idnits 2.17.1 draft-ietf-6man-stable-privacy-addresses-17.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 27, 2014) is 3704 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Obsolete normative reference: RFC 4941 (Obsoleted by RFC 8981) -- Obsolete informational reference (is this intentional?): RFC 1948 (Obsoleted by RFC 6528) == Outdated reference: A later version (-08) exists of draft-ietf-opsec-ipv6-host-scanning-02 == Outdated reference: A later version (-08) exists of draft-ietf-6man-ipv6-address-generation-privacy-00 Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IPv6 maintenance Working Group (6man) F. Gont 3 Internet-Draft SI6 Networks / UTN-FRH 4 Intended status: Standards Track January 27, 2014 5 Expires: July 31, 2014 7 A Method for Generating Semantically Opaque Interface Identifiers with 8 IPv6 Stateless Address Autoconfiguration (SLAAC) 9 draft-ietf-6man-stable-privacy-addresses-17 11 Abstract 13 This document specifies a method for generating IPv6 Interface 14 Identifiers to be used with IPv6 Stateless Address Autoconfiguration 15 (SLAAC), such that addresses configured using this method are stable 16 within each subnet, but the Interface Identifier changes when hosts 17 move from one network to another. This method is meant to be an 18 alternative to generating Interface Identifiers based on hardware 19 addresses (e.g., IEEE LAN MAC addresses), such that the benefits of 20 stable addresses can be achieved without sacrificing the privacy of 21 users. The method specified in this document applies to all prefixes 22 a host may be employing, including link-local, global, and unique- 23 local addresses. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on July 31, 2014. 42 Copyright Notice 44 Copyright (c) 2014 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 60 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 61 3. Relationship to Other standards . . . . . . . . . . . . . . . 5 62 4. Design goals . . . . . . . . . . . . . . . . . . . . . . . . 5 63 5. Algorithm specification . . . . . . . . . . . . . . . . . . . 6 64 6. Resolving Duplicate Address Detection (DAD) conflicts . . . . 11 65 7. Specified Constants . . . . . . . . . . . . . . . . . . . . . 12 66 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 67 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 68 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 69 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 70 11.1. Normative References . . . . . . . . . . . . . . . . . . 15 71 11.2. Informative References . . . . . . . . . . . . . . . . . 16 72 Appendix A. Possible sources for the Net_Iface parameter . . . . 18 73 A.1. Interface Index . . . . . . . . . . . . . . . . . . . . . 18 74 A.2. Interface Name . . . . . . . . . . . . . . . . . . . . . 18 75 A.3. Link-layer Addresses . . . . . . . . . . . . . . . . . . 19 76 A.4. Logical Network Service Identity . . . . . . . . . . . . 19 77 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 19 79 1. Introduction 81 [RFC4862] specifies Stateless Address Autoconfiguration (SLAAC) for 82 IPv6 [RFC2460], which typically results in hosts configuring one or 83 more "stable" addresses composed of a network prefix advertised by a 84 local router, and an Interface Identifier (IID) that typically embeds 85 a hardware address (e.g., an IEEE LAN MAC address) [RFC4291]. 86 Cryptographically Generated Addresses (CGAs) [RFC3972] are yet 87 another method for generating Interface Identifiers, which bind a 88 public signature key to an IPv6 address in the SEcure Neighbor 89 Discovery (SEND) [RFC3971] protocol. 91 Generally, the traditional SLAAC addresses are thought to simplify 92 network management, since they simplify Access Control Lists (ACLs) 93 and logging. However, they have a number of drawbacks: 95 o since the resulting Interface Identifiers do not vary over time, 96 they allow correlation of node activities within the same network, 97 thus negatively affecting the privacy of users (see 98 [I-D.ietf-6man-ipv6-address-generation-privacy] and 99 [IAB-PRIVACY]). 101 o since the resulting Interface Identifiers are constant across 102 networks, the resulting IPv6 addresses can be leveraged to track 103 and correlate the activity of a node across multiple networks 104 (e.g. track and correlate the activities of a typical client 105 connecting to the public Internet from different locations), thus 106 negatively affecting the privacy of users. 108 o since embedding the underlying link-layer address in the Interface 109 Identifier will result in specific address patterns, such patterns 110 may be leveraged by attackers to reduce the search space when 111 performing address scanning attacks 112 [I-D.ietf-opsec-ipv6-host-scanning]. For example, the IPv6 113 addresses of all nodes manufactured by the same vendor (within a 114 given time frame) will likely contain the same IEEE 115 Organizationally Unique Identifier (OUI) in the Interface 116 Identifier. 118 o embedding the underlying hardware address in the Interface 119 Identifier leaks device-specific information that could be 120 leveraged to launch device-specific attacks. 122 o embedding the underlying link-layer address in the Interface 123 Identifier means that replacement of the underlying interface 124 hardware will result in a change of the IPv6 address(es) assigned 125 to that interface. 