[prev in list] [next in list] [prev in thread] [next in thread]
List: ipng
Subject: Re: Feedback on draft-gont-6man-stable-privacy-addresses-01
From: Tina TSOU <Tina.Tsou.Zouting () huawei ! com>
Date: 2012-04-15 20:55:49
Message-ID: 92C76338-38FC-40FE-9CDB-6C4365B67A2F () huawei ! com
[Download RAW message or body]
This function results in addresses that:
1. R stable within the same subnet
2. Have different Interface-IDs when moving across networks
Sent from my iPad
On Apr 15, 2012, at 7:30 AM, "Fernando Gont" <fgont@si6networks.com<mailto:=
fgont@si6networks.com>> wrote:
Hi, Fred,
On 04/15/2012 05:54 AM, Fred Baker wrote:
That said, a more general question would be: should we include the
(numeric) interface index rather than e.g. a hardware-specific
I-D?
Hmmm. I would tend to think that's a small positive integer, which
isn't all that unique.
Exactly.
Are you thinking of something different than I am?
I don't think so.
If you concern is security, bear in mind that the security of the
mechanism relies on the cryptographic strength of F(), and the
secret_key (and not on the "data" that is hashed. -- That said, the
current I-D recommends to include the machine's serial number in the
hash (as recommended by Steve Bellovin) as part of the data to be hashed
(and this value is expected to be unknown at least to a remote attacker).
If your concern is that two hosts might end up computing the same IID,
then note that the recommendation is for the secret_key to be set to a
random value, *and* as noted in the previous paragraph, we also
recommend to include the machine's serial number as part of the data to
be hashed (and this number is expected to vary from one node to another).
This approach would lead to addresses that do not vary if you change the
NIC (as we'd not be using the MAC address), and one might argue that is
even more 2general" since, as you correctly noted, not all interfaced
have IEEE addresses.
IN any case, this is just an idea. I personally think that would be
really cool. But I'd like you and others to comment.
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com<mailto:fgont@si6networks.com>
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org<mailto:ipv6@ietf.org>
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
[Attachment #3 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body bgcolor="#FFFFFF">
<div>
<div class="page" title="Page 15">
<div class="layoutArea">
<div class="column">
<p><span class="Apple-style-span" style="-webkit-tap-highlight-color: rgba(26, 26, \
26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); \
-webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); ">This function \
results in addresses that:</span><br>
</p>
</div>
</div>
</div>
<div>1. R stable within the same subnet</div>
<div>2. Have different Interface-IDs when moving across networks</div>
<div><br>
</div>
Sent from my iPad</div>
<div><br>
On Apr 15, 2012, at 7:30 AM, "Fernando Gont" <<a \
href="mailto:fgont@si6networks.com">fgont@si6networks.com</a>> wrote:<br> <br>
</div>
<div></div>
<blockquote type="cite">
<div><span>Hi, Fred,</span><br>
<span></span><br>
<span>On 04/15/2012 05:54 AM, Fred Baker wrote:</span><br>
<blockquote type="cite">
<blockquote type="cite"><span>That said, a more general question would be: should we \
include the</span><br> </blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>(numeric) interface index rather than e.g. a \
hardware-specific</span><br> </blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>I-D?</span><br>
</blockquote>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>Hmmm. I would tend to think that's a small positive \
integer, which</span><br> </blockquote>
<blockquote type="cite"><span>isn't all that unique. </span><br>
</blockquote>
<span></span><br>
<span>Exactly.</span><br>
<span></span><br>
<span></span><br>
<blockquote type="cite"><span>Are you thinking of something different than I \
am?</span><br> </blockquote>
<span></span><br>
<span>I don't think so.</span><br>
<span></span><br>
<span>If you concern is security, bear in mind that the security of the</span><br>
<span>mechanism relies on the cryptographic strength of F(), and the</span><br>
<span>secret_key (and not on the "data" that is hashed. -- That said, \
the</span><br> <span>current I-D recommends to include the machine's serial number in \
the</span><br> <span>hash (as recommended by Steve Bellovin) as part of the data to \
be hashed</span><br> <span>(and this value is expected to be unknown at least to a \
remote attacker).</span><br> <span></span><br>
<span>If your concern is that two hosts might end up computing the same \
IID,</span><br> <span>then note that the recommendation is for the secret_key to be \
set to a</span><br> <span>random value, *and* as noted in the previous paragraph, we \
also</span><br> <span>recommend to include the machine's serial number as part of the \
data to</span><br> <span>be hashed (and this number is expected to vary from one node \
to another).</span><br> <span></span><br>
<span>This approach would lead to addresses that do not vary if you change \
the</span><br> <span>NIC (as we'd not be using the MAC address), and one might argue \
that is</span><br> <span>even more 2general" since, as you correctly noted, not \
all interfaced</span><br> <span>have IEEE addresses.</span><br>
<span></span><br>
<span>IN any case, this is just an idea. I personally think that would be</span><br>
<span>really cool. But I'd like you and others to comment.</span><br>
<span></span><br>
<span>Thanks!</span><br>
<span></span><br>
<span>Best regards,</span><br>
<span>-- </span><br>
<span>Fernando Gont</span><br>
<span>SI6 Networks</span><br>
<span>e-mail: <a href="mailto:fgont@si6networks.com">fgont@si6networks.com</a></span><br>
<span>PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492</span><br>
<span></span><br>
<span></span><br>
<span></span><br>
<span>--------------------------------------------------------------------</span><br>
<span>IETF IPv6 working group mailing list</span><br>
<span><a href="mailto:ipv6@ietf.org">ipv6@ietf.org</a></span><br>
<span>Administrative Requests: <a href="https://www.ietf.org/mailman/listinfo/ipv6">
https://www.ietf.org/mailman/listinfo/ipv6</a></span><br>
<span>--------------------------------------------------------------------</span><br>
</div>
</blockquote>
</body>
</html>
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
--===============5456387580940298933==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic