draft-ietf-6man-default-iids-00.txt   draft-ietf-6man-default-iids-01.txt 
IPv6 maintenance Working Group (6man) F. Gont IPv6 maintenance Working Group (6man) F. Gont
Internet-Draft SI6 Networks / UTN-FRH Internet-Draft SI6 Networks / UTN-FRH
Updates: 2464, 2467, 2470, 4291 A. Cooper Updates: 2464, 2467, 2470, 2491, 2492, A. Cooper
(if approved) Cisco 2497, 2590, 3146, 3572, 4291, Cisco
Intended status: Standards Track D. Thaler 4338, 4391, 5072, 5121 (if D. Thaler
Expires: July 28, 2014 Microsoft approved) Microsoft
W. Liu Intended status: Standards Track W. Liu
Huawei Technologies Expires: April 11, 2015 Huawei Technologies
January 24, 2014 October 8, 2014
Recommendation on Stable IPv6 Interface Identifiers Recommendation on Stable IPv6 Interface Identifiers
draft-ietf-6man-default-iids-00 draft-ietf-6man-default-iids-01
Abstract Abstract
Stateless Address Autoconfiguration (SLAAC) for IPv6 typically The IPv6 addressing architecture defines Modified EUI-64 format
results in hosts configuring one or more stable addresses composed of Interface Identifiers, and the existing IPv6 over various link-layers
a network prefix advertised by a local router, and an Interface specify how such identifiers are derived from the underlying link-
Identifier that typically embeds a hardware address (e.g., an IEEE layer address (e.g., an IEEE LAN MAC address) when employing IPv6
LAN MAC address). The security and privacy implications of embedding Stateless Address Autoconfiguration (SLAAC). The security and
hardware addresses in the Interface Identifier have been known and privacy implications of embedding hardware addresses in the Interface
understood for some time now, and some popular IPv6 implementations Identifier have been known and understood for some time now, and some
have already deviated from such schemes to mitigate these issues. popular IPv6 implementations have already deviated from such schemes
This document recommends [I-D.ietf-6man-stable-privacy-addresses] as to mitigate these issues. This document changes the recommended
the default scheme for the generating stable IPv6 addresses and default Interface Identifier generation scheme to that specified in
recommends against embedding hardware addresses in IPv6 Interface RFC7217, and recommends against embedding hardware addresses in IPv6
Identifiers. Interface Identifiers. It formally updates RFC2464, RFC2467,
RFC2470, RFC2491, RFC2492, RFC2497, RFC2590, RFC3146, RFC3572,
RFC4291, RFC4338, RFC4391, RFC5072, and RFC5121, wihch require IPv6
Interface Identifiers to be derived from the underlying link-layer
address.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 11, 2015.
This Internet-Draft will expire on July 28, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
skipping to change at page 2, line 19 skipping to change at page 2, line 23
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Generation of IPv6 Interface Identifiers . . . . . . . . . . . 5 3. Generation of IPv6 Interface Identifiers . . . . . . . . . . 3
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 4. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
7.1. Normative References . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.2. Informative References . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction 1. Introduction
[RFC4862] specifies Stateless Address Autoconfiguration (SLAAC) for [RFC4862] specifies Stateless Address Autoconfiguration (SLAAC) for
IPv6 [RFC2460], which typically results in hosts configuring one or IPv6 [RFC2460], which typically results in hosts configuring one or
more "stable" addresses composed of a network prefix advertised by a more "stable" addresses composed of a network prefix advertised by a
local router, and an Interface Identifier (IID) [RFC4291] that local router, and an Interface Identifier (IID) [RFC4291] that
typically embeds a hardware address (e.g., an IEEE LAN MAC address). typically embeds a hardware address (e.g., an IEEE LAN MAC address).
The security and privacy implications of embedding a hardware address The security and privacy implications of embedding a hardware address
skipping to change at page 3, line 21 skipping to change at page 3, line 4
typically embeds a hardware address (e.g., an IEEE LAN MAC address). typically embeds a hardware address (e.g., an IEEE LAN MAC address).
The security and privacy implications of embedding a hardware address The security and privacy implications of embedding a hardware address
in an IPv6 Interface ID have been known for some time now, and are in an IPv6 Interface ID have been known for some time now, and are
discussed in great detail in discussed in great detail in
[I-D.ietf-6man-ipv6-address-generation-privacy]; they include: [I-D.ietf-6man-ipv6-address-generation-privacy]; they include:
o Network activity correlation o Network activity correlation
o Location tracking o Location tracking
o Address scanning o Address scanning
o Device-specific vulnerability exploitation o Device-specific vulnerability exploitation
Some popular IPv6 implementations have already deviated from the Some popular IPv6 implementations have already deviated from the
traditional stable IID generation scheme to mitigate the traditional stable IID generation scheme to mitigate the
aforementioned security and privacy implications [Microsoft]. aforementioned security and privacy implications [Microsoft].
