dhc T. Mrugalski
Internet-Draft ISC
Updates: 3315 (if approved) S. Krishnan
Intended status: Standards Track Ericsson
Expires: September 10, 2015 March 9, 2015
Mitigation of Privacy Concerns in DHCPv6
draft-mrugalski-dhc-dhcpv6-privacy-mitigation-00
Abstract
There is work ongoing in the dhc working group that discusses the
various identifiers used by DHCPv6 and the potential privacy
implications. This draft explores several migitation techniques that
could be used to address the privacy issues in DHCPv6. This draft is
expected to evolve significantly over time, but the ultimate goal is
to standardize mitigation techniques the DHC working group considers
useful.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Mrugalski & Krishnan Expires September 10, 2015 [Page 1]
Internet-Draft DHCPv6 Privacy Concerns Mitigation March 2015
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Client Mitigation Techniques . . . . . . . . . . . . . . . . 3
3.1. Not disclose the desire for privacy . . . . . . . . . . . 3
3.2. Use randomized DUIDs . . . . . . . . . . . . . . . . . . 3
3.3. Do not send Confirm messages . . . . . . . . . . . . . . 4
3.4. Obtain temporary addresses . . . . . . . . . . . . . . . 4
3.5. Do not request the FQDN Option . . . . . . . . . . . . . 5
3.6. Randomize ordering of Options in messages and in the ORO 5
3.7. Anonymous Information-Request . . . . . . . . . . . . . . 6
4. Server Mitigation Techniques . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
9.1. Normative References . . . . . . . . . . . . . . . . . . 7
9.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
DHCPv6 [RFC3315] is a protocol that is used to provide addressing and
configuration information to IPv6 hosts. The DHCPv6 protocol uses
several identifiers that could become a source for gleaning
additional information about the IPv6 host. This information may
include device type, operating system information, location(s) that
the device may have previously visited, etc.
[I-D.ietf-dhc-dhcpv6-privacy] discusses the various identifiers used
by DHCPv6 and the potential privacy issues [RFC6973]. This document
proposes
2. Terminology
This document uses the term "Stable identifier" as defined in
[I-D.ietf-dhc-dhcpv6-privacy]
Mrugalski & Krishnan Expires September 10, 2015 [Page 2]
Internet-Draft DHCPv6 Privacy Concerns Mitigation March 2015
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. When these
words are not in ALL CAPS (such as "should" or "Should"), they have
their usual English meanings, and are not to be interpreted as
[RFC2119] key words.
3. Client Mitigation Techniques
3.1. Not disclose the desire for privacy
A naive approach to privacy would be to simply disclose the desire to
protect one's privacy, e.g. by sending requests for temporary
addresses or defining a new type of temporary DUID that would be
changing over time. This is not workable in a large number of cases
as it is possible that the network operator (or other entities that
have access to the operator's network) might be actively
participating in surveillance and anti-privacy, willingly or not.
Simply revealing the desire for privacy, could cause the attacker to
react by triggering additional surveillance or monitoring mechanisms.
Therefore we feel that it is preferable to not disclose one's desire
for privacy. This preference leads to some important implications.
In particular, we make an effort to make the mitigation techniques
difficult to distinguish from regular client behaviors, if at all
possible.
3.2. Use randomized DUIDs
One of the primary privacy concerns is that a client is disclosing a
stable identifier (the DUID) that can be use for tracking and
profiling. The most common way of disclosing client's MAC/hardware
address in DHCPv6 is to use DUID type LLT (link-layer with time) or
LL (link-layer). Another DUID of type UUID is also bad in this
regard, as its the UUID may contain additional information about the
device it is tied to.
Discussion: As stated in Section 3.1, the desire for privacy should
not be explicitly advertised. Therefore a new DUID type is not
recommended here.
PROPOSAL: The clients that want to protect their privacy SHOULD
generate a new randomized DUID-LLT every time they attach to a new
link or detect a possible link change event. The exact details are
left up to implementors, but there are several factors should be
taken into consideration. The DUID type SHOULD be set to 1 (DUID-
LLT). Hardware type SHOULD be set appropriately to the hardware
type. Time MAY be set to current time, but this will reveal the fact
that the DUID is newly generated. Implementors interested in hiding
Mrugalski & Krishnan Expires September 10, 2015 [Page 3]
Internet-Draft DHCPv6 Privacy Concerns Mitigation March 2015
this fact MAY use a time stamp from the past. e.g. a random timestamp
from the previous year could be a good value. In the most common
cases the link-layer address is based on MAC. The first three octets
are composed of the OUI (Organizationally Unique Identifier) that is
expected to have a value assigned to a real organization. See
[IEEE-OUI] for currently assigned values. Using a value that is
unassigned may disclose the fact that a DUID is randomized. Using a
value that belongs to a third party may have legal implications.
