| draft-ietf-6man-stable-privacy-addresses-08.txt | draft-ietf-6man-stable-privacy-addresses-09.txt | |||
|---|---|---|---|---|
| IPv6 maintenance Working Group (6man) F. Gont | IPv6 maintenance Working Group (6man) F. Gont | |||
| Internet-Draft SI6 Networks / UTN-FRH | Internet-Draft SI6 Networks / UTN-FRH | |||
| Intended status: Standards Track May 24, 2013 | Intended status: Standards Track June 3, 2013 | |||
| Expires: November 25, 2013 | Expires: December 5, 2013 | |||
| A method for Generating Stable Privacy-Enhanced Addresses with IPv6 | A method for Generating Stable Privacy-Enhanced Addresses with IPv6 | |||
| Stateless Address Autoconfiguration (SLAAC) | Stateless Address Autoconfiguration (SLAAC) | |||
| draft-ietf-6man-stable-privacy-addresses-08 | draft-ietf-6man-stable-privacy-addresses-09 | |||
| Abstract | Abstract | |||
| This document specifies a method for generating IPv6 Interface | This document specifies a method for generating IPv6 Interface | |||
| Identifiers to be used with IPv6 Stateless Address Autoconfiguration | Identifiers to be used with IPv6 Stateless Address Autoconfiguration | |||
| (SLAAC), such that addresses configured using this method are stable | (SLAAC), such that addresses configured using this method are stable | |||
| within each subnet, but the Interface Identifier changes when hosts | within each subnet, but the Interface Identifier changes when hosts | |||
| move from one network to another. This method is meant to be an | move from one network to another. This method is meant to be an | |||
| alternative to generating Interface Identifiers based on hardware | alternative to generating Interface Identifiers based on hardware | |||
| address (e.g., using IEEE identifiers), such that the benefits of | address (e.g., using IEEE identifiers), such that the benefits of | |||
| skipping to change at page 1, line 41 | skipping to change at page 1, line 41 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 25, 2013. | This Internet-Draft will expire on December 5, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Design goals . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2. Design goals . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3. Algorithm specification . . . . . . . . . . . . . . . . . . . 7 | 3. Algorithm specification . . . . . . . . . . . . . . . . . . . 8 | |||
| 4. Resolving Duplicate Address Detection (DAD) conflicts . . . . 12 | 4. Resolving Duplicate Address Detection (DAD) conflicts . . . . 13 | |||
| 5. Specified Constants . . . . . . . . . . . . . . . . . . . . . 13 | 5. Specified Constants . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 18 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 19 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 18 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 20 | |||
| Appendix A. Possible sources for the Net_Iface parameter . . . . 21 | Appendix A. Possible sources for the Net_Iface parameter . . . . 22 | |||
| A.1. Interface Index . . . . . . . . . . . . . . . . . . . . . 21 | A.1. Interface Index . . . . . . . . . . . . . . . . . . . . . 22 | |||
| A.2. Interface Name . . . . . . . . . . . . . . . . . . . . . . 21 | A.2. Interface Name . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| A.3. Link-layer Addresses . . . . . . . . . . . . . . . . . . . 21 | A.3. Link-layer Addresses . . . . . . . . . . . . . . . . . . . 22 | |||
| A.4. Logical Network Service Identity . . . . . . . . . . . . . 22 | A.4. Logical Network Service Identity . . . . . . . . . . . . . 23 | |||
| Appendix B. Privacy issues still present when temporary | Appendix B. Security/privacy issues with traditional SLAAC | |||
| addresses are employed . . . . . . . . . . . . . . . 23 | addresses . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| B.1. Host tracking . . . . . . . . . . . . . . . . . . . . . . 23 | B.1. Correlation of node activities within the same network . . 24 | |||
| B.1.1. Tracking hosts across networks #1 . . . . . . . . . . 23 | B.2. Correlation of node activities across networks . . . . . . 24 | |||
| B.1.2. Tracking hosts across networks #2 . . . . . . . . . . 24 | B.3. Host-tracking attacks . . . . . . . . . . . . . . . . . . 24 | |||
| B.1.3. Revealing the identity of devices performing | B.4. Address-scanning attacks . . . . . . . . . . . . . . . . . 25 | |||
| server-like functions . . . . . . . . . . . . . . . . 24 | B.5. Exploitation of device-specific information . . . . . . . 25 | |||
| B.2. Address-scanning attacks . . . . . . . . . . . . . . . . . 24 | Appendix C. Privacy issues still present when temporary | |||
| B.3. Information Leakage . . . . . . . . . . . . . . . . . . . 25 | addresses are employed . . . . . . . . . . . . . . . 26 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 26 | C.1. Host tracking . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| C.1.1. Tracking hosts across networks #1 . . . . . . . . . . 26 | ||||
| C.1.2. Tracking hosts across networks #2 . . . . . . . . . . 27 | ||||
| C.1.3. Revealing the identity of devices performing | ||||
| server-like functions . . . . . . . . . . . . . . . . 27 | ||||
| C.2. Address-scanning attacks . . . . . . . . . . . . . . . . . 27 | ||||
| C.3. Information Leakage . . . . . . . . . . . . . . . . . . . 28 | ||||
| C.4. Correlation of node activities within a network . . . . . 28 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 29 | ||||
| 1. Introduction | 1. Introduction | |||
| [RFC4862] specifies Stateless Address Autoconfiguration (SLAAC) for | [RFC4862] specifies Stateless Address Autoconfiguration (SLAAC) for | |||
| IPv6 [RFC2460], which typically results in hosts configuring one or | IPv6 [RFC2460], which typically results in hosts configuring one or | |||
| more "stable" addresses composed of a network prefix advertised by a | more "stable" addresses composed of a network prefix advertised by a | |||
| local router, and an Interface Identifier (IID) that typically embeds | local router, and an Interface Identifier (IID) that typically embeds | |||
| a hardware address (e.g., using IEEE identifiers) [RFC4291]. | a hardware address (e.g., using IEEE identifiers) [RFC4291]. | |||
| Cryptographically Generated Addresses (CGAs) [RFC3972] are yet | Cryptographically Generated Addresses (CGAs) [RFC3972] are yet | |||
| skipping to change at page 3, line 42 | skipping to change at page 3, line 42 | |||
| o since embedding the underlying link-layer address in the Interface | o since embedding the underlying link-layer address in the Interface | |||
| Identifier will result in specific address patterns, such patterns | Identifier will result in specific address patterns, such patterns | |||
| may be leveraged by attackers to reduce the search space when | may be leveraged by attackers to reduce the search space when | |||
| performing address scanning attacks. For example, the IPv6 | performing address scanning attacks. For example, the IPv6 | |||
