Re: [v6ops] Some questions on draft-rafiee-v6ops-iid-lifetime

"Fred Baker (fred)" <fred@cisco.com> Sat, 26 October 2013 07:37 UTC

Return-Path: <fred@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE1F111E8214 for <v6ops@ietfa.amsl.com>; Sat, 26 Oct 2013 00:37:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.209
X-Spam-Level:
X-Spam-Status: No, score=-110.209 tagged_above=-999 required=5 tests=[AWL=-0.210, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mir3xKRIh8Nu for <v6ops@ietfa.amsl.com>; Sat, 26 Oct 2013 00:37:12 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id D906111E816F for <v6ops@ietf.org>; Sat, 26 Oct 2013 00:37:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6025; q=dns/txt; s=iport; t=1382773023; x=1383982623; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=bbCzzv7db0M337sy+B6HtAPrIpynGO0W60gOwz1RZYY=; b=de5SI/DnnExYXhDVc3kFDi1wnNbjg77TMKUH9f5wOJGmA0Ia4gQjLMkJ N2dyjo0W4430XyM85pSHS0xGrqjOOD7J/NvOi2P0pTCdV5aJEK4ikgjck /rx/X8yF5zt2BXw1Rc4xo8u6Jba/ZanRKVOe6p8Rt/vYHOAhipqka4ydE o=;
X-Files: signature.asc : 195
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgQFAH5wa1KtJV2d/2dsb2JhbABZgwc4VL5OgR4WdIIlAQEBAwFuCwULAgEIDhQkMiUCBA4FCAYLh2gGDbh8jyQxB4MfgQ0DkC2BMIdckFiDJoIq
X-IronPort-AV: E=Sophos; i="4.93,575,1378857600"; d="asc'?scan'208"; a="276975794"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-3.cisco.com with ESMTP; 26 Oct 2013 07:37:02 +0000
Received: from xhc-rcd-x03.cisco.com (xhc-rcd-x03.cisco.com [173.37.183.77]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id r9Q7b2iv003747 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 26 Oct 2013 07:37:02 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.23]) by xhc-rcd-x03.cisco.com ([173.37.183.77]) with mapi id 14.02.0318.004; Sat, 26 Oct 2013 02:37:01 -0500
From: "Fred Baker (fred)" <fred@cisco.com>
To: Hosnieh Rafiee <ietf@rozanak.com>
Thread-Topic: Some questions on draft-rafiee-v6ops-iid-lifetime
Thread-Index: AQHO0h4ohu+AJDz6okWKOgIP4IJSIw==
Date: Sat, 26 Oct 2013 07:37:00 +0000
Message-ID: <8C48B86A895913448548E6D15DA7553BA7B7F4@xmb-rcd-x09.cisco.com>
References: <201310221245.r9MCj1n09532@ftpeng-update.cisco.com> <008901ced1d5$434e5790$c9eb06b0$@rozanak.com>
In-Reply-To: <008901ced1d5$434e5790$c9eb06b0$@rozanak.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.61.201.55]
Content-Type: multipart/signed; boundary="Apple-Mail=_87E66DB0-43BA-4652-9ACA-510E29FF90DF"; protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0
Cc: "6man-chairs@tools.ietf.org" <6man-chairs@tools.ietf.org>, "v6ops@ietf.org WG" <v6ops@ietf.org>, "v6ops-chairs@tools.ietf.org" <v6ops-chairs@tools.ietf.org>, Erik Nordmark <nordmark@sonic.net>
Subject: Re: [v6ops] Some questions on draft-rafiee-v6ops-iid-lifetime
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Oct 2013 07:37:17 -0000

Thanks.

Question for you. What is the interaction with draft-gont-6man-deprecate-eui64-based-addresses? In conversation with him there, you asked if he would be folding your draft into his and therefore making yours redundant. Does he plan to? If he does, it may be appropriate for you to become a co-author on that paper.

