IETF Logo Mail Archive

Re: Address privacy

Ted Lemon <mellon@fugue.com> Tue, 28 January 2020 03:05 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 153503A0B1C for <ipv6@ietfa.amsl.com>; Mon, 27 Jan 2020 19:05:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NBbrsIHwuxF1 for <ipv6@ietfa.amsl.com>; Mon, 27 Jan 2020 19:05:13 -0800 (PST)
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 259843A0A35 for <ipv6@ietf.org>; Mon, 27 Jan 2020 19:05:12 -0800 (PST)
Received: by mail-qk1-x72e.google.com with SMTP id g195so11916872qke.13 for <ipv6@ietf.org>; Mon, 27 Jan 2020 19:05:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=9GYa7DMFjkjcS8s888JKn3bPaUIuKCl9qsTuB3pb1Iw=; b=QuVdNgxWKz5JiOkFRlVpp6Q6r6jTyV14i5JvkzDSQ2CDS/3XtwXF3REBCpmFg/+2d8 oLHH2d0lUDhSgkkyNSKHoALF43pK7JNWeBMztIPlPHFbs/qMtZl1/iN5WDs51kJucKBS orNCGlbVuiHt813BIe0WPNH98YCyQEz9NNQ6jIAE9c52kFoPAQMowfamT8Qdz8BWhh5D STYYmtvhtvJjwZ2ITrr49g9sOk9H86HIJZ5dJ/lf2MlfughjLwebUZBsFI+s5U26RXoS KHdlGpNXaRcqcajdPwmu5kK3CcpUT6Ps/uFtL6tcvWPeEFX3BpZENVSwgGq2IYHUZxTT 738w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=9GYa7DMFjkjcS8s888JKn3bPaUIuKCl9qsTuB3pb1Iw=; b=Bq0bI/MQmLS6GUhC/rC8Gs7rz1rtyAYtTBx03RUhPrhM0extNVFiedBooIh2TXH0e6 07l06SSq9j80CcRp9ZjchvemMO4xBtifONTGiY9/TGI868kjnazoyQ67CNUtyR7SHSJ0 e10DGPxh7rjo9NMm4VWnstGba5IokmWUgYnHM1ih7KdW26hgwq97IEX29mHsgju2qq6T ObW4IuXjp/dSjfNBFagi9e3E+yiD/gmjGFCS70oy0pV+Wbnr+SXmDQSHDT6DDFckqDvb P/9qZyJ2Y8hDZZzlb/xaJgygUHJdzEhXKrwIxwS7JjR7cs93Tiijf2n9S4QDdnrvgoDz o5Qg==
X-Gm-Message-State: APjAAAWtiw1Z58Wxsnu4th5zZSrq6PRAW61yhzzdiVBd0Foup34F/jnT 0H95cVCjJmUgMzf2rGcWrr7fdQ==
X-Google-Smtp-Source: APXvYqxn5nJMQtnLRVHmXkG9dre6VFFHLvRo6lfA2XOI0XyILsS6OL5CZgnYYOO8OkqGqyVD7/yfOA==
X-Received: by 2002:a05:620a:78a:: with SMTP id 10mr20184788qka.392.1580180711928; Mon, 27 Jan 2020 19:05:11 -0800 (PST)
Received: from ?IPv6:2601:18b:300:36ee:b010:69d4:fbf6:14dc? ([2601:18b:300:36ee:b010:69d4:fbf6:14dc]) by smtp.gmail.com with ESMTPSA id u4sm11310841qkh.59.2020.01.27.19.05.10 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 27 Jan 2020 19:05:10 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Subject: Re: Address privacy
Date: Mon, 27 Jan 2020 22:05:09 -0500
Message-Id: <D42EDAFB-E7FF-48AB-A122-1EBD61E72F8B@fugue.com>
References: <b606d8b0-b83d-1926-1cea-8165a1800c20@si6networks.com>
Cc: Gyan Mishra <hayabusagsm@gmail.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>, 6man WG <ipv6@ietf.org>
In-Reply-To: <b606d8b0-b83d-1926-1cea-8165a1800c20@si6networks.com>
To: Fernando Gont <fgont@si6networks.com>
X-Mailer: iPhone Mail (17E210a)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/p1ChimRCHYujGwIGxz9yH5UVqtk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 03:05:17 -0000

A bist can just generate a new DUID every time it connects to a new link, or at any time. So the ability to track clients essentially requires their cooperation. Which makes it kind of pointless. 

From the other side, a client can steal another client’s identity if DUIDs are being used for access control. To prevent it you need 802.1x. Once you have that, you don’t need DHCP. 

> On Jan 27, 2020, at 21:52, Fernando Gont <fgont@si6networks.com> wrote:
> 
> On 26/1/20 21:05, Gyan Mishra wrote:
>> On Sun, Jan 26, 2020 at 5:00 PM Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
> [....]
>> 1.  End user privacy on mobile device connected at home or
>> 2.  End user privacy within an enterprise- non existent as IT security and availability for mission critical applications -IPv6 stability and tracking ability is the primary objective.
>> Happy medium achieved:
>> For both scenarios following RFC 4941 disabling the temporary address and keeping the modified EUI-64 random IID - provides both privacy with MD5 randomized IID - and with the IID only changing with mobility when you receive an new RA for SLAAC with mobility from a different subnet which is what we want from and IT stability perspective.  If you reboot with permanent storage as most devices have the IID does not change as long as the prefix is the same.
> 
> Not sure what you mean. THe algorithm that windows was using for stable addresses was rfc4941 without regeneration. SO essentially they generate a random number, and use it instead of the mac address.
> 
> The resulting IIDs have all the same privacy issues as traditional slaac addresses, except that they cannot be address-scanned because they don't follow any patterns.
> 
> 
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email