127 [I-D.ietf-6man-ipv6-address-generation-privacy] provides additional 128 details regarding how these vulnerabilities could be exploited, and 129 the extent to which the method discussed in this document mitigates 130 them. 132 The "Privacy Extensions for Stateless Address Autoconfiguration in 133 IPv6" [RFC4941] (henceforth referred to as "temporary addresses") 134 were introduced to complicate the task of eavesdroppers and other 135 information collectors (e.g., IPv6 addresses in web server logs or 136 email headers, etc.) to correlate the activities of a node, and 137 basically result in temporary (and random) Interface Identifiers. 138 These temporary addresses are generated in addition to the 139 traditional IPv6 addresses based on IEEE LAN MAC addresses, with the 140 "temporary addresses" being employed for "outgoing communications", 141 and the traditional SLAAC addresses being employed for "server" 142 functions (i.e., receiving incoming connections). 144 It should be noted that temporary addresses can be challenging in a 145 number of areas. For example, from a network-management point of 146 view, they tend to increase the complexity of event logging, trouble- 147 shooting, enforcement of access controls and quality of service, etc. 148 As a result, some organizations disable the use of temporary 149 addresses even at the expense of reduced privacy [Broersma]. 150 Temporary addresses may also result in increased implementation 151 complexity, which might not be possible or desirable in some 152 implementations (e.g., some embedded devices). 154 In scenarios in which temporary addresses are deliberately not used 155 (possibly for any of the aforementioned reasons), all a host is left 156 with is the stable addresses that have typically been generated from 157 the underlying hardware addresses. In such scenarios, it may still 158 be desirable to have addresses that mitigate address scanning 159 attacks, and that at the very least do not reveal the node's identity 160 when roaming from one network to another -- without complicating the 161 operation of the corresponding networks. 163 However, even with "temporary addresses" in place, a number of issues 164 remain to be mitigated. Namely, 166 o since "temporary addresses" [RFC4941] do not eliminate the use of 167 fixed identifiers for server-like functions, they only partially 168 mitigate host-tracking and activity correlation across networks 169 (see [I-D.ietf-6man-ipv6-address-generation-privacy] for some 170 example attacks that are still possible with temporary addresses). 172 o since "temporary addresses" [RFC4941] do not replace the 173 traditional SLAAC addresses, an attacker can still leverage 174 patterns in SLAAC addresses to greatly reduce the search space for 175 "alive" nodes [Gont-DEEPSEC2011] [CPNI-IPv6] 176 [I-D.ietf-opsec-ipv6-host-scanning]. 178 Hence, there is a motivation to improve the properties of "stable" 179 addresses regardless of whether temporary addresses are employed or 180 not. 182 This document specifies a method to generate Interface Identifiers 183 that are stable/constant for each network interface within each 184 subnet, but that change as hosts move from one network to another, 185 thus keeping the "stability" properties of the Interface Identifiers 186 specified in [RFC4291], while still mitigating address-scanning 187 attacks and preventing correlation of the activities of a node as it 188 moves from one network to another. 190 2. Terminology 192 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 193 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 194 document are to be interpreted as described in RFC 2119 [RFC2119]. 196 3. Relationship to Other standards 198 The method specified in this document is orthogonal to the use of 199 "temporary" addresses [RFC4941], since it is meant to improve the 200 security and privacy properties of the stable addresses that are 201 employed along with the aforementioned "temporary" addresses. In 202 scenarios in which "temporary addresses" are employed, implementation 203 of the mechanism described in this document (in replacement of stable 204 addresses based on e.g., IEEE LAN MAC addresses) will mitigate 205 address-scanning attacks and also mitigate the remaining vectors for 206 correlating host activities based on the node's constant (i.e. stable 207 across networks) Interface Identifiers. On the other hand, for nodes 208 that currently disable "temporary addresses" [RFC4941], 209 implementation of this mechanism would mitigate the host-tracking and 210 address scanning issues discussed in Section 1. 212 While the method specified in this document is meant to be used with 213 SLAAC, this does not preclude this algorithm from being used with 214 other address configuration mechanisms, such as DHCPv6 [RFC3315] or 215 manual address configuration. 217 4. Design goals 219 This document specifies a method for generating Interface Identifiers 220 to be used with IPv6 SLAAC, with the following goals: 222 o The resulting Interface Identifiers remain stable for each prefix 223 used with SLAAC within each subnet for the same network interface. 224 That is, the algorithm generates the same Interface Identifier 225 when configuring an address (for the same interface) belonging to 226 the same prefix within the same subnet. 