IETF Logo Mail Archive

Re: [v6ops] Device ID [Why should IP networks be different? [DHCP Option 108 Issue with Mac and iOS devices]]

Daryll Swer <contact@daryllswer.com> Wed, 03 January 2024 07:25 UTC

Return-Path: <contact@daryllswer.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 935A4C14CF1A for <v6ops@ietfa.amsl.com>; Tue, 2 Jan 2024 23:25:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=daryllswer.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9-XySyiS_4Qr for <v6ops@ietfa.amsl.com>; Tue, 2 Jan 2024 23:25:42 -0800 (PST)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01D39C14CEFA for <v6ops@ietf.org>; Tue, 2 Jan 2024 23:25:41 -0800 (PST)
Received: by mail-pl1-x62a.google.com with SMTP id d9443c01a7336-1d3f8af8297so36477705ad.2 for <v6ops@ietf.org>; Tue, 02 Jan 2024 23:25:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=daryllswer.com; s=google; t=1704266741; x=1704871541; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=BNspTlNKc82gJIwcgDb5Suet2muG1eGLpsqeEeUcj0M=; b=Uh64c4zSld/R/co/TuJE0CtFSY3arXik5AypEpZV5CvhPSsQOxVmhgPp+AyNTznIqb yarLWUU/bQpJnU5ZLkDY1O+AIUFVf3JwG6E/k+hI1KEaT2eiA74OmORSzC0GXPpelOAt zGOT1aM3qZ7pnSp2OuK8b/3R8Ot0+6iMCxSYkE2wDK520bAoWNoda7EUu9rIfzfCT8BX 8MLTBOOdHAOR+wg/aMP8gZTt0S/y+PdQSjp3ZLMuA31ATfNFXfwCArxTPO7Bc4teOu7Q iHTeeLZ4ucYTQ6oLVb7btVM8IwcK3zd8lZJ6WF5lrPCJqJNwnUgJAIyw2PGfWpfqPX7h b5Dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704266741; x=1704871541; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=BNspTlNKc82gJIwcgDb5Suet2muG1eGLpsqeEeUcj0M=; b=TAI/dj12KP9dwrBQnVuhw3GCRYXexjgWYsp7PO5skqStUOnHGoLbyIoUEidZyUChPi TVa3XmD91XGmVzok06LEwk3ny520YaI2ujBueEr9lUAP37vwIYt9ibcaSuFDmkH5iA66 UWWTQ7erZHYCfP6Mg3Aq1/6eMQ6wXK2VEKuet+9sudr8/gcm4gYTtqkfQnBioJxkcZl9 U9axsonaI+asIRYlIcHwLFg6Ob+/kKcrtlh16xd2esXNUkqbZs+pg36f6FLqPDYLPR3O BHdrwTiF8PvzYL7ruJwj/mq4/h2wCjpW4KpJURzMhBMW3AyHJAcT4iPa6gCLBEbrlsjl S2gg==
X-Gm-Message-State: AOJu0Yyi6AlTxBxTUV410dNJwBVmAOmbGg7XtZl0M/65yDjbEa19Y1rw 3eXT5kxw15AjF/xaZO+57HCTHooPqiBsDnVfhL8FEJo/cX+9Yl5C
X-Google-Smtp-Source: AGHT+IHPelt49KhnQHdeIwi6n6PtOXni68M9AiAbfJJkkThPnNk0KPnZqGjOBgoftK99A6kln8d7cA==
X-Received: by 2002:a17:902:d50d:b0:1d4:2c5e:c3cc with SMTP id b13-20020a170902d50d00b001d42c5ec3ccmr8971848plg.132.1704266741084; Tue, 02 Jan 2024 23:25:41 -0800 (PST)
Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com. [209.85.210.177]) by smtp.gmail.com with ESMTPSA id jm7-20020a17090304c700b001d3e6f58e5esm22998614plb.6.2024.01.02.23.25.40 for <v6ops@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Jan 2024 23:25:40 -0800 (PST)
Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-6d98f6e8de1so3193438b3a.0 for <v6ops@ietf.org>; Tue, 02 Jan 2024 23:25:40 -0800 (PST)
X-Received: by 2002:aa7:8892:0:b0:6d9:ce7d:d48a with SMTP id z18-20020aa78892000000b006d9ce7dd48amr6346258pfe.27.1704266740115; Tue, 02 Jan 2024 23:25:40 -0800 (PST)
MIME-Version: 1.0
References: <8e5c38d1-b945-d727-12ad-2d32cb279c4f@gmail.com> <1A286541-4F15-40BE-BEBE-F339581E558F@delong.com> <CAPt1N1=+igiKPUwduqAGnGaS=pHAtUVFo4NdFRK2TK_j8d7=Cw@mail.gmail.com> <CACMsEX_PgTJX-inSAaHpp-zXVZG3keEg3mSAXQN+dcdjUTHRZw@mail.gmail.com> <CAO42Z2x--GtFadro=2eDeTBFtRveQjrC_QHaO2vzjVS=3SEAmQ@mail.gmail.com> <CACMsEX-Edawhq6yeG6MThTuVSn91qoVP5Yczi_+awUCi+4uUfA@mail.gmail.com> <141dce3e-55d8-0b62-6dbc-2ccc9add4e05@gmail.com>
In-Reply-To: <141dce3e-55d8-0b62-6dbc-2ccc9add4e05@gmail.com>
From: Daryll Swer <contact@daryllswer.com>
Date: Wed, 03 Jan 2024 12:55:01 +0530
X-Gmail-Original-Message-ID: <CACyFTPE+f=9qLnWNo+G5J1im5YJzuGeS7JUg+zY2Bv8jJKOG8A@mail.gmail.com>
Message-ID: <CACyFTPE+f=9qLnWNo+G5J1im5YJzuGeS7JUg+zY2Bv8jJKOG8A@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Nick Buraglio <buraglio@forwardingplane.net>, Mark Smith <markzzzsmith@gmail.com>, v6ops list <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a5aee0060e0585c3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/yZJ2LBBWx9ed07AiSFEbY-742oo>
Subject: Re: [v6ops] Device ID [Why should IP networks be different? [DHCP Option 108 Issue with Mac and iOS devices]]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2024 07:25:46 -0000

>
> I don't think that's the assumption at all. It's more so the site security
> person can go to a specific desk, point at a specific device, and say "Who
> was using this at 10:38 a.m. last Tuesday?" (Or, of course, analyse logs to
> answer that question.) For a lot of obvious reasons, this question may be
> unanswerable or the answer will be untrue, but that is what identifying a
> device is for.
>
> Now if we want to argue that MAC addresses are no longer reliable device
> IDs, I agree. I run this laptop on the MAC address originally assigned to
> the laptop I bought in 2012. I expect you can work out why.
>
> If we want reliable device IDs, we really need to use IDevIDs with all the
> necessary cryptographic support.
>

Didn't see this thread, but yes +1 to Brian.

Like I said in the original “thread”, nobody in their right mind in 2024
would rely on MACs *alone*.

I'm not aware of any modern day enterprise that says “Oh, I need *static*
MACs”. This whole discussion was never about static MACs, at all, was it?

*--*
Best Regards
Daryll Swer
Website: daryllswer.com
<https://mailtrack.io/link/eec57f7186966b4ece7179d1b4c5f7ed5b5420af?url=https%3A%2F%2Fwww.daryllswer.com&userId=2153471&signature=7750237bbcd64e03>


On Wed, 3 Jan 2024 at 07:17, Brian E Carpenter <brian.e.carpenter@gmail.com>
wrote:

> We seem to have changed the subject, so I've changed the Subject.
>
> On 03-Jan-24 12:59, Nick Buraglio wrote:
> > On Tue, Jan 2, 2024 at 4:54 PM Mark Smith <markzzzsmith@gmail.com>
> wrote:
> >>
> >>   There is a fundamentally flawed assumption that all of the DHCP-only
> based schemes depend on.
> >>
> >> The assumption is that device IDs are reliable individual person IDs.
>
> I don't think that's the assumption at all. It's more so the site security
> person can go to a specific desk, point at a specific device, and say "Who
> was using this at 10:38 a.m. last Tuesday?" (Or, of course, analyse logs to
> answer that question.) For a lot of obvious reasons, this question may be
> unanswerable or the answer will be untrue, but that is what identifying a
> device is for.
>
> Now if we want to argue that MAC addresses are no longer reliable device
> IDs, I agree. I run this laptop on the MAC address originally assigned to
> the laptop I bought in 2012. I expect you can work out why.
>
> If we want reliable device IDs, we really need to use IDevIDs with all the
> necessary cryptographic support.
>
> >>
> >> IP addresses and MAC addresses are assumed to be a person ID, such that
> traffic and actions that can be attributed to an IP address or MAC address
> can be reliably and accurately attributed to a single person.
> >
> > Thanks, Mark.
> >
> > I think this is where the disconnect really is. Historically this was
> > achieved with IPv4 DHCP, but even that is less and less common due to
> > rotating MACs for privacy enforcement. Without things like a NAC or
> > another form of access authentication, this data is not terribly
> > useful in a large section of off the shelf scenarios.
>
> How are enterprise networks going to deal with mutating MAC addresses?
> If they rely on them for admission control to a LAN, VLAN or BSS,
> things just won't work. A system like Eduroam, that depends on end-user
> credentials rather than mutable numbers, seems much more robust.
>
> >>
> >> This is not the case unless there has been some authentication of the
> person that can tightly bind their identity to the IP addresses and MAC
> addresses of the device they're currently using.
> >
> > This is fairly straightforward on a cellular handset, but at that
> > point it's not even the MAC it's an ICCID, right?  For ethernet the
> > closest is the MAC, which on many platforms rotates unless that
> > feature is disabled, which it won't be unless dictated by policy and
> > probably central control.
>
> Exactly.
>
> >
> >>
> >> A device's IP addresses and MAC addresses can change regularly and
> automatically, and can be easily changed by a malicious actor.
> >
> > Yes, I think this is the elephant in the room. With dynamic MAC
> > addresses as a default on many (most?) modern devices, what does the
> > mac/ip binding really buy? In some cases this gets manufacturer and a
> > rough approximation of location based on the switchport / mac table.
> > This is, of course, less of an issue for things like a broadband
> > network where a CPE is likely the demarc and access to the network is
> > controlled and tracked via that, which does *not* indicate user, but
> > instead only provides the responsible party, which may be very
> > different.
> >
> >>
> >> A device's user can change, through being lent, stolen or sold.
> >
> > In many cases this is probably ok to ignore, in my experience the case
> > of LE the investigating body uses their discretion to determine things
> > like that and often it's more about responsible party identification,
> > at least on a first order approximation. My data is a few years old,
> > and solely based on experience with federal entities in the US. But
> > like someone said way above, we can't really expect to solve every
> > problem for everyone.
>
> Right. But using user credentials to validate users seems a lot more
> to the point. At the moment, I think there must be a lot of enterprises
> trying to forbid MAC address rotation and IPv6 temporary addresses,
> but as King Cnut demonstrated about 1000 years ago, this approach
> has its limits.
>
> >>
> >> Any security system that needs to reliably attribute people's actions
> to IP and MAC addresses can't rely on this assumption.
> >
> > I agree and I think that's really the point we have to come to terms
> > with. Unless we can implement something closer to an ICCID, and agree
> > that a responsible party is enough, the rest is at worst a security
> > theater operation or at best a compass that may point north.
> >
> > This is precisely why I suggested we talk through what we need from a
> > requirements standpoint rather than a technology point of view. It's
> > easy to throw around technologies and say "I want this to do what that
> > does" when in reality that may not actually provide what is actually
> > required, or maybe even the wrong question being asked all together.
> > Tracking users in today's day and age is harder than most folks think,
> > and it almost certainly relies on correlating data unless there is
> > total control from endpoint to access egress, and even then it is only
> > going to lead to a responsible party, not necessarily the offending
> > person. I don't think we can actually trust a MAC to L3 binding as
> > correct or authentic, unless there is resource control at the end
> > point. The least common denominator we can do *today* is try to
> > correlate what existed at a given time on the network with the traffic
> > it generated. A prefix makes that at least a bit easier.
> > And realistically every time I have had to run down something
> > questionable or nefarious that's exactly what it came down to: when
> > was it on the network? where was it, approximately, and what traffic
> > did it generate? Anything else is investigated but can rarely be
> > corroborated without an actual hardware device or user login tied to
> > the access.
> >
> > Enterprises operate differently. In many cases they can do things like
> > control the software load on the hosts and push policy, enforcing
> > behaviors. What I believe would solve more problems is better IPv6
> > support in existing tooling and products that are in use in
> > enterprises. This doesn't mean "make it like IPv4" it means "meet the
> > protocol where it is". and not trying to shoehorn a behavior into a
> > specific, existing way of thinking.
>
> Especially when that thinking (audit by MAC address and/or IP address)
> is in the process of being overtaken by events.
>
>      Brian
>
> >
> > nb
> >
> >
> >>
> >> Regards,
> >> Mark.
> >>
> >>
> >>
> >> On Wed, 3 Jan 2024, 09:03 Nick Buraglio, <buraglio@forwardingplane.net>
> wrote:
> >>>
> >>> This thread really went deep over the holiday =)
> >>>
> >>> Trying to recap a bit so we can re-focus, remembering that we are all
> >>> here for roughly the same reasons: to solve problems and because we
> >>> want to progress IPv6 deployments. I see a couple of topics at play
> >>> here:
> >>>
> >>> device tracking
> >>> log storage
> >>>
> >>> Folks see a need for tracking a device to a user with IPv6. - I get
> >>> this, I hear the same thing frequently. The commentary slides around
> >>> from a simple need to associate a hardware address with a layer 3
> >>> address to a full on mapping of user to device with a strong
> >>> preference by some to simply mimic what IPv4 does up to and including
> >>> state synchronization and redundancy of operations.
> >>> Personally, I don't think it is realistic to assume that we should
> >>> simply replicate something that exists already. We should aim for
> >>> whatever it is to be better and to address any shortcomings. I am very
> >>> excited about draft-ietf-dhc-addr-notification and prefix-per-device
> >>> as a solution set for most of what is discussed here.
> >>>
> >>> Of course, these mappings need to be stored somewhere and in cases
> >>> where logging may be of concern, I would compare much of this to
> >>> netflow and normal syslog generation - A reasonable amount of data
> >>> over a short period of time that is heavily influenced by activity on
> >>> the network. We have solutions for netflow storage, and we have well
> >>> traveled production options for log storage, all of which are tunable
> >>> and user controllable from a retention standpoint. I don't see this as
> >>> any different even if it means millions of logs. I am sure we have all
> >>> had to deal with that in the past, and that we all know it's not a
> >>> set-and-forget operation. Sizing and constant optimization is
> >>> important for any production system, regardless of size and scale.
> >>> With anything the logging is going to be wholly dependent on the long
> >>> term storage requirements. How long things need to be stored will
> >>> heavily influence how much storage is needed, and with text logs,
> >>> compression is extremely effective.
> >>>
> >>> As I write this, I am also reminded of the old adage I learned in the
> >>> early ISP days: "Cheap, Fast, Reliable. Pick two". I believe that is
