idnits 2.17.1 draft-ietf-6man-stable-privacy-addresses-14.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 11, 2013) is 3851 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Obsolete normative reference: RFC 4941 (Obsoleted by RFC 8981) -- Obsolete informational reference (is this intentional?): RFC 1948 (Obsoleted by RFC 6528) == Outdated reference: A later version (-08) exists of draft-ietf-opsec-ipv6-host-scanning-02 Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IPv6 maintenance Working Group (6man) F. Gont 3 Internet-Draft SI6 Networks / UTN-FRH 4 Intended status: Standards Track October 11, 2013 5 Expires: April 14, 2014 7 A Method for Generating Semantically Opaque Interface Identifiers with 8 IPv6 Stateless Address Autoconfiguration (SLAAC) 9 draft-ietf-6man-stable-privacy-addresses-14 11 Abstract 13 This document specifies a method for generating IPv6 Interface 14 Identifiers to be used with IPv6 Stateless Address Autoconfiguration 15 (SLAAC), such that addresses configured using this method are stable 16 within each subnet, but the Interface Identifier changes when hosts 17 move from one network to another. This method is meant to be an 18 alternative to generating Interface Identifiers based on hardware 19 addresses (e.g., IEEE LAN MAC addresses), such that the benefits of 20 stable addresses can be achieved without sacrificing the privacy of 21 users. The method specified in this document applies to all prefixes 22 a host may be employing, including link-local, global, and unique- 23 local addresses. 25 Status of this Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on April 14, 2014. 42 Copyright Notice 44 Copyright (c) 2013 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 61 3. Relationship to Other standards . . . . . . . . . . . . . . . 7 62 4. Design goals . . . . . . . . . . . . . . . . . . . . . . . . . 8 63 5. Algorithm specification . . . . . . . . . . . . . . . . . . . 10 64 6. Resolving Duplicate Address Detection (DAD) conflicts . . . . 15 65 7. Specified Constants . . . . . . . . . . . . . . . . . . . . . 16 66 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 67 9. Security Considerations . . . . . . . . . . . . . . . . . . . 18 68 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20 69 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 70 11.1. Normative References . . . . . . . . . . . . . . . . . . 21 71 11.2. Informative References . . . . . . . . . . . . . . . . . 21 72 Appendix A. Possible sources for the Net_Iface parameter . . . . 24 73 A.1. Interface Index . . . . . . . . . . . . . . . . . . . . . 24 74 A.2. Interface Name . . . . . . . . . . . . . . . . . . . . . 24 75 A.3. Link-layer Addresses . . . . . . . . . . . . . . . . . . 24 76 A.4. Logical Network Service Identity . . . . . . . . . . . . 25 77 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 26 79 1. Introduction 81 [RFC4862] specifies Stateless Address Autoconfiguration (SLAAC) for 82 IPv6 [RFC2460], which typically results in hosts configuring one or 83 more "stable" addresses composed of a network prefix advertised by a 84 local router, and an Interface Identifier (IID) that typically embeds 85 a hardware address (e.g., an IEEE LAN MAC address) [RFC4291]. 86 Cryptographically Generated Addresses (CGAs) [RFC3972] are yet 87 another method for generating Interface Identifiers, which bind a 88 public signature key to an IPv6 address in the SEcure Neighbor 89 Discovery (SEND) [RFC3971] protocol. 91 Generally, the traditional SLAAC addresses are thought to simplify 92 network management, since they simplify Access Control Lists (ACLs) 93 and logging. However, they have a number of drawbacks: 95 o since the resulting Interface Identifiers do not vary over time, 96 they allow correlation of node activities within the same network, 97 thus negatively affecting the privacy of users (see 98 [I-D.cooper-6man-ipv6-address-generation-privacy] and 99 [IAB-PRIVACY]). 101 o since the resulting Interface Identifiers are constant across 102 networks, the resulting IPv6 addresses can be leveraged to track 103 and correlate the activity of a node across multiple networks 104 (e.g. track and correlate the activities of a typical client 105 connecting to the public Internet from different locations), thus 106 negatively affecting the privacy of users. 108 o since embedding the underlying link-layer address in the Interface 109 Identifier will result in specific address patterns, such patterns 110 may be leveraged by attackers to reduce the search space when 111 performing address scanning attacks 112 [I-D.ietf-opsec-ipv6-host-scanning]. For example, the IPv6 113 addresses of all nodes manufactured by the same vendor (within a 114 given time frame) will likely contain the same IEEE 115 Organizationally Unique Identifier (OUI) in the Interface 116 Identifier. 118 o embedding the underlying hardware address in the Interface 119 Identifier leaks device-specific information that could be 120 leveraged to launch device-specific attacks. 