IETF Logo Mail Archive

Re: [Madinas] I-D Action: draft-ietf-madinas-mac-address-randomization-10.txt

CARLOS JESUS BERNARDOS CANO <cjbc@it.uc3m.es> Thu, 22 February 2024 09:40 UTC

Return-Path: <cjbc@it.uc3m.es>
X-Original-To: madinas@ietfa.amsl.com
Delivered-To: madinas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0038C14CE3B for <madinas@ietfa.amsl.com>; Thu, 22 Feb 2024 01:40:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.006
X-Spam-Level:
X-Spam-Status: No, score=-7.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=it.uc3m.es
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Maa19trRPNHQ for <madinas@ietfa.amsl.com>; Thu, 22 Feb 2024 01:40:51 -0800 (PST)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4D13C14F616 for <madinas@ietf.org>; Thu, 22 Feb 2024 01:40:51 -0800 (PST)
Received: by mail-lj1-x22c.google.com with SMTP id 38308e7fff4ca-2d22fa5c822so63004681fa.2 for <madinas@ietf.org>; Thu, 22 Feb 2024 01:40:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=it.uc3m.es; s=google; t=1708594849; x=1709199649; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CFl9PjPyIdFr1eNGrOeL7jHo2Phq/Qlc/wV5DQVdDFc=; b=L6vr7b5byO/ZphkHCK62zjqiG5pMoQbZgjvB+DR6NY41ufQKznpJaT10JKUVZxLv0s Afvgt4fw0ZbO0Rtc2rHiTVy6PWBbPcgP+EYmnrtumiBeGkGZFED5IA2g0XU9oMN8gNRk WnFlqLTU6P6nrDE7htvlTjWKNurpL78KUqXjKOCmeOga1xvq2M7TJpf6M095TPCoAc6u jvkTRtoTOumGwfXADwmv682gtVsDYt+6yPAV+Kr6CBfh+nm5UZDUhjZuz71t4B/LtXAY puHtWvniHq8QAXeWaLJXgmO4etcxoBGxNkBD2/O3+ktQ8sM4ARfwYBCNwvUwYuQ2YsGi 1uow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708594849; x=1709199649; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=CFl9PjPyIdFr1eNGrOeL7jHo2Phq/Qlc/wV5DQVdDFc=; b=TscegKjOEcUIiXNUwKuAZCOVq+ZNzvC8cKR4gvwNAnMTSF+CoWz7xznSYqpRov6bKE oKDCyZVdGpQugl3CWvkgTk4VfhDllSpxGB7Nw5Mx1UZhk1j/5KHGLx2fIJ5SSHuMeRCs xQvXq8qxDoFisHKeN386e5K1JTyDtACkg5UPbw0ehI1z8aWD1mCXouyvrx0Wy0ihbM38 lKM/GAgjfQ/o8anrvlJVGJhLpDw/RrCayg8MxsFcAZ+NEB80YZ443zBlS2l5awFJgeoQ 01PaRtvSSOxjZg+GGXX6EVPtjKzoRJCzpeUdFVrjkxns5tyC6vVADdkndPavnzfAqLkt 1Lxg==
X-Gm-Message-State: AOJu0Ywr2VBuFXUZ7n/MGL7VcUAIRlN1M4DCoBFBhmvVNWR8V2Xe7x1K powfiTZKtQNgBdUeL/Y/+pqObhu0pqLNsyX1lvihGPAsQSzY7bmEiZ6hGgt8+WCiBsW/Tn4tQPg YCqav+v2UPYzoJUv0bveVe7PCF2VsWqpd3UJKDJBdBH0t632t6gNj9P3K
X-Google-Smtp-Source: AGHT+IFU4Fhtum5YgqFz+OHEl6kQL3MmdhuQy3bbZJH5PNIBHfhU6g40bwwHDpXhLLn9mGZVLw6+Wklmmy6XSBoKxas=
X-Received: by 2002:a05:651c:220c:b0:2d2:30b8:fbe2 with SMTP id y12-20020a05651c220c00b002d230b8fbe2mr13503656ljq.43.1708594848866; Thu, 22 Feb 2024 01:40:48 -0800 (PST)
MIME-Version: 1.0
References: <170497095275.13340.12464306135239574020@ietfa.amsl.com> <E8162B32-363A-4B7C-86D6-5D7B2AD1F03E@gmail.com> <CALypLp-2cuBo-4t=Fu6F2y0DqOjsy3_vqhdYfzyJiEraVZi0xQ@mail.gmail.com> <FCE4EEAF-D7BC-49F5-94AA-80D6D9E286B0@gmail.com> <CALypLp9usT2b8U4qxjr=QRixvwTHhNwFi6B5i_fZ+HxdK7OpgQ@mail.gmail.com> <706C6A9B-965A-4587-8544-7BAA0C30EF4A@gmail.com>
In-Reply-To: <706C6A9B-965A-4587-8544-7BAA0C30EF4A@gmail.com>
From: CARLOS JESUS BERNARDOS CANO <cjbc@it.uc3m.es>
Date: Thu, 22 Feb 2024 10:40:33 +0100
Message-ID: <CALypLp-fU+vNB75rTDa8zyqWs=vQk+eeA+AwtnmZ7XrvboBqGQ@mail.gmail.com>
To: Bob Hinden <bob.hinden@gmail.com>
Cc: madinas@ietf.org
Content-Type: multipart/alternative; boundary="000000000000087c380611f53dba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/madinas/NvAW7kgd6D3exHjI8pD9tP1Sl2w>
Subject: Re: [Madinas] I-D Action: draft-ietf-madinas-mac-address-randomization-10.txt
X-BeenThere: madinas@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: MAC Address Device Identification for Network and Application Services <madinas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/madinas>, <mailto:madinas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/madinas/>
List-Post: <mailto:madinas@ietf.org>
List-Help: <mailto:madinas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/madinas>, <mailto:madinas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2024 09:40:56 -0000

