rfc3041.txt

最新的RFC

Network Working Group                                          T. Narten
Request for Comments: 3041                                           IBM
Category: Standards Track                                      R. Draves
                                                      Microsoft Research
                                                            January 2001


   Privacy Extensions for Stateless Address Autoconfiguration in IPv6

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   Nodes use IPv6 stateless address autoconfiguration to generate
   addresses without the necessity of a Dynamic Host Configuration
   Protocol (DHCP) server.  Addresses are formed by combining network
   prefixes with an interface identifier.  On interfaces that contain
   embedded IEEE Identifiers, the interface identifier is typically
   derived from it.  On other interface types, the interface identifier
   is generated through other means, for example, via random number
   generation.  This document describes an extension to IPv6 stateless
   address autoconfiguration for interfaces whose interface identifier
   is derived from an IEEE identifier.  Use of the extension causes
   nodes to generate global-scope addresses from interface identifiers
   that change over time, even in cases where the interface contains an
   embedded IEEE identifier.  Changing the interface identifier (and the
   global-scope addresses generated from it) over time makes it more
   difficult for eavesdroppers and other information collectors to
   identify when different addresses used in different transactions
   actually correspond to the same node.











Narten & Draves             Standards Track                     [Page 1]

RFC 3041      Extensions to IPv6 Address Autoconfiguration  January 2001


Table of Contents

   1.  Introduction.............................................    2
   2.  Background...............................................    3
      2.1.  Extended Use of the Same Identifier.................    3
      2.2.  Address Usage in IPv4 Today.........................    4
      2.3.  The Concern With IPv6 Addresses.....................    5
      2.4.  Possible Approaches.................................    6
   3.  Protocol Description.....................................    7
      3.1.  Assumptions.........................................    8
      3.2.  Generation Of Randomized Interface Identifiers......    9
      3.3.  Generating Temporary Addresses......................   10
      3.4.  Expiration of Temporary Addresses...................   11
      3.5.  Regeneration of Randomized Interface Identifiers....   12
   4.  Implications of Changing Interface Identifiers...........   13
   5.  Defined Constants........................................   14
   6.  Future Work..............................................   14
   7.  Security Considerations..................................   15
   8.  Acknowledgments..........................................   15
   9.  References...............................................   15
   10. Authors' Addresses.......................................   16
   11. Full Copyright Statement.................................   17

1.  Introduction

   Stateless address autoconfiguration [ADDRCONF] defines how an IPv6
   node generates addresses without the need for a DHCP server.  Some
   types of network interfaces come with an embedded IEEE Identifier
   (i.e., a link-layer MAC address), and in those cases stateless
   address autoconfiguration uses the IEEE identifier to generate a 64-
   bit interface identifier [ADDRARCH].  By design, the interface
   identifier is likely to be globally unique when generated in this
   fashion.  The interface identifier is in turn appended to a prefix to
   form a 128-bit IPv6 address.

   All nodes combine interface identifiers (whether derived from an IEEE
   identifier or generated through some other technique) with the
   reserved link-local prefix to generate link-local addresses for their
   attached interfaces.  Additional addresses, including site-local and
   global-scope addresses, are then created by combining prefixes
   advertised in Router Advertisements via Neighbor Discovery
   [DISCOVERY] with the interface identifier.

   Not all nodes and interfaces contain IEEE identifiers.  In such
   cases, an interface identifier is generated through some other means
   (e.g., at random), and the resultant interface identifier is not
   globally unique and may also change over time.  The focus of this
   document is on addresses derived from IEEE identifiers, as the



Narten & Draves             Standards Track                     [Page 2]

RFC 3041      Extensions to IPv6 Address Autoconfiguration  January 2001


   concern being addressed exists only in those cases where the
   interface identifier is globally unique and non-changing.  The rest
   of this document assumes that IEEE identifiers are being used, but
   the techniques described may also apply to interfaces with other
   types of globally unique and/or persistent identifiers.