228 o The resulting Interface Identifiers must change when addresses are 229 configured for different prefixes. That is, if different 230 autoconfiguration prefixes are used to configure addresses for the 231 same network interface card, the resulting Interface Identifiers 232 must be (statistically) different. This means that, given two 233 addresses produced by the method specified in this document, it 234 must be difficult for an attacker tell whether the addresses have 235 been generated/used by the same node. 237 o It must be difficult for an outsider to predict the Interface 238 Identifiers that will be generated by the algorithm, even with 239 knowledge of the Interface Identifiers generated for configuring 240 other addresses. 242 o Depending on the specific implementation approach (see Section 5 243 and Appendix A), the resulting Interface Identifiers may be 244 independent of the underlying hardware (e.g. IEEE LAN MAC 245 address). This means that e.g. replacing a Network Interface Card 246 (NIC) or adding links dynamically to a Link Aggregation Group 247 (LAG) will not have the (generally undesirable) effect of changing 248 the IPv6 addresses used for that network interface. 250 o The method specified in this document is meant to be an 251 alternative to producing IPv6 addresses based hardware addresses 252 (e.g. IEEE LAN MAC addresses, as specified in [RFC2464]). That 253 is, this document does not formally obsolete or deprecate any of 254 the existing algorithms to generate Interface Identifiers. It is 255 meant to be employed for all of the stable (i.e. non-temporary) 256 IPv6 addresses configured with SLAAC for a given interface, 257 including global, link-local, and unique-local IPv6 addresses. 259 We note that this method is incrementally deployable, since it does 260 not pose any interoperability implications when deployed on networks 261 where other nodes do not implement or employ it. Additionally, we 262 note that this document does not update or modify IPv6 StateLess 263 Address Auto-Configuration (SLAAC) [RFC4862] itself, but rather only 264 specifies an alternative algorithm to generate Interface Identifiers. 265 Therefore, the usual address lifetime properties (as specified in the 266 corresponding Prefix Information Options) apply when IPv6 addresses 267 are generated as a result of employing the algorithm specified in 268 this document with SLAAC [RFC4862]. Additionally, from the point of 269 view of renumbering, we note that these addresses behave like the 270 traditional IPv6 addresses (that embed a hardware address) resulting 271 from SLAAC [RFC4862]. 273 5. Algorithm specification 275 IPv6 implementations conforming to this specification MUST generate 276 Interface Identifiers using the algorithm specified in this section 277 in replacement of any other algorithms used for generating "stable" 278 addresses with SLAAC (such as those specified in [RFC2464], 279 [RFC2467], and [RFC2470]). However, implementations conforming to 280 this specification MAY employ the algorithm specified in [RFC4941] to 281 generate temporary addresses in addition to the addresses generated 282 with the algorithm specified in this document. The method specified 283 in this document MUST be employed for generating the Interface 284 Identifiers with SLAAC for all the stable addresses, including IPv6 285 global, link-local, and unique-local addresses. 287 Implementations conforming to this specification SHOULD provide the 288 means for a system administrator to enable or disable the use of this 289 algorithm for generating Interface Identifiers. 291 Unless otherwise noted, all of the parameters included in the 292 expression below MUST be included when generating an Interface 293 Identifier. 295 1. Compute a random (but stable) identifier with the expression: 297 RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) 299 Where: 301 RID: 302 Random (but stable) Identifier 304 F(): 305 A pseudorandom function (PRF) that MUST NOT be computable from 306 the outside (without knowledge of the secret key). F() MUST 307 also be difficult to reverse, such that it resists attempts to 308 obtain the secret_key, even when given samples of the output 309 of F() and knowledge or control of the other input parameters. 310 F() SHOULD produce an output of at least 64 bits. F() could 311 be implemented as a cryptographic hash of the concatenation of 312 each of the function parameters. SHA-1 [FIPS-SHS] and SHA-256 313 are two possible options for F(). Note: MD5 [RFC1321] is 314 considered unacceptable for F() [RFC6151]. 316 Prefix: 317 The prefix to be used for SLAAC, as learned from an ICMPv6 318 Router Advertisement message, or the link-local IPv6 unicast 319 prefix [RFC4291]. 321 Net_Iface: 322 An implementation-dependent stable identifier associated with 323 the network interface for which the RID is being generated. 324 An implementation MAY provide a configuration option to select 325 the source of the identifier to be used for the Net_Iface 326 parameter. A discussion of possible sources for this value 327 (along with the corresponding trade-offs) can be found in 328 Appendix A. 330 Network_ID: 332 Some network specific data that identifies the subnet to which 333 this interface is attached. For example the IEEE 802.11 334 Service Set Identifier (SSID) corresponding to the network to 335 which this interface is associated. Additionally, Simple DNA 336 [RFC6059] describes ideas that could be leveraged to generate 337 a Network_ID parameter. This parameter is OPTIONAL. 