IETF Logo Mail Archive

Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt

Fernando Gont <fernando@gont.com.ar> Fri, 30 March 2018 23:50 UTC

Return-Path: <fernando@gont.com.ar>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF41C12DA0A for <ipv6@ietfa.amsl.com>; Fri, 30 Mar 2018 16:50:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZPR_fZhJn-Oc for <ipv6@ietfa.amsl.com>; Fri, 30 Mar 2018 16:50:01 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CF7B12D947 for <ipv6@ietf.org>; Fri, 30 Mar 2018 16:50:01 -0700 (PDT)
Received: from [192.168.0.40] (94-30-115-91.xdsl.murphx.net [94.30.115.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 133BF80720; Sat, 31 Mar 2018 01:49:57 +0200 (CEST)
Subject: Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt
To: Tom Herbert <tom@herbertland.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, Tim Chown <Tim.Chown@jisc.ac.uk>, 6man <ipv6@ietf.org>
References: <152203605148.3066.2744350974766846700@ietfa.amsl.com> <2c561929-98dc-beac-7916-20af889956a4@gmail.com> <50B5C57C-523B-437C-AD74-3F641648EA42@jisc.ac.uk> <803efd39-f488-7b97-cc34-232bc92c7623@gmail.com> <f728c0f7-512d-9d6d-7f76-03cead98d2f5@gont.com.ar> <7f2d9de6-fabe-e033-c3ad-21044e6054af@gmail.com> <42fc2c96-06cd-74e4-1ad3-34fef88e6611@gont.com.ar> <CALx6S37FsLEaonf2Ai489fTmvt-dcNUWfTrz=Ux=o42ATedGXw@mail.gmail.com> <6748ddbf-10ad-350d-38d5-d12455fc5332@gont.com.ar> <CALx6S3542ZEN7ed07ZK6uVv7kVBcy47R+unXuiuTgQX03r92tw@mail.gmail.com>
From: Fernando Gont <fernando@gont.com.ar>
Message-ID: <6c366b8c-d572-f17f-5226-6ac0e9cf6a8a@gont.com.ar>
Date: Sat, 31 Mar 2018 00:35:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CALx6S3542ZEN7ed07ZK6uVv7kVBcy47R+unXuiuTgQX03r92tw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/xtiyHF1lUm7_WzNcmMPk4C6sjLI>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Mar 2018 23:50:08 -0000

On 03/29/2018 05:59 PM, Tom Herbert wrote:
> Hi Fernando,
> 
> I may be missing it, but I don't see in the draft where it directly
> answers the question: "How often (literally what frequency) must IPv6
> addresses be changed to ensure privacy?".

There's no answer for such question.  Network activity can be correlated
as long as you  reuse the same address. So, if you want no correlation
at all (to the extent of RFC4941), then you'd never reuse an IPv6
address. Again see
https://tools.ietf.org/html/draft-gont-6man-address-usage-recommendations-04



>  And if there are
> applications that don't tolerate address change across connections,
> then what are the exact requirements for dealing rectify the frequency
> of change they can tolerate with the frequency needed for privacy?

As noted in draft-gont-6man-address-usage-recommendations-04, we need
appropriate APIs to fully leverage IPv6 addressing. At the very least,
for apps to be able to specify desired addressing properties such as
"stability".



> The common problem with nearly any discussion on privacy and
> addressing is that the effects of proposed guidance are seemingly
> never quantified. Statements like "The longer an address is employed
> (i.e., the more stable it is), the longer such correlation will be
> possible." are intuitively true, but they're not quantifiable
> statements from which we can elicit any actionable guidance.

What kind of quantification would you expect?



> For
> instance, it's reasonable to assume that an address that is persistent
> for 12 hrs. is less of privacy risk than one persistent for 24 hrs.

"It depends" (of course). What else is the system doing? Simultaneously?
etc.



> But _how_much_better_ is this privacy benefit to the user? Is the
> probability that a users privacy being compromised with a 12 hr.
> address 50% of the probability of a 24 hr. address? Probably not!

That depends on so many factors (apps being employed, activities taing
place, etc., etc., etc.) which, IMO, if you expect to get any sort of
"quantifier", it will be meaningless.



> Another problem with much of the guidance is that recommendations may
> only be useful for a given point of time. For instance, RFC4941
> recommends the default address change to be one hour. Even if that
> provided good guidance ten years ago, it is almost certainly not
> reasonable today.

rfc4941bis is essentially an improvement of RFC4941bis (addressing known
issues that are within the scope of RFC4941, and incorporate errata).
What you want can't be addressed in rfc4941bis.

draft-gont-6man-address-usage-recommendations-04 tries to elaborate on
the problem statement.



> The capabilities of attackers and data collection
> has increased substantially so that they don't need nearly that much
> time to do their work. In fact, we proposed a simple exploit in
> draft-herbert-ipv6-prefix-address-privacy which would defeat any
> frequency of address change to provide privacy except when a different
> address is used per connection.

I'll take a look at your I-D.



>> RFC4941 just contains some default settings when your system is flying
>> blind, because it has not idea of the requirements of the app employing
>> the addresses.
>>
> Please look draft-herbert-ipv6-prefix-address-privacy. This deals with
> the privacy implications off address particular the problems of of
> assigning persistent prefixes to host devices (just changing IIDs is
> not sufficient for privacy).

I'll certainly take a look.

That said: topologically-dependent information will certainly identify
the node.

There's nothing you can do in terms of privacy when your upper node
controls how you get your addresses (whether that's because you are
leased addresses with DHCPV6, or whether because you are given a unique
prefix).



> Side note: I think your statements about APIs being so rigid that we
> couldn't make necessary changes to ensure user privacy might be overly
> pessimistic.

I'm not saying they are rigid. THey are just *extremely basic* for the
addressing capabilities of IPv6.


>  APIs are not written in stone and we can change them over
> time. Also, there's a lot that can be done even without API changes.
> For instance, if we are able to give the stack a pool of one-use
> addresses, it would be particularly difficult to change address
> binding for client communications to select from that pool. This
> wouldn't effect applications that do explicit address binding, and for
> the SMPT, POP3 these could opt-out (maybe by an environment variable).

Doing that is just guesswork on other side (a different rehash of the
guesswork in rfc4941). We should let app specify their requirements
regarding IPv6 addressing. *They* know better.

Thanks,

-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

v2.23.0 | Report a Bug | By Email