Re: [STDS-802-Privacy] 802c - Local address management presentation

Thread Links	Date Links
Thread Prev	Thread Next	Thread Index	Date Prev	Date Next	Date Index

Dan

How does a local administrator control whether devices assign themselves random addresses? There is no mechanism defined for a network to tell a device it doesn’t accept random addresses. If a network could disable random address use, then it would bypass the effectiveness of random addresses for privacy.

Your proposal conflicts with local address administration use of the space because it provides no separation between the random address use and locally administered use. You need to show how that is compatible.

Sincerely,

Pat

From: Dan Harkins [mailto:dharkins@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, October 28, 2014 12:40 PM
To: Pat Thaler; STDS-802-PRIVACY@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-802-Privacy] 802c - Local address management presentation

Hi Pat,

The thing is I'm not "glomming onto the whole space." I'm not partitioning it and

I'm not assigning portions or reserving portions of it for some application. I'm

advocating that it just be left alone. I'm advocating that the 802c PAR not be

approved and we are left with the status quo— a space of 2^46 addresses that

do not have global uniqueness, that are not reserved for any particular purpose,

and whose use is up to the local administrator.

You want to partition it and allocate portions of it so I think it's you that needs to

make a compelling case (i.e. clear the bar) to do that.

regards,

Dan.

On 10/28/14 12:20 PM, "Pat Thaler" <pthaler@xxxxxxxxxxxx> wrote:

Dan,

You talk about it like random address assignment using the whole space is already an established standard that has been vetted and is being displaced. There has been no broad discussion of your random address proposal in IEEE 802. There are valid concerns with it. I’ve raised some and seen no response to them.

· Conflict with existing use for assignments by a local administrator.

· Duplicate address detection – not currently specified how to do it and there are technical feasibility issues (e.g. networks where nodes don’t receive frames from all other nodes) – relying on low probability of conflict is not enough.

If there is a high bar for using part of the local address space to address a broad market, there is an even higher bar for glomming onto the whole space.

Sincerely,

Pat

From: Roger Marks [mailto:r.b.marks@xxxxxxxx]
Sent: Thursday, October 23, 2014 4:51 PM
To: STDS-802-PRIVACY@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-802-Privacy] 802c - Local address management presentation
Dan,

I'm hopeful that we'll have a better understanding of the intention of 802c after the meeting that (it seems) will happen the night of Nov 3.

I think that we need to work toward a common understanding and see if it's possible to find a way to reach an agreement.

Roger

Dan Harkins wrote:

Hi Roger,

It would help if Pat provided some reasonable justification for wanting those 2 bits,

which reduces the amount of available addresses by 75%.

Regardless of whether we think it's a good idea or not, there are today public wi-fi

deployments that have gotten over 30,000 simultaneous associations. I'm not sure

how much bigger they could get before they need the relief of a router somewhere

but I have no reason to think that is a hard limit (I'm not advocating anyone build

large flat networks, only pessimistically noting that it is done today and there is no

reason to believe it won't be done tomorrow). With 32k STAs we get this probability

of collision:

- 2^46 addresses: 0.00000762, or about 1:131076

- 2^44 addresses: 0.0000305, or about 1:32769

That's getting uncomfortably close and it's already with networks we see today, this

isn't hypothetical. The impact of a collision on a network is bad. Connectivity is lost and

there's thrashing on the switched network. And it's the vendor of the wi-fi infrastructure

that gets blamed whenever there are problems on the network. (Note: I work for a wi-fi

infrastructure vendor).

I think Pat has a high bar to clear to justify reducing the available address space and

so far she hasn't even made an attempt.

regards,

Dan.

On 10/23/14 3:23 PM, "Roger Marks" <r.b.marks@xxxxxxxx> wrote:
It certainly helps to have a lot of bits. But Pat is talking about providing 44, rather than 46, for this kind of usage. That increases the collision probability by a factor of about 4. It would help to see some analysis that would help to clarify the significance of that change.

