<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"[ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- used by XSLT processors --> <!-- OPTIONS, known as processing instructions (PIs) go here. --> <?rfc toc="yes" ?> <?rfc tocdepth="2" ?> <?rfc symrefs="yes" ?> <?rfc strict="no" ?><rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IRTF" category="info" consensus="true" docName="draft-irtf-pearg-numeric-ids-generation-12" number="9415" ipr="trust200902"submissionType="IRTF">obsoletes="" updates="" xml:lang="en" tocInclude="true" tocDepth="2" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.15.3 --> <front> <title abbrev="Generation of Transient Numeric IDs">On the Generation of Transient Numeric Identifiers</title> <seriesInfo name="RFC" value="9415"/> <author fullname="Fernando Gont" initials="F." surname="Gont"> <organization abbrev="SI6 Networks">SI6 Networks</organization> <address> <postal> <street>Segurola y Habana 4310 7mo piso</street> <city>Ciudad Autonoma de Buenos Aires</city><region>Buenos Aires</region><country>Argentina</country> </postal><!-- <phone>+54 11 4650 8472</phone> --><email>fgont@si6networks.com</email> <uri>https://www.si6networks.com</uri> </address> </author> <author fullname="Ivan Arce" initials="I." surname="Arce"> <organization abbrev="Quarkslab">Quarkslab</organization> <address> <postal> <street>Segurola y Habana 4310 7mo piso</street> <city>Ciudad Autonoma de Buenos Aires</city><region>Buenos Aires</region><country>Argentina</country> </postal> <email>iarce@quarkslab.com</email> <uri>https://www.quarkslab.com</uri> </address> </author><date/> <workgroup>Internet Research Task Force (IRTF)</workgroup> <!-- <area>Internet</area> <workgroup>Dynamic Host Configuration (dhc)</workgroup> --> <!-- <area/> --> <!-- <workgroup/> --><date year="2023" month="July"/> <workgroup>Privacy Enhancements and Assessments</workgroup> <keyword>security</keyword> <keyword>vulnerability</keyword> <keyword>algorithm</keyword> <keyword>attack</keyword> <keyword>fingerprinting</keyword> <abstract> <t> This document performs an analysis of the security and privacy implications of different types of "transient numeric identifiers" used in IETFprotocols,protocols and tries to categorize them based on their interoperability requirements and their associated failure severity when such requirements are not met. Subsequently, it provides advice on possible algorithms that could be employed to satisfy the interoperability requirements of each identifiercategory,category while minimizing the negative security and privacy implications, thus providing guidance to protocol designers and protocol implementers. Finally, it describes a number of algorithms that have been employed in real implementations to generate transient numericidentifiers,identifiers and analyzes their security and privacy properties. This document is a product of the PrivacyEnhancementEnhancements andAssessmentAssessments Research Group (PEARG) in the IRTF. </t> </abstract> </front> <middle> <sectiontitle="Introduction" anchor="intro"> <t>Networkinganchor="intro" numbered="true" toc="default"> <name>Introduction</name> <t> Networking protocols employ a variety of transient numeric identifiers for different protocol objects, such as IPv4 and IPv6Fragment IdentifiersIdentification values <xreftarget="RFC0791"/>target="RFC0791" format="default"/> <xreftarget="RFC8200"/>,target="RFC8200" format="default"/>, IPv6 Interface Identifiers (IIDs) <xreftarget="RFC4291"/>, transport protocoltarget="RFC4291" format="default"/>, transport-protocol ephemeral port numbers <xreftarget="RFC6056"/>,target="RFC6056" format="default"/>, TCP Initial Sequence Numbers (ISNs) <xreftarget="RFC0793"/>, and DNS Querytarget="RFC9293" format="default"/>, NTP Reference IDs (REFIDs) <xreftarget="RFC1035"/>.<!-- Network protocols employ a variety of transient numeric identifiers for different protocol entities, ranging fromtarget="RFC5905" format="default"/>, and DNSTransactionIDs(TxIDs) to transport protocol ephemeral ports (e.g. TCP ephemeral ports) or IPv6 Interface Identifiers (IIDs).--><xref target="RFC1035" format="default"/>. These identifiersusuallytypically have specificinteroperabilityrequirements(e.g.(e.g., uniqueness during a specified period of time) that must be satisfied such that they do not result in negative interoperabilityimplications,implications and an associated failure severity when such requirements are notmet, ranging from softmet.</t> <aside> <t>NOTE: Some documents refer tohard failures. </t>the DNS ID as the DNS "Query ID" or "TxID".</t> </aside> <t>For more than 30 years, a large number of implementations of IETF protocols have been subject to a variety of attacks, with effects ranging from Denial of Service (DoS) or datainjection,injection to information leakages that could be exploited for pervasive monitoring <xreftarget="RFC7258"/>.target="RFC7258" format="default"/>. The root cause of these issues has been, in many cases, the poor selection of transient numeric identifiers in such protocols, usually as a result of insufficient or misleading specifications. While it is generally trivial to identify an algorithm that can satisfy the interoperability requirements of a given transient numeric identifier, empirical evidence exists that doing so without negatively affecting the security and/or privacy properties of the aforementioned protocols is prone to error <xreftarget="I-D.irtf-pearg-numeric-ids-history"/>.</t>target="RFC9414" format="default"/>.</t> <t>For example, implementations have been subject to security and/or privacy issues resultingfrom: <list style="symbols"> <t>Predictablefrom:</t> <ul spacing="normal"> <li>predictable IPv4 or IPv6Fragment Identifiers (see e.g.Identification values (e.g., see <xreftarget="Sanfilippo1998a"/>,target="Sanfilippo1998a" format="default"/>, <xreftarget="RFC6274"/>,target="RFC6274" format="default"/>, and <xreftarget="RFC7739"/>)</t> <t>Predictabletarget="RFC7739" format="default"/>),</li> <li>predictable IPv6 IIDs(see e.g.(e.g., see <xreftarget="RFC7721"/>,target="RFC7217" format="default"/>, <xreftarget="RFC7707"/>,target="RFC7707" format="default"/>, and <xreftarget="RFC7217"/>)</t> <t>Predictable transport protocoltarget="RFC7721" format="default"/>),</li> <li>predictable transport-protocol ephemeral port numbers(see e.g.(e.g., see <xreftarget="RFC6056"/>target="RFC6056" format="default"/> and <xreftarget="Silbersack2005"/>)</t> <t>Predictabletarget="Silbersack2005" format="default"/>),</li> <li>predictable TCP Initial Sequence Numbers (ISNs)(see e.g.(e.g., see <xreftarget="Morris1985"/>,target="Morris1985" format="default"/>, <xreftarget="Bellovin1989"/>,target="Bellovin1989" format="default"/>, and <xreftarget="RFC6528"/>)</t> <t>Predictabletarget="RFC6528" format="default"/>),</li> <li>predictable initial timestamps in TCP timestampsOptions (see e.g.options (e.g., see <xreftarget="TCPT-uptime"/>target="TCPT-uptime" format="default"/> and <xreftarget="RFC7323"/>)</t> <t>Predictabletarget="RFC7323" format="default"/>), and</li> <li>predictable DNSQueryIDs(see e.g.(see, e.g., <xreftarget="Schuba1993"/>target="Schuba1993" format="default"/> and <xreftarget="Klein2007"/>)</t> </list>target="Klein2007" format="default"/>).</li> </ul> <t> Recent history indicatesthatthat, when new protocols are standardized or new protocol implementations are produced, the security and privacy properties of the associated transient numeric identifiers tend to be overlooked, and inappropriate algorithms to generatetransient numericsuch identifiers are either suggested in the specifications or selected by implementers. As a result,it should be evident thatadvice in this area is warranted. </t> <t>We note that the use of cryptographic techniques may readily mitigate some of the issues arising from predictable transient numeric identifiers. For example, cryptographicintegrity andauthentication can readily mitigate data injection attacks even in the presence of predictable transient numeric identifiers (such as "sequence numbers"). However, use of flawed algorithms (such as global counters) for generating transient numeric identifiers could still result in information leakages even when cryptographic techniques are employed. </t> <t>This document contains a non-exhaustive survey of transient numeric identifiers employed in various IETFprotocols,protocols and aims to categorize such identifiers based on their interoperabilityrequirements,requirements and the associated failure severity when such requirements are not met. Subsequently, it provides advice on possible algorithms that could be employed to satisfy the interoperability requirements of eachcategory,category while minimizing negative security and privacy implications. Finally, it analyzes several algorithms that have been employed in real implementations to meet suchrequirements,requirements and analyzes their security and privacy properties. </t> <t>This document represents the consensus of the PrivacyEnhancementEnhancements andAssessmentAssessments Research Group (PEARG).</t><!-- [fgont] Quite esto, ya que hay mas secciones, y es medio en vano describi que hace cada seccion <t> <xref target="categorizing"/> categorizes identifiers in terms of their interoperability requirements and failure modes, such that possible algorithms for them can be discussed and analyzed. <xref target="timeline"/> provides a non-exhaustive timeline regarding vulnerability disclosures related to predictable identifiers. </t>--></section> <sectiontitle="Terminology" anchor="terminology"> <t> <list style="hanging"> <t hangText="Transientanchor="terminology" numbered="true" toc="default"> <name>Terminology</name> <dl newline="true" spacing="normal"> <dt>Transient NumericIdentifier:"> <vspace blankLines="0" />AIdentifier:</dt> <dd>A data object in a protocol specification that can be used to definitely distinguish a protocol object (a datagram, network interface,transport protocoltransport-protocol endpoint, session, etc.) from all other objects of the same type, in a given context. Transient numeric identifiers are usually defined as a series ofbits,bits and represented using integer values. These identifiers are typically dynamically selected, as opposed tostatically-assignedstatically assigned numeric identifiers(see e.g.(see, e.g., <xreftarget="IANA-PROT"/>).target="IANA-PROT" format="default"/>). We note that different transient numeric identifiers may have additional requirements or properties depending on their specific use in a protocol. We use the term "transient numeric identifier" (or simply "numeric identifier" or "identifier" as short forms) as a generic term to refer to any data object in a protocol specification that satisfies the identification property stated above.</t> <t hangText="Failure Severity:"> <vspace blankLines="0" />The</dd> <dt>Failure Severity:</dt> <dd>The interoperability consequences of a failure to comply with the interoperability requirements of a given identifier. Severity considers the worst potential consequence of a failure, determined by the system damage and/or time lost to repair the failure. In thisdocumentdocument, we define two types of failure severity: "soft failure" and "hard failure".</t> <t hangText="Soft Failure:"> <vspace blankLines="0" />A soft failure is a</dd> <dt>Soft Failure:</dt> <dd>A recoverable condition in which a protocol does not operate in the prescribed manner but normal operation can be resumed automatically in a short period of time. For example, a simple packet-loss event that is subsequently recovered with apacket-retransmissionpacket retransmission can be considered a soft failure.</t> <t hangText="Hard Failure:"> <vspace blankLines="0" />A hard failure is a</dd> <dt>Hard Failure:</dt> <dd>A non-recoverable condition in which a protocol does not operate in the prescribed manner or it operates with excessive degradation of service. For example, an established TCP connection that is aborted due to an error condition constitutes, from the point of view of the transport protocol, a hard failure, since it enters a state from which normal operation cannot be resumed.</t> </list> </t> <!-- <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target='RFC2119' /> <xref target='RFC8174' /> when, and only when, they appear in all capitals, as shown here. </t> --></dd> </dl> </section> <sectiontitle="Threat Model" anchor="threat-model"> <!-- <t>Throughout this document, we assume an attacker does not have physical or logical access to the system(s) being attacked, and cannot necessarily observe all the packets being transferred between the sender and the receiver(s) of the target protocol, but may be able to observe some of them. However, we assume the attacker can send any traffic to the target device(s), to e.g. sample transient numeric identifiers employed by such device(s). </t> -->anchor="threat-model" numbered="true" toc="default"> <name>Threat Model</name> <t>Throughout this document, we do not consider on-path attacks. That is, we assumeanthe attacker does not have physical or logical access to the system(s) beingattacked,attacked and that the attacker can only observe traffic explicitly directed to the attacker. Similarly, an attacker cannot observe traffic transferred betweenathe sender and the receiver(s) of a targetprotocol,protocol but may be able to interact with any of these entities, includingby e.g.by, e.g., sending any traffic to them to sample transient numeric identifiers employed by the targetsystemshosts when communicating with the attacker. </t> <t>For example, when analyzing vulnerabilities associated with TCP Initial Sequence Numbers (ISNs), we consider the attacker is unable to capture network traffic corresponding to a TCP connection between two other hosts. However, we consider the attacker is able to communicate with any of these hosts (e.g., establish a TCP connection with any ofthem), to e.g.them) to, e.g., sample the TCP ISNs employed by thesesystemshosts when communicating with the attacker.</t> <t>Similarly, when considering host-tracking attacks based on IPv6interface identifiers,Interface Identifiers, we consider an attacker may learn the IPv6 address employed by a victimnode if e.g.host if, e.g., the address becomes exposed as a result of the victimnodehost communicating with an attacker-operated server. Subsequently, an attacker may perform host-tracking by probing a set of target addresses composed by a set of target prefixes and the IPv6interface identifierInterface Identifier originally learned by the attacker. Alternatively, an attacker may performhost tracking if e.g.host-tracking if, e.g., the victimnodehost communicates with an attacker-operated server as it moves from one location to another,thosethereby exposing its configured addresses. We note that none of these scenariosrequiresrequire the attacker observe traffic not explicitly directed to the attacker. </t> </section> <sectiontitle="Issuesanchor="issues" numbered="true" toc="default"> <name>Issues with the Specification of Transient NumericIdentifiers" anchor="issues">Identifiers</name> <t>While assessing IETF protocol specifications regarding the use of transient numeric identifiers, we have found that most of the issues discussed in this document arise as a result of one of the following conditions:<list style="symbols"> <t>Protocol</t> <ul spacing="normal"> <li>protocol specifications thatunder-specify the requirements forunder specify their transient numericidentifiers</t> <t>Protocolidentifiers</li> <li>protocol specifications thatover-specifyover specify their transient numericidentifiers</t> <t>Protocolidentifiers</li> <li>protocol implementations that simply fail to comply with the specifiedrequirements</t> </list> </t>requirements</li> </ul> <t>A number of IETF protocol specifications(too many of them) have simply overlooked the security and privacy implications ofunder specified their transient numericidentifiers <xref target="I-D.irtf-pearg-numeric-ids-history"/>.identifiers, thus leading to implementations that were vulnerable to numerous off-path attacks. Examples of them are the specification of TCPephemerallocal ports in <xreftarget="RFC0793"/>, the specification of TCP sequence numbers in <xref target="RFC0793"/>,target="RFC0793" format="default"/> or the specification of the DNSQueryID in <xreftarget="RFC1035"/>.</t>target="RFC1035" format="default"/>.</t> <aside><t>NOTE: The TCP local port in an active OPEN request is commonly known as the "ephemeral port" of the corresponding TCP connection <xref target="RFC6056" format="default"/>.