   This document discusses concerns associated with the embedding of
   non-changing interface identifiers within IPv6 addresses and
   describes extensions to stateless address autoconfiguration that can
   help mitigate those concerns for individual users and in environments
   where such concerns are significant.  Section 2 provides background
   information on the issue.  Section 3 describes a procedure for
   generating alternate interface identifiers and global-scope
   addresses.  Section 4 discusses implications of changing interface
   identifiers.

2.  Background

   This section discusses the problem in more detail, provides context
   for evaluating the significance of the concerns in specific
   environments and makes comparisons with existing practices.

2.1.  Extended Use of the Same Identifier

   The use of a non-changing interface identifier to form addresses is a
   specific instance of the more general case where a constant
   identifier is reused over an extended period of time and in multiple
   independent activities.  Anytime the same identifier is used in
   multiple contexts, it becomes possible for that identifier to be used
   to correlate seemingly unrelated activity.  For example, a network
   sniffer placed strategically on a link across which all traffic
   to/from a particular host crosses could keep track of which
   destinations a node communicated with and at what times.  Such
   information can in some cases be used to infer things, such as what
   hours an employee was active, when someone is at home, etc.

   One of the requirements for correlating seemingly unrelated
   activities is the use (and reuse) of an identifier that is
   recognizable over time within different contexts.  IP addresses
   provide one obvious example, but there are more.  Many nodes also
   have DNS names associated with their addresses, in which case the DNS
   name serves as a similar identifier.  Although the DNS name
   associated with an address is more work to obtain (it may require a
   DNS query) the information is often readily available.  In such
   cases, changing the address on a machine over time would do little to
   address the concerns raised in this document, unless the DNS name is
   changed as well (see Section 4).




Narten & Draves             Standards Track                     [Page 3]

RFC 3041      Extensions to IPv6 Address Autoconfiguration  January 2001


   Web browsers and servers typically exchange "cookies" with each other
   [COOKIES].  Cookies allow web servers to correlate a current activity
   with a previous activity.  One common usage is to send back targeted
   advertising to a user by using the cookie supplied by the browser to
   identify what earlier queries had been made (e.g., for what type of
   information).  Based on the earlier queries, advertisements can be
   targeted to match the (assumed) interests of the end-user.

   The use of a constant identifier within an address is of special
   concern because addresses are a fundamental requirement of
   communication and cannot easily be hidden from eavesdroppers and
   other parties.  Even when higher layers encrypt their payloads,
   addresses in packet headers appear in the clear.  Consequently, if a
   mobile host (e.g., laptop) accessed the network from several
   different locations, an eavesdropper might be able to track the
   movement of that mobile host from place to place, even if the upper
   layer payloads were encrypted [SERIALNUM].

2.2.  Address Usage in IPv4 Today

   Addresses used in today's Internet are often non-changing in practice
   for extended periods of time, especially in non-home environments
   (e.g., corporations, campuses, etc.).  In such sites, addresses are
   assigned statically and typically change infrequently.  Over the last
   few years, sites have begun moving away from static allocation to
   dynamic allocation via DHCP [DHCP].  In theory, the address a client
   gets via DHCP can change over time, but in practice servers often
   return the same address to the same client (unless addresses are in
   such short supply that they are reused immediately by a different
   node when they become free).  Thus, even within sites using DHCP,
   clients frequently end up using the same address for weeks to months
   at a time.

   For home users accessing the Internet over dialup lines, the
   situation is generally different.  Such users do not have permanent
   connections and are often assigned temporary addresses each time they
   connect to their ISP (e.g., AOL).  Consequently, the addresses they
   use change frequently over time and are shared among a number of
   different users.  Thus, an address does not reliably identify a
   particular device over time spans of more than a few minutes.

