draft-gont-6man-stable-privacy-addresses (was: Re: Meta comment about "3484bis and privacy addresses")

Fernando Gont <fgont@si6networks.com> Tue, 27 March 2012 14:59 UTC

On 03/27/2012 04:44 PM, Dominik Elsbroek wrote:
> since I got confused on the discussion in the plenary this morning: I
> think we have to consider that having a temporary address as defined
> in RFC 4941 does not prevent or even mitigate the scanning
> problem mentioned this morning in discussion.

Exactly. That's why we need stable privacy-enhanced addresses regardless
of whether one implements RFC 4941.


> Scanning MAC-address
> derived addresses on hosts using privacy extension remains possible and
> feasible since the privacy address is only an additional address. The
> address derived by the MAC address is still reachable and a valid
> address (like I have just tested on my macbook just to be sure). Thus
> it is still possible to scan an IPv6 network by iterating over the
> changing 24 bits.

Agreed.


> So I don't agree with the sentence: "Clearly, temporary addresses can
> help reduce the attack exposure window, since the lifetime of each
> IPv6 address is reduced when compared to that of addresses generated
> with the method specified in this document." in
> draft-gont-6man-stable-privacy-addresses-00.txt.

What I meant is that if the attacker knows the host addresses, then
attack exposure is a bit reduced for the temporary addresses, simply
because their lifetime is shorter. But yes, this "reduced exposure" is
really debatable. The lifetime of temporary addresses is usually long
enough that, in practice, they don't really reduce exposure.

I will try to fix this in the next rev. (thanks for pointing this out!)




> The only goal achieved by using a temporary address (_and_ using it)
> is privacy in that way, a website, or any other third party service,
> cannot track a user also in case of prefix changes. 

Well, draft-gont-6man-stable-privacy-addresses addresses this point,
without the management burden usually implied by temporary addresses.

Temporary addresses could, in some sense, prevent correlation of
different activities of the same node from the same network... but
unless you use an insanely short lifetime, the lifetime is long enough
that these addresses do not prevent much of this possible "correlation".


> In my opinion
> there is no security related reason to use privacy extension.

So far, there is/was, because we didn't/don't have yet standardized
stable privacy addresses...

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
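
Added example (not part of the original message or of the draft): an audit that flags MAC-derived interface identifiers among a host's addresses, next to a stable per-prefix identifier for comparison. The hash construction in `stable_iid` (SHA-256 over prefix, interface name and secret) is an assumption of this example, not the draft's algorithm, and all addresses, the MAC and the secret are constructed sample values.

```python
import hashlib
import ipaddress

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID: flip the universal/local bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", ""))
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]

def stable_iid(prefix: str, iface: str, secret: bytes) -> bytes:
    """Stable per-prefix IID as hash(prefix, interface, secret).
    SHA-256 and this input encoding are assumptions of the example."""
    net = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    return hashlib.sha256(net + iface.encode() + secret).digest()[:8]

def make_addr(prefix: str, iid: bytes) -> str:
    net = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    return str(ipaddress.IPv6Address(net + iid))

def mac_derived(addrs):
    """Return (address, OUI) for each address whose IID carries the ff:fe
    marker; with the OUI readable, only 24 bits of the IID are unknown."""
    found = []
    for a in addrs:
        iid = ipaddress.IPv6Address(a).packed[8:]
        if iid[3:5] == b"\xff\xfe":
            found.append((a, bytes([iid[0] ^ 0x02, iid[1], iid[2]]).hex(":")))
    return found

# Constructed sample data (documentation prefix and MAC range).
MAC = "00:00:5e:00:53:2a"
P1, P2 = "2001:db8:1::/64", "2001:db8:2::/64"
TEMP = "2001:db8:1:0:d1c3:77a0:4be2:9f10"   # stands in for an RFC 4941 address
SECRET = b"constructed-secret"

if __name__ == "__main__":
    slaac = make_addr(P1, eui64_iid(MAC))
    # Temporary address is additional: the MAC-derived one is still flagged.
    print(mac_derived([slaac, TEMP]))
    # The EUI-64 IID is identical on both prefixes; the stable IID is not.
    print(make_addr(P1, eui64_iid(MAC)), make_addr(P2, eui64_iid(MAC)))
    print(make_addr(P1, stable_iid(P1, "eth0", SECRET)),
          make_addr(P2, stable_iid(P2, "eth0", SECRET)))
```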