Security and Privacy Considerations for IPv6 Address Generation Mechanisms
draft-ietf-6man-ipv6-address-generation-privacy-08
Yes
(Ben Campbell)
(Brian Haberman)
No Objection
(Alvaro Retana)
(Barry Leiba)
(Deborah Brungard)
(Joel Jaeggli)
Recuse
(Alissa Cooper)
Note: This ballot was opened for revision 07 and is now closed.
Alia Atlas Former IESG member
Yes
Yes
(2015-08-05 for -07)
Unknown
Thanks for the informative and well-written work.
Ben Campbell Former IESG member
Yes
Yes
(for -07)
Unknown
Brian Haberman Former IESG member
Yes
Yes
(for -07)
Unknown
Kathleen Moriarty Former IESG member
Yes
Yes
(2015-08-04 for -07)
Unknown
Nice work on this draft!
Spencer Dawkins Former IESG member
Yes
Yes
(2015-08-04 for -07)
Unknown
A nit, and a compliment in the form of a question for the IESG ... The nit: The term "low byte" doesn't have a reference on first use in Section 4.2, and doesn't appear in the terminology section. I think I understand the point this text is making: The extent to which location tracking can be successfully performed depends, to a some extent, on the uniqueness of the employed Interface ID. For example, one would expect "low byte" Interface IDs ^^^^^^^^^^ to be more widely reused than, for example, Interface IDs where the whole 64-bits follow some pattern that is unique to a specific organization. Widely reused Interface IDs will typically lead to false positives when performing location tracking. but I'm guessing, and the point seems important enough to justify clarity. Could you add "low byte" to the terminology section, unless it's a term of art all your readers will understand? The following text was helpful to me in guessing what "low byte" means, On the other hand, some DHCPv6 software leases sequential addresses (typically low-byte addresses). These addresses can be considered to be stable addresses. The drawback of this address generation scheme compared to "stable, semantically opaque" addresses is that, since they follow specific patterns, they enable IPv6 address scans. but it didn't appear until Section 4.8. Authors and 6man working group, please take what follows as a compliment - no action required on your part, I think. For the IESG - I wonder if this document could be published as something more than Informational. It's important, relevant, useful, and clearly written. Maybe it doesn't quite fit being published as a BCP. Maybe it doesn't quite fit being published as an Applicability Statement (https://tools.ietf.org/html/rfc2026#section-3.2). The response to the first question in the shepherd writeup didn't explain why Informational was the proper intended RFC status, so I thought I should ask here. Maybe it has enough gravitas as is. But I'd also ballot Yes for either BCP or AS.
Stephen Farrell Former IESG member
Yes
Yes
(2015-08-05 for -07)
Unknown
- general: I really like this document but wonder about how complete it is (or can be). For example, I think there's very little here on transition mechanism consequences, and no mention at all of the privacy trade offs between CGN and IPv6 addressing. I do think it's a good thing to publish this now though, but it might also be nice to see if we can get it udpated sometime in future. (Which'd argue that maybe we should have a standards track thing like this that recommends what to do when one cares about privacy in different contexts, but I'm not asking we go there now.) - section 1: I'm surprised only A+P gets onto the list here - aren't there more worthy of mention? I hope you can extend this list to include the most commonly used of those. - section 2: I'd not have thought of a SIP proxy as a place to which I'd publish addresses - might be nice (no more) to add a reference that explains that? - section 2: the definitions are probably ok, but they don't really specify disjoint sets of things, e.g. for the stable vs. temporary IID some things will fit both definitions, which seems a bit odd. However, I'm not sure that being much more precise is worthwhile. - section 3: If an addr with an IID like that is used in an ACL (e.g. on a router/switch) that can also be bad if the device moves now and then. (Since anyone can fake 'em.) - section 3: The ways in which a bad actor can gain knowledge are worse than stated - if the IID is broadcast from a handset whilst wandering about, which is what happens a lot! - section 3: Would it be a good idea to try scare the reader a bit via a reference to the Canadian govt story about tracking everyone going throught Toronto airport? I'm not sure readers of this will otherwise get the full import otherwise. - Table 1: I don't agree with some of your "no" statements. I think what you mean by "no" is really "not solely based on wire protocols" or somesuch, e.g. with DHCP the servers can assist with location tracking based on client ID or layer 2 information. I think you should clarify what "no" means here to not give a slightly wrong impression. - Table 1: What logic was used to determine how many rows to include here? Actually all of section 4 seems overly focused on IIDs. - 4.8: I'm surprised there's so little to be said here.
Terry Manderson Former IESG member
Yes
Yes
(2015-08-05 for -07)
Unknown
Well constructed document - Thanks! No action for the authors or shepherd here: so in answer to Barry's question. I think this document is able to stand on its own feet as informational - it doesn't need (in my opinion) to be classified as a BCP to add gravitas. The approach in the document stands as informational but the clear language and coverage of mechanisms and the resulting tradeoffs provide its own weight.
Alvaro Retana Former IESG member
No Objection
No Objection
(for -07)
Unknown
Barry Leiba Former IESG member
No Objection
No Objection
(for -07)
Unknown
Benoît Claise Former IESG member
No Objection
No Objection
(2015-08-06 for -07)
Unknown
Thanks for this (analysis in) this document and also the section 5.1 "network operation". I like table 1 very much. - Fine with the new proposal for the text below (I had the same remark): o Manual configuration * IPv4 address * Service port * Wordy * Low-byte - DHT = Distributed Hash Table, I guess - Section 3, "The first three of these rely on the attacker first gaining knowledge of the target host's IID." Host's IID? Which one is this from the terminology section, the constant IDD, the stable IID, or the temporary IID? I guess, all of them depending on the use case, right? Please make it clear. Alternatively, you might to add a "host IDD" definition, , or "IID": a generic term for constant IDD, the stable IID, and the temporary IID. I'm after some terms consistency here. I see some other instances, such as: "host's interface identifier", "host's IIDs"
Deborah Brungard Former IESG member
No Objection
No Objection
(for -07)
Unknown
Joel Jaeggli Former IESG member
No Objection
No Objection
(for -07)
Unknown
Alissa Cooper Former IESG member
Recuse
Recuse
(for -07)
Unknown