As a result of the aforementioned issues, this document recommends As a result of the aforementioned issues, this document recommends
the implementation of an alternative scheme the implementation of an alternative scheme ([RFC7217]) as the
([I-D.ietf-6man-stable-privacy-addresses]) as the default stable default stable Interface-ID generation scheme, such that the
Interface-ID generation scheme, such that the aforementioned issues aforementioned issues are mitigated.
are mitigated.
NOTE: [RFC4291] defines the "Modified EUI-64 format" for Interface NOTE: [RFC4291] defines the "Modified EUI-64 format" for Interface
identifiers. Appendix A of [RFC4291] then describes how to transform identifiers. Appendix A of [RFC4291] then describes how to transform
an IEEE EUI-64 identifier, or an IEEE 802 48-bit MAC address from an IEEE EUI-64 identifier, or an IEEE 802 48-bit MAC address from
which an EUI-64 identifier is derived, into an interface identifier which an EUI-64 identifier is derived, into an interface identifier
in the Modified EUI-64 format. in the Modified EUI-64 format.
2. Terminology 2. Terminology
Stable address: Stable address:
skipping to change at page 5, line 10 skipping to change at page 3, line 38
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
3. Generation of IPv6 Interface Identifiers 3. Generation of IPv6 Interface Identifiers
Nodes SHOULD NOT employ IPv6 address generation schemes that embed Nodes SHOULD NOT employ IPv6 address generation schemes that embed
the underlying hardware address in the Interface Identifier. Namely, the underlying hardware address in the Interface Identifier. Namely,
nodes SHOULD NOT generate Interface Identifiers with the schemes nodes SHOULD NOT generate Interface Identifiers with the schemes
specified in [RFC2464], [RFC2467], and [RFC2470]. specified in [RFC2464], [RFC2467], [RFC2470], [RFC2491], [RFC2492],
[RFC2497], [RFC2590], [RFC3146], [RFC3572], [RFC4338], [RFC4391],
[RFC5121], and [RFC5072].
Nodes SHOULD implement and employ Nodes SHOULD implement and employ [RFC7217] as the default scheme for
[I-D.ietf-6man-stable-privacy-addresses] as the default scheme for
generating stable IPv6 addresses with SLAAC. generating stable IPv6 addresses with SLAAC.
4. IANA Considerations Future specifications SHOULD NOT specify IPv6 address generation
schemes that embed the underlying hardware address in the Interface
Identifier.
4. Future Work
At the time of this writing, the mechanisms specified in the
following documents are not compatible with the recommendations in
this document:
o RFC 6282 [RFC6282]
o RFC 4944 [RFC4944]
o RFC 6755 [RFC6775]
It is expected that that future revisions or updates of these
documents will address the aforementioned issues such that the
requirements in this documents can be enforced.
5. IANA Considerations
There are no IANA registries within this document. The RFC-Editor There are no IANA registries within this document. The RFC-Editor
can remove this section before publication of this document as an can remove this section before publication of this document as an
RFC. RFC.
5. Security Considerations 6. Security Considerations
This document recommends [I-D.ietf-6man-stable-privacy-addresses] as This document recommends [RFC7217] as the default scheme for
the default scheme for generating IPv6 stable addresses with SLAAC, generating IPv6 stable addresses with SLAAC, such that the security
such that the security and privacy issues of Interface IDs that embed and privacy issues of Interface IDs that embed hardware addresses are
hardware addresses are mitigated. mitigated.
6. Acknowledgements 7. Acknowledgements
The authors would like to thank (in alphabetical order) Fred Baker, The authors would like to thank Erik Nordmark and Ray Hunter for
Scott Brim, Brian Carpenter, Tim Chown, Lorenzo Colitti, Jean-Michel providing a detailed review of this document.
Combes, Greg Daley, Ralph Droms, David Farmer, Brian Haberman, Bob
Hinden, Jahangir Hossain, Ray Hunter, Sheng Jiang, Roger Jorgensen,
Dan Luedtke, George Mitchel, Erik Nordmark, Simon Perreault, Tom
Petch, Alexandru Petrescu, Michael Richardson, Arturo Servin, Mark
Smith, Tom Taylor, Ole Troan, and Tina Tsou, for providing valuable
comments on earlier versions of this document.
Fernando Gont would like to thank Ray Hunter for providing valuable The authors would like to thank (in alphabetical order) Fred Baker,
input on this topic. Scott Brim, Brian Carpenter, Samita Chakrabarti, Tim Chown, Lorenzo
Colitti, Jean-Michel Combes, Greg Daley, Esko Dijk, Ralph Droms,
David Farmer, Brian Haberman, Ulrich Herberg, Bob Hinden, Jahangir
Hossain, Jonathan Hui, Ray Hunter, Sheng Jiang, Roger Jorgensen, Dan
Luedtke, George Mitchel, Erik Nordmark, Simon Perreault, Tom Petch,
Alexandru Petrescu, Michael Richardson, Arturo Servin, Mark Smith,
Tom Taylor, Ole Troan, Tina Tsou, and Randy Turner, for providing
valuable comments on earlier versions of this document.