</t></aside> <t>On the other hand, there are a number of IETF protocol specifications thatover-specifyover specify some of their associated transient numeric identifiers. For example, <xreftarget="RFC4291"/>target="RFC4291" format="default"/> essentially overloads the semantics of IPv6 Interface Identifiers (IIDs) by embedding link-layer addresses in the IPv6IIDs,IIDs when the interoperability requirement of uniqueness could be achieved in other ways that do not result in negative security and privacy implications <xreftarget="RFC7721"/>.target="RFC7721" format="default"/>. Similarly, <xreftarget="RFC2460"/> suggestedtarget="RFC2460" format="default"/> suggests the use of a global counter for the generation ofFragmentIdentificationvalues,values when the interoperabilitypropertiesrequirement of uniqueness per {IPv6 Source Address, IPv6 Destination Address} could be achieved with other algorithms that do not result in negative security and privacy implications <xreftarget="RFC7739"/>.</t>target="RFC7739" format="default"/>.</t> <t>Finally, there are protocol implementations that simply fail to comply with existing protocol specifications. For example, some popular operating systems(notably Microsoft Windows)still fail to implementtransport protocoltransport-protocol ephemeral port randomization, as recommended in <xreftarget="RFC6056"/>.</t>target="RFC6056" format="default"/>, or TCP Initial Sequence Number randomization, as recommended in <xref target="RFC9293"/>.</t> </section> <sectiontitle="Protocolanchor="failure-severity" numbered="true" toc="default"> <name>Protocol FailureSeverity" anchor="failure-severity">Severity</name> <t><xreftarget="terminology"/>target="terminology" format="default"/> defines the concept of"Failure Severity","failure severity", along with two types of failure severities that we employ throughout this document: soft and hard.</t> <t>Our analysis of the severity of a failure is performed from the point of view of the protocol in question. However, the corresponding severity on the upper protocol (or application) might not be the same as that of the protocol in question. For example, a TCP connection that is aborted might or might not result in a hard failure of the upperapplication:application, i.e., if the upper application can establish a new TCP connection without any impact on the application, a hard failure at the TCP protocol may have no severity at the applicationlevel.layer. On the other hand, if a hard failure of a TCP connection results in excessive degradation of service at the application layer, it will also result in a hard failure at the application. </t> </section> <sectiontitle="Categorizinganchor="categorizing" numbered="true" toc="default"> <name>Categorizing Transient NumericIdentifiers" anchor="categorizing">Identifiers</name> <t>This section includes a non-exhaustive survey of transient numeric identifiers, which are representative of all the possible combinations of interoperability requirements and failure severities found in popular protocolsfromof different layers. Additionally, it proposes a number of categories that can accommodate these identifiers based on their interoperability requirements and their associated failure severity (soft or hard).<list style="hanging"> <t hangText="NOTE:"> <vspace blankLines="0"/></t> <aside><t>NOTE: All other transient numeric identifiers that were analyzed as part of this effort could be accommodated into one of the existing categories from <xreftarget="survey-table"/>. </t> </list> </t> <!-- [fgont] Basado en el contenido de la seccion anterior, tal vez esta tabla podria contener una columna adicional que indique si el problema es "under-specification", "over-specification", o "implementation-flaw" ? No se si aportaria mucho en terminos de categorizar, aunque si tal vez en el sentido de servir de "sample" de cual es el rigen de los problemas. Ideas? --> <texttable title="Surveytarget="survey-table" format="default"/>. </t></aside> <table anchor="survey-table" align="center"> <name>Survey of Transient NumericIdentifiers" style="all" anchor="survey-table"> <ttcol align="center">Identifier</ttcol> <ttcolIdentifiers</name> <thead> <tr> <th align="center">Identifier</th> <th align="center">InteroperabilityRequirements</ttcol> <ttcolRequirements</th> <th align="center">FailureSeverity</ttcol> <c>IPv6 Frag ID</c> <c>UniquenessSeverity</th> </tr> </thead> <tbody> <tr> <td align="center">IPv6 ID</td> <td align="center">Uniqueness (forIPIPv6 addresspair)</c> <c>Soft/Hard (1)</c> <c>IPv6 IID</c> <c>Uniquenesspair)</td> <td align="center">Soft/Hard (1)</td> </tr> <tr> <td align="center">IPv6 IID</td> <td align="center">Uniqueness (and stable within IPv6 prefix)(2)</c> <c>Soft (3)</c> <c>TCP ISN</c> <c>Monotonically-increasing (4)</c> <c>Hard (4)</c> <c>TCP(2)</td> <td align="center">Soft (3)</td> </tr> <tr> <td align="center">TCP ISN</td> <td align="center">Monotonically increasing (4)</td> <td align="center">Hard (4)</td> </tr> <tr> <td align="center">TCP initialtimestamp</c> <c>Monotonically-increasing (5)</c> <c>Hard (5)</c> <c>TCP eph. port</c><c>Uniquenesstimestamp</td> <td align="center">Monotonically increasing (5)</td> <td align="center">Hard (5)</td> </tr> <tr> <td align="center">TCP ephemeral port</td> <td align="center">Uniqueness (for connectionID)</c> <c>Hard</c> <c>IPv6ID)</td> <td align="center">Hard</td> </tr> <tr> <td align="center">IPv6 FlowLabel</c> <c>Uniqueness</c> <c>None (6)</c> <c>DNS Query ID</c> <c>Uniqueness</c> <c>None (7)</c> </texttable> <t>NOTE: <list style="hanging"> <t hangText="(1)"> <vspace blankLines="0" />WhileLabel</td> <td align="center">Uniqueness</td> <td align="center">None (6)</td> </tr> <tr> <td align="center">DNS ID</td> <td align="center">Uniqueness</td> <td align="center">None (7)</td> </tr> </tbody> </table> <t>NOTE:</t> <ol type="(%d)" spacing="normal"> <li>While a single collision ofFragment IDIPv6 Identification (ID) values would simply lead to a single packet drop (andhencehence, a "soft" failure), repeated collisions at high data rates might result in self-propagating collisions ofFragmentIPv6 IDs, thus possibly leading to a hard failure <xreftarget="RFC4963"/>.</t> <t hangText="(2)"> <vspace blankLines="0" />Whiletarget="RFC4963" format="default"/>.</li> <li>While the interoperability requirements are simply that the InterfaceIDIdentifier results in a unique IPv6 address, for operationalreasonsreasons, it is typically desirable that the resulting IPv6 address (andhencehence, the corresponding InterfaceID)Identifier) be stable within each network <xreftarget="RFC7217"/>target="RFC7217" format="default"/> <xreftarget="RFC8064"/>.</t> <t hangText="(3)"> <vspace blankLines="0" />Whiletarget="RFC8064" format="default"/>.</li> <li>While IPv6 InterfaceIDsIdentifiers must result in unique IPv6 addresses, IPv6 Duplicate Address Detection (DAD) <xreftarget="RFC4862"/>target="RFC4862" format="default"/> allows for the detection of duplicate addresses, andhencehence, such InterfaceIDIdentifier collisions can berecovered.</t> <t hangText="(4)"> <vspace blankLines="0" />Inrecovered.</li> <li>In theory, there are no interoperability requirements for TCP Initial Sequence Numbers (ISNs), since the TIME-WAIT state and TCP's "quiet time" concept take care of old segments from previous incarnations of a connection. However, a widespread optimization allows for a new incarnation of a previous connection to be created if the ISN of the incoming SYN is larger than the last sequence number seen in that direction for the previous incarnation of the connection. Thus,monotonically-increasingmonotonically increasing TCP ISNs allow for such optimization to work as expected <xreftarget="RFC6528"/>,target="RFC6528" format="default"/> and can help avoid connection-establishmentfailures.</t> <t hangText="(5)"> <vspace blankLines="0" />Strictlyfailures.</li> <li>Strictly speaking, there are no interoperability requirements for the*initial*<strong>initial</strong> TCP timestamp employed by a TCP instance (i.e., the TS Value (TSval) in a segment with the SYN bit set). However, some TCP implementations allow a new incarnation of a previous connection to be created if the TSval of the incoming SYN is larger than the last TSval seen in that direction for the previous incarnation of the connection (please see <xreftarget="RFC6191"/>).target="RFC6191" format="default"/>). Thus,monotonically-increasingmonotonically increasing TCP initial timestamps (across connections to the same endpoint) allow for such optimization to work as expected <xreftarget="RFC6191"/>,target="RFC6191" format="default"/> and can help avoid connection-establishmentfailures.</t> <t hangText="(6)"> <vspace blankLines="0" />Thefailures.</li> <li>The IPv6 Flow Label <xreftarget="RFC6437"/>,target="RFC6437" format="default"/>, along with the IPv6 Source Address andDestinationthe IPv6addresses,Destination Address, is typically employed for load sharing <xreftarget="RFC7098"/>.target="RFC7098" format="default"/>. Reuse of a Flow Label value for the same set {Source Address, Destination Address} would typically cause both flows to be multiplexed onto the same link. However, as long as this does not occur deterministically, it will not result in any negativeimplications.</t> <t hangText="(7)"> <vspace blankLines="0" />DNS Queryimplications.</li> <li>DNS IDs are employed, together with the IP Source Address, the IP Destination Address, the transport-protocol Source Port, and the transport-protocol Destination Port, to match DNS requests and responses. However, since an implementation knows which DNS requests were sent for that set of{Source{IP Source Address, IP Destination Address, transport-protocol Source Port,andtransport-protocol Destination Port,QueryDNS ID}, a collision ofQueryDNS IDs would result, if anything, in a small performance penalty (the response would nevertheless be discarded when it is found that it does not answer the query sent in the corresponding DNSquery).</t> </list> </t>query).</li> </ol> <t>Based on the survey above, we can categorize identifiers as follows:</t><texttable title="Identifier Categories" style="all" anchor="cat-table"> <ttcol<table anchor="cat-table" align="center"> <name>Identifier Categories</name> <thead> <tr> <th align="center">Cat#</ttcol><ttcol align="center">Category</ttcol><ttcol#</th> <th align="center">Category</th> <th align="center">SampleProto IDs</ttcol> <c>1</c><c>UniquenessNumeric IDs</th> </tr> </thead> <tbody> <tr> <td align="center">1</td> <td align="center">Uniqueness (softfailure)</c><c>IPv6failure)</td> <td align="center">IPv6 Flow L., DNSQuery ID</c> <c>2</c><c>UniquenessID</td> </tr> <tr> <td align="center">2</td> <td align="center">Uniqueness (hardfailure)</c><c>IPv6 Fragfailure)</td> <td align="center">IPv6 ID, TCP ephemeralport</c> <c>3</c><c>Uniqueness,port</td> </tr> <tr> <td align="center">3</td> <td align="center">Uniqueness, stable within context (softfailure)</c><c>IPv6 IID</c> <c>4</c><c>Uniqueness,failure)</td> <td align="center">IPv6 IID</td> </tr> <tr> <td align="center">4</td> <td align="center">Uniqueness, monotonically increasing within context (hardfailure)</c><c>TCPfailure)</td> <td align="center">TCP ISN, TCP initialtimestamp</c> </texttable>timestamp</td> </tr> </tbody> </table> <t> We note that Category #4 could be considered a generalized case ofcategoryCategory #3, in which a monotonically increasing element is added to a stable (within context) element, such that the resulting identifiers are monotonically increasing within a specified context. That is, the same algorithm could be employed for both #3 and #4, given appropriate parameters. </t> </section> <sectiontitle="Commonanchor="common-algorithms" numbered="true" toc="default"> <name>Common Algorithms for Transient Numeric IdentifierGeneration" anchor="common-algorithms">Generation</name> <t>The following subsections describe some sample algorithms that can be employed for generating transient numeric identifiers for each of the categoriesabove,above while mitigating the vulnerabilities analyzed in <xreftarget="vulns"/>target="vulns" format="default"/> of this document.</t> <t>All of the variables employed in the algorithms of the following subsections are of "unsigned integer" type, except for the "retry" variable,thatwhich is of (signed)"integer""integer" type.</t> <sectiontitle="Categoryanchor="cat-1-alg" numbered="true" toc="default"> <name>Category #1: Uniqueness(soft failure)" anchor="cat-1-alg">(Soft Failure)</name> <t>The requirement of uniqueness with a soft failure severity can be complied with aPseudo-RandomPseudorandom Number Generator (PRNG).<list style="hanging"> <t hangText="NOTE:"> <vspace blankLines="0"/></t> <aside><t>NOTE: Please see <xreftarget="RFC4086"/>target="RFC4086" format="default"/> regarding randomness requirements forsecurity.</t> </list> </t>security.</t></aside> <t>While most systems provide access to a PRNG, many of such PRNG implementations are not cryptographicallysecure,secure and therefore might be statistically biased or subject to adversarial influence. For example, ISO C <xreftarget="C11"/>target="C11" format="default"/> rand(3) implementations are not cryptographically secure.<list style="hanging"> <t hangText="NOTE:"> <vspace blankLines="0"/></t> <aside><t>NOTE: Section 7.1 ("Uniform Deviates") of <xreftarget="Press1992"/>target="Press1992" format="default"/> discusses the underlying issues affecting ISO C <xreftarget="C11"/>target="C11" format="default"/> rand(3) implementations.</t> </list> </t></t></aside> <t>On the other hand, a number of systems provide an interface to a Cryptographically Secure PRNG (CSPRNG) <xreftarget="RFC8937"/>target="RFC4086" format="default"/> <xreftarget="RFC4086"/>,target="RFC8937" format="default"/>, which guarantees high entropy, unpredictability, and good statistical distribution of the random values generated. For example, GNU/Linux's CSPRNG implementation is available via the getentropy(3) interface <xreftarget="GETENTROPY"/>,target="GETENTROPY" format="default"/>, while OpenBSD's CSPRNG implementation is available via the arc4random(3) and arc4random_uniform(3) interfaces <xreftarget="ARC4RANDOM"/>.target="ARC4RANDOM" format="default"/>. Where available, these CSPRNGs should be preferredover e.g.over, e.g., POSIX <xreftarget="POSIX"/>target="POSIX" format="default"/> random(3) or ISO C <xreftarget="C11"/>target="C11" format="default"/> rand(3) implementations.</t> <t>In scenarios where a CSPRNG is not readily available to select transient numeric identifiers of Category #1, a security and privacy assessment of employing a regular PRNG should be performed, supporting the implementation decision.<list style="hanging"> <t hangText="NOTE:"> <vspace blankLines="0"/></t> <aside><t>NOTE: <xreftarget="Aumasson2018"/>,target="Aumasson2018" format="default"/>, <xreftarget="Press1992"/>,target="Press1992" format="default"/>, and <xreftarget="Knuth1983"/>,target="Knuth1983" format="default"/> discuss theoretical and practical aspects of pseudorandomnumbers generation,number generation and provide guidance on how to evaluatePRNGs.</t> </list> </t>PRNGs.</t></aside> <t>We notethatthat, since the premise is that collisions of transient numeric identifiers of this category onlyleadslead to soft failures, in many cases, the algorithm might not need to check the suitability of a selected identifier (i.e., the suitable_id() function, described below, could always return "true").</t> <t>In scenarioswhere e.g.where, e.g., simultaneous use of a given numericIDidentifier is undesirable andthean implementation detects such condition,anthe implementation may opt to select the next available identifier in the samesequence,sequence or select another random number. <xreftarget="simple-randomization"/>target="simple-randomization" format="default"/> is an implementation of the former strategy, while <xreftarget="simple-randomization2"/>target="simple-randomization2" format="default"/> is an implementation of thelater.latter. Typically, the algorithm in <xreftarget="simple-randomization2"/>target="simple-randomization2" format="default"/> results in a more uniform distribution of the generated transient numeric identifiers. However, for transient numeric identifiers where an implementation typically keeps local state about unsuitable/used identifiers, the algorithm in <xreftarget="simple-randomization2"/>target="simple-randomization2" format="default"/> may require many more iterations than the algorithm in <xreftarget="simple-randomization"/>target="simple-randomization" format="default"/> to generate a suitable transient numeric identifier. This will usually be affected by the current usage ratio of transient numeric identifiers (i.e., the number of numeric identifiers considered suitable / total number of numeric identifiers) and other parameters. Therefore, in suchcasescases, many implementations tend to prefer the algorithm in <xreftarget="simple-randomization"/>target="simple-randomization" format="default"/> over the algorithm in <xreftarget="simple-randomization2"/>.target="simple-randomization2" format="default"/>. </t> <sectiontitle="Simpleanchor="simple-randomization" numbered="true" toc="default"> <name>Simple RandomizationAlgorithm" anchor="simple-randomization"> <t> <figure><artwork>Algorithm</name> <sourcecode type="c"><![CDATA[ /* Transient Numeric ID selection function */ id_range = max_id - min_id + 1; next_id = min_id + (random() % id_range); retry = id_range; do { if (suitable_id(next_id)) { return next_id; } if (next_id == max_id) { next_id = min_id; } else { next_id++; } retry--; } while (retry > 0); return ERROR;</artwork> </figure> </t> <!