Anonymity Profiles for DHCP Clients
draft-ietf-dhc-anonymity-profile-08

[Ballot comment]
Great work, thanks.

= General =

This document seems to use the term "link-layer address randomization" to describe the situation where a link-layer address is randomly generated AND changes over time. While this seems the likely way that such addresses may be standardized in the future, it's not guaranteed. An address could be randomly generated (or otherwise semantically opaque, e.g. not containing an OUI) but permanent for the life of the device/interface, in which case the privacy benefits of what is specified in this draft are not the same. Therefore I think it's worth explicitly stating the interpretation of "random address" that is being used here.

= Section 1 =

s/Reports surfaced recently/There have been reports/

= Section 2 =

Would be good to update the references to work going on in IEEE 802.1. Also there were experiments at multiple IEEE and IETF meetings.

= Section 3 =

Section 3.1 says:

"The client willing to protect its privacy SHOULD limit the subset of
  options sent in messages to the subset listed in the following
  sections."

Then all the subsections discuss specific options and considerations for using them, except 3.9, which basically says "don't use these." I would assume there are a bunch of other options that clients definitely shouldn't use if they want to maintain anonymity (I was thinking of 123 and 144, geolocation). So why are only the PXE options mentioned here, when the text in 3.1 seemed to be saying that clients should avoid all other options not mentioned?

[Ballot comment]
Thanks for doing this. I have some comments, most of which can be safely ignored:

*** Substantive ***
- 2.6, 2nd paragraph:
It seems like the "if servers do not object" part goes against the spirit of section 2.5.

- 3 (top level)

-- There's a lot of normative language about things people MUST or MAY put into DHCP messages (as opposed to the SHOULD NOTs). Are those new requirements created by this profile, or statements of fact about DHCP in general? If the latter, please consider dropping the 2119 keywords.

-- "It SHOULD NOT contain any other option"
This language repeats several times. But there’s a fair amount of text later in the subsections that talks about specific “other options” that SHOULD NOT be included. That seems redundant. I wonder if there's an opportunity to simplify things?

-- 2nd to last paragraph:
It seems odd to say things SHOULD follow the dhcp standard; that's kind of implied by being dhcp.

- 3 and subsections:
There are a lot of SHOULDs that I am surprised are not MUSTs. I understand that the entire profile is optional, but it seems like some of the guidance could be stronger for clients that use the profile in the first place.

- 3.1, last paragraph:
Please describe the consequences of not following that SHOULD. For example, doesn’t the MAY alternative _add_ a fingerprinting opportunity?
- 3.2, 2nd to last paragraph: "DHCP clients should ensure"
Should that be SHOULD?
-3.3, 2nd paragraph: "They MUST use the option when mandated by the DHCP protocol..."
That seems more like a statement of fact.

-3.7, third paragraph:
What’s the point of allowing the sending of an obfuscated host name, rather than just saying MUST NOT send the host name in the first place?

- 4.3, 3rd paragraph:
Isn't the randomization of link-layer addresses a fundamental premise of this draft?

*** Editorial ***

- 3, 2nd to last paragraph:
Can the "following sections" be more specific? That is, list the section numbers, or mention "The remaining subsections"?

- 3.1, 2nd to last paragraph:
Are we really talking about clients "willing" to protect privacy, or clients "wishing" or "intending" to protect privacy?

- 3.4:
The document already spent several pages motivating the randomization of link-layer addresses. It seems unnecessary to do it again here.

-3.5, 2nd to last paragraph:
“based solely” seems ambiguous. Do I understand correctly that this means the client MUST NOT use client identifiers that persist across changes in the link layer address?
The assertion that this will ensure that no privacy leaks occur seems overstated. I suspect there are other ways clients can leak private information.

- 3.6:
The guidance on ordering seems redundant with 3.1.

- 3.9, 2nd paragraph, last sentence: "If only for privacy reasons..."
I suggest removing the clause. It weakens the following normative requirement.

- 4.5, first paragraph: "indemtified"
identified?

[Ballot comment]
Thank you for producing this document. It's important. I do have a couple of observations for you to consider.

In this text:

  We can also
  assume that privacy conscious users will attempt to evade this
  monitoring, for example by ensuring that low level identifiers such
  as link-layer addresses are "randomized," so that the devices do not
  broadcast a unique identifier in every location that they visit.
 
it would be clearer to me if it said "broadcast the same unique identifier".

