Security and Privacy Considerations for IPv6 Address Generation Mechanisms
draft-ietf-6man-ipv6-address-generation-privacy-08

[Ballot comment]
Thanks for this (analysis in) this document and also the section 5.1 "network operation".
I like table 1 very much.

- Fine with the new proposal for the text below (I had the same remark):

o  Manual configuration

      *  IPv4 address

      *  Service port

      *  Wordy

      *  Low-byte



- DHT = Distributed Hash Table, I guess

- Section 3, "The first three of these rely on the
  attacker first gaining knowledge of the target host's IID."

Host's IID? Which one is this from the terminology section, the constant IDD, the stable IID, or the temporary IID?
I guess, all of them depending on the use case, right? Please make it clear.
Alternatively, you might to add a "host IDD" definition, , or "IID": a generic term for constant IDD, the stable IID, and the temporary IID.
I'm after some terms consistency here. I see some other instances, such as: "host's interface identifier", "host's IIDs"

[Ballot comment]
Thanks for this (analysis in) this document and also the section 5.1 "network operation".
I like table 1 very much.

- Fine with the new proposal for the text below (I had the same remark):

o  Manual configuration

      *  IPv4 address

      *  Service port

      *  Wordy

      *  Low-byte



- DHT = Distributed Hash Table, I guess

- Section 3, "The first three of these rely on the
  attacker first gaining knowledge of the target host's IID."

Host's IID? Which one is this from the terminology section, the constant IDD, the stable IID, or the temporary IID?
I guess, all of them depending on the use case, right? Please make it clear.
I see some other instances, such as: "host's interface identifier", "host's IIDs"
Alternatively, you might to add a "host IDD" definition, , or "IID": a generic term for constant IDD, the stable IID, and the temporary IID.
I'm after some consistency.

- Any final recommendation?

[Ballot comment]
Well constructed document - Thanks!

No action for the authors or shepherd here: so in answer to Barry's question. I think this document is able to stand on its own feet as informational - it doesn't need (in my opinion) to be classified as a BCP to add gravitas. The approach in the document stands as informational but the clear language and coverage of mechanisms and the resulting tradeoffs provide its own weight.

[Ballot comment]

- general: I really like this document but wonder about
how complete it is (or can be). For example, I think
there's very little here on transition mechanism
consequences, and no mention at all of the privacy trade
offs between CGN and IPv6 addressing. I do think it's a
good thing to publish this now though, but it might also
be nice to see if we can get it udpated sometime in
future. (Which'd argue that maybe we should have a
standards track thing like this that recommends what to
do when one cares about privacy in different contexts,
but I'm not asking we go there now.)

- section 1: I'm surprised only A+P gets onto the list
here - aren't there more worthy of mention? I hope you
can extend this list to include the most commonly used
of those.

- section 2: I'd not have thought of a SIP proxy as a
place to which I'd publish addresses - might be nice (no
more) to add a reference that explains that?

- section 2: the definitions are probably ok, but they
don't really specify disjoint sets of things, e.g.  for
the stable vs. temporary IID some things will fit both
definitions, which seems a bit odd. However, I'm not
sure that being much more precise is worthwhile.

- section 3: If an addr with an IID like that is used in
an ACL (e.g. on a router/switch) that can also be bad if
the device moves now and then. (Since anyone can fake
'em.)

- section 3: The ways in which a bad actor can gain
knowledge are worse than stated - if the IID is broadcast
from a handset whilst wandering about, which is what
happens a lot!

- section 3: Would it be a good idea to try scare the
reader a bit via a reference to the Canadian govt story
about tracking everyone going throught Toronto airport?
I'm not sure readers of this will otherwise get the full
import otherwise.

- Table 1: I don't agree with some of your "no"
statements. I think what you mean by "no" is really "not
solely based on wire protocols" or somesuch, e.g. with
DHCP the servers can assist with location tracking based
on client ID or layer 2 information. I think you should
clarify what "no" means here to not give a slightly
wrong impression.

- Table 1: What logic was used to determine how many
rows to include here? Actually all of section 4 seems
overly focused on IIDs.