-- FreeBSD/OpenBSD: in_pcb.c, Linux: tcp_ipv4.c(+grsecurity) --> <t> <list style="hanging">]]></sourcecode> <t>NOTE:</t> <thangText="NOTE:"> <vspace blankLines="0"/> random()indent="3">random() is a PRNG that returns apseudo-randompseudorandom unsigned integer number of appropriate size.<!-- Note that the output needs to be unpredictable, and typical implementations of the POSIX random() function do not necessarily meet this requirement. See <xref target="RFC4086"/> for randomness requirements for security. -->BewareBeware that "adapting" the length of the output of random() with a modulo operator (e.g.,C-language'sC language's "%") may change the distribution of the PRNG. To preserve a uniform distribution, the rejection sampling technique <xreftarget="Romailler2020"/>target="Romailler2020" format="default"/> can be used.</t><t> The<t indent="3">suitable_id() is a functionsuitable_id() can check, whenthat checks, if possible and desirable, whether aselected transientcandidate numeric identifier is suitable(e.g.(e.g., whether it isnot alreadyinuse).use or has been recently employed). Depending on how/where the numeric identifier is used, it may or may not be possible (or even desirable) to check whether the numeric identifier is suitable. </t> <t indent="3">All the variables (in this algorithm and all the others algorithms discussed inuse (or whether it has been recently employed). Whenthis document) are unsigned integers.</t> <t>When an identifier is found to be unsuitable, this algorithm selects the next available numeric identifier in sequence.</t> <t>EvenThus, even when this algorithm selects numericIDsidentifiers randomly, it is biased towards the first available numericIDidentifier after a sequence of unavailable numericIDs.identifiers. For example, if this algorithm is employed fortransport protocoltransport-protocol ephemeral port randomization <xreftarget="RFC6056"/>target="RFC6056" format="default"/> and the local list of unsuitable port numbers (e.g., registered port numbers that should not be used for ephemeral ports) is significant, an attacker may actually have a significantly better chance of guessingaan ephemeral port number. </t><t> All the variables (in this and all the algorithms discussed in this document) are unsigned integers.</t> </list> </t><t>Assuming the randomness requirements for the PRNG are met (see <xreftarget="RFC4086"/>),target="RFC4086" format="default"/>), this algorithm does not suffer from any of the issues discussed in <xreftarget="vulns"/>.</t>target="vulns" format="default"/>.</t> </section> <sectiontitle="Anotheranchor="simple-randomization2" numbered="true" toc="default"> <name>Another Simple RandomizationAlgorithm" anchor="simple-randomization2">Algorithm</name> <t>The followingpseudo-codepseudocode illustrates another algorithm for selecting a random transient numeric identifierwhich,where, in the event a selected identifier is found to be unsuitable (e.g., already in use), another identifier is randomly selected:</t><t> <figure> <artwork><sourcecode type="c"><![CDATA[ /* Transient Numeric ID selection function */ id_range = max_id - min_id + 1; retry = id_range; do { next_id = min_id + (random() % id_range); if (suitable_id(next_id)) { return next_id; } retry--; } while (retry > 0); return ERROR;</artwork> </figure>]]></sourcecode> <t>NOTE:</t> <t indent="3">random() is a PRNG that returns a pseudorandom unsigned integer number of appropriate size. Beware that "adapting" the length of the output of random() with a modulo operator (e.g., C language's "%") may change the distribution of the PRNG. To preserve a uniform distribution, the rejection sampling technique <xref target="Romailler2020" format="default"/> can be used.</t> <t indent="3">suitable_id() is a function that checks, if possible and desirable, whether a candidate numeric identifier is suitable (e.g., if it is not already in use). Depending on how/where the numeric identifier is used, it may or may not be possible (or even desirable) to check whether the numeric identifier is in use (or whether it has been recently employed). </t><t>This<t>When an identifier is found to be unsuitable, this algorithm selects another random numeric identifier. Thus, this algorithm might be unable to select a transient numeric identifier (i.e., return"ERROR")"ERROR"), even if there are suitable identifiers available, in cases where a large number of identifiers are found to be unsuitable(e.g.(e.g., "in use").</t><t>The same considerations from <xref target="simple-randomization"/> with respect to the properties of random() and the adaptation of its output length apply to this algorithm.</t><t>Assuming the randomness requirements for the PRNG are met (see <xreftarget="RFC4086"/>),target="RFC4086" format="default"/>), this algorithm does not suffer from any of the issues discussed in <xreftarget="vulns"/>.</t>target="vulns" format="default"/>.</t> </section> </section> <sectiontitle="Categoryanchor="cat-2-alg" numbered="true" toc="default"> <name>Category #2: Uniqueness(hard failure)" anchor="cat-2-alg">(Hard Failure)</name> <t>One of the most trivial approaches for generating a unique transient numeric identifier (with a hard failure severity) is to reduce the identifier reuse frequency by generating the numeric identifiers with amonotonically-increasingmonotonically increasing function(e.g.(e.g., linear). As a result, any of the algorithms described in <xreftarget="cat-4-alg"/>target="cat-4-alg" format="default"/> ("Category #4: Uniqueness,monotonically increasingMonotonically Increasing withincontext (hard failure)")Context (Hard Failure)") can be readily employed for complying with the requirements of this transient numeric identifier category. </t> <t>In cases where suitability(e.g.(e.g., uniqueness) of the selected identifiers can be definitely assessed by the local system, any of the algorithms described in <xreftarget="cat-1-alg"/>target="cat-1-alg" format="default"/> ("Category #1: Uniqueness(soft failure)")(Soft Failure)") can be readily employed for complying with the requirements of this numeric identifier category.</t><t> <list style="hanging"> <t hangText="NOTE:"> <vspace blankLines="0"/><aside><t>NOTE: In the caseof e.g.of, e.g., TCP ephemeral ports or TCP ISNs, a transient numeric identifier that might seem suitable from the perspective of the localsystem,system might actually be unsuitable from the perspective of the remote system (e.g., because there is state associated with the selected identifier at the remote system). Therefore, in suchcasescases, it is not possible to employ the algorithms from <xreftarget="cat-1-alg"/>target="cat-1-alg" format="default"/> ("Category #1: Uniqueness(soft failure)"). </t> </list> </t>(Soft Failure)"). </t></aside> </section> <sectiontitle="Categoryanchor="cat-3-alg" numbered="true" toc="default"> <name>Category #3: Uniqueness,stableStable withincontext (soft failure)" anchor="cat-3-alg">Context (Soft Failure)</name> <t>The goal of the following algorithm is to produce identifiers that are stable for a given context (identified by"CONTEXT"),"CONTEXT") but that change when the aforementioned context changes.<!--For example, if the identifiers being generated must be unique for each {src IP, dst IP} set, then each possible combination of {src IP, dst IP} should have a corresponding "next_id" value. --></t><t><!--Keeping one value for each possible "context" may in many cases be considered too onerous in terms of memory requirements. -->In<t>In order to avoid storingin memorythe transient numeric identifiers computed for eachCONTEXT,CONTEXT in memory, the following algorithm employs a calculated technique (as opposed to keeping state in memory) to generate a stable transient numeric identifier for each given context. </t><t> <figure><artwork><sourcecode type="c"><![CDATA[ /* Transient Numeric ID selection function */ id_range = max_id - min_id + 1; retry = 0; do { offset = F(CONTEXT, retry, secret_key); next_id = min_id + (offset % id_range); if (suitable_id(next_id)) { return next_id; } retry++; } while (retry<=<= MAX_RETRIES); return ERROR;</artwork> </figure> </t> <!-- <t>F() must be a cryptographically-secure hash function (e.g. SHA-256 <xref target="FIPS-SHS"/>), that is computed over the concatenation of its arguments. --> <t>In this algorithm, the function F() provides a stateless and stable per-CONTEXT offset, where CONTEXT]]></sourcecode> <t>NOTE:</t> <t indent="3">CONTEXT is the concatenation of all the elements that definethea givencontext. <list style="hanging"> <t>For example, if this algorithm is expected to produce IPv6 IIDs that are unique per network interface and SLAAC autoconfiguration prefix, the CONTEXT should be the concatenation of e.g. the network interface index and the SLAAC autoconfiguration prefix (please see <xref target="RFC7217"/> for an implementation of this algorithm for generation of stable IPv6 IIDs). </t> </list> </t> <t>F()context.</t> <t indent="3">F() is a pseudorandom function (PRF). It must not be computable from the outside (without knowledge of the secret key). F() must also be difficult to reverse, such that it resists attempts to obtain thesecret_key,secret key, even when given samples of the output of F() and knowledge or control of the other input parameters. F() should produce an output of at least as many bits as required for the transient numeric identifier. SipHash-2-4 (128-bit key, 64-bit output) <xreftarget="SipHash"/>target="SipHash" format="default"/> and BLAKE3 (256-bit key, arbitrary-length output) <xreftarget="BLAKE3"/>target="BLAKE3" format="default"/> are two possible options for F(). Alternatively, F() could be implemented with akeyed-hashkeyed hash message authentication code (HMAC) <xreftarget="RFC2104"/>.target="RFC2104" format="default"/>. HMAC-SHA-256 <xreftarget="FIPS-SHS"/>target="FIPS-SHS" format="default"/> would be one possible option for such implementation alternative. Note: Use of HMAC-MD5 <xreftarget="RFC1321"/>target="RFC1321" format="default"/> or HMAC-SHA1 <xreftarget="FIPS-SHS"/>target="FIPS-SHS" format="default"/> are not recommended for F() <xreftarget="RFC6151"/>target="RFC6151" format="default"/> <xreftarget="RFC6194"/>.</t> <t>Thetarget="RFC6194" format="default"/>. The result of F() is no more secure than the secret key, andtherefore 'secret_key'therefore, "secret_key" must be unknown to theattacker,attacker and must be of a reasonable length.'secret_key'"secret_key" must remain stable for a given CONTEXT, sinceotherwiseotherwise, the numeric identifiers generated by this algorithm would not have the desired stability properties (i.e., stable for a given CONTEXT). In most cases,'secret_key'"secret_key" should be selected with a PRNG (see <xreftarget="RFC4086"/>target="RFC4086" format="default"/> for recommendations on choosing secrets) at an appropriatetime,time and stored in stable or volatile storage (as necessary) for future use. </t> <t indent="3">suitable_id() checks whether a candidate numeric identifier has suitable uniqueness properties. </t> <t>In this algorithm, the function F() provides a stateless and stable per-CONTEXT offset, where CONTEXT is the concatenation of all the elements that define the given context. </t> <t>For example, if this algorithm is expected to produce IPv6 IIDs that are unique per network interface and Stateless Address Autoconfiguration (SLAAC) prefix, CONTEXT should be the concatenation of, e.g., the network interface index and the SLAAC autoconfiguration prefix (please see <xref target="RFC7217" format="default"/> for an implementation of this algorithm for generation of stable IPv6 addresses). </t> <t>The result of F() is stored in the variable'offset',"offset", which may take any value within the storage type range, since we are restricting the resulting identifier to be in the range [min_id, max_id] in a similar way as in the algorithm described in <xreftarget="simple-randomization"/>.</t> <t>suitable_id()target="simple-randomization" format="default"/>.</t> <t>As noted above, suitable_id() checks whetherthea candidate numeric identifier has suitable uniqueness properties. Collisions (i.e., an identifier that is not unique) are recovered by incrementing the'retry'"retry" variable and recomputing F(), up to a maximum of MAX_RETRIES times. However, recovering from collisions will usually result in identifiers that fail to remain constant for the specified context. This is normally acceptable when the probability of collisions is small, as in the caseof e.g.of, e.g., IPv6 IIDs resulting from SLAAC <xreftarget="RFC7217"/>target="RFC7217" format="default"/> <xreftarget="RFC8981"/>.</t>target="RFC8981" format="default"/>.</t> <t>For obvious reasons, the transient numeric identifiers generated with this algorithm allow for network activity correlation and fingerprinting within "CONTEXT". However, this is essentially a design goal of this category of transient numeric identifiers.</t> </section> <sectiontitle="Categoryanchor="cat-4-alg" numbered="true" toc="default"> <name>Category #4: Uniqueness,monotonically increasingMonotonically Increasing withincontext (hard failure)" anchor="cat-4-alg">Context (Hard Failure)</name> <sectiontitle="Per-contextanchor="per-context-counter" numbered="true" toc="default"> <name>Per-Context CounterAlgorithm" anchor="per-context-counter">Algorithm</name> <t>One possible way of selecting uniquemonotonically-increasingmonotonically increasing identifiers (per context) is to employ a per-context counter. Such an algorithm could be described as follows:</t><t> <figure> <artwork><sourcecode type="c"><![CDATA[ /* Transient Numeric ID selection function */ id_range = max_id - min_id + 1; retry = id_range; id_inc = increment() % id_range; if( (next_id = lookup_counter(CONTEXT)) == ERROR){ next_id = min_id + random() % id_range; } do { if ( (max_id - next_id) >= id_inc){ next_id = next_id + id_inc; } else { next_id = min_id + id_inc - (max_id - next_id); } if (suitable_id(next_id)){ store_counter(CONTEXT, next_id); return next_id; } retry = retry - id_inc; } while (retry > 0); return ERROR;</artwork> </figure> </t> <t> <list style="hanging">]]></sourcecode> <t>NOTE:</t> <thangText="NOTES:"> <vspace blankLines="0"/> increment()indent="3">CONTEXT is the concatenation of all the elements that define a given context.</t> <t indent="3">increment() returns a small integer that is employed to increment the current counter value to obtain the next transient numeric identifier. This value must be larger than or equal to 1, and much smaller than the number of possible values for the numericIDsidentifiers (i.e., "id_range"). Most implementations of this algorithm employ a constant increment of 1. Using a value other than 1 can help mitigate some information leakages (please seebelow),below) at the expense of a possible increase in the numericIDidentifier reusefrequency.</t> <t>Thefrequency. The code above makes sure that the increment employed in the algorithm (id_inc) is always smaller than the number of possible values for the numericIDsidentifiers (i.e., "max_id - min_d + 1"). However, as noted above, this value must also be much smaller than the number of possible values for the numericIDs.</t> <t>lookup_counter()identifiers.</t> <t indent="3">lookup_counter() is a function that returns the current counter for a givencontext,context or an error condition if that counter does not exist.</t><t>store_counter()<t indent="3">random() is a PRNG that returns a pseudorandom unsigned integer number of appropriate size. Beware that "adapting" the length of the output of random() with a modulo operator (e.g., C language's "%") may change the distribution of the PRNG. To preserve a uniform distribution, the rejection sampling technique <xref target="Romailler2020" format="default"/> can be used.