   A more interesting case concerns always-on connections (e.g., cable
   modems, ISDN, DSL, etc.) that result in a home site using the same
   address for extended periods of time.  This is a scenario that is
   just starting to become common in IPv4 and promises to become more of
   a concern as always-on internet connectivity becomes widely
   available.  Although it might appear that changing an address
   regularly in such environments would be desirable to lessen privacy



Narten & Draves             Standards Track                     [Page 4]

RFC 3041      Extensions to IPv6 Address Autoconfiguration  January 2001


   concerns, it should be noted that the network prefix portion of an
   address also serves as a constant identifier.  All nodes at (say) a
   home, would have the same network prefix, which identifies the
   topological location of those nodes.  This has implications for
   privacy, though not at the same granularity as the concern that this
   document addresses.  Specifically, all nodes within a home would be
   grouped together for the purposes of collecting information.  This
   issue is difficult to address, because the routing prefix part of an
   address contains topology information and cannot contain arbitrary
   values.

   Finally, it should be noted that nodes that need a (non-changing) DNS
   name generally have static addresses assigned to them to simplify the
   configuration of DNS servers.  Although Dynamic DNS [DDNS] can be
   used to update the DNS dynamically, it is not yet widely deployed.
   In addition, changing an address but keeping the same DNS name does
   not really address the underlying concern, since the DNS name becomes
   a non-changing identifier.  Servers generally require a DNS name (so
   clients can connect to them), and clients often do as well (e.g.,
   some servers refuse to speak to a client whose address cannot be
   mapped into a DNS name that also maps back into the same address).
   Section 4 describes one approach to this issue.

2.3.  The Concern With IPv6 Addresses

   The division of IPv6 addresses into distinct topology and interface
   identifier portions raises an issue new to IPv6 in that a fixed
   portion of an IPv6 address (i.e., the interface identifier) can
   contain an identifier that remains constant even when the topology
   portion of an address changes (e.g., as the result of connecting to a
   different part of the Internet).  In IPv4, when an address changes,
   the entire address (including the local part of the address) usually
   changes.  It is this new issue that this document addresses.

   If addresses are generated from an interface identifier, a home
   user's address could contain an interface identifier that remains the
   same from one dialup session to the next, even if the rest of the
   address changes.  The way PPP is used today, however, PPP servers
   typically unilaterally inform the client what address they are to use
   (i.e., the client doesn't generate one on its own).  This practice,
   if continued in IPv6, would avoid the concerns that are the focus of
   this document.

   A more troubling case concerns mobile devices (e.g., laptops, PDAs,
   etc.) that move topologically within the Internet.  Whenever they
   move (in the absence of technology such as mobile IP [MOBILEIP]),
   they form new addresses for their current topological point of
   attachment.  This is typified today by the "road warrior" who has



Narten & Draves             Standards Track                     [Page 5]

RFC 3041      Extensions to IPv6 Address Autoconfiguration  January 2001


   Internet connectivity both at home and at the office.  While the
   node's address changes as it moves, however, the interface identifier
   contained within the address remains the same (when derived from an
   IEEE Identifier).  In such cases, the interface identifier can be
   used to track the movement and usage of a particular machine
   [SERIALNUM].  For example, a server that logs usage information
   together with a source addresses, is also recording the interface
   identifier since it is embedded within an address.  Consequently, any
   data-mining technique that correlates activity based on addresses
   could easily be extended to do the same using the interface
   identifier.  This is of particular concern with the expected
   proliferation of next-generation network-connected devices (e.g.,
   PDAs, cell phones, etc.) in which large numbers of devices are in
   practice associated with individual users (i.e., not shared).  Thus,
   the interface identifier embedded within an address could be used to
   track activities of an individual, even as they move topologically
   within the internet.

   In summary, IPv6 addresses on a given interface generated via
   Stateless Autoconfiguration contain the same interface identifier,
   regardless of where within the Internet the device connects.  This
   facilitates the tracking of individual devices (and thus potentially
   users).  The purpose of this document is to define mechanisms that
   eliminate this issue, in those situations where it is a concern.

2.4.  Possible Approaches

   One way to avoid some of the problems discussed above is to use DHCP
   for obtaining addresses.  With DHCP, the DHCP server could arrange to
   hand out addresses that change over time.

   Another approach, compatible with the stateless address
   autoconfiguration architecture, would be to change the interface id