IETF Logo Mail Archive

Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt

Tom Herbert <tom@herbertland.com> Sat, 31 March 2018 00:35 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAE5F1205F0 for <ipv6@ietfa.amsl.com>; Fri, 30 Mar 2018 17:35:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cthKFv0se26j for <ipv6@ietfa.amsl.com>; Fri, 30 Mar 2018 17:35:19 -0700 (PDT)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C246A1200FC for <ipv6@ietf.org>; Fri, 30 Mar 2018 17:35:19 -0700 (PDT)
Received: by mail-qk0-x232.google.com with SMTP id w6so10441744qkb.4 for <ipv6@ietf.org>; Fri, 30 Mar 2018 17:35:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=842itk7v0jda7bGOivl4GaiZ6hHz5IWwwmOefBNlP5Y=; b=bskmv9MgHsy24EGr98GI2+1/uI9hFDdMIDJyMaUJ4pbOAupqi4py+Lp1tZbISdKYQU HdP59QbAJt2mDGmoOH5/EPT6HdRHcu0LnyfRvJeEhgrGzu3xx4bOneSp2mKYkXSg7/GI TY+zNxDTepunV0yE7qZFvC1aGJK045gTQ9pL+VebYfWbYUy9oSPB5tO/FL1Edm8h09Tl yZ325zf8WEMYyhWnh6jzyK5scS0Fuumc1ARU84WNnoyRFtMHfRgIjqqjIYPb3k27rdTd ZPVueGVkOJqsmiLcsOfPIZDAfMpNs+m6w+dlKu6u3sYdfh/pnqcq24RvNMIPCcGfbObx oGIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=842itk7v0jda7bGOivl4GaiZ6hHz5IWwwmOefBNlP5Y=; b=q4tWQJw5PHMzIhzEJxU9csMy9CANVNFT2RgCSCRZyDyWzLwSbFNqRrzGQPozyEN2py 6/gdM+SLxzxzONfjW79Hj2tsZCsuAF35/6Ryha/dBgt1goW7AGQc5qC6FXgAO+NbS+0U l8RKNcWCMhxaTxFKooFFnoI1pYoYFr1Fa7A/nZqxMZTSFmPC4aqkeAhg3jJ7n7kyC9/a tTpaOEl02ZgANxiKSMtpPrG8xQwIASFJTO7KAyFNVtbe4N6APxxfvyxd7LqpiqYKs6xK WweNSXBCwJVIRIiN9ts8LTa4D5FYG5YTOtlRGQpYZZESPJ/UAFcPDCEezAM2M3Wm9zgm vf1w==
X-Gm-Message-State: ALQs6tBJZ3jdNoY1XZcatIOd0Tpb1Xx0sKkNXhnr2f9SVQYwo/19C6yk E2sp+LcEL2tO+ahhoZgkS87lI8+X8/mZtlWo2V6N6oT0
X-Google-Smtp-Source: AIpwx49VK/8j1Vf0WKnsYoexN77+Y3WEs72aqIQHFYNKNqipLUwGIHQ97O2Ket6XpjOpHWRjUhMvEH3twlgwZQJjPNQ=
X-Received: by 10.55.75.205 with SMTP id y196mr1602156qka.44.1522456518559; Fri, 30 Mar 2018 17:35:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.200.26.135 with HTTP; Fri, 30 Mar 2018 17:35:17 -0700 (PDT)
In-Reply-To: <6c366b8c-d572-f17f-5226-6ac0e9cf6a8a@gont.com.ar>
References: <152203605148.3066.2744350974766846700@ietfa.amsl.com> <2c561929-98dc-beac-7916-20af889956a4@gmail.com> <50B5C57C-523B-437C-AD74-3F641648EA42@jisc.ac.uk> <803efd39-f488-7b97-cc34-232bc92c7623@gmail.com> <f728c0f7-512d-9d6d-7f76-03cead98d2f5@gont.com.ar> <7f2d9de6-fabe-e033-c3ad-21044e6054af@gmail.com> <42fc2c96-06cd-74e4-1ad3-34fef88e6611@gont.com.ar> <CALx6S37FsLEaonf2Ai489fTmvt-dcNUWfTrz=Ux=o42ATedGXw@mail.gmail.com> <6748ddbf-10ad-350d-38d5-d12455fc5332@gont.com.ar> <CALx6S3542ZEN7ed07ZK6uVv7kVBcy47R+unXuiuTgQX03r92tw@mail.gmail.com> <6c366b8c-d572-f17f-5226-6ac0e9cf6a8a@gont.com.ar>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 30 Mar 2018 17:35:17 -0700
Message-ID: <CALx6S35u1N30LrkiknO+qn6aVJKh6zqDHYj1BfNr8bBo7juFew@mail.gmail.com>
Subject: Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt
To: Fernando Gont <fernando@gont.com.ar>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, Tim Chown <Tim.Chown@jisc.ac.uk>, 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/pdWx1fmLnXykGeIYf3ytWi4jffQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Mar 2018 00:35:23 -0000

On Fri, Mar 30, 2018 at 4:35 PM, Fernando Gont <fernando@gont.com.ar> wrote:
> On 03/29/2018 05:59 PM, Tom Herbert wrote:
>> Hi Fernando,
>>
>> I may be missing it, but I don't see in the draft where it directly
>> answers the question: "How often (literally what frequency) must IPv6
>> addresses be changed to ensure privacy?".
>
> There's no answer for such question.  Network activity can be correlated
> as long as you  reuse the same address. So, if you want no correlation
> at all (to the extent of RFC4941), then you'd never reuse an IPv6
> address. Again see
> https://tools.ietf.org/html/draft-gont-6man-address-usage-recommendations-04
>
Right, single use addresses are the one case that could reasonably
claim to provide any quantifiable level of privacy.

>
>
>>  And if there are
>> applications that don't tolerate address change across connections,
>> then what are the exact requirements for dealing rectify the frequency
>> of change they can tolerate with the frequency needed for privacy?
>
> As noted in draft-gont-6man-address-usage-recommendations-04, we need
> appropriate APIs to fully leverage IPv6 addressing. At the very least,
> for apps to be able to specify desired addressing properties such as
> "stability".
>
Maybe, but then this pushes the impetus to the applications to
understand the ramifications on privacy when presented with choices.

>
>
>> The common problem with nearly any discussion on privacy and
>> addressing is that the effects of proposed guidance are seemingly
>> never quantified. Statements like "The longer an address is employed
>> (i.e., the more stable it is), the longer such correlation will be
>> possible." are intuitively true, but they're not quantifiable
>> statements from which we can elicit any actionable guidance.
>
> What kind of quantification would you expect?
>
Well, for instance, in security the strength of crytosystem can be
measured but the computational effort needed to break keys. I wish
there were equivalent metrics for privacy. We aren't going to find
something like that here, but we should be able to define what
quantifiable strong privacy in addressing would be (section 5 of
draft-herbert-ipv6-prefix-address-privacy-00). As pointed out in that
draft, NAT can meet those criteria for strong privacy so that might at
least provide a baseline for comparison.

>
>
>> For
>> instance, it's reasonable to assume that an address that is persistent
>> for 12 hrs. is less of privacy risk than one persistent for 24 hrs.
>
> "It depends" (of course). What else is the system doing? Simultaneously?
> etc.
>
>
>
>> But _how_much_better_ is this privacy benefit to the user? Is the
>> probability that a users privacy being compromised with a 12 hr.
>> address 50% of the probability of a 24 hr. address? Probably not!
>
> That depends on so many factors (apps being employed, activities taing
> place, etc., etc., etc.) which, IMO, if you expect to get any sort of
> "quantifier", it will be meaningless.
>
Right, so we're just left with providing unquantified "soft" guidance
to users for which privacy might be a critical concern.

>
>
>> Another problem with much of the guidance is that recommendations may
>> only be useful for a given point of time. For instance, RFC4941
>> recommends the default address change to be one hour. Even if that
>> provided good guidance ten years ago, it is almost certainly not
>> reasonable today.
>
> rfc4941bis is essentially an improvement of RFC4941bis (addressing known
> issues that are within the scope of RFC4941, and incorporate errata).
> What you want can't be addressed in rfc4941bis.
>
> draft-gont-6man-address-usage-recommendations-04 tries to elaborate on
> the problem statement.
>
>
>
>> The capabilities of attackers and data collection
>> has increased substantially so that they don't need nearly that much
>> time to do their work. In fact, we proposed a simple exploit in
>> draft-herbert-ipv6-prefix-address-privacy which would defeat any
>> frequency of address change to provide privacy except when a different
>> address is used per connection.
>
> I'll take a look at your I-D.
>
>
>
>>> RFC4941 just contains some default settings when your system is flying
>>> blind, because it has not idea of the requirements of the app employing
>>> the addresses.
>>>
>> Please look draft-herbert-ipv6-prefix-address-privacy. This deals with
>> the privacy implications off address particular the problems of of
>> assigning persistent prefixes to host devices (just changing IIDs is
>> not sufficient for privacy).
>
> I'll certainly take a look.
>
> That said: topologically-dependent information will certainly identify
> the node.
>
Yes, that is why we need identifier/locator split. Other than a
provider prefix, addresses wouldn't contain any topological
information.

> There's nothing you can do in terms of privacy when your upper node
> controls how you get your addresses (whether that's because you are
> leased addresses with DHCPV6, or whether because you are given a unique
> prefix).
>
Right, the privacy problem needs to be addressed in the network.
RFC4941 acknowledged this, but somehow addresses created per that RFC
came to be known as "privacy addresses".

>
>
>> Side note: I think your statements about APIs being so rigid that we
>> couldn't make necessary changes to ensure user privacy might be overly
>> pessimistic.
>
> I'm not saying they are rigid. THey are just *extremely basic* for the
> addressing capabilities of IPv6.

It would be interesting to see a proposed API.

>
>
>>  APIs are not written in stone and we can change them over
>> time. Also, there's a lot that can be done even without API changes.
>> For instance, if we are able to give the stack a pool of one-use
>> addresses, it would be particularly difficult to change address
>> binding for client communications to select from that pool. This
>> wouldn't effect applications that do explicit address binding, and for
>> the SMPT, POP3 these could opt-out (maybe by an environment variable).
>
> Doing that is just guesswork on other side (a different rehash of the
> guesswork in rfc4941). We should let app specify their requirements
> regarding IPv6 addressing. *They* know better.

I'm not convinced of that given recent revelations for some major
applications concerning privacy and addressing.

Tom

>
> Thanks,
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>

v2.23.0 | Report a Bug | By Email