IETF Logo Mail Archive

Re: Re: Detailed review of Significance of IPv6 Interface Identifiers

Ray Hunter <v6ops@globis.net> Sun, 01 September 2013 09:34 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0571121F9BA2 for <ipv6@ietfa.amsl.com>; Sun, 1 Sep 2013 02:34:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GK6CX-TQqo2W for <ipv6@ietfa.amsl.com>; Sun, 1 Sep 2013 02:34:05 -0700 (PDT)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 5786321F9B0E for <6man@ietf.org>; Sun, 1 Sep 2013 02:33:44 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 51DEB8700BA; Sun, 1 Sep 2013 11:33:28 +0200 (CEST)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id izdXlYzXl-HL; Sun, 1 Sep 2013 11:33:28 +0200 (CEST)
Received: from Rays-iMac-2.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id 2614B870087; Sun, 1 Sep 2013 11:33:28 +0200 (CEST)
Message-ID: <522309E1.7050806@globis.net>
Date: Sun, 01 Sep 2013 11:33:21 +0200
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.8 (Macintosh/20130427)
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: Re: Detailed review of Significance of IPv6 Interface Identifiers
References: <520B3529.80802@si6networks.com> <520BF653.8060603@gmail.com>
In-Reply-To: <520BF653.8060603@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Cc: Fernando Gont <fgont@si6networks.com>, "6man@ietf.org" <6man@ietf.org>, draft-ietf-6man-ug@tools.ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Sep 2013 09:34:06 -0000

inline

Brian E Carpenter wrote:
> Hi Fernando,
>
> Thanks once again! We'll make corresponding updates in the next version.
> Just a few discussion points below:
>
> On 14/08/2013 19:43, Fernando Gont wrote:
> ...
>> * Section 2:
>>> However, this has not so far proved to be the case.  Also, there is 
>>> evidence from the field that IEEE MAC addresses with universal scope 
>>> are sometime incorrectly assigned to multiple MAC interfaces.
>> I recall some folk mentioned that, from an IEEE std point of view, this
>> is not incorrect. -- Just me relaying some comment (on v6ops?).. I don't
>> recall of the top of my head of what the relevant IEEE std says.
>
> 802.1 section 9.2.2 makes it clear that the U bit is intended to
> make the address universally unique:
>
> "The method that an assignee uses to ensure that no two of its devices carry the same address will, of course,
> depend on the assignment or manufacturing process, the nature of the organization, and the organization’s
> philosophy. However, the users of networks worldwide expect to have unique addresses. The ultimate
> responsibility for assuring that user expectations and requirements are met, therefore, lies with the
> organization offering such devices."

I'd be careful on making that link if you pardon the pun. EUI64 != LAN
hardware address.

See

http://grouper.ieee.org/groups/msc/MSC200407/OnlineTutorialsD/EUI64.htm
http://standards.ieee.org/develop/regauth/tut/eui.pdf

AFAIK 802.1 is a specific application of MAC-48 in LAN identifiers. Not
EUI48. Quote "The use of the MAC-48 identifier is obsolete".

Quote "48-bit EUI-48 identifiers were originally created to serve as
network or media access control (MAC) addresses for local area networks
(LANs) by IEEE Project 802. Within this environment, EUI-48 identifiers
are intended to identify items of real physical equipment, parts of such
equipment, or functions that apply to many instances of physical
equipment. The use of 48-bit identifiers has been extended to serve as
protocol identifiers to identify protocol designs and design revisions
of protocols operating between instances of physical equipment, where
there are expected to be far fewer such protocols identified than there
are items of addressable physical equipment."

AFAIK EUI64 has different/ less restrictions to EUI48 and certainly MAC-48.

Quote: "Given the minimal probability of consuming all the EUI-64
identifiers, the IEEE/RAC places minimal restrictions on their use
within standards. Their major use is to distinctively identify hardware
instances of devices. They may also be used for other purposes where a
unique identifier is desired. "

So AFAICS the u/l restriction and uniqueness restriction is only
relevant when EUI64 is used in the context of specific LAN hardware, but
perhaps not all router interface hardware.