</t> <t indent="3">store_counter() is a function that saves a counter value for a given context.</t><t>suitable_id() is a function that<t indent="3">suitable_id() checks whetherthe resultinga candidate numeric identifieris acceptable (e.g., whether it is not already in use, etc.). </t> </list>has suitable uniqueness properties. </t> <t>Essentially, whenever a new identifier is to be selected, the algorithm checks whether a counter for the corresponding context exists. If it does, the value of such counter is incremented to obtain the new transient numeric identifier, and the counter is updated. If no counter exists for such context, a new counter is created and initialized to a randomvalue,value and used as the selected transient numeric identifier. This algorithm produces a per-context counter, which results in onemonotonically-increasingmonotonically increasing function for each context. Since each counter is initialized to a random value, the resulting values are unpredictable by an off-path attacker. </t> <t>The choice of id_inc has implications on both the security and privacy properties of the resultingidentifiers, butidentifiers and also on the corresponding interoperability properties. On one hand, minimizing the increments generally minimizes the identifier reuse frequency, albeit at increased predictability. On the other hand, if the increments are randomized, predictability of the resulting identifiers is reduced, and the information leakage produced by global constant increments is mitigated. However, using larger increments than necessary can result in higher numericIDidentifier reuse frequency. </t> <t>This algorithm has the following drawbacks:<list style="symbols"> <t>It</t> <ul spacing="normal"> <li>It requires an implementation to store eachper-CONTEXTper-context counter in memory. If, as a result of resource management, the counter for a given context must be removed, the last transient numeric identifier value used for that context will be lost. Thus, ifsubsequentlyan identifier subsequently needs to be generated for the same context, the corresponding counter will need to be recreated and reinitialized to a random value, thus possibly leading to reuse/collision of numeric identifiers.</t> <t></li> <li> Keeping one counter for each possible "context" may in some cases be considered too onerous in terms of memory requirements.</t> <!-- <t>An implementation may map more than one context to the same counter, such the amount of memory required to store counters is reduced, at the expense of a possible unnecessary increase in the numeric identifier reuse frequency. In such cases, if the identifiers are predictable by the destination system (in case the destination host represents the "context"), a vulnerable host might possibly leak to third parties the identifiers used by other hosts to send traffic to it (i.e., a vulnerable Host B could leak to Host C the identifier values that Host A is using to send packets to Host B). Appendix A of <xref target="RFC7739"/> describes one possible scenario for such leakage in detail. Employing small random numbers for the increments (i.e., for increment() function) may help mitigate this kind of information leakage. </t> --> </list> </t></li> </ul> <t>Otherwise, the identifiers produced by this algorithm do not suffer from the other issues discussed in <xreftarget="vulns"/>.</t>target="vulns" format="default"/>.</t> </section> <sectiontitle="Simpleanchor="simple-hash" numbered="true" toc="default"> <name>Simple PRF-BasedAlgorithm" anchor="simple-hash">Algorithm</name> <t>The goal of this algorithm is to producemonotonically-increasingmonotonically increasing transient numeric identifiers (for each givencontext),context) with a randomized initial value. For example, if the identifiers being generated must bemonotonically-increasingmonotonically increasing for each{IP Source{Source Address,IPDestination Address} set, then each possible combination of{IP Source{Source Address,IPDestination Address} should have a separatemonotonically-increasing sequence,monotonically increasing sequence that starts at a different random value. </t> <t>Instead of maintaining a per-context counter (as in the algorithm from <xreftarget="per-context-counter"/>),target="per-context-counter" format="default"/>), the following algorithm employs a calculated technique to maintain a random offset for each possible context. </t><t> <figure><artwork><sourcecode type="c"><![CDATA[ /* Initialization code */ counter = 0; /* Transient Numeric ID selection function */ id_range = max_id - min_id + 1; id_inc = increment() % id_range; offset = F(CONTEXT, secret_key); retry = id_range; do { next_id = min_id + (offset + counter) % id_range; counter = counter + id_inc; if (suitable_id(next_id)) { return next_id; } retry = retry - id_inc; } while (retry > 0); return ERROR;</artwork> </figure> </t> <!-- <t> The function F() should be a cryptographically-secure hash function (e.g. SHA-256 <xref target="FIPS-SHS"/>). CONTEXT]]></sourcecode> <t>NOTE:</t> <t indent="3">CONTEXT is the concatenation of all the elements that define a given context. For example, if this algorithm is expected to produce identifiers that aremonotonically-increasingmonotonically increasing for each set(Source IP{Source Address, DestinationIP Address),Address}, CONTEXT should be the concatenation ofthese two IP addresses. </t> --> <!-- Nuevo: <t>F() is a pseudorandom function (PRF) that must not be computable from the outside (without knowledge of the secret key). F() must also be difficult to reverse, such that it resists attempts to obtain the secret_key, even when given samples of the output of F()Source Address andknowledge or control ofDestination Address.</t> <t indent="3">increment() has theother input parameters. F() should produce an output of at least as many bitssame properties and requirements asrequired for the transient numeric identifier. F() could be the result of applying a cryptographic hash over an encoded version of the function parameters. While this document does not recommend a specific mechanismthose specified forencoding the function parameters (or a specific cryptographic hash function),increment() in <xref target="per-context-counter" format="default"/>.</t> <t indent="3">F() is acryptographically robust construction will ensure that the mapping from parameters toPRF, with thehash function input is an injective map,same properties asmight be attained by using fixed-width encodings and/or length-prefixing variable-length parameters. SHA-256 <xref target="FIPS-SHS"/> is one possible option for F(). Note: MD5 <xref target="RFC1321"/> is considered unacceptablethose specified for F() in <xreftarget="RFC6151"/>.</t> -->target="cat-3-alg" format="default"/>.</t> <t indent="3">suitable_id() checks whether a candidate numeric identifier has suitable uniqueness properties.</t> <t>In the algorithm above, the function F() provides a(stateless)stateless, stable, and unpredictable offset for each given context (as identified by'CONTEXT'). </t> <t>F() is a PRF, with the same properties as those specified for F() in <xref target="cat-3-alg"/>.</t> <t>CONTEXT is the concatenation of all the elements that define a given context. For example, if this algorithm is expected to produce identifiers that are monotonically-increasing for each set (Source IP Address, Destination IP Address), CONTEXT should be the concatenation of these two IP addresses.</t> <t> The function F() provides a "per-CONTEXT" fixed offset within the numeric identifier "space"."CONTEXT"). Both the'offset'"offset" and'counter'"counter" variables may take any value within the storage type range since we are restricting the resulting identifier to be in the range [min_id, max_id] in a similar way as in the algorithm described in <xreftarget="simple-randomization"/>.target="simple-randomization" format="default"/>. This allows us to simply increment the'counter'"counter" variable and rely on the unsigned integer to wrap around. </t><!-- <t> The secret should be chosen to be as random as possible (see <xref target="RFC4086"/> for recommendations on choosing secrets). </t> --><t> The result of F() is no more secure than the secret key, andtherefore 'secret_key'therefore, "secret_key" must be unknown to theattacker,attacker and must be of a reasonable length.'secret_key'"secret_key" must remain stable for a given CONTEXT, sinceotherwiseotherwise, the numeric identifiers generated by this algorithm would not have the desiredstabilityproperties (i.e.,monotonically-increasingmonotonically increasing for a given CONTEXT). In most cases,'secret_key'"secret_key" should be selected with a PRNG (see <xreftarget="RFC4086"/>target="RFC4086" format="default"/> for recommendations on choosing secrets) at an appropriatetime,time and stored in stable or volatile storage (as necessary) for future use.</t> <t>It should be noted that, since this algorithm uses a global counter("counter")("counter") for selecting identifiers (i.e., all counters share the sameincrementsincrement space), this algorithm results in an information leakage (as described in <xreftarget="information-leakage"/>).target="information-leakage" format="default"/>). For example, if this algorithmwerewas used for selecting TCP ephemeralports,ports and an attacker could force a client to periodically establish a new TCP connection to an attacker-controlled system (or through an attacker-observable routing path), the attacker could subtract consecutivesource portSource Port values to obtain the number of outgoing TCP connections established globally by the victim host within that time period (up to wrap-around issues and five-tuple collisions, of course). This information leakage could be partially mitigated by employing small random values for the increments (i.e., increment() function), instead of having increment() return the constant "1".</t> <t>We nevertheless note that an improved mitigation of this information leakage could be more successfully achieved by employing the algorithm from <xreftarget="double-hash"/>,target="double-hash" format="default"/>, instead.</t><!-- <t>From a functional perspective, this algorithm results in numeric identifiers with similar properties to those generated with the algorithm specified in <xref target="per-context-counter"/> when multiple --></section> <sectiontitle="Double-PRF Algorithm" anchor="double-hash">anchor="double-hash" numbered="true" toc="default"> <name>Double-PRF Algorithm</name> <t>A trade-off between maintaining a single global'counter'"counter" variable and maintaining 2**N'counter'"counter" variables (where N is the width of the result ofF()),F()) could be achieved as follows. The system would keep an array of TABLE_LENGTH values, which would provide a separation of the increment space into multiple buckets. This improvement could be incorporated into the algorithm from <xreftarget="simple-hash"/>target="simple-hash" format="default"/> as follows:</t><t> <figure> <artwork><sourcecode type="c"><![CDATA[ /* Initialization code */ for(i = 0; i<< TABLE_LENGTH; i++) { table[i] = random(); } /* Transient Numeric ID selection function */ id_range = max_id - min_id + 1; id_inc = increment() % id_range; offset = F(CONTEXT, secret_key1); index = G(CONTEXT, secret_key2) % TABLE_LENGTH; retry = id_range; do { next_id = min_id + (offset + table[index]) % id_range; table[index] = table[index] + id_inc; if (suitable_id(next_id)) { return next_id; } retry = retry - id_inc; } while (retry > 0); return ERROR;</artwork> </figure> </t> <t> 'table[]' could be initialized with random values, as indicated by the initialization code in the pseudo-code above.</t> <!-- <t>Both F() and G() should be cryptographically-secure hash functions (e.g. SHA-256 <xref target="FIPS-SHS"/>) computed over the concatenation of each of their respective arguments. Both F() and G() would employ]]></sourcecode> <t>NOTE:</t> <t indent="3">increment() has the sameCONTEXT (the concatenation of all the elements that define a given context), and would use separate secret keys (secret_key1,properties andsecret_key2, respectively). </t> --> <t>Bothrequirements as those specified for increment() in <xref target="per-context-counter" format="default"/>.</t> <t indent="3">Both F() and G() are PRFs, with the same properties as those required for F() in <xreftarget="cat-3-alg"/>.</t> <t>target="cat-3-alg" format="default"/>. The results of F() and G() are no more secure than their respective secret keys('secret_key1'("secret_key1" and'secret_key2',"secret_key2", respectively), andthereforetherefore, both secret keys must be unknown to theattacker,attacker and must be of a reasonable length. Both secret keys must remain stable for the given CONTEXT, sinceotherwiseotherwise, the transient numeric identifiers generated by this algorithm would not have the desiredstabilityproperties (i.e.,monotonically-increasingmonotonically increasing for a given CONTEXT). In most cases, both secret keys should be selected with a PRNG (see <xreftarget="RFC4086"/>target="RFC4086" format="default"/> for recommendations on choosing secrets) at an appropriatetime,time and stored in stable or volatile storage (as necessary) for future use. </t><!-- <t> The function G() should<t indent="3"> "table[]" could bea cryptographic hash function. It should use the same CONTEXTinitialized with random values, asF(), and a secret key value to compute a value between 0 and (TABLE_LENGTH-1). </t> -->indicated by the initialization code in the pseudocode above.</t> <t>The'table[]'"table[]" array assures that successive transient numeric identifiers for a given context will bemonotonically-increasing.monotonically increasing. Since theincrementsincrement space is separated into TABLE_LENGTH different spaces, the identifier reuse frequency will be (probabilistically) lower than that of the algorithm in <xreftarget="simple-hash"/>.target="simple-hash" format="default"/>. That is, the generation of an identifier for one given context will not necessarily result in increments in the identifier sequence of other contexts. It is interesting to note that the size of'table[]'"table[]" does not limit the number of different identifiersequences,sequences but rather separates the*increment space*<strong>increment space</strong> into TABLE_LENGTH different spaces. The selected transient numeric identifier sequence will be obtained by adding the corresponding entry from'table[]'"table[]" to the value in the'offset'"offset" variable, which selects the actual identifier sequence space (as in the algorithm from <xreftarget="simple-hash"/>).target="simple-hash" format="default"/>). </t> <t>An attacker can perform traffic analysis for any"increment space""increment space" (i.e., context) into which the attacker has"visibility""visibility" -- namely, the attacker can force a system to generate identifiers for G(CONTEXT, secret_key2), where the result of G() identifies the target"increment space"."increment space". However, the attacker's ability to perform traffic analysis is very reduced when compared to the simple PRF-based identifiers (described in <xreftarget="simple-hash"/>)target="simple-hash" format="default"/>) and the predictable linear identifiers (described in <xreftarget="trad_selection"/>).target="trad_selection" format="default"/>). Additionally, an implementation can further limit the attacker's ability to perform traffic analysis by further separating the increment space (that is, using a larger value for TABLE_LENGTH) and/or by randomizing the increments (i.e., increment() returning a small random number as opposed to the constant "1").</t> <t>Otherwise, this algorithm does not suffer from the issues discussed in <xreftarget="vulns"/>.</t>target="vulns" format="default"/>.</t> </section> </section> </section> <sectiontitle="Commonanchor="vulns" numbered="true" toc="default"> <name>Common Vulnerabilities Associated with Transient NumericIdentifiers" anchor="vulns">Identifiers</name> <sectiontitle="Networkanchor="activity-correlation" numbered="true" toc="default"> <name>Network ActivityCorrelation" anchor="activity-correlation">Correlation</name> <t>An identifier that is predictable within a given context allows for network activity correlation within that context.