| addresses of all nodes manufactured by the same vendor (at a given | addresses of all nodes manufactured by the same vendor (at a given | |||
| time frame) will likely contain the same IEEE Organizationally | time frame) will likely contain the same IEEE Organizationally | |||
| Unique Identifier (OUI) in the Interface Identifier. | Unique Identifier (OUI) in the Interface Identifier. | |||
| o embedding the underlying link-layer address in the Interface | o embedding the underlying link-layer address in the Interface | |||
| Identifier leaks device-specific information that could be | ||||
| leveraged to launch device-specific attacks. | ||||
| o embedding the underlying link-layer address in the Interface | ||||
| Identifier means that replacement of the underlying interface | Identifier means that replacement of the underlying interface | |||
| hardware will result in a change of the IPv6 address(es) assigned | hardware will result in a change of the IPv6 address(es) assigned | |||
| to that interface. | to that interface. | |||
| Appendix B provides additional details regarding how these | ||||
| vulnerabilities could be exploited, and the extent to which the | ||||
| method discussed in this document mitigates them. | ||||
| The "Privacy Extensions for Stateless Address Autoconfiguration in | The "Privacy Extensions for Stateless Address Autoconfiguration in | |||
| IPv6" [RFC4941] (henceforth referred to as "temporary addresses") | IPv6" [RFC4941] (henceforth referred to as "temporary addresses") | |||
| were introduced to complicate the task of eavesdroppers and other | were introduced to complicate the task of eavesdroppers and other | |||
| information collectors to correlate the activities of a node, and | information collectors (e.g. IPv6 addresses in web server logs or | |||
| email headers, etc.) to correlate the activities of a node, and | ||||
| basically result in temporary (and random) Interface Identifiers. | basically result in temporary (and random) Interface Identifiers. | |||
| These temporary addresses are generated in addition to the | These temporary addresses are generated in addition to the | |||
| traditional IPv6 addresses based on IEEE identifiers, with the | traditional IPv6 addresses based on IEEE identifiers, with the | |||
| "temporary addresses" being employed for "outgoing communications", | "temporary addresses" being employed for "outgoing communications", | |||
| and the traditional SLAAC addresses being employed for "server" | and the traditional SLAAC addresses being employed for "server" | |||
| functions (i.e., receiving incoming connections). | functions (i.e., receiving incoming connections). | |||
| It should be noted that temporary addresses can be challenging in | ||||
| a number of areas. For example, from a network-management point | ||||
| of view, they tend to increase the complexity of event logging, | ||||
| trouble-shooting, enforcement of access controls and quality of | ||||
| service, etc. As a result, some organizations disable the use of | ||||
| temporary addresses even at the expense of reduced privacy | ||||
| [Broersma]. Temporary addresses may also result in increased | ||||
| implementation complexity, which might not be possible or | ||||
| desirable in some implementations (e.g., some embedded devices). | ||||
| In scenarios in which temporary addresses are deliberately not | ||||
| used (possibly for any of the aforementioned reasons), all a host | ||||
| is left with is the stable addresses that have been generated | ||||
| using e.g. IEEE identifiers. In such scenarios, it may still be | ||||
| desirable to have addresses that mitigate address scanning | ||||
| attacks, and that at the very least do not reveal the node's | ||||
| identity when roaming from one network to another -- without | ||||
| complicating the operation of the corresponding networks. | ||||
| However, even with "temporary addresses" in place, a number of issues | However, even with "temporary addresses" in place, a number of issues | |||
| remain to be mitigated. Namely, | remain to be mitigated. Namely, | |||
| o since "temporary addresses" [RFC4941] do not eliminate the use of | o since "temporary addresses" [RFC4941] do not eliminate the use of | |||
| fixed identifiers for server-like functions, they only partially | fixed identifiers for server-like functions, they only partially | |||
| mitigate host-tracking and activity correlation across networks | mitigate host-tracking and activity correlation across networks | |||
| (see Appendix B.1 for some example attacks that are still possible | (see Appendix C.1 for some example attacks that are still possible | |||
| with temporary addresses). | with temporary addresses). | |||
| o since "temporary addresses" [RFC4941] do not replace the | o since "temporary addresses" [RFC4941] do not replace the | |||
| traditional SLAAC addresses, an attacker can still leverage | traditional SLAAC addresses, an attacker can still leverage | |||
| patterns in those addresses to greatly reduce the search space for | patterns in those addresses to greatly reduce the search space for | |||
| "alive" nodes [Gont-DEEPSEC2011] [CPNI-IPv6] | "alive" nodes [Gont-DEEPSEC2011] [CPNI-IPv6] | |||
| [I-D.ietf-opsec-ipv6-host-scanning]. | [I-D.ietf-opsec-ipv6-host-scanning]. | |||
| Hence, there is a motivation to improve the properties of "stable" | Hence, there is a motivation to improve the properties of "stable" | |||
| addresses regardless of whether temporary addresses are employed or | addresses regardless of whether temporary addresses are employed or | |||
| not. | not. | |||
| Additionally, it should be noted that temporary addresses can be | We note that attackers can employ a plethora of probing techniques | |||
| challenging in a number of areas. For example, from a network- | [I-D.ietf-opsec-ipv6-host-scanning] to exploit the aforementioned | |||
| management point of view, they tend to increase the complexity of | issues. Some of them (such as the use of ICMPv6 Echo Request and | |||
| event logging, trouble-shooting, enforcement of access controls and | ICMPv6 Echo Response packets) could mitigated by a personal firewall | |||
| quality of service, etc. As a result, some organizations disable the | at the target host. For other vectors, such listening to ICMPv6 | |||
| use of temporary addresses even at the expense of reduced privacy | "Destination Unreachable, Address Unreachable" (Type 1, Code 3) error | |||
| [Broersma]. Temporary addresses may also result in increased | messages referring to the target addresses | |||
| implementation complexity, which might not be possible or desirable | [I-D.ietf-opsec-ipv6-host-scanning], there is nothing a host can do | |||
| in some implementations (e.g., some embedded devices). | (e.g., a personal firewall at the target host would not be able to | |||
| mitigate this probing technique). | ||||
| In scenarios in which temporary addresses are deliberately not used | ||||