339 DAD_Counter: 340 A counter that is employed to resolve Duplicate Address 341 Detection (DAD) conflicts. It MUST be initialized to 0, and 342 incremented by 1 for each new tentative address that is 343 configured as a result of a DAD conflict. Implementations 344 that record DAD_Counter in non-volatile memory for each 345 {Prefix, Net_Iface, Network_ID} tuple MUST initialize 346 DAD_Counter to the recorded value if such an entry exists in 347 non-volatile memory. See Section 6 for additional details. 349 secret_key: 350 A secret key that is not known by the attacker. The secret 351 key MUST be initialized to a pseudo-random number (see 352 [RFC4086] for randomness requirements for security) at 353 operating system installation time or when the IPv6 protocol 354 stack is initialized for the first time. An implementation 355 MAY provide the means for the the system administrator to 356 display and change the secret key. 358 2. The Interface Identifier is finally obtained by taking as many 359 bits from the RID value (computed in the previous step) as 360 necessary, starting from the least significant bit. 362 We note that [RFC4291] requires that, the Interface IDs of all 363 unicast addresses (except those that start with the binary 364 value 000) be 64-bit long. However, the method discussed in 365 this document could be employed for generating Interface IDs 366 of any arbitrary length, albeit at the expense of reduced 367 entropy (when employing Interface IDs smaller than 64 bits). 369 The resulting Interface Identifier SHOULD be compared against the 370 reserved IPv6 Interface Identifiers [RFC5453] 371 [IANA-RESERVED-IID], and against those Interface Identifiers 372 already employed in an address of the same network interface and 373 the same network prefix. In the event that an unacceptable 374 identifier has been generated, this situation SHOULD be handled 375 in the same way as the case of duplicate addresses (see 376 Section 6). 378 This document does not require the use of any specific PRF for the 379 function F() above, since the choice of such PRF is usually a trade- 380 off between a number of properties (processing requirements, ease of 381 implementation, possible intellectual property rights, etc.), and 382 since the best possible choice for F() might be different for 383 different types of devices (e.g. embedded systems vs. regular 384 servers) and might possibly change over time. 386 Including the SLAAC prefix in the PRF computation causes the 387 Interface Identifier to vary across each prefix (link-local, global, 388 etc.) employed by the node and, as consequently, also across 389 networks. This mitigates the correlation of activities of multi- 390 homed nodes (since each of the corresponding addresses will employ a 391 different Interface ID), host-tracking (since the network prefix will 392 change as the node moves from one network to another), and any other 393 attacks that benefit from predictable Interface Identifiers (such as 394 IPv6 address scanning attacks). 396 The Net_Iface is a value that identifies the network interface for 397 which an IPv6 address is being generated. The following properties 398 are required for the Net_Iface parameter: 400 o it MUST be constant across system bootstrap sequences and other 401 network events (e.g., bringing another interface up or down) 403 o it MUST be different for each network interface simultaneously in 404 use 406 Since the stability of the addresses generated with this method 407 relies on the stability of all arguments of F(), it is key that the 408 Net_Iface be constant across system bootstrap sequences and other 409 network events. Additionally, the Net_Iface must uniquely identify 410 an interface within the node, such that two interfaces connecting to 411 the same network do not result in duplicate addresses. Different 412 types of operating systems might benefit from different stability 413 properties of the Net_Iface parameter. For example, a client- 414 oriented operating system might want to employ Net_Iface identifiers 415 that are attached to the NIC, such that a removable NIC always gets 416 the same IPv6 address, irrespective of the system communications port 417 to which it is attached. On the other hand, a server-oriented 418 operating system might prefer Net_Iface identifiers that are attached 419 to system slots/ports, such that replacement of a network interface 420 card does not result in an IPv6 address change. Appendix A discusses 421 possible sources for the Net_Iface, along with their pros and cons. 423 Including the optional Network_ID parameter when computing the RID 424 value above causes the algorithm to produce a different Interface 425 Identifier when connecting to different networks, even when 426 configuring addresses belonging to the same prefix. This means that 427 a host would employ a different Interface Identifier as it moves from 428 one network to another even for IPv6 link-local addresses or Unique 429 Local Addresses (ULAs) [RFC4193]. In those scenarios where the 430 Network_ID is unknown to the attacker, including this parameter might 431 help mitigate attacks where a victim node connects to the same subnet 432 as the attacker, and the attacker tries to learn the Interface 433 Identifier used by the victim node for a remote network (see 434 Section 9 for further details). 436 The DAD_Counter parameter provides the means to intentionally cause 437 this algorithm to produce a different IPv6 addresses (all other 438 parameters being the same). This could be necessary to resolve 439 Duplicate Address Detection (DAD) conflicts, as discussed in detail 440 in Section 6. 442 Note that the result of F() in the algorithm above is no more secure 443 than the secret key. If an attacker is aware of the PRF that is 444 being used by the victim (which we should expect), and the attacker 445 can obtain enough material (i.e. addresses configured by the victim), 446 the attacker may simply search the entire secret-key space to find 447 matches. To protect against this, the secret key SHOULD be of at 448 least 128 bits. Key lengths of at least 128 bits should be adequate. 449 The secret key is initialized at system installation time to a 450 pseudo-random number, thus allowing this mechanism to be enabled/used 451 automatically, without user intervention. Providing a mechanism to 452 display and change the secret_key would allow and administrator to 453 cause a replaced system (with the same implementation of this 454 document) to generate the same IPv6 addresses as the system being 455 replaced. We note that since the privacy of the scheme specified in 456 this document relies on the secrecy of the secret_key parameter, 457 implementations should constrain access to the secret_key parameter 458 to the extent practicable (e.g., require superuser privileges to 459 access it). Furthermore, in order to prevent leakages of the 460 secret_key parameter, it should not be used for any other purposes 461 than being a parameter to the scheme specified in this document. 463 We note that all of the bits in the resulting Interface IDs are 464 treated as "opaque" bits [I-D.ietf-6man-ug]. For example, the 465 universal/local bit of Modified EUI-64 format identifiers is treated 466 as any other bit of such identifier. In theory, this might result in 467 IPv6 address collisions and Duplicate Address Detection (DAD) 468 failures that would otherwise not be encountered. However, this is 469 not deemed as a likely issue, because of the following 470 considerations: 472 o The interface IDs of all addresses (except those of addresses that 473 that start with the binary value 000) are 64-bit long. Since the 474 method specified in this document results in random Interface IDs, 475 the probability of DAD failures is very small. 477 o Real world data indicates that MAC address reuse is far more 478 common than assumed [HDMoore]. This means that even IPv6 479 addresses that employ (allegedly) unique identifiers (such as IEEE 480 LAN MAC addresses) might result in DAD failures, and hence 481 implementations should be prepared to gracefully handle such 482 occurrences. Additionally, some virtualization technologies 483 already employ hardware addresses that are randomly selected, and 484 hence cannot be guaranteed to be unique 485 [I-D.ietf-opsec-ipv6-host-scanning]. 487 o Since some popular and widely-deployed operating systems (such as 488 Microsoft Windows) do not embed hardware addresses in the 489 Interface IDs of their stable addresses, reliance on such unique 490 identifiers is more reduced in the deployed world (fewer deployed 491 systems rely on them for the avoidance of address collisions). 493 Finally, that since different implementation are likely to use 494 different values for the secret_key parameter, and may also employ 495 different PRFs for F() and different sources for the Net_Iface 496 parameter, the addresses generated by this scheme should not expected 497 to be stable across different operating system installations. For 498 example, a host that is dual-boot or that is reinstalled may result 499 in different IPv6 addresses for each operating system and/or 500 installation. 502 6. Resolving Duplicate Address Detection (DAD) conflicts 504 If as a result of performing Duplicate Address Detection (DAD) 505 [RFC4862] a host finds that the tentative address generated with the 506 algorithm specified in Section 5 is a duplicate address, it SHOULD 507 resolve the address conflict by trying a new tentative address as 508 follows: 510 o DAD_Counter is incremented by 1. 512 o A new Interface Identifier is generated with the algorithm 513 specified in Section 5, using the incremented DAD_Counter value. 515 Hosts SHOULD introduce a random delay between 0 and IDGEN_DELAY 516 seconds (see Section 7) before trying a new tentative address, to 517 avoid lock-step behavior of multiple hosts. 519 This procedure may be repeated a number of times until the address 520 conflict is resolved. Hosts SHOULD try at least IDGEN_RETRIES (see 521 Section 7) tentative addresses if DAD fails for successive generated 522 addresses, in the hopes of resolving the address conflict. We also 523 note that hosts MUST limit the number of tentative addresses that are 524 tried (rather than indefinitely try a new tentative address until the 525 conflict is resolved). 