Feedback on draft-gont-6man-stable-privacy-addresses-01 (was: Re: Consensus call on adopting:....)
Fernando Gont <fgont@si6networks.com> Fri, 13 April 2012 21:10 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4FAB11E810B for <ipv6@ietfa.amsl.com>; Fri, 13 Apr 2012 14:10:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.549
X-Spam-Level:
X-Spam-Status: No, score=-1.549 tagged_above=-999 required=5 tests=[AWL=-0.019, BAYES_00=-2.599, DATE_IN_PAST_06_12=1.069]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kjZUmLXg+iG4 for <ipv6@ietfa.amsl.com>; Fri, 13 Apr 2012 14:10:25 -0700 (PDT)
Received: from srv01.bbserve.nl (unknown [IPv6:2a02:27f8:1025:18::232]) by ietfa.amsl.com (Postfix) with ESMTP id 0A98411E810A for <ipv6@ietf.org>; Fri, 13 Apr 2012 14:10:23 -0700 (PDT)
Received: from 130.41-14-84.ripe.coltfrance.com ([84.14.41.130] helo=[192.168.102.30]) by srv01.bbserve.nl with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <fgont@si6networks.com>) id 1SInku-0006Rh-06; Fri, 13 Apr 2012 23:10:08 +0200
Message-ID: <4F882A44.3080305@si6networks.com>
Date: Fri, 13 Apr 2012 15:29:40 +0200
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: Karl Auer <kauer@biplane.com.au>
Subject: Feedback on draft-gont-6man-stable-privacy-addresses-01 (was: Re: Consensus call on adopting:....)
References: <E7607B61-9889-43A9-B86B-133BD4238BA2@gmail.com> <1334276068.3945.408.camel@karl>
In-Reply-To: <1334276068.3945.408.camel@karl>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2012 21:10:25 -0000
Hi, Karl, Thanks so much for your feedback! Please find my comments inline... ["Subject" changed so that this discussion doesn't mix up with the poll] On 04/13/2012 02:14 AM, Karl Auer wrote: > That said, I have some comments. My apologies if I have missed some > discussion where these were covered already: > > 1: I'm unsure about this bit: > > IPv6 implementations conforming to this specification > MUST generate interface identifiers using the algorithm > specified in this section. > > While this does not explicitly *say* that other interface identifiers > MUST NOT be used, that interpretation seems to be possible. Good point. Maybe we could replace that para with: "IPv6 implementations conforming to this specification MUST generate interface identifiers using the algorithm specified in this section in replacement of Modified EUI-64 format identifiers." ? > A hint that > stable addresses may be used alongside privacy addresses, is found in > the sentence: > > On the other hand, in scenarios in which "Privacy Extensions" > are employed, implementation of the mechanism described in this > document would [...] > > Section five does mention replacing IEEE-based interface IDs, but I > think it needs to be stronger, one way or the other. The document should > make clear which other mechanisms it excludes, if any - for example, > that a host using this mechanism SHOULD NOT (MUST NOT?) also generate > interface IDs based on IEEE identifiers but MAY also use privacy > extensions. See also point 4 below. Please let me know if the suggested change (above) is okay, or whether you think it would be better to include an additional note with something along the lines of "That is, they MUST NOT employ Modified EUI-64 format identifiers, but MAY still implement RFC 4941 in addition to the algorithm specified in this document". > 2: What exactly is a "serial number"? Some number that varies from one machine to another, which is not expected to be known by an attacker. > Do all machines, even > small/embedded etc machines, have a serial number? Now that you mention it, I think I should tweak the corresponding text, making inclusion of such serial number a "MAY". > Seems to me that the > algorithm should use a default value, such as zero, for the "serial > number" if none is available OR should fail to generate a secret key > (and thus fail to generate interface IDs later). My preference would be > for the first of these - i.e., a default. Agreed. Either that, or simply not include the serial number if it's not available. > 3: Related to the previous point, if it is possible to fail to generate > a secret key, It shouldn't be possible. The idea is that the secret key is set to a random number (by default). > 4: Assuming point 1 above has relevance, and a host using this algorithm > MUST NOT also use IEEE-based interface IDs, then a host which fails to > generate a stable address for any reason MUST NOT fall back to the use > of IEEE-based interface IDs. Why? Because that would expose the host to > precisely the disadvantages that the stable addresses were supposed to > prevent. Agreed. But this would be implied when we say "... MUST use this algorithm in replacement of Modified EUI-64 format identifiers"? > 5: Duplicate address detection is not mentioned explicitly, but probably > should be - what happens if a host does DAD and determines that its > stable address is already in use? Address configuration fails. Note: I didn't discuss DAD because to some extent *what* you do is not discussed in the traditional-SLAAC specs. That said, if deemed appropriate, one could include one additional byte, "DAD" in the hash function, which is initialized to 0, and that is incremented by 1 if the host wants to try a different address if/when DAD fails. If we do that, the implementations should probably cache the resulting address, such that it is stable. (otherwise the resulting address might change if the same node was brought up while the node with the conflicting address is off). > 6: The interface IDs generated are 64 bits long. I think it should be > stated explicitly that this algorithm MUST NOT be used where the prefix > is not 64 bits long. Actually, this algorithm could still be used with longer prefixes (i.e., fewer bits for the IID). So I'm not sure whether we should