122 o embedding the underlying link-layer address in the Interface 123 Identifier means that replacement of the underlying interface 124 hardware will result in a change of the IPv6 address(es) assigned 125 to that interface. 127 [I-D.cooper-6man-ipv6-address-generation-privacy] provides additional 128 details regarding how these vulnerabilities could be exploited, and 129 the extent to which the method discussed in this document mitigates 130 them. 132 The "Privacy Extensions for Stateless Address Autoconfiguration in 133 IPv6" [RFC4941] (henceforth referred to as "temporary addresses") 134 were introduced to complicate the task of eavesdroppers and other 135 information collectors (e.g., IPv6 addresses in web server logs or 136 email headers, etc.) to correlate the activities of a node, and 137 basically result in temporary (and random) Interface Identifiers. 138 These temporary addresses are generated in addition to the 139 traditional IPv6 addresses based on IEEE LAC MAC addresses, with the 140 "temporary addresses" being employed for "outgoing communications", 141 and the traditional SLAAC addresses being employed for "server" 142 functions (i.e., receiving incoming connections). 144 It should be noted that temporary addresses can be challenging in a 145 number of areas. For example, from a network-management point of 146 view, they tend to increase the complexity of event logging, trouble- 147 shooting, enforcement of access controls and quality of service, etc. 148 As a result, some organizations disable the use of temporary 149 addresses even at the expense of reduced privacy [Broersma]. 150 Temporary addresses may also result in increased implementation 151 complexity, which might not be possible or desirable in some 152 implementations (e.g., some embedded devices). 154 In scenarios in which temporary addresses are deliberately not used 155 (possibly for any of the aforementioned reasons), all a host is left 156 with is the stable addresses that have typically been generated from 157 the underlying hardware addresses. In such scenarios, it may still 158 be desirable to have addresses that mitigate address scanning 159 attacks, and that at the very least do not reveal the node's identity 160 when roaming from one network to another -- without complicating the 161 operation of the corresponding networks. 163 However, even with "temporary addresses" in place, a number of issues 164 remain to be mitigated. Namely, 166 o since "temporary addresses" [RFC4941] do not eliminate the use of 167 fixed identifiers for server-like functions, they only partially 168 mitigate host-tracking and activity correlation across networks 169 (see [I-D.cooper-6man-ipv6-address-generation-privacy] for some 170 example attacks that are still possible with temporary addresses). 172 o since "temporary addresses" [RFC4941] do not replace the 173 traditional SLAAC addresses, an attacker can still leverage 174 patterns in SLAAC addresses to greatly reduce the search space for 175 "alive" nodes [Gont-DEEPSEC2011] [CPNI-IPv6] 176 [I-D.ietf-opsec-ipv6-host-scanning]. 178 Hence, there is a motivation to improve the properties of "stable" 179 addresses regardless of whether temporary addresses are employed or 180 not. 182 This document specifies a method to generate Interface Identifiers 183 that are stable/constant for each network interface within each 184 subnet, but that change as hosts move from one network to another, 185 thus keeping the "stability" properties of the Interface Identifiers 186 specified in [RFC4291], while still mitigating address-scanning 187 attacks and preventing correlation of the activities of a node as it 188 moves from one network to another. 190 2. Terminology 192 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 193 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 194 document are to be interpreted as described in RFC 2119 [RFC2119]. 196 3. Relationship to Other standards 198 The method specified in this document is orthogonal to the use of 199 "temporary" addresses [RFC4941], since it is meant to improve the 200 security and privacy properties of the stable addresses that are 201 employed along with the aforementioned "temporary" addresses. In 202 scenarios in which "temporary addresses" are employed, implementation 203 of the mechanism described in this document (in replacement of stable 204 addresses based on e.g., IEEE LAN MAC addresses) will mitigate 205 address-scanning attacks and also mitigate the remaining vectors for 206 correlating host activities based on the node's constant (i.e. stable 207 across networks) Interface Identifiers. On the other hand, for nodes 208 that currently disable "temporary addresses" [RFC4941], 209 implementation of this mechanism would mitigate the host-tracking and 210 address scanning issues discussed in Section 1. 212 While the method specified in this document is meant to be used with 213 SLAAC, this does not preclude this algorithm from being used with 214 other address configuration mechanisms, such as DHCPv6 [RFC3315] or 215 manual address configuration. 