My sense, which could be completely incorrect, is that the exact value of the IID isn't all that interesting to most operators, as once it is in use nobody really cares how it was chosen. Duplicate IIDs in use would be a problem, so DAD is important. The means by which it is assigned is interesting (some operators require SLAAC, some use DHCPv6 but permit SLAAC, some require DHCPv6, and some assign IIDs to their servers or to routers for BGP purposes). Duplicate IIDs in use would be a problem, so DAD is important operationally if SLAAC is in use, and in DSL and Cable networks the behavior of DAD in their transmission systems is "interesting". The number of addresses that are in actual use at a given time (and therefore neighbor slots that are in use) is operationally interesting in that it affects and is affected by table capacity, and can therefore be an attack vector. The bits in the IID and the mechanism by which they are generated is, however, very important to 6man, which defines SLAAC. From that perspective, the paper may be of interest in 6man.

I'm looking, as always, for operational feedback on the list. But that's my initial thought.

On Oct 26, 2013, at 12:55 AM, Hosnieh Rafiee <ietf@rozanak.com>
 wrote:

> Hi Fred,
> 
> Actually the content of this draft
> (http://tools.ietf.org/html/draft-rafiee-v6ops-iid-lifetime )  was presented
> in IETF 87 as a part of ra-privacy. Some people during that meeting thought
> that it is better to make this draft more generate and separate it from
> ra-privacy;  http://tools.ietf.org/html/draft-rafiee-6man-ra-privacy  (this
> draft also does nothing with security and it address the problems with RFC
> 4941 and also deprecating EUI-64 in RFC 4941.  The draft "deprecated IID"
> that is new and contain most of the section that is already explained in
> ra-privacy could improve this existing draft)
> 
> So, iid lifetime draft, as you already know, does nothing with security but
> it is a way of maintaining privacy and try to avoid sacrificing user's
> connectivity in IPv6 networks. This draft, first, compares the current
> mechanisms available for the lifetime of an IID and then offer a new
> mechanism for the mentioned purpose (privacy and connectivity)
> 
>> 
>> 1) Please provide a succinct problem statement for your draft. What
>> problem/issue is this draft discussing? What operational problems does the
>> proposal address in real life networks?
> 
> We tried to have a short problem statement at the end of Introduction. But
> we are open to suggestions if you or anybody else think that there is  a
> need for expanding this section.
> 
>> 
>> 2) Where does this draft or presentation fits into v6ops' current charter
>> (http://datatracker.ietf.org/wg/v6ops/charter/)? Citing specific a
> section(s)
>> of the charter is preferable.
> 
> It might fit to number 4 and the rest of the explanation. Why we think it
> can fit? It is because IPv6 addresses are public and at least at the moment
> our computer connect to internet using its own unique IP address. I guess
> this will open new issues for privacy and security. The reason is the
> initial attack on node's security and privacy is to recon the node. So, when
> your node has a fix IID, then the attacker has better possibility to attack
> this node. 
> Now the purpose of this draft is only to give information to the
> implementers that they can improve the privacy and security of their
> mechanisms. It also provide a way for privacy-aware-applications to use a
> same framework which can also control the total number of IID and not
> generate the IID themselves. 
> This means they do not need to have any information about IP layer while at
> the same time they can ensure their users that their application is
> privacy-aware
> 
>> 3) Who is this draft's audience?
> 
> Privacy-aware implementers
> 
>> 4) Have any operators expressed interest in this draft or its problem
> space,
>> either via review or other discussion?
> 
> I guess I have already answered this 
> 
>> 5) Is this draft pursuing discussion in any other WGs? If so, please list
> them
>> here, along with rationale for the interaction with multiple WGs in
> parallel.
> 
> Please check the recordings of ra-privacy (lifetime section) and the mailing
> list discussion about ra-privacy after IETF 87
> 
> 
>> 6) Is any protocol work being recommended in the draft?
> 
> It is actually in informational track that gives the choice for
> implementers. I am also in the process of implementing it for Linux. 
> 
> Thank you again,
> -----------smile----------
> Hosnieh
> . success is a journey, not a destination..
> You cannot change your destination overnight, but you can change your
> direction ... Focus on the journey
> 
>