> >>> still largely applicable here and with most technological solutions,
> >>> substituting "fast" for "easy", "approachable", "simple" or whatever
> >>> term applies for a given technology. We can't make the perfect the
> >>> enemy of the good.
> >>>
> >>> So, taking all specific technology out of the picture, what else are
> >>> we looking for besides device to address tracking and usable logging?
> >>> What parts of draft-ietf-dhc-addr-notification and prefix-per-device
> >>> *don't* do what is required? If we can identify the shortcomings then
> >>> we can work to address them.
> >>>
> >>> nb
> >>>
> >>>
> >>>
> >>>
> >>> On Tue, Jan 2, 2024 at 12:51 PM Ted Lemon <mellon@fugue.com> wrote:
> >>>>
> >>>> Actually I think the expectation is that if the 'a' bit is set in a
> prefix, you do SLAAC on that prefix regardless of whether or not you're
> doing DHCPv6 based on the RA.
> >>>>
> >>>> On Tue, Jan 2, 2024 at 1:04 PM Owen DeLong <owen=
> 40delong.com@dmarc.ietf.org> wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Jan 1, 2024, at 11:46, Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
> >>>>>
> >>>>> Simon,
> >>>>>
> >>>>> It doesn't matter. All nodes MUST contain a SLAAC implementation
> because Node Requirements says so. You can't half-implement RFC 4862. The
> node doesn't know what to do next unless it receives an RA, but it must be
> ready to do SLAAC.
> >>>>>
> >>>>> I agree, we generally use the term "SLAAC" to cover the pre-RA
> steps, because they don't have a separate name in RFC 4862.
> >>>>>
> >>>>> Owen is slightly wrong, though. Section 5.5.2 of RFC 4862 ("Absence
> of Router Advertisements") clarifies that a node may try DHCPv6 in the
> absence of any RAs. The M bit is not strictly required.
> >>>>>
> >>>>>
> >>>>> Fair enough, but that’s a “MAY” and not even a should, so it’s
> pretty shaky ground if you’re counting on it happening that way.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Regards
> >>>>>    Brian Carpenter
> >>>>>
> >>>>> On 02-Jan-24 08:18, Simon wrote:
> >>>>>
> >>>>> Owen DeLong <owen=40delong.com@dmarc.ietf.org> wrote:
> >>>>>
> >>>>> As conceived, DHCP6 doesn’t even start until you’ve completed most
> of SLAAC (you need to receive an RA to even tell you to try DHCP6 in
> theory).
> >>>>>
> >>>>> Sorry, but I’m not up on the detail of DHCPv6, but is this actually
> correct ?
> >>>>>
> >>>>> You don’t need to have done SLAAC, or even have any code for it, to
> generate a LL address and be able to solicit/receive RAs. In fact, SLAAC
> can’t be done until an RA has been received.
> >>>>>
> >>>>> Doesn't the same hold true for DHCP ?
> >>>>>
> >>>>>
> >>>>> Yes and no. As Brian notes, a host MAY try DHCPv6 if it doesn’t get
> an RA. However, the expected usual case is that an RA is received. If the M
> bit is set in the RA, then SLAAC is not completed and an IA_NA is requested
> via DHCPv6. If the M bit is not set, SLAAC is completed (assuming a usable
> PIO is present) and DHCPv6 will be consulted for other information if the O
> bit is set.
> >>>>>
> >>>>> Well, DHCPv6 kind of requires 70+% of SLAAC to function…
> >>>>>
> >>>>>
> >>>>> Packet
> >>>>>
> >>>>>    SLAAC  DHCP
> >>>>>
> >>>>> 1 RS->   RS->
> >>>>>
> >>>>> 2 RA<-   RA< (+M,?O)
> >>>>>
> >>>>> 3 NS (DAD)->  DHCP6 solicit->
> >>>>>
> >>>>> You’ve missed out a step - address generation. You can’t do NS (DAD)
> until you have generated a tentative address. And I’d argue that NS/RA
> isn’t “part of SLAAC”, it’s “part of the IPv6 stack WHICH IS USED BY
> ADDRESSING MECHANISMS” (note the plural). Or you could argue that if you
> use static addressing then you are using 70% of the SLAAC code if the OS
> does a sanity check before blindly configuring an address.
> >>>>>
> >>>>>
> >>>>> Yes, that step is required, but there’s no packet for it. It happens
> internal to the host and is (usually) the same algorithm as LLA generation
> which had to happen before you could send the RS.
> >>>>>
> >>>>> OWEN
> >>>>>
> >>>>> _______________________________________________
> >>>>> v6ops mailing list
> >>>>> v6ops@ietf.org
> >>>>> https://www.ietf.org/mailman/listinfo/v6ops
> >>>>
> >>>> _______________________________________________
> >>>> v6ops mailing list
> >>>> v6ops@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/v6ops
> >>>
> >>> _______________________________________________
> >>> v6ops mailing list
> >>> v6ops@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/v6ops
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email