Re: [ipwave] Alissa Cooper's Discuss on draft-ietf-ipwave-ipv6-over-80211ocb-49: (with DISCUSS and COMMENT)
Alexandre Petrescu <alexandre.petrescu@gmail.com> Fri, 12 July 2019 11:02 UTC
Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: its@ietfa.amsl.com
Delivered-To: its@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BE911202E1; Fri, 12 Jul 2019 04:02:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.632
X-Spam-Level:
X-Spam-Status: No, score=-2.632 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgA-fyDzU5Hu; Fri, 12 Jul 2019 04:02:47 -0700 (PDT)
Received: from sainfoin-smtp-out.extra.cea.fr (sainfoin-smtp-out.extra.cea.fr [132.167.192.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 019D1120113; Fri, 12 Jul 2019 04:02:45 -0700 (PDT)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by sainfoin-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id x6CB2bR5018018; Fri, 12 Jul 2019 13:02:37 +0200
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id DDC46203CC9; Fri, 12 Jul 2019 13:02:37 +0200 (CEST)
Received: from muguet1-smtp-out.intra.cea.fr (muguet1-smtp-out.intra.cea.fr [132.166.192.12]) by pisaure.intra.cea.fr (Postfix) with ESMTP id C369B200C9C; Fri, 12 Jul 2019 13:02:37 +0200 (CEST)
Received: from [10.8.35.150] (is154594.intra.cea.fr [10.8.35.150]) by muguet1-sys.intra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id x6CB2bmW012036; Fri, 12 Jul 2019 13:02:37 +0200
To: Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
Cc: draft-ietf-ipwave-ipv6-over-80211ocb@ietf.org, its@ietf.org, cjbc@it.uc3m.es, ipwave-chairs@ietf.org, Barry Leiba <barryleiba@computer.org>
References: <156278324219.15531.9469512400534766331.idtracker@ietfa.amsl.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <645edc7b-8768-92bf-564e-93f8aa9e78f5@gmail.com>
Date: Fri, 12 Jul 2019 13:02:37 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <156278324219.15531.9469512400534766331.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: fr
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/its/2xRXq3Dsv7mtsh7rrOHLYziygdQ>
Subject: Re: [ipwave] Alissa Cooper's Discuss on draft-ietf-ipwave-ipv6-over-80211ocb-49: (with DISCUSS and COMMENT)
X-BeenThere: its@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPWAVE - IP Wireless Access in Vehicular Environments WG at IETF <its.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/its>, <mailto:its-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/its/>
List-Post: <mailto:its@ietf.org>
List-Help: <mailto:its-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/its>, <mailto:its-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 11:02:49 -0000
This is a difficult thing to do, and it needs some long reflection on my
side. But I would like to help progress the document.
Allow me to group below the privacy-related quotations from Alissa
Cooper, Barry Leiba and Roman Danyliw. This is in order to reduce the
number of emails that I send.
Le 10/07/2019 à 20:27, Alissa Cooper via Datatracker a écrit :
[...]
> ----------------------------------------------------------------------
>
>
>
>
>
>
>
> DISCUSS:
> ----------------------------------------------------------------------
>
>
>
>
>
>
>
> I support Roman's DISCUSS.
>
> Overall I am unclear on the privacy properties of what this document
> specifies.
Basically, at this stage the situation is that there are privacy issues
with talking cars and talking Road-Side Units. These issues can be
witnessed in all IP car trials that I looked at.
They come from:
- lack of implementation of RFC7217 ('privacy' IIDs) in the embedded
computers. To my knowledge no embedded linux displays obfuscated
(random) IIDs in IP LL addresses when typing ifconfig command.
- lack of common recommendation of how to generate a more obfuscated MAC
address ('random'). There is a recommendation at ETSI ITS, a
recommendation at Microsoft, and a recommendation at IEEE. These
three distinct recommendations are supposedly different. Others may
disagree.
- unknowns about the IPR status of the MAC generation techniques.
The places to explore are Microsoft, ETSI and IEEE. There are some
clarifications I received in private from something about Microsoft,
but more exploration is needed. BEcause, on my side, I do not want to
put here a method of MAC address generation that is protected by
somebody else.
> I think it would help to have a clear statement about the
> circumstances under which each kind of address generation scheme is
> recommended.
After much reflection, I express I agree with the need. It would be so
much helpful for implementer reading an RFC to see an algorithm in front
of his eyes telling what to implement, and what to not care about.
The recommendation could be something like this: if on your embedded
platform the RFC 7217 (privacy IIDs) implementation is available then
use it all while making sure the changes in IIDs dont break your
application; if they do, dont use it, and inform users there are
Privacy risks.