include this requirement. e.g., if we were to eventually allow non-/64 autoconfigured addresses, this algorithm could be use without any changes (while the traditional MAC-based identifiers couldn't). (Note: Just me thinking out loud). > 7: Add "An implementation SHOULD provide the means for the user to > enable and disable the use of stable addresses." May be s/stable addresses/this specification/? That said, I think we should probably note what nodes are supposed to be done with this specification as a whole. Me, I'd argue that "nodes SHOULD employ generate IIDs with this algorithm in replacement of Modified-EUI 64 format identifiers" -- since we clearly want to move away from MAC-based IIDs. (Note that this is a different issue from item #1 above: Item #1 above is about what you should do if you implement this spec, while the point that I'm making in the previous paragraph is that you SHOULD implement this spec). Thoughts? > 8: This may be a bit out of scope, but it occurs to me that being able > to specify a static interface identifier and have it used in any > (64-bit) prefix would also be useful in some contexts. That is, have an > address which is stable, but explicitly specified. The problem is that as soon as you use a static identifier, you can be tracked. -- Yes, you may argue that if your identifiers is "::1", then it's very likely that many other systems will be using the same identifier, and hence it would not be of much help to an attacker for tracking purposes.... but I'd say that's walking a fine line. Additionally, I'd argue that in order to have such thing, then 1) You'd need to manually configure your address each time you move from one network to another (as with manual configuration requires you to set the whole address, rather than just the IID bits), or, 2) You should be using e.g. Windows algorithm for generating the IIDs, which is sub-optimal, since they mitigate only host-scanning attacks and not host-stacking attacks. That said, I wonder what the use might be. e.g., would the user be expected to remember all the bits from the IID, and then say "ok, the prefix we're using on this net is [blah..blah], so the resulting IPv6 address of the host with known IID is blah-blah"? -- If that's the expected use case, then I'd argue that you should be doing mDNS, LLNR, or DNS dynamic updates.... Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- Consensus call on adopting: <draft-gont-6man-stab… Bob Hinden
- RE: Consensus call on adopting: <draft-gont-6man-… Manfredi, Albert E
- Re: Consensus call on adopting: <draft-gont-6man-… Karl Auer
- Re: Consensus call on adopting: <draft-gont-6man-… Brian E Carpenter
- Re: Consensus call on adopting: <draft-gont-6man-… Eliot Lear
- Re: Consensus call on adopting: <draft-gont-6man-… Tim Chown
- Re: Consensus call on adopting: <draft-gont-6man-… Fernando Gont
- Feedback on draft-gont-6man-stable-privacy-addres… Fernando Gont
- Re: Consensus call on adopting: <draft-gont-6man-… Fernando Gont
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Karl Auer
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Washam Fan
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Karl Auer
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Tim Chown
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fernando Gont
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Karl Auer
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fernando Gont
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fernando Gont
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Tim Chown
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Brian E Carpenter
- Tokenized addresses (was: Re: Feedback on draft-g… Fernando Gont
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fred Baker
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fernando Gont
- RE: Feedback on draft-gont-6man-stable-privacy-ad… Christian Huitema
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fred Baker
- RE: Feedback on draft-gont-6man-stable-privacy-ad… Christian Huitema
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fred Baker
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fernando Gont
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fernando Gont
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fred Baker
- RE: Feedback on draft-gont-6man-stable-privacy-ad… Christian Huitema
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fernando Gont
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Fernando Gont
- Re: Feedback on draft-gont-6man-stable-privacy-ad… Tina TSOU
- Re: Consensus call on adopting: <draft-gont-6man-… Jong-Hyouk Lee
- Re: Consensus call on adopting: <draft-gont-6man-… Eliot Lear
- Re: Consensus call on adopting: <draft-gont-6man-… Fernando Gont
- Re: Consensus call on adopting: <draft-gont-6man-… Eliot Lear
- Re: Consensus call on adopting: <draft-gont-6man-… Fernando Gont
- Re: Consensus call on adopting: <draft-gont-6man-… Dominik Elsbroek
- Re: Consensus call on adopting: <draft-gont-6man-… Mohacsi Janos
- Re: Consensus call on adopting: <draft-gont-6man-… Fernando Gont
- Re: Consensus call on adopting: <draft-gont-6man-… Mohacsi Janos
- Re: Consensus call on adopting: <draft-gont-6man-… Fernando Gont
- Re: Consensus call on adopting: <draft-gont-6man-… Ole Trøan
- Re: Consensus call on adopting: <draft-gont-6man-… Fernando Gont
- Re: Consensus call on adopting: <draft-gont-6man-… Bob Hinden
- Re: Consensus call on adopting: <draft-gont-6man-… Fernando Gont
- Re: Consensus call on adopting: <draft-gont-6man-… RJ Atkinson
- Re: Consensus call on adopting: <draft-gont-6man-… Randy Bush
- Re: Consensus call on adopting: <draft-gont-6man-… Bob Hinden
- Re: Consensus call on adopting: <draft-gont-6man-… Randy Bush
- Re: Consensus call on adopting:<draft-gont-6man-s… Brian E Carpenter