</t> <t>For example, a stable IPv6 Interface Identifier allows for network activity to be correlated within the context in which the Interface Identifier is stable <xreftarget="RFC7721"/>.target="RFC7721" format="default"/>. Astable-per-networkstable per-network IPv6 Interface Identifier (as in <xreftarget="RFC7217"/>)target="RFC7217" format="default"/>) allows for network activity correlation within a network, whereas a constant IPv6 Interface Identifier(that(which remains constant across networks) allows not only network activity correlation within the samenetwork,network but also across networks("host tracking").("host-tracking"). </t> <t>Similarly, an implementation that generates TCP ISNs with a global counter could allow for fingerprinting and network activity correlation across networks, since an attacker could passively infer the identity of the victim based on the TCP ISNs employed for subsequent communication instances. Similarly, an implementation that generates predictable IPv6FragmentIdentification values could be subject to fingerprinting attacks(see e.g.(see, e.g., <xreftarget="Bellovin2002"/>).target="Bellovin2002" format="default"/>). </t> </section> <sectiontitle="Information Leakage" anchor="information-leakage">anchor="information-leakage" numbered="true" toc="default"> <name>Information Leakage</name> <t>Transient numeric identifiers that result in specific patterns can produce an information leakage to other communicating entities. For example, it is common to generate transient numeric identifiers with an algorithm such as:<figure align="center"> <artwork align="center"><![CDATA[</t> <sourcecode type="c"><![CDATA[ ID = offset(CONTEXT) + mono(CONTEXT);]]></artwork> <postamble></postamble> </figure>]]></sourcecode> <t> This generic expression generates identifiers by adding amonotonically-increasingmonotonically increasing function(e.g.(e.g., linear) to a randomized offset. offset() is constant within a given context, whereas mono() produces amonotonically-increasingmonotonically increasing sequence for the given context. Identifiers generated with this expression will generally be predictable within CONTEXT.<!--Additionally, information associated with the increments will be "leaked" within CONTEXT_2. When both CONTEXT_1 and CONTEXT_2 are constant values, then the corresponding transient numeric identifiers become predictable in all contexts.--> <!-- <list style="hanging"> <t> NOTE: If CONTEXT_1 is constant, and an attacker can sample ID values, the resulting identifiers may leak even more information. For example, if Fragment Identification values are generated with the generic function above, CONTEXT_1 is constant, and mono() is a linear function, then the corresponding identifiers will leak the number of fragmented datagrams sent for CONTEXT_2. If both CONTEXT_1 and CONTEXT_2 are constant, and mono() is a linear function, then Fragment Identification values will be generated with a global counter (initialized to offset()), and thus each generated Fragment Identification value will leak the number of fragmented datagrams transmitted by the node since it has been bootstrapped. </t> </list> --></t> <t keepWithPrevious="true"/> <t>The predictability of mono(), irrespective of the predictability of offset(), can leak information that may be of use to attackers. For example, a node that selects transport-protocol ephemeral portnumbersnumbers, asin: <figure align="center"> <artwork align="center"><![CDATA[in:</t> <sourcecode type="c"><![CDATA[ ephemeral_port =offset(Dest_IP)offset(IP_Dst_Addr) + mono()]]></artwork> <postamble></postamble> </figure>]]></sourcecode> <t> that is, with a per-destinationoffset,offset but a global mono() function (e.g., a global counter), will leak information about the total number of outgoing connections that have been issued by the vulnerable implementation.</t> <t keepWithPrevious="true"/> <t>Similarly, a node that generatesFragmentIPv6 Identification values as in:<figure align="center"> <artwork align="center"><![CDATA[ Frag_ID</t> <sourcecode type="c"><![CDATA[ ID =offset(IP_src_addr, IP_dst_addr)offset(IP_Src_Addr, IP_Dst_Addr) + mono()]]></artwork> <postamble></postamble> </figure>]]></sourcecode> <t> will leak out information about the total number of fragmented packets that have been transmitted by the vulnerable implementation. The vulnerabilities described in <xreftarget="Sanfilippo1998a"/>,target="Sanfilippo1998a" format="default"/>, <xreftarget="Sanfilippo1998b"/>,target="Sanfilippo1998b" format="default"/>, and <xreftarget="Sanfilippo1999"/>target="Sanfilippo1999" format="default"/> are all associated with the use of a global mono() function (i.e., with a global and constant"context")"CONTEXT") -- particularly when it is a linear function (constant increments of 1). </t> <t>Predicting transient numeric identifiers can be of help for other types of attacks. For example, predictable TCP ISNs can open the door to trivial connection-reset and data injection attacks (see <xreftarget="injection-attacks"/>).target="injection-attacks" format="default"/>). </t> </section> <sectiontitle="Fingerprinting" anchor="fingerprinting">anchor="fingerprinting" numbered="true" toc="default"> <name>Fingerprinting</name> <t>Fingerprinting is the capability of an attacker to identify orre-identifyreidentify a visiting user, useragentagent, or device via configuration settings or other observable characteristics. Observable protocol objects and characteristics can be employed toidentify/re-identify a variety of entities, rangingidentify/reidentify various entities. These entities can range from the underlying hardware orOperating Systemoperating system (OS) (vendor,typetype, andversion),version) to theuser itself (i.e. his/her identity).user. <xreftarget="EFF"/>target="EFF" format="default"/> illustratesweb browser-basedweb-browser-based fingerprinting, but similar techniques can be applied at other layers and protocols, whether alternatively or in conjunction with it.</t> <t> Transient numeric identifiers are one of the observable protocol components that could be leveraged for fingerprinting purposes. That is, an attacker could sample transient numeric identifiers to infer the algorithm (and its associated parameters, if any) for generating such identifiers, possibly revealing the underlyingOperating System (OS)OS vendor, type, and version. This information could possibly be further leveraged in conjunction with other fingerprinting techniques and sources. </t> <t> Evasion of protocol-stack fingerprinting can prove to be a very difficulttask:task, i.e., most systems make use of a wide variety of protocols, each of which have a large number of parameters that can be set to arbitrary values or generated with a variety of algorithms with multiple parameters.<list style="hanging"> <t hangText="NOTE:"> <vspace blankLines="0"/></t> <aside><t>NOTE: General protocol-based fingerprinting is discussed in <xreftarget="RFC6973"/>,target="RFC6973" format="default"/>, along with guidelines to mitigate the associated vulnerability. <xreftarget="Fyodor1998"/>target="Fyodor1998" format="default"/> and <xreftarget="Fyodor2006"/>target="Fyodor2006" format="default"/> are classic references onOperating SystemOS detection via TCP/IP stack fingerprinting.NmapNetwork Mapper <xreftarget="nmap"/>target="nmap" format="default"/> is probably the most popular tool for remote OS identification via active TCP/IP stack fingerprinting. p0f <xreftarget="Zalewski2012"/>,target="Zalewski2012" format="default"/>, on the other hand, is a tool for performing remote OS detection via passive TCP/IP stack fingerprinting. Finally, <xreftarget="TBIT"/>target="TBIT" format="default"/> is a TCP fingerprinting tool that aims at characterizing thebehaviourbehavior of a remote TCP peer based on active probes,andwhich has been widely used in the research community.</t> </list> </t></t></aside> <t> Algorithms that, from the perspective of an observer (e.g., the legitimate communicating peer), result in specific values orpatterns,patterns will allow for at least some level of fingerprinting. For example, the algorithm from <xreftarget="cat-3-alg"/>target="cat-3-alg" format="default"/> will typically allow fingerprinting within the context where the resulting identifiers are stable. Similarly, the algorithms from <xreftarget="cat-4-alg"/>target="cat-4-alg" format="default"/> will result ina monotonically-increasingmonotonically increasing sequences within a given context, thus allowing for at least some level of fingerprinting (when the other communicating entity can correlate different sampled identifiers as belonging to the samemonotonically-increasingmonotonically increasing sequence). </t> <t> Thus, where possible, algorithms from <xreftarget="cat-1-alg"/>target="cat-1-alg" format="default"/> should be preferred over algorithms that result in specific values or patterns. </t> </section> <sectiontitle="Exploitationanchor="id-semantics" numbered="true" toc="default"> <name>Exploitation of the Semantics of Transient NumericIdentifiers" anchor="id-semantics">Identifiers</name> <t>Identifiers that are not semantically opaque tend to be more predictable thansemantically-opaquesemantically opaque identifiers. For example, aMACMedia Access Control (MAC) address contains anOUI (Organizationally-Unique Identifier)Organizationally Unique Identifier (OUI), which may identify the vendor that manufactured the corresponding network interface card. This can be leveraged by an attacker trying to "guess" MAC addresses, who has some knowledge about the possible Network Interface Card (NIC) vendor.</t> <t><xreftarget="RFC7707"/>target="RFC7707" format="default"/> discusses a number of techniques to reduce the search space when performing IPv6 address-scanning attacks by leveraging the semantics ofthe IIDs produced by traditional SLAAC algorithms (eventually replaced by <xref target="RFC7217"/>) that embed MAC addresses in the IID ofIPv6addresses.IIDs. </t> </section> <sectiontitle="Exploitationanchor="id-collisions" numbered="true" toc="default"> <name>Exploitation of Collisions of Transient NumericIdentifiers" anchor="id-collisions">Identifiers</name> <t>In many cases, the collision of transient network identifiers can have a hard failure severity (or result in a hard failure severity if an attacker can cause multiple collisions deterministically, one after another). For example, predictableFragmentIP Identification values open the door to Denial of Service (DoS) attacks(see e.g.(see, e.g., <xreftarget="RFC5722"/>.).target="RFC5722" format="default"/>.). </t> </section> <sectiontitle="Exploitationanchor="injection-attacks" numbered="true" toc="default"> <name>Exploitation of Predictable Transient Numeric Identifiers for InjectionAttacks" anchor="injection-attacks">Attacks</name> <t>Some protocols rely on "sequence numbers" for the validation of incoming packets. For example, TCP employs sequence numbers for reassembling TCP segments, while IPv4 and IPv6 employFragmentIdentification values for reassembling IPv4 and IPv6 fragments (respectively). Lacking built-in cryptographic mechanisms for validating packets, these protocols are therefore vulnerable to on-path data(see e.g.(see, e.g., <xreftarget="Joncheray1995"/>)target="Joncheray1995" format="default"/>) and/or control-information(see e.g.(see, e.g., <xreftarget="RFC4953"/>target="RFC4953" format="default"/> and <xreftarget="RFC5927"/>)target="RFC5927" format="default"/>) injection attacks. The extent to which these protocols may resist off-path(i.e.(i.e., "blind") injection attacks depends on whether the associated "sequence numbers" arepredictable,predictable and the effort required to successfully predict a valid "sequence number"(see e.g.(see, e.g., <xreftarget="RFC4953"/>target="RFC4953" format="default"/> and <xreftarget="RFC5927"/>).target="RFC5927" format="default"/>). </t> <t>We note that the use of unpredictable "sequence numbers" is acompletely-ineffectivecompletely ineffective mitigation for on-path injectionattacks,attacks and also amostly-ineffectivemostly ineffective mitigation for off-path(i.e.(i.e., "blind") injection attacks. However, many legacy protocols (such as TCP) do notnativelyincorporate cryptographicmitigations,mitigations as part of the core protocol but ratheronlyas optional features(see e.g.(see, e.g., <xreftarget="RFC5925"/>),target="RFC5925" format="default"/>), if available atall available.all. Additionally,ad-hocad hoc use of cryptographic mitigations might not be sufficient to relieve a protocol implementation of generating appropriate transient numeric identifiers. For example, use of the Transport Layer Security (TLS) protocol <xreftarget="RFC8446"/>target="RFC8446" format="default"/> with TCP will protect the applicationprotocol,protocol but will not help tomitigate e.g.mitigate, e.g., TCP-based connection-reset attacks(see e.g.(see, e.g., <xreftarget="RFC4953"/>).target="RFC4953" format="default"/>). Similarly, use of SEcure Neighbor Discovery (SEND) <xreftarget="RFC3971"/>target="RFC3971" format="default"/> will still imply reliance on the successful reassembly of IPv6 fragments in those cases where SEND packets do not fit into the link Maximum Transmission Unit (MTU) (see <xreftarget="RFC6980"/>).</t>target="RFC6980" format="default"/>).</t> </section> <sectiontitle="Cryptanalysis" anchor="crypto-analisis">anchor="crypto-analisis" numbered="true" toc="default"> <name>Cryptanalysis</name> <t>A number of algorithms discussed in this document (such as those described in Sections <xreftarget="simple-hash"/>target="simple-hash" format="counter"/> and <xreftarget="double-hash"/>)target="double-hash" format="counter"/>) rely on PRFs. Implementations that employ weak PRFs or keys of inappropriate size can be subject to cryptanalysis, where an attacker can obtain the secret key employed for the PRF, predict numeric identifiers, etc. </t> <t>Furthermore, an implementation that overloads the semantics of the secret key can result in more trivial cryptanalysis, possibly resulting in the leakage of the value employed for the secret key.<list style="hanging"> <t hangText="NOTE:"> <vspace blankLines="0"/></t> <aside><t>NOTE: <xreftarget="IPID-DEV"/>target="IPID-DEV" format="default"/> describes two vulnerable transient numericIDidentifier generators that employcryptographically-weakcryptographically weak hash functions. Additionally, one of such implementations employs32-bits32 bits of a kernel address as the secret key for a hash function, andthereforetherefore, successful cryptanalysis leaks the aforementioned kernel address, allowing for Kernel Address Space Layout Randomization (KASLR) <xreftarget="KASLR"/> bypass. </t> </list> </t>target="KASLR" format="default"/> bypass.</t></aside> </section> </section> <sectiontitle="Vulnerabilityanchor="vuln-cats" numbered="true" toc="default"> <name>Vulnerability Assessment of Transient NumericIdentifiers" anchor="vuln-cats">Identifiers</name> <t> The following subsections analyze possible vulnerabilities associated with the algorithms described in <xreftarget="common-algorithms"/>.target="common-algorithms" format="default"/>. </t> <sectiontitle="Categoryanchor="cat-1-vuln" numbered="true" toc="default"> <name>Category #1: Uniqueness(soft failure)" anchor="cat-1-vuln">(Soft Failure)</name> <t>Possible vulnerabilities associated with the algorithms from <xreftarget="cat-1-alg"/> include: <list style="symbols"> <t>Usetarget="cat-1-alg" format="default"/> include the following: </t> <ul spacing="normal"> <li>use of flawed PRNGs (pleasesee e.g.see, e.g., <xreftarget="Zalewski2001"/>,target="Zalewski2001" format="default"/>, <xreftarget="Zalewski2002"/>,target="Zalewski2002" format="default"/>, <xreftarget="Klein2007"/>target="Klein2007" format="default"/>, and <xreftarget="CVEs"/>).</t> <t>Inadvertentlytarget="CVEs" format="default"/>)</li> <li>inadvertently affecting the distribution of an otherwise suitable PRNG (pleasesee e.g.see, e.g., <xreftarget="Romailler2020"/>).</t> </list> </t>target="Romailler2020" format="default"/>)</li> </ul> <t>Where available, CSPRNGs should be preferred over regularPRNGsPRNGs, suchas e.g.as, e.g., POSIX random(3) implementations. In scenarios where a CSPRNG is not readily available, a security and privacy assessment of employing a regular PRNG should be performed, supporting the implementation decision.<list style="hanging"> <t hangText="NOTE:"> <vspace blankLines="0"/></t> <aside><t>NOTE: Please see <xreftarget="RFC4086"/>target="RFC4086" format="default"/> regarding randomness requirements for security. <xreftarget="Aumasson2018"/>,target="Aumasson2018" format="default"/>, <xreftarget="Press1992"/>,target="Press1992" format="default"/>, and <xreftarget="Knuth1983"/>,target="Knuth1983" format="default"/> discuss theoretical and practical aspects of randomnumbers generation,number generation and provide guidance on how to evaluatePRNGs.</t> </list> </t>PRNGs.</t></aside> <t>When employing a PRNG, many implementations "adapt" the length of its output with a modulo operator (e.g., C language's "%"), possibly changing the distribution of the output of the PRNG.</t> <t> For example, consider an implementation that employs the following code:<figure align="center"> <artwork align="center"><![CDATA[</t> <sourcecode type="c"><![CDATA[ id = random() % 50000;]]></artwork> <postamble></postamble> </figure>]]></sourcecode> <t> This example implementation means to obtain a transient numeric identifier in the range 0-49999. If random()produces e.g.produces, e.g., a pseudorandom number of 16 bits (with uniform distribution), the selected transient numeric identifier will have anon-uniformnonuniform distribution with the numbers in the range 0-15535 havingdouble-frequencydouble frequency than the numbers in the range 15536-49999.<list style="hanging"></t> <thangText="NOTE:"> <vspace blankLines="0"/>keepWithPrevious="true"/> <aside><t>NOTE: For example, in our samplecodecode, both an output of 10 and output of 50010 from the random() function will result in an'id'"id" value of 10.</t> </list></t></aside> <t> This effect is reduced if the PRNG produces an output that is much longer than the length implied by the modulo operation. We note that to preserve a uniform distribution, the rejection sampling technique <xreftarget="Romailler2020"/>target="Romailler2020" format="default"/> can be used. </t> <t> Use of algorithms other than PRNGs for generating identifiers of this category is discouraged. </t> </section> <sectiontitle="Categoryanchor="cat-2-vuln" numbered="true" toc="default"> <name>Category #2: Uniqueness(hard failure)" anchor="cat-2-vuln">(Hard Failure)</name> <t>As noted in <xreftarget="cat-2-alg"/>,target="cat-2-alg" format="default"/>, this category can employ the same algorithms as Category #4, since amonotonically-increasingmonotonically increasing sequence tends to minimize the transient numeric identifier reuse frequency. Therefore, the vulnerability analysis in <xreftarget="cat-4-vuln"/>target="cat-4-vuln" format="default"/> also applies to this category. </t> <t>Additionally, as noted in <xreftarget="cat-2-alg"/>,target="cat-2-alg" format="default"/>, some transient numeric identifiers of this category might be able to use the algorithms from <xreftarget="cat-1-alg"/>,target="cat-1-alg" format="default"/>, in which case the same considerations as in <xreftarget="cat-1-vuln"/>target="cat-1-vuln" format="default"/> would apply. </t> </section> <sectiontitle="Categoryanchor="cat-3-vuln" numbered="true" toc="default"> <name>Category #3: Uniqueness,stableStable withincontext (soft failure)" anchor="cat-3-vuln"> <!-- <t>There are three main vulnerabilities that may be associated with identifiers of this category: <list style="numbers"> <t>Use algorithms or sources that result in predictable identifiers</t> <t>Use cryptographically-weak hash functions, or inappropriate secret key sizes that allow for cryptanalysis</t> <t>Employing the same identifier across contexts in which stability is not required (overloading the numeric identifier)</t> </list> </t> -->Context (Soft Failure)</name> <t>Possible vulnerabilities associated with the algorithms from <xreftarget="cat-3-alg"/> are: <list style="numbers"> <t>Usetarget="cat-3-alg" format="default"/> are the following: </t> <ul spacing="normal"><li>Use of weakPRFs,PRFs or inappropriate secret keys (whether inappropriate selection or inappropriate size) could allow for cryptanalysis, which could eventually be exploited by an attacker to predict future transient numericidentifiers.</t> <t>Sinceidentifiers.</li> <li>Since the algorithm generates a unique and stable identifier within a specified context, it may allow for network activity correlation and fingerprinting within the specifiedcontext.</t> </list> </t>context.</li> </ul> </section> <sectiontitle="Categoryanchor="cat-4-vuln" numbered="true" toc="default"> <name>Category #4: Uniqueness,monotonically increasingMonotonically Increasing withincontext (hard failure)" anchor="cat-4-vuln">Context (Hard Failure)</name> <t>The algorithm described in <xreftarget="per-context-counter"/>target="per-context-counter" format="default"/> for generating identifiers of Category #4 will result in an identifiable pattern(i.e.(i.e., amonotonically-increasingmonotonically increasing sequence) for the transient numeric identifiers generated for each CONTEXT, and thus will allow for fingerprinting and network activity correlation within each CONTEXT. </t> <t>On the other hand, a simple way to generalize and analyze the algorithms described in Sections <xreftarget="simple-hash"/>target="simple-hash" format="counter"/> and <xreftarget="double-hash"/>target="double-hash" format="counter"/> for generating identifiers of Category#4,#4 is as follows:<figure> <artwork></t> <sourcecode type="c"><![CDATA[ /* Transient Numeric ID selection function */ id_range = max_id - min_id + 1; retry = id_range; id_inc = increment() % id_range; do { update_mono(CONTEXT, id_inc); next_id = min_id + (offset(CONTEXT) + \ mono(CONTEXT)) % id_range; if (suitable_id(next_id)) { return next_id; } retry = retry - id_inc; } while (retry > 0); return ERROR;</artwork> </figure> </t> <t> <list style="hanging">]]></sourcecode> <t>NOTE:</t> <thangText="NOTE:"> <vspace blankLines="0"/> increment()indent="3">increment() returns a small integer that is employed to generate amonotonically-increasingmonotonically increasing function. Most implementations employ a constant value for "increment()" (usually 1). The value returned by increment() must be much smaller than the value computed for "id_range". </t><t> update_mono(CONTEXT,<t indent="3">update_mono(CONTEXT, id_inc) increments the counter corresponding to CONTEXT by "id_inc". </t><t> mono(CONTEXT)<t indent="3">mono(CONTEXT) reads the counter corresponding to CONTEXT. </t></list> </t><t>Essentially, an identifier (next_id) is generated by adding amonotonically-increasingmonotonically increasing function (mono()) to an offset value, which is unknown to the attacker and stable for given context (CONTEXT).</t> <t>The following aspects of the algorithm should be considered:<list style="symbols"> <t>For</t> <ul spacing="normal"> <li>For the most part, it is the offset() function that results in identifiers that are unpredictable by an off-patch attacker. While the resulting sequence is known to bemonotonically-increasing,monotonically increasing, the use of a randomized offset value makes the resulting values unknown to theattacker.</t> <t>Theattacker.</li> <li>The most straightforward "stateless" implementation of offset() is with a PRF that takes the values that identify the context and a"secret_key"secret key (not shown in the figure above) as arguments.</t> <t></li> <li> One possible implementation of mono() would be to have mono() internally employ a single counter (as in the algorithm from <xreftarget="simple-hash"/>),target="simple-hash" format="default"/>) or map the increments for different contexts into a number of counters/buckets, such that the number of counters that need to be maintained in memory is reduced (as in thealgorithm from algorithm in <xref target="double-hash"/>). </t> <!-- <t> One possible implementation approach for mono() is to maintain per-context counters, initialized to random values (as the algorithm from <xref target="per-context-counter"/>). When a new identifier is to be selected, the corresponding counter is looked-up (based on the context) and incremented, to obtain a new transient numeric identifier. For example, the algorithm in <xref target="per-context-counter"/> could be such an implementation of mono(). Another possible implementation of mono() would be to have mono() internally employ a single counter (as in the algorithm from <xref target="simple-hash"/>), or map the increments for different contexts into a number of counters/buckets, such that the number of counters that need to be maintained in memory is reduced (as in the algorithm"Double-PRF Algorithm" fromalgorithm in<xreftarget="double-hash"/>). </t> --> <t>Intarget="double-hash" format="default"/>). </li> <li>In all cases, a monotonically increasing function is implemented by incrementing the previous value of a counter by increment() units. In the most trivial case, increment() could return the constant "1". But increment() could also be implemented to return small random integers such that the increments are unpredictable (seeAppendix A of<xreftarget="RFC7739"/>).target="random-increments"/> of this document). This represents a trade-off between the unpredictability of the resulting transient numericIDsidentifiers and the transient numericIDidentifier reuse frequency.</t> </list> </t></li> </ul> <t>Considering the generic algorithm illustrated above, we can identify the following possible vulnerabilities:<list style="symbols"> <t>Since</t> <ul spacing="normal"> <li>Since the algorithms for this category are similar to those of <xreftarget="cat-3-vuln"/>,target="cat-3-vuln" format="default"/>, with the addition of amonotonically-increasingmonotonically increasing function, all the issues discussed in <xreftarget="cat-3-vuln"/>target="cat-3-vuln" format="default"/> ("Category #3: Uniqueness,stableStable withincontext (soft failure)")Context (Soft Failure)") also apply to this case.</t> <t>mono()</li> <li>mono() can be correlated to the number of identifiers generated for a given context (CONTEXT). Thus, if mono() spans more than the necessary context, the "increments" could be leaked to other parties, thus disclosing information about the number of identifiers that have been generated by the algorithm for all contexts. Thisisinformation disclosure becomes more evident when an implementation employs a constant increment of 1. For example, an implementation where mono() is actually a single globalcounter,counter will unnecessarily leak information about the number of identifiers that have been generated by the algorithm (globally, for all contexts). <xreftarget="Fyodor2003"/> istarget="Fyodor2003" format="default"/> describes one example of how such information leakages can be exploited. We note that limiting the span of theincrementsincrement space will require a larger number of counters to be stored in memory (i.e., a larger value for the TABLE_LENGTH parameter of the algorithm in <xreftarget="double-hash"/>). </t> <t>Transienttarget="double-hash" format="default"/>). </li> <li>Transient numeric identifiers generated with the algorithms described in Sections <xreftarget="simple-hash"/>target="simple-hash" format="counter"/> and <xreftarget="double-hash"/>target="double-hash" format="counter"/> will normally allow for fingerprinting within CONTEXT since, for such context, the resulting identifiers will have an identifiable pattern(i.e.(i.e., amonotonically-increasingmonotonically increasing sequence).</t> </list> </t></li> </ul> </section> </section> <sectiontitle="IANA Considerations" anchor="iana-considerations">anchor="iana-considerations" numbered="true" toc="default"> <name>IANA Considerations</name> <t>This document has no IANA actions.</t> </section> <sectiontitle="Security Considerations"> <t>Thenumbered="true" toc="default"> <name>Security Considerations</name> <t>This entire document is about the security and privacy implications of transient numeric identifiers. <xreftarget="I-D.gont-numeric-ids-sec-considerations"/>target="RFC9416" format="default"/> recommends that protocol specifications specify the interoperability requirements of their transient numeric identifiers, perform a vulnerability assessment of their transient numeric identifiers, andsuggestrecommend an algorithm for generating each of their transient numeric identifiers. This document analyzes possible algorithms (and their implications) that could be employed to comply with the interoperabilitypropertiesrequirements of the most common categories of transient numericidentifiers,identifiers while minimizing the associated negative security and privacy implications.</t> </section><section title="Acknowledgements"> <t>The authors would like to thank (in alphabetical order) Bernard Aboba, Jean-Philippe Aumasson, Steven Bellovin, Luis Leon Cardenas Graide, Spencer Dawkins, Theo de Raadt, Guillermo Gont, Joseph Lorenzo Hall, Gre Norcie, Colin Perkins, Vincent Roca, Shivan Sahib, Rich Salz, Martin Thomson, and Michael Tuexen, for providing valuable comments on earlier versions of this document.</t> <t>The authors would like to thank Shivan Sahib and Christopher Wood, for their guidance during the publication process of this document.</t> <t>The authors would like to thank Jean-Philippe Aumasson and Mathew D. Green (John Hopkins University) for kindly answering a number of questions.</t> <t>The authors would like to thank Diego Armando Maradona for his magic and inspiration.</t> </section></middle> <back><references title='Normative References'> <!-- <?rfc include="reference.RFC.2119" ?> <?rfc include="reference.RFC.8174" ?> --> <!-- TCP sequence numbers --> <?rfc include="reference.RFC.0793" ?> <?rfc include="reference.RFC.6528" ?> <!-- TCP SEQ randomization --> <!-- Port Randomization --> <?rfc include="reference.RFC.6056" ?> <!-- TCP-AO --> <?rfc include="reference.RFC.5925" ?> <!-- IPv4 --> <?rfc include="reference.RFC.0791" ?> <!-- IPv6 --> <?rfc include="reference.RFC.2460" ?> <?rfc include="reference.RFC.8200" ?> <?rfc include="reference.RFC.4086" ?> <?rfc include="reference.RFC.4291" ?> <?rfc include="reference.RFC.8981" ?> <?rfc include="reference.RFC.4862" ?> <?rfc include="reference.RFC.5722" ?> <?rfc include="reference.RFC.7217" ?> <?rfc include="reference.RFC.8064" ?> <!-- IPv6 Flow Label --> <?rfc include="reference.RFC.6437" ?> <!-- TCP timestamps --> <?rfc include="reference.RFC.6191" ?> <?rfc include="reference.RFC.7323" ?> <!-- MD5 --> <?rfc include="reference.RFC.1321" ?> <?rfc include="reference.RFC.6151" ?> <!-- DNS --> <?rfc include="reference.RFC.1035" ?><references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.0793.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6528.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6056.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5925.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.0791.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2460.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8200.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4291.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8981.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4862.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5722.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7217.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8064.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6437.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6191.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7323.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1321.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6151.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5905.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9293.xml"/> </references><references title='Informative References'> <!-- Timing attacks --> <!-- <reference anchor="Mayer2014" target="https://www.blackhat.com/docs/us-14/materials/us-14-Mayer-Time-Trial-Racing-Towards-Practical-Timing-Attacks-WP.pdf"> <front> <title>Time Trial: Racing Towards Practical Remote Timing Attacks</title> <author initials="D." surname="Mayer" fullname="Daniel Mayer"> <organization>Matasano</organization> </author> <author initials="J." surname="Sandin" fullname="Joel Sandin"> <organization>Matasano</organization> </author> <date year="2014"/> </front> <seriesInfo name="BlackHat USA 2014 Conference," value="August 6-7"/> </reference> --> <!-- <reference anchor="Crosby2009" target="https://www.cs.rice.edu/~dwallach/pub/crosby-timing2009.pdf"> <front> <title>Opportunities and Limits of Remote Timing Attacks</title> <author initials="S. A." surname="Crosby" fullname="Scott A. Crosby"> <organization>Rice University</organization> </author> <author initials="D. S." surname="Wallach" fullname="Dan S. Wallach"> <organization>Rice University</organization> </author> <author initials="R. H." surname="Riedi" fullname="Rudolf H. Riedi"> <organization>Rice University</organization> </author> <date year="2009"/> </front> <seriesInfo name="ACM Trans. Inf. Syst. Secur. 