217 4. Design goals 219 This document specifies a method for generating Interface Identifiers 220 to be used with IPv6 SLAAC, with the following goals: 222 o The resulting Interface Identifiers remain constant/stable for 223 each prefix used with SLAAC within each subnet. That is, the 224 algorithm generates the same Interface Identifier when configuring 225 an address (for the same interface) belonging to the same prefix 226 within the same subnet. 228 o The resulting Interface Identifiers do change when addresses are 229 configured for different prefixes. That is, if different 230 autoconfiguration prefixes are used to configure addresses for the 231 same network interface card, the resulting Interface Identifiers 232 must be (statistically) different. This means that, given two 233 addresses produced by the method specified in this document, it 234 must be difficult for an attacker tell whether the addresses have 235 been generated/used by the same node. 237 o It must be difficult for an outsider to predict the Interface 238 Identifiers that will be generated by the algorithm, even with 239 knowledge of the Interface Identifiers generated for configuring 240 other addresses. 242 o Depending on the specific implementation approach (see Section 5 243 and Appendix A), the resulting Interface Identifiers may be 244 independent of the underlying hardware (e.g. IEEE LAN MAC 245 address). This means that e.g. replacing a Network Interface Card 246 (NIC) or adding links dynamically to a Link Aggregation Group 247 (LAG) will not have the (generally undesirable) effect of changing 248 the IPv6 addresses used for that network interface. 250 o The method specified in this document is meant to be an 251 alternative to producing IPv6 addresses based hardware addresses 252 (e.g. IEEE LAN MAC addresses, as specified in [RFC2464]). That 253 is, this document does not formally obsolete or deprecate any of 254 the existing algorithms to generate Interface Identifiers. It is 255 meant to be employed for all of the stable (i.e. non-temporary) 256 IPv6 addresses configured with SLAAC for a given interface, 257 including global, link-local, and unique-local IPv6 addresses. 259 We note that this method is incrementally deployable, since it does 260 not pose any interoperability implications when deployed on networks 261 where other nodes do not implement or employ it. Additionally, we 262 note that this document does not update or modify IPv6 StateLess 263 Address Auto-Configuration (SLAAC) [RFC4862] itself, but rather only 264 specifies an alternative algorithm to generate Interface Identifiers. 266 Therefore, the usual address lifetime properties (as specified in the 267 corresponding Prefix Information Options) apply when IPv6 addresses 268 are generated as a result of employing the algorithm specified in 269 this document with SLAAC [RFC4862]. Additionally, from the point of 270 view of renumbering, we note that these addresses behave like the 271 traditional IPv6 addresses (that embed a hardware address) resulting 272 from SLAAC [RFC4862]. 274 5. Algorithm specification 276 IPv6 implementations conforming to this specification MUST generate 277 Interface Identifiers using the algorithm specified in this section 278 in replacement of any other algorithms used for generating "stable" 279 addresses with SLAAC (such as those specified in [RFC2464], 280 [RFC2467], and [RFC2470]). However, implementations conforming to 281 this specification MAY employ the algorithm specified in [RFC4941] to 282 generate temporary addresses in addition to the addresses generated 283 with the algorithm specified in this document. The method specified 284 in this document MUST be employed for generating the Interface 285 Identifiers with SLAAC for all the stable addresses, including IPv6 286 global, link-local, and unique-local addresses. 288 Implementations conforming to this specification SHOULD provide the 289 means for a system administrator to enable or disable the use of this 290 algorithm for generating Interface Identifiers. 292 Unless otherwise noted, all of the parameters included in the 293 expression below MUST be included when generating an Interface 294 Identifier. 296 1. Compute a random (but stable) identifier with the expression: 298 RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) 300 Where: 302 RID: 303 Random (but stable) Identifier 305 F(): 306 A pseudorandom function (PRF) that MUST NOT be computable from 307 the outside (without knowledge of the secret key). F() MUST 308 also be difficult to reverse, such that it resists attempts to 309 obtain the secret_key, even when given samples of the output 310 of F() and knowledge or control of the other input parameters. 311 F() SHOULD produce an output of at least 64 bits. F() could 312 be implemented as a cryptographic hash of the concatenation of 313 each of the function parameters. 