Thanks a lot Bob for your comments. Please see inline below.

On Wed, Feb 21, 2024 at 6:28 PM Bob Hinden <bob.hinden@gmail.com> wrote:

> Carlos,
>
> Greatly improved, thanks very much!
>
> A few suggested edits and comments to Section 6 below.
>
> Bob
>
>
> 6.  MAC randomization in IETF Protocol Standards
>
>    [RFC4862] specifies Stateless Address Autoconfiguration (SLAAC) for
>    IPv6, which typically results in hosts configuring one or more
>    "stable" addresses composed of a network prefix advertised by a local
>    router, and an Interface Identifier (IID).  [RFC8064] formally
>    updated the original IPv6 IID selection mechanism to avoid generating
>    the IID from the MAC address of the interface (via EUI64), as this
>    potentially allowed for global tracking of a device at L3 from any
>    point on the Internet (note that the prefix part of the address
>    provides meaningful insights of the physical location of the device
>    in general, which together with the MAC address-based IID, made it
>    easier to perform global device tracking).
>
>
> The same can be said for IPv4 prefixes, they can be used to track the
> location.
>

[Carlos] True, we will try to adapt the text to mention that as well.


>
>    [RFC8981] identifies and describes the privacy issues associated with
>    embedding MAC stable addressing information into the IPv6 addresses
>    (as part of the IID).  It describes an extension to IPv6 Stateless
>    Address Autoconfiguration that causes hosts to generate temporary
>    addresses with randomized interface identifiers for each prefix
>    advertised with autoconfiguration enabled.  Changing addresses over
>    time limits the window of time during which eavesdroppers and other
>    information collectors may trivially perform address-based network-
>    activity correlation when the same address is employed for multiple
>    transactions by the same host.  Additionally, it reduces the window
>    of exposure of a host as being accessible via an address that becomes
>    revealed as a result of active communication.  These temporary
>    addresses are meant to be used for a short period of time (hours to
>    days) and would then be deprecated.  Deprecated addresses can
>    continue to be used for already established connections, but are not
>    used to initiate new connections.  New temporary addresses are
>    generated periodically to replace temporary addresses that expire.
>    In order to do so, a node produces a sequence of temporary global
>    scope addresses from a sequence of interface identifiers that appear
>    to be random in the sense that it is difficult for an outside
>    observer to predict a future address (or identifier) based on a
>    current one, and it is difficult to determine previous addresses (or
>    identifiers) knowing only the present one.  The main problem with the
>    temporary addresses is that they should not be used by applications
>    that listen for incoming connections (as these are supposed to be
>    waiting on permanent/well-known identifiers).  Besides, if a node
>
>
>
> Zuniga, et al.           Expires 23 August 2024                 [Page 8]
> 
> Internet-Draft     Randomized and Changing MAC Address     February 2024
>
>
>    changes network and comes back to a previously visited one, the
>    temporary addresses that the node would use will be different, and
>    this might be an issue in certain networks where addresses are used
>    for operational purposes (e.g., filtering or authentication).
>    [RFC7217], summarized next, partially addresses the problems
>    aforementioned.
>
>
> I am not sure I would say “The main problem with temporary addresses….”
>
> If you want to be reachable, then you need a stable address.    This isn’t
> a problem with temporary addresses.    Clients should use temporary
> addresses, servers should use stable addresses.  You can be reachable
> without some sort of stable identifier.
>

[Carlos] OK, we will slightly adapt the text to make it more precise along
the lines of your comment.


