RE: draft-gont-6man-managing-privacy-extensions

Christian Huitema <> Fri, 01 April 2011 21:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CF9023A6991 for <>; Fri, 1 Apr 2011 14:51:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.58
X-Spam-Status: No, score=-10.58 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lQPPeI74nNbx for <>; Fri, 1 Apr 2011 14:51:16 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D97963A6981 for <>; Fri, 1 Apr 2011 14:51:16 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Fri, 1 Apr 2011 14:52:51 -0700
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Fri, 1 Apr 2011 14:52:51 -0700
Received: from ([]) by ([]) with mapi id 14.01.0270.002; Fri, 1 Apr 2011 14:52:50 -0700
From: Christian Huitema <>
To: "" <>, Fernando Gont <>
Subject: RE: draft-gont-6man-managing-privacy-extensions
Thread-Topic: draft-gont-6man-managing-privacy-extensions
Thread-Index: AQHL7v4pNFfXosTXMEm4VX/hGfn7FpRJHIGAgAByliA=
Date: Fri, 1 Apr 2011 21:52:50 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Apr 2011 21:51:19 -0000

We trust the router to transmit packets. We have to, otherwise we would not get connectivity. We can actually verify that by observing that packets are received by peers on the other side of the network. Depending on our level of paranoia, we can use various levels of end-to-end encryption to verify that we are indeed speaking to the right peer. We can elect to stop attempting to send packets through a particular router if we are not getting the forwarding service.

Configuring the prefixes is very linked to the routing function, so we can trust a router when it tells us that he will serve a particular prefix. Again, we can verify that using that prefix provides end-to-end connectivity.

Trusting the router to transmit packets does not mean trusting the router form something else, like configuring my security posture. 

-----Original Message-----
From: [] On Behalf Of Carlos Martinez-Cagnazzo
Sent: Friday, April 01, 2011 12:58 AM
To: Fernando Gont
Subject: Re: draft-gont-6man-managing-privacy-extensions

Hi all,

I do agree with Fernando that we need to be more clear on the trust models that we apply ( I don't think this is an issue only on 6man, it's a general thing ).

If we distrust some network element, then we distrust it for *any* purpose, not just for this or that bit. In this particular case, if we distrust the router we need to consider that a rogue router could do well, almost anything, including just capturing all your packets and uploading them to some place.

I'm not saying that concerns on trust boundaries should then be dismissed, but rather than we need to be more strict about them. We trust the network element or we don't, we can't trust it for some features but not for others.



On Wed, Mar 30, 2011 at 5:01 PM, Fernando Gont <>; wrote:
> Folks,
> At the 6man wg meeting, the aforementioned I-D was deemed "as a very 
> bad idea", because of its privacy implications.
> My question is: what's the trust model that leads to that conclusion?
> I mean, a host doing SLAAC trusts the router about the prefix to be 
> configured, default route, various network parameters (Hop Count, MTU, 
> etc.), recursive DNS resolver, etc.
> Why do folks consider that for some of this information, the router is 
> to be trusted, while for other (the SAG bits that our I-D specifies) 
> shouldn't?
> That aside, if a router is deemed as possibly malicious, even without 
> the SAG bits it could claim that DHCPv6 is needed, and then have the 
> DHCP server lease an address that embeds the source link-layer address 
> of the DHCPv6 request...
> *And*, as noted in the upcoming version that I had posted, the final 
> decision on which policy to apply is on de hands of the host (and not 
> the router).
> Thanks,
> --
> Fernando Gont
> e-mail: || PGP Fingerprint: 7809 
> 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> Administrative Requests:
> --------------------------------------------------------------------

Carlos M. Martinez-Cagnazzo
IETF IPv6 working group mailing list
Administrative Requests: