[LACNIC/Seguridad] Fwd: Deprecating EUI-64 Based IPv6 Addresses (Fwd: New Version Notification for draft-gont-6man-deprecate-eui64-based-addresses-00.txt)

Iván Arce ivan.w.arce at gmail.com
Fri Oct 25 13:03:12 BRST 2013


On 10/24/13 9:05 PM, Arturo Servin wrote:
> I have already read it; I still don't quite agree with completely
> obsoleting the generation of interface IDs without using the MAC address,
> mainly because we still don't have a proven way of doing it otherwise.

?! What does that mean? That currently the only way an IID is generated
is by embedding the MAC? If the answer is no, then that constitutes
a counterexample that refutes the claim.

> 
> While I don't see any usefulness in MAC-based generation, I don't know
> whether it is feasible for the draft to say "MUST NOT" as has been
> discussed in 6man. I think an intermediate document that says
> "SHOULD NOT" or "SHOULD use another mean" is more realistic.

Yes, it is the difference between prohibiting a behavior that leaks
private information from the endpoints and simply suggesting it but doing
nothing to actively prevent the problem.  The second position, which is
the IETF's traditional one, has led to countless security problems
over the last decades.

In my opinion it would be preferable for the security and privacy
considerations of IPv6 to be explicitly covered in the respective RFCs
or in a single RFC, instead of generating a proliferation of a
lot of I-Ds, each one addressing narrow and very specific details
of the protocols.
A compromise solution could be (if it does not exist already) an I-D
that maps all the I-Ds related to IPv6 security and privacy,
something like a "Security and privacy considerations for IPv6
implementers/developers"


-ivan


> 
> 
> On Thu, Oct 24, 2013 at 4:00 PM, Fernando Gont <fgont at si6networks.com> wrote:
> 
>> Dear all,
>>
>> FYI (see below)
>>
>> As the song says:
>>
>>  "If the evil spirit armed the tiger with claws, Bramhan provided
>>   wings for the dove"
>>
>> Regards,
>> Fernando
>>
>>
>>
>>
>> -------- Original Message --------
>> Subject: Deprecating EUI-64 Based IPv6 Addresses (Fwd: New Version
>> Notification for draft-gont-6man-deprecate-eui64-based-addresses-00.txt)
>> Date: Thu, 24 Oct 2013 14:50:22 -0300
>> From: Fernando Gont <fernando at gont.com.ar>
>> To: 6man at ietf.org <6man at ietf.org>
>> CC: draft-gont-6man-deprecate-eui64-based-addresses at tools.ietf.org
>>
>> Folks,
>>
>> We have posted a new I-D entitled "Deprecating EUI-64 Based IPv6
>> Addresses"
>> (
>> http://www.ietf.org/internet-drafts/draft-gont-6man-deprecate-eui64-based-addresses-00.txt
>> ).
>>
>> It's a spin-off of the work we've been doing on IPv6 addressing
>> security/privacy considerations
>> (draft-ietf-6man-ipv6-address-generation-privacy and
>> draft-ietf-6man-stable-privacy-addresses), and the idea had already been
>> discussed among several folks mostly off-list and at IETF meeting corridors.
>>
>> Any comments will be appreciated.
>>
>> Thanks!
>>
>> Best regards,
>> Fernando
>>
>>
>>
>>
>> -------- Original Message --------
>> Subject: New Version Notification for
>> draft-gont-6man-deprecate-eui64-based-addresses-00.txt
>> Date: Mon, 21 Oct 2013 15:43:46 -0700
>> From: internet-drafts at ietf.org
>> To: Fernando Gont <fgont at si6networks.com>, Will Liu
>> <liushucheng at huawei.com>, Alissa Cooper <acooper at cdt.org>, Dave Thaler
>> <dthaler at microsoft.com>
>>
>>
>> A new version of I-D,
>> draft-gont-6man-deprecate-eui64-based-addresses-00.txt
>> has been successfully submitted by Fernando Gont and posted to the
>> IETF repository.
>>
>> Filename:        draft-gont-6man-deprecate-eui64-based-addresses
>> Revision:        00
>> Title:           Deprecating EUI-64 Based IPv6 Addresses
>> Creation date:   2013-10-22
>> Group:           Individual Submission
>> Number of pages: 6
>> URL:
>>
>> http://www.ietf.org/internet-drafts/draft-gont-6man-deprecate-eui64-based-addresses-00.txt
>> Status:
>>
>> http://datatracker.ietf.org/doc/draft-gont-6man-deprecate-eui64-based-addresses
>> Htmlized:
>>
>> http://tools.ietf.org/html/draft-gont-6man-deprecate-eui64-based-addresses-00
>>
>>
>> Abstract:
>>    Stateless Address Autoconfiguration (SLAAC) for IPv6 typically
>>    results in hosts configuring one or more stable addresses composed of
>>    a network prefix advertised by a local router, and an Interface
>>    Identifier that typically embeds a hardware address (e.g., an IEEE
>>    LAN MAC address).  The security and privacy implications of embedding
>>    hardware addresses in the Interface Identifier have been known and
>>    understood for some time now, and some popular IPv6 implementations
>>    have already deviated from such scheme to mitigate these issues.
>>    This document deprecates the use of hardware addresses in IPv6
>>    Interface Identifiers, and recommends the use of an alternative
>>    scheme ([I-D.ietf-6man-stable-privacy-addresses]) for the generation
>>    of IPv6 stable addresses.
>>
>>
>>
>>
>>
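
The information leak discussed in this thread, as an added example that is not part of the original messages or of the draft: a modified EUI-64 Interface Identifier (RFC 4291, Appendix A) is the same on every network and gives the MAC back, while an identifier computed per prefix from a secret does neither. The second function only sketches the idea of draft-ietf-6man-stable-privacy-addresses; the choice of HMAC-SHA256, the input encoding, the interface name, the MAC, the key and the documentation prefixes are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID: insert ff:fe in the middle, flip the U/L bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def mac_from_address(addr: str):
    """Return the MAC embedded in the address' IID, or None when the IID
    lacks the ff:fe marker of a MAC-derived modified EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)


def stable_privacy_iid(prefix: str, iface: str, secret: bytes, dad_counter: int = 0) -> bytes:
    """Simplified sketch: IID = F(prefix, interface, DAD counter, secret).
    HMAC-SHA256 truncated to 64 bits is this example's choice of F."""
    net = ipaddress.IPv6Network(prefix)
    msg = net.network_address.packed[:8] + iface.encode() + bytes([dad_counter])
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with a 64-bit IID into a full address."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


# Constructed sample data: documentation prefixes, made-up MAC and key.
MAC = "00:11:22:33:44:55"
HOME, CAFE = "2001:db8:1::/64", "2001:db8:2::/64"
SECRET = b"constructed-example-secret"

if __name__ == "__main__":
    for prefix in (HOME, CAFE):
        a = address(prefix, eui64_iid(MAC))
        b = address(prefix, stable_privacy_iid(prefix, "eth0", SECRET))
        print(f"{prefix:18} EUI-64 {a} -> MAC {mac_from_address(a)}")
        print(f"{prefix:18} stable {b} -> MAC {mac_from_address(b)}")
```

Run over an address inventory, mac_from_address() flags the hosts that still configure MAC-derived identifiers.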