| (possibly for any of the aforementioned reasons), all a host is left | ||||
| with is the stable addresses that have been generated using e.g. | ||||
| IEEE identifiers. In such scenarios, it may still be desirable to | ||||
| have addresses that mitigate address scanning attacks, and that at | ||||
| the very least do not reveal the node's identity when roaming from | ||||
| one network to another -- without complicating the operation of the | ||||
| corresponding networks. | ||||
| We note that even with temporary addresses [RFC4941] in place, | ||||
| preventing correlation of activities of a node within a network | ||||
| may be difficult (if at all possible) to achieve. As a trivial | ||||
| example, consider a scenario where there is a single node (or a | ||||
| reduced number of nodes) connected to a specific network. An | ||||
| attacker could detect new addresses in use at that network, an | ||||
| infer which addresses are being employed by which hosts. This | ||||
| task is made particularly easier by the fact that use of | ||||
| "temporary addresses" can be easily inferred (since the follow | ||||
| different patterns from that of traditional SLAAC addresses), and | ||||
| since they are re-generated periodically (i.e., after a specific | ||||
| amount of time has elapsed). | ||||
| This document specifies a method to generate Interface Identifiers | This document specifies a method to generate Interface Identifiers | |||
| that are stable/constant for each network interface within each | that are stable/constant for each network interface within each | |||
| subnet, but that change as hosts move from one network to another, | subnet, but that change as hosts move from one network to another, | |||
| thus keeping the "stability" properties of the Interface Identifiers | thus keeping the "stability" properties of the Interface Identifiers | |||
| specified in [RFC4291], while still mitigating address-scanning | specified in [RFC4291], while still mitigating address-scanning | |||
| attacks and preventing correlation of the activities of a node as it | attacks and preventing correlation of the activities of a node as it | |||
| moves from one network to another. | moves from one network to another. | |||
| The method specified in this document is a orthogonal to the use of | The method specified in this document is a orthogonal to the use of | |||
| skipping to change at page 6, line 46 | skipping to change at page 7, line 46 | |||
| o The method specified in this document is meant to be an | o The method specified in this document is meant to be an | |||
| alternative to producing IPv6 addresses based on e.g. IEEE | alternative to producing IPv6 addresses based on e.g. IEEE | |||
| identifiers (as specified in [RFC2464]). It is meant to be | identifiers (as specified in [RFC2464]). It is meant to be | |||
| employed for all of the stable (i.e. non-temporary) IPv6 addresses | employed for all of the stable (i.e. non-temporary) IPv6 addresses | |||
| configured with SLAAC for a given interface, including global, | configured with SLAAC for a given interface, including global, | |||
| link-local, and unique-local IPv6 addresses. | link-local, and unique-local IPv6 addresses. | |||
| We note that of use of the algorithm specified in this document is | We note that of use of the algorithm specified in this document is | |||
| (to a large extent) orthogonal to the use of "temporary addresses" | (to a large extent) orthogonal to the use of "temporary addresses" | |||
| [RFC4941]. When employed along "temporary addresses", the method | [RFC4941]. When employed along with "temporary addresses", the | |||
| specified in this document will mitigate address-scanning attacks and | method specified in this document will mitigate address-scanning | |||
| correlation of node activities across networks (see Appendix B and | attacks and correlation of node activities across networks (see | |||
| [IAB-PRIVACY]). On the other hand, hosts that do not implement/use | Appendix C and [IAB-PRIVACY]). On the other hand, hosts that do not | |||
| "temporary addresses" but employ the method specified in this | implement/use "temporary addresses" but employ the method specified | |||
| document would, at the very least, mitigate the host-tracking and | in this document would, at the very least, mitigate the host-tracking | |||
| address scanning issues discussed in the previous section. | and address scanning issues discussed in the previous section. | |||
| 3. Algorithm specification | 3. Algorithm specification | |||
| IPv6 implementations conforming to this specification MUST generate | IPv6 implementations conforming to this specification MUST generate | |||
| Interface Identifiers using the algorithm specified in this section | Interface Identifiers using the algorithm specified in this section | |||
| in replacement of any other algorithms used for generating "stable" | in replacement of any other algorithms used for generating "stable" | |||
| addresses (such as that specified in [RFC2464]). However, | addresses (such as those specified in [RFC2464]). However, | |||
| implementations conforming to this specification MAY employ the | implementations conforming to this specification MAY employ the | |||
| algorithm specified in [RFC4941] to generate temporary addresses in | algorithm specified in [RFC4941] to generate temporary addresses in | |||
| addition to the addresses generated with the algorithm specified in | addition to the addresses generated with the algorithm specified in | |||
| this document. The method specified in this document MUST be | this document. The method specified in this document MUST be | |||
| employed for generating the Interface Identifiers for all the stable | employed for generating the Interface Identifiers for all the stable | |||
| addresses of a given interface, including IPv6 global, link-local, | addresses of a given interface, including IPv6 global, link-local, | |||
| and unique-local addresses. | and unique-local addresses. | |||
| This means that this document does not formally obsolete or | This means that this document does not formally obsolete or | |||
| deprecate any of the existing algorithms to generate Interface | deprecate any of the existing algorithms to generate Interface | |||
| skipping to change at page 8, line 46 | skipping to change at page 9, line 46 | |||
| secret_key: | secret_key: | |||
| A secret key that is not known by the attacker. The secret | A secret key that is not known by the attacker. The secret | |||
| key MUST be initialized at operating system installation time | key MUST be initialized at operating system installation time | |||
| to a pseudo-random number (see [RFC4086] for randomness | to a pseudo-random number (see [RFC4086] for randomness | |||
| requirements for security). An implementation MAY provide the | requirements for security). An implementation MAY provide the | |||
| means for the the system administrator to change or display | means for the the system administrator to change or display | |||
| the secret key. | the secret key. | |||
| 2. The Interface Identifier is finally obtained by taking as many | 2. The Interface Identifier is finally obtained by taking as many | |||
| bits from the RID value (computed in the previous step) as | bits from the RID value (computed in the previous step) as | |||
| necessary, starting from the rightmost bit. | necessary, starting from the least significant bit. | |||
| We note that [RFC4291] requires that, the Interface IDs of all | We note that [RFC4291] requires that, the Interface IDs of all | |||
| unicast addresses (except those that start with the binary | unicast addresses (except those that start with the binary | |||
| value 000) be 64-bit long. However, the method discussed in | value 000) be 64-bit long. However, the method discussed in | |||
| this document could be employed for generating Interface IDs | this document could be employed for generating Interface IDs | |||
| of any arbitrary length, albeit at the expense of reduced | of any arbitrary length, albeit at the expense of reduced | |||
| entropy (when employing Interface IDs smaller than 64 bits). | entropy (when employing Interface IDs smaller than 64 bits). | |||
| The resulting Interface Identifier should be compared against the | The resulting Interface Identifier should be compared against the | |||
| Subnet-Router Anycast [RFC4291] and the Reserved Subnet Anycast | Subnet-Router Anycast [RFC4291] and the Reserved Subnet Anycast | |||
| skipping to change at page 15, line 18 | skipping to change at page 16, line 18 | |||
| Identifiers to be used with IPv6 Stateless Address Autoconfiguration | Identifiers to be used with IPv6 Stateless Address Autoconfiguration | |||
| (SLAAC), as an alternative to e.g. Interface Identifiers that embed | (SLAAC), as an alternative to e.g. Interface Identifiers that embed | |||
| IEEE identifiers (such as those specified in [RFC2464]). When | IEEE identifiers (such as those specified in [RFC2464]). When | |||
| compared to such identifiers, the identifiers specified in this | compared to such identifiers, the identifiers specified in this | |||
| document have a number of advantages: | document have a number of advantages: | |||
| o They prevent trivial host-tracking, since when a host moves from | o They prevent trivial host-tracking, since when a host moves from | |||
| one network to another the network prefix used for | one network to another the network prefix used for | |||
| autoconfiguration and/or the Network ID (e.g., IEEE 802.11 SSID) | autoconfiguration and/or the Network ID (e.g., IEEE 802.11 SSID) | |||
| will typically change, and hence the resulting Interface | will typically change, and hence the resulting Interface | |||
| Identifier will also change (see Appendix B.1). | Identifier will also change (see Appendix C.1). | |||
| o They mitigate address-scanning techniques which leverage | o They mitigate address-scanning techniques which leverage | |||
| predictable Interface Identifiers (e.g., known Organizationally | predictable Interface Identifiers (e.g., known Organizationally | |||
| Unique Identifiers) [I-D.ietf-opsec-ipv6-host-scanning]. | Unique Identifiers) [I-D.ietf-opsec-ipv6-host-scanning]. | |||
| o They may result in IPv6 addresses that are independent of the | o They may result in IPv6 addresses that are independent of the | |||
| underlying hardware (i.e. the resulting IPv6 addresses do not | underlying hardware (i.e. the resulting IPv6 addresses do not | |||
| change if a network interface card is replaced) if an appropriate | change if a network interface card is replaced) if an appropriate | |||
| source for Net_Iface (Section 3) is employed. | source for Net_Iface (Section 3) is employed. | |||
| skipping to change at page 15, line 48 | skipping to change at page 16, line 48 | |||
| at the same time or at some other point in time). | at the same time or at some other point in time). | |||
| In scenarios in which an attacker can connect to the same subnet as a | In scenarios in which an attacker can connect to the same subnet as a | |||
| victim node, the attacker might be able to learn the Interface | victim node, the attacker might be able to learn the Interface | |||
| Identifier employed by the victim node for an arbitrary prefix, by | Identifier employed by the victim node for an arbitrary prefix, by | |||
| simply sending a forged Router Advertisement [RFC4861] for that | simply sending a forged Router Advertisement [RFC4861] for that | |||
| prefix, and subsequently learning the corresponding address | prefix, and subsequently learning the corresponding address | |||
| configured by the victim node (either listening to the Duplicate | configured by the victim node (either listening to the Duplicate | |||
| Address Detection packets, or to any other traffic that employs the | Address Detection packets, or to any other traffic that employs the | |||
| newly configured address). We note that a number of factors might | newly configured address). We note that a number of factors might | |||
| limit the ability of an attacker from successfully performing such | limit the ability of an attacker to successfully perform such an | |||
| attack: | attack: | |||
| o First-Hop security mechanisms such as RA-Guard [RFC6105] | o First-Hop security mechanisms such as RA-Guard [RFC6105] | |||
| [I-D.ietf-v6ops-ra-guard-implementation] could prevent the forged | [I-D.ietf-v6ops-ra-guard-implementation] could prevent the forged | |||
| Router Advertisement from reaching the victim node | Router Advertisement from reaching the victim node | |||
| o If the victim implementation includes the (optional) Network_ID | o If the victim implementation includes the (optional) Network_ID | |||
| parameter for computing F() (see Section 3), and the Network_ID | parameter for computing F() (see Section 3), and the Network_ID | |||
| employed by the victim for a remote network is unknown to the | employed by the victim for a remote network is unknown to the | |||
| attacker, the Interface Identifier learned by the attacker would | attacker, the Interface Identifier learned by the attacker would | |||
| skipping to change at page 16, line 29 | skipping to change at page 17, line 29 | |||
| Interface Identifiers such as those specified in [RFC2464], but is | Interface Identifiers such as those specified in [RFC2464], but is | |||
| not meant as an alternative to temporary Interface Identifiers (such | not meant as an alternative to temporary Interface Identifiers (such | |||
| as those specified in [RFC4941]). Clearly, temporary addresses may | as those specified in [RFC4941]). Clearly, temporary addresses may | |||
| help to mitigate the correlation of activities of a node within the | help to mitigate the correlation of activities of a node within the | |||
| same network, and may also reduce the attack exposure window (since | same network, and may also reduce the attack exposure window (since | |||
