IETF Logo Mail Archive

Re: default-iids ready for WGLC? (Re: I-D Action: draft-ietf-6man-default-iids-10.txt)

Alissa Cooper <alissa@cooperw.in> Fri, 25 March 2016 19:32 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 213AF12D196 for <ipv6@ietfa.amsl.com>; Fri, 25 Mar 2016 12:32:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.721
X-Spam-Level:
X-Spam-Status: No, score=-2.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cooperw.in header.b=jL0YeR/I; dkim=pass (1024-bit key) header.d=messagingengine.com header.b=TVlSNjSJ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N9lUoZd5HE6n for <ipv6@ietfa.amsl.com>; Fri, 25 Mar 2016 12:32:09 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68C8012D0EF for <ipv6@ietf.org>; Fri, 25 Mar 2016 12:32:09 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id A86722096E for <ipv6@ietf.org>; Fri, 25 Mar 2016 15:32:08 -0400 (EDT)
Received: from frontend2 ([10.202.2.161]) by compute3.internal (MEProxy); Fri, 25 Mar 2016 15:32:08 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=ImC1hxxTVqi1IlAHp2ReA5hUbnE=; b=jL0YeR /IloVa5TMLpv/rm6Fncpgi5LSeGoW8PWXSHRTB9wvRKOgC3/60FZ05JoTpQUm0XZ +rp1w6Hot9hPBqXeN8gh11rMjzlsX3DyicQhHqfVziPTOKLOWcQchXLa9ksNFX63 /+X1H3xiD4Jc2MP6ezjmfH+QXdMSlJHMgPTNQ=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=ImC1hxxTVqi1IlA Hp2ReA5hUbnE=; b=TVlSNjSJU2rCI7PlPKTmoBNve2/CH3cLK2ZvmE38xSg25Mw rqkwEWVXUlxi6NY2k2jhNWpU5rSGZhsr3lpChdCXkAYwaXIEDZ8LEqSyHzH99AKF SDLEwmmrV1BBUySOQ07FTK8+MnCn84ma0naQP+2fGBRErbi83kUQ5u5+ux50=
X-Sasl-enc: Xu7wawhW0pC0LGLKNJWzV9+sTk5HKP7rhf8ISVrWfkgb 1458934328
Received: from dhcp-171-68-20-98.cisco.com (dhcp-171-68-20-98.cisco.com [171.68.20.98]) by mail.messagingengine.com (Postfix) with ESMTPA id D783368021D; Fri, 25 Mar 2016 15:32:07 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Subject: Re: default-iids ready for WGLC? (Re: I-D Action: draft-ietf-6man-default-iids-10.txt)
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <DM2PR0301MB0655E824D1D31AB7CC224365A8830@DM2PR0301MB0655.namprd03.prod.outlook.com>
Date: Fri, 25 Mar 2016 12:32:34 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <E5554904-BB73-42AE-9251-1471328239C0@cooperw.in>
References: <20160217110334.12586.6254.idtracker@ietfa.amsl.com> <56EACDE3.3020708@si6networks.com> <CAKD1Yr0xHUaZtgGr-_kDykP7xSzSOdwpucp60KZkzgnh8OEATw@mail.gmail.com> <56EBF1EE.4080105@si6networks.com> <CAKD1Yr0ffqhbfKt4w465eD7zg5XQu9URgF9FYH-XZcGVM-PjGg@mail.gmail.com> <56EBFF21.3010202@si6networks.com> <CAKD1Yr2VXmDfvzVk9g-PuKXkrNzF2JUrCeov27_U4eH_tUvOAA@mail.gmail.com> <56EC0ABB.4050608@si6networks.com> <CAKD1Yr2xDO+wsRtni-2oTCskxt5UsyY-tnf7nviXvjnqEWCAhQ@mail.gmail.com> <56EC29BE.7020802@si6networks.com> <CAO42Z2w+ezd9-K+xczTjA2pZz-it7v6=4E3LTHMhRfHG5B128A@mail.gmail.com> <CAKD1Yr1VEjQRW5VgpYNQYbK=ZcHvYrmvGuFoaJp=B5fD92dygw@mail.gmail.com> <56EFF988.4040703@si6networks.com> <CAKD1Yr2t8OJLgfPUFnabayku9jus+wc1ZhtEd__5Zj9enJcERw@mail.gmail.com> <56F07C82.2020400@si6networks.com> <CAKD1Yr3akJ1Fa=8Ch+nKzz_FO4+46AUPMfH8n8AbG1106PM79g@mail.gmail.com> <56F12754.4020209@innovationslab.net> <CAKD1Yr2SUNz5Vc0uzvOyXif9tgiyG3P=C1Gt6zxs5nux5Mj48w@mail.gmail.com> <56F3046D.4040700@si6networks.com> <DM2PR0301MB0655E824D1D31AB7CC224365A8830@DM2PR0301MB0655.namprd03.prod.outlook.com>
To: Christian Huitema <huitema@microsoft.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/tZ9j2M0AxwbI3fpzPWgnDZJFuQk>
Cc: Fernando Gont <fgont@si6networks.com>, Brian Haberman <brian@innovationslab.net>, IETF IPv6 Mailing List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2016 19:32:11 -0000