I really like

  Declaring a preference for
  anonymity is a bit like walking around with a Guy Fawkes mask.
 
but I do wonder if that's accessible for a global audience. Is there a reference, or a short explanation that would work?

[Ballot comment]

Thank you for doing this work. I think it's important and an
excellent example.

- general: I have a question for which I think it'd be good if
the answer were visible to others doing similar work later. That
could be recorded in email that can be referenced (via an
archive URL) or it could be in this document. Perhaps the latter
is better, not sure.  Anyway, the question is: what was the
methodology used to identify the various DHCP related anonymity
issues that need to be tackled, and to consider/test proposed
mitigations? I think it may be worth including some text on
methodology in this document (maybe a new appendix or as a
section 2.8?) so that we can use this as a self-contained
example when other folks are doing similar work.  (Sorry for
trying to add work.) If a part of that answer is e.g. "I bought
Ralph a G&T" that is IMO also worth including in some anonymised
form:-)

- The IPR declaration makes me a bit sad, but I think the WG
did process it according to our processes.

- abstract: Is "anonymous to the visited network" the right
goal? Perhaps also "not be identified as the same entity as
previously connected to this or another network" is more like
it, but too wordy;-) If you can figure a way to include the
"another network" aspect in the abstract that'd be good I think,
as that might help motivate network admins to want this profile,
as they're not only protecting their users from themselves, but
from other network admins as well.

- section 2: In the introductory text, you could update this to
refer to IEEE's ongoing work here, which I think is now more
official than it was perhaps when this text was written.

- 2.5: The Guy Fawkes reference might not be meaningful in a
few years. I'd suggest deleting that sentence.

- 3.5: So this says to do the opposite of 4361, which is
correct.  I wonder does that mean this UPDATEs 4361? (But don't
care about the answer;-) Same issue may arise wrt 3315 I guess.
(And I still don't care about the answer:-)

- 3.7: typo, "SOULD"

- 4.3: "from the previous year" - that's neat! Don't think I've
seen that before.

- 4.5: typo, "indemtified"

- 4.5.2: This still seems a bit too negative to me. Can't PD
assist privacy in some cases even if further study is needed.
E.g. if a home router is given a prefix via PD and that changes
now and then.

- DHCPv6: is there really nothing to say about link local
addresses? (I'm not sure how those are used in DHCPv6, if they
are, but they do often contain MACs.)

- The secdir review of the dhcp-privacy draft [1] suggested some
additional text for the security considerations text there that
might be better here.

  [1] https://www.ietf.org/mail-archive/web/secdir/current/msg06338.html

(PS: This review was done on -06 with a quick look at the diff
vs. -07. I think it all still applies though.)

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-dhc-anonymity-profile-06.txt, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any IANA actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, IANA does not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
IANA Specialist
ICANN

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: dhc-chairs@ietf.org, brian@innovationslab.net, volz@cisco.com, draft-ietf-dhc-anonymity-profile@ietf.org, dhcwg@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Anonymity profile for DHCP clients) to Proposed Standard


The IESG has received a request from the Dynamic Host Configuration WG
(dhc) to consider the following document:
- 'Anonymity profile for DHCP clients'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2016-02-15. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  Some DHCP options carry unique identifiers.  These identifiers can
  enable device tracking even if the device administrator takes care of
  randomizing other potential identifications like link-layer addresses
  or IPv6 addresses.  The anonymity profile is designed for clients
  that wish to remain anonymous to the visited network.  The profile
  provides guidelines on the composition of DHCP or DHCPv6 requests,
  designed to minimize disclosure of identifying information.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dhc-anonymity-profile/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dhc-anonymity-profile/ballot/


The following IPR Declarations may be related to this I-D:

  https://datatracker.ietf.org/ipr/2654/

Write up for draft-ietf-dhc-anonymity-profile(-05).txt:

NOTE TO AD: The 3 documents (draft-ietf-dhc-dhcp-privacy,
draft-ietf-dhc-dhcpv6-privacy, and draft-ietf-dhc-anonymity-profile)
should likely be sent to IETF/IESG together as a package.


(1) What type of RFC is being requested (BCP, Proposed Standard,
    Internet Standard, Informational, Experimental, or Historic)? Why
    is this the proper type of RFC? Is this type of RFC indicated in
    the title page header?

