| draft-ietf-dhc-anonymity-profile-03.txt | draft-ietf-dhc-anonymity-profile-04.txt | |||
|---|---|---|---|---|
| Network Working Group C. Huitema | Network Working Group C. Huitema | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track T. Mrugalski | Intended status: Standards Track T. Mrugalski | |||
| Expires: March 4, 2016 ISC | Expires: April 4, 2016 ISC | |||
| S. Krishnan | S. Krishnan | |||
| Ericsson | Ericsson | |||
| September 1, 2015 | October 2, 2015 | |||
| Anonymity profile for DHCP clients | Anonymity profile for DHCP clients | |||
| draft-ietf-dhc-anonymity-profile-03.txt | draft-ietf-dhc-anonymity-profile-04.txt | |||
| Abstract | Abstract | |||
| Some DHCP options carry unique identifiers. These identifiers can | Some DHCP options carry unique identifiers. These identifiers can | |||
| enable device tracking even if the device administrator takes care of | enable device tracking even if the device administrator takes care of | |||
| randomizing other potential identifications like link-layer addresses | randomizing other potential identifications like link-layer addresses | |||
| or IPv6 addresses. The anonymity profile is designed for clients | or IPv6 addresses. The anonymity profile is designed for clients | |||
| that wish to remain anonymous to the visited network. The profile | that wish to remain anonymous to the visited network. The profile | |||
| provides guidelines on the composition of DHCP or DHCPv6 requests, | provides guidelines on the composition of DHCP or DHCPv6 requests, | |||
| designed to minimize disclosure of identifying information. This | designed to minimize disclosure of identifying information. This | |||
| skipping to change at page 1, line 40 | skipping to change at page 1, line 40 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 4, 2016. | This Internet-Draft will expire on April 4, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 24 | skipping to change at page 2, line 24 | |||
| 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Application domain . . . . . . . . . . . . . . . . . . . . . 3 | 2. Application domain . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. MAC address Randomization hypotheses . . . . . . . . . . 4 | 2.1. MAC address Randomization hypotheses . . . . . . . . . . 4 | |||
| 2.2. MAC address Randomization and DHCP . . . . . . . . . . . 5 | 2.2. MAC address Randomization and DHCP . . . . . . . . . . . 5 | |||
| 2.3. Radio fingerprinting . . . . . . . . . . . . . . . . . . 5 | 2.3. Radio fingerprinting . . . . . . . . . . . . . . . . . . 5 | |||
| 2.4. Operating system fingerprinting . . . . . . . . . . . . . 6 | 2.4. Operating system fingerprinting . . . . . . . . . . . . . 6 | |||
| 2.5. No anonymity profile identification . . . . . . . . . . . 6 | 2.5. No anonymity profile identification . . . . . . . . . . . 6 | |||
| 2.6. Using the anonymity profiles . . . . . . . . . . . . . . 7 | 2.6. Using the anonymity profiles . . . . . . . . . . . . . . 7 | |||
| 2.7. What about privacy for DHCP servers . . . . . . . . . . . 8 | 2.7. What about privacy for DHCP servers . . . . . . . . . . . 8 | |||
| 3. Anonymity profile for DHCPv4 . . . . . . . . . . . . . . . . 8 | 3. Anonymity profile for DHCPv4 . . . . . . . . . . . . . . . . 8 | |||
| 3.1. Option encoding and avoiding fingerprinting . . . . . . . 9 | 3.1. Avoiding fingerprinting . . . . . . . . . . . . . . . . . 9 | |||
| 3.2. Client IP address field . . . . . . . . . . . . . . . . . 9 | 3.2. Client IP address field . . . . . . . . . . . . . . . . . 9 | |||
| 3.3. Requested IP address option . . . . . . . . . . . . . . . 10 | 3.3. Requested IP address option . . . . . . . . . . . . . . . 10 | |||
| 3.4. Client hardware address . . . . . . . . . . . . . . . . . 10 | 3.4. Client hardware address field . . . . . . . . . . . . . . 10 | |||
| 3.5. Client Identifier Option . . . . . . . . . . . . . . . . 11 | 3.5. Client Identifier Option . . . . . . . . . . . . . . . . 11 | |||
| 3.6. Parameter Request List . . . . . . . . . . . . . . . . . 11 | 3.6. Parameter Request List Option . . . . . . . . . . . . . . 12 | |||
| 3.7. Host Name Option . . . . . . . . . . . . . . . . . . . . 12 | 3.7. Host Name Option . . . . . . . . . . . . . . . . . . . . 12 | |||
| 3.8. Client FQDN Option . . . . . . . . . . . . . . . . . . . 13 | 3.8. Client FQDN Option . . . . . . . . . . . . . . . . . . . 13 | |||
| 3.9. UUID/GUID-based Client Identifier Option . . . . . . . . 13 | 3.9. UUID/GUID-based Client Identifier Option . . . . . . . . 13 | |||
| 3.10. User and Vendor Class DHCP options . . . . . . . . . . . 14 | 3.10. User and Vendor Class DHCP options . . . . . . . . . . . 14 | |||
| 4. Anonymity profile for DHCPv6 . . . . . . . . . . . . . . . . 14 | 4. Anonymity profile for DHCPv6 . . . . . . . . . . . . . . . . 14 | |||
| 4.1. Option encoding and avoiding fingerprinting . . . . . . . 14 | 4.1. Option encoding and avoiding fingerprinting . . . . . . . 15 | |||
| 4.2. Do not send Confirm messages, unless really sure where . 15 | 4.2. Do not send Confirm messages, unless really sure where . 15 | |||
| 4.3. Client Identifier DHCPv6 Option . . . . . . . . . . . . . 15 | 4.3. Client Identifier DHCPv6 Option . . . . . . . . . . . . . 16 | |||
| 4.3.1. Anonymous Information-Request . . . . . . . . . . . . 16 | 4.3.1. Anonymous Information-Request . . . . . . . . . . . . 16 | |||
| 4.4. Server Identifier Option . . . . . . . . . . . . . . . . 16 | 4.4. Server Identifier Option . . . . . . . . . . . . . . . . 16 | |||
| 4.5. Address assignment options . . . . . . . . . . . . . . . 16 | 4.5. Address assignment options . . . . . . . . . . . . . . . 17 | |||
| 4.5.1. Obtain temporary addresses . . . . . . . . . . . . . 17 | 4.5.1. Obtain temporary addresses . . . . . . . . . . . . . 17 | |||
| 4.6. Option Request Option . . . . . . . . . . . . . . . . . . 17 | 4.5.2. Prefix delegation . . . . . . . . . . . . . . . . . . 18 | |||
| 4.6. Option Request Option . . . . . . . . . . . . . . . . . . 18 | ||||
| 4.6.1. Previous option values . . . . . . . . . . . . . . . 18 | 4.6.1. Previous option values . . . . . . . . . . . . . . . 18 | |||
| 4.7. Authentication Option . . . . . . . . . . . . . . . . . . 18 | 4.7. Authentication Option . . . . . . . . . . . . . . . . . . 19 | |||
| 4.8. User and Vendor Class DHCPv6 options . . . . . . . . . . 18 | 4.8. User and Vendor Class DHCPv6 options . . . . . . . . . . 19 | |||
| 4.9. Client FQDN Option . . . . . . . . . . . . . . . . . . . 18 | 4.9. Client FQDN Option . . . . . . . . . . . . . . . . . . . 19 | |||
| 5. Operational Considerations . . . . . . . . . . . . . . . . . 19 | 5. Operational Considerations . . . . . . . . . . . . . . . . . 19 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 9. Changes from previous versions . . . . . . . . . . . . . . . 19 | 9. Changes from previous versions . . . . . . . . . . . . . . . 20 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 21 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 22 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 22 | 10.2. Informative References . . . . . . . . . . . . . . . . . 23 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 1. Introduction | 1. Introduction | |||
| Reports surfaced recently of systems that would monitor the wireless | Reports surfaced recently of systems that would monitor the wireless | |||
| connections of passengers at Canadian airports [CNBC]. We can assume | connections of passengers at Canadian airports [CNBC]. We can assume | |||
| that these are either fragments or trial runs of a wider system that | that these are either fragments or trial runs of a wider system that | |||
| would attempt to monitor Internet users as they roam through wireless | would attempt to monitor Internet users as they roam through wireless | |||
| access points and other temporary network attachments. We can also | access points and other temporary network attachments. We can also | |||
| assume that privacy conscious users will attempt to evade this | assume that privacy conscious users will attempt to evade this | |||
| monitoring, for example by ensuring that low level identifiers such | monitoring, for example by ensuring that low level identifiers such | |||
| skipping to change at page 5, line 33 | skipping to change at page 5, line 34 | |||
| the IP address remains constant, since it is tied to the DHCP | the IP address remains constant, since it is tied to the DHCP | |||
| identifier. Conversely, if the DHCP identifier changes but the link- | identifier. Conversely, if the DHCP identifier changes but the link- | |||
| layer address remains constant, the old and new identifiers and | layer address remains constant, the old and new identifiers and | |||
| addresses can be correlated by listening to L2 traffic. The | addresses can be correlated by listening to L2 traffic. The | |||
| procedures documented in the following sections construct DHCP | procedures documented in the following sections construct DHCP | |||
| identifiers from the current link-layer address, automatically | identifiers from the current link-layer address, automatically | |||
| providing for this synchronization. | providing for this synchronization. | |||
| The proposed anonymity profiles solve this synchronization issues by | The proposed anonymity profiles solve this synchronization issues by | |||
| deriving most identifiers from the link-layer address, and generally | deriving most identifiers from the link-layer address, and generally | |||
| by making making sure that DHCP parameter values do not remain | by making sure that DHCP parameter values do not remain constant | |||
| constant after an address change. | after an address change. | |||
| 2.3. Radio fingerprinting | 2.3. Radio fingerprinting | |||
| MAC address randomization solves the trivial monitoring problem in | MAC address randomization solves the trivial monitoring problem in | |||
| which someone just uses a Wi-Fi scanner and records the MAC addresses | which someone just uses a Wi-Fi scanner and records the MAC addresses | |||
| seen on the air. DHCP anonymity solves the more elaborated scenario | seen on the air. DHCP anonymity solves the more elaborated scenario | |||
| in which someone monitor link-layer addresses and identities used in | in which someone monitor link-layer addresses and identities used in | |||
| DHCP at the access point or DHCP server. But these are not the only | DHCP at the access point or DHCP server. But these are not the only | |||
| ways to track a mobile device. | ways to track a mobile device. | |||
| skipping to change at page 7, line 36 | skipping to change at page 7, line 36 | |||
| care about privacy and servers do not object. We assume that the | care about privacy and servers do not object. We assume that the | |||
| request for anonymity is materialized by the assignment of a | request for anonymity is materialized by the assignment of a | |||
| randomized link-layer address to the network interface. Once that | randomized link-layer address to the network interface. Once that | |||
| decision is made, the following guidelines will avoid leakage of | decision is made, the following guidelines will avoid leakage of | |||
| identity in DHCP parameters or in assigned addresses. | identity in DHCP parameters or in assigned addresses. | |||
| There may be rare situations where the clients want anonymity to | There may be rare situations where the clients want anonymity to | |||
| attackers but not to their DHCP server. These clients should still | attackers but not to their DHCP server. These clients should still | |||
| use link-layer address randomization to hide from observers, and some | use link-layer address randomization to hide from observers, and some | |||
| form of encrypted communication to the DHCP server. This scenario is | form of encrypted communication to the DHCP server. This scenario is | |||
| not yet supported in this document. | out of scope for this document. | |||
| To preserve anonymity, the clients need to not use stable values for | To preserve anonymity, the clients need to not use stable values for | |||
| the client identifiers. This is clearly a tradeoff, because a stable | the client identifiers. This is clearly a tradeoff, because a stable | |||
| client identifier guarantees that the client will receive consistent | client identifier guarantees that the client will receive consistent | |||
| parameters over time. An example is given in [RFC7618], where the | parameters over time. An example is given in [RFC7618], where the | |||
| client identifier is used to guarantee that the same client will | client identifier is used to guarantee that the same client will | |||
| always get the same combination of IP address and port range. Static | always get the same combination of IP address and port range. Static | |||
| clients benefit most from stable parameters, and can often be already | clients benefit most from stable parameters, and can often be already | |||
| identified by physical connection layer parameters. These static | identified by physical connection layer parameters. These static | |||
| clients will normally not use the anonymity profile. Mobile clients, | clients will normally not use the anonymity profile. Mobile clients, | |||
| skipping to change at page 8, line 33 | skipping to change at page 8, line 33 | |||
| and [I-D.ietf-dhc-dhcpv6-privacy]. Mitigation of these issues is | and [I-D.ietf-dhc-dhcpv6-privacy]. Mitigation of these issues is | |||
| left to further study. | left to further study. | |||
| 3. Anonymity profile for DHCPv4 | 3. Anonymity profile for DHCPv4 | |||
| Clients using the DHCPv4 anonymity profile limit the disclosure of | Clients using the DHCPv4 anonymity profile limit the disclosure of | |||
| information by controlling the header parameters and by limiting the | information by controlling the header parameters and by limiting the | |||
| number and values of options. The number of options depend on the | number and values of options. The number of options depend on the | |||
| specific DHCP message: | specific DHCP message: | |||
| DISCOVER: The anonymized DISCOVER messages MUST contain the Message | DHCPDISCOVER: The anonymized DHCPDISCOVER messages MUST contain the | |||
| Type, Client Identifier, and Parameter Request List options. It | Message Type, MAY contain the Client Identifier, and MAY contain | |||
| SHOULD NOT contain any other option. | the Parameter Request List options. It SHOULD NOT contain any | |||
| other option. | ||||
| REQUEST: The anonymized REQUEST messages SHOULD contain the Message | DHCPREQUEST: The anonymized DHCPREQUEST messages MUST contain the | |||
| Type, Client Identifier, Requested IP address and Parameter | Message Type, MAY contain the Client Identifier, and MAY contain | |||
| Request List options. If the message is in response to an OFFER, | the Parameter Request List options. If the message is in response | |||
| it SHOULD contain the corresponding Server Identifier option. It | to a DHCPOFFER, it MUST contain the corresponding Server | |||
| SHOULD NOT contain any other option. | Identifier option and the Requested IP address. If the message is | |||
| not in response to a DHCPOFFER, it MAY contain a Requested IP | ||||
| address as explained in Section 3.3. It SHOULD NOT contain any | ||||
| other option. | ||||
| DECLINE: The anonymized DECLINE messages SHOULD contain the Message | DHCPDECLINE: The anonymized DHCPDECLINE messages MUST contain the | |||
| Type, Client Identifier and Server Identifier options. | Message Type, Server Identifier, and Requested IP address options, | |||
| and MAY contain the Client Identifier options. | ||||
| RELEASE: The anonymized RELEASE messages SHOULD contain the Message | DHCPRELEASE: The anonymized DHCPRELEASE messages MUST contain the | |||
| Type, Client Identifier and Server Identifier options. | Message Type and Server Identifier options, and MAY contain the | |||
| Client Identifier option. | ||||
| INFORM: The anonymized INFORM messages MUST contain the Message | DHCPINFORM: The anonymized DHCPINFORM messages MUST contain the | |||
| Type, Client Identifier, and Parameter Request List options. It | Message Type, and MAY contain the Client Identifier and Parameter | |||
| SHOULD NOT contain any other option. | Request List options. It SHOULD NOT contain any other option. | |||
| Header fields and option values SHOULD be set in accordance with the | Header fields and option values SHOULD be set in accordance with the | |||
| DHCP specification, but some header fields and option values SHOULD | DHCP specification, but some header fields and option values SHOULD | |||
| be constructed per the following guidelines. | be constructed per the following guidelines. | |||
| The inclusion of HostName and FQDN options in DISCOVER, REQUEST or | The inclusion of HostName and FQDN options in DHCPDISCOVER, | |||
| INFORM messages is discussed in Section 3.7 and Section 3.8. | DHCPREQUEST or DHCPINFORM messages is discussed in Section 3.7 and | |||
| Section 3.8. | ||||
| 3.1. Option encoding and avoiding fingerprinting | 3.1. Avoiding fingerprinting | |||
| There are many choices for implementing DHCPv4 messages. Clients can | There are many choices for implementing DHCPv4 messages. Clients can | |||
| choose to transmit a specific set of options, pick particular | choose to transmit a specific set of options, pick particular | |||
| encoding for these options, and transmit options in different orders. | encoding for these options, and transmit options in different orders. | |||
| These choices can be use to fingerprint the client. | These choices can be use to fingerprint the client. | |||
| The following sections provide guidance on the encoding of options. | The following sections provide guidance on the encoding of options | |||
| However, this guidance alone may not be sufficient to prevent | and fields within the packets. However, this guidance alone may not | |||
| fingerprinting from revealing information, such as the device type, | be sufficient to prevent fingerprinting from revealing information, | |||
| vendor type or OS type and in some cases specific version, or from | such as the device type, vendor type or OS type and in some cases | |||