527 In those unlikely scenarios in which duplicate addresses are detected 528 and in which the order in which the conflicting nodes configure their 529 addresses may vary (e.g., because they may be bootstrapped in 530 different order), the algorithm specified in this section for 531 resolving DAD conflicts could lead to addresses that are not stable 532 within the same subnet. In order to mitigate this potential problem, 533 nodes MAY record the DAD_Counter value employed for a specific 534 {Prefix, Net_Iface, Network_ID} tuple in non-volatile memory, such 535 that the same DAD_Counter value is employed when configuring an 536 address for the same Prefix and subnet at any other point in time. 537 We note that the use of non-volatile memory is OPTIONAL, and hosts 538 that do not implement this feature are still compliant to this 539 protocol specification. 541 In the event that a DAD conflict cannot be solved (possibly after 542 trying a number of different addresses), address configuration would 543 fail. In those scenarios, nodes MUST NOT automatically fall back to 544 employing other algorithms for generating Interface Identifiers. 546 7. Specified Constants 548 This document specifies the following constant: 550 IDGEN_RETRIES: 551 defaults to 3. 553 IDGEN_DELAY: 554 defaults to 1 second. 556 8. IANA Considerations 558 There are no IANA registries within this document. The RFC-Editor 559 can remove this section before publication of this document as an 560 RFC. 562 9. Security Considerations 564 This document specifies an algorithm for generating Interface 565 Identifiers to be used with IPv6 Stateless Address Autoconfiguration 566 (SLAAC), as an alternative to e.g. Interface Identifiers that embed 567 hardware addresses (such as those specified in [RFC2464], [RFC2467], 568 and [RFC2470]). When compared to such identifiers, the identifiers 569 specified in this document have a number of advantages: 571 o They prevent trivial host-tracking based on the IPv6 address, 572 since when a host moves from one network to another the network 573 prefix used for autoconfiguration and/or the Network ID (e.g., 574 IEEE 802.11 SSID) will typically change, and hence the resulting 575 Interface Identifier will also change (see 576 [I-D.ietf-6man-ipv6-address-generation-privacy]). 578 o They mitigate address-scanning techniques which leverage 579 predictable Interface Identifiers (e.g., known Organizationally 580 Unique Identifiers) [I-D.ietf-opsec-ipv6-host-scanning]. 582 o They may result in IPv6 addresses that are independent of the 583 underlying hardware (i.e. the resulting IPv6 addresses do not 584 change if a network interface card is replaced) if an appropriate 585 source for Net_Iface (Section 5) is employed. 587 o They prevent the information leakage produced by embedding 588 hardware addresses in the Interface Identifier (which could be 589 exploited to launch device-specific attacks). 591 o Since the method specified in this document will result in 592 different Interface Identifiers for each configured address, 593 knowledge/leakage of the Interface Identifier employed for one 594 stable address will not negatively affect the security/privacy of 595 other stable addresses configured for other prefixes (whether at 596 the same time or at some other point in time). 598 We note that while some probing techniques (such as the use of ICMPv6 599 Echo Request and ICMPv6 Echo Response packets) could be mitigated by 600 a personal firewall at the target host, for other probing vectors, 601 such as listening to ICMPv6 "Destination Unreachable, Address 602 Unreachable" (Type 1, Code 3) error messages referring to the target 603 addresses [I-D.ietf-opsec-ipv6-host-scanning], there is nothing a 604 host can do (e.g., a personal firewall at the target host would not 605 be able to mitigate this probing technique). Hence, the method 606 specified in this document is still of value for nodes that employ 607 personal firewalls. 609 In scenarios in which an attacker can connect to the same subnet as a 610 victim node, the attacker might be able to learn the Interface 611 Identifier employed by the victim node for an arbitrary prefix, by 612 simply sending a forged Router Advertisement [RFC4861] for that 613 prefix, and subsequently learning the corresponding address 614 configured by the victim node (either listening to the Duplicate 615 Address Detection packets, or to any other traffic that employs the 616 newly configured address). We note that a number of factors might 617 limit the ability of an attacker to successfully perform such an 618 attack: 620 o First-Hop security mechanisms such as RA-Guard [RFC6105] 621 [I-D.ietf-v6ops-ra-guard-implementation] could prevent the forged 622 Router Advertisement from reaching the victim node 624 o If the victim implementation includes the (optional) Network_ID 625 parameter for computing F() (see Section 5), and the Network_ID 626 employed by the victim for a remote network is unknown to the 627 attacker, the Interface Identifier learned by the attacker would 628 differ from the one used by the victim when connecting to the 629 legitimate network. 631 In any case, we note that at the point in which this kind of attack 632 becomes a concern, a host should consider employing Secure Neighbor 633 Discovery (SEND) [RFC3971] to prevent an attacker from illegitimately 634 claiming authority for a network prefix. 