>    [RFC7217] describes a method to generate Interface Identifiers that
>    are stable for each network interface within each subnet, but that
>    change as a host moves from one network to another.  This method
>    enables keeping the "stability" properties of the Interface
>    Identifiers specified in [RFC4291], while still mitigating address-
>    scanning attacks and preventing correlation of the activities of a
>    host as it moves from one network to another.  The method defined to
>    generate the IPv6 IID is based on computing a hash function which
>    takes as input information that is stable and associated to the
>    interface (e.g., a local interface identifier), stable information
>    associated to the visited network (e.g., IEEE 802.11 SSID), the IPv6
>    prefix, and a secret key, plus some other additional information.
>    This basically ensures that a different IID is generated when any of
>    the input fields changes (such as the network or the prefix), but
>    that the IID is the same within each subnet.
>
>    Currently, [RFC8064] recommends nodes to implement [RFC7217] as the
>    default scheme for generating stable IPv6 addresses with SLAAC, to
>    mitigate the privacy threats posed by the use of MAC-derived IIDs.
>
>    In addition to the former documents, [RFC8947] proposes an extension
>    to DHCPv6 that allows a scalable approach to link-layer address
>    assignments where preassigned link-layer address assignments (such as
>    by a manufacturer) are not possible or unnecessary.  [RFC8948]
>    proposes extensions to DHCPv6 protocols to enable a DHCPv6 client or
>    a DHCPv6 relay to indicate a preferred SLAP quadrant to the server,
>    so that the server may allocate MAC addresses in the quadrant
>    requested by the relay or client.
>
>    Not only MAC and IP addresses can be used for tracking purposes.
>    Some DHCP options carry unique identifiers.  These identifiers can
>    enable device tracking even if the device administrator takes care of
>    randomizing other potential identifications like link-layer addresses
>    or IPv6 addresses.  [RFC7844] introduces anonymity profiles, designed
>    for clients that wish to remain anonymous to the visited network.
>    The profiles provide guidelines on the composition of DHCP or DHCPv6
>    messages, designed to minimize disclosure of identifying information.
>    [RFC7844] also indicates that the link-layer address, IP address, and
>    DHCP identifier shall evolve in synchrony.
>
>
> Just a comment, this section is titled "MAC randomization in IETF Protocol
> Standards”.  I wonder if the paragraph above is going beyond that.   It’s
> not only DHCP that has things that can be used for tracking.   Many of the
> higher level protocols such as used in the world wide web have things that
> are commonly used for tracking.  For example, “cookies”.
>
> Think about if this section is about MAC randomization” or if it is about
> the larger issue of tracking.   If the latter, there is a lot more to
> discuss.
>
> [Carlos] Fully agree. The rationale of this part of the text is that it
relates to the MAC addresses, as DHCP servers may make use of the MAC
address of the client to provide the same IP address. There are other
parameters that can also be used, and all this, including the binding
IP-MAC address generates a potential security threat related to tracking.
But of course, the goal of this section is not to discuss tracking in
general.

Thanks!

