idnits 2.17.1 draft-gont-6man-deprecate-eui64-based-addresses-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([I-D.ietf-6man-stable-privacy-addresses]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. -- The draft header indicates that this document updates RFC4291, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC2470, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC2464, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC2467, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Couldn't figure out when the document was first submitted -- there may comments or warnings related to the use of a disclaimer for pre-RFC5378 work that could not be issued because of this. Please check the Legal Provisions document at https://trustee.ietf.org/license-info to determine if you need the pre-RFC5378 disclaimer. -- The document date (October 22, 2013) is 3811 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'TBD' is mentioned on line 150, but not defined ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) == Outdated reference: A later version (-17) exists of draft-ietf-6man-stable-privacy-addresses-14 == Outdated reference: A later version (-08) exists of draft-ietf-6man-ipv6-address-generation-privacy-00 Summary: 2 errors (**), 0 flaws (~~), 5 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IPv6 maintenance Working Group (6man) F. Gont 3 Internet-Draft SI6 Networks / UTN-FRH 4 Updates: 2464, 2467, 2470, 4291 (if approved) A. Cooper 5 Intended status: Standards Track CDT 6 Expires: April 25, 2014 D. Thaler 7 Microsoft 8 W. Liu 9 Huawei Technologies 10 October 22, 2013 12 Deprecating EUI-64 Based IPv6 Addresses 13 draft-gont-6man-deprecate-eui64-based-addresses-00 15 Abstract 17 Stateless Address Autoconfiguration (SLAAC) for IPv6 typically 18 results in hosts configuring one or more stable addresses composed of 19 a network prefix advertised by a local router, and an Interface 20 Identifier that typically embeds a hardware address (e.g., an IEEE 21 LAN MAC address). The security and privacy implications of embedding 22 hardware addresses in the Interface Identifier have been known and 23 understood for some time now, and some popular IPv6 implementations 24 have already deviated from such scheme to mitigate these issues. 25 This document deprecates the use of hardware addresses in IPv6 26 Interface Identifiers, and recommends the use of an alternative 27 scheme ([I-D.ietf-6man-stable-privacy-addresses]) for the generation 28 of IPv6 stable addresses. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at http://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on April 25, 2014. 47 Copyright Notice 48 Copyright (c) 2013 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents 53 (http://trustee.ietf.org/license-info) in effect on the date of 54 publication of this document. Please review these documents 55 carefully, as they describe your rights and restrictions with respect 56 to this document. Code Components extracted from this document must 57 include Simplified BSD License text as described in Section 4.e of 58 the Trust Legal Provisions and are provided without warranty as 59 described in the Simplified BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 64 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 65 3. Generation of IPv6 Interface Identifiers . . . . . . . . . . 3 66 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 67 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 68 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 69 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 70 7.1. Normative References . . . . . . . . . . . . . . . . . . 4 71 7.2. Informative References . . . . . . . . . . . . . . . . . 5 72 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 74 1. Introduction 76 [RFC4862] specifies Stateless Address Autoconfiguration (SLAAC) for 77 IPv6 [RFC2460], which typically results in hosts configuring one or 78 more "stable" addresses composed of a network prefix advertised by a 79 local router, and an Interface Identifier (IID) [RFC4291] that 80 typically embeds a hardware address (e.g., an IEEE LAN MAC address). 82 The security and privacy implications of embedding a hardware address 83 in an IPv6 Interface ID have been known for some time now, and are 84 discussed in great detail in 85 [I-D.ietf-6man-ipv6-address-generation-privacy]; they include: 87 o Network activity correlation 89 o Location tracking 91 o Address scanning 93 o Device-specific vulnerability exploitation 94 Some popular IPv6 implementations have already deviated from the 95 traditional IID generation scheme to mitigate the aforementioned 96 security and privacy implications [Microsoft]. 