draft-ietf-dhc-anonymity-profile-07.txt   draft-ietf-dhc-anonymity-profile-08.txt 
Network Working Group C. Huitema Network Working Group C. Huitema
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track T. Mrugalski Intended status: Standards Track T. Mrugalski
Expires: August 18, 2016 ISC Expires: August 22, 2016 ISC
S. Krishnan S. Krishnan
Ericsson Ericsson
February 15, 2016 February 19, 2016
Anonymity profile for DHCP clients Anonymity profile for DHCP clients
draft-ietf-dhc-anonymity-profile-07.txt draft-ietf-dhc-anonymity-profile-08.txt
Abstract Abstract
Some DHCP options carry unique identifiers. These identifiers can Some DHCP options carry unique identifiers. These identifiers can
enable device tracking even if the device administrator takes care of enable device tracking even if the device administrator takes care of
randomizing other potential identifications like link-layer addresses randomizing other potential identifications like link-layer addresses
or IPv6 addresses. The anonymity profile is designed for clients or IPv6 addresses. The anonymity profile is designed for clients
that wish to remain anonymous to the visited network. The profile that wish to remain anonymous to the visited network. The profile
provides guidelines on the composition of DHCP or DHCPv6 requests, provides guidelines on the composition of DHCP or DHCPv6 requests,
designed to minimize disclosure of identifying information. designed to minimize disclosure of identifying information.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2016. This Internet-Draft will expire on August 22, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 4 skipping to change at page 3, line 4
4.6. Option Request Option . . . . . . . . . . . . . . . . . . 19 4.6. Option Request Option . . . . . . . . . . . . . . . . . . 19
4.6.1. Previous option values . . . . . . . . . . . . . . . 19 4.6.1. Previous option values . . . . . . . . . . . . . . . 19
4.7. Authentication Option . . . . . . . . . . . . . . . . . . 19 4.7. Authentication Option . . . . . . . . . . . . . . . . . . 19
4.8. User and Vendor Class DHCPv6 options . . . . . . . . . . 19 4.8. User and Vendor Class DHCPv6 options . . . . . . . . . . 19
4.9. Client FQDN Option . . . . . . . . . . . . . . . . . . . 20 4.9. Client FQDN Option . . . . . . . . . . . . . . . . . . . 20
5. Operational Considerations . . . . . . . . . . . . . . . . . 20 5. Operational Considerations . . . . . . . . . . . . . . . . . 20
6. Security Considerations . . . . . . . . . . . . . . . . . . . 20 6. Security Considerations . . . . . . . . . . . . . . . . . . . 20
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20
9. Changes from previous versions . . . . . . . . . . . . . . . 21 9. Changes from previous versions . . . . . . . . . . . . . . . 21
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
10.1. Normative References . . . . . . . . . . . . . . . . . . 23 10.1. Normative References . . . . . . . . . . . . . . . . . . 24
10.2. Informative References . . . . . . . . . . . . . . . . . 24 10.2. Informative References . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction 1. Introduction
Reports surfaced recently of systems that would monitor the wireless There have been reports of systems that would monitor the wireless
connections of passengers at Canadian airports [CNBC]. We can assume connections of passengers at Canadian airports [CNBC]. We can assume
that these are either fragments or trial runs of a wider system that that these are either fragments or trial runs of a wider system that
would attempt to monitor Internet users as they roam through wireless would attempt to monitor Internet users as they roam through wireless
access points and other temporary network attachments. We can also access points and other temporary network attachments. We can also
assume that privacy conscious users will attempt to evade this assume that privacy conscious users will attempt to evade this
monitoring, for example by ensuring that low level identifiers such monitoring, for example by ensuring that low level identifiers such
as link-layer addresses are "randomized," so that the devices do not as link-layer addresses are "randomized," so that the devices do not
broadcast a unique identifier in every location that they visit. broadcast the same unique identifier in every location that they
visit.
Of course, link layer "MAC" addresses are not the only way to Of course, link layer "MAC" addresses are not the only way to
identify a device. As soon as it connects to a remote network, the identify a device. As soon as it connects to a remote network, the
device may use DHCP and DHCPv6 to obtain network parameters. The device may use DHCP and DHCPv6 to obtain network parameters. The
analysis of DHCP and DHCPv6 options shows that parameters of these analysis of DHCP and DHCPv6 options shows that parameters of these
protocols can reveal identifiers of the device, negating the benefits protocols can reveal identifiers of the device, negating the benefits
of link-layer address randomization. This is documented in detail in of link-layer address randomization. This is documented in detail in
[I-D.ietf-dhc-dhcp-privacy] and [I-D.ietf-dhc-dhcpv6-privacy]. The [I-D.ietf-dhc-dhcp-privacy] and [I-D.ietf-dhc-dhcpv6-privacy]. The
natural reaction is to restrict the number and values of such natural reaction is to restrict the number and values of such
parameters in order to minimize disclosure. parameters in order to minimize disclosure.
skipping to change at page 4, line 23 skipping to change at page 4, line 24
individual people, even when all application data sent from the individual people, even when all application data sent from the
devices is encrypted. link-layer addresses can also be correlated devices is encrypted. link-layer addresses can also be correlated
with IP addresses of devices, negating potential privacy benefits of with IP addresses of devices, negating potential privacy benefits of
IPv6 "privacy" addresses. Privacy advocates have reasons to be IPv6 "privacy" addresses. Privacy advocates have reasons to be
concerned. concerned.
The obvious solution is to "randomize" the MAC address. Before The obvious solution is to "randomize" the MAC address. Before
connecting to a particular network, the device replaces the MAC connecting to a particular network, the device replaces the MAC
address with a randomly drawn 48 bit value. Link-layer address address with a randomly drawn 48 bit value. Link-layer address
randomization was successfully tried at the IETF in Honolulu in randomization was successfully tried at the IETF in Honolulu in
November 2014 [IETFMACRandom]. However, we have to consider the November 2014 [IETFMACRandom] and in following meetings
linkage between link-layer addresses, DHCP identifiers and IP [IETFTrialsAndMore]; it is studied in the IEEE 802 EC Privacy
addresses. Recommendation Study Group [IEEE802PRSG]. However, we have to
consider the linkage between link-layer addresses, DHCP identifiers
and IP addresses.
2.1. MAC address Randomization hypotheses 2.1. MAC address Randomization hypotheses
There is not yet an established standard for randomizing link-layer There is not yet an established standard for randomizing link-layer
addresses. Various prototypes have tried different strategies, such addresses. Various prototypes have tried different strategies, such
as: as:
Per connection: Configure a random link-layer address at the time of Per connection: Configure a random link-layer address at the time of
connecting to a network, e.g. to specific Wi-Fi SSID, and keep it connecting to a network, e.g. to specific Wi-Fi SSID, and keep it
for the duration of the connection. for the duration of the connection.
skipping to change at page 5, line 8 skipping to change at page 5, line 11
connection" or "per network" variants. On Wi-Fi networks, changing connection" or "per network" variants. On Wi-Fi networks, changing
the link-layer address requires dropping the existing Wi-Fi the link-layer address requires dropping the existing Wi-Fi
connection and then re-establishing it, which implies repeating the connection and then re-establishing it, which implies repeating the
connection process and associated procedures. The IP addresses will connection process and associated procedures. The IP addresses will
change, which means that all required TCP connections will have to be change, which means that all required TCP connections will have to be
re-established. If the network access is provided through a NAT, re-established. If the network access is provided through a NAT,
changing IP address also means that the NAT traversal procedures will changing IP address also means that the NAT traversal procedures will
have to be restarted. This means a lot of disruption. At the same have to be restarted. This means a lot of disruption. At the same
time, an observer on the network will easily notice that a station time, an observer on the network will easily notice that a station
left, another came in just after that, and that the new one appears left, another came in just after that, and that the new one appears
to be communicating with pretty much the same set of IP addresses as to be communicating with the same set of IP addresses as the old one.
the old one. This provides for easy correlation. This provides for easy correlation.
The anonymity profile pretty much assumes that the link-layer address The anonymity profile pretty much assumes that the link-layer address
randomization follows the "per connection" or "per network" randomization follows the "per connection" or "per network"
strategies, or a variant of the "time interval" strategy in which the strategies, or a variant of the "time interval" strategy in which the
interval has about the same duration as the average connection. interval has about the same duration as the average connection.
2.2. MAC address Randomization and DHCP 2.2. MAC address Randomization and DHCP
From a privacy point of view, it is clear that link-layer address, IP From a privacy point of view, it is clear that link-layer address, IP
address and DHCP identifier shall evolve in synchrony. For example, address and DHCP identifier shall evolve in synchrony. For example,
skipping to change at page 6, line 45 skipping to change at page 6, line 47
anonymous, it would be good if the client told the server about that anonymous, it would be good if the client told the server about that
in case the server is willing to co-operate. Another possibility in case the server is willing to co-operate. Another possibility
would be to use specific privacy-oriented construct, such as for would be to use specific privacy-oriented construct, such as for
example a new type of DUID for a temporary DUID that would be example a new type of DUID for a temporary DUID that would be
changing over time. changing over time.