Carlos


>
>
> On Feb 20, 2024, at 11:18 PM, CARLOS JESUS BERNARDOS CANO <cjbc@it.uc3m.es>
> wrote:
>
> Hi Bob, all,
>
> We have just posted a new version addressing your comments.
>
> Thanks!
>
> Carlos
>
> On Sat, Jan 13, 2024 at 8:46 PM Bob Hinden <bob.hinden@gmail.com> wrote:
>
>> Thanks
>> Bob
>>
>>
>>
>> On Jan 12, 2024, at 12:33 PM, CARLOS JESUS BERNARDOS CANO <
>> cjbc@it.uc3m.es> wrote:
>>
>> Hi Bob,
>>
>> Sorry, I think I overlooked your previous comment. I'll update the draft
>> next week.
>>
>> Thanks!
>>
>> Carlos
>>
>> On Fri, Jan 12, 2024 at 1:38 AM Bob Hinden <bob.hinden@gmail.com> wrote:
>>
>>> I believe I made similar comments a while back.   Repeating myself.
>>>
>>> 6. MAC randomization-related activities at the IETF
>>>
>>> This title is ambiguous (and Section 4 and 5 the same problem).   “at
>>> the IETF” sounds like at an IETF meeting and “activities” isn’t clear.
>>> Protocols are not “activities”   This should be something like:
>>>
>>>           MAC randomization in IETF Protocol Standards
>>>
>>> The text in this section starts with:
>>>
>>> Several IP address assignment mechanisms such as the IPv6 stateless
>>> autoconfiguration techniques (SLAAC) [RFC4862] generate the Interface
>>> Identifier (IID) of the address from its MAC address (via EUI64), which
>>> then becomes visible to all IPv6 communication peers. This potentially
>>> allows for global tracking of a device at L3 from any point on the
>>> Internet. Besides, the prefix part of the address provides meaningful
>>> insights of the physical location of the device in general, which together
>>> with the MAC address-based IID, makes it easier to perform global device
>>> tracking.
>>>
>>>
>>> This is wrong and out dated.   RFC 8064 "Recommendation on Stable IPv6
>>> Interface Identifiers” published in 2017 formally updated IPv6 IID
>>> selection to prefer RFC 7217 IIDs and recommends against embedding stable
>>> link-layer address in IPv6 IIDS.
>>>
>>> This section needs a serious rewrite.
>>>
>>> Today, I also noted in third paragraph of this section a reference to
>>> [RFC4191].  The text is:
>>>
>>> [RFC4191] identifies and describes the privacy issues associated with
>>> embedding MAC stable addressing information into the IPv6 addresses (as
>>> part of the IID) and describes some mechanisms to mitigate the associated
>>> problems.
>>>
>>>
>>> RFC4191 is "Default Router Preferences and More-Specific Routes”.  This
>>> has nothing to do with embedding MAC stable addresss.
>>>
>>> Bob
>>>
>>>
>>> On Jan 11, 2024, at 3:02 AM, internet-drafts@ietf.org wrote:
>>>
>>> Internet-Draft draft-ietf-madinas-mac-address-randomization-10.txt is now
>>> available. It is a work item of the MAC Address Device Identification for
>>> Network and Application Services (MADINAS) WG of the IETF.
>>>
>>>   Title:   Randomized and Changing MAC Address state of affairs
>>>   Authors: Juan Carlos Zuniga
>>>            Carlos J. Bernardos
>>>            Amelia Andersdotter
>>>   Name:    draft-ietf-madinas-mac-address-randomization-10.txt
>>>   Pages:   18
>>>   Dates:   2024-01-11
>>>
>>> Abstract:
>>>
>>>   Internet privacy has become a major concern over the past few years.
>>>   Users are becoming more aware that their online activity leaves a
>>>   vast digital footprint, that communications are not always properly
>>>   secured, and that their location and actions can be easily tracked.
>>>   One of the main factors for the location tracking issue is the wide
>>>   use of long-lasting identifiers, such as MAC addresses.
>>>
>>>   There have been several initiatives at the IETF and the IEEE 802
>>>   standards committees to overcome some of these privacy issues.  This
>>>   document provides an overview of these activities, with the intention
>>>   to inform the technical community about them, and help coordinate
>>>   between present and future standardization activities.
>>>
>>> The IETF datatracker status page for this Internet-Draft is:
>>>
>>> https://datatracker.ietf.org/doc/draft-ietf-madinas-mac-address-randomization/
>>>
>>> There is also an HTMLized version available at:
>>>
>>> https://datatracker.ietf.org/doc/html/draft-ietf-madinas-mac-address-randomization-10
>>>
>>> A diff from the previous version is available at:
>>>
>>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-madinas-mac-address-randomization-10
>>>
>>> Internet-Drafts are also available by rsync at:
>>> rsync.ietf.org::internet-drafts
>>>
>>>
>>> --
>>> Madinas mailing list
>>> Madinas@ietf.org
>>> https://www.ietf.org/mailman/listinfo/madinas
>>>
>>>
>>> --
>>> Madinas mailing list
>>> Madinas@ietf.org
>>> https://www.ietf.org/mailman/listinfo/madinas
>>>
>>
>>
>

v2.23.0 | Report a Bug | By Email