IETF Logo Mail Archive

Re: 6man w.g. last call for <draft-ietf-6man-default-iids-11.txt>

Mark Smith <markzzzsmith@gmail.com> Tue, 17 May 2016 22:23 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE8C212DAB2 for <ipv6@ietfa.amsl.com>; Tue, 17 May 2016 15:23:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.197
X-Spam-Level:
X-Spam-Status: No, score=-2.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LiegVvkuA6xZ for <ipv6@ietfa.amsl.com>; Tue, 17 May 2016 15:23:11 -0700 (PDT)
Received: from mail-vk0-x233.google.com (mail-vk0-x233.google.com [IPv6:2607:f8b0:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4D6B12DAAC for <ipv6@ietf.org>; Tue, 17 May 2016 15:23:10 -0700 (PDT)
Received: by mail-vk0-x233.google.com with SMTP id s184so38741862vkb.3 for <ipv6@ietf.org>; Tue, 17 May 2016 15:23:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=rPJIKM1JDI8u9UOXBZIeqiTxLQnW4i0bgCfgpyTm/Jk=; b=nJhNZ51xTwODnMScVyljKuFYrEJNNSBMvnErKJ9Pk8j3AabWAzoQ59vJtk1E6gyP4O s+banyknIMbGg/O3sNfJFh9cGHmjXellSPcgRaQNSAIWtvLapvNbQxyyw2z+3RFvtnvI Vg1PbER9PFk1a1fQXEKvxd+bHI18EYJkFB+TePWKeDFHNJpwQak3fi0glAjsSka6ew/a 9IiCGoIEyNYsFgvx0WaqfbRIvb6cm2LxKTFqyCTVjSAM4Y7MvCW9a3v7Mge+LpYrVeCG vzf7zfxAG0TD1TKJWqGXQogTrJC5/FZ/DVhay+fUtoknlK3hqVt69Phx+5RXMZvvTD6u TEHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=rPJIKM1JDI8u9UOXBZIeqiTxLQnW4i0bgCfgpyTm/Jk=; b=UV8jCZc0ExTjIjDTJUmrZ3oBZIdGyPsStnZSTDRupswVofxTXfB8JurkifZup3YgnW AYiNXmNyAhgVrFyheeXt8wbZb9rCQHI4omaVvcJxxUb+H2jvL9ptVQw17Ps8ejIEEvIm aXnOmQ1PDQ3kCBKGWfuJ7p82Mxdi5Jy0HHRXx4xSHzEqMf66r2U+1rwF1+ET62BSgXP6 V+igSEGM6AS6uX4H73gArqrNyT6XfP037VtlhJ0usib/9QjHKWO0nciuh7EnI05KFQap wt01A+E0FLebgT1TxAEg0EDdNCjAbX50EJQiyFE9GADOKgSsmordXadalUaPsX78kfm5 3+SA==
X-Gm-Message-State: AOPr4FWSlmFsr6egcFCIx/D4h5GHnw9P3XTlQ7P0TEpHMsBNDhPYKVAVfncTE4RWoeIWuYDoc3Wk2x93jOe/6w==
MIME-Version: 1.0
X-Received: by 10.31.51.11 with SMTP id z11mr2018323vkz.150.1463523789769; Tue, 17 May 2016 15:23:09 -0700 (PDT)
Received: by 10.176.3.168 with HTTP; Tue, 17 May 2016 15:23:09 -0700 (PDT)
Received: by 10.176.3.168 with HTTP; Tue, 17 May 2016 15:23:09 -0700 (PDT)
In-Reply-To: <CAKD1Yr2Km2A6XO8nvNv31Ti_Rr2j4gse1KLadJPcrgFMKyzszw@mail.gmail.com>
References: <20160428004904.25189.43047.idtracker@ietfa.amsl.com> <89CA2C18-AE61-4D40-8997-221201835944@gmail.com> <6f2edbbc-d208-03a0-3c33-503a05c0bee8@gmail.com> <CAKD1Yr1So_tFFSr=sk8ew-UJG-dWK=U6N9mwJnwkZdNX=__SVQ@mail.gmail.com> <11cf3f90-e693-a640-a372-f419a8f7a1a0@gmail.com> <CAKD1Yr0OPuSmp-OWG-+ZjDsHucQYTG2PMZw7jdiU=4kQqK+tyQ@mail.gmail.com> <663debf7-cfba-b19b-92ef-89cc66b452d8@gmail.com> <CAKD1Yr2Km2A6XO8nvNv31Ti_Rr2j4gse1KLadJPcrgFMKyzszw@mail.gmail.com>
Date: Wed, 18 May 2016 08:23:09 +1000
Message-ID: <CAO42Z2yGEoHunw12fCKvQ=gBmE+M1MO-rSbVS94cGRTEk1zfog@mail.gmail.com>
Subject: Re: 6man w.g. last call for <draft-ietf-6man-default-iids-11.txt>
From: Mark Smith <markzzzsmith@gmail.com>
To: Lorenzo Colitti <lorenzo@google.com>
Content-Type: multipart/alternative; boundary="001a114475989c110a0533112f76"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/xZDy4Iufee5Bl_MK8zMtd9VJ3ek>
Cc: 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 May 2016 22:23:14 -0000

On 14 May 2016 1:29 PM, "Lorenzo Colitti" <lorenzo@google.com> wrote:
>
> On Sat, May 14, 2016 at 12:00 PM, Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:
>>
>> Because if someone is trying to correlate different types of my traffic,
>> let's say something sent over IPX and something sent over IPv6, the task
>> will be made easier if the lower 48 bits are the same in both types of
>> traffic. (Obviously, someone on-link can use ND to correlate MAC address
>> and IP address, so we're talking about someone observing off-link
packets.)
>
>
> That seems extremely unlikely to happen in practice, given that the vast
majority of hosts either don't have an IPX stack at all or have it disabled
by default, and embedding a MAC address in a protocol payload is not very
useful so people tend not to do it.
>
> By contrast, here is one weakness that is pretty much mandated by this
draft as written: because addresses have to be stable, any remote attacker
anywhere on the Internet that ever exchanges a packet with that host can
track it every time the host visits the same network, *forever*, with no
recourse. Section 3 point 1.
>

Already fixed, RFC6724:

"5. Changed the default recommendation for Source Address Selection Rule 7
to prefer temporary addresses rather than public addresses, while providing
an administrative override (in addition to the application-specific
override that was already specified). This change was made because of the
increasing importance of privacy considerations, as well as the fact that
widely deployed implementations have preferred temporary addresses for many
years without major application issues."

Most hosts that will use these addresses as source addresses for their
packets are unlikely to move around and will value stability - servers
providing services to clients and router and other infrastructure devices'
interfaces.

If a client hosts use these types of addresses for their out bound
connection source addresses, then privacy addresses have been actively
switched off for some reason or are not and have never been available (e.g.
router interfaces). In other words, a conscious choice has been made to
disable privacy. That may or may not be a good idea in that context and in
others' external opinion, however we can't stop people doing stupid things,
we've just got to encourage them to do the right thing either implicitly or
explicitly by choosing good defaults.

This is a better default than EUI-64 based IIDs for when privacy addresses
aren't used or available (by choice).

Regards,
Mark.

> Either we fix that or we stop asserting that this draft is motivated by
privacy considerations.
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email