IETF Logo Mail Archive

Re: [Madinas] Call for adoption: draft-henry-madinas-framework

Hai Shalom <haishalom@google.com> Wed, 26 January 2022 03:29 UTC

Return-Path: <haishalom@google.com>
X-Original-To: madinas@ietfa.amsl.com
Delivered-To: madinas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D67563A1EBD for <madinas@ietfa.amsl.com>; Tue, 25 Jan 2022 19:29:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3dSX5bp2t_47 for <madinas@ietfa.amsl.com>; Tue, 25 Jan 2022 19:29:16 -0800 (PST)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE2323A1EBA for <madinas@ietf.org>; Tue, 25 Jan 2022 19:29:15 -0800 (PST)
Received: by mail-lf1-x134.google.com with SMTP id x23so13548036lfc.0 for <madinas@ietf.org>; Tue, 25 Jan 2022 19:29:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LXh7eCzjlCuJTL4G9K2fzFCoY/rfR1Sw6mDAhPNJF4w=; b=gdcZgo7bkTPulYxEZfmlJVrqNuRFXA7Cn2xOQDs/CISNzqXZgiZpR/lt6RqV7MiM8K m57M0HVdscajqRc7i+uQGvrzsXQbST70R9tt/MGCzQ8nohEEtxV/DBJdDTIh+On55KSR y7B/8SOpbbXE84N2bpep17zAUOBuOYQokPwKj7gLIaXFDPgt7g7DKC0/7GJ84rQvm2yx fL9NEWkmPRzO0oNCXaJzNkskK52C8ziIhue0SvnI6BInFYW8nmk89Hudm1cHsDGKqvGo Rqik5SWRAkSJk2xD4AKT8AKlYYkrdB9DgNcHqPukiGaWki2vnXUdfAeHAlLylZaCWsSV YHoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LXh7eCzjlCuJTL4G9K2fzFCoY/rfR1Sw6mDAhPNJF4w=; b=eg1SIo/BojkYPJ0XCpiY9pDZsdajzQ4I2aeFaFi2Y3i2X6w8unh7Ao/yJHslvXxeDO xPqXMJzDSHo8xUxS2PSrz8JDh0RQl544etHaM/QmJfhc9qQd1Br+sty0osEjXaqkjItd nCVkaxHEeJZEsbyxlcrlh/Iyx+3PwCSS6uu/MptBusileCzN7+Xpw13/ASR/XUdMXTjk 6hLzMJo9NN6L7e74rGnBUxYTzwA62DDxgcCIu8aQfFo/cuV8LDGC96tM5Hs/EGfXkVMh 5tB6r9ugTIAZqxDuntgSJdfqy7fCGwwJXMM4f4pc/uB/pHWxOpBeQb4Jb4nz7/M1ZCfq iAUQ==
X-Gm-Message-State: AOAM531/A9T9uL+kdwDBkko73e7ake5GNu8HmEqvk1Ica++uKPuNTwDw wD8QtBtHkcqA1pO0ord/QLzPC/64GPwox8yCDXkmHQ==
X-Google-Smtp-Source: ABdhPJytT0RA0s7Uv+tv18QoqGmcrYuC1rvEB+FUEw7qxV+fc9arVRRwkejTQ8QLs/kgQKyYDlen88/KsBbyMcF3H38=
X-Received: by 2002:a05:6512:20c4:: with SMTP id u4mr17455452lfr.620.1643167752789; Tue, 25 Jan 2022 19:29:12 -0800 (PST)
MIME-Version: 1.0
References: <DB7PR08MB3179129EAD3F2D06ACC9AFD989939@DB7PR08MB3179.eurprd08.prod.outlook.com> <CALypLp82AHck84BVZ4Hfybdi5pnFcBcyFpDaP8i+p76g3izKSw@mail.gmail.com>
In-Reply-To: <CALypLp82AHck84BVZ4Hfybdi5pnFcBcyFpDaP8i+p76g3izKSw@mail.gmail.com>
From: Hai Shalom <haishalom@google.com>
Date: Tue, 25 Jan 2022 19:28:36 -0800
Message-ID: <CADrZi0dkAN_fYHZdTiD2524cnfN+8Qw2RvaDe+TixtwDYk4Azw@mail.gmail.com>
To: CARLOS JESUS BERNARDOS CANO <cjbc@it.uc3m.es>
Cc: Juan Carlos Zuniga <juancarlos.zuniga@sigfox.com>, Juan Carlos Zuniga <j.c.zuniga@ieee.org>, "madinas@ietf.org" <madinas@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003699e805d673ce7d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/madinas/zbmy867wzVOwjtVqZ-iqibRRLdg>
Subject: Re: [Madinas] Call for adoption: draft-henry-madinas-framework
X-BeenThere: madinas@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: MAC Address Device Identification for Network and Application Services <madinas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/madinas>, <mailto:madinas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/madinas/>
List-Post: <mailto:madinas@ietf.org>
List-Help: <mailto:madinas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/madinas>, <mailto:madinas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jan 2022 03:29:21 -0000