315 Prefix: 316 The prefix to be used for SLAAC, as learned from an ICMPv6 317 Router Advertisement message, or the link-local IPv6 unicast 318 prefix [RFC4291]. 320 Net_Iface: 321 An implementation-dependent stable identifier associated with 322 the network interface for which the RID is being generated. 323 An implementation MAY provide a configuration option to select 324 the source of the identifier to be used for the Net_Iface 325 parameter. A discussion of possible sources for this value 326 (along with the corresponding trade-offs) can be found in 327 Appendix A. 329 Network_ID: 330 Some network specific data that identifies the subnet to which 331 this interface is attached. For example the IEEE 802.11 332 Service Set Identifier (SSID) corresponding to the network to 333 which this interface is associated. This parameter is 334 OPTIONAL. 336 DAD_Counter: 337 A counter that is employed to resolve Duplicate Address 338 Detection (DAD) conflicts. It MUST be initialized to 0, and 339 incremented by 1 for each new tentative address that is 340 configured as a result of a DAD conflict. Implementations 341 that record DAD_Counter in non-volatile memory for each 342 {Prefix, Net_Iface, Network_ID} tuple MUST initialize 343 DAD_Counter to the recorded value if such an entry exists in 344 non-volatile memory. See Section 6 for additional details. 346 secret_key: 347 A secret key that is not known by the attacker. The secret 348 key MUST be initialized to a pseudo-random number (see 349 [RFC4086] for randomness requirements for security) at 350 operating system installation time or when the IPv6 protocol 351 stack is initialized for the first time. An implementation 352 MAY provide the means for the the system administrator to 353 change or display the secret key. 355 2. The Interface Identifier is finally obtained by taking as many 356 bits from the RID value (computed in the previous step) as 357 necessary, starting from the least significant bit. 359 We note that [RFC4291] requires that, the Interface IDs of all 360 unicast addresses (except those that start with the binary 361 value 000) be 64-bit long. However, the method discussed in 362 this document could be employed for generating Interface IDs 363 of any arbitrary length, albeit at the expense of reduced 364 entropy (when employing Interface IDs smaller than 64 bits). 366 The resulting Interface Identifier SHOULD be compared against the 367 Subnet-Router Anycast [RFC4291] and the Reserved Subnet Anycast 368 Addresses [RFC2526], and against those Interface Identifiers 369 already employed in an address of the same network interface and 370 the same network prefix. In the event that an unacceptable 371 identifier has been generated, this situation SHOULD be handled 372 in the same way as the case of duplicate addresses (see 373 Section 6). 375 This document does not require the use of any specific PRF for the 376 function F() above, since the choice of such PRF is usually a trade- 377 off between a number of properties (processing requirements, ease of 378 implementation, possible intellectual property rights, etc.), and 379 since the best possible choice for F() might be different for 380 different types of devices (e.g. embedded systems vs. regular 381 servers) and might possibly change over time. 383 Note that the result of F() in the algorithm above is no more secure 384 than the secret key. If an attacker is aware of the PRF that is 385 being used by the victim (which we should expect), and the attacker 386 can obtain enough material (i.e. addresses configured by the victim), 387 the attacker may simply search the entire secret-key space to find 388 matches. To protect against this, the secret key should be of a 389 reasonable length. Key lengths of at least 128 bits should be 390 adequate. The secret key is initialized at system installation time 391 to a pseudo-random number, thus allowing this mechanism to be 392 enabled/used automatically, without user intervention. 394 Including the SLAAC prefix in the PRF computation causes the 395 Interface Identifier to vary across each prefix (link-local, global, 396 etc.) employed by the node and, as consequently, also across 397 networks. This mitigates the correlation of activities of multi- 398 homed nodes (since each of the corresponding addresses will employ a 399 different Interface ID), host-tracking (since the network prefix will 400 change as the node moves from one network to another), and any other 401 attacks that benefit from predictable Interface Identifiers (such as 402 IPv6 address scanning attacks). 