Re: [v6ops] Benjamin Kaduk's No Objection on draft-ietf-v6ops-cpe-slaac-renum-07: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Fri, 26 February 2021 02:20 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A14AA3A15D3; Thu, 25 Feb 2021 18:20:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t69Bka0GPrce; Thu, 25 Feb 2021 18:20:39 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC0D23A15D0; Thu, 25 Feb 2021 18:20:38 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 11Q2KRUH021482 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 25 Feb 2021 21:20:33 -0500
Date: Thu, 25 Feb 2021 18:20:27 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Fernando Gont <fgont@si6networks.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-v6ops-cpe-slaac-renum@ietf.org, v6ops-chairs@ietf.org, v6ops@ietf.org, Owen DeLong <owen@delong.com>
Message-ID: <20210226022027.GZ21@kduck.mit.edu>
References: <161411841162.993.9337833948854729986@ietfa.amsl.com> <2f375954-aae1-8089-c59c-f575d2ef8dde@si6networks.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <2f375954-aae1-8089-c59c-f575d2ef8dde@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/GI5p7v1bqY7Ly6EJijoTurD8Png>
Subject: Re: [v6ops] Benjamin Kaduk's No Objection on draft-ietf-v6ops-cpe-slaac-renum-07: (with COMMENT)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2021 02:20:41 -0000
On Thu, Feb 25, 2021 at 05:27:36PM -0300, Fernando Gont wrote: > Hello, Ben, > > Thanks a lot for our comments! In-line.... > > On 23/2/21 19:13, Benjamin Kaduk via Datatracker wrote: > [....] > > Section 3 > > > > o WPD-10: CE Routers MUST by default use a stable IAID value that > > does not change between CE Router restarts, DHCPv6 client > > restarts, or interface state changes. e.g., Transient PPP > > interfaces. See Section 3.2 for further details. > > > > The text in Section 3.2 goes into a bit more detail to clarify that this > > is basically a pre-existing requirement from RFC 8415, but the short > > text here is easy to misread as imposing a requirement to use a stable > > persistent identifier, which would have lousy privacy properties. RFC > > 8415 does acknowledge this issue to some extent, but the most applicable > > text about it seems to be in Section 4.5 of RFC 7844, that clarifies > > that the IAID needs to be consistent for the association *as long as the > > link-layer address remains constant*, which is a very natural scope and > > consistent with best practices for simultaneously changing identifiers > > at different layers when needed for privacy improvement. > > You're right that if the CE Router changes its link-layer address, it's > probably because it's trying to its identity, and hence the IAID should > also change. > > (FWIW, to a large extent we phrased the text as is because I know of no > CE Router that randomizes it's link-layer address, so in practice it > would result in the same thing). Not surprisingly, I'm keen to improve > the specification of this numeric id ;-), so how about: > > o WPD-10: CE Routers MUST by default use an IAID > value on the WAN-side that does not change between CE Router > restarts, DHCPv6 client restarts, or interface state changes > (e.g., Transient PPP interfaces), as long as the underlying > link-layer address (if any) does not change.. See Section 3.2 > for further details. > > > Or maybe: > o WPD-10: CE Routers MUST by default use a WAN-side IAID > value that is stable between CE Router > restarts, DHCPv6 client restarts, or interface state changes > (e.g., Transient PPP interfaces), as long as the underlying > link-layer address (if any) does not change.. See Section 3.2 > for further details. The thread has continued and I think has gotten into enough details that I don't know much about that my insight will not be very valuable. About the only contribution I might make is that a construction of the form "MUST by default behave such that [list of things] or behave according to RFC 7844" might be a little easier to read, since it's a choice rather than a primary behavior and exception. > > > > > It would be > > great if we could spend a few words here to clarify that this is not a > > permanent identifier that could be abused for tracking, perhaps "(Per > > [RFC8415] it is still expected to change when the link-layer address > > changes.)", though I was hoping to have something shorter. > > Is it? There doesn't seem to be such provision in RFC8415. And RFC7844 > is really an opt-in... My mistake; I think that was sloppy writing from me here and I meant to say something like "still permitted to change". > > > > Additionally, while RFC 8415 is clear that the IAID is assigned by the > > client, this text might benefit from noting (e.g.) which interface it is > > used on, since the CE router will often be on both ends of different > > DHCPv6 exchanges. > > You mean like the "WAN-side" text above? Exactly! Thanks, Ben
- [v6ops] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [v6ops] Benjamin Kaduk's No Objection on draf… Fernando Gont
- Re: [v6ops] Benjamin Kaduk's No Objection on draf… Bernie Volz (volz)
- Re: [v6ops] Benjamin Kaduk's No Objection on draf… Fernando Gont
- Re: [v6ops] Benjamin Kaduk's No Objection on draf… Bernie Volz (volz)
- Re: [v6ops] Benjamin Kaduk's No Objection on draf… Fernando Gont
- Re: [v6ops] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk
- Re: [v6ops] Benjamin Kaduk's No Objection on draf… Fernando Gont
- Re: [v6ops] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk