVQM VZgXgrD1ySHcdZnNIqNjzHSZG4BrrKMXi2gb5XTa8dCxWnAX3IwrrzoeMS600sF0cyJl BdXFloxgMoESEP+8YiVCkhUHrQ1Nx3j9QkA/yKnsMsRfx/gojjozbOMnQr0UIhkJxgoB 70+U7DSCk+SZ1AC8yUXfUqhieFqsK65haC/d4bbrqvo0+zQuVD2UXwqZvvSrQ9ubNiLa p+Gg==
X-Gm-Message-State: AOPr4FXkXM3beg/A8nCecTA5RiCiaWgxmJDWCQjneNXLiWdqC9VcX06eKxEa4ZuUfQg4U4sNharPpeJd/inSmMDX
X-Received: by 10.37.79.87 with SMTP id d84mr130821ybb.49.1463705318567; Thu, 19 May 2016 17:48:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.198.68 with HTTP; Thu, 19 May 2016 17:48:18 -0700 (PDT)
In-Reply-To: <19ae94cd-849f-0622-54bc-42cbad51368a@gmail.com>
References: <20160428004904.25189.43047.idtracker@ietfa.amsl.com> <89CA2C18-AE61-4D40-8997-221201835944@gmail.com> <CAJE_bqdZ_D7jsDdWQ2FJpLH9cXveYfcye0W2J_mSi-7bYBrOKA@mail.gmail.com> <B849F263-9F99-48E8-B903-8FE7D2CDF277@cooperw.in> <CAJE_bqd1AWOuwvQcGzHg+dAWoump29g14HEA1BoVErXDXSMxaw@mail.gmail.com> <573BCFD0.8090801@si6networks.com> <CAJE_bqfKUbO7C6LnxOOUCVBU9e679_=159Yu6Ti0zhOGDuw98Q@mail.gmail.com> <A1111BEA-C14C-4574-9214-3D9B5500FEA1@cooperw.in> <CAKD1Yr23S4yHM=31VXTJq7t11P3__GEbbRhM0c085gBjQEGi-Q@mail.gmail.com> <19ae94cd-849f-0622-54bc-42cbad51368a@gmail.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Fri, 20 May 2016 09:48:18 +0900
Message-ID: <CAKD1Yr1YN6SnUNp0HKqTNg6G0egkLveCOTG_7pHo9Zq3OFP4=g@mail.gmail.com>
Subject: Re: 6man w.g. last call for <draft-ietf-6man-default-iids-11.txt>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Content-Type: multipart/alternative; boundary="001a113f5cd0925d2605333b7368"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/nOrCdNARtaf5Y9yfXAUoipTmSLs>
Cc: IETF IPv6 Mailing List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 May 2016 00:48:42 -0000

Brian,

I will concede that there might be theoretical threats involving ephemeral
link layer addresses and non-IP protocols that we have not yet thought of.
However, the key thing to note is that even if these threats exist, their
impact is limited in time. By contrast, any threat involving a stable IP
address, in addition to being much easier to carry out because it's
available off-link, causes permanent impact because the stable address
never changes.

So if you think about it, your argument is actually in favour of link layer
address randomization, not against it. Assuming that the link layer address
will leak sometimes (here's a real-world example that's affects a lot more
people than IPX: captive portal redirect URLs that contain the MAC address
in the clear), it's much safer for that link address to be ephemeral than
to be permanent.

As to your statement that "whether people use stable IIDs is an operational
choice we can only leave to site operators" - this document is not leaving
it to site operators.

Let's all always keep in mind that the current text of the draft says that
on every network, hosts SHOULD configure an IPv6 address that never changes
until the end of time. I think that recommendation is irresponsible.

Cheers,
Lorenzo

On Fri, May 20, 2016 at 5:43 AM, Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> On 19/05/2016 18:10, Lorenzo Colitti wrote:
> > On Thu, May 19, 2016 at 2:19 PM, Alissa Cooper <alissa@cooperw.in>
> wrote:
> >
> >> The draft makes just about a clear a statement in this vein as is
> possible:
> >>
> >> "By default, nodes SHOULD NOT employ IPv6 address generation schemes
> >>    that embed the underlying link-layer address in the IID.”
> >>
> >> Note that this statement does not prohibit anything, nor does it make a
> >> normative (in the moral sense) judgment. It just states the
> recommendation,
> >> which is the point of the document.
> >>
> >> I appreciate that not everyone on the list agrees with this
> >> recommendation. But I find the claim that this recommendation is
> unclear to
> >> be difficult to understand. That is, I can’t think of a way to convey
> the
> >> same recommendation that would be clearer. If you can, please suggest
> text.
> >>
> >
> > Alissa,
> >
> > I don't think anybody is claiming that the recommendation itself is
> > difficult to understand. What is difficult to understand is how the
> > document justifies that claim.
> >
> > It looks like the main argument used to justify this recommendation is
> > major privacy risks. But embedding a link layer identifier into an IP
> > address is not a major [1] privacy risk. It is only embedding a *STABLE*
> > link-layer address that is a major privacy risk.
> >
> > Recommending that link-layer address be embedded only if they are
> ephemeral
> > would address the privacy concerns just as well as (or maybe even better)
> > than the approach proposed in this document.
> >
> > I think what people are do not understand is why this document recommends
> > one but not the other. I certainly don't.
> >
> > Cheers,
> > Lorenzo
> >
> > [1] I argue that cross-referencing IPX traffic to IP traffic is not a
> major
> > privacy risk because IPX is so uncommon.
>
> I only chose that example because it's an obvious one. Do we know all the
> contexts
> in which a MAC address may appear in an off-link packet? I doubt it.
>
> A privacy risk doesn't have to be "major" to be important. If we are
> concerned
> about massive-scale surveillance, where the opponent is using Hadoop and
> machine
> learning technologies to glean information, minor risks become
> significant. So
> I support the draft as it stands: any case in which a layer 2 identifier is
> embedded *in clear* in a higher layer identifier is a bad thing, even if
> it's
> a temporary and pseudo-random bit string.
>
> [I hadn't remembered that RFC1958 already said that ;-)]
>
> I think this is completely orthogonal to whether stable IIDs should be used
> by clients at all - that's an operational choice that we can only leave to
> site
> operators.
>
> Regards
>    Brian
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email