404 The Net_Iface is a value that identifies the network interface for 405 which an IPv6 address is being generated. The following properties 406 are required for the Net_Iface parameter: 408 o it MUST be constant across system bootstrap sequences and other 409 network events (e.g., bringing another interface up or down) 411 o it MUST be different for each network interface simultaneously in 412 use 414 Since the stability of the addresses generated with this method 415 relies on the stability of all arguments of F(), it is key that the 416 Net_Iface be constant across system bootstrap sequences and other 417 network events. Additionally, the Net_Iface must uniquely identify 418 an interface within the node, such that two interfaces connecting to 419 the same network do not result in duplicate addresses. Different 420 types of operating systems might benefit from different stability 421 properties of the Net_Iface parameter. For example, a client- 422 oriented operating system might want to employ Net_Iface identifiers 423 that are attached to the underlying network interface card (NIC), 424 such that a removable NIC always gets the same IPv6 address, 425 irrespective of the system communications port to which it is 426 attached. On the other hand, a server-oriented operating system 427 might prefer Net_Iface identifiers that are attached to system slots/ 428 ports, such that replacement of a network interface card does not 429 result in an IPv6 address change. Appendix A discusses possible 430 sources for the Net_Iface, along with their pros and cons. 432 Including the optional Network_ID parameter when computing the RID 433 value above causes the algorithm to produce a different Interface 434 Identifier when connecting to different networks, even when 435 configuring addresses belonging to the same prefix. This means that 436 a host would employ a different Interface Identifier as it moves from 437 one network to another even for IPv6 link-local addresses or Unique 438 Local Addresses (ULAs). In those scenarios where the Network_ID is 439 unknown to the attacker, including this parameter might help mitigate 440 attacks where a victim node connects to the same subnet as the 441 attacker, and the attacker tries to learn the Interface Identifier 442 used by the victim node for a remote network (see Section 9 for 443 further details). 445 The DAD_Counter parameter provides the means to intentionally cause 446 this algorithm to produce a different IPv6 addresses (all other 447 parameters being the same). This could be necessary to resolve 448 Duplicate Address Detection (DAD) conflicts, as discussed in detail 449 in Section 6. 451 Finally, we note that all of the bits in the resulting Interface IDs 452 are treated as "opaque" bits. For example, the universal/local bit 453 of Modified EUI-64 format identifiers is treated as any other bit of 454 such identifier. In theory, this might result in Duplicate Address 455 Detection (DAD) failures that would otherwise not be encountered. 456 However, this is not deemed as a real issue, because of the following 457 considerations: 459 o The interface IDs of all addresses (except those of addresses that 460 that start with the binary value 000) are 64-bit long. Since the 461 method specified in this document results in random Interface IDs, 462 the probability of DAD failures is very small. 464 o Real world data indicates that MAC address reuse is far more 465 common than assumed [HDMoore]. This means that even IPv6 466 addresses that employ (allegedly) unique identifiers (such as IEEE 467 LAN MAC addresses) might result in DAD failures, and hence 468 implementations should be prepared to gracefully handle such 469 occurrences. 471 o Since some popular and widely-deployed operating systems (such as 472 Microsoft Windows) do not employ unique hardware addresses for the 473 Interface IDs of their stable addresses, reliance on such unique 474 identifiers is more reduced in the deployed world (fewer deployed 475 systems rely on them for the avoidance of address collisions). 477 6. Resolving Duplicate Address Detection (DAD) conflicts 479 If as a result of performing Duplicate Address Detection (DAD) 480 [RFC4862] a host finds that the tentative address generated with the 481 algorithm specified in Section 5 is a duplicate address, it SHOULD 482 resolve the address conflict by trying a new tentative address as 483 follows: 485 o DAD_Counter is incremented by 1. 487 o A new Interface Identifier is generated with the algorithm 488 specified in Section 5, using the incremented DAD_Counter value. 490 Hosts SHOULD introduce a random delay between 0 and IDGEN_DELAY 491 seconds (see Section 7) before trying a new tentative address, to 492 avoid lock-step behavior of multiple hosts. 494 This procedure may be repeated a number of times until the address 495 conflict is resolved. Hosts SHOULD try at least IDGEN_RETRIES (see 496 Section 7) tentative addresses if DAD fails for successive generated 497 addresses, in the hopes of resolving the address conflict. We also 498 note that hosts MUST limit the number of tentative addresses that are 499 tried (rather than indefinitely try a new tentative address until the 500 conflict is resolved). 