I apologize, but I do not follow this working group due to time zone
differences. However, I would like to comment about the following comments,
thanks in advance for your time and consideration!

In other contexts, operators assign network resources based
>    on contractual conditions (e.g., fee, bandwidth fair share).  In
>    these scenarios, these operators may attempt to identify the devices
>    and the users of their networks.  They can use the MAC address to
>    represent an identified device.
>
>
I believe that such operators are aware that this is a "happy accident" and
that associating liability and payments to a weak identifier that can be
easily spoofed was already a flawed concept, even before RCM was
introduced. RCM just expedited this realization. Shouldn't the text
recommend other means, or point to current activities in IEEE that are
trying to solve it?

   In wireless contexts, 802.1X authenticators rely on the device and
>    user identity validation provided by a AAA server to open their port
>    to data transmission.  The MAC address is used to verify that the
>    device is in the authorized list, and the associated key used to
>    decrypt the device traffic.  A change in MAC address causes the port
>    to be closed to the device data traffic until the AAA server confirms
>    the validity of the new MAC address.  Therefore, MAC rotation can
>    interrupt the device traffic, and cause a strain on the AAA server.
>
>
This is only true if the device rotates its MAC address during an active
session, but current 802.11 text specifies that in order to keep the state
of a session, a non-AP STA shall keep its MAC address. So it looks like
this text is irrelevant because this will never happen while the device is
connected. If it does happen, the specs will define a secure way for a
non-AP STA to communicate with the AP STA about the change.

DHCP servers, without a unique identification of the device, lose
>    track of which IP address is validly assigned. ....
>
>
The text abstract says "this document examines solutions to maintain user
privacy...". It can recommend short leases to requests that come from the
wireless LAN interface (although MAC addresses can be changed by stationary
devices). Was the intention of this text to just specify issues?

device recognition and ranging may be
>    used for IoT-related functionalities (door unlock, preferred light
>    and temperature configuration, etc.)  These functions often rely on
>    the detection of the device wireless MAC address.  MAC address
>    rotation breaks the services based on such model.
>
>
Using MAC addresses to range devices and implement security operations is
something that should not be mentioned or encouraged, other than explaining
what NOT to do. If a door lock unlocks by detecting a MAC address presence
in the area getting closer - this is considered a critical security
vulnerability, so saying "often rely" on MAC address is not true. There are
new standards that are being worked on to solve these problems in a secure
way.

For example: a Home network is considered to be trusted and safe.
>    Users expect a simple procedure to connect to their home network.
>    All devices in the home network trust each other.  Privacy within the
>    Layer 2 domain is not a major concern.
>
>
I agree that this is the perception of the non-technical, naive user.
However, this text ignores the fact that the RF is not confined to the
walls of the structure, such that an attacker can detect the presence of a
particular device in the home at any given time (e.g. can detect when a
person leaves for work while waiting hidden in an adjacent apartment).
Additionally, IoT devices that use constant OUIs allow attackers to deploy
attacks on known vulnerabilities of particular devices, and detect if they
are offline (e.g. the doorbell is offline, so someone can now approach the
front door without being detected). So while the trust in the network is
high, the network is not immune from privacy related issues, and this is
not reflected in table 1 (or in "Trust" of the network).