| temporary addresses are short-lived when compared to the addresses | temporary addresses are short-lived when compared to the addresses | |||
| generated with the method specified in this document). We note that | generated with the method specified in this document). We note that | |||
| implementation of this algorithm would still benefit those hosts | implementation of this algorithm would still benefit those hosts | |||
| employing "temporary addresses", since it would mitigate host- | employing "temporary addresses", since it would mitigate host- | |||
| tracking vectors still present when such addresses are used (see | tracking vectors still present when such addresses are used (see | |||
| Appendix B.1), and would also mitigate address-scanning techniques | Appendix C.1), and would also mitigate address-scanning techniques | |||
| that leverage patterns in IPv6 addresses that embed IEEE identifiers. | that leverage patterns in IPv6 addresses that embed IEEE identifiers. | |||
| Finally, we note that the method described in this document addresses | Finally, we note that the method described in this document addresses | |||
| some of the privacy concerns arising from the use of IPv6 addresses | some of the privacy concerns arising from the use of IPv6 addresses | |||
| that embed IEEE identifiers, without the use of temporary addresses, | that embed IEEE identifiers, without the use of temporary addresses, | |||
| thus possibly offering an interesting trade-off for those scenarios | thus possibly offering an interesting trade-off for those scenarios | |||
| in which the use of temporary addresses is not feasible. | in which the use of temporary addresses is not feasible. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| The algorithm specified in this document has been inspired by Steven | The algorithm specified in this document has been inspired by Steven | |||
| Bellovin's work ([RFC1948]) in the area of TCP sequence numbers. | Bellovin's work ([RFC1948]) in the area of TCP sequence numbers. | |||
| The author would like to thank (in alphabetical order) Ran Atkinson, | The author would like to thank (in alphabetical order) Ran Atkinson, | |||
| Karl Auer, Steven Bellovin, Matthias Bethke, Ben Campbell, Brian | Karl Auer, Steven Bellovin, Matthias Bethke, Ben Campbell, Brian | |||
| Carpenter, Tassos Chatzithomaoglou, Tim Chown, Alissa Cooper, Dominik | Carpenter, Tassos Chatzithomaoglou, Tim Chown, Alissa Cooper, Dominik | |||
| Elsbroek, Brian Haberman, Bob Hinden, Christian Huitema, Ray Hunter, | Elsbroek, Brian Haberman, Bob Hinden, Christian Huitema, Ray Hunter, | |||
| Jouni Korhonen, Eliot Lear, Jong-Hyouk Lee, Andrew McGregor, Tom | Jouni Korhonen, Eliot Lear, Jong-Hyouk Lee, Andrew McGregor, Tom | |||
| Petch, Michael Richardson, Mark Smith, Ole Troan, James Woodyatt, and | Petch, Michael Richardson, Mark Smith, Dave Thaler, Ole Troan, James | |||
| He Xuan, for providing valuable comments on earlier versions of this | Woodyatt, and He Xuan, for providing valuable comments on earlier | |||
| document. | versions of this document. | |||
| This document is based on the technical report "Security Assessment | This document is based on the technical report "Security Assessment | |||
| of the Internet Protocol version 6 (IPv6)" [CPNI-IPv6] authored by | of the Internet Protocol version 6 (IPv6)" [CPNI-IPv6] authored by | |||
| Fernando Gont on behalf of the UK Centre for the Protection of | Fernando Gont on behalf of the UK Centre for the Protection of | |||
| National Infrastructure (CPNI). | National Infrastructure (CPNI). | |||
| Fernando Gont would like to thank CPNI (http://www.cpni.gov.uk) for | Fernando Gont would like to thank CPNI (http://www.cpni.gov.uk) for | |||
| their continued support. | their continued support. | |||
| 9. References | 9. References | |||
| skipping to change at page 18, line 18 | skipping to change at page 19, line 18 | |||
| [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", RFC 2460, December 1998. | (IPv6) Specification", RFC 2460, December 1998. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2526] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast | [RFC2526] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast | |||
| Addresses", RFC 2526, March 1999. | Addresses", RFC 2526, March 1999. | |||
| [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. | ||||
| Stevens, "Basic Socket Interface Extensions for IPv6", | ||||
| RFC 3493, February 2003. | ||||
| [RFC3542] Stevens, W., Thomas, M., Nordmark, E., and T. Jinmei, | ||||
| "Advanced Sockets Application Program Interface (API) for | ||||
| IPv6", RFC 3542, May 2003. | ||||
| [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure | [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure | |||
| Neighbor Discovery (SEND)", RFC 3971, March 2005. | Neighbor Discovery (SEND)", RFC 3971, March 2005. | |||
| [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", | [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", | |||
| RFC 3972, March 2005. | RFC 3972, March 2005. | |||
| [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness | [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness | |||
| Requirements for Security", BCP 106, RFC 4086, June 2005. | Requirements for Security", BCP 106, RFC 4086, June 2005. | |||
| [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally | ||||
| Unique IDentifier (UUID) URN Namespace", RFC 4122, | ||||
| July 2005. | ||||
| [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing | [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing | |||
| Architecture", RFC 4291, February 2006. | Architecture", RFC 4291, February 2006. | |||
| [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | |||
| "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | |||
| September 2007. | September 2007. | |||
| [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless | [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless | |||
| Address Autoconfiguration", RFC 4862, September 2007. | Address Autoconfiguration", RFC 4862, September 2007. | |||
| skipping to change at page 19, line 5 | skipping to change at page 20, line 17 | |||
| February 2011. | February 2011. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [RFC1948] Bellovin, S., "Defending Against Sequence Number Attacks", | [RFC1948] Bellovin, S., "Defending Against Sequence Number Attacks", | |||
| RFC 1948, May 1996. | RFC 1948, May 1996. | |||
| [RFC2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet | [RFC2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet | |||
| Networks", RFC 2464, December 1998. | Networks", RFC 2464, December 1998. | |||
| [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. | ||||
| Stevens, "Basic Socket Interface Extensions for IPv6", | ||||
| RFC 3493, February 2003. | ||||
| [RFC3542] Stevens, W., Thomas, M., Nordmark, E., and T. Jinmei, | ||||