502 In those unlikely scenarios in which duplicate addresses are detected 503 and in which the order in which the conflicting nodes configure their 504 addresses may vary (e.g., because they may be bootstrapped in 505 different order), the algorithm specified in this section for 506 resolving DAD conflicts could lead to addresses that are not stable 507 within the same subnet. In order to mitigate this potential problem, 508 nodes MAY record the DAD_Counter value employed for a specific 509 {Prefix, Net_Iface, Network_ID} tuple in non-volatile memory, such 510 that the same DAD_Counter value is employed when configuring an 511 address for the same Prefix and subnet at any other point in time. 512 We note that the use of non-volatile memory is OPTIONAL, and hosts 513 that do not implement this feature are still compliant to this 514 protocol specification. 516 In the event that a DAD conflict cannot be solved (possibly after 517 trying a number of different addresses), address configuration would 518 fail. In those scenarios, nodes MUST NOT automatically fall back to 519 employing other algorithms for generating Interface Identifiers. 521 7. Specified Constants 523 This document specifies the following constant: 525 IDGEN_RETRIES: 526 defaults to 3. 528 IDGEN_DELAY: 529 defaults to 1 second. 531 8. IANA Considerations 533 There are no IANA registries within this document. The RFC-Editor 534 can remove this section before publication of this document as an 535 RFC. 537 9. Security Considerations 539 This document specifies an algorithm for generating Interface 540 Identifiers to be used with IPv6 Stateless Address Autoconfiguration 541 (SLAAC), as an alternative to e.g. Interface Identifiers that embed 542 hardware addresses (such as those specified in [RFC2464], [RFC2467], 543 and [RFC2470]). When compared to such identifiers, the identifiers 544 specified in this document have a number of advantages: 546 o They prevent trivial host-tracking, since when a host moves from 547 one network to another the network prefix used for 548 autoconfiguration and/or the Network ID (e.g., IEEE 802.11 SSID) 549 will typically change, and hence the resulting Interface 550 Identifier will also change (see 551 [I-D.cooper-6man-ipv6-address-generation-privacy]). 553 o They mitigate address-scanning techniques which leverage 554 predictable Interface Identifiers (e.g., known Organizationally 555 Unique Identifiers) [I-D.ietf-opsec-ipv6-host-scanning]. 557 o They may result in IPv6 addresses that are independent of the 558 underlying hardware (i.e. the resulting IPv6 addresses do not 559 change if a network interface card is replaced) if an appropriate 560 source for Net_Iface (Section 5) is employed. 562 o They prevent the information leakage produced by embedding 563 hardware addresses in the Interface Identifier (which could be 564 exploited to launch device-specific attacks). 566 o Since the method specified in this document will result in 567 different Interface Identifiers for each configured address, 568 knowledge/leakage of the Interface Identifier employed for one 569 stable address will not negatively affect the security/privacy of 570 other stable addresses configured for other prefixes (whether at 571 the same time or at some other point in time). 573 We note that while some probing techniques (such as the use of ICMPv6 574 Echo Request and ICMPv6 Echo Response packets) could be mitigated by 575 a personal firewall at the target host, for other probing vectors, 576 such as listening to ICMPv6 "Destination Unreachable, Address 577 Unreachable" (Type 1, Code 3) error messages referring to the target 578 addresses [I-D.ietf-opsec-ipv6-host-scanning], there is nothing a 579 host can do (e.g., a personal firewall at the target host would not 580 be able to mitigate this probing technique). Hence, the method 581 specified in this document is still of value for nodes that employ 582 personal firewalls. 584 In scenarios in which an attacker can connect to the same subnet as a 585 victim node, the attacker might be able to learn the Interface 586 Identifier employed by the victim node for an arbitrary prefix, by 587 simply sending a forged Router Advertisement [RFC4861] for that 588 prefix, and subsequently learning the corresponding address 589 configured by the victim node (either listening to the Duplicate 590 Address Detection packets, or to any other traffic that employs the 591 newly configured address). We note that a number of factors might 592 limit the ability of an attacker to successfully perform such an 593 attack: 595 o First-Hop security mechanisms such as RA-Guard [RFC6105] 596 [I-D.ietf-v6ops-ra-guard-implementation] could prevent the forged 597 Router Advertisement from reaching the victim node 599 o If the victim implementation includes the (optional) Network_ID 600 parameter for computing F() (see Section 5), and the Network_ID 601 employed by the victim for a remote network is unknown to the 602 attacker, the Interface Identifier learned by the attacker would 603 differ from the one used by the victim when connecting to the 604 legitimate network. 