| revealing whether the client is using the anonymity profile. | specific version, or from revealing whether the client is using the | |||
| anonymity profile. | ||||
| The client willing to protect its privacy SHOULD limit the subset of | The client willing to protect its privacy SHOULD limit the subset of | |||
| options sent in messages to the subset listed in the following | options sent in messages to the subset listed in the following | |||
| sections. | sections. | |||
| The client willing to protect its privacy SHOULD randomize options | The client willing to protect its privacy SHOULD randomize options | |||
| order before sending any DHCPv4 message. If this random ordering | order before sending any DHCPv4 message. If this random ordering | |||
| cannot be implemented, the client MAY arrange options by increasing | cannot be implemented, the client MAY arrange options by increasing | |||
| order of option codes. | order of option codes. | |||
| skipping to change at page 10, line 27 | skipping to change at page 10, line 36 | |||
| regain the same IP address that was used in a previous connection. | regain the same IP address that was used in a previous connection. | |||
| Doing so entails the risk of disclosing an IP address used by the | Doing so entails the risk of disclosing an IP address used by the | |||
| client at a previous location, or with a different link-layer | client at a previous location, or with a different link-layer | |||
| address. | address. | |||
| When using the anonymity profile, clients SHOULD NOT use the | When using the anonymity profile, clients SHOULD NOT use the | |||
| Requested IP address option in DHCPDISCOVER messages. They MUST use | Requested IP address option in DHCPDISCOVER messages. They MUST use | |||
| the option when mandated by the DHCP protocol, for example in | the option when mandated by the DHCP protocol, for example in | |||
| DHCPREQUEST messages. | DHCPREQUEST messages. | |||
| There are scenarios in which a client connects to a network when a | There are scenarios in which a client connecting to a network | |||
| lease is still valid. In that state, the client that is concerned | remembers previously allocated address, i.e. is in the INIT-REBOOT | |||
| with privacy SHOULD perform a complete four way handshake starting | state. In that state, the client that is concerned with privacy | |||
| with DHCPDISCOVER to obtain a new address lease. If the client can | SHOULD perform a complete four way handshake starting with | |||
| DHCPDISCOVER to obtain a new address lease. If the client can | ||||
| ascertain that this is exactly the same network to which it was | ascertain that this is exactly the same network to which it was | |||
| previously connected, and if the link layer address did not change, | previously connected, and if the link layer address did not change, | |||
| the client MAY issue a DHCPREQUEST to try reclaim the current | the client MAY issue a DHCPREQUEST to try reclaim the current | |||
| address. | address. | |||
| 3.4. Client hardware address | 3.4. Client hardware address field | |||
| Sixteen bytes in the header of the DHCP messages carry the "Client | Sixteen bytes in the header of the DHCP messages carry the "Client | |||
| hardware address" (chaddr) as defined in [RFC2131]. The presence of | hardware address" (chaddr) as defined in [RFC2131]. The presence of | |||
| this address is necessary for the proper operation of the DHCP | this address is necessary for the proper operation of the DHCP | |||
| service. | service. | |||
| Hardware addresses, called "link layer address" in many RFCs, can be | Hardware addresses, called "link layer address" in many RFCs, can be | |||
| used to uniquely identify a device, especially if they follow the | used to uniquely identify a device, especially if they follow the | |||
| IEEE 802 recommendations. These unique identifiers can be used by | IEEE 802 recommendations. These unique identifiers can be used by | |||
| monitoring services to track the location of the device and its user. | monitoring services to track the location of the device and its user. | |||
| skipping to change at page 11, line 47 | skipping to change at page 12, line 8 | |||
| connection. It will also ensure that a strategy of randomizing the | connection. It will also ensure that a strategy of randomizing the | |||
| link layer address will not be nullified by DHCP options. | link layer address will not be nullified by DHCP options. | |||