| "Advanced Sockets Application Program Interface (API) for | ||||
| IPv6", RFC 3542, May 2003. | ||||
| [I-D.ietf-opsec-ipv6-host-scanning] | [I-D.ietf-opsec-ipv6-host-scanning] | |||
| Gont, F. and T. Chown, "Network Reconnaissance in IPv6 | Gont, F. and T. Chown, "Network Reconnaissance in IPv6 | |||
| Networks", draft-ietf-opsec-ipv6-host-scanning-01 (work in | Networks", draft-ietf-opsec-ipv6-host-scanning-01 (work in | |||
| progress), April 2013. | progress), April 2013. | |||
| [I-D.ietf-v6ops-ra-guard-implementation] | [I-D.ietf-v6ops-ra-guard-implementation] | |||
| Gont, F., "Implementation Advice for IPv6 Router | Gont, F., "Implementation Advice for IPv6 Router | |||
| Advertisement Guard (RA-Guard)", | Advertisement Guard (RA-Guard)", | |||
| draft-ietf-v6ops-ra-guard-implementation-07 (work in | draft-ietf-v6ops-ra-guard-implementation-07 (work in | |||
| progress), November 2012. | progress), November 2012. | |||
| skipping to change at page 22, line 15 | skipping to change at page 23, line 15 | |||
| might want to employ the link-layer address of the interface for the | might want to employ the link-layer address of the interface for the | |||
| Net_Iface parameter, albeit at the expense of making the | Net_Iface parameter, albeit at the expense of making the | |||
| corresponding IPv6 addresses dependent on the underlying network | corresponding IPv6 addresses dependent on the underlying network | |||
| interface card (i.e., the corresponding IPv6 address would typically | interface card (i.e., the corresponding IPv6 address would typically | |||
| change upon replacement of the underlying network interface card). | change upon replacement of the underlying network interface card). | |||
| A.4. Logical Network Service Identity | A.4. Logical Network Service Identity | |||
| Host operating systems with a conception of logical network service | Host operating systems with a conception of logical network service | |||
| identity, distinct from network interface identity or index, may keep | identity, distinct from network interface identity or index, may keep | |||
| a Universally Unique Identifier (UUID) or similar number with the | a Universally Unique Identifier (UUID) [RFC4122] or similar | |||
| stability properties appropriate for use as the Net_Iface parameter. | identifier with the stability properties appropriate for use as the | |||
| Net_Iface parameter. | ||||
| Appendix B. Privacy issues still present when temporary addresses are | Appendix B. Security/privacy issues with traditional SLAAC addresses | |||
| This section provides additional details regarding security/privacy | ||||
| issues arising from traditional SLAAC addresses- Namely, it provides | ||||
| additional details regarding how those issues could be exploited, and | ||||
| the extent to which the method specified in this document mitigates | ||||
| such issues. | ||||
| B.1. Correlation of node activities within the same network | ||||
| Since traditional SLAAC addresses employ Interface Identifiers that | ||||
| are constant within the same network, such identifiers can be | ||||
| leveraged to correlate the activities of a node within the same | ||||
| network. One sample scenario is that in which a client repeatedly | ||||
| connects to a server over a period of time, and hence, based on the | ||||
| stable Interface Identifier, the server can correlate all | ||||
| communication instances as being initiated by the same node. | ||||
| The method specified in this document does not mitigate this attack | ||||
| vector, since it produces Interface Identifiers that are constant | ||||
| within a given network. | ||||
| This attack vector could only be mitigated by employing "temporary | ||||
| addresses" [RFC4941]. However, as noted earlier in this document, | ||||
| in scenarios in which there is a reduced number of nodes in a | ||||
| given network, mitigation of this vector might be difficult (if at | ||||
| all possible) -- even with "temporary addresses" [RFC4941] in | ||||
| place. | ||||
| B.2. Correlation of node activities across networks | ||||
| Since traditional SLAAC addresses employ Interface Identifiers that | ||||
| are constant across networks, such identifiers can be leveraged to | ||||
| correlate the activities of a node across networks. One sample | ||||
| scenario is that in which a client repeatedly connects to a server | ||||
| over a period of time, and hence, based on the stable Interface | ||||
| Identifier, the server can correlate all communication instances as | ||||
| being initiated by the same node. Since the method specified in this | ||||
| document results in Interface Identifiers that are not constant | ||||
| across networks, this attack vector is mitigated. | ||||
| B.3. Host-tracking attacks | ||||
| Since traditional SLAAC addresses employ Interface Identifiers that | ||||
| are constant across networks, such identifiers can be leveraged to | ||||
| track a node across networks. | ||||
| For example, let us assume that the attacker knows the Interface | ||||
| Identifier employed by the target node. If the target node contacts | ||||
| an attacker-operated node each time it moves from one network to | ||||
| another, the attacker will be able to track the node as it moves from | ||||
| one network to another. | ||||
| An active version of this attack would imply that, once the Interface | ||||
| Identifier is known to the attacker the attacker probes whether there | ||||
| is an address with that Interface Identifier in each target network | ||||
| (i.e., in each network the client might connect to). If such address | ||||
| is found to be "alive", then the attacker could infer that the target | ||||
| node has connected to the corresponding network. | ||||
| This vector is discussed in detail in Appendix C.1.2. | ||||
| Since the method specified in this document results in Interface | ||||
| Identifiers that are not constant across networks, this attack vector | ||||
| is mitigated. | ||||
| B.4. Address-scanning attacks | ||||
| Since traditional SLAAC addresses typically embed the underlying | ||||
| link-layer address, the aforementioned addresses follow specific | ||||
| patterns that can be leveraged to reduce the search space when | ||||
| performing IPv6 address-scanning attacks (this is discussed in detail | ||||
| in [I-D.ietf-opsec-ipv6-host-scanning]). The method specified in | ||||
| this document produces random (but table within each subnet) | ||||
| Interface Identifiers, thus mitigating this attack vector. | ||||
| B.5. Exploitation of device-specific information | ||||
| Since traditional SLAAC addresses typically embed the underlying | ||||
| link-layer address, the aforementioned addresses leaks device- | ||||
| specific information that might be leveraged to launch device- | ||||
| specific attacks. For example, an attacker with knowledge about a | ||||
| specific vulnerability in devices manufactured by some vendor might | ||||