This is not workable in a large number of cases as it is possible This is not workable in a large number of cases as it is possible
that the network operator (or other entities that have access to the that the network operator (or other entities that have access to the
operator's network) might be actively participating in surveillance operator's network) might be actively participating in surveillance
and anti-privacy, willingly or not. Declaring a preference for and anti-privacy, willingly or not. Declaring a preference for
anonymity is a bit like walking around with a Guy Fawkes mask. When anonymity is a bit like walking around with a Guy Fawkes mask. (See
anonymity is required, it is generally not a good idea to stick out [GuyFawkesMask] for an explanation of this usage.) When anonymity is
of the crowd. Simply revealing the desire for privacy, could cause required, it is generally not a good idea to stick out of the crowd.
the attacker to react by triggering additional surveillance or Simply revealing the desire for privacy, could cause the attacker to
monitoring mechanisms. Therefore we feel that it is preferable to react by triggering additional surveillance or monitoring mechanisms.
not disclose one's desire for privacy.
Therefore we feel that it is preferable to not disclose one's desire
for privacy.
This preference leads to some important implications. In particular, This preference leads to some important implications. In particular,
we make an effort to make the mitigation techniques difficult to we make an effort to make the mitigation techniques difficult to
distinguish from regular client behaviors, if at all possible. distinguish from regular client behaviors, if at all possible.
2.6. Using the anonymity profiles 2.6. Using the anonymity profiles
There are downsides to randomizing link-layer addresses and DHCP There are downsides to randomizing link-layer addresses and DHCP
identifiers. By definition, randomization will break management identifiers. By definition, randomization will break management
procedures that rely on tracking link-layer addresses. Even if this procedures that rely on tracking link-layer addresses. Even if this
skipping to change at page 7, line 26 skipping to change at page 7, line 29
that many devices would get new random link-layer addresses at short that many devices would get new random link-layer addresses at short
intervals, maybe every few minutes. This would generate new DHCP intervals, maybe every few minutes. This would generate new DHCP
requests in rapid succession, with a high risk of exhausting DHCPv4 requests in rapid succession, with a high risk of exhausting DHCPv4
address pools. Even with IPv6, there would still be a risk of address pools. Even with IPv6, there would still be a risk of
increased neighbor discovery traffic, and bloating of various address increased neighbor discovery traffic, and bloating of various address
tables. Implementers will have to be cautious when programming tables. Implementers will have to be cautious when programming
devices to use randomized MAC addresses. They will have to carefully devices to use randomized MAC addresses. They will have to carefully
chose the frequency with which such addresses will be renewed. chose the frequency with which such addresses will be renewed.
This document only provides guidelines for using DHCP when clients This document only provides guidelines for using DHCP when clients
care about privacy and servers do not object. We assume that the care about privacy. We assume that the request for anonymity is
request for anonymity is materialized by the assignment of a materialized by the assignment of a randomized link-layer address to
randomized link-layer address to the network interface. Once that the network interface. Once that decision is made, the following
decision is made, the following guidelines will avoid leakage of guidelines will avoid leakage of identity in DHCP parameters or in
identity in DHCP parameters or in assigned addresses. assigned addresses.
There may be rare situations where the clients want anonymity to There may be rare situations where the clients want anonymity to
attackers but not to their DHCP server. These clients should still attackers but not to their DHCP server. These clients should still
use link-layer address randomization to hide from observers, and some use link-layer address randomization to hide from observers, and some
form of encrypted communication to the DHCP server. This scenario is form of encrypted communication to the DHCP server. This scenario is
out of scope for this document. out of scope for this document.
To preserve anonymity, the clients need to not use stable values for To preserve anonymity, the clients need to not use stable values for
the client identifiers. This is clearly a tradeoff, because a stable the client identifiers. This is clearly a tradeoff, because a stable
client identifier guarantees that the client will receive consistent client identifier guarantees that the client will receive consistent
skipping to change at page 9, line 35 skipping to change at page 9, line 35
encoding for these options, and transmit options in different orders. encoding for these options, and transmit options in different orders.
These choices can be use to fingerprint the client. These choices can be use to fingerprint the client.
The following sections provide guidance on the encoding of options The following sections provide guidance on the encoding of options
and fields within the packets. However, this guidance alone may not and fields within the packets. However, this guidance alone may not
be sufficient to prevent fingerprinting from revealing information, be sufficient to prevent fingerprinting from revealing information,
such as the device type, vendor type or OS type and in some cases such as the device type, vendor type or OS type and in some cases
specific version, or from revealing whether the client is using the specific version, or from revealing whether the client is using the
anonymity profile. anonymity profile.
The client willing to protect its privacy SHOULD limit the subset of The client intending to protect its privacy SHOULD limit the subset
options sent in messages to the subset listed in the following of options sent in messages to the subset listed in the remaining
sections. subsections.
The client willing to protect its privacy SHOULD randomize options The client intending to protect its privacy SHOULD randomize options
order before sending any DHCPv4 message. If this random ordering order before sending any DHCPv4 message. If this random ordering
cannot be implemented, the client MAY arrange options by increasing cannot be implemented, the client MAY arrange options by increasing
order of option codes. order of option codes.
3.2. Client IP address field 3.2. Client IP address field
Four bytes in the header of the DHCP messages carry the "Client IP Four bytes in the header of the DHCP messages carry the "Client IP
address" (ciaddr) as defined in [RFC2131]. In DHCP, this field is address" (ciaddr) as defined in [RFC2131]. In DHCP, this field is
used by the clients to indicate the address that they used used by the clients to indicate the address that they used
previously, so that as much as possible the server can allocate them previously, so that as much as possible the server can allocate them
the same address. the same address.
There is very little privacy implication of sending this address in There is very little privacy implication of sending this address in
the DHCP messages, except in one case, when connecting to a different the DHCP messages, except in one case, when connecting to a different
network than the last network connected. If the DHCP client somehow network than the last network connected. If the DHCP client somehow
repeated the address used in a previous network attachment, repeated the address used in a previous network attachment,
monitoring services might use the information to tie the two network monitoring services might use the information to tie the two network
locations. DHCP clients should ensure that the field is cleared when locations. DHCP clients SHOULD ensure that the field is cleared when
they know that the network attachment has changed, and in particular they know that the network attachment has changed, and in particular
if the link layer address is reset by the device's administrator. if the link layer address is reset by the device's administrator.
The clients using the anonymity profile MUST NOT include in the The clients using the anonymity profile MUST NOT include in the
message a Client IP Address that has been obtained with a different message a Client IP Address that has been obtained with a different
link-layer address. link-layer address.
3.3. Requested IP address option 3.3. Requested IP address option
The Requested IP address option is defined in [RFC2132] with code 50. The Requested IP address option is defined in [RFC2132] with code 50.
skipping to change at page 11, line 14 skipping to change at page 11, line 14
3.4. Client hardware address field 3.4. Client hardware address field
Sixteen bytes in the header of the DHCP messages carry the "Client Sixteen bytes in the header of the DHCP messages carry the "Client
hardware address" (chaddr) as defined in [RFC2131]. The presence of hardware address" (chaddr) as defined in [RFC2131]. The presence of
this address is necessary for the proper operation of the DHCP this address is necessary for the proper operation of the DHCP
service. service.
Hardware addresses, called "link layer address" in many RFCs, can be Hardware addresses, called "link layer address" in many RFCs, can be
used to uniquely identify a device, especially if they follow the used to uniquely identify a device, especially if they follow the
IEEE 802 recommendations. These unique identifiers can be used by IEEE 802 recommendations. If the hardware address is reset to a new
monitoring services to track the location of the device and its user. value, or randomized, the DHCP client SHOULD use the new randomized
The only plausible defense is to somehow reset the hardware address value in the DHCP messages.
to a random value when visiting an untrusted location, before
transmitting anything at that location with the hardware address. If
the hardware address is reset to a new value, or randomized, the DHCP
client SHOULD use the new randomized value in the DHCP messages.
3.5. Client Identifier Option 3.5. Client Identifier Option
The client identifier option is defined in [RFC2132] with option code The client identifier option is defined in [RFC2132] with option code
61. It is discussed in detail in [RFC4361]. The purpose of the 61. It is discussed in detail in [RFC4361]. The purpose of the
client identifier option is to identify the client in a manner client identifier option is to identify the client in a manner
independent of the link layer address. This is particularly useful independent of the link layer address. This is particularly useful
if the DHCP server is expected to assign the same address to the if the DHCP server is expected to assign the same address to the
client after a network attachment is swapped and the link layer client after a network attachment is swapped and the link layer
address changes. It is also useful when the same node issues address changes. It is also useful when the same node issues
skipping to change at page 12, line 6 skipping to change at page 11, line 51
(e.g., the Ethernet MAC address)." These strong recommendations are (e.g., the Ethernet MAC address)." These strong recommendations are
in fact a tradeoff between ease of management and privacy, and the in fact a tradeoff between ease of management and privacy, and the
tradeoff should depend on the circumstances. tradeoff should depend on the circumstances.
In contradiction to [RFC4361], when using the anonymity profile, DHCP In contradiction to [RFC4361], when using the anonymity profile, DHCP
clients MUST use client identifiers based solely on the link layer clients MUST use client identifiers based solely on the link layer
address that will be used in the underlying connection. This will address that will be used in the underlying connection. This will
ensure that the DHCP client identifier does not leak any information ensure that the DHCP client identifier does not leak any information
that is not already available to entities monitoring the network that is not already available to entities monitoring the network
connection. It will also ensure that a strategy of randomizing the connection. It will also ensure that a strategy of randomizing the
link layer address will not be nullified by DHCP options. link layer address will not be nullified by the Client Identifier
Option.
There are usages of DHCP where the underlying connection is a point There are usages of DHCP where the underlying connection is a point
to point link, in which case there is no link layer address available to point link, in which case there is no link layer address available
to construct a non-revealing identifier. If anonymity is desired in to construct a non-revealing identifier. If anonymity is desired in
such networks, the client SHOULD pick a random identifier that is such networks, the client SHOULD pick a random identifier that is
highly likely to be unique to the current link, using for example a highly likely to be unique to the current link, using for example a
combination of a local secret and an identifier of the connection. combination of a local secret and an identifier of the connection.