606 In any case, we note that at the point in which this kind of attack 607 becomes a concern, a host should consider employing Secure Neighbor 608 Discovery (SEND) [RFC3971] to prevent an attacker from illegitimately 609 claiming authority for a network prefix. 611 We note that this algorithm is meant to be an alternative to 612 Interface Identifiers such as those specified in [RFC2464], but is 613 not meant as an alternative to temporary Interface Identifiers (such 614 as those specified in [RFC4941]). Clearly, temporary addresses may 615 help to mitigate the correlation of activities of a node within the 616 same network, and may also reduce the attack exposure window (since 617 temporary addresses are short-lived when compared to the addresses 618 generated with the method specified in this document). We note that 619 implementation of this algorithm would still benefit those hosts 620 employing "temporary addresses", since it would mitigate host- 621 tracking vectors still present when such addresses are used (see 622 [I-D.cooper-6man-ipv6-address-generation-privacy]), and would also 623 mitigate address-scanning techniques that leverage patterns in IPv6 624 addresses that embed IEEE LAN MAC addresses. Finally, we note that 625 the method described in this document addresses some of the privacy 626 concerns arising from the use of IPv6 addresses that embed IEEE LAN 627 MAC addresses, without the use of temporary addresses, thus possibly 628 offering an interesting trade-off for those scenarios in which the 629 use of temporary addresses is not feasible. 631 10. Acknowledgements 633 The algorithm specified in this document has been inspired by Steven 634 Bellovin's work ([RFC1948]) in the area of TCP sequence numbers. 636 The author would like to thank (in alphabetical order) Mikael 637 Abrahamsson, Ran Atkinson, Karl Auer, Steven Bellovin, Matthias 638 Bethke, Ben Campbell, Brian Carpenter, Tassos Chatzithomaoglou, Tim 639 Chown, Alissa Cooper, Dominik Elsbroek, Eric Gray, Brian Haberman, 640 Bob Hinden, Christian Huitema, Ray Hunter, Jouni Korhonen, Eliot 641 Lear, Jong-Hyouk Lee, Andrew McGregor, Tom Petch, Michael Richardson, 642 Mark Smith, Dave Thaler, Ole Troan, James Woodyatt, and He Xuan, for 643 providing valuable comments on earlier versions of this document. 645 This document is based on the technical report "Security Assessment 646 of the Internet Protocol version 6 (IPv6)" [CPNI-IPv6] authored by 647 Fernando Gont on behalf of the UK Centre for the Protection of 648 National Infrastructure (CPNI). 650 The author would like to thank CPNI (http://www.cpni.gov.uk) for 651 their continued support. 653 11. References 655 11.1. Normative References 657 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 658 (IPv6) Specification", RFC 2460, December 1998. 660 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 661 Requirement Levels", BCP 14, RFC 2119, March 1997. 663 [RFC2526] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast 664 Addresses", RFC 2526, March 1999. 666 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 667 and M. Carney, "Dynamic Host Configuration Protocol for 668 IPv6 (DHCPv6)", RFC 3315, July 2003. 670 [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure 671 Neighbor Discovery (SEND)", RFC 3971, March 2005. 673 [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", 674 RFC 3972, March 2005. 676 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 677 Requirements for Security", BCP 106, RFC 4086, June 2005. 679 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 680 Unique IDentifier (UUID) URN Namespace", RFC 4122, 681 July 2005. 683 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 684 Architecture", RFC 4291, February 2006. 686 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 687 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 688 September 2007. 690 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 691 Address Autoconfiguration", RFC 4862, September 2007. 693 [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy 694 Extensions for Stateless Address Autoconfiguration in 695 IPv6", RFC 4941, September 2007. 697 11.2. Informative References 699 [RFC1948] Bellovin, S., "Defending Against Sequence Number Attacks", 700 RFC 1948, May 1996. 702 [RFC2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet 703 Networks", RFC 2464, December 1998. 705 [RFC2467] Crawford, M., "Transmission of IPv6 Packets over FDDI 706 Networks", RFC 2467, December 1998. 708 [RFC2470] Crawford, M., Narten, T., and S. Thomas, "Transmission of 709 IPv6 Packets over Token Ring Networks", RFC 2470, 710 December 1998. 712 [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. 713 Stevens, "Basic Socket Interface Extensions for IPv6", 714 RFC 3493, February 2003. 716 [RFC3542] Stevens, W., Thomas, M., Nordmark, E., and T. Jinmei, 717 "Advanced Sockets Application Program Interface (API) for 718 IPv6", RFC 3542, May 2003. 720 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. 