IETF Logo Mail Archive

Re: Address privacy

Fernando Gont <fgont@si6networks.com> Tue, 28 January 2020 17:28 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CE0F12002E for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 09:28:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BV3WfSKhnUBi for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 09:28:23 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6710F120072 for <ipv6@ietf.org>; Tue, 28 Jan 2020 09:28:23 -0800 (PST)
Received: from [192.168.100.103] (unknown [186.183.48.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 1835482E68; Tue, 28 Jan 2020 18:28:19 +0100 (CET)
Subject: Re: Address privacy
To: Gyan Mishra <hayabusagsm@gmail.com>
Cc: 6man WG <ipv6@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
References: <b606d8b0-b83d-1926-1cea-8165a1800c20@si6networks.com> <DB9D43C2-BE65-4DC0-AE25-E62E27569E90@gmail.com> <cfa3183b-76c3-a504-aba7-673d6d904f9b@si6networks.com> <CABNhwV1JnbcKvMdR2m0mHpgSQpU061VFYkft4FWp109X3Kw77w@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <a6745584-2bdf-59f1-9011-ac986219753e@si6networks.com>
Date: Tue, 28 Jan 2020 14:27:57 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <CABNhwV1JnbcKvMdR2m0mHpgSQpU061VFYkft4FWp109X3Kw77w@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/nvGZY1WX9qdmjYIgYaXtI4Ycnzo>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 17:28:25 -0000

On 28/1/20 13:53, Gyan Mishra wrote:
[....]
>     http://download.microsoft.com/download/F/D/F/FDF4CF55-5FDE-4CFF-8539-3662BB5EB7A0/TD13Basel2-43.pptx
>      >
>      > Beginning with Windows Vista and Windows Server 2008, a randomized
>      > method is utilized to determine the Interface ID instead of EUI-64
> 
>     That's better that EUI-64, but still bad. Windows employs constant
>     IIDs,
>     that allow host tracking across networks.
> 
>     Gyan> Windows does employ the privacy extension for rolling
>     temporary address which addresses anonymity by using the temporary
>     address for outgoing connections and the stable random IID for
>     incoming connections.

Nodes typically have two "types" of addresses: temporary addresses and 
stable addresses.

Even if you implement RFC4941, stable addresses that embed the 
underlying MAC address pose a problem, because e.g. they result in 
patterns, and thus make hosts possible to address-scan.


Windows did two things:
1) They implemented temporary addresses (rfc4941), such that network 
activity correlation over time is mitigated.

2) They implemented an alternative algorithm to the traditional 
generation of IIDs based on the underlying MAC address (at the time they 
did it, RFC7217 didn't exist). The algorithm that they use to generate 
these stable IIDs is essentially the same as in RFV4941, except that, 
since the identifier is meant to be stable, they don¡t rotate *this* IID.


One ould expect that they will replace 2) with RFC7217 (as recommended 
by RFC8054). However, the flaws in RFC4941 (which you correctly 
referenced) need to be addressed with a replacement for RFC4941: that's 
the rfc4941bis draft we're discussing.



>     {...]
>      >
>      > Are you aware of this vulnerability with RFC 4941 privacy
>     algorithm and
>      > why OS vendors started using random numbers versus the privacy
>      > algorithm, which maybe why Microsoft started doing the same - using
>      > random number.
> 
>     You are mixing things up.
> 
>    Gyan>  Please read the link for RIPE below regarding the RFC 4941 
> privacy algorithm vulnerability.  Both links state the vulnerability 
> with the existing algorithm.

Indeed. THat's part of the motivation for rfc4941bis, and why we chose 
to replace the algorithm that generates the interface identifier (IID)


> 
> 
> 
>     Microsoft started using randomized IIDs because there was no
>     alternative
>     to MAC-based IIDs (such as RFC7217). So tey were proactive, and did
>     something to mitigate address scanning attacks.
> 
>      Gyan> Understood.  As stated above from the links below Microsoft 
> and other OS vendors moved to using their own random number generator 
> schema due to the RFC 4941 algorithm vulnerability for both the 
> interface IID and temporary address privacy extension.

No, that's not correct. Microsoft implemented the randomized IID 
because, at the time, the only standard to generate IIDs was to embed 
the MAC addresses, and that has a number of issues, as noted above.

As noted, there are two separate problems:
* stable addresses
* temporary addresses


The issue with stable addresses has been addressed by RFC7217. We still 
need to address the flaws in RFC4941, and that's why we're working on 
rfc4941bis.




> 
> 
>      > Here is another article that talks about RFC 4941 privacy algorithm
>      > vulnerabilities.
>      >
>      >
>     https://publications.sba-research.org/publications/Ullrich2015Privacy.pdf
>      >
>      > Do you think we should start this algorithm vulnerability in RFC
>     4941bis
>      > draft?
> 
>     I don't think that would be of much use for this I-D. We could add a
>     note such as:
>     "This document addresses a number of flaws discovered in RFC4931
>     [references], and formally obsoletes RFC4941."
> 
>     At the end of the day, it's always better to give copius credit than to
>     offer half baked explanations.
> 
>     I've just realized that the ref to Johanna's paper was lost when we
>     switched from  to rfc4941bis.
> 
>     FWIW, the ref is:
>          [RAID2015]
>                     Ullrich, J. and E. Weippl, "Privacy is Not an Option:
>                     Attacking the IPv6 Privacy Extension",  International
>                     Symposium on Recent Advances in Intrusion Detection
>                     (RAID), 2015, <https://www.sba-research.org/wp-
>                     content/uploads/publications/Ullrich2015Privacy.pdf>.
> 
> 
> 
>     Gyan> So you will get the text language updates into the current 
> version of 4941bis that was dropped from Johanna’s paper.  I will stand 
> down on adding updates to GitHub asked by Ole as we are on the same page 
> now, and you will be updating.

WHat I'm saying is that we coulf add something like:
      "This document addresses a number of flaws discovered in RFC4931
      [references], and formally obsoletes RFC4941."

thus making it explicit why we're changing the algorithm. The reader can 
always go and read the reference for further details.

WOuld this address your concern?

THanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email