Standards Track. This is the proper type because this document specifies
a mechanism for DHCP anonymity (v4 and v6) and the more DHCP implementations
that use this approach, the less profiling and tracking will be possible. If
different implementation use different techniques, some profiling and
tracking may still be possible.


(2) The IESG approval announcement includes a Document Announcement
    Write-Up. Please provide such a Document Announcement
    Write-Up. Recent examples can be found in the "Action"
    announcements for approved documents. The approval announcement
    contains the following sections:

Technical Summary:

This document specifies an anonymity profile for DHCP clients to remain
as anonymous as possible on visited networks.


Working Group Summary:

This document is an answer to the privacy considerations raised in
draft-ietf-dhc-dhcp-privacy and draft-ietf-dhc-dhcpv6-privacy with respect
to DHCPv4 and DHCPv6, respectively. The profile provides guidelines on the
composition of DHCP or DHCPv6 requests, designed to minimize disclosure of
identifying information.

Document Quality:

This document has had thorough reviews by many interested and
knowledgeable folks (beyond those mentioned in the acknowledgements
section). There were no significant points of difficulty or
controversy with the contents of the document.

Microsoft did a prototype implementation and reported great results (see
https://www.ietf.org/proceedings/93/slides/slides-93-dhc-1.pdf).

Personnel:

Bernie Volz is the document shepherd. Brian Haberman is the responsible AD.


(3) Briefly describe the review of this document that was performed by
    the Document Shepherd. If this version of the document is not
    ready for publication, please explain why the document is being
    forwarded to the IESG.

I read the document thoroughly several times, and submitted editorial and
technical suggestions to the authors, which they implemented. I believe it
is ready for publication.


(4) Does the document Shepherd have any concerns about the depth or
    breadth of the reviews that have been performed?

No, the document has had a good deal of careful review.


(5) Do portions of the document need review from a particular or from
    broader perspective, e.g., security, operational complexity, AAA,
    DNS, DHCP, XML, or internationalization? If so, describe the
    review that took place.

The WGLC was posted to the perpass mailing list, though no comments were
received (see
http://www.ietf.org/mail-archive/web/perpass/current/msg01911.html).


(6) Describe any specific concerns or issues that the Document
    Shepherd has with this document that the Responsible Area Director
    and/or the IESG should be aware of? For example, perhaps he or she
    is uncomfortable with certain parts of the document, or has
    concerns whether there really is a need for it. In any event, if
    the WG has discussed those issues and has indicated that it still
    wishes to advance the document, detail those concerns here.

I think the document is good as written, and serves a useful purpose.


(7) Has each author confirmed that any and all appropriate IPR
    disclosures required for full conformance with the provisions of
    BCP 78 and BCP 79 have already been filed. If not, explain why?

Yes. However, please see (8).


(8) Has an IPR disclosure been filed that references this document? If
    so, summarize any WG discussion and conclusion regarding the IPR
    disclosures.

Yes. One IPR was filed about a month before the WGLC was started. The WGLC
announcement mentioned the IPR. No one raised a concern. The IPR is from
an involved party and its exact impact has not been reviewed.


(9) How solid is the WG consensus behind this document? Does it
    represent the strong concurrence of a few individuals, with others
    being silent, or does the WG as a whole understand and agree with it?

There is a strong consensus behind this document and in particular from
very active WG participants (i.e. "DHCP experts").


(10) Has anyone threatened an appeal or otherwise indicated extreme
    discontent? If so, please summarise the areas of conflict in
    separate email messages to the Responsible Area Director. (It
    should be in a separate email because this questionnaire is
    publicly available.)

No.


(11) Identify any ID nits the Document Shepherd has found in this
    document. (See http://www.ietf.org/tools/idnits/ and the
    Internet-Drafts Checklist). Boilerplate checks are not enough;
    this check needs to be thorough.

No issues or nits reported.


(12) Describe how the document meets any required formal review
    criteria, such as the MIB Doctor, media type, and URI type
    reviews.

N/A


(13) Have all references within this document been identified as
    either normative or informative?

Yes, and seems to be done appropriately.


(14) Are there normative references to documents that are not ready
    for advancement or are otherwise in an unclear state? If such
    normative references exist, what is the plan for their
    completion?

No.