3.3. Do not send Confirm messages
The [RFC3315] requires clients to send a Confirm message when they
attach to a new link to verify whether the addressing and
configuration information they previously received is still valid.
When these clients send Confirm messages, they include any IAs
assigned to the interface that may have moved to a new link, along
with the addresses associated with those IAs. By examining the
addresses in the Confirm message an attacker can trivially identify
the previous point(s) of attachment.
PROPOSAL: Clients interested in protecting their privacy SHOULD NOT
send Confirm messages and instead directly try to acquire addresses
on the new link.
3.4. Obtain temporary addresses
[RFC3315] defines a special container (IA_TA) for requesting
temporary addresses. This is a good mechanism in principle, but
there are a number of issues associated with it. First, this is not
widely used feature, so clients depending solely on temporary
addresses may lock themselves out of service. Secondly, [RFC3315]
does not specify any renewal mechanisms for temporary addresses.
Therefore support for renewing temporary addresses may vary between
server implementations, including not being supported at all.
Finally, by requesting temporary addresses a client reveals its
desire for privacy and potentially risks countermeasures as described
in Section 3.1.
Mrugalski & Krishnan Expires September 10, 2015 [Page 4]
Internet-Draft DHCPv6 Privacy Concerns Mitigation March 2015
PROPOSAL: Clients interested in their privacy SHOULD not use IA_TA.
They should simply send an IA_NA with a randomized IAID. This, along
with the mitigation technique discussed in Section 3.2, will ensure
that a client will get a new address that can be renewed and can be
used as long as needed. To get a new address, it can send Request
message with a new randomized IAID before releasing the other one.
This will cause the server to assign a new address, as it still has a
valid lease for the old IAID value. Once a new address is assigned,
the address obtained using the older IAID value can be released
safely, using the Release message or it may simply be allowed to time
out.
This proposal may not work if the server enforces specific policies,
e.g. only one address per client. If client does not succeed in
receiving a second address using a new IAID, it may release the first
one (using an old IAID) and then retry asking for a new address.
From the Operating System perspective, addresses obtained using this
technique SHOULD be treated as temporary as specified in [RFC4941].
3.5. Do not request the FQDN Option
A typical client uses FQDN option, defined in [RFC4704] to negotiate
with a server the DNS entries that should be updated. In the
process, the client typically reveals its hostname and possibly its
home domain. Server, depending on configured policies, may accept or
override the name with network specific information.
PROPOSAL: Clients SHOULD avoid disclosing their hostnames, as the
hostnames may contain personally identifying information (e.g.
"Tomek's laptop"). Even if the hostname does not contain personally
identifying information, it can still be used as a stable identifier
for tracking. Therefore a client SHOULD not send FQDN option at all.
This ensures that the host does not expose a stable identifier, but
also implies that the host will not have a resolvable DNS name.
Should DNS name be useful, a client SHOULD send a randomly generated
hostname, consisting of a single label. The server is expected to
append the domain name and return FQDN to the client. Client can
then use this FQDN as its temporary hostname that will be discarded
once its location changes or the client chooses to assume a new
identity.
3.6. Randomize ordering of Options in messages and in the ORO
A DHCPv6 client may reveal other types of information, besides unique
identifiers. There are many ways a DHCPv6 client can perform certain
actions and the specifics can be used to fingerprint the client.
This may not reveal the identity of a client, but may provide
Mrugalski & Krishnan Expires September 10, 2015 [Page 5]
Internet-Draft DHCPv6 Privacy Concerns Mitigation March 2015
additional information, such as the device type, vendor type or OS
type and in some cases specific version.
One specific method used for fingerprinting utilizes the order in
which options are included in the message. Another related technique
utilizes the order in which option codes are included in an ORO
(Option Request Option).
PROPOSAL: The client willing to protect its privacy SHOULD randomize
options order before sending any DHCPv6 message. Such a client
SHOULD also randomly shuffle the option codes order in ORO.
3.7. Anonymous Information-Request
According to [RFC3315], a DHCPv6 client typically includes its client
identifier in most of the messages it sends. There is one exception,
however. Client is allowed to omit its client identifier when
sending Information-Request.
PROPOSAL: When using stateless DHCPv6, clients wanting to protect
their privacy SHOULD not include client identifiers in their
Information-Request messages. This will prevent the server from
specifying client-specific options if it is configured to do so, but
the need for anonymity precludes such options anyway.
