IPv6 Maintenance (6man) Working Group                            F. Gont
Internet-Draft                                    SI6 Networks / UTN-FRH
Obsoletes: rfc4941 (if approved)                             S. Krishnan
Intended status: Standards Track                       Ericsson Research
Expires: March 8, 2020                                         T. Narten
                                                         IBM Corporation
                                                               R. Draves
                                                      Microsoft Research
                                                       September 5, 2019


    Privacy Extensions for Stateless Address Autoconfiguration in IPv6
                      draft-ietf-6man-rfc4941bis-03

Abstract

   Nodes use IPv6 stateless address autoconfiguration to generate addresses using a combination of locally available information and information advertised by routers. Addresses are formed by combining network prefixes with an interface identifier. This document describes an extension that causes nodes to generate global scope addresses with randomized interface identifiers that change over time. Changing global scope addresses over time makes it more difficult for eavesdroppers and other information collectors to identify when different addresses used in different transactions actually correspond to the same node. This document formally obsoletes RFC4941.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 8, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
       1.1.  Terminology
       1.2.  Problem Statement
   2.  Background
       2.1.  Extended Use of the Same Identifier
       2.2.  Possible Approaches
   3.  Protocol Description
       3.1.  Assumptions
       3.2.  Generation of Randomized Interface Identifiers
             3.2.1.  Simple Randomized Interface Identifiers
             3.2.2.  Hash-based Generation of Randomized Interface Identifiers
       3.3.  Generating Temporary Addresses
       3.4.  Expiration of Temporary Addresses
       3.5.  Regeneration of Randomized Interface Identifiers
       3.6.  Deployment Considerations
   4.  Implications of Changing Interface Identifiers
   5.  Defined Constants
   6.  Future Work
   7.  Security Considerations
   8.  Significant Changes from RFC4941
   9.  Acknowledgments
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Authors' Addresses

1.  Introduction

   Stateless address autoconfiguration [RFC4862] defines how an IPv6 node generates addresses without the need for a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server. The security and privacy implications of such addresses have been discussed in great detail in [RFC7721], [RFC7217], and [RFC7707]. This document specifies an extension for SLAAC to generate temporary addresses, such that the aforementioned issues are mitigated.

   The default address selection for IPv6 has been specified in [RFC6724]. We note that the determination as to whether to use stable versus temporary addresses can in some cases only be made by an application. For example, some applications may always want to use temporary addresses, while others may want to use them only in some circumstances or not at all. An API such as that specified in [RFC5014] can enable individual applications to indicate with sufficient granularity their needs with regards to the use of temporary addresses.

   Section 2 provides background information on the issue. Section 3 describes a procedure for generating temporary interface identifiers and global scope addresses. Section 4 discusses implications of changing interface identifiers.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
   The terms "public address", "stable address", "temporary address", "constant IID", "stable IID", and "temporary IID" are to be interpreted as specified in [RFC7721].

   The term "global scope addresses" is used in this document to collectively refer to "Global unicast addresses" as defined in [RFC4291] and "Unique local addresses" as defined in [RFC4193].

1.2.  Problem Statement

   Addresses generated using stateless address autoconfiguration [RFC4862] contain an embedded interface identifier, which remains stable over time. Any time a fixed identifier is used in multiple contexts, it becomes possible to correlate seemingly unrelated activity using this identifier.

   The correlation can be performed by:

   o  An attacker who is in the path between the node in question and the peer(s) to which it is communicating, and who can view the IPv6 addresses present in the datagrams.

   o  An attacker who can access the communication logs of the peers with which the node has communicated.

   Since the identifier is embedded within the IPv6 address, which is a fundamental requirement of communication, it cannot be easily hidden. This document proposes a solution to this issue by generating interface identifiers that vary over time.

   Note that an attacker who is on path may be able to perform significant correlation based on:

   o  The payload contents of the packets on the wire

   o  The characteristics of the packets such as packet size and timing

   Use of temporary addresses will not prevent such payload-based correlation, which can only be addressed by widespread deployment of encryption as advocated in [RFC7624].

2.  Background

   This section discusses the problem in more detail, provides context for evaluating the significance of the concerns in specific environments and makes comparisons with existing practices.

2.1.  Extended Use of the Same Identifier

   The use of a non-changing interface identifier to form addresses is a specific instance of the more general case where a constant identifier is reused over an extended period of time and in multiple independent activities. Any time the same identifier is used in multiple contexts, it becomes possible for that identifier to be used to correlate seemingly unrelated activity. For example, a network sniffer placed strategically on a link across which all traffic to/from a particular host crosses could keep track of which destinations a node communicated with and at what times. Such information can in some cases be used to infer things, such as what hours an employee was active, when someone is at home, etc. Although it might appear that changing an address regularly in such environments would be desirable to lessen privacy concerns, it should be noted that the network prefix portion of an address also serves as a constant identifier. All nodes at, say, a home, would have the same network prefix, which identifies the topological location of those nodes. This has implications for privacy, though not at the same granularity as the concern that this document addresses. Specifically, all nodes within a home could be grouped together for the purposes of collecting information. If the network contains a very small number of nodes, say, just one, changing just the interface identifier will not enhance privacy at all, since the prefix serves as a constant identifier.

   One of the requirements for correlating seemingly unrelated activities is the use (and reuse) of an identifier that is recognizable over time within different contexts. IP addresses provide one obvious example, but there are more. Many nodes also have DNS names associated with their addresses, in which case the DNS name serves as a similar identifier. Although the DNS name associated with an address is more work to obtain (it may require a DNS query), the information is often readily available. In such cases, changing the address on a machine over time would do little to address the concerns raised in this document, unless the DNS name is changed as well (see Section 4).

   Web browsers and servers typically exchange "cookies" with each other [RFC6265]. Cookies allow web servers to correlate a current activity with a previous activity. One common usage is to send back targeted advertising to a user by using the cookie supplied by the browser to identify what earlier queries had been made (e.g., for what type of information). Based on the earlier queries, advertisements can be targeted to match the (assumed) interests of the end-user.

   The use of a constant identifier within an address is of special concern because addresses are a fundamental requirement of communication and cannot easily be hidden from eavesdroppers and other parties. Even when higher layers encrypt their payloads, addresses in packet headers appear in the clear. Consequently, if a mobile host (e.g., laptop) accessed the network from several different locations, an eavesdropper might be able to track the movement of that mobile host from place to place, even if the upper layer payloads were encrypted.

   Using temporary addresses alone may not be sufficient to prevent all forms of tracking. It is however quite clear that some usage of temporary addresses is necessary to improve user privacy.

   The security and privacy implications of IPv6 addresses are discussed in detail in [RFC7721], [RFC7707], and [RFC7217].

2.2.  Possible Approaches

   One way to avoid having a stable non-changing address is to use DHCPv6 [RFC8415] for obtaining addresses. Section 12 of [RFC8415] discusses the use of DHCPv6 for the assignment and management of "temporary addresses", which are never renewed and provide the same property of temporary addresses described in this document with regards to the privacy concern.

   Another approach, compatible with the stateless address autoconfiguration architecture, would be to change the interface identifier portion of an address over time. Changing the interface identifier can make it more difficult to look at the IP addresses in independent transactions and identify which ones actually correspond to the same node, both in the case where the routing prefix portion of an address changes and when it does not.

   Many machines function as both clients and servers. In such cases, the machine would need a DNS name for its use as a server. Whether the address stays fixed or changes has little privacy implication since the DNS name remains constant and serves as a constant identifier. When acting as a client (e.g., initiating communication), however, such a machine may want to vary the addresses it uses. In such environments, one may need multiple addresses: a stable address registered in the DNS, that is used to accept incoming connection requests from other machines, and a temporary address used to shield the identity of the client when it initiates communication. These two cases are roughly analogous to telephone numbers and caller ID, where a user may list their telephone number in the public phone book, but disable the display of its number via caller ID when initiating calls.

   On the other hand, a machine that functions only as a client may want to employ only temporary addresses for public communication.
   To make it difficult to make educated guesses as to whether two different interface identifiers belong to the same node, the algorithm for generating alternate identifiers must include input that has an unpredictable component from the perspective of the outside entities that are collecting information.

3.  Protocol Description

   The goal of this section is to define procedures that can generate IPv6 addresses with the following properties:

   1.  Temporary addresses can be employed for initiating outgoing sessions.

   2.  Temporary addresses are used for a short period of time (typically hours to days) and are subsequently deprecated. Deprecated addresses can continue to be used for already established connections, but are not used to initiate new connections.

   3.  New temporary addresses are generated periodically to replace temporary addresses that expire.

   4.  Temporary addresses must have a limited lifetime (limited "valid lifetime" and "preferred lifetime" from [RFC4862]), that should be statistically different for different addresses. The lifetime of an address should be further reduced when privacy-meaningful events (such as a node attaching to a different network, or the regeneration of a new randomized MAC address) take place.

   5.  By default, one address is generated for each prefix advertised for stateless address autoconfiguration. The resulting Interface Identifiers must be statistically different when addresses are configured for different prefixes. That is, when temporary addresses are generated for different autoconfiguration prefixes for the same network interface, the resulting Interface Identifiers must be statistically different. This means that, given two addresses that employ different prefixes, it must be difficult for an outside entity to tell whether the addresses correspond to the same network interface or even whether they have been generated by the same host.

   6.  It must be difficult for an outside entity to predict the Interface Identifiers that will be employed for temporary addresses, even with knowledge of the algorithm/method employed to generate them and/or knowledge of the Interface Identifiers previously employed for other temporary addresses. These Interface Identifiers must be semantically opaque [RFC7136] and must not follow any specific patterns.

3.1.  Assumptions

   The following algorithm assumes that for a given temporary address, an implementation can determine the prefix from which it was generated. When a temporary address is deprecated, a new temporary address is generated. The specific valid and preferred lifetimes for the new address are dependent on the corresponding lifetime values set for the prefix from which it was generated.

   Finally, this document assumes that when a node initiates outgoing communication, temporary addresses can be given preference over stable addresses (if available), when the device is configured to do so. [RFC6724] mandates implementations to provide a mechanism which allows an application to configure its preference for temporary addresses over stable addresses. It also allows for an implementation to prefer temporary addresses by default, so that the connections initiated by the node can use temporary addresses without requiring application-specific enablement. This document also assumes that an API will exist that allows individual applications to indicate whether they prefer to use temporary or stable addresses and override the system defaults.

3.2.  Generation of Randomized Interface Identifiers

   The following subsections specify some possible algorithms for generating temporary interface identifiers that follow the guidelines in Section 3 of this document. The algorithm specified in Section 3.2.1 benefits from a Pseudo-Random Number Generator (PRNG) available on the system. On the other hand, the algorithm specified in Section 3.2.2 allows for code reuse by nodes that implement [RFC7217].

3.2.1.  Simple Randomized Interface Identifiers

   One possible approach would be to select a pseudorandom number of the appropriate length. A node employing this algorithm should generate IIDs as follows:

   1.  Obtain a random number (see [RFC4086] for randomness requirements for security).

   2.  The Interface Identifier is obtained by taking as many bits from the aforementioned random number (obtained in the previous step) as necessary.

          We note that [RFC4291] requires that the Interface IDs of all unicast addresses (except those that start with the binary value 000) be 64 bits long. However, the method discussed in this document could be employed for generating Interface IDs of any arbitrary length, albeit at the expense of reduced entropy (when employing Interface IDs smaller than 64 bits).

   3.  The resulting Interface Identifier SHOULD be compared against the reserved IPv6 Interface Identifiers [RFC5453] [IANA-RESERVED-IID] and against those Interface Identifiers already employed in an address of the same network interface and the same network prefix. In the event that an unacceptable identifier has been generated, a new interface identifier should be generated, by repeating the algorithm from the first step.

3.2.2.  Hash-based Generation of Randomized Interface Identifiers

   The algorithm in [RFC7217] can be augmented for the generation of temporary addresses. The benefit of this would be that a node could employ a single algorithm for generating stable and temporary addresses, by employing appropriate parameters.

   Nodes would employ the following algorithm for generating the temporary IID:

   1.  Compute a random identifier with the expression:

          RID = F(Prefix, MAC_Address, Network_ID, Time, DAD_Counter, secret_key)

       Where:

       RID:
          Random Identifier

       F():
          A pseudorandom function (PRF) that MUST NOT be computable from the outside (without knowledge of the secret key). F() MUST also be difficult to reverse, such that it resists attempts to obtain the secret_key, even when given samples of the output of F() and knowledge or control of the other input parameters. F() SHOULD produce an output of at least 64 bits. F() could be implemented as a cryptographic hash of the concatenation of each of the function parameters. SHA-1 [FIPS-SHS] and SHA-256 are two possible options for F(). Note: MD5 [RFC1321] is considered unacceptable for F() [RFC6151].

       Prefix:
          The prefix to be used for SLAAC, as learned from an ICMPv6 Router Advertisement message.

       MAC_Address:
          The MAC address corresponding to the underlying network interface card. Employing the MAC address in this expression (in replacement of the Net_Iface parameter of the expression in RFC7217) means that the re-generation of a randomized MAC address will result in a different temporary address.

       Network_ID:
          Some network-specific data that identifies the subnet to which this interface is attached -- for example, the IEEE 802.11 Service Set Identifier (SSID) corresponding to the network to which this interface is associated. Additionally, Simple DNA [RFC6059] describes ideas that could be leveraged to generate a Network_ID parameter. This parameter SHOULD be employed if some form of "Network_ID" is available.
       Time:
          An implementation-dependent representation of time. One possible example is the representation in UNIX-like systems [OPEN-GROUP], which measure time in terms of the number of seconds elapsed since the Epoch (00:00:00 Coordinated Universal Time (UTC), 1 January 1970).

       DAD_Counter:
          A counter that is employed to resolve Duplicate Address Detection (DAD) conflicts.

       secret_key:
          A secret key that is not known by the attacker. The secret key SHOULD be of at least 128 bits. It MUST be initialized to a pseudo-random number (see [RFC4086] for randomness requirements for security) when the operating system is "bootstrapped".

   2.  The Interface Identifier is finally obtained by taking as many bits from the RID value (computed in the previous step) as necessary, starting from the least significant bit. The resulting Interface Identifier SHOULD be compared against the reserved IPv6 Interface Identifiers [RFC5453] [IANA-RESERVED-IID] and against those Interface Identifiers already employed in an address of the same network interface and the same network prefix. In the event that an unacceptable identifier has been generated, the value DAD_Counter should be incremented by 1, and the algorithm should be restarted from the first step.

3.3.  Generating Temporary Addresses

   [RFC4862] describes the steps for generating a link-local address when an interface becomes enabled as well as the steps for generating addresses for other scopes. This document extends [RFC4862] as follows. When processing a Router Advertisement with a Prefix Information option carrying a global scope prefix for the purposes of address autoconfiguration (i.e., the A bit is set), the node MUST perform the following steps:

   1.  Process the Prefix Information Option as defined in [RFC4862], adjusting the lifetimes of existing temporary addresses. A received option may extend the lifetimes of temporary addresses, with the overall constraint that no temporary addresses should ever remain "valid" or "preferred" for a time longer than (TEMP_VALID_LIFETIME) or (TEMP_PREFERRED_LIFETIME - DESYNC_FACTOR) respectively. The configuration variables TEMP_VALID_LIFETIME and TEMP_PREFERRED_LIFETIME correspond to approximate target lifetimes for temporary addresses.

   2.  One way an implementation can satisfy the above constraints is to associate with each temporary address a creation time (called CREATION_TIME) that indicates the time at which the address was created. When updating the preferred lifetime of an existing temporary address, it would be set to expire at whichever time is earlier: the time indicated by the received lifetime or (CREATION_TIME + TEMP_PREFERRED_LIFETIME - DESYNC_FACTOR). A similar approach can be used with the valid lifetime.

   3.  If the node has not configured any temporary address for the corresponding prefix, the node SHOULD create a new temporary address for such prefix.

   4.  When creating a temporary address, the lifetime values MUST be derived from the corresponding prefix as follows:

       *  Its Valid Lifetime is the lower of the Valid Lifetime of the prefix and TEMP_VALID_LIFETIME.

       *  Its Preferred Lifetime is the lower of the Preferred Lifetime of the prefix and TEMP_PREFERRED_LIFETIME - DESYNC_FACTOR.

   5.  A temporary address is created only if this calculated Preferred Lifetime is greater than REGEN_ADVANCE time units. In particular, an implementation MUST NOT create a temporary address with a zero Preferred Lifetime.

   6.  New temporary addresses MUST be created by appending a randomized interface identifier (generated as described in Section 3.2 of this document) to the prefix that was received.

   7.  The node MUST perform duplicate address detection (DAD) on the generated temporary address. If DAD indicates the address is already in use, the node MUST generate a new randomized interface identifier, and repeat the previous steps as appropriate up to TEMP_IDGEN_RETRIES times. If after TEMP_IDGEN_RETRIES consecutive attempts no unique address was generated, the node MUST log a system error and MUST NOT attempt to generate temporary addresses for that interface. Note that DAD MUST be performed on every unicast address generated from this randomized interface identifier.

3.4.  Expiration of Temporary Addresses

   When a temporary address becomes deprecated, a new one MUST be generated. This is done by repeating the actions described in Section 3.3, starting at step 4. Note that, except for the transient period when a temporary address is being regenerated, in normal operation at most one temporary address per prefix should be in a non-deprecated state at any given time on a given interface. Note that if a temporary address becomes deprecated as a result of processing a Prefix Information Option with a zero Preferred Lifetime, then a new temporary address MUST NOT be generated. To ensure that a preferred temporary address is always available, a new temporary address SHOULD be regenerated slightly before its predecessor is deprecated. This is to allow sufficient time to avoid race conditions in the case where generating a new temporary address is not instantaneous, such as when duplicate address detection must be run. The node SHOULD start the address regeneration process REGEN_ADVANCE time units before a temporary address would actually be deprecated.

   As an optional optimization, an implementation MAY remove a deprecated temporary address that is not in use by applications or upper layers as detailed in Section 6.

3.5.  Regeneration of Randomized Interface Identifiers

   The frequency at which temporary addresses change depends on how a device is being used (e.g., how frequently it initiates new communication) and the concerns of the end user. The most egregious privacy concerns appear to involve addresses used for long periods of time (weeks to months to years). The more frequently an address changes, the less feasible collecting or coordinating information keyed on interface identifiers becomes. Moreover, the cost of collecting information and attempting to correlate it based on interface identifiers will only be justified if enough addresses contain non-changing identifiers to make it worthwhile. Thus, having large numbers of clients change their address on a daily or weekly basis is likely to be sufficient to alleviate most privacy concerns.

   There are also client costs associated with having a large number of addresses associated with a node (e.g., in doing address lookups, the need to join many multicast groups, etc.). Thus, changing addresses frequently (e.g., every few minutes) may have performance implications.

   Nodes following this specification SHOULD generate new temporary addresses on a periodic basis. This can be achieved automatically by generating a new randomized interface identifier at least once every (TEMP_PREFERRED_LIFETIME - REGEN_ADVANCE - DESYNC_FACTOR) time units. As described above, generating a new temporary address REGEN_ADVANCE time units before a temporary address becomes deprecated produces addresses with a preferred lifetime no larger than TEMP_PREFERRED_LIFETIME. The value DESYNC_FACTOR is a random value (different for each client) that ensures that clients don't synchronize with each other and generate new addresses at exactly the same time.
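   The IID generation procedures of Section 3.2 (the simple randomized method and the hash-based method with its reserved-IID check and DAD_Counter retry), the lifetime derivation of Section 3.3 and the regeneration interval described in this section, as one added Python example. It is not code from the draft or from any implementation of it. The choice of SHA-256 as F(), the length-prefixed encoding of F()'s inputs, the values of REGEN_ADVANCE, TEMP_IDGEN_RETRIES and the DESYNC_FACTOR upper bound (the draft's Section 5 text for these lies beyond what is reproduced here), the two reserved ranges checked, and every sample input (prefix, MAC address, SSID, timestamp, secret key) are assumptions or constructed values of this example.

```python
# Added example for draft-ietf-6man-rfc4941bis Sections 3.2, 3.3 and 3.5.
# Not the draft's code; F() = SHA-256, the field encoding, the constants
# marked "assumed" and all sample inputs are assumptions of this example.
import hashlib
import ipaddress
import secrets
from typing import Optional, Set, Tuple

# Section 5 constants, in seconds. Only the first two appear in the draft
# text above; the remaining three are assumed for this example.
TEMP_VALID_LIFETIME = 7 * 24 * 3600       # 1 week
TEMP_PREFERRED_LIFETIME = 24 * 3600       # 1 day
REGEN_ADVANCE = 5                         # assumed
TEMP_IDGEN_RETRIES = 3                    # assumed
MAX_DESYNC_FACTOR = 10 * 60               # assumed upper bound for DESYNC_FACTOR

IID_MASK = (1 << 64) - 1


def iid_is_acceptable(iid: int, in_use: Set[int]) -> bool:
    """Section 3.2.1 step 3 / 3.2.2 step 2: reject reserved IIDs and IIDs
    already used under the same prefix on this interface. Only two of the
    RFC 5453 reserved ranges are checked here (a subset, for illustration)."""
    if iid == 0:                                         # Subnet-Router anycast
        return False
    if 0xFDFFFFFFFFFFFF80 <= iid <= 0xFDFFFFFFFFFFFFFF:  # reserved subnet anycast
        return False
    return iid not in in_use


def simple_random_iid(in_use: Set[int], rng=secrets.randbits) -> int:
    """Section 3.2.1: draw 64 random bits; redraw on an unacceptable IID."""
    while True:
        iid = rng(64)
        if iid_is_acceptable(iid, in_use):
            return iid


def hash_based_iid(prefix: bytes, mac: bytes, network_id: bytes, time_s: int,
                   secret_key: bytes, in_use: Set[int], max_tries: int = 64) -> int:
    """Section 3.2.2: RID = F(Prefix, MAC_Address, Network_ID, Time,
    DAD_Counter, secret_key); IID = least significant 64 bits of RID.
    On an unacceptable IID, DAD_Counter is incremented and F() recomputed."""
    dad_counter = 0
    while dad_counter < max_tries:
        h = hashlib.sha256()
        # Length-prefix every field so the concatenation is unambiguous
        # (an encoding choice of this example, not mandated by the draft).
        for field in (prefix, mac, network_id, time_s.to_bytes(8, "big"),
                      dad_counter.to_bytes(4, "big"), secret_key):
            h.update(len(field).to_bytes(2, "big") + field)
        iid = int.from_bytes(h.digest(), "big") & IID_MASK
        if iid_is_acceptable(iid, in_use):
            return iid
        dad_counter += 1
    raise RuntimeError("no acceptable IID after %d DAD_Counter values" % max_tries)


def form_address(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Section 3.3 step 6: append the 64-bit IID to the received /64 prefix."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC with 64-bit IIDs needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | (iid & IID_MASK))


def temporary_lifetimes(prefix_valid: int, prefix_preferred: int,
                        desync_factor: int) -> Optional[Tuple[int, int]]:
    """Section 3.3 steps 4 and 5: derive (valid, preferred) lifetimes from the
    prefix; None means no temporary address may be created."""
    valid = min(prefix_valid, TEMP_VALID_LIFETIME)
    preferred = min(prefix_preferred, TEMP_PREFERRED_LIFETIME - desync_factor)
    if preferred <= REGEN_ADVANCE:
        return None
    return valid, preferred


def clamp_preferred_expiry(received_expiry: int, creation_time: int,
                           desync_factor: int) -> int:
    """Section 3.3 step 2: a Router Advertisement never pushes the preferred
    expiry past CREATION_TIME + TEMP_PREFERRED_LIFETIME - DESYNC_FACTOR."""
    return min(received_expiry, creation_time + TEMP_PREFERRED_LIFETIME - desync_factor)


def regeneration_interval(desync_factor: int) -> int:
    """Section 3.5: generate a new IID at least once every
    TEMP_PREFERRED_LIFETIME - REGEN_ADVANCE - DESYNC_FACTOR seconds."""
    return TEMP_PREFERRED_LIFETIME - REGEN_ADVANCE - desync_factor


# Constructed sample inputs (not taken from the draft).
EXAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
EXAMPLE_MAC = bytes.fromhex("020000000001")       # constructed, locally administered
EXAMPLE_NETWORK_ID = b"example-ssid"              # constructed SSID
EXAMPLE_TIME = 1567641600                         # constructed UNIX timestamp
# Constructed key; a real node draws it with secrets.token_bytes(16) at boot.
EXAMPLE_SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    desync = secrets.randbelow(MAX_DESYNC_FACTOR + 1)
    iid = hash_based_iid(EXAMPLE_PREFIX.network_address.packed[:8], EXAMPLE_MAC,
                         EXAMPLE_NETWORK_ID, EXAMPLE_TIME, EXAMPLE_SECRET_KEY, set())
    print("temporary address:", form_address(EXAMPLE_PREFIX, iid))
    print("(valid, preferred):", temporary_lifetimes(2592000, 604800, desync))
    print("regenerate every", regeneration_interval(desync), "seconds")
```

   Two points the prose alone does not make visible: because the prefix is an input to F(), the hash-based method yields unrelated IIDs for different prefixes on the same interface (property 5) without keeping any per-prefix state, and DESYNC_FACTOR only ever shortens the preferred lifetime, so the regeneration interval stays strictly below TEMP_PREFERRED_LIFETIME for every client.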
When the preferred lifetime expires, a new temporary 575 address MUST be generated using the new randomized interface 576 identifier. 578 Because the precise frequency at which it is appropriate to generate 579 new addresses varies from one environment to another, implementations 580 SHOULD provide end users with the ability to change the frequency at 581 which addresses are regenerated. The default value is given in 582 TEMP_PREFERRED_LIFETIME and is one day. In addition, the exact time 583 at which to invalidate a temporary address depends on how 584 applications are used by end users. Thus, the suggested default 585 value of one week (TEMP_VALID_LIFETIME) may not be appropriate in all 586 environments. Implementations SHOULD provide end users with the 587 ability to override both of these default values. 589 Finally, when an interface connects to a new (different) link, a new 590 set of temporary addresses MUST be generated immediately. If a 591 device moves from one ethernet to another, generating a new set of 592 temporary addresses ensures that the device uses different randomized 593 interface identifiers for the temporary addresses associated with the 594 two links, making it more difficult to correlate addresses from the 595 two different links as being from the same node. The node MAY follow 596 any process available to it, to determine that the link change has 597 occurred. One such process is described by "Simple Procedures for 598 Detecting Network Attachment in IPv6" [RFC6059]. Detecting link 599 changes would prevent link down/up events from causing temporary 600 addresses to be (unnecessarily) regenerated. 602 3.6. Deployment Considerations 604 Devices implementing this specification MUST provide a way for the 605 end user to explicitly enable or disable the use of temporary 606 addresses. In addition, a site might wish to disable the use of 607 temporary addresses in order to simplify network debugging and 608 operations. 
   Consequently, implementations SHOULD provide a way for trusted system
   administrators to enable or disable the use of temporary addresses.

   Additionally, sites might wish to selectively enable or disable the
   use of temporary addresses for some prefixes.  For example, a site
   might wish to disable temporary address generation for "Unique local"
   [RFC4193] prefixes while still generating temporary addresses for all
   other global prefixes.  Another site might wish to enable temporary
   address generation only for the prefixes 2001::/16 and 2002::/16
   while disabling it for all other prefixes.  To support this behavior,
   implementations SHOULD provide a way to enable and disable generation
   of temporary addresses for specific prefix subranges.  This
   per-prefix setting SHOULD override the global settings on the node
   with respect to the specified prefix subranges.  Note that the
   per-prefix setting can be applied at any granularity, and not
   necessarily on a per subnet basis.

   The use of temporary addresses may cause unexpected difficulties with
   some applications.  As described below, some servers refuse to accept
   communications from clients for which they cannot map the IP address
   into a DNS name.  In addition, some applications may not behave
   robustly if temporary addresses are used and an address expires
   before the application has terminated, or if it opens multiple
   sessions, but expects them to all use the same addresses.

   If a very small number of nodes (say, only one) use a given prefix
   for extended periods of time, just changing the interface identifier
   part of the address may not be sufficient to ensure privacy, since
   the prefix acts as a constant identifier.  The procedures described
   in this document are most effective when the prefix is reasonably non
   static or is used by a fairly large number of nodes.
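
   The per-prefix control recommended above, as an added example in
   Python (not the draft's code, nor that of any particular operating
   system).  A node-wide switch is combined with per-prefix rules; the
   most specific rule covering an advertised prefix wins and overrides
   the node-wide setting, and rules may have any prefix length.  The
   two site profiles are the ones this section describes; the class and
   function names, and the advertised prefixes used to exercise them,
   are constructed for the example.

```python
"""Per-prefix enable/disable of temporary addresses (added example; not
the draft's code).  Longest-prefix match over administrator rules,
falling back to the node-wide setting when no rule covers a prefix."""
import ipaddress


class TempAddrPolicy:
    def __init__(self, enabled_by_default=True):
        # Temporary addresses are enabled by default (Section 8, item 6).
        self.enabled_by_default = enabled_by_default
        self._rules = {}   # IPv6Network -> bool

    def set_prefix(self, prefix, enabled):
        """Enable or disable generation for a prefix subrange of any
        length, not necessarily a /64 subnet."""
        self._rules[ipaddress.IPv6Network(prefix, strict=False)] = enabled

    def allows(self, prefix):
        """Should a temporary address be generated for this advertised
        prefix?  The most specific rule covering it decides; with no
        covering rule the node-wide setting applies."""
        net = ipaddress.IPv6Network(prefix, strict=False)
        match = max((r for r in self._rules if net.subnet_of(r)),
                    key=lambda r: r.prefixlen, default=None)
        return self.enabled_by_default if match is None else self._rules[match]

    def select(self, advertised):
        """Filter the prefixes learned from Router Advertisement Prefix
        Information Options down to those that get temporary addresses."""
        return [p for p in advertised if self.allows(p)]


def site_a():
    """Temporary addresses everywhere except on Unique Local [RFC4193]
    prefixes (fc00::/7)."""
    policy = TempAddrPolicy(enabled_by_default=True)
    policy.set_prefix("fc00::/7", False)
    return policy


def site_b():
    """Temporary addresses only under 2001::/16 and 2002::/16; the
    per-prefix rules override the node-wide 'disabled'."""
    policy = TempAddrPolicy(enabled_by_default=False)
    policy.set_prefix("2001::/16", True)
    policy.set_prefix("2002::/16", True)
    return policy
```

   Because the per-prefix rule overrides the node-wide setting rather
   than being ANDed with it, site B's node-wide "disabled" does not
   suppress the two enabled ranges, which is the override semantics this
   section asks for.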

4.  Implications of Changing Interface Identifiers

   The desire to protect individual privacy and the desire to
   effectively maintain and debug a network can conflict with each
   other.  Having clients use addresses that change over time will make
   it more difficult to track down and isolate operational problems.
   For example, when looking at packet traces, it could become more
   difficult to determine whether one is seeing behavior caused by a
   single errant machine, or by a number of them.

   Some servers refuse to grant access to clients for which no DNS name
   exists.  That is, they perform a DNS PTR query to determine the DNS
   name, and may then also perform an AAAA query on the returned name to
   verify that the returned DNS name maps back into the address being
   used.  Consequently, clients not properly registered in the DNS may
   be unable to access some services.  As noted earlier, however, a
   node's DNS name (if non-changing) serves as a constant identifier.
   The wide deployment of the extension described in this document could
   challenge the practice of inverse-DNS-based "authentication", which
   has little validity, though it is widely implemented.  In order to
   meet server challenges, nodes could register temporary addresses in
   the DNS using random names (for example, a string version of the
   random address itself).

   Use of the extensions defined in this document may complicate
   debugging and other operational troubleshooting activities.
   Consequently, it may be site policy that temporary addresses should
   not be used.  Implementations therefore MUST provide a method for
   the end user or trusted administrator to override the use of
   temporary addresses.

5.  Defined Constants

   Constants defined in this document include:

   TEMP_VALID_LIFETIME -- Default value: 1 week.  Users should be able
   to override the default value.

   TEMP_PREFERRED_LIFETIME -- Default value: 1 day.
   Users should be able to override the default value.

   REGEN_ADVANCE -- 5 seconds

   MAX_DESYNC_FACTOR -- 10 minutes.  Upper bound on DESYNC_FACTOR.

   DESYNC_FACTOR -- A random value within the range 0 -
   MAX_DESYNC_FACTOR.  It is computed once at system start (rather than
   each time it is used) and must never be greater than
   (TEMP_VALID_LIFETIME - REGEN_ADVANCE).

   TEMP_IDGEN_RETRIES -- Default value: 3

6.  Future Work

   An implementation might want to keep track of which addresses are
   being used by upper layers so as to be able to remove a deprecated
   temporary address from internal data structures once no upper layer
   protocols are using it (but not before).  This is in contrast to
   current approaches where addresses are removed from an interface when
   they become invalid [RFC4862], independent of whether or not upper
   layer protocols are still using them.  For TCP connections, such
   information is available in control blocks.  For UDP-based
   applications, it may be the case that only the applications have
   knowledge about what addresses are actually in use.  Consequently, an
   implementation generally will need to use heuristics in deciding when
   an address is no longer in use.

   Recommendations on DNS practices to avoid the problem described in
   Section 4 when reverse DNS lookups fail may be needed.  [RFC4472]
   contains a more detailed discussion of the DNS-related issues.

   While this document discusses ways of obscuring a user's IP address,
   the method described is believed to be ineffective against
   sophisticated forms of traffic analysis.  To increase effectiveness,
   one may need to consider use of more advanced techniques, such as
   Onion Routing [ONION].

7.  Security Considerations

   Ingress filtering has been and is being deployed as a means of
   preventing the use of spoofed source addresses in Distributed Denial
   of Service (DDoS) attacks.
   In a network with a large number of nodes, new temporary addresses
   are created at a fairly high rate.  This might make it difficult for
   ingress filtering mechanisms to distinguish between legitimately
   changing temporary addresses and spoofed source addresses, which are
   "in-prefix" (using a topologically correct prefix and non-existent
   interface ID).  This can be addressed by using access control
   mechanisms on a per-address basis on the network egress point.

8.  Significant Changes from RFC4941

   This section summarizes the changes in this document relative to RFC
   4941 that an implementer of RFC 4941 should be aware of.

   1.  Discussion of IEEE-based IIDs has been removed, since the current
       recommendation ([RFC8064]) is to employ [RFC7217].

   2.  The document employs the terminology from [RFC7721].

   3.  Sections 2.2 and 2.3 of [RFC4941] have been removed since the
       topic has been discussed in more detail in e.g. [RFC7721].

   4.  The algorithm to generate randomized interface identifiers was
       replaced by two possible alternative algorithms.

   5.  Generation of stable addresses is not implied or required by this
       document.

   6.  Temporary addresses are *not* disabled by default.

   7.  Sections 3.2.1 and 3.2.2 from [RFC4941] were replaced with
       alternative algorithms.

   8.  Section 3.2.3 from [RFC4941] was removed, based on the
       explanation given in that very section of RFC4941.

   9.  All the verified errata for [RFC4941] have been incorporated.

9.  Acknowledgments

   The authors would like to thank (in alphabetical order) Brian
   Carpenter, Tim Chown, Lorenzo Colitti, David Farmer, Tom Herbert, Bob
   Hinden, Christian Huitema, Dave Plonka, Michael Richardson, Mark
   Smith, and Johanna Ullrich for providing valuable comments on earlier
   versions of this document.

   This document is based on [RFC4941] (a revision of RFC3041).  Suresh
   Krishnan was the sole author of RFC4941.
   He would like to acknowledge the contributions of the ipv6 working
   group and, in particular, Jari Arkko, Pekka Nikander, Pekka Savola,
   Francis Dupont, Brian Haberman, Tatuya Jinmei, and Margaret Wasserman
   for their detailed comments.

   Rich Draves and Thomas Narten were the authors of RFC 3041.  They
   would like to acknowledge the contributions of the ipv6 working group
   and, in particular, Ran Atkinson, Matt Crawford, Steve Deering,
   Allison Mankin, and Peter Bieringer.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              DOI 10.17487/RFC4086, June 2005.

   [RFC4193]  Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
              Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, DOI 10.17487/RFC4291, February
              2006.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862,
              DOI 10.17487/RFC4862, September 2007.

   [RFC4941]  Narten, T., Draves, R., and S. Krishnan, "Privacy
              Extensions for Stateless Address Autoconfiguration in
              IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007.

   [RFC5453]  Krishnan, S., "Reserved IPv6 Interface Identifiers",
              RFC 5453, DOI 10.17487/RFC5453, February 2009.

   [RFC6724]  Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown,
              "Default Address Selection for Internet Protocol Version 6
              (IPv6)", RFC 6724, DOI 10.17487/RFC6724, September 2012.

   [RFC7136]  Carpenter, B. and S. Jiang, "Significance of IPv6
              Interface Identifiers", RFC 7136, DOI 10.17487/RFC7136,
              February 2014.

   [RFC7217]  Gont, F., "A Method for Generating Semantically Opaque
              Interface Identifiers with IPv6 Stateless Address
              Autoconfiguration (SLAAC)", RFC 7217,
              DOI 10.17487/RFC7217, April 2014.

   [RFC8064]  Gont, F., Cooper, A., Thaler, D., and W. Liu,
              "Recommendation on Stable IPv6 Interface Identifiers",
              RFC 8064, DOI 10.17487/RFC8064, February 2017.

10.2.  Informative References

   [FIPS-SHS] NIST, "Secure Hash Standard (SHS)", FIPS
              Publication 180-4, March 2012.

   [IANA-RESERVED-IID]
              IANA, "Reserved IPv6 Interface Identifiers".

   [ONION]    Reed, MGR., Syverson, PFS., and DMG. Goldschlag, "Proxies
              for Anonymous Routing", Proceedings of the 12th Annual
              Computer Security Applications Conference, San Diego, CA,
              December 1996.

   [OPEN-GROUP]
              The Open Group, "The Open Group Base Specifications Issue
              7 / IEEE Std 1003.1-2008, 2016 Edition",
              Section 4.16 Seconds Since the Epoch, 2016.

   [RFC1321]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
              DOI 10.17487/RFC1321, April 1992.

   [RFC4472]  Durand, A., Ihren, J., and P. Savola, "Operational
              Considerations and Issues with IPv6 DNS", RFC 4472,
              DOI 10.17487/RFC4472, April 2006.

   [RFC5014]  Nordmark, E., Chakrabarti, S., and J. Laganier, "IPv6
              Socket API for Source Address Selection", RFC 5014,
              DOI 10.17487/RFC5014, September 2007.

   [RFC6059]  Krishnan, S. and G. Daley, "Simple Procedures for
              Detecting Network Attachment in IPv6", RFC 6059,
              DOI 10.17487/RFC6059, November 2010.

   [RFC6151]  Turner, S. and L. Chen, "Updated Security Considerations
              for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
              RFC 6151, DOI 10.17487/RFC6151, March 2011.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              DOI 10.17487/RFC6265, April 2011.

   [RFC7624]  Barnes, R., Schneier, B., Jennings, C., Hardie, T.,
              Trammell, B., Huitema, C., and D. Borkmann,
              "Confidentiality in the Face of Pervasive Surveillance: A
              Threat Model and Problem Statement", RFC 7624,
              DOI 10.17487/RFC7624, August 2015.

   [RFC7707]  Gont, F. and T. Chown, "Network Reconnaissance in IPv6
              Networks", RFC 7707, DOI 10.17487/RFC7707, March 2016.

   [RFC7721]  Cooper, A., Gont, F., and D. Thaler, "Security and Privacy
              Considerations for IPv6 Address Generation Mechanisms",
              RFC 7721, DOI 10.17487/RFC7721, March 2016.

   [RFC8415]  Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
              Richardson, M., Jiang, S., Lemon, T., and T. Winters,
              "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
              RFC 8415, DOI 10.17487/RFC8415, November 2018.

Authors' Addresses

   Fernando Gont
   SI6 Networks / UTN-FRH
   Evaristo Carriego 2644
   Haedo, Provincia de Buenos Aires 1706
   Argentina

   Phone: +54 11 4650 8472
   Email: fgont@si6networks.com
   URI:   http://www.si6networks.com

   Suresh Krishnan
   Ericsson Research
   8400 Decarie Blvd.
   Town of Mount Royal, QC
   Canada

   Email: suresh.krishnan@ericsson.com

   Thomas Narten
   IBM Corporation
   P.O. Box 12195
   Research Triangle Park, NC
   USA

   Email: narten@us.ibm.com

   Richard Draves
   Microsoft Research
   One Microsoft Way
   Redmond, WA
   USA

   Email: richdr@microsoft.com