IETF Logo Mail Archive

Re: [Ideas] Addressing the privacy issues exposed by IDEAS

<d.lake@surrey.ac.uk> Wed, 18 October 2017 14:16 UTC

Return-Path: <d.lake@surrey.ac.uk>
X-Original-To: ideas@ietfa.amsl.com
Delivered-To: ideas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BCD6132CE7 for <ideas@ietfa.amsl.com>; Wed, 18 Oct 2017 07:16:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=surrey.ac.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nI84-92UMH6D for <ideas@ietfa.amsl.com>; Wed, 18 Oct 2017 07:15:57 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0104.outbound.protection.outlook.com [104.47.2.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40D0E124B17 for <ideas@ietf.org>; Wed, 18 Oct 2017 07:15:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=surrey.ac.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=eD+lJaCmr/3+y9+VRt2+NdvzuFjBXvdpADgzPrG6mOw=; b=B2JNH9nls5nQVNLygUfl0ghJY21m+ACXxZ242wlDNqIsvJq21/zPvNuMqa+sI/MDrD3iDDMNc9pwD5jCO+yJqZcuYSn2rUMWt6hICRHTU9VPpDxdgaH5s4NAsPbDa7vqIFMqQ/hnhX4vvI5U7vqG31ZRyf1o/xoiDCF/BcpQFqs=
Received: from DB3PR0602MB3756.eurprd06.prod.outlook.com (52.134.70.31) by DB3PR0602MB3753.eurprd06.prod.outlook.com (52.134.66.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Wed, 18 Oct 2017 14:15:49 +0000
Received: from DB3PR0602MB3756.eurprd06.prod.outlook.com ([fe80::68b8:8f98:fb4:632]) by DB3PR0602MB3756.eurprd06.prod.outlook.com ([fe80::68b8:8f98:fb4:632%13]) with mapi id 15.20.0077.021; Wed, 18 Oct 2017 14:15:49 +0000
From: d.lake@surrey.ac.uk
To: rgm-ietf@htt-consult.com, ideas@ietf.org
Thread-Topic: [Ideas] Addressing the privacy issues exposed by IDEAS
Thread-Index: AQHTSBGvgANDWu6ZqUSw0oVCV8dWfaLpowMQ
Date: Wed, 18 Oct 2017 14:15:49 +0000
Message-ID: <DB3PR0602MB37564BF38A6638EE375055B4B54D0@DB3PR0602MB3756.eurprd06.prod.outlook.com>
References: <9155d3fe-cbe2-ae2d-9c59-f3dee85b1409@htt-consult.com>
In-Reply-To: <9155d3fe-cbe2-ae2d-9c59-f3dee85b1409@htt-consult.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=d.lake@surrey.ac.uk;
x-originating-ip: [64.134.234.51]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DB3PR0602MB3753; 6:2KL75QYmmpVX8x4S3laBtCTegHKc9MY/oKuqmWBUz/d/NkYtCtnr77eigRYo82aLRbsj7EjHAEDVy2rTG2z4kQ6TJZ5FegbS4RUt3h+0UKPZbjskxDoUBNAOQd/G/jop9dB1BvCc32YYIVcnKsF6ts5at3BKF+pMEUsM6cY6RxqrrG5+O+3s96N544zDvb7oxxlON4u+z6/lUxpyhXlnZIY1XGjvwU5lKfsNxo25nIVllqMwNMLGCeq9i2jIZ+tjDGWe6+7dYf6+3sa+DFSni5Zst0Jc2muAj5YQCAA84cyn2PkeG+xlP+r4R7irvd1L0PMbE9+ienFAbfAeXW1X4g==; 5:CZpchyiwm/y+ITY021K/WQnzvfdRBdwk/2l9LrmtTdWrz5Al3RH0GL7cX8zGZv3D5FH92igKQsxWLRVRRMYeA3dqiCr2J2pnVSizlYQW68O3xAZPdtcJR+F9vQbKl39WogClbhjkhE97rTu4uK8gKhLM3CVOUcJhuK7AXs0ZNCk=; 24:hU2BO2LpPNh3je+7FjD/ZHsXf+7NMNwoCyKgCwnp1LYgBCgWteoAnwn1ML1xdvAWq+iysc1pO57oaoGYz7e4YZ1iLQ2FFafhqcavYV/Cdr0=; 7:FmGjaqlzqNZyvKCWOIVq5DHVjvf0ck0SZVGS64F91KvkAQIVc81rfPYff7SLEoqTj69yEVF+Xt0vHgZJDr9GoHwN6AFTHkvFutiK6FnNoDeMSYU3dm4uwzPwonI+3DizjY3CUJR0bG4m6OuDjkYBXQF0+LULFSc33R3JtlLmdxA1PkhbqzjMKKGF4lzhAt8Qs2smNa8F8hirPM+diY8ge0/xgiBoS0ViYbdDT0oKDzQ=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: ab8121ec-79b8-45d8-3b30-08d51632bba8
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254152)(2017052603199)(201703131423075)(201703031133081)(201702281549075); SRVR:DB3PR0602MB3753;
x-ms-traffictypediagnostic: DB3PR0602MB3753:
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705);
x-microsoft-antispam-prvs: <DB3PR0602MB3753CBACD14B69C841DCB33DB54D0@DB3PR0602MB3753.eurprd06.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(3002001)(10201501046)(100000703101)(100105400095)(93006095)(93001095)(6041248)(20161123555025)(201703131423075)(201702281529075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123558100)(20161123564025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:DB3PR0602MB3753; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:DB3PR0602MB3753;
x-forefront-prvs: 0464DBBBC4
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(346002)(39860400002)(376002)(189002)(199003)(13464003)(53936002)(33656002)(2906002)(786003)(7736002)(229853002)(305945005)(66066001)(3280700002)(9686003)(106356001)(14454004)(316002)(101416001)(6306002)(99286003)(3660700001)(3846002)(102836003)(6436002)(74316002)(55016002)(5660300001)(50986999)(54356999)(76176999)(6246003)(74482002)(7696004)(189998001)(68736007)(6506006)(110136005)(97736004)(966005)(6116002)(2501003)(81166006)(81156014)(105586002)(25786009)(8676002)(42882006)(5250100002)(8936002)(2900100001)(2950100002)(86362001)(478600001)(53546010)(31153001); DIR:OUT; SFP:1102; SCL:1; SRVR:DB3PR0602MB3753; H:DB3PR0602MB3756.eurprd06.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: surrey.ac.uk does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: surrey.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Oct 2017 14:15:49.4864 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6b902693-1074-40aa-9e21-d89446a2ebb5
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3PR0602MB3753
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 04
X-MS-Exchange-CrossPremises-AuthSource: DB3PR0602MB3756.eurprd06.prod.outlook.com
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-TransportTrafficSubType:
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-originalclientipaddress: 64.134.234.51
X-MS-Exchange-CrossPremises-transporttraffictype: Email
X-MS-Exchange-CrossPremises-transporttrafficsubtype:
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-OrganizationHeadersPreserved: DB3PR0602MB3753.eurprd06.prod.outlook.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ideas/pfDFFAepgpmve_xdZi2VIkO6nQI>
Subject: Re: [Ideas] Addressing the privacy issues exposed by IDEAS
X-BeenThere: ideas@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussions relating to the development, clarification, and implementation of control-plane infrastructures and functionalities in ID enabled networks." <ideas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ideas>, <mailto:ideas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ideas/>
List-Post: <mailto:ideas@ietf.org>
List-Help: <mailto:ideas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ideas>, <mailto:ideas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Oct 2017 14:16:04 -0000