| There are usages of DHCP where the underlying connection is a point | There are usages of DHCP where the underlying connection is a point | |||
| to point link, in which case there is no link layer address available | to point link, in which case there is no link layer address available | |||
| to construct a non-revealing identifier. If anonymity is desired in | to construct a non-revealing identifier. If anonymity is desired in | |||
| such networks, the client SHOULD pick a random identifier that is | such networks, the client SHOULD pick a random identifier that is | |||
| unique to the current link, using for example a combination of a | unique to the current link, using for example a combination of a | |||
| local secret and an identifier of the connection. | local secret and an identifier of the connection. | |||
| 3.6. Parameter Request List | 3.6. Parameter Request List Option | |||
| The Parameter Request List (PRL) option is defined in [RFC2132] with | The Parameter Request List (PRL) option is defined in [RFC2132] with | |||
| option code 61. It list the parameters requested from the server by | option code 61. It list the parameters requested from the server by | |||
| the client. Different implementations request different | the client. Different implementations request different | |||
| parameters.[RFC2132] specifies that "the client MAY list the options | parameters.[RFC2132] specifies that "the client MAY list the options | |||
| in order of preference." It practice, this means that different | in order of preference." It practice, this means that different | |||
| client implementations will request different parameters, in | client implementations will request different parameters, in | |||
| different orders. | different orders. | |||
| The choice of option numbers and the specific ordering of option | The choice of option numbers and the specific ordering of option | |||
| skipping to change at page 16, line 44 | skipping to change at page 17, line 11 | |||
| When using the anonymity profile, DHCPv6 clients SHOULD use the | When using the anonymity profile, DHCPv6 clients SHOULD use the | |||
| Server Identifier Option (code 2) as specified in [RFC3315]. Clients | Server Identifier Option (code 2) as specified in [RFC3315]. Clients | |||
| MUST only include server identifier values that were received with | MUST only include server identifier values that were received with | |||
| the current link-layer address, because reuse of old values discloses | the current link-layer address, because reuse of old values discloses | |||
| information that can be used to identify the client. | information that can be used to identify the client. | |||
| 4.5. Address assignment options | 4.5. Address assignment options | |||
| When using the anonymity profile, DHCPv6 clients might have to use | When using the anonymity profile, DHCPv6 clients might have to use | |||
| SOLICIT or REQUEST messages to obtain IPv6 addresses through the DHCP | SOLICIT or REQUEST messages to obtain IPv6 addresses through the DHCP | |||
| server. The clients SHOULD only use the options necessary to perform | server. Clients interested in privacy SHOULD request addresses using | |||
| the requested DHCPv6 transactions, such as Identity Association for | the Identity Association for Non-temporary Addresses Option (IA_NA, | |||
| Non-temporary Addresses Option (code 3) or Identity Association for | code 3). | |||
| Temporary Addresses Option (code 4). | ||||
| The IA_NA option includes an IAID parameter that identifies a unique | ||||
| identity association for the interface for which the Address is | ||||
| requested. Clients interested in protecting their privacy MUST | ||||
| ensure that the IAID does not enable client identification. They | ||||
| also need to conform to the requirement of [RFC3315] that the IAID | ||||
| for that IA MUST be consistent across restarts of the DHCP client. | ||||
| We interpret that as requiring that the IAID MUST be constant for the | ||||
| association, as long as the link layer Address remains constant. | ||||
| Clients MAY meet the privacy, uniqueness and stability requirement of | ||||
| the IAID using by constructing it as the combination of one byte | ||||
| encoding the interface number in the system, and three bytes of the | ||||
| link layer address. | ||||
| The clients MAY use the IA Address Option (code 5) but need to | The clients MAY use the IA Address Option (code 5) but need to | |||
| balance the potential advantage of "address continuity" versus the | balance the potential advantage of "address continuity" versus the | |||