Roger

Christian Huitema wrote:

I am very skeptical of the “24+24” approach.

One of the major privacy cases is “Wi-Fi scanning.” When not connected, the smart phone in your pocket will send a set of “probes” every few minutes – depending on the system, we see values like every 1, 2 or 5 minutes. These probe messages carry the MAC address, and if an access point is present it will respond, allowing the smart phone to discover potential connectivity. These probes are a major target of various monitoring system, and indeed one of the first “privacy bug” that we have to fix, and the obvious fix is to use a randomized MAC address when scanning. However, when scanning, there is no option whatsoever to perform duplicate address detection. There is no active connection. The phone is probing all available radio channels, but will only listen briefly on each channel, just enough to receive an access point response to the probe if it is present.

We know that if there is no explicit duplicate address detection, the birthday paradox applies. It clearly will apply to the scanning case, and there is a strong case to use all 46 available bits to construct a random scanning address.

Even in the connected case, I have a hard time figuring out how duplicate address detection might work. The average phone will go to sleep at the first opportunity, to save battery. At that point, it is not really listening to the radio, and cannot respond to a duplicate address detection request. That means that a “distributed” duplicate address detection is probably not going to be very reliable. I would much prefer rely on 46 bits and probabilities!

From: Pat Thaler [mailto:pthaler@xxxxxxxxxxxx]
Sent: Wednesday, October 22, 2014 6:11 PM
To: STDS-802-PRIVACY@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-802-Privacy] 802c - Local address management presentation

See below for my responses bracketed by my initials: pat

From: Paul Nikolich [mailto:paul.nikolich@xxxxxxx]
Sent: Wednesday, October 22, 2014 2:11 PM
To: Pat Thaler
Subject: Fw: Re: [STDS-802-Privacy] 802c - Local address management presentation

Pat, fyi in case you're not on this mailing list. This just came in. --Paul

------ Forwarded Message ------

From: "Rene Struik" <rstruik.ext@xxxxxxxxx>

To: STDS-802-PRIVACY@xxxxxxxxxxxxxxxxx

Sent: 10/22/2014 5:06:59 PM

Subject: Re: [STDS-802-Privacy] 802c - Local address management presentation
Hi Juan Carlos:

Thanks for providing the link.

I had a brief look at the presentation by Pat Thaler (first weblink below):
1) Slide 5:
Somehow, I still do not understand the need for partitioning of the address space, where part is for "local administration". This seems to be the crux of the 24/24 address partitioning debate triggered by the 802.c PAR, so important to understand better. What is the concern/use case that I am missing?

[pat] In some environments such as a data center, some addresses may be configured by an administrator. This was the initial use envisioned for local MAC addresses. Many 802.5 nodes used configured local addresses). Some DEC devices Such nodes generally don’t “know” that their address is configured. They are just using what was set in their address register. They won’t be participating in any address acquisition protocol so they won’t participate in a duplicate address check and they have no ability to change addresses if there is a duplicate.

This kind of use has been allowed since the beginning of IEEE 802 and we need to allow for it to continue. It would be nice for administrators going forward to be able to know what address range to use without conflicting with other newer ways to get addresses.

Also, some data centers can have a large number of entities on the network. Virtualization and cloud increases this number quite a lot. An address acquisition protocol such as distribution of address by a hypervisor orchestration system might have a default block in the CID space, but for cases where 2^24 addresses aren’t enough additional space might be assigned from the local administration block by the administrator to the orchestration system. [pat]

2) Slide 12:
Pseudo-random address generation with 24 bits of freedom easily leads to clashes well before ~1000 devices (due to the so-called birthday paradox);

[pat] In an address claiming protocol (i.e. a protocol where a device randomly generates part of the address and then checks for duplicates before using), the birthday paradox doesn’t matter. When a device needs an address, it sends a claim frame to see if the address is in use. If the address is in use, it will get a response to its claim, choose another address and repeat the process. So yes, the birthday paradox says that one or even a few may need to try more than once.

