Hi Alissa,

Thanks for your review.  Sorry it has taken to long to get back to you.
Comments inline...


On Wed, Nov 30, 2016 at 11:33 AM, Alissa Cooper <ali...@cooperw.in> wrote:

> Alissa Cooper has entered the following ballot position for
> draft-ietf-6lo-6lobac-06: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-6lo-6lobac/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Section 12 says:
>
> "For this reason, it is RECOMMENDED that a different (but stable) IID be
>    generated for each globally scoped address in use according to, for
>    example, [RFC3315], [RFC3972], [RFC4941], [RFC5535], or [RFC7217]."
>
> I have a couple of questions about this recommendation that should be
> easy to clear up. First, do you really mean "different" IID? EUI-64
> identifiers are different from each other, but embedding one in an IID
> still leaves you susceptible to address scanning attacks. Maybe what is
> meant here is "semantically opaque" or "with maximum supportable entropy"
> or something along those lines?
>
> <kel>
I've added text that distinguishes between "MAC-address-derived" and
"semantically opaque" IIDs.  The first is formed from the dynamically
assigned 8-bit MS/TP node address and is recommended for link-local
traffic (which is likely the only type of traffic for many deployments).

"Semantically opaque" IIDs having 64 bits of entropy are strongly
recommended for forming globally scoped addresses.  Section 12
recommends a different such IID for each routable address in use.
</kel?


> Second, what is meant by the word "stable" here? The mechanisms cited
> offer a variety of different "stability" spans -- DHCP lease lifetime,
> temporary address lifetime, lifetime of connection to a link, etc. So
> it's not clear what is actually being recommended or if the cited
> mechanisms all provide the desired property.
>
> <kel>
Section 12 now references RFC 8065, which distinguishes between "stable"
and "temporary" addresses  - the former typically employed by servers and
the latter by clients.  Section 12 recommends the latter be changed
"frequently" but doesn't go into details (implying you should read RFC 8065
for guidance).

The point of changing global addresses frequently is to mitigate address
scanning attacks.  The analysis in RFC 8065 Section 2 could have been
presented as (number of trials to 0.5 probability of a "hit") X (time per
trial).
The number of trials to 0.5 probability of a hit can be modeled as between
an urn without replacement (in the case of a stable address) to an urn with
replacement (in the limit, where the address changes with each new
connection).
</kel>

>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I mostly understand why Sections 6 and 12 are specified as they are but
> there are a couple of points of departure from
> draft-ietf-6lo-privacy-considerations and draft-ietf-6man-default-iids
> that I'd like to discuss.
>
> (1) draft-ietf-6man-default-iids says that the choice of address
> generation mechanism should be configurable when a mechanism is specified
> to embed a link layer address in an IID. Is there a reason that doesn't
> apply here? The document doesn't say anything about it for the link-local
> case.
>
> <kel>
I have been trying to follow RFC 8064, but not too successfully.  I'm under
the impression that it only applies to situations where the guidance is that
a link-layer derived IID is used in a globally scoped address?  6LoBAC
strongly recommends the use of semantically opaque IIDs for such addresses.
</kel>


> (2) draft-ietf-6lo-privacy-considerations says:
>
> "Specifications should make sure that an IPv6 address can change
>       over long periods of time.  For example, the interface identifier
>       might change each time a device connects to the network (if
>       connections are short), or might change each day (if connections
>       can be long).  This is necessary to mitigate correlation over
>       time."
>
> This document doesn't seem to provide any guidance about supporting the
> ability to change an IPv6 address within the life span of a long-lived
> attachment to the same physical network. Some of the mechanisms cited in
> Section 12 provide this and some do not. I appreciate that correlation of
> activities over time isn't perceived to be a huge threat here, but aren't
> there cases where being able to change an address despite remaining
> attached to the same physical network would be desirable? That seems
> worth some guidance for nodes that want to support it.
>
> <kel>
The guidance is that "temporary" globally scoped addresses should change
frequently.  An issue arises with MAC-address-derived IIDs used to form
link-local addresses.  It is quite typical that the address of an MS/TP
device
is selected by DIP switches and then the device is placed e.g. in the
ceiling
for an extended period (ideally years).  For this to present a correlation
of
activities over time risk, the link-local address would a) have to leak
offlink,
and b) be correlated with a temporary globally scoped address that is
changing frequently.

Does this scenario pose a serious concern?  If so, I think the best guidance
that can be offered is to not let link-local addresses leak.  This is
unlikely
in the first place, as MS/TP devices are usually quite constrained and all
the bytes in flash are accounted for (thermostats don't typically send
email).
</kel>

Thanks again, Kerry
_______________________________________________
6lo mailing list
6lo@ietf.org
https://www.ietf.org/mailman/listinfo/6lo

Reply via email to