Re: Advantages and disadvantages of using CB64 type of identifiers

[Brian E Carpenter <brc@zurich.ibm.com>]

marcelo bagnulo braun wrote:
> El 05/07/2004, a las 8:12, Christian Huitema escribió:
>
> > > i don't fully understand why do you think that having an identifier in
> > > the address is worse than current IPv4 situation (where the id and
> > > locator are one, and multihomed sites have a single address) or the
> > > current IPv6 situation (i guess that something similar to privacy
> > > extensions could be achieved by periodically creating new keys hence
> > > new identifiers)
> >
> >
> > First, I don't believe in arguments such as "this is not worse than what
> > we did in the past" when it comes to security and privacy. We should be
> > on a path to improvement, not a soft descent into complacency.

If we were on that track, we would not have just adopted the threats
draft as a WG document.

> imho it is not the goal of multi6 to improve current security.

Our baseline is "first do no harm", i.e. not create new exposures.

> i do agree that if it is possible to provide an enhanced security, it 
> would be nice.
> But i don't see the fact that a solution does not improve current 
> security as a compelling argument to discard a solution

It isn't, but demonstrating that there are no new exposures is
proving a negative, which is always hard work.

> >  Second,
> > having a unique 64 bit identifier in the addresses is actually worse
> > than the current situation in either IPv4 or IPv6.

For people who believe that such a thing is a privacy issue, yes.
But it may or may not be a security issue - that requires threat
analysis of a specific solution.

> > In IPv4, the addresses are often dynamically affected; it is possible,
> > if a site manager so chooses, to give nodes a different address at each
> > session. Hosts using dial-up connections receive new addresses for each
> > connection. Hosts using broadband connections often receive new
> > addresses every 24 hours. When a host is multi-homed to several
> > networks, it will indeed receive different IPv4 addresses on each of
> > these networks.
>
>
> > The current IPv6 practice is to have the 64 bit identifier be either an
> > IEEE 802 identifier (default) or a random number (temporary addresses,
> > SEND). When a host is multi-homed through several interfaces, the
> > different identifiers are used on different interfaces. When a host
> > configures addresses from multiple prefixes on the same interface, the
> > 802 identifier will often be the same, but the random identifiers will
> > be different. The current ND spec allows for using the same identifier
> > with different prefixes, but it certainly does not mandate it.
>
> Do you think that generating a new identifier every day would do the trick?

It depends what trick you think is needed. If you mean: defeating some
spyware that tracks usage of a given IID, then presumably yes. But if you
are talking about a specific security attack (for example replay) - I don't
know in the abstract.

> i mean it would be possible, as Erik mentions, to create a new crypto 
> based id every day, i guess

Or at whatever frequency you like... every DHCP refresh for example.

The question for us is whether such a mechanism would set bounds on
multihoming sessions. What happens to TCP sessions that live longer
than the IID?

   Brian