And I have some doubts. I often fear that it is not because we make
MUST RFC 7217 that it becomes implemented. There are good reasons from
implementers not to implement it.
Others think the contrary: put the MUST RFC 7217 in the I-D and the
implementers will have to.
So, I am some times tempted to just reflect the current situation (there
is no privacy) and develop later a method to protect.
But it is just my thoughts. Others may have another oppinion, that I am
curious to learn.
> Were RFC 4941 addresses not considered because addresses generated
> according to RFC 8064 have functionally equivalent properties given
> how often moving vehicle change subnets?
YEs, that is one reason why.
There are more reasons:
- rfc 4941 (privacy addresses) are not implemented in many embedded
systems. rfc 4941 and rfc 7217 (privacy addresses) are implemented
mainly in BSD and derivatives; these BSD flavors do not implement OCB;
given the choice, BSD is not used. There are other OSs specific to
embedded systems, and none has MAC address generations schemes, as far
as I know.
- stable link-local addresses are needed when forming subnets of cars,
because there are routing table entries with next hop values that must
stay stable. (worse, they should be easily remembered by humans in the
beginning, and even the LL addresses EUI64 are hard to work with).
> For link-local addresses, is it possible to give recommendations for
> when IIDs should be re-generated?
It is possible.
On my side I do not want to do it (re-generate), because I have never
tried to regenerate. I do not want it.
There are groups of people at ETSI and some trials that do consider
re-generations of LL address. This implies re-generatin of certificates
as well. These certificates are not openly available; they depend on
closed-circuit CAs. They are hard to test and dont scale to large
sizes. They are hard to access.
I do not want to get in the way of satisfying the request of giving
recommendations for when IIDs should be re-generated. Maybe a
recommendation should be given by somebody trying it.
Barry Leiba wrote recently:
>>>> If semantically opaque IIDs are needed, they MAY be generated
>>>> using the method for generating semantically opaque IIDs
>>>
>>> This isn’t wrong with the “MAY”, but I think it really is just a
>>> non-keyword “may”.
I tend to agree. It is a non-keyword 'may'.
>>>> In 802.11-OCB networks, the MAC addresses MAY change during
>>>> well defined renumbering events.
>>>
>>> Also a statement of fact, so “may”.
I agree.
Roman Danyliw wrote recently:
> ** What specific ETSI protocols are being recommended from
> [ETSI-sec-archi]?
I do not know for sure myself. One would ask Jérôme Härri.
I looked myself at the public document referred (ETSI TS 102 940 V1.2.1
(2016-11)). I could find a recommendation to generate MAC address:
"shall be derived from the identifier provided by the Security Entity in
the ID change notification". (the "ID Change Notification" seems to be
an application layer message).
From my side, I do not agree with this method to generate more
obfuscated MAC addresses.
I have some ideas how to generate more obfuscated MAC addresses, but
certainly not in that ETSI way.
> ** What is meant by the drivers’ identity in this case?
There is activity at Gemalto now Thales about e-Driver's License.
Supposedly that is an electronic format of a driver's license that is
more accessible. I think that driver's license in some countries have
no electronic equivalent at this time.
The trials of electronic Driver's License happened mostly in America,
and were probably totally absent in Europe.
That is all I know.
> What is the pseudonym scheme is being used to protect it or what
> requirements are being set for it?
I do not know myself.
> ** What are the specific challenges of concern around
> pseudo-anonymization approaches to which an allusion is made?
>
> ** Who is the trusted third parted needed?
There is no trusted third party in the automotive networks. There are a
few efforts to build national Certificate Authorities, European
automotive PKIs, and similar. Most are backed by trials. But there is
no universally agreed CA (like is e.g. Verisign in the Internet world).
They are all expensive to access, and some times even impossible.
What is needed is that the automotive networks use the CAs from Internet.
What is needed is that the automotive networks use the CAs from Internet.
Alex
- [ipwave] Alissa Cooper's Discuss on draft-ietf-ip… Alissa Cooper via Datatracker
- Re: [ipwave] Alissa Cooper's Discuss on draft-iet… Nabil Benamar
- Re: [ipwave] Alissa Cooper's Discuss on draft-iet… Alissa Cooper
- Re: [ipwave] Alissa Cooper's Discuss on draft-iet… Nabil Benamar
- Re: [ipwave] Alissa Cooper's Discuss on draft-iet… Alexandre Petrescu
- Re: [ipwave] Alissa Cooper's Discuss on draft-iet… Alexandre Petrescu
- Re: [ipwave] Alissa Cooper's Discuss on draft-iet… Alexandre Petrescu
- Re: [ipwave] Alissa Cooper's Discuss on draft-iet… Alissa Cooper
- Re: [ipwave] Alissa Cooper's Discuss on draft-iet… Nabil Benamar