- 4.8: I'm surprised there's so little to be said here.

[Ballot comment]
A nit, and a compliment in the form of a question for the IESG ...

The nit: The term "low byte" doesn't have a reference on first use in Section 4.2, and doesn't appear in the terminology section. I think I understand the point this text is making:
 
  The extent to which location tracking can be successfully performed
  depends, to a some extent, on the uniqueness of the employed
  Interface ID.  For example, one would expect "low byte" Interface IDs
                                                ^^^^^^^^^^
  to be more widely reused than, for example, Interface IDs where the
  whole 64-bits follow some pattern that is unique to a specific
  organization.  Widely reused Interface IDs will typically lead to
  false positives when performing location tracking.
 
but I'm guessing, and the point seems important enough to justify clarity. Could you add "low byte" to the terminology section, unless it's a term of art all your readers will understand?

The following text was helpful to me in guessing what "low byte" means,

  On the other hand, some DHCPv6 software leases sequential addresses
  (typically low-byte addresses).  These addresses can be considered to
  be stable addresses.  The drawback of this address generation scheme
  compared to "stable, semantically opaque" addresses is that, since
  they follow specific patterns, they enable IPv6 address scans.

but it didn't appear until Section 4.8.

Authors and 6man working group, please take what follows as a compliment - no action required on your part, I think.

For the IESG - I wonder if this document could be published as something more than Informational. It's important, relevant, useful, and clearly written. Maybe it doesn't quite fit being published as a BCP. Maybe it doesn't quite fit being published as an Applicability Statement (https://tools.ietf.org/html/rfc2026#section-3.2). The response to the first question in the shepherd writeup didn't explain why Informational was the proper intended RFC status, so I thought I should ask here.

Maybe it has enough gravitas as is.

But I'd also ballot Yes for either BCP or AS.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-6man-ipv6-address-generation-privacy-07, which is currently in Last Call, and has the following comments:

We understand that, upon approval of this document, there are no IANA Actions that need completion.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, IANA does not object.

If this assessment is not accurate, please respond as soon as possible.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Privacy Considerations for IPv6 Address Generation Mechanisms) to Informational RFC


The IESG has received a request from the IPv6 Maintenance WG (6man) to
consider the following document:
- 'Privacy Considerations for IPv6 Address Generation Mechanisms'
  as
Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-07-13. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document discusses privacy and security considerations for
  several IPv6 address generation mechanisms, both standardized and
  non-standardized.  It evaluates how different mechanisms mitigate
  different threats and the trade-offs that implementors, developers,
  and users face in choosing different addresses or address generation
  mechanisms.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-6man-ipv6-address-generation-privacy/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-6man-ipv6-address-generation-privacy/ballot/


No IPR declarations have been submitted directly on this I-D.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

  Informational document. The type is indicated on the title page.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

  This document discusses privacy and security considerations for
  several IPv6 address generation mechanisms, both standardized and
  non-standardized.  It evaluates how different mechanisms mitigate
  different threats and the trade-offs that implementors, developers,
  and users face in choosing different addresses or address generation
  mechanisms.

Working Group Summary

  The initial revision of this work was published in July 2013. There
  is a strong consensus in support of this document.

Document Quality

  The 6man working group appoints reviewers for all documents being
  advanced to the IESG. This document has been reviewed in detail by
  6man reviewers, and it has had extensive discussion on the mailing
  list.
 
Personnel

  Document Shepherd: Ole Troan
  Responsible Area Director: Brian Haberman

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

  The document has been reviewed by the 6man chairs, ID nits have been
  checked, as well as by the appointed 6man reviewers.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed? 

  No.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

  No.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.
 
  The Document Shepherd has no issues with this document.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

  Yes.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

  Strong consensus.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

  No appeal or discontent registered.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

No nits.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

  No formal reviews required.

(13) Have all references within this document been identified as
either normative or informative?

  Yes.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

  No.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

  None.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

  No. Not directly. While the material here is used as justification
  for changing the default interface-id and for the work on mechanisms
  with a higher level of privacy.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

  I can confirm all points.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

  None.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

  There are no formal language in this document.