For 1000 devices and 24 bits, there is about a probability of 3% that at least one of the devices fails to get a unique address on the first try. The important thing is that At that point one has ~999 devices that have successfully chosen an address.

The device that failed (or perhaps in a very unlucky case 2 or 3 devices) will repeat the process of generating a new address. It has a probability of less than 0.006% that the second attempt fails.

If making 2 or 3 attempts is unacceptable in a particular application or if you want unique addresses for a stadium full of people, then use an server-based protocol instead of a claiming protocol. [pat]

Partitioning of address space accross multiple servers, with pre-assigned ranges, seems wasteful, since in practice the requirements per server may not be the same.

[pat] The 2^24 blocks are intended to be per protocol. The protocol would use that as its default block in all its deployments. There might be multiple servers on a given network. For instance, in the FCoE server-based case, each Fibre Channel Forwarder (the FC switch protocol running as layer 3 over 802.1Q bridges) is a server and the block is divided amongst the servers.

There are 16 million addresses available in a CID block for a server based protocol so that should provide plenty for dividing amongst the servers. But if there is a concern about having enough addresses, a protocol doesn’t have to allocate a fixed range to each server. A protocol could run between servers with each server requesting the quantity of addresses it initially needs. [pat]

Overall, it is hard to see what the downside would be to having pseudo-random addresses of 48 (well: 46 bits) in the sketched scenario, except perhaps for network segregation. If address generation is local (ethernet in cars, etc.) and messaging would use authentication, one does not need to worry about this segregation issue. Moreover, (as Dan Harkins already pointed out before), the probability of clashes is quite low with 46 bits of freedom for pseudo-random address generation. One can implement DAD or use server-allocation addresses (Slide 15) to mitigate potential clashes, should these still occur.

[pat] The downside is that occasional clashes will occur. A pseudo-random address scheme using the whole local address space assumes that all devices and all servers participate in duplicate address detection to identify and resolve the duplicate addresses. Duplicate address detection also assumes that all devices can see all other devices or at least see something that will proxy for addresses on the network that it can’t see. If that isn’t the case, duplicate addresses can go undetected.

There isn’t a universal duplicate address detection protocol. As I’ve mentioned above and before, devices using administrator configured local addresses (devices that already exist) won’t be participating in a duplicate address detection protocol. Nor will the existing VMs with local addresses assigned by a virtualization orchestration system.

Partitioning allows each protocol to use a duplicate address detection that is appropriate for the protocol while not conflicting with other protocols. [pat]

3) Slide 17:
Not sure whether one does not need a unique id for IoT devices. In many settings, one may want this, e.g., for white listing and configuration purposes. This does not have to be a burned in address at manufacturing, since recoverability hereof by the device, e.g., at start-up, does suffice. So, even if one has a unique id, this does not necessarily result in increased manufacturing cost.

[pat] I expect that some but not all devices using local addresses will need a unique ID – in some cases an EUI-64. In any case, that was a minor point. [pat]

Best regards, Rene

On 10/22/2014 3:02 PM, Zuniga, Juan Carlos wrote:

Hi all,

During our call Rene asked for a link to a presentation describing the reasoning behind the 802c PAR.

Here is a link to the latest 802c presentation that I’m aware of, which was presented by Pat Thaler at the last IAB/IESG (IETF) – IEEE 802 F2F coordination meeting on Sep 29:

http://www.iab.org/wp-content/IAB-uploads/2013/01/new-addresses-thaler-local-address-acquisition-0914-v1.pdf

The rest of the presentations from the meeting can be found here:

http://www.iab.org/activities/joint-activities/iab-ieee-coordination/

Regards,

Juan Carlos
-- 
email: rstruik.ext@xxxxxxxxx | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363