There's a specific IEEE contact (IEEE/RAC) who can clarify this when
referencing IEEE defined terms in other standards.
http://standards.ieee.org/about/bog/rac.html

I'd humbly suggest that we run this draft standard document by them.

>> You might want to reference this presentation, which comments on
>> duplicate MAC addresses:
>>
>>    [HDMoore]  HD Moore, "The Wild West",  Louisville, Kentucky, U.S.A.
>>               September 25-29, 2012,
>>               <https://speakerdeck.com/hdm/derbycon-2012-the-wild-west>.
>
> We have references to that and to
> http://enterpriseadmins.org/blog/scripting/virtual-machines-with-duplicate-mac-addresses
> commented out in the source file. In general the RFC Editor doesn't much like
> conference or blog URLs because they tend to disappear.
>
>> * Section 3:
>>> To the extent that each method of IID creation specifies the values 
>>> of the "u" and "g" bits, and that each new method is carefully 
>>> designed in the light of its predecessors, these bits tend to reduce 
>>> the chances of duplicate IIDs.
>> Not sure what you mean. Do you mean that *if* each IID-generation method
>> were to use a different combination of "ug", colisions between them
>> would be avoided? If so, I'd argue that since there's no coordination of
>> which combinations should be used for which method, that's unfeasible.
>> For instance, traditional SLAAC uses all combinations (modulo
>> "illegal/unused" combinations of ug).
>
> The argument is fuzzy and the sentence needs to be rewritten.
>
> (I would actually suggest that in a pseudo-random method, now that we
> are clear that the bits have no meaning, it would be best to use them to
> provide two more bits of entropy rather than giving them fixed values.)
>
> ...
>> * Section 5:
>>> The EUI-64 to IID transformation defined in the IPv6 addressing 
>>> architecture [RFC4291] MUST be used for all cases where an IPv6 IID 
>>> is derived from an IEEE MAC or EUI-64 address.  With any other form 
>>> of link layer address, an equivalent transformation SHOULD be used.
>> I'd remove this paragraph altogether. Here's my rationale:
>>
>> 1) You're just clarifying the u/g bits. *Which* method is used for
>> generating addresses with SLAAC is kind of out of the scpe of this document.
>
> Well, I believe we have broadened the scope a bit. What this text is trying
> to do is clarify the wording in 4291, which really is written as if
> Modified EUI-64 is the *only* kind of IID.
>
>> 2) If we end up deprecating IEE-MAC-based addresses (and it looks like
>> we're heading there), this document will have to be updated, too.
>
> No, because it only applies when EUI-64 is used. If we drop EUI-64
> completely (which would amaze me) the words would be irrelevant but
> not harmful.
>
> So personally I don't think we should change this.
>
>> * Security Considerations:
>>
>> Since this document allows address generation methods to use the ug bits
>> in any way they want, that allows for extra entropy when IIDs are
>> generated in such a way that they are unpredictable (e.g., as in
>> draft-ietf-6man-stable-privacy-addresses).
>
> It's true (see above comment on fuzzy text).
>
>> Besides, and while *this* document does *not* introduce any new issues,
>> you should probably briefly comment on the implications of EUI-64 based
>> IIDs. Alissa's document and/or draft-ietf-opsec-ipv6-host-scanning
>> and/or draft-ietf-6man-stable-privacy-addresses might be good references
>> to include along with whatever text you craft on the subject.
>
> Actually we decided that the whole privacy issue was orthogonal,
> partly because there are several drafts and having a bunch of "work
> in progress" references is quite annoying to the reader. How about just
> adding a general comment that the method of IID generation has privacy
> implications but they are considered out of scope for the document?
>
>> * Last, but not least....
>> Should we do anything about RFC2526? -- It currently requires specific
>> semantics for u/g... but without any explicit motivation for doing so.
>
> That's also orthogonal IMHO. Separate thread?
>
> Thanks again,
>
>     Brian
>
>

-- 
Regards,
RayH

v2.23.0 | Report a Bug | By Email