636 We note that this algorithm is meant to be an alternative to 637 Interface Identifiers such as those specified in [RFC2464], but is 638 not meant as an alternative to temporary Interface Identifiers (such 639 as those specified in [RFC4941]). Clearly, temporary addresses may 640 help to mitigate the correlation of activities of a node within the 641 same network, and may also reduce the attack exposure window (since 642 temporary addresses are short-lived when compared to the addresses 643 generated with the method specified in this document). We note that 644 implementation of this algorithm would still benefit those hosts 645 employing "temporary addresses", since it would mitigate host- 646 tracking vectors still present when such addresses are used (see 647 [I-D.ietf-6man-ipv6-address-generation-privacy]), and would also 648 mitigate address-scanning techniques that leverage patterns in IPv6 649 addresses that embed IEEE LAN MAC addresses. Finally, we note that 650 the method described in this document addresses some of the privacy 651 concerns arising from the use of IPv6 addresses that embed IEEE LAN 652 MAC addresses, without the use of temporary addresses, thus possibly 653 offering an interesting trade-off for those scenarios in which the 654 use of temporary addresses is not feasible. 656 10. Acknowledgements 658 The algorithm specified in this document has been inspired by Steven 659 Bellovin's work ([RFC1948]) in the area of TCP sequence numbers. 661 The author would like to thank (in alphabetical order) Mikael 662 Abrahamsson, Ran Atkinson, Karl Auer, Steven Bellovin, Matthias 663 Bethke, Ben Campbell, Brian Carpenter, Tassos Chatzithomaoglou, Tim 664 Chown, Alissa Cooper, Dominik Elsbroek, Stephen Farrell, Eric Gray, 665 Brian Haberman, Bob Hinden, Christian Huitema, Ray Hunter, Jouni 666 Korhonen, Suresh Krishnan, Eliot Lear, Jong-Hyouk Lee, Andrew 667 McGregor, Thomas Narten, Simon Perreault, Tom Petch, Michael 668 Richardson, Vincent Roca, Mark Smith, Hannes Frederic Sowa, Martin 669 Stiemerling, Dave Thaler, Ole Troan, Lloyd Wood, James Woodyatt, and 670 He Xuan, for providing valuable comments on earlier versions of this 671 document. 673 Hannes Frederic Sowa produced a reference implementation of this 674 specification for the Linux kernel. 676 This document is based on the technical report "Security Assessment 677 of the Internet Protocol version 6 (IPv6)" [CPNI-IPv6] authored by 678 Fernando Gont on behalf of the UK Centre for the Protection of 679 National Infrastructure (CPNI). 681 11. References 683 11.1. Normative References 685 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 686 (IPv6) Specification", RFC 2460, December 1998. 688 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 689 Requirement Levels", BCP 14, RFC 2119, March 1997. 691 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 692 and M. Carney, "Dynamic Host Configuration Protocol for 693 IPv6 (DHCPv6)", RFC 3315, July 2003. 695 [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure 696 Neighbor Discovery (SEND)", RFC 3971, March 2005. 698 [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", 699 RFC 3972, March 2005. 701 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 702 Requirements for Security", BCP 106, RFC 4086, June 2005. 704 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 705 Unique IDentifier (UUID) URN Namespace", RFC 4122, July 706 2005. 708 [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast 709 Addresses", RFC 4193, October 2005. 711 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 712 Architecture", RFC 4291, February 2006. 714 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 715 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 716 September 2007. 718 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 719 Address Autoconfiguration", RFC 4862, September 2007. 721 [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy 722 Extensions for Stateless Address Autoconfiguration in 723 IPv6", RFC 4941, September 2007. 725 [RFC5453] Krishnan, S., "Reserved IPv6 Interface Identifiers", RFC 726 5453, February 2009. 728 [I-D.ietf-6man-ug] 729 Carpenter, B. and S. Jiang, "Significance of IPv6 730 Interface Identifiers", draft-ietf-6man-ug-06 (work in 731 progress), December 2013. 733 11.2. Informative References 735 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 736 April 1992. 738 [RFC1948] Bellovin, S., "Defending Against Sequence Number Attacks", 739 RFC 1948, May 1996. 741 [RFC2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet 742 Networks", RFC 2464, December 1998. 744 [RFC2467] Crawford, M., "Transmission of IPv6 Packets over FDDI 745 Networks", RFC 2467, December 1998. 747 [RFC2470] Crawford, M., Narten, T., and S. Thomas, "Transmission of 748 IPv6 Packets over Token Ring Networks", RFC 2470, December 749 1998. 751 [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. 752 Stevens, "Basic Socket Interface Extensions for IPv6", RFC 753 3493, February 2003. 755 [RFC3542] Stevens, W., Thomas, M., Nordmark, E., and T. Jinmei, 756 "Advanced Sockets Application Program Interface (API) for 757 IPv6", RFC 3542, May 2003. 759 [RFC6059] Krishnan, S. and G. Daley, "Simple Procedures for 760 Detecting Network Attachment in IPv6", RFC 6059, November 761 2010. 763 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. 764 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, 765 February 2011. 