12, 3, " value="Article 17 "/> </reference> --><references> <name>Informative References</name> <reference anchor="KASLR" target="https://pax.grsecurity.net/docs/aslr.txt"> <front> <title>Address Space Layout Randomization</title><author initials="" surname="PaX Team" fullname="The Pax Team"> <organization></organization><author> <organization>PaX Team</organization> </author><date/></front><!-- <seriesInfo name="" value="Federal Information Processing Standards Publication 180-4"/> --></reference> <reference anchor="IANA-PROT" target="https://www.iana.org/protocols"> <front> <title>Protocol Registries</title><author initials="" surname="IANA" fullname="IANA"> <organization></organization><author> <organization>IANA</organization> </author><date/></front><!-- <seriesInfo name="" value="Federal Information Processing Standards Publication 180-4"/> --></reference><!-- Fingerprinting --> <?rfc include="reference.RFC.6973" ?><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6973.xml"/> <reference anchor="Fyodor1998" target="http://www.phrack.org/archives/issues/54/9.txt"> <front> <title>Remote OSDetectiondetection via TCP/IP StackFingerprinting</title> <author initials="" surname="Fyodor" fullname="Fyodor"> <organization></organization>FingerPrinting</title> <author> <organization>Fyodor</organization> </author> <dateyear="1998"/>year="1998" month="December"/> </front><seriesInfo name="" value="Phrack<refcontent>Phrack Magazine, Volume9,8, Issue54"/>54</refcontent> </reference> <reference anchor="Fyodor2006" target="https://nmap.org/book/osdetect.html"> <front> <title>Chapter 8. Remote OS Detection</title> <author initials="G." surname="Lyon" fullname="Gordon Lyon"><organization></organization><organization/> </author> <dateyear="2006"/>year="2009" month="January"/> </front> </reference> <reference anchor="nmap"target="https://www.insecure.org/nmap">target="https://nmap.org/"> <front> <title>Nmap: Free Security Scanner For Network Exploration and Audit</title> <author> <organization>nmap</organization> </author> <date year="2020"/> </front> </reference> <reference anchor="EFF" target="https://coveryourtracks.eff.org/"> <front> <title>Cover your tracks: See how trackers view your browser</title><author initials="" surname="EFF" fullname="EFF"> <organization></organization><author> <organization>EFF</organization> </author><date year="2020"/></front> </reference> <reference anchor="Schuba1993" target="http://ftp.cerias.purdue.edu/pub/papers/christoph-schuba/schuba-DNS-msthesis.pdf"> <front><title>ADDRESSING WEAKNESSES IN THE DOMAIN NAME SYSTEM PROTOCOL</title><title>Addressing Weakness in the Domain Name System Protocol</title> <author initials="C." surname="Schuba" fullname="Christoph Schuba"><organization></organization><organization/> </author> <dateyear="1993"/>year="1993" month="August"/> </front> </reference> <reference anchor="TBIT" target="https://www.icir.org/tbit/"> <front> <title>TBIT, the TCP Behavior Inference Tool</title><author initials="" surname="TBIT" fullname="TBIT"> <organization></organization><author> <organization>TBIT</organization> </author> <date year="2001"/> </front> </reference> <reference anchor="C11"> <front> <title>Information technology - Programming languages - C</title><author initials="" surname="ISO/IEC" fullname="ISO/IEC"> <organization></organization><author> <organization>ISO/IEC</organization> </author> <dateyear="2011"/>year="2018" month="June"/> </front> <seriesInfoname="" value="ISO/IEC 9899:2011"/>name="ISO/IEC" value="9899:2018"/> </reference> <reference anchor="POSIX"> <front> <title>IEEE Standard for Information Technology -- Portable Operating System Interface(POSIX)</title> <author initials="" surname="IEEE" fullname="IEEE"> <organization></organization>(POSIX(TM)) Base Specifications, Issue 7</title> <author> <organization>IEEE</organization> </author> <dateyear="2017"/>year="2018" month="January"/> </front> <seriesInfoname="" value="IEEE Std 1003.1-2017"/>name="IEEE Std" value="1003.1-2017"/> <seriesInfo name="DOI" value="10.1109/IEEESTD.2018.8277153"/> </reference> <reference anchor="ARC4RANDOM" target="https://man.openbsd.org/arc4random"> <front> <title>arc4random(3)</title><author initials="" surname="OpenBSD" fullname="OpenBSD"> <organization></organization><author> <organization>OpenBSD</organization> </author> <dateyear="Library Functions Manual, 2022"/>month="September" year="2019"/> </front> <refcontent>Library Functions Manual</refcontent> </reference> <reference anchor="GETENTROPY" target="https://man7.org/linux/man-pages/man3/getentropy.3.html"> <front> <title>getentropy(3)</title><author initials="" surname="Linux" fullname="Linux"> <organization></organization><author> <organization>Linux</organization> </author> <dateyear="Linux Programmer's Manual, 2022"/>month="March" year="2021"/> </front> <refcontent>Linux Programmer's Manual</refcontent> </reference> <reference anchor="CVEs" target="https://www.gont.com.ar/miscellanea/prng-cves/"> <front> <title>Vulnerability Advisories forPseudo Random Number Generators</title> <author initials="" surname="NVD" fullname="NVD"> <organization></organization>PRNGs</title> <author> <organization>NVD</organization> </author><date year="2022"/></front> </reference> <reference anchor="Zalewski2012" target="https://lcamtuf.coredump.cx/p0f.shtml"> <front> <title>p0f v3(version 3.09b)</title>(3.09b)</title> <author initials="M." surname="Zalewski"fullname="M.fullname="Michal Zalewski"><organization></organization><organization/> </author><date year="2012"/></front> </reference><!-- HMAC --> <?rfc include="reference.RFC.2104" ?> <!-- md5 --> <!-- <?rfc include="reference.RFC.6151" ?> --> <!-- flow label --> <?rfc include="reference.RFC.7098" ?> <!-- MD5 <?rfc include="reference.RFC.1321" ?> --> <!-- Pervasive Monitoring --> <?rfc include="reference.RFC.7258" ?> <!-- TCP ISNs --> <!-- <?rfc include="reference.RFC.1948" ?> --><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2104.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7098.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml"/> <reference anchor="CPNI-TCP"target="https://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf">target="https://www.si6networks.com/files/publications/tn-03-09-security-assessment-TCP.pdf"> <front> <title>Security Assessment of the Transmission Control Protocol (TCP)</title><author initials="F." surname="Gont" fullname= "Fernando Gont"> <organization></organization> </author> <date year="2009"/> </front> <seriesInfo name="" value="United Kingdom's Centre<author> <organization>Centre for the Protection of National Infrastructure(CPNI)(CPNI)</organization> </author> <date month="February" year="2009"/> </front> <seriesInfo name="CPNI TechnicalReport"/>Note" value="3/2009"/> </reference> <reference anchor="Zalewski2001" target="https://lcamtuf.coredump.cx/oldtcp/tcpseq.html"> <front> <title>Strange Attractors and TCP/IP Sequence Number Analysis</title> <author initials="M." surname="Zalewski"fullname="M.fullname="Michal Zalewski"><organization></organization><organization/> </author> <dateyear="2001"/>year="2001" month="April"/> </front> </reference> <reference anchor="Zalewski2002" target="https://lcamtuf.coredump.cx/newtcp/"> <front> <title>Strange Attractors and TCP/IP Sequence Number Analysis - One YearLater</title>Later (2002)</title> <author initials="M." surname="Zalewski"fullname="M.fullname="Michal Zalewski"><organization></organization><organization/> </author><date year="2001"/></front> </reference><!-- <reference anchor="Bellovin1989" target="https://www.cs.columbia.edu/~smb/papers/ipext.pdf"> <front> <title>Security Problems in the TCP/IP Protocol Suite</title> <author initials="S." surname="Bellovin" fullname="Bellovin"> <organization></organization> </author> <date year="Computer Communications Review, vol. 19, no. 2, pp. 32-48, 1989"/> </front> </reference> --><reference anchor="Joncheray1995" target="https://www.usenix.org/legacy/publications/library/proceedings/security95/full_papers/joncheray.pdf"> <front><title>A Simple<title>Simple Active Attack Against TCP</title> <author initials="L." surname="Joncheray"fullname="L.fullname="Laurent Joncheray"><organization></organization><organization/> </author> <dateyear="Proc.year="1995" month="June"/> </front> <refcontent>Proceedings of the FifthUsenixUSENIX UNIX SecuritySymposium, 1995"/> </front>Symposium</refcontent> </reference> <reference anchor="Morris1985" target="https://pdos.csail.mit.edu/~rtm/papers/117.pdf"> <front> <title>A Weakness in the 4.2BSD UNIX TCP/IP Software</title> <author initials="R." surname="Morris" fullname="Robert T. Morris"><organization></organization><organization/> </author> <dateyear="1985"/>year="1985" month="February"/> </front><seriesInfo name="CSTR 117," value="AT&T<refcontent>CSTR 117, AT&T Bell Laboratories, Murray Hill,NJ"/>NJ</refcontent> </reference><!-- <reference anchor="USCERT2001" target="https://www.kb.cert.org/vuls/id/498440"> <front> <title>US-CERT Vulnerability Note VU#498440: Multiple TCP/IP implementations may use statistically predictable initial sequence numbers </title> <author initials="" surname="US-CERT" fullname= "US-CERT"> <organization></organization> </author> <date year="2001"/> </front> </reference> --> <!-- <reference anchor="CERT2001" target="https://www.cert.org/advisories/CA-2001-09.html"> <front> <title>CERT Advisory CA-2001-09: Statistical Weaknesses in TCP/IP Initial Sequence Numbers </title> <author initials="" surname="CERT" fullname= "CERT"> <organization></organization> </author> <date year="2001"/> </front> </reference> --><reference anchor="Shimomura1995"target="https://www.gont.com.ar/docs/post-shimomura-usenet.txt">target="https://www.gont.com.ar/files/post-shimomura-usenet.txt"> <front> <title>Technical details of the attack described by Markoff in NYT</title> <author initials="T." surname="Shimomura"fullname= "Tsutomufullname="Tsutomu Shimomura"><organization></organization><organization/> </author> <dateyear="1995"/>day="25" year="1995" month="January"/> </front><seriesInfo name="Message posted in USENET's<refcontent>message to the USENET comp.security.miscnewsgroup" value=" Message-ID: <3g5gkl$5j1@ariel.sdsc.edu>"/>newsgroup</refcontent> </reference><!-- ICMP attacks --> <?rfc include="reference.RFC.5927" ?> <!-- TCP based attacks --> <?rfc include="reference.RFC.4953" ?> <!-- TLS --> <?rfc include="reference.RFC.8446" ?> <!-- SEND --> <?rfc include="reference.RFC.3971" ?> <!-- Frag con ND --> <?rfc include="reference.RFC.6980" ?> <!-- IPv6 Flow Label --> <!-- <?rfc include="reference.I-D.gont-6man-flowlabel-security" ?> --> <!-- Fragment ID --> <!-- <?rfc include="reference.I-D.ietf-6man-predictable-fragment-id" ?> --> <?rfc include="reference.RFC.7739" ?> <?rfc include="reference.RFC.4963" ?> <!-- IPv4 Reassembly Errors at High Data Rates --> <!-- IPv4 Security Assessment --> <?rfc include="reference.RFC.6274" ?><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5927.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4953.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3971.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6980.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7739.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4963.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6274.xml"/> <reference anchor="Press1992"> <front> <title>Numerical Recipes in C: The Art of Scientific Computing</title> <authorinitials="W. H."initials="W." surname="Press" fullname="William H. Press"><organization></organization><organization/> </author> <authorinitials="S. A."initials="S." surname="Teukolsky" fullname="Saul A. Teukolsky"><organization></organization><organization/> </author> <authorinitials="W. T."initials="W." surname="Vetterling" fullname="William T. Vetterling"><organization></organization><organization/> </author> <authorinitials="B. P."initials="B." surname="Flannery" fullname="Brian P. Flannery"><organization></organization><organization/> </author> <dateyear="2nd ed. ISBN 0-521-43108-5.month="December" year="1992"/> </front> <seriesInfo name="ISBN" value="0-521-43108-5"/> <refcontent>2nd Ed., Cambridge UniversityPress, 1992"/> </front>Press</refcontent> </reference> <reference anchor="Romailler2020" target="https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/"> <front><title>THE DEFINITIVE GUIDE TO "MODULO BIAS AND HOW TO AVOID IT"!</title><title>The Definitive Guide to "Modulo Bias and How to Avoid It"!</title> <author initials="Y." surname="Romailler" fullname="Yolan Romailler"><organization></organization><organization/> </author> <dateyear="Kudelski Security Research, 2020"/>month="July" year="2020"/> </front> <refcontent>Kudelski Security Research</refcontent> </reference> <reference anchor="Aumasson2018"> <front> <title>Serious Cryptography: A Practical Introduction to Modern Encryption</title> <authorinitials="J.P."initials="J-P." surname="Aumasson" fullname="Jean-Philippe Aumasson"><organization></organization><organization/> </author> <dateyear="ISBN-10: 1-59327-826-8, Nomonth="November" year="2017"/> </front> <seriesInfo name="ISBN-10" value="1-59327-826-8"/> <refcontent>No Starch Press,Inc., 2018"/> </front>Inc.</refcontent> </reference> <reference anchor="Knuth1983"> <front> <title>The Art of Computer Programming</title> <author initials="D." surname="Knuth" fullname="Donald Knuth"><organization></organization><organization/> </author> <dateyear="volumeyear="1981" month="January"/> </front> <refcontent>Volume 2 (Seminumerical Algorithms), 2nded.Ed., Reading,Massachusetts:Massachusetts, Addison-Wesley PublishingCompany, 1981"/> </front>Company</refcontent> </reference> <reference anchor="Bellovin1989" target="https://www.cs.columbia.edu/~smb/papers/ipext.pdf"> <front> <title>Security Problems in the TCP/IP Protocol Suite</title> <author initials="S." surname="Bellovin"fullname="Bellovin"> <organization></organization>fullname="Steven M. Bellovin"> <organization/> </author> <dateyear="Computermonth="April" year="1989"/> </front> <refcontent>Computer Communications Review,vol.Vol. 19,no.No. 2, pp.32-48, 1989"/> </front>32-48</refcontent> </reference> <reference anchor="Bellovin2002" target="https://www.cs.columbia.edu/~smb/papers/fnat.pdf"> <front> <title>A Technique for Counting NATted Hosts</title> <authorinitials="S. M."initials="S." surname="Bellovin"fullname= "Bellovin, S. M."> <organization></organization>fullname="Steven M. Bellovin"> <organization/> </author> <dateyear="2002"/>year="2002" month="November"/> </front> <seriesInfoname="IMW'02" value="Nov. 6-8, 2002,name="ISBN" value="1-58113-603-X/02/0011"/> <refcontent>IMW'02, Marseille,France"/>France</refcontent> </reference> <reference anchor="Fyodor2003" target="https://nmap.org/presentations/CanSecWest03/CD_Content/idlescan_paper/idlescan.html"> <front> <title>IdlescanningScanning and relatedIP IDIPID games</title><author initials="" surname="Fyodor" fullname= "Fyodor"> <organization></organization><author> <organization>Fyodor</organization> </author> <date year="2003"/> </front> </reference> <reference anchor="Sanfilippo1998a" target="http://seclists.org/bugtraq/1998/Dec/48"> <front> <title>about the ip header id</title> <author initials="S." surname="Sanfilippo"fullname="S.fullname="Salvatore Sanfilippo"><organization></organization><organization/> </author><date/><date month="December" year="1998"/> </front><seriesInfo name="Post<refcontent>message to the Bugtraqmailing-list," value="Mon Dec 14 1998" />mailing list</refcontent> </reference> <reference anchor="Sanfilippo1998b"target="https://github.com/antirez/hping/raw/master/docs/SPOOFED_SCAN.txt">target="https://seclists.org/bugtraq/1998/Dec/79"> <front><title>Idle scan</title><title>new tcp scan method</title> <author initials="S." surname="Sanfilippo"fullname="S.fullname="Salvatore Sanfilippo"><organization></organization><organization/> </author> <dateyear="1998"/>year="1998" month="December" day="18"/> </front><seriesInfo name="Post<refcontent>message toBugtraq" value="mailing-list" />the Bugtraq mailing list</refcontent> </reference> <reference anchor="Sanfilippo1999" target="https://github.com/antirez/hping/raw/master/docs/MORE-FUN-WITH-IPID"> <front> <title>more ip id</title> <author initials="S." surname="Sanfilippo"fullname="S.fullname="Salvatore Sanfilippo"><organization></organization><organization/> </author> <dateyear="1999"/>year="1999" month="November"/> </front><seriesInfo name="Post<refcontent>message toBugtraq" value="mailing-list" />the Bugtraq mailing list</refcontent> </reference> <reference anchor="Silbersack2005"target="https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.91.4542&rep=rep1&type=pdf">target="https://www.silby.com/eurobsdcon05/eurobsdcon_silbersack.pdf"> <front> <title>Improving TCP/IP security through randomization without sacrificing interoperability</title> <authorinitials="M.J."initials="M." surname="Silbersack" fullname="Michael James Silbersack"> <organization>The FreeBSD Project</organization> </author><date year="2005"/> </front> <seriesInfo name="EuroBSDCon 2005" value="Conference"/> </reference> <!