And last word about address collisions: 1 in 2^46. So even in a crowded
airport, the probability is negligible.

Thanks in advance.

- Hai


On Thu, Jan 20, 2022 at 2:46 AM CARLOS JESUS BERNARDOS CANO <cjbc@it.uc3m.es>
wrote:

> Dear all,
>
> Based on the comments received, we declare consensus in
> adopting draft-henry-madinas-framework-03 as MADINAS WG document.
>
> Based on the discussion, can you please consider updating the name of the
> draft to better reflect its content and purpose?
>
> Authors, please submit this as draft-ietf-madinas-***-00
>
> Thanks,
>
> Carlos and Juan-Carlos
> MADINAS chairs
>
>
> On Wed, Nov 10, 2021 at 2:56 PM Juan Carlos Zuniga <
> juancarlos.zuniga@sigfox.com> wrote:
>
>> Dear all,
>>
>>
>>
>> Confirming what was said at the meeting, we are starting a Call for
>> Adoption of
>> https://datatracker.ietf.org/doc/html/draft-henry-madinas-framework-03
>>
>>
>>
>> Please let us know if you support or oppose the adoption. Likewise,
>> please let us know if you have any comments or suggestions.
>>
>>
>>
>> Best,
>>
>>
>>
>> Juan-Carlos & Carlos
>>
>> MADINAS chairs
>>
>>
>>
>> Your privacy is important to us. Please see our Privacy Notice
>> <https://www.sigfox.com/en/privacy-and-cookies-policy> for further
>> details. The information contained in this Message is confidential. If you
>> are not the addressee, you may not copy, forward, disclose or use any part
>> of it. If you have received this Message in error, please delete it and all
>> copies from your system and notify the sender immediately by return
>> message. Any use of information contained in this Message not in accordance
>> with its intended purpose, any dissemination or disclosure (either whole or
>> partial), is prohibited unless expressly authorized. Email communication
>> cannot be guaranteed to be timely secure, error or virus-free. The sender
>> cannot be held responsible for any alteration, errors or omissions, which
>> arise as a result.
>>
>>
>> ..................................................................................................................
>>
>> La protection de vos données personnelles est primordiale pour notre
>> établissement. Merci de consulter notre notice sur la protection des
>> données personnelles
>> <https://www.sigfox.com/en/privacy-and-cookies-policy>pour plus
>> d’informations. Ce message et toutes les pièces jointes (ci-après le
>> 'Message') sont établis à l'intention exclusive des destinataires. Les
>> informations qui y figurent sont confidentielles. Si vous n'êtes pas le
>> destinataire de ce Message, il vous est interdit de le copier, de le faire
>> suivre, de le divulguer ou d'en utiliser tout ou partie. Si vous avez reçu
>> ce Message par erreur, merci de le supprimer de votre système, ainsi que
>> toutes ses copies, et de n'en garder aucune trace sur quelque support que
>> ce soit. Veuillez également en avertir immédiatement l'expéditeur par
>> retour du Message. Toute utilisation de ce Message non conforme à sa
>> destination, toute diffusion ou toute publication totale ou partielle, est
>> interdite sauf autorisation expresse. Il est impossible de garantir que les
>> communications par messagerie électronique arrivent en temps utile, soient
>> sécurisées ou dénuées de toute erreur ou virus. L'expéditeur ne peut être
>> tenu responsable des modifications, erreurs ou omissions qui pourraient en
>> résulter.
>>
>> --
> Madinas mailing list
> Madinas@ietf.org
> https://www.ietf.org/mailman/listinfo/madinas
>

v2.23.0 | Report a Bug | By Email