721 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, 722 February 2011. 724 [I-D.ietf-opsec-ipv6-host-scanning] 725 Gont, F. and T. Chown, "Network Reconnaissance in IPv6 726 Networks", draft-ietf-opsec-ipv6-host-scanning-02 (work in 727 progress), July 2013. 729 [I-D.ietf-v6ops-ra-guard-implementation] 730 Gont, F., "Implementation Advice for IPv6 Router 731 Advertisement Guard (RA-Guard)", 732 draft-ietf-v6ops-ra-guard-implementation-07 (work in 733 progress), November 2012. 735 [I-D.cooper-6man-ipv6-address-generation-privacy] 736 Cooper, A., Gont, F., and D. Thaler, "Privacy 737 Considerations for IPv6 Address Generation Mechanisms", 738 draft-cooper-6man-ipv6-address-generation-privacy-00 (work 739 in progress), July 2013. 741 [HDMoore] HD Moore, "The Wild West", Louisville, Kentucky, U.S.A. 742 September 25-29, 2012, 743 . 745 [Gont-DEEPSEC2011] 746 Gont, "Results of a Security Assessment of the Internet 747 Protocol version 6 (IPv6)", DEEPSEC 2011 Conference, 748 Vienna, Austria, November 2011, . 752 [Broersma] 753 Broersma, R., "IPv6 Everywhere: Living with a Fully IPv6- 754 enabled environment", Australian IPv6 Summit 2010, 755 Melbourne, VIC Australia, October 2010, . 758 [IAB-PRIVACY] 759 IAB, "Privacy and IPv6 Addresses", July 2011, . 763 [CPNI-IPv6] 764 Gont, F., "Security Assessment of the Internet Protocol 765 version 6 (IPv6)", UK Centre for the Protection of 766 National Infrastructure, (available on request). 768 Appendix A. Possible sources for the Net_Iface parameter 770 The following subsections describe a number of possible sources for 771 the Net_Iface parameter employed by the F() function in Section 5. 772 The choice of a specific source for this value represents a number of 773 trade-offs, which may vary from one implementation to another. 775 A.1. Interface Index 777 The Interface Index [RFC3493] [RFC3542] of an interface uniquely 778 identifies an interface within a node. However, these identifiers 779 might or might not have the stability properties required for the 780 Net_Iface value employed by this method. For example, the Interface 781 Index might change upon removal or installation of a network 782 interface (typically one with a smaller value for the Interface 783 Index, when such a naming scheme is used), or when network interfaces 784 happen to be initialized in a different order. We note that some 785 implementations are known to provide configuration knobs to set the 786 Interface Index for a given interface. Such configuration knobs 787 could be employed to prevent the Interface Index from changing (e.g. 788 as a result of the removal of a network interface). 790 A.2. Interface Name 792 The Interface Name (e.g., "eth0", "em0", etc) tends to be more stable 793 than the underlying Interface Index, since such stability is 794 required/desired when interface names are employed in network 795 configuration (firewall rules, etc.). The stability properties of 796 Interface Names depend on implementation details, such as what is the 797 namespace used for Interface Names. For example, "generic" interface 798 names such as "eth0" or "wlan0" will generally be invariant with 799 respect to network interface card replacements. On the other hand, 800 vendor-dependent interface names such as "rtk0" or the like will 801 generally change when a network interface card is replaced with one 802 from a different vendor. 804 We note that Interface Names might still change when network 805 interfaces are added or removed once the system has been bootstrapped 806 (for example, consider Universal Serial Bus-based network interface 807 cards which might be added or removed once the system has been 808 bootstrapped). 810 A.3. Link-layer Addresses 812 Link-layer addresses typically provide for unique identifiers for 813 network interfaces; although, for obvious reasons, they generally 814 change when a network interface card is replaced. In scenarios where 815 neither Interface Indexes nor Interface Names have the stability 816 properties specified in Section 5 for Net_Iface, an implementation 817 might want to employ the link-layer address of the interface for the 818 Net_Iface parameter, albeit at the expense of making the 819 corresponding IPv6 addresses dependent on the underlying network 820 interface card (i.e., the corresponding IPv6 address would typically 821 change upon replacement of the underlying network interface card). 823 A.4. Logical Network Service Identity 825 Host operating systems with a conception of logical network service 826 identity, distinct from network interface identity or index, may keep 827 a Universally Unique Identifier (UUID) [RFC4122] or similar 828 identifier with the stability properties appropriate for use as the 829 Net_Iface parameter. 831 Author's Address 833 Fernando Gont 834 SI6 Networks / UTN-FRH 835 Evaristo Carriego 2644 836 Haedo, Provincia de Buenos Aires 1706 837 Argentina 839 Phone: +54 11 4650 8472 840 Email: fgont@si6networks.com 841 URI: http://www.si6networks.com