-- <reference anchor="Zalewski2003" target="http://lcamtuf.coredump.cx/ipfrag.txt"> <front> <title>A new TCP/IP blind data injection technique?</title> <author initials="M." surname="Zalewski" fullname="M. Zalewski"> <organization></organization> </author> <date year="2003"/></front> <refcontent>EuroBSDCon 2005 Conference</refcontent> </reference>--><reference anchor="Klein2007" target="https://dl.packetstormsecurity.net/papers/attack/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf"> <front> <title>OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability</title> <author initials="A." surname="Klein" fullname="Amit Klein"><organization></organization><organization/> </author> <date month="November" year="2007"/> </front> </reference> <reference anchor="IPID-DEV" target="https://arxiv.org/pdf/1906.10478.pdf"> <front> <title>From IP ID to Device ID and KASLR Bypass (Extended Version)</title> <author initials="A." surname="Klein" fullname="Amit Klein"><organization></organization><organization/> </author> <author initials="B." surname="Pinkas" fullname="Benny Pinkas"><organization></organization><organization/> </author> <date year="2019"month="June"/>month="October"/> </front><!--<seriesInfoname="Journal of Research of the National Institute of Standards and Technology" value="Volume 121" /> -->name="DOI" value="10.48550/arXiv.1906.10478"/> </reference><!--<referenceanchor="Gont2011">anchor='RFC9414' target='https://www.rfc-editor.org/info/rfc9414'> <front><title>Hacking IPv6 Networks (training course)</title><title>Unfortunate History of Transient Numeric Identifiers</title> <authorinitials="F." surname="Gont" fullname="Fernando Gont"> <organization></organization>initials='F' surname='Gont' fullname='Fernando Gont'> <organization /> </author> <author initials='I' surname='Arce' fullname='Ivan Arce'> <organization /> </author> <datemonth="June" year="2011"/>year='2023' month='July'/> </front> <seriesInfoname="Hack In Paris 2011 Conference" value="Paris, France"/>name="RFC" value="9414"/> <seriesInfo name="DOI" value="10.17487/RFC9414"/> </reference>--> <!--<referenceanchor="Gont2012">anchor='RFC9416' target='https://www.rfc-editor.org/info/rfc9416'> <front><title>Recent Advances<title>Security Considerations for Transient Numeric Identifiers Employed inIPv6 Security</title>Network Protocols</title> <authorinitials="F." surname="Gont" fullname="Fernando Gont"> <organization></organization>initials='F' surname='Gont' fullname='Fernando Gont'> <organization /> </author> <author initials='I' surname='Arce' fullname='Ivan Arce'> <organization /> </author> <datemonth="May" year="2012"/>year='2023' month='July'/> </front> <seriesInfoname="BSDCan 2012 Conference" value="Ottawa, Canada. May 11-12, 2012"/>name="BCP" value="72"/> <seriesInfo name="RFC" value="9416"/> <seriesInfo name="DOI" value="10.17487/RFC9416"/> </reference>--> <!-- IPv6 addresses --> <?rfc include="reference.I-D.irtf-pearg-numeric-ids-history" ?> <?rfc include="reference.I-D.gont-numeric-ids-sec-considerations" ?> <!-- <?rfc include="reference.I-D.ietf-6man-default-iids" ?> --> <?rfc include="reference.RFC.7721" ?> <?rfc include="reference.RFC.7707" ?> <!-- CSPRNG --> <?rfc include="reference.RFC.8937" ?><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7721.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7707.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8937.xml"/> <reference anchor="TCPT-uptime"target="https://securiteam.com/securitynews/5np0c153pi/">target="https://seclists.org/bugtraq/2001/Mar/182"> <front> <title>TCP Timestamping - Obtaining System Uptime Remotely</title> <author initials="B." surname="McDanel"fullname="B.fullname="Bret McDanel"> <organization>Securiteam</organization> </author> <date month="March"day="14"year="2001"/> </front> <refcontent>message to the Bugtraq mailing list</refcontent> </reference><!-- SipHash OLD <reference anchor="SipHash" target="https://www.aumasson.jp/siphash/siphash.pdf"> <front> <title>SipHash: a fast short-input PRF</title> <author initials="J. P." surname="Aumasson" fullname="Jean-Philippe Aumasson"> <organization>NAGRA</organization> </author> <author initials="D. J." surname="Bernstein" fullname="Daniel J. Bernstein"> <organization>University of Illinois at Chicago</organization> </author> <date year="2012"/> </front> <seriesInfo name="" value="Indocrypt 2012. 13th International Conference on Cryptology. December 9-12, 2012"/> </reference> --><reference anchor="SipHash" target="https://github.com/veorq/SipHash"> <front> <title>SipHash: a fast short-input PRF</title><author initials="J. P." surname="Aumasson" fullname="Jean-Philippe Aumasson"> <organization>NAGRA</organization> </author> <author initials="D. J." surname="Bernstein" fullname="Daniel J. Bernstein"> <organization>University of Illinois at Chicago</organization><author> <organization/> </author> <dateyear="2012"/>year="2023" month="February"/> </front> </reference> <reference anchor="BLAKE3" target="https://blake3.io/"> <front> <title>BLAKE3: one function, fast everywhere</title><author initials="J." surname="O'Connor" fullname="Jack O'Connor"> <organization></organization> </author> <author initials="J. P." surname="Aumasson" fullname="Jean-Philippe Aumasson"> <organization>NAGRA</organization> </author> <author initials="S." surname="Neves" fullname="Samuel Neves"> <organization></organization> </author> <author initials="Z." surname="Wilcox-O'Hearn" fullname="Zooko Wilcox-O'Hearn"> <organization></organization><author> <organization/> </author> <dateyear="2020"/>year="2022" month="September"/> </front> </reference> <reference anchor="FIPS-SHS" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf"> <front> <title>Secure Hash Standard (SHS)</title> <author> <organization>NIST</organization> </author> <date month="August" year="2015"/> </front> <seriesInfoname="" value="Federal Information Processing Standards Publication 180-4"/> </reference> <!-- Deprecate SHA-1 --> <?rfc include="reference.RFC.6194" ?> <!-- <reference anchor="FIPS-HMAC" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.198-1.pdf"> <front> <title>The Keyed-Hash Message Authentication Code (HMAC))</title> <author> <organization>NIST</organization> </author> <date month="July" year="2008"/> </front>name="FIPS PUB" value="180-4"/> <seriesInfoname="" value="Federal Information Processing Standards Publication 198-1"/>name="DOI" value="10.6028/NIST.FIPS.180-4"/> </reference>--><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml"/> </references> </references> <sectiontitle="Algorithmsanchor="fawed-algorithms" numbered="true" toc="default"> <name>Algorithms and Techniques with KnownIssues" anchor="fawed-algorithms">Issues</name> <t>The following subsections discuss algorithms and techniques with known negative security and privacy implications.<list style="hanging"> <t hangText="NOTE:"> <vspace blankLines="0"/></t> <aside><t>NOTE: As discussed in <xreftarget="intro"/>,target="intro" format="default"/>, the use of cryptographic techniques might allow for the safe use of some of these algorithms and techniques. However, this should be evaluated on acase by casecase-by-case basis.</t> </list> </t></t></aside> <sectiontitle="Predictableanchor="trad_selection" numbered="true" toc="default"> <name>Predictable Linear IdentifiersAlgorithm" anchor="trad_selection">Algorithm</name> <t>One of the most trivial ways to achieve uniqueness with a low identifier reuse frequency is to produce a linear sequence. This type of algorithm has been employed in the past to generate identifiers of Categories #1, #2, and #4 (please see <xreftarget="categorizing"/>target="categorizing" format="default"/> for an analysis of these categories).<!-- This obviously assumes that each identifier will be used for a similar period of time.--></t></t> <t> For example, the following algorithm has been employed(see e.g.(see, e.g., <xreftarget="Morris1985"/>,target="Morris1985" format="default"/>, <xreftarget="Shimomura1995"/>,target="Shimomura1995" format="default"/>, <xreftarget="Silbersack2005"/>target="Silbersack2005" format="default"/>, and <xreftarget="CPNI-TCP"/>)target="CPNI-TCP" format="default"/>) in a number of operating systems for selecting IPfragmentIDs, TCP ephemeralports,port numbers, etc.:</t><t> <figure> <artwork><sourcecode type="c"><![CDATA[ /* Initialization code */ next_id = min_id; id_inc= 1; /* Transient Numeric ID selection function */ id_range = max_id - min_id + 1; retry = id_range; do { if (next_id == max_id) { next_id = min_id; } else { next_id = next_id + id_inc; } if (suitable_id(next_id)) { return next_id; } retry--; } while (retry > 0); return ERROR;</artwork> </figure> </t> <t> <list style="hanging">]]></sourcecode> <t>NOTE:</t> <thangText="NOTE:"> <vspace blankLines="0"/> suitable_id() is a function thatindent="3">suitable_id() checks whetherthe resultinga candidate numeric identifier isacceptablesuitable (e.g., whetherit's in use, etc.). </t> </list>it is unique or not). </t> <t>For obvious reasons, this algorithm results in predictable sequences. Since a global counter is used to generate the transient numeric identifiers ("next_id" in the example above), an entity that learns one numeric identifier can infer past numeric identifiers and predict future values to be generated by the same algorithm. Since the value employed for the increments is known (such as "1" in this case), an attacker can sample twovalues,values and learn the number of identifiers thathave beenwere generatedin-betweenin between the two sampled values. Furthermore, if the counter isinitialized e.g. when the system its bootstrappedinitialized, to some knownvalue,value (e.g., when the system is bootstrapped), the algorithm will leak additional information, such as the number of transmitted fragmented datagrams in the case of an IP ID generator <xreftarget="Sanfilippo1998a"/>,target="Sanfilippo1998a" format="default"/> or the system uptime in the case of TCP timestamps <xreftarget="TCPT-uptime"/>.target="TCPT-uptime" format="default"/>. </t> </section> <sectiontitle="Random-Increments Algorithm" anchor="random-increments">anchor="random-increments" numbered="true" toc="default"> <name>Random-Increments Algorithm</name> <t>This algorithm offers a middle ground between the algorithms that generate randomized transient numeric identifiers (such as those described in Sections <xreftarget="simple-randomization"/>target="simple-randomization" format="counter"/> and <xreftarget="simple-randomization2"/>),target="simple-randomization2" format="counter"/>) and those that generate identifiers with a predictablemonotonically-increasingmonotonically increasing function (see <xreftarget="trad_selection"/>).target="trad_selection" format="default"/>). </t><t> <figure> <artwork><sourcecode type="c"><![CDATA[ /* Initialization code */ next_id = random(); /* Initialization value */ id_rinc = 500; /* Determines the trade-off */ /* Transient Numeric ID selection function */ id_range = max_id - min_id + 1; retry = id_range; do { /* Random increment */ id_inc = (random() % id_rinc) + 1; if ( (max_id - next_id) >= id_inc){ next_id = next_id + id_inc; } else { next_id = min_id + id_inc - (max_id - next_id); } if (suitable_id(next_id)) { return next_id; } retry = retry - id_inc; } while (retry > 0); return ERROR;</artwork> </figure>]]></sourcecode> <t>NOTE:</t> <t indent="3">random() is a PRNG that returns a pseudorandom unsigned integer number of appropriate size. Beware that "adapting" the length of the output of random() with a modulo operator (e.g., C language's "%") may change the distribution of the PRNG. To preserve a uniform distribution, the rejection sampling technique <xref target="Romailler2020" format="default"/> can be used.</t> <t indent="3">suitable_id() is a function that checks whether a candidate identifier is suitable (e.g., whether it is unique or not). </t> <t> This algorithm aims at producing a globalmonotonically-increasingmonotonically increasing sequence of transient numericidentifiers,identifiers while avoiding the use of fixed increments, which would lead to trivially predictable sequences. The value"id_inc""id_rinc" allows for direct control of the trade-off between unpredictability and identifier reuse frequency. The smaller the value of"id_inc","id_rinc", the more similar this algorithm is to a predicable, global linearIDidentifier generation algorithm (as the one in <xreftarget="trad_selection"/>).target="trad_selection" format="default"/>). The larger the value of"id_inc","id_rinc", the more similar this algorithm is to the algorithm described in <xreftarget="simple-randomization"/>target="simple-randomization" format="default"/> of this document.</t> <t> When the identifiers wrap, there is a risk of collisions of transient numeric identifiers (i.e., identifier reuse). Therefore,"id_inc""id_rinc" should be selected according to the following criteria: </t><t> <list style="symbols"> <t>It<ul spacing="normal"> <li>It should maximize the wrapping time of the identifierspace.</t> <t>Itspace.</li> <li>It should minimize identifier reusefrequency.</t> <t>Itfrequency.</li> <li>It should maximizeunpredictability.</t> </list> </t>unpredictability.</li> </ul> <t> Clearly, these are competing goals, and the decision of which value of"id_inc""id_rinc" to use is a trade-off. Therefore, the value of"id_inc""id_rinc" is at times a configurable parameter so that system administrators can make the trade-off for themselves. We note that the alternative algorithms discussed throughout this document offer better interoperability,securitysecurity, and privacy properties than this algorithm, andhencehence, implementation of this algorithm is discouraged. </t> </section> <sectiontitle="Re-usinganchor="reuse-across-context" numbered="true" toc="default"> <name>Reusing Identifiers Across DifferentContexts" anchor="reuse-across-context">Contexts</name> <t>Employing the same identifier across contexts in which stability is not required(i.e.(i.e., overloading the semantics of transient numericidentifier)identifiers) usually has negative security and privacy implications.</t> <t>For example, in order to generate transient numeric identifiers of Category #2 orCategory#3, an implementation or specification might be tempted to employ a source for the numeric identifierswhichthat is known to provide uniquevalues,values but that may also be predictable or leak information related to the entity generating the identifier. This technique has been employed in the pastfor e.g.for, e.g., generating IPv6 IIDs byre-usingreusing the MAC address of the underlying networkinterface.interface card. However, as noted in <xreftarget="RFC7721"/>target="RFC7721" format="default"/> and <xreftarget="RFC7707"/>,target="RFC7707" format="default"/>, embedding link-layer addresses in IPv6 IIDs not only results in predictablevalues,values but also leaks information about the manufacturer of the underlying network interface card, allows for network activity correlation, and makes address-based scanning attacks feasible. </t> </section> </section> <section numbered="false" toc="default"> <name>Acknowledgements</name> <t>The authors would like to thank (in alphabetical order) <contact fullname="Bernard Aboba"/>, <contact fullname="Jean-Philippe Aumasson"/>, <contact fullname="Steven Bellovin"/>, <contact fullname="Luis León Cárdenas Graide"/>, <contact fullname="Spencer Dawkins"/>, <contact fullname="Theo de Raadt"/>, <contact fullname="Guillermo Gont"/>, <contact fullname="Joseph Lorenzo Hall"/>, <contact fullname="Gre Norcie"/>, <contact fullname="Colin Perkins"/>, <contact fullname="Vincent Roca"/>, <contact fullname="Shivan Sahib"/>, <contact fullname="Rich Salz"/>, <contact fullname="Martin Thomson"/>, and <contact fullname="Michael Tüxen"/> for providing valuable comments on earlier draft versions of this document.</t> <t>The authors would like to thank <contact fullname="Shivan Sahib"/> and <contact fullname="Christopher Wood"/> for their guidance during the publication process of this document.</t> <t>The authors would like to thank <contact fullname="Jean-Philippe Aumasson"/> and <contact fullname="Mathew D. Green"/> (John Hopkins University) for kindly answering a number of questions.</t> <t>The authors would like to thank <contact fullname="Diego Armando Maradona"/> for his magic and inspiration.</t> </section> </back> </rfc>