7. References 8. References
7.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998. (IPv6) Specification", RFC 2460, December 1998.
[RFC2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet [RFC2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet
Networks", RFC 2464, December 1998. Networks", RFC 2464, December 1998.
[RFC2467] Crawford, M., "Transmission of IPv6 Packets over FDDI [RFC2467] Crawford, M., "Transmission of IPv6 Packets over FDDI
Networks", RFC 2467, December 1998. Networks", RFC 2467, December 1998.
[RFC2470] Crawford, M., Narten, T., and S. Thomas, "Transmission of [RFC2470] Crawford, M., Narten, T., and S. Thomas, "Transmission of
IPv6 Packets over Token Ring Networks", RFC 2470, IPv6 Packets over Token Ring Networks", RFC 2470, December
December 1998. 1998.
[RFC2492] Armitage, G., Schulter, P., and M. Jork, "IPv6 over ATM
Networks", RFC 2492, January 1999.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006. Architecture", RFC 4291, February 2006.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, September 2007. Address Autoconfiguration", RFC 4862, September 2007.
[I-D.ietf-6man-stable-privacy-addresses] [RFC7217] Gont, F., "A Method for Generating Semantically Opaque
Gont, F., "A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address Interface Identifiers with IPv6 Stateless Address
Autoconfiguration (SLAAC)", Autoconfiguration (SLAAC)", RFC 7217, April 2014.
draft-ietf-6man-stable-privacy-addresses-16 (work in
progress), December 2013.
7.2. Informative References [RFC2491] Armitage, G., Schulter, P., Jork, M., and G. Harter, "IPv6
over Non-Broadcast Multiple Access (NBMA) networks", RFC
2491, January 1999.
[RFC2497] Souvatzis, I., "Transmission of IPv6 Packets over ARCnet
Networks", RFC 2497, January 1999.
[RFC2590] Conta, A., Malis, A., and M. Mueller, "Transmission of
IPv6 Packets over Frame Relay Networks Specification", RFC
2590, May 1999.
[RFC3146] Fujisawa, K. and A. Onoe, "Transmission of IPv6 Packets
over IEEE 1394 Networks", RFC 3146, October 2001.
[RFC3572] Ogura, T., Maruyama, M., and T. Yoshida, "Internet
Protocol Version 6 over MAPOS (Multiple Access Protocol
Over SONET/SDH)", RFC 3572, July 2003.
[RFC4338] DeSanti, C., Carlson, C., and R. Nixon, "Transmission of
IPv6, IPv4, and Address Resolution Protocol (ARP) Packets
over Fibre Channel", RFC 4338, January 2006.
[RFC4391] Chu, J. and V. Kashyap, "Transmission of IP over
InfiniBand (IPoIB)", RFC 4391, April 2006.
[RFC5121] Patil, B., Xia, F., Sarikaya, B., Choi, JH., and S.
Madanapalli, "Transmission of IPv6 via the IPv6
Convergence Sublayer over IEEE 802.16 Networks", RFC 5121,
February 2008.
[RFC5072] Varada, S., Haskins, D., and E. Allen, "IP Version 6 over
PPP", RFC 5072, September 2007.
[RFC6282] Hui, J. and P. Thubert, "Compression Format for IPv6
Datagrams over IEEE 802.15.4-Based Networks", RFC 6282,
September 2011.
[RFC4944] Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler,
"Transmission of IPv6 Packets over IEEE 802.15.4
Networks", RFC 4944, September 2007.
[RFC6775] Shelby, Z., Chakrabarti, S., Nordmark, E., and C. Bormann,
"Neighbor Discovery Optimization for IPv6 over Low-Power
Wireless Personal Area Networks (6LoWPANs)", RFC 6775,
November 2012.
8.2. Informative References
[I-D.ietf-6man-ipv6-address-generation-privacy] [I-D.ietf-6man-ipv6-address-generation-privacy]
Cooper, A., Gont, F., and D. Thaler, "Privacy Cooper, A., Gont, F., and D. Thaler, "Privacy
Considerations for IPv6 Address Generation Mechanisms", Considerations for IPv6 Address Generation Mechanisms",
draft-ietf-6man-ipv6-address-generation-privacy-00 (work draft-ietf-6man-ipv6-address-generation-privacy-01 (work
in progress), October 2013. in progress), February 2014.
[Microsoft] [Microsoft]
Davies, J., "Understanding IPv6, 3rd. ed", page 83, Davies, J., "Understanding IPv6, 3rd. ed", page 83,
Microsoft Press, 2012, <http://it-ebooks.info/book/1022/>. Microsoft Press, 2012, <http://it-ebooks.info/book/1022/>.
Authors' Addresses Authors' Addresses
Fernando Gont Fernando Gont
SI6 Networks / UTN-FRH SI6 Networks / UTN-FRH
Evaristo Carriego 2644 Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706 Haedo, Provincia de Buenos Aires 1706
Argentina Argentina
 End of changes. 25 change blocks. 
71 lines changed or deleted 142 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/