The algorithm for combining secret and identifiers described in The algorithm for combining secret and identifiers described in
section 5 of [RFC7217] solves a similar problem. The criteria for section 5 of [RFC7217] solves a similar problem. The criteria for
the generation of random numbers are stated in [RFC4086]. the generation of random numbers are stated in [RFC4086].
skipping to change at page 13, line 17 skipping to change at page 13, line 13
device. Monitoring services could use that information in device. Monitoring services could use that information in
conjunction with traffic analysis and quickly derive the identity of conjunction with traffic analysis and quickly derive the identity of
the device's owner. the device's owner.
When using the anonymity profile, DHCP clients SHOULD NOT send the When using the anonymity profile, DHCP clients SHOULD NOT send the
host name option. If they chose to send the option, DHCP clients host name option. If they chose to send the option, DHCP clients
MUST always send a non-qualified host name instead of a fully MUST always send a non-qualified host name instead of a fully
qualified domain name, and MUST obfuscate the host name value. qualified domain name, and MUST obfuscate the host name value.
There are many ways to obfuscate a host name. The construction rules There are many ways to obfuscate a host name. The construction rules
SOULD guarantee that a different host name is generated each time the SHOULD guarantee that a different host name is generated each time
link-layer address changes and that the obfuscated host name will not the link-layer address changes and that the obfuscated host name will
reveal the underlying link layer address. The construction SHOULD not reveal the underlying link layer address. The construction
generate names that are unique enough to minimize collisions in the SHOULD generate names that are unique enough to minimize collisions
local link. Clients MAY use the following algorithm: compute a in the local link. Clients MAY use the following algorithm: compute
secure hash of a local secret and of the link layer address that will a secure hash of a local secret and of the link layer address that
be used in the underlying connection, and then use the hexadecimal will be used in the underlying connection, and then use the
representation of the first 6 bytes of the hash as the obfuscated hexadecimal representation of the first 6 bytes of the hash as the
host name. obfuscated host name.
There is a potential downside to having a specific name pattern for There is a potential downside to having a specific name pattern for
hosts that require anonymity, as explained in Section 2.5. For this hosts that require anonymity, as explained in Section 2.5. For this
reason, the above algorithm is just a suggestion. reason, the above algorithm is just a suggestion.
3.8. Client FQDN Option 3.8. Client FQDN Option
The Client FQDN option is defined in [RFC4702] with option code 81. The Client FQDN option is defined in [RFC4702] with option code 81.
The option allows the DHCP clients to advertise to the DHCP server The option allows the DHCP clients to advertise to the DHCP server
their fully qualified domain name (FQDN) such as their fully qualified domain name (FQDN) such as
skipping to change at page 14, line 25 skipping to change at page 14, line 23
identifies the device. identifies the device.
The PXE system is clearly designed for devices operating in a The PXE system is clearly designed for devices operating in a
controlled environment. The main usage of the PXE system is to controlled environment. The main usage of the PXE system is to
install a new version of the operating system through a high speed install a new version of the operating system through a high speed
Ethernet connection. The process is typically controlled from the Ethernet connection. The process is typically controlled from the
user interface during the boot process. Common sense seems to user interface during the boot process. Common sense seems to
dictate that getting a new operating system from an unauthenticated dictate that getting a new operating system from an unauthenticated
server at an untrusted location is a really bad idea, and that even server at an untrusted location is a really bad idea, and that even
if the option was available users would not activate it. In any if the option was available users would not activate it. In any
case, the option is only used in the "pre boot" environment, and is case, the option is only used in the "pre boot" environment, and
there is no reason to use it once the system is up and running. If there is no reason to use it once the system is up and running.
only for privacy reasons, nodes visiting untrusted networks MUST NOT Nodes visiting untrusted networks MUST NOT send or use the PXE
send or use the PXE options. options.
3.10. User and Vendor Class DHCP options 3.10. User and Vendor Class DHCP options
Vendor identifying options are defined in [RFC2132] and [RFC3925]. Vendor identifying options are defined in [RFC2132] and [RFC3925].
When using the anonymity profile, DHCP clients SHOULD NOT use the When using the anonymity profile, DHCP clients SHOULD NOT use the
Vendor Specific Information option (code 43), the Vendor Class Vendor Specific Information option (code 43), the Vendor Class
Identifier Option (60), the Vendor Class option (code 124), or the Identifier Option (60), the Vendor Class option (code 124), or the
Vendor Specific Information option (code 125) as these options Vendor Specific Information option (code 125) as these options
potentially reveal identifying information. potentially reveal identifying information.
skipping to change at page 15, line 11 skipping to change at page 15, line 9
constructing these prefixes have different implications on privacy, constructing these prefixes have different implications on privacy,
which are discussed in [I-D.ietf-6man-default-iids] and which are discussed in [I-D.ietf-6man-default-iids] and
[I-D.ietf-6man-ipv6-address-generation-privacy]. In the stateless [I-D.ietf-6man-ipv6-address-generation-privacy]. In the stateless
scenario, clients use DHCPv6 to obtain network configuration scenario, clients use DHCPv6 to obtain network configuration
parameters, through the INFORMATION-REQUEST message. parameters, through the INFORMATION-REQUEST message.
The choice between the stateful and stateless scenarios depends on The choice between the stateful and stateless scenarios depends on
flag and prefix options published by the "Router Advertisement" flag and prefix options published by the "Router Advertisement"
messages of local routers, as specified in [RFC4861]. When these messages of local routers, as specified in [RFC4861]. When these
options enable stateless address configuration hosts using the options enable stateless address configuration hosts using the
anonymity profile SHOULD choose it over stateful address anonymity profile SHOULD use stateless address configuration instead
configuration, because stateless configuration requires fewer of stateful address configuration, because stateless configuration
information disclosures than stateful configuration. requires fewer information disclosures than stateful configuration.
When using the anonymity profile, DHCPv6 clients carefully select When using the anonymity profile, DHCPv6 clients carefully select
DHCPv6 options used in the various messages that they send. The list DHCPv6 options used in the various messages that they send. The list
of options that are mandatory or optional for each message is of options that are mandatory or optional for each message is
specified in [RFC3315]. Some of these options have specific specified in [RFC3315]. Some of these options have specific
implications on anonymity. The following sections provide guidance implications on anonymity. The following sections provide guidance
on the choice of option values when using the anonymity profile. on the choice of option values when using the anonymity profile.
4.1. Avoiding fingerprinting 4.1. Avoiding fingerprinting
There are many choices for implementing DHCPv6 messages. As There are many choices for implementing DHCPv6 messages. As
explained in Section 3.1, these choices can be use to fingerprint the explained in Section 3.1, these choices can be use to fingerprint the
client. client.
The following sections provide guidance on the encoding of options. The following sections provide guidance on the encoding of options.
However, this guidance alone may not be sufficient to prevent However, this guidance alone may not be sufficient to prevent
fingerprinting from revealing information, such as the device type, fingerprinting from revealing information, such as the device type,
vendor type or OS type and in some cases specific version, or from vendor type or OS type and in some cases specific version, or from
revealing whether the client is using the anonymity profile. revealing whether the client is using the anonymity profile.
The client willing to protect its privacy SHOULD limit the subset of The client intending to protect its privacy SHOULD limit the subset
options sent in messages to the subset listed in the following of options sent in messages to the subset listed in the following
sections. sections.
The client willing to protect its privacy SHOULD randomize options The client intending to protect its privacy SHOULD randomize options
order before sending any DHCPv6 message. If this random ordering order before sending any DHCPv6 message. If this random ordering
cannot be implemented, the client MAY arrange options by increasing cannot be implemented, the client MAY arrange options by increasing
order of option codes. order of option codes.
4.2. Do not send Confirm messages, unless really sure where 4.2. Do not send Confirm messages, unless really sure where
[RFC3315] requires clients to send a Confirm message when they attach [RFC3315] requires clients to send a Confirm message when they attach
to a new link to verify whether the addressing and configuration to a new link to verify whether the addressing and configuration
information they previously received is still valid. This information they previously received is still valid. This
requirement was relaxed in [I-D.ietf-dhc-rfc3315bis]. When these requirement was relaxed in [I-D.ietf-dhc-rfc3315bis]. When these
skipping to change at page 17, line 7 skipping to change at page 17, line 7
set to 1 (DUID-LLT). Hardware type SHOULD be set appropriately to set to 1 (DUID-LLT). Hardware type SHOULD be set appropriately to
the hardware type. The link address embedded in the LLT SHOULD be the hardware type. The link address embedded in the LLT SHOULD be
set to a randomized value. Time SHOULD be set to a random timestamp set to a randomized value. Time SHOULD be set to a random timestamp
from the previous year. Time MAY be set to current time, but this from the previous year. Time MAY be set to current time, but this
will reveal the fact that the DUID is newly generated, and could will reveal the fact that the DUID is newly generated, and could
provide information for device fingerprinting. The criteria for provide information for device fingerprinting. The criteria for
generating highly unique random numbers are listed in [RFC4086]. generating highly unique random numbers are listed in [RFC4086].
4.3.1. Anonymous Information-Request 4.3.1. Anonymous Information-Request
According to [RFC3315], a DHCPv6 client typically includes its client According to [RFC3315], a DHCPv6 client includes its client
identifier in most of the messages it sends. There is one exception, identifier in most of the messages it sends. There is one exception,
however. Client is allowed to omit its client identifier when however. Client is allowed to omit its client identifier when
sending Information-Request. sending Information-Request.
