Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Enabled Networks (ideas)

On 10/02/2017 11:55 AM, Christian Huitema wrote:
>
> I just realized that I forget to copy this message to the IESG and 
> IDEAS mailing lists. Sorry.
>
>
> -------- Forwarded Message --------
> Subject: 	Fwd: Re: WG Review: IDentity Enabled Networks (ideas)
> Date: 	Sun, 1 Oct 2017 17:06:46 -0700
> From: 	Christian Huitema <huitema@huitema.net>
> To: 	IETF Discussion Mailing List <ietf@ietf.org>
>
>
>
> On 9/29/2017 9:13 AM, The IESG wrote:
>
> > A new IETF WG has been proposed in the Routing Area. The IESG has not made
> > any determination yet. The following draft charter was submitted, and is
> > provided for informational purposes only. Please send your comments to the
> > IESG mailing list (iesg@ietf.org) by 2017-10-09.
> ...
> >
> > Network solutions based on the concept of Identifier-Locator separation are
> > increasingly considered to support mobility, overlay networking for
> > virtualization and multi-homing across heterogeneous access networks.
>
> The problem there is that the same properties that facilitate routing
> also facilitate tracking.
>
> Consider a mobile node that switches from a Wi-Fi network to a cellular
> network. In the current state of the art, there is no relation between
> the Wi-Fi address and the cellular address. Intermediaries cannot
> observe the traffic and deduce that two different flows of IP packets
> originate from the same node. In contrast, with an ID/Loc architecture,
> the two flows are associated with the same identifier, which can then be
> used to track the movements of the device.

I have been thinking about this, Christian, and I have a proposal for 
HIP that I will be starting on shortly that will cripple this tracking 
while not interfering with mobility.  In short, there is a chain of SPIs 
used.  The endpoints know the chain, and no one else. This IS a problem 
with NAT traversal, but what is NOT a problem with NAT traversal?

But as you indicated, we need to think more about privacy, as hard as 
that is...

>
> Similarly, consider a node that connects several times to the same
> network, and each time uses IPv6 temporary addresses. The web servers
> that it contact cannot use the IP addresses to correlate different
> connections that happened at different times. This would change if the
> identifier in an ID/LOC architecture remained constant.
>
> Multipath TCP and planned multipath extensions of QUIC are example of
> transport protocol that allow transport connections to use multiple
> network paths simultaneously. In both cases, there s significant work
> going on to ensure that intermediaries cannot easily associate the
> traffic on the multiple paths with a single connection. If the
> multi-homing function was delegated to an ID/LOC system, intermediaries
> could potentially observe the identifiers and associate these connections.
>
> In short, careless applications of the ID/LOC architecture could easily
> result in serious privacy issues. The proposed charter does include a
> brief statement about privacy:
>
> > - Analysis of the concepts of identity-identifier split and dynamic
> > identifier changes, including their implications on anonymity and privacy.
> > Explicitly, the framework must define privacy requirements and how potential
> > extensions/solutions should meet them.
>
> This is a good start, but the whole concept of "unique identifiers" is
> scary, and I would like to see this expanded. For example, I would like
> to see an explicit reference to a baseline, e.g. assuring no privacy
> downgrade compared to IPv6 temporary addresses, or assuring that hosts
> that elect to not be tracked when roaming across networks will not be. I
> also know that there have been discussions of hiding identifiers from
> intermediaries, and i would like to see that as an explicit goal of the
> proposed WG.
>
> -- 
> Christian Huitema
>
>
>
>
> _______________________________________________
> Ideas mailing list
> Ideas@ietf.org
> https://www.ietf.org/mailman/listinfo/ideas