| easily identify potential targets by looking at the Interface | ||||
| Identifier of a list of IPv6 addresses. The method specified in this | ||||
| document produces random (but table within each subnet) Interface | ||||
| Identifiers, thus mitigating this attack vector. | ||||
| Appendix C. Privacy issues still present when temporary addresses are | ||||
| employed | employed | |||
| It is not unusual for people to assume or expect that all the | It is not unusual for people to assume or expect that all the | |||
| security/privacy implications of traditional SLAAC addresses are | security/privacy implications of traditional SLAAC addresses are | |||
| mitigated when "temporary addresses" [RFC4941] are employed. | mitigated when "temporary addresses" [RFC4941] are employed. | |||
| However, as noted in Section 1 of this document and [IAB-PRIVACY], | However, as noted in Section 1 of this document and [IAB-PRIVACY], | |||
| since temporary addresses are employed in addition to (rather than in | since temporary addresses are employed in addition to (rather than in | |||
| replacement of) traditional SLAAC addresses, many of the security/ | replacement of) traditional SLAAC addresses, many of the security/ | |||
| privacy implications of traditional SLAAC addresses are not mitigated | privacy implications of traditional SLAAC addresses are not mitigated | |||
| by the use of temporary addresses. | by the use of temporary addresses. | |||
| This section discusses a (non-exhaustive) number of scenarios in | This section discusses a (non-exhaustive) number of scenarios in | |||
| which host security/privacy is still negatively affected as a result | which host security/privacy is still negatively affected as a result | |||
| of employing Interface Identifiers that are constant across networks | of employing Interface Identifiers that are constant across networks | |||
| (e.g., those resulting from embedding IEEE identifiers), even when | (e.g., those resulting from embedding IEEE identifiers), even when | |||
| temporary addresses [RFC4941] are employed. It aims to clarify the | temporary addresses [RFC4941] are employed. It aims to clarify the | |||
| motivation of employing the method specified in this document in | motivation of employing the method specified in this document in | |||
| replacement of the traditional SLAAC addresses even when privacy/ | replacement of the traditional SLAAC addresses even when privacy/ | |||
| temporary addresses [RFC4941] are employed. | temporary addresses [RFC4941] are employed. | |||
| B.1. Host tracking | C.1. Host tracking | |||
| This section describes two attack scenarios which illustrate that | This section describes two attack scenarios which illustrate that | |||
| host-tracking may still be possible when privacy/temporary addresses | host-tracking may still be possible when privacy/temporary addresses | |||
| [RFC4941] are employed. These examples should remind us that one | [RFC4941] are employed. These examples should remind us that one | |||
| should not disclose more than it is really needed for achieving a | should not disclose more than it is really needed for achieving a | |||
| specific goal (and an Interface Identifier that is constant across | specific goal (and an Interface Identifier that is constant across | |||
| different networks does exactly that: it discloses more information | different networks does exactly that: it discloses more information | |||
| than is needed for providing a stable address). | than is needed for providing a stable address). | |||
| B.1.1. Tracking hosts across networks #1 | C.1.1. Tracking hosts across networks #1 | |||
| A host configures its stable addresses with the constant Interface | A host configures its stable addresses with the constant Interface | |||
| Identifier, and runs any application that needs to perform a server- | Identifier, and runs any application that needs to perform a server- | |||
| like function (e.g. a peer-to-peer application). As a result of | like function (e.g. a peer-to-peer application). As a result of | |||
| that, an attacker/user participating in the same application (e.g., | that, an attacker/user participating in the same application (e.g., | |||
| P2P) would learn the constant Interface Identifier used by the host | P2P) would learn the constant Interface Identifier used by the host | |||
| for that network interface. | for that network interface. | |||
| Some time later, the same host moves to a completely different | Some time later, the same host moves to a completely different | |||
| network, and employs the same P2P application. The attacker now | network, and employs the same P2P application. The attacker now | |||
| interacts with the same host again, and hence can learn its newly- | interacts with the same host again, and hence can learn its newly- | |||
| configured stable address. Since the Interface Identifier is the | configured stable address. Since the Interface Identifier is the | |||
| same as the one used before, the attacker can infer that it is | same as the one used before, the attacker can infer that it is | |||
| communicating with the same device as before. | communicating with the same device as before. | |||
| B.1.2. Tracking hosts across networks #2 | C.1.2. Tracking hosts across networks #2 | |||
| Once an attacker learns the constant Interface Identifier employed by | Once an attacker learns the constant Interface Identifier employed by | |||
| the victim host for its stable address, the attacker is able to | the victim host for its stable address, the attacker is able to | |||
| "probe" a network for the presence of such host at any given network. | "probe" a network for the presence of such host at any given network. | |||
| See Appendix B.1.1 for just one example of how an attacker could | See Appendix C.1.1 for just one example of how an attacker could | |||
| learn such value. Other examples include being able to share the | learn such value. Other examples include being able to share the | |||
| same network segment at some point in time (e.g. a conference | same network segment at some point in time (e.g. a conference | |||
| network or any public network), etc. | network or any public network), etc. | |||
| For example, if an attacker learns that in one network the victim | For example, if an attacker learns that in one network the victim | |||
| used the Interface Identifier 1111:2222:3333:4444 for its stable | used the Interface Identifier 1111:2222:3333:4444 for its stable | |||
| addresses, then he could subsequently probe for the presence of such | addresses, then he could subsequently probe for the presence of such | |||
| device in the network 2011:db8::/64 by sending a probe packet (ICMPv6 | device in the network 2011:db8::/64 by sending a probe packet (ICMPv6 | |||
| Echo Request, or any other probe packet) to the address 2001:db8:: | Echo Request, or any other probe packet) to the address 2001:db8:: | |||
