Re: [v6ops] Are we competitive?

Tom Herbert <tom@herbertland.com> Mon, 15 August 2022 15:28 UTC

From: Tom Herbert <tom@herbertland.com>
Date: Mon, 15 Aug 2022 08:27:55 -0700
Message-ID: <CALx6S35S+ZxsuSsC2EhwRXNR0Huis=QcZXhgOWvEcJWYTXSs3A@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: Clark Gaylord <cgaylord@vt.edu>, Gert Doering <gert@space.net>, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>, David Farmer <farmer=40umn.edu@dmarc.ietf.org>, IPv6 Operations <v6ops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/xH9A-uaVKldn_EIIuFV7El4lUrc>

On Mon, Aug 15, 2022 at 7:30 AM Fernando Gont <fgont@si6networks.com> wrote:
>
> On 15/8/22 07:35, Clark Gaylord wrote:
> > Hiding a random 64 bit number??
>
> Please note:
>
> 1) The traditional SLAAC IID wasn't random, but rather the underlying
>     MAC address.
>
> 2) Windows picks a randomized but otherwise *constant* IID -- so, for
>     most practical purposes, it doesn't matter much whether it's random
>     or not -- because it's constant.
>
> 3) With RFC7217, the IIDs are random (but stable) -- by design. RFC8981
>     makes IIDs that vary over time -- but a) they may be stable for "long
>     enough", and b) enterprises generally disable temporary addresses
>
> 4) With DHCPv6, whether the number is random or not depends on the
>     DHCPv6 server implementation. And there is no formal requirement
>     (IIRC) for the IIDs to be randomized... and even less for the address
>     pool to be a /64.
>
> 5) It doesn't matter how the number was selected. If the attacker can
>     learn the number, and use it for the necessary period of time (which,
>     with automated tools can be a really short period of time), you're
>     probably better off not leaking this number.
>

Fernando,

The moment someone connects to an external host on the Internet, such a
number is leaked. For instance, if an attacker has access to an
Internet server with a user login, they would have the mapping from
address to user PII. With that information, they could cross-correlate
unrelated intercepted traffic with the same address as being
attributed to the same user. If the address times out, then it's
likely that the application would log in again to the server, so the
user's address is still compromised.

For real, quantifiable privacy in Internet addressing, we need to give
each connection its own unique pseudo-random address. If there are
enough users behind a CGNAT this is effectively achieved. To get this
without NAT, I have proposed
draft-herbert-ipv6-prefix-address-privacy.

Tom

> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
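As an added illustration of Fernando's points 3 and 5 and of the cross-correlation Tom describes (example code written for this archive page, not from either poster or from any RFC), the block below derives an RFC 7217-style stable IID and contrasts it with a fresh per-connection IID, then checks whether a login server's address-to-user mapping lets an observer attribute an unrelated flow. HMAC-SHA256 is this example's choice for the RFC 7217 function F (the RFC only requires a PRF), and every prefix, interface name, network identifier and log entry is constructed.

```python
import hashlib
import hmac
import ipaddress
import os
from collections import defaultdict

def rfc7217_iid(prefix: str, net_iface: str, network_id: str, dad_counter: int, secret_key: bytes) -> int:
    """RFC 7217 stable IID: F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key),
    truncated to 64 bits. Same inputs give the same IID; a different Network_ID gives
    an unrelated one. HMAC-SHA256 as F is this example's assumption, not RFC text."""
    data = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    data += net_iface.encode() + network_id.encode() + dad_counter.to_bytes(1, "big")
    digest = hmac.new(secret_key, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")

def per_connection_iid() -> int:
    """A fresh pseudo-random 64-bit IID for each connection (the property Tom argues for)."""
    return int.from_bytes(os.urandom(8), "big")

def make_address(prefix: str, iid: int) -> str:
    """Place a 64-bit IID under a /64 prefix and render the full IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) + iid))

def link_by_address(login_log, flow_log):
    """Observer model from the thread: an address->user mapping learned at a login server
    is applied to unrelated traffic seen with the same source address."""
    owner = {addr: user for addr, user in login_log}
    linked = defaultdict(list)
    for addr, dst in flow_log:
        if addr in owner:
            linked[owner[addr]].append(dst)
    return dict(linked)

def demo():
    prefix, key = "2001:db8:1::/64", b"constructed-secret-key"   # constructed values
    # Stable IID: the login server and the intercepted flow see the same address.
    stable = make_address(prefix, rfc7217_iid(prefix, "wlan0", "home-ssid", 0, key))
    login_log = [(stable, "alice")]                # constructed: server's address->user record
    flow_log = [(stable, "mail.example.net")]      # constructed: unrelated intercepted flow
    linked_stable = link_by_address(login_log, flow_log)
    # Per-connection IID: each connection carries its own address, so nothing carries over.
    login_log = [(make_address(prefix, per_connection_iid()), "alice")]
    flow_log = [(make_address(prefix, per_connection_iid()), "mail.example.net")]
    linked_fresh = link_by_address(login_log, flow_log)
    return linked_stable, linked_fresh
```

With a stable IID the observer attributes the mail flow to alice; with per-connection IIDs the login-server mapping yields nothing, which is the distinction the two posters are debating.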