Bob

A very interesting discussion and one we need to clear before we can move on IMvHO!

Your comment:

	" ID/Loc technologies, enhanced with IDEAS technology, will make Peer-to-Peer communications without any triangular routing achievable."    

Yes but we need to keep in mind the operation of LI and should be supportive of that.   It can be achieved without triangular routing, but we should not consider it as an after-thought.   It is a regulatory and business requirement for the operators and they will (and have) reject any technology which does not meet these needs.   That is why we are still seeing anchored GTP tunnels in Rel.15.

	Meanwhile, Eve and her cousins are busy watching the network and seeing which IP addresses are communicating with other IP addresses.  Eve and cohorts put their data together with Mal and cohorts' data and then is able to note that:  "Hey look, 	Alice is talking directly with Barb."  

Whilst I love your sarcasm, there is another, less nefarious reason for the interception and that it is to do with allocation of resources and delivery against SLAs in mobile networks.    As mobile becomes the pre-dominant mode of connection to the Internet (driven by the trend to virtually zero cost we are witnessing in most geographies now for mobile packages), given that we have a very limited transport resource (RF spectrum), controlled access to and differentiated services over the Air Interface will be key to new services.  The ONLY reasons VoLTE works is because we have hard allocation of everything from radio bearer to packet-core and back. 