(15) Are there downward normative references references (see RFC
    3967)? If so, list these downward references to support the Area
    Director in the Last Call procedure.

No.


(16) Will publication of this document change the status of any
    existing RFCs? Are those RFCs listed on the title page header,
    listed in the abstract, and discussed in the introduction? If the
    RFCs are not listed in the Abstract and Introduction, explain
    why, and point to the part of the document where the relationship
    of this document to the other RFCs is discussed. If this
    information is not in the document, explain why the WG considers
    it unnecessary.

No.


(17) Describe the Document Shepherd's review of the IANA
    considerations section, especially with regard to its consistency
    with the body of the document. Confirm that all protocol
    extensions that the document makes are associated with the
    appropriate reservations in IANA registries. Confirm that any
    referenced IANA registries have been clearly identified. Confirm
    that newly created IANA registries include a detailed
    specification of the initial contents for the registry, that
    allocations procedures for future registrations are defined, and
    a reasonable name for the new registry has been suggested (see
    RFC 5226).

There are no IANA actions required.


(18) List any new IANA registries that require Expert Review for
    future allocations. Provide any public guidance that the IESG
    would find useful in selecting the IANA Experts for these new
    registries.

There are no new IANA registries requested by this draft.


(19) Describe reviews and automated checks performed by the Document
    Shepherd to validate sections of the document written in a formal
    language, such as XML code, BNF rules, MIB definitions, etc.

There are no such parts to the document.

1. In reviewing this in preparation for the shepherd write-up, the change to the 04 draft:

  3.  Anonymity profile for DHCPv4  . . . . . . . . . . . . . . . .  8
    3.1.  Option encoding and avoiding  Avoiding fingerprinting . . . . . . . . . . . . . . . . .  9

Yet:

  4.  Anonymity profile for DHCPv6  . . . . . . . . . . . . . . . .  14
    4.1.  Option encoding and avoiding fingerprinting . . . . . . .  14  15

I am curious to know if the difference between the two section titles was intentional or not?

Also, I didn’t find anything that requested this change (but that doesn’t mean there was a reason for it).


Here’s some other nits from the changes in Section 4.5:

  We interpret that as requiring that the IAID MUST be constant for the
  association, as long as the link layer Address remains constant.

Should Address be capitalized here?

  Clients MAY meet the privacy, uniqueness and stability requirement of
  the IAID using by constructing it as the combination of one byte

The “using by constructing” seems odd? Drop “using”?
  encoding the interface number in the system, and three bytes of the
  link layer address.

(Not sure if it matters which 3 bytes and the order of the combination. Though perhaps if that varies by implementations, it can be used to fingerprint so perhaps better to be more explicit?)

2. Also, I ran through idnits:

The one issue that likely needs to be fixed is the one about the header should have the “Updates:” line to match what the abstract states? But, I don’t see any specific text that specifies a specific change to RFC 4361 and the change log has:

          Changes from draft-02 to draft-03:

          1.  Removed the update of [RFC4361] since we are specifying when to
              use that RFC, but are not recommending any specific change.

So, perhaps rewording the abstract is what is really needed? Can we just drop “ This draft updates RFC4361.” from the Abstract?

3. And, there is a Normative Reference to ietf-dhc-rfc3315bis.

This will cause this document to block (RFC editor queue) until that work is done and is ready to be an RFC. I don’t think we want this?

Can this be changed to an Informative reference so it does not block?

While it doesn’t matter that much, I do wonder why some references are Normative – such as to RFC4702. Please review all references if you could to assure that they are appropriate. (RFC2132, 3925, 4361, 4704  all look like they could be Informative?)

Hi all,

This message starts the DHC Working Group Last Call to advance draft-ietf-dhc-anonymity-profile-03, Anonymity profile for DHCP clients, http://tools.ietf.org/html/draft-ietf-dhc-anonymity-profile-03. This document’s intended status is Standards Track.

Note: At present, there is 1 IPR against file against this document (http://datatracker.ietf.org/ipr/2654/).

This is a part of the WGLC of 3 documents (draft-ietf-dhc-dhcp-privacy-01,  draft-ietf-dhc-dhcpv6-privacy-01, and draft-ietf-dhc-anonymity-profile-03).

Please send your comments by September 22th, 2015. If you do not feel this  document should advance, please state your reasons why.

Bernie Volz is the assigned shepherd.

- Tomek & Bernie