| potential risk of "previous address disclosure." A potential | potential risk of "previous address disclosure." A potential | |||
| solution is to remove all stored addresses when a link-layer address | solution is to remove all stored addresses when a link-layer address | |||
| changes, and to only use the IA Address option with addresses that | changes, and to only use the IA Address option with addresses that | |||
| have been explicitly assigned through the current link-layer address. | have been explicitly assigned through the current link-layer address. | |||
| The interaction between prefix delegation and anonymity require | ||||
| further study. For now, the simple solution is to avoid using prefix | ||||
| delegation when striving for anonymity. When using the anonymity | ||||
| profiles, clients SHOULD NOT use IA_PD, the prefix delegation form of | ||||
| address assignment. | ||||
| 4.5.1. Obtain temporary addresses | 4.5.1. Obtain temporary addresses | |||
| [RFC3315] defines a special container (IA_TA) for requesting | [RFC3315] defines a special container (IA_TA, code 4) for requesting | |||
| temporary addresses. This is a good mechanism in principle, but | temporary addresses. This is a good mechanism in principle, but | |||
| there are a number of issues associated with it. First, this is not | there are a number of issues associated with it. First, this is not | |||
| a widely used feature, so clients depending solely on temporary | a widely used feature, so clients depending solely on temporary | |||
| addresses may lock themselves out of service. Secondly, [RFC3315] | addresses may lock themselves out of service. Secondly, [RFC3315] | |||
| does not specify any lifetime or lease length for temporary | does not specify any lifetime or lease length for temporary | |||
| addresses. Therefore support for renewing temporary addresses may | addresses. Therefore support for renewing temporary addresses may | |||
| vary between client implementations, including not being supported at | vary between client implementations, including not being supported at | |||
| all. Finally, by requesting temporary addresses a client reveals its | all. Finally, by requesting temporary addresses a client reveals its | |||
| desire for privacy and potentially risks countermeasures as described | desire for privacy and potentially risks countermeasures as described | |||
| in Section 2.5. | in Section 2.5. | |||
| Clients interested in their privacy SHOULD NOT use IA_TA. They | Because of these Clients interested in their privacy SHOULD NOT use | |||
| should simply send an IA_NA with a randomized IAID. This, along with | IA_TA. | |||
| the mitigation technique discussed in Section 4.4, will ensure that a | ||||
| client will get a new address that can be renewed and can be used as | ||||
| long as needed. To get a new address, it can send Request message | ||||
| with a new randomized IAID before releasing the other one. This will | ||||
| cause the server to assign a new address, as it still has a valid | ||||
| lease for the old IAID value. Once a new address is assigned, the | ||||
| address obtained using the older IAID value can be released safely, | ||||
| using the Release message or it may simply be allowed to time out. | ||||
| This solution may not work if the server enforces specific policies, | The addresses obtained according to Section 4.5 are temporary in | |||
| e.g. only one address per client. If client does not succeed in | nature, and will be discarded when the link layer address is changed. | |||
| receiving a second address using a new IAID, it may release the first | They thus meet most of the use cases of the temporary addresses | |||
| one (using the old IAID) and then retry asking for a new address. | defined in [RFC4941]. Clients interested in their privacy should not | |||
| publish their IPv6 addresses in the DNS or otherwise associate them | ||||
| with name services, and thus do not normally need two classes of | ||||
| addresses, one public, one temporary. | ||||
| From the Operating System perspective, addresses obtained using this | The use of mechanisms to allocate several IPv6 addresses to a client | |||
| technique SHOULD be treated as temporary as specified in [RFC4941]. | while preserving privacy is for further study. | |||
| 4.5.2. Prefix delegation | ||||
| The interaction between prefix delegation and anonymity require | ||||
| further study. For now, the simple solution is to avoid using prefix | ||||
| delegation when striving for anonymity. When using the anonymity | ||||