When using stateless DHCPv6, clients wanting to protect their privacy When using stateless DHCPv6, clients wanting to protect their privacy
SHOULD NOT include client identifiers in their Information-Request SHOULD NOT include client identifiers in their Information-Request
messages. This will prevent the server from specifying client- messages. This will prevent the server from specifying client-
specific options if it is configured to do so, but the need for specific options if it is configured to do so, but the need for
anonymity precludes such options anyway. anonymity precludes such options anyway.
skipping to change at page 17, line 31 skipping to change at page 17, line 31
Server Identifier Option (code 2) as specified in [RFC3315]. Clients Server Identifier Option (code 2) as specified in [RFC3315]. Clients
MUST only include server identifier values that were received with MUST only include server identifier values that were received with
the current link-layer address, because reuse of old values discloses the current link-layer address, because reuse of old values discloses
information that can be used to identify the client. information that can be used to identify the client.
4.5. Address assignment options 4.5. Address assignment options
When using the anonymity profile, DHCPv6 clients might have to use When using the anonymity profile, DHCPv6 clients might have to use
SOLICIT or REQUEST messages to obtain IPv6 addresses through the DHCP SOLICIT or REQUEST messages to obtain IPv6 addresses through the DHCP
server. In DHCPv6, the collection of addresses assigned to a client server. In DHCPv6, the collection of addresses assigned to a client
is indemtified by an Identity Association (IA).Clients interested in is identified by an Identity Association (IA).Clients interested in
privacy SHOULD request addresses using the Identity Association for privacy SHOULD request addresses using the Identity Association for
Non-temporary Addresses Option (IA_NA, code 3). Non-temporary Addresses Option (IA_NA, code 3).
The IA_NA option includes an IAID parameter that identifies a unique The IA_NA option includes an IAID parameter that identifies a unique
identity association for the interface for which the Address is identity association for the interface for which the Address is
requested. Clients interested in protecting their privacy MUST requested. Clients interested in protecting their privacy MUST
ensure that the IAID does not enable client identification. They ensure that the IAID does not enable client identification. They
also need to conform to the requirement of [RFC3315] that the IAID also need to conform to the requirement of [RFC3315] that the IAID
for that IA MUST be consistent across restarts of the DHCP client. for that IA MUST be consistent across restarts of the DHCP client.
We interpret that as requiring that the IAID MUST be constant for the We interpret that as requiring that the IAID MUST be constant for the
skipping to change at page 23, line 41 skipping to change at page 23, line 41
2. In Section 4.3, added precision that the generated DUID-LLT are 2. In Section 4.3, added precision that the generated DUID-LLT are
meaningless, and added an informative reference to [RFC4086]. meaningless, and added an informative reference to [RFC4086].
3. In Section 4.5.2, reworked the text to reflect the consensus from 3. In Section 4.5.2, reworked the text to reflect the consensus from
IPv6 experts and provide informed guidance on the use of the IPv6 experts and provide informed guidance on the use of the
option if prefix delegation is required. option if prefix delegation is required.
4. In Section 5, noticed servers that might mandate link layer 4. In Section 5, noticed servers that might mandate link layer
address registration. address registration.
Changes from draft-07 to draft-08 address comments received during
IESG review
1. Corrected a number of typos and applied several minor editing
suggestions.
2. Added reference to IEEE study group and other IETF experiments in
Section 2.
3. Added reference to journal paper on Guy Fawkes mask in
Section 2.5.
4. Removed "if servers do not object" from appliction scope in
Section 2.6.
5. Removed redondant text from Section 3.4.
6. In Section 3.5, say "will not be nullified by the Client
Identifier Option" instead of "will not be nullified by DHCP
options."
7. In Section 3.9, remove the qualification "if only for privacy
reasons."
8. Clarified the preference for stateless address configuration in
Section 4.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", [RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
skipping to change at page 24, line 39 skipping to change at page 25, line 18
<http://www.rfc-editor.org/info/rfc4941>. <http://www.rfc-editor.org/info/rfc4941>.
10.2. Informative References 10.2. Informative References
[CNBC] Weston, G., Greenwald, G., and R. Gallagher, "CBC News: [CNBC] Weston, G., Greenwald, G., and R. Gallagher, "CBC News:
CSEC used airport Wi-Fi to track Canadian travellers", Jan CSEC used airport Wi-Fi to track Canadian travellers", Jan
2014, <http://www.cbc.ca/news/politics/csec-used-airport- 2014, <http://www.cbc.ca/news/politics/csec-used-airport-
wi-fi-to-track-canadian-travellers-edward-snowden- wi-fi-to-track-canadian-travellers-edward-snowden-
documents-1.2517881>. documents-1.2517881>.