767 [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations 768 for the MD5 Message-Digest and the HMAC-MD5 Algorithms", 769 RFC 6151, March 2011. 771 [I-D.ietf-opsec-ipv6-host-scanning] 772 Gont, F. and T. Chown, "Network Reconnaissance in IPv6 773 Networks", draft-ietf-opsec-ipv6-host-scanning-02 (work in 774 progress), July 2013. 776 [I-D.ietf-v6ops-ra-guard-implementation] 777 Gont, F., "Implementation Advice for IPv6 Router 778 Advertisement Guard (RA-Guard)", draft-ietf-v6ops-ra- 779 guard-implementation-07 (work in progress), November 2012. 781 [I-D.ietf-6man-ipv6-address-generation-privacy] 782 Cooper, A., Gont, F., and D. Thaler, "Privacy 783 Considerations for IPv6 Address Generation Mechanisms", 784 draft-ietf-6man-ipv6-address-generation-privacy-00 (work 785 in progress), October 2013. 787 [HDMoore] HD Moore, , "The Wild West", Louisville, Kentucky, U.S.A, 788 September 2012, . 791 [IANA-RESERVED-IID] 792 Reserved IPv6 Interface Identifiers, , 793 "http://www.iana.org/assignments/ipv6-interface-ids/ 794 ipv6-interface-ids.xml", . 796 [Gont-DEEPSEC2011] 797 Gont, , "Results of a Security Assessment of the Internet 798 Protocol version 6 (IPv6)", DEEPSEC 2011 Conference, 799 Vienna, Austria, November 2011, 800 . 803 [Broersma] 804 Broersma, R., "IPv6 Everywhere: Living with a Fully 805 IPv6-enabled environment", Australian IPv6 Summit 2010, 806 Melbourne, VIC Australia, October 2010, 807 . 810 [IAB-PRIVACY] 811 IAB, , "Privacy and IPv6 Addresses", July 2011, 812 . 815 [CPNI-IPv6] 816 Gont, F., "Security Assessment of the Internet Protocol 817 version 6 (IPv6)", UK Centre for the Protection of 818 National Infrastructure, (available on request). 820 [FIPS-SHS] 821 FIPS, , "Secure Hash Standard (SHS)", Federal Information 822 Processing Standards Publication 180-4, March 2012, 823 . 826 Appendix A. Possible sources for the Net_Iface parameter 828 The following subsections describe a number of possible sources for 829 the Net_Iface parameter employed by the F() function in Section 5. 830 The choice of a specific source for this value represents a number of 831 trade-offs, which may vary from one implementation to another. 833 A.1. Interface Index 835 The Interface Index [RFC3493] [RFC3542] of an interface uniquely 836 identifies an interface within a node. However, these identifiers 837 might or might not have the stability properties required for the 838 Net_Iface value employed by this method. For example, the Interface 839 Index might change upon removal or installation of a network 840 interface (typically one with a smaller value for the Interface 841 Index, when such a naming scheme is used), or when network interfaces 842 happen to be initialized in a different order. We note that some 843 implementations are known to provide configuration knobs to set the 844 Interface Index for a given interface. Such configuration knobs 845 could be employed to prevent the Interface Index from changing (e.g. 846 as a result of the removal of a network interface). 848 A.2. Interface Name 850 The Interface Name (e.g., "eth0", "em0", etc) tends to be more stable 851 than the underlying Interface Index, since such stability is required 852 /desired when interface names are employed in network configuration 853 (firewall rules, etc.). The stability properties of Interface Names 854 depend on implementation details, such as what is the namespace used 855 for Interface Names. For example, "generic" interface names such as 856 "eth0" or "wlan0" will generally be invariant with respect to network 857 interface card replacements. On the other hand, vendor-dependent 858 interface names such as "rtk0" or the like will generally change when 859 a network interface card is replaced with one from a different 860 vendor. 862 We note that Interface Names might still change when network 863 interfaces are added or removed once the system has been bootstrapped 864 (for example, consider Universal Serial Bus-based network interface 865 cards which might be added or removed once the system has been 866 bootstrapped). 868 A.3. Link-layer Addresses 870 Link-layer addresses typically provide for unique identifiers for 871 network interfaces; although, for obvious reasons, they generally 872 change when a network interface card is replaced. In scenarios where 873 neither Interface Indexes nor Interface Names have the stability 874 properties specified in Section 5 for Net_Iface, an implementation 875 might want to employ the link-layer address of the interface for the 876 Net_Iface parameter, albeit at the expense of making the 877 corresponding IPv6 addresses dependent on the underlying network 878 interface card (i.e., the corresponding IPv6 address would typically 879 change upon replacement of the underlying network interface card). 881 A.4. Logical Network Service Identity 883 Host operating systems with a conception of logical network service 884 identity, distinct from network interface identity or index, may keep 885 a Universally Unique Identifier (UUID) [RFC4122] or similar 886 identifier with the stability properties appropriate for use as the 887 Net_Iface parameter. 889 Author's Address 891 Fernando Gont 892 SI6 Networks / UTN-FRH 893 Evaristo Carriego 2644 894 Haedo, Provincia de Buenos Aires 1706 895 Argentina 897 Phone: +54 11 4650 8472 898 Email: fgont@si6networks.com 899 URI: http://www.si6networks.com