4. Server Mitigation Techniques
TODO: - don't send GEOLOCATION options to anyone who asks (preferably
don't sent that option at all); - if running on mobile device,
possibly change its server-id when its link flips; - don't send FQDN
options if you don't intend to do actual DNS Updates; -
5. Security Considerations
The use of randomized DUIDs and IAIDs allows malicious clients to
exhaust address and prefix pools on DHCPv6 servers by simply
requesting more and more addresses/prefixes. This attack is
certainly possible already in today's networks, but this document
provides a *legitimate* use case for random DUIDs and IAIDs making
countermeasures more difficult. In addition to exhausting configured
address and prefix pools, these clients may also cause increased
state (and hence resource utilization) on the DHCPv6 servers.
Mrugalski & Krishnan Expires September 10, 2015 [Page 6]
Internet-Draft DHCPv6 Privacy Concerns Mitigation March 2015
6. Privacy Considerations
This document at its entirety discusses privacy considerations in
DHCPv6. As such, no separate section about this is needed.
7. IANA Considerations
This draft does not request any IANA action.
8. Acknowledgements
The authors would like to thanks the valuable comments made by
Stephen Farrell, Ted Lemon, Ines Robles, Russ White, Christian
Schaefer and other members of DHC WG.
This document was produced using the xml2rfc tool [RFC2629].
9. References
9.1. Normative References
[I-D.ietf-dhc-dhcpv6-privacy]
Krishnan, S., Mrugalski, T., and S. Jiang, "Privacy
considerations for DHCPv6", draft-ietf-dhc-
dhcpv6-privacy-00 (work in progress), February 2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
9.2. Informative References
[I-D.ietf-6man-ipv6-address-generation-privacy]
Cooper, A., Gont, F., and D. Thaler, "Privacy
Considerations for IPv6 Address Generation Mechanisms",
draft-ietf-6man-ipv6-address-generation-privacy-03 (work
in progress), January 2015.
[IEEE-OUI]
IEEE, "Organizationally Unique Identifiers
http://www.ieee.org/netstorage/standards/oui.txt", .
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999.
Mrugalski & Krishnan Expires September 10, 2015 [Page 7]
Internet-Draft DHCPv6 Privacy Concerns Mitigation March 2015
[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
Host Configuration Protocol (DHCP) version 6", RFC 3633,
December 2003.
[RFC4580] Volz, B., "Dynamic Host Configuration Protocol for IPv6
(DHCPv6) Relay Agent Subscriber-ID Option", RFC 4580, June
2006.
[RFC4649] Volz, B., "Dynamic Host Configuration Protocol for IPv6
(DHCPv6) Relay Agent Remote-ID Option", RFC 4649, August
2006.
[RFC4704] Volz, B., "The Dynamic Host Configuration Protocol for
IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN)
Option", RFC 4704, October 2006.
[RFC4776] Schulzrinne, H., "Dynamic Host Configuration Protocol
(DHCPv4 and DHCPv6) Option for Civic Addresses
Configuration Information", RFC 4776, November 2006.
[RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy
Extensions for Stateless Address Autoconfiguration in
IPv6", RFC 4941, September 2007.
[RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng,
"DHCPv6 Leasequery", RFC 5007, September 2007.
[RFC5460] Stapp, M., "DHCPv6 Bulk Leasequery", RFC 5460, February
2009.
[RFC5970] Huth, T., Freimann, J., Zimmer, V., and D. Thaler, "DHCPv6
Options for Network Boot", RFC 5970, September 2010.
[RFC6225] Polk, J., Linsner, M., Thomson, M., and B. Aboba, "Dynamic
Host Configuration Protocol Options for Coordinate-Based
Location Configuration Information", RFC 6225, July 2011.
[RFC6355] Narten, T. and J. Johnson, "Definition of the UUID-Based
DHCPv6 Unique Identifier (DUID-UUID)", RFC 6355, August
2011.
[RFC6939] Halwasia, G., Bhandari, S., and W. Dec, "Client Link-Layer
Address Option in DHCPv6", RFC 6939, May 2013.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July
2013.
Mrugalski & Krishnan Expires September 10, 2015 [Page 8]
Internet-Draft DHCPv6 Privacy Concerns Mitigation March 2015
Authors' Addresses
Tomek Mrugalski
Internet Systems Consortium, Inc.
950 Charter Street
Redwood City, CA 94063
USA
Email: tomasz.mrugalski@gmail.com
Suresh Krishnan
Ericsson
8400 Decarie Blvd.
Town of Mount Royal, QC
Canada
Phone: +1 514 345 7900 x42871
Email: suresh.krishnan@ericsson.com
Mrugalski & Krishnan Expires September 10, 2015 [Page 9]