> On Mar 24, 2016, at 6:10 PM, Christian Huitema <huitema@microsoft.com> wrote:
> 
>>> What concerns me the most is that platforms that are already
>>> implementing MAC address randomization, and that have strong privacy
>>> requirements, should not be forced to implement RFC 7217, which from a
>>> privacy perspective is inferior to EUI-64 with MAC address randomization.
>> 
>> That has nothing to do with this document. If that's your concern, then
>> you're calling for an update to RFC4941, such that you do both random link-
>> layer addresses and temporary addresses with no stable addresses.
>> 
>> However, I'd say that you can probably get away with what you want, while
>> doing RFC7217, even without doing RFC4941: use your randomized MAC
>> address as the Net_Iface parameter, and your address will change as often
>> as your MAC address. From the point of view of achiving a stable address, I'd
>> say you chose the wrong surce of Net_Iface ;-), but it'll get what you want...
> 
> I am reading this discussion just now. I think that the issue is with the requirements stated in section, or precisely with what is not stated there. The first requirement stated is about stability, "The resulting Interface Identifiers remain stable for each prefix used with SLAAC within each subnet for the same network interface." That requires that when a mobile node visits a particular subnet, it should obtain exactly the same IID. 
> 
> Well, the practice of MAC Address Randomization goes against that. When a user decides to randomize the MAC address used on a particular link, the user expects that during the next visit to the link, after randomization, the interface will obtain a different address. Failing that would allow tracking through IID, and negate the privacy value of the randomization.
> 
> As Lorenzo points out, the simple solution is to use the randomized MAC address as the Net_Iface parameter specified for RFC7217. As far as I can tell, at least one stack is doing exactly that today.
> 
> Note that this is unrelated to whether IT admins allow randomized addresses, or whether a specific hardware supports it. If randomization is forbidden or unavailable, of course it will not be used and the address will not change. And the users will be easy to track.


Thinking this through, I think part of the difficulty with this kind of document is the gap between what is standardized and what is implemented. What we have today, from a standards perspective is:

(1) a bunch of specs that normatively specify embedding in an IID a MAC address as presently specified by IEEE 802 

(2) RFC 4941 which specifies a method for temporary address generation but indicates that such addresses can/should be generated alongside a MAC-based address

(3) RFC 7217 which specifies a method for generating a random address that stays stable per-subnet

Aside from what has been standardized, it sounds like what we also have are MAC addresses getting randomized more commonly, use of the method in 7217 to generate addresses that do not necessarily remain stable per subnet, and perhaps use of 4941 temporary addresses in isolation, without a stable address also configured.

If we want to replace (1) with something better from a security/privacy perspective, we have limited choices if we want to point to an existing standard. If we do not care about pointing to an existing standard, we could just list what the requirements are, and have all the specs that fall under (1) be updated to use some (unspecified) mechanisms that meet those requirements. Or we could first standardize mechanisms to cover all the cases that the requirements would cover, and then point to those mechanisms.

Personally I think requirements 2-4 in Sec. 3 of default-iids represent the minimum change that is worth updating all the specs that fall under (1). Adding a requirement or changing requirement 2 to speak to an address change per network connection/disconnection rather than per subnet would be reasonable if we decide to ditch requirement 1. From this discussion it sounds like adding a requirement against direct embedding of a link layer address in an IID may also be a good addition.

Alissa


> 
> -- Christian Huitema
> 
> 
> 
> 
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email