Re: [Add] ECS privacy concerns, alternatives?

[Joe Abley <jabley@hopcount.ca>]

On 17 Apr 2019, at 12:04, Erik Nygren <erik+ietf@nygren.org> wrote:

> On Tue, Apr 16, 2019 at 2:31 PM Brian Dickson <brian.peter.dickson@gmail.com <mailto:brian.peter.dickson@gmail.com>> wrote:
> 
> 
> On Tue, Apr 16, 2019 at 9:00 AM Livingood, Jason <Jason_Livingood@comcast..com <mailto:Jason_Livingood@comcast.com>> wrote:
> And for ease of any replies, I have a separate question on CDN localization via ECS. The 6th privacy requirement suggests that ECS cannot be used unless there is encryption between the resolver and the authoritative server, presumably via DoT. This suggests that the privacy concern isn't that the network/geographic hint provided by ECS is problematic in and of itself, but that it should not be observable along the network path used in recursion.
> 
> But if TRR-to-auth recursion is not available via DoT, I wonder what the recommended mechanism is for providing a more privacy-protective network-geographic hint to an authoritative server, in order for example for a CDN to dynamically respond with a localized response. Maybe something new needs to be standardized? What options do folks suggest?
> 
> That's a great question. Apologies in advance for always providing long answers. :-)
> 
> IMHO, the privacy issue is the IP portion, not the geo portion, of geo-ip.
> 
> I may be oversimplifying the situation, but I believe the vast majority of authority DNS services (or proxy services in front of those) structure their internal representation of things as geo->answer mappings, and generally have some flavor of ip->geo mapping on their front-end(s).
> 
> Unfortunately, Geo is only one of the dimensions used.  At least some of the common and heavily used CDNs and other DNS-based routing services also need to use both ASN and in some cases the regional network location within the ASN.  As an example, a CDN or other widely distributed service may have "on-net" deployments located deep within ISP regional networks.  So it's not just a matter of "hand out the London cluster for UK clients".  It's "hand out the right cluster in the UK for the client based on the POP for the ISP/network they are currently connected to, out of a set of well over a hundred distinct UK clusters."

That's what I have heard.

My understanding is that for many commercial applications, knowledge of the city associated with a request is not sufficient to meet CDN performance expectations, and that a (city, provider) pair is the minimum information required to produce a response. Many use more.

On the other side, there are ISPs who use different source addresses for different queries originated by their resolvers in combination with the client-subnet option in order to tilt the decision algorithm at particular CDNs to better match them to particular clients.

It's not reasonable to reduce the dimensions available to make the content steering decision and expect the mechanism to be implemented and used. The amount of complexity that is tolerated in order to make this work today is substantial, which ought to tell us something.


Joe