98 As a result of the afforementioned issues, this document deprecates 99 the use of hardware addresses in Interface Identifiers, and 100 recommends the implementation of an alternative scheme 101 ([I-D.ietf-6man-stable-privacy-addresses]) that mitigates most of the 102 aforementioned issues. 104 NOTE: [RFC4291] defines the "Modified EUI-64 format" (which this 105 document does not deprecate) for Interface identifiers. Appendix A 106 of [RFC4291] then describes how to transform an IEEE EUI-64 107 identifier, or an IEEE 802 48-bit MAC address from which an EUI-64 108 identifier is derived, into an interface identifier in the Modified 109 EUI-64 format. Deriving an IPv6 interface identifier based on an 110 IEEE EUI-64 identifier is what is deprecated in this document. Other 111 ways of generating an interface identifier in the Modified EUI-64 112 format are unaffected. 114 2. Terminology 116 Stable address: 117 An address that does not vary over time within the same network 118 (as defined in [I-D.ietf-6man-ipv6-address-generation-privacy]. 120 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 121 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 122 document are to be interpreted as described in RFC 2119 [RFC2119]. 124 3. Generation of IPv6 Interface Identifiers 126 Nodes MUST NOT employ IPv6 address generation schemes that embed the 127 underlying hardware address in the Interface Identifier. Namely, 128 nodes MUST NOT generate Interface Identifiers with the schemes 129 specified in [RFC2464], [RFC2467], and [RFC2470]. 131 Nodes SHOULD implement and employ 132 [I-D.ietf-6man-stable-privacy-addresses] as the default scheme for 133 generating stable IPv6 addresses with SLAAC. 135 4. IANA Considerations 137 There are no IANA registries within this document. The RFC-Editor 138 can remove this section before publication of this document as an 139 RFC. 141 5. Security Considerations 143 This document deprecates the use of hardware addresses in IPv6 144 Interface Identifiers, and recommends an alternative scheme for 145 generating IPv6 addresses with SLAAC such that a number of security 146 and privacy issues are mitigated. 148 6. Acknowledgements 150 The authors would like to thank [TBD] for providing valuable comments 151 on earlier versions of this document. 153 Fernando Gont would like to thank Ray Hunter for providing valuable 154 input on this topic. 156 7. References 158 7.1. Normative References 160 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 161 Requirement Levels", BCP 14, RFC 2119, March 1997. 163 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 164 (IPv6) Specification", RFC 2460, December 1998. 166 [RFC2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet 167 Networks", RFC 2464, December 1998. 169 [RFC2467] Crawford, M., "Transmission of IPv6 Packets over FDDI 170 Networks", RFC 2467, December 1998. 172 [RFC2470] Crawford, M., Narten, T., and S. Thomas, "Transmission of 173 IPv6 Packets over Token Ring Networks", RFC 2470, December 174 1998. 176 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 177 Architecture", RFC 4291, February 2006. 179 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 180 Address Autoconfiguration", RFC 4862, September 2007. 182 [I-D.ietf-6man-stable-privacy-addresses] 183 Gont, F., "A Method for Generating Semantically Opaque 184 Interface Identifiers with IPv6 Stateless Address 185 Autoconfiguration (SLAAC)", draft-ietf-6man-stable- 186 privacy-addresses-14 (work in progress), October 2013. 188 7.2. Informative References 190 [I-D.ietf-6man-ipv6-address-generation-privacy] 191 Cooper, A., Gont, F., and D. Thaler, "Privacy 192 Considerations for IPv6 Address Generation Mechanisms", 193 draft-ietf-6man-ipv6-address-generation-privacy-00 (work 194 in progress), October 2013. 196 [Microsoft] 197 Davies, J., "Understanding IPv6, 3rd. ed", page 83, 198 Microsoft Press, 2012, . 200 Authors' Addresses 202 Fernando Gont 203 SI6 Networks / UTN-FRH 204 Evaristo Carriego 2644 205 Haedo, Provincia de Buenos Aires 1706 206 Argentina 208 Phone: +54 11 4650 8472 209 Email: fgont@si6networks.com 210 URI: http://www.si6networks.com 212 Alissa Cooper 213 CDT 214 1634 Eye St. NW, Suite 1100 215 Washington, DC 20006 216 US 218 Phone: +1-202-637-9800 219 Email: acooper@cdt.org 220 URI: http://www.cdt.org/ 222 Dave Thaler 223 Microsoft 224 Microsoft Corporation 225 One Microsoft Way 226 Redmond, WA 98052 228 Phone: +1 425 703 8835 229 Email: dthaler@microsoft.com 230 Will Liu 231 Huawei Technologies 232 Bantian, Longgang District 233 Shenzhen 518129 234 P.R. China 236 Email: liushucheng@huawei.com