| profiles, clients SHOULD NOT use IA_PD, the prefix delegation form of | ||||
| address assignment. | ||||
| 4.6. Option Request Option | 4.6. Option Request Option | |||
| The Option Request Option (ORO) is defined in [RFC3315] with option | The Option Request Option (ORO) is defined in [RFC3315] with option | |||
| code 6. It specifies the options that the client is requesting from | code 6. It specifies the options that the client is requesting from | |||
| the server. The choice of requested options and the order of | the server. The choice of requested options and the order of | |||
| encoding of these options in the ORO can be used to fingerprint the | encoding of these options in the ORO can be used to fingerprint the | |||
| client. | client. | |||
| The client willing to protect its privacy SHOULD only request a | The client willing to protect its privacy SHOULD only request a | |||
| skipping to change at page 21, line 9 | skipping to change at page 21, line 38 | |||
| strict ordering. | strict ordering. | |||
| 7. Changed the requirement in Section 4.6 to allow "increasing order | 7. Changed the requirement in Section 4.6 to allow "increasing order | |||
| of option codes" as an alternative to "randomized order of | of option codes" as an alternative to "randomized order of | |||
| options". | options". | |||
| 8. In Section 4.5.1 revised the language stating lack of support for | 8. In Section 4.5.1 revised the language stating lack of support for | |||
| renewing temporary addresses, as RFC 3315 does in fact specify a | renewing temporary addresses, as RFC 3315 does in fact specify a | |||
| mechanism for doing so. | mechanism for doing so. | |||
| Changes from draft-03 to draft-04 address comments received during | ||||
| Working Group Last Call: | ||||
| 1. In Section 3, tightened the normative language and the use of | ||||
| message codes. | ||||
| 2. In Section 3.3, clarified the reference to the INIT-REBOOT | ||||
| scenario. | ||||
| 3. Revised the writing of Section 4.5 for greater clarity. | ||||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [I-D.ietf-dhc-rfc3315bis] | [I-D.ietf-dhc-rfc3315bis] | |||
| Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., | Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., | |||
| Richardson, M., Jiang, S., and T. Lemon, "Dynamic Host | Richardson, M., Jiang, S., and T. Lemon, "Dynamic Host | |||
| Configuration Protocol for IPv6 (DHCPv6) bis", draft-ietf- | Configuration Protocol for IPv6 (DHCPv6) bis", draft-ietf- | |||
| dhc-rfc3315bis-01 (work in progress), July 2015. | dhc-rfc3315bis-01 (work in progress), July 2015. | |||
| skipping to change at page 22, line 37 | skipping to change at page 23, line 32 | |||
| [I-D.ietf-6man-default-iids] | [I-D.ietf-6man-default-iids] | |||
| Gont, F., Cooper, A., Thaler, D., and S. LIU, | Gont, F., Cooper, A., Thaler, D., and S. LIU, | |||
| "Recommendation on Stable IPv6 Interface Identifiers", | "Recommendation on Stable IPv6 Interface Identifiers", | |||
| draft-ietf-6man-default-iids-07 (work in progress), August | draft-ietf-6man-default-iids-07 (work in progress), August | |||
| 2015. | 2015. | |||
| [I-D.ietf-6man-ipv6-address-generation-privacy] | [I-D.ietf-6man-ipv6-address-generation-privacy] | |||
| Cooper, A., Gont, F., and D. Thaler, "Privacy | Cooper, A., Gont, F., and D. Thaler, "Privacy | |||
| Considerations for IPv6 Address Generation Mechanisms", | Considerations for IPv6 Address Generation Mechanisms", | |||
| draft-ietf-6man-ipv6-address-generation-privacy-07 (work | draft-ietf-6man-ipv6-address-generation-privacy-08 (work | |||
| in progress), June 2015. | in progress), September 2015. | |||
| [I-D.ietf-dhc-dhcp-privacy] | [I-D.ietf-dhc-dhcp-privacy] | |||
| Jiang, S., Krishnan, S., and T. Mrugalski, "Privacy | Jiang, S., Krishnan, S., and T. Mrugalski, "Privacy | |||
| considerations for DHCPv4", draft-ietf-dhc-dhcp-privacy-01 | considerations for DHCPv4", draft-ietf-dhc-dhcp-privacy-01 | |||
| (work in progress), August 2015. | (work in progress), August 2015. | |||
| [I-D.ietf-dhc-dhcpv6-privacy] | [I-D.ietf-dhc-dhcpv6-privacy] | |||
| Krishnan, S., Mrugalski, T., and S. Jiang, "Privacy | Krishnan, S., Mrugalski, T., and S. Jiang, "Privacy | |||
| considerations for DHCPv6", draft-ietf-dhc- | considerations for DHCPv6", draft-ietf-dhc- | |||
| dhcpv6-privacy-01 (work in progress), August 2015. | dhcpv6-privacy-01 (work in progress), August 2015. | |||
| End of changes. 34 change blocks. | ||||
| 83 lines changed or deleted | 114 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||