If we imagine a world where services other than default-bearer mobile broadband and dedicated bearer VoLTE exist (and this is the basic premise for 5G), then having knowledge of location, service and end-point is vital so that a) resources can be allocated and b) you (and I) can be billed for it appropriately.

In terms of privacy, one aspect is missing from you critique - location.   A mobile operator will know simply from association of IMSI to IP address to GTP TEID exactly which cell(s) you are on.

David

-----Original Message-----
From: Ideas [mailto:ideas-bounces@ietf.org] On Behalf Of Robert Moskowitz
Sent: 18 October 2017 06:05
To: ideas@ietf.org
Subject: [Ideas] Addressing the privacy issues exposed by IDEAS

I chose the subject line carefully as you will see by my analysis of the privacy issue(s).  I have discussed this with Padma before bringing this up to the list.

Here is the privacy attack, as I see it:

It is fairly well established that web sites collect a lot of personal information and information about the device(s) connected to that personal information.  IP addresses, even the actual address of NATed clients are part of the harvest.  Mal and his cousins are busy stealing this information and putting it all together in their own big data pile.

Meanwhile, Eve and her cousins are busy watching the network and seeing which IP addresses are communicating with other IP addresses.  Eve and cohorts put their data together with Mal and cohorts' data and then is able to note that:  "Hey look, Alice is talking directly with Barb."  
Oh, look, they both moved to new addresses, but we can see it is still Alice and Barb.

What is going on here?

ID/Loc technologies, enhanced with IDEAS technology, will make Peer-to-Peer communications without any triangular routing achievable.  
As long as these P2P communications use the same IP addresses as used in web Client/Server communications, the linkage is there to the privacy leakage occuring through those websites.

Three things have to happen to protect the privacy of P2P communications from the swamp of privacy leakage in C/S communications.

Identities need to be masked/hidden by both the ID/Loc technologies and IDEAS.

Identifiers of all ilk, both in the control channel and the data channel need to change with each move using some Perfect Forward Secrecy (PFS) technology.

Multiple IP addresses MUST be used, at least separating the P2P from C/S communications.  Different addresses for different P2P connections is wise.

Note that if IDEAS-ID/Loc does everything to hide and confuse Identity/Identifier, it is all for naught if multiple IP addresses are not used.  At this point I should mention that TLS 1.3 may have a similar privacy risk, but that is for a different soapbox.

Action plan:

The IDEAS charter should say something like:

"IDEAS will act as an enabling technology for the various ID/Loc technologies currently specified within the IETF.  As such it will result in a wider deployment of, mobile, Peer to Peer communications.  
Care will be taken in the design of the IDEAS technology not to enable the privacy leakage attacks in current Client/Server (predominately
web-based) to be linked to these P2P communications."

This means that whatever technology we come up for IDEAS will mask/hide PII/Identity/Identifier.  So that Eve is in the dark and we need only defend the IDEAS data store from Mal.

Each ID/Loc technolgy (and this means ME with HIP) will need revisions to both their control and data plane (this means ESP for HIP) to change how Indentity and Identifiers are handled to break privacy tracking by Eve.  This may require using IDEAS as an enabler of privacy functions (I suspect I will need it in HIP to deal with the HI in the R1 packet).  
TLS 1.3 may also need revisions with its zero RT method.

The final, and potentially big one that is outside the IETF's control is that OSs and ISPs MUST enable support for multiple addresses per host and let technologies within the hosts (like ID/Loc) to get addresses to provide privacy separation.  This ALSO extends to MAC addresses!  Eve could be tapping into those IPFIX flows (now there is a BIG privacy leakage attack that no one is talking about) and getting all the MAC/IP address mappings!

One caveat that makes the multiple address not so big of a challenge is that ISPs are already providing some level of multiple address support by allowing hotspot usage on the mobile devices.  The IP address seen on the network MAY be from a given device or a device using it as a gateway.  This will become increasingly more common with automotive hotspots.  But this is NOT something we should count on as a mitigation of this privacy attack.

==========

Conclusion

IDEAS will analyse all security and privacy risks and include mitigation approaches in its design.

I will take this attack to the HIP group for revisions there.  I already have some work going (fast moblity draft for one) that I can leverage to this purpose.

I will reach out to the experts of other ID/Loc technologies (including
MobileIKE) to discuss what they can do to ensure privacy as a design goal.

Finally, as some of you know, my suit has a kevlar armor layer.  So have 
at it!   :)

Bob

_______________________________________________
Ideas mailing list
Ideas@ietf.org
https://www.ietf.org/mailman/listinfo/ideas

v2.23.0 | Report a Bug | By Email