| 1111:2222:3333:4444. | 1111:2222:3333:4444. | |||
| B.1.3. Revealing the identity of devices performing server-like | C.1.3. Revealing the identity of devices performing server-like | |||
| functions | functions | |||
| Some devices, such as storage devices, may typically perform server- | Some devices, such as storage devices, may typically perform server- | |||
| like functions and may be usually moved from one network to another. | like functions and may be usually moved from one network to another. | |||
| Such devices are likely to simply disable (or not even implement) | Such devices are likely to simply disable (or not even implement) | |||
| privacy/temporary addresses [RFC4941]. If the aforementioned devices | privacy/temporary addresses [RFC4941]. If the aforementioned devices | |||
| employ Interface Identifiers that are constant across networks, it | employ Interface Identifiers that are constant across networks, it | |||
| would be trivial for an attacker to tell whether the same device is | would be trivial for an attacker to tell whether the same device is | |||
| being used across networks by simply looking at the Interface | being used across networks by simply looking at the Interface | |||
| Identifier. Clearly, performing server-like functions should not | Identifier. Clearly, performing server-like functions should not | |||
| imply that a device discloses its identity (i.e., that the attacker | imply that a device discloses its identity (i.e., that the attacker | |||
| can tell whether it is the same device providing some function in two | can tell whether it is the same device providing some function in two | |||
| different networks, at two different points in time). | different networks, at two different points in time). | |||
| The scheme proposed in this document prevents such information | The scheme proposed in this document prevents such information | |||
| leakage by causing nodes to generate different Interface Identifiers | leakage by causing nodes to generate different Interface Identifiers | |||
| when moving from one network to another, thus mitigating this kind of | when moving from one network to another, thus mitigating this kind of | |||
| privacy attack. | privacy attack. | |||
| B.2. Address-scanning attacks | C.2. Address-scanning attacks | |||
| While it is usually assumed that IPv6 address-scanning attacks are | While it is usually assumed that IPv6 address-scanning attacks are | |||
| unfeasible, an attacker can leverage address patterns in IPv6 | unfeasible, an attacker can leverage address patterns in IPv6 | |||
| addresses to greatly reduce the search space | addresses to greatly reduce the search space | |||
| [I-D.ietf-opsec-ipv6-host-scanning] [Gont-BRUCON2012]. Addresses | [I-D.ietf-opsec-ipv6-host-scanning] [Gont-BRUCON2012]. Addresses | |||
| that embed IEEE identifiers result in one of such patterns that could | that embed IEEE identifiers result in one of such patterns that could | |||
| be leveraged to reduce the search space when other nodes employ the | be leveraged to reduce the search space when other nodes employ the | |||
| same IEEE OUI (Organizationally Unique Identifier). | same IEEE OUI (Organizationally Unique Identifier). | |||
| As noted earlier in this document, temporary addresses [RFC4941] do | As noted earlier in this document, temporary addresses [RFC4941] do | |||
| not replace/eliminate the use of IPv6 addresses that embed IEEE | not replace/eliminate the use of IPv6 addresses that embed IEEE | |||
| identifiers (they are employed in addition to those), and hence hosts | identifiers (they are employed in addition to those), and hence hosts | |||
| implementing [RFC4941] would still be vulnerable to address-scanning | implementing [RFC4941] would still be vulnerable to address-scanning | |||
| attacks. The method specified in this document is meant as an | attacks. The method specified in this document is meant as an | |||
| alternative to addresses that embed IEEE identifiers, and hence | alternative to addresses that embed IEEE identifiers, and hence | |||
| eliminates such patterns (thus mitigating the aforementioned address- | eliminates such patterns (thus mitigating the aforementioned address- | |||
| scanning attacks). | scanning attacks). | |||
| B.3. Information Leakage | C.3. Information Leakage | |||
| IPv6 addresses embedding IEEE identifiers leak information about the | IPv6 addresses embedding IEEE identifiers leak information about the | |||
| device (Network Interface Card vendor, or even Operating System | device (Network Interface Card vendor, or even Operating System | |||
| and/or software type), which could be leveraged by an attacker with | and/or software type), which could be leveraged by an attacker with | |||
| device/software-specific vulnerabilities knowledge to quickly find | device/software-specific vulnerabilities knowledge to quickly find | |||
| possible targets. Since temporary addresses do not replace the | possible targets. Since temporary addresses do not replace the | |||
| traditional SLAAC addresses that typically embed IEEE identifiers, | traditional SLAAC addresses that typically embed IEEE identifiers, | |||
| employing temporary addresses does not eliminate this possible | employing temporary addresses does not eliminate this possible | |||
| information leakage. | information leakage. | |||
| C.4. Correlation of node activities within a network | ||||
| In scenarios in which the number of nodes connected to a subnetwork | ||||
| is small, preventing the correlation of the activities of those nodes | ||||
| within such network might be difficult (if at all possible) to | ||||
| achieve, even with temporary addresses [RFC4941] in place. As a | ||||
| trivial example, consider a scenario where there is a single node (or | ||||
| a reduced number of nodes) connected to a specific network. An | ||||
| attacker could detect new addresses in use at that network along with | ||||
| addresses that are no longer in use, and infer which addresses are | ||||
| being employed by which hosts. This task is made particularly easier | ||||
| by the fact that use of "temporary addresses" can be easily inferred | ||||
| (since they follow different patterns from that of traditional SLAAC | ||||
| addresses), and since they are re-generated periodically (i.e., after | ||||
| a specific amount of time has elapsed). | ||||
| Author's Address | Author's Address | |||
| Fernando Gont | Fernando Gont | |||
| SI6 Networks / UTN-FRH | SI6 Networks / UTN-FRH | |||
| Evaristo Carriego 2644 | Evaristo Carriego 2644 | |||
| Haedo, Provincia de Buenos Aires 1706 | Haedo, Provincia de Buenos Aires 1706 | |||
| Argentina | Argentina | |||
| Phone: +54 11 4650 8472 | Phone: +54 11 4650 8472 | |||
| Email: fgont@si6networks.com | Email: fgont@si6networks.com | |||
| End of changes. 30 change blocks. | ||||
| 95 lines changed or deleted | 219 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||