[GuyFawkesMask]
Nickelsburg, M., "A brief history of the Guy Fawkes mask",
July 2013, <http://theweek.com/articles/463151/
brief-history-guy-fawkes-mask>.
[I-D.ietf-6man-default-iids] [I-D.ietf-6man-default-iids]
Gont, F., Cooper, A., Thaler, D., and S. LIU, Gont, F., Cooper, A., Thaler, D., and S. LIU,
"Recommendation on Stable IPv6 Interface Identifiers", "Recommendation on Stable IPv6 Interface Identifiers",
draft-ietf-6man-default-iids-09 (work in progress), draft-ietf-6man-default-iids-10 (work in progress),
January 2016. February 2016.
[I-D.ietf-6man-ipv6-address-generation-privacy] [I-D.ietf-6man-ipv6-address-generation-privacy]
Cooper, A., Gont, F., and D. Thaler, "Privacy Cooper, A., Gont, F., and D. Thaler, "Privacy
Considerations for IPv6 Address Generation Mechanisms", Considerations for IPv6 Address Generation Mechanisms",
draft-ietf-6man-ipv6-address-generation-privacy-08 (work draft-ietf-6man-ipv6-address-generation-privacy-08 (work
in progress), September 2015. in progress), September 2015.
[I-D.ietf-dhc-dhcp-privacy] [I-D.ietf-dhc-dhcp-privacy]
Jiang, S., Krishnan, S., and T. Mrugalski, "Privacy Jiang, S., Krishnan, S., and T. Mrugalski, "Privacy
considerations for DHCPv4", draft-ietf-dhc-dhcp-privacy-03 considerations for DHCP", draft-ietf-dhc-dhcp-privacy-04
(work in progress), January 2016. (work in progress), February 2016.
[I-D.ietf-dhc-dhcpv6-privacy] [I-D.ietf-dhc-dhcpv6-privacy]
Krishnan, S., Mrugalski, T., and S. Jiang, "Privacy Krishnan, S., Mrugalski, T., and S. Jiang, "Privacy
considerations for DHCPv6", draft-ietf-dhc- considerations for DHCPv6", draft-ietf-dhc-
dhcpv6-privacy-03 (work in progress), January 2016. dhcpv6-privacy-04 (work in progress), February 2016.
[I-D.ietf-dhc-rfc3315bis] [I-D.ietf-dhc-rfc3315bis]
Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
Richardson, M., Jiang, S., and T. Lemon, "Dynamic Host Richardson, M., Jiang, S., and T. Lemon, "Dynamic Host
Configuration Protocol for IPv6 (DHCPv6) bis", draft-ietf- Configuration Protocol for IPv6 (DHCPv6) bis", draft-ietf-
dhc-rfc3315bis-03 (work in progress), February 2016. dhc-rfc3315bis-03 (work in progress), February 2016.
[IEEE8021X] [IEEE8021X]
IEEE Std 802.1X-2010, "IEEE Standards for Local and IEEE Std 802.1X-2010, "IEEE Standards for Local and
Metropolitan Area Networks: Port based Network Access Metropolitan Area Networks: Port based Network Access
Control", Feb 2010, <http://standards.ieee.org/getieee802/ Control", Feb 2010, <http://standards.ieee.org/getieee802/
download/802.1X-2010.pdf>. download/802.1X-2010.pdf>.
[IEEE802PRSG]
IEEE 802 EC PRSG, "IEEE 802 EC Privacy Recommendation
Study Group", Dec 2015,
<http://www.ieee802.org/PrivRecsg/>.
[IETFMACRandom] [IETFMACRandom]
Zuniga, JC., "MAC Privacy", November 2014, Zuniga, JC., "MAC Privacy", November 2014,
<http://www.ietf.org/blog/2014/11/mac-privacy/>. <http://www.ietf.org/blog/2014/11/mac-privacy/>.
[IETFTrialsAndMore]
Bernardos, CJ., Zuniga, JC., and P. O'Hanlon, "Wi-Fi
Internet connectivity and privacy: hiding your tracks on
the wireless Internet", October 2015,
<http://www.it.uc3m.es/cjbc/papers/
pdf/2015_bernardos_cscn_privacy.pdf>.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
<http://www.rfc-editor.org/info/rfc2132>. <http://www.rfc-editor.org/info/rfc2132>.
[RFC3925] Littlefield, J., "Vendor-Identifying Vendor Options for [RFC3925] Littlefield, J., "Vendor-Identifying Vendor Options for
Dynamic Host Configuration Protocol version 4 (DHCPv4)", Dynamic Host Configuration Protocol version 4 (DHCPv4)",
RFC 3925, DOI 10.17487/RFC3925, October 2004, RFC 3925, DOI 10.17487/RFC3925, October 2004,
<http://www.rfc-editor.org/info/rfc3925>. <http://www.rfc-editor.org/info/rfc3925>.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
 End of changes. 30 change blocks. 
65 lines changed or deleted 111 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/