Re: [ietf-privacy] [Int-area] NAT Reveal / Host Identifiers

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 11 June 2014 15:18 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ietf-privacy@ietfa.amsl.com
Delivered-To: ietf-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEBB61A016D; Wed, 11 Jun 2014 08:18:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGKFRn0F2mfe; Wed, 11 Jun 2014 08:18:25 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id D75271A0150; Wed, 11 Jun 2014 08:18:24 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 25B31BE8E; Wed, 11 Jun 2014 16:18:24 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SETVGr_IJ23h; Wed, 11 Jun 2014 16:18:22 +0100 (IST)
Received: from [192.168.8.110] (217.64.246.66.mactelecom.net [217.64.246.66]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 4E3CBBEA0; Wed, 11 Jun 2014 16:18:22 +0100 (IST)
Message-ID: <5398733E.1030805@cs.tcd.ie>
Date: Wed, 11 Jun 2014 16:18:22 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: mohamed.boucadair@orange.com, Dan Wing <dwing@cisco.com>
References: <E87B771635882B4BA20096B589152EF628724B2C@eusaamb107.ericsson.se> <539016BE.3070008@gmx.net> <53906711.5070406@cs.tcd.ie> <5390CEC9.3000005@isi.edu> <5D2CC7D6-D9E1-49A8-818C-5FB33DC283C0@cisco.com> <5393119F.6050805@cs.tcd.ie> <787AE7BB302AE849A7480A190F8B9330016077@OPEXCLILM23.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B9330016077@OPEXCLILM23.corporate.adroot.infra.ftgroup>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-privacy/IcAvjtk1swdXcE66v5L2XR2ciRc
Cc: "ietf-privacy@ietf.org" <ietf-privacy@ietf.org>, Internet Area <int-area@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [ietf-privacy] [Int-area] NAT Reveal / Host Identifiers
X-BeenThere: ietf-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Internet Privacy Discussion List <ietf-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-privacy/>
List-Post: <mailto:ietf-privacy@ietf.org>
List-Help: <mailto:ietf-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jun 2014 15:18:27 -0000

Hiya,

On 11/06/14 15:38, mohamed.boucadair@orange.com wrote:
> Re-,
> 
> Please see inline.
> 
> Cheers, Med
> 
>> -----Message d'origine----- De : ietf-privacy
>> [mailto:ietf-privacy-bounces@ietf.org] De la part de Stephen
>> Farrell Envoyé : samedi 7 juin 2014 15:21 À : Dan Wing Cc :
>> ietf-privacy@ietf.org; Internet Area; Joe Touch Objet : Re:
>> [ietf-privacy] [Int-area] NAT Reveal / Host Identifiers
>> 
>> 
>> Hi Dan,
>> 
>> On 07/06/14 02:38, Dan Wing wrote:
>>> 
>>> Stephen,
>>> 
>>> It seems NAPT has become IETF's privacy feature of 2014 because 
>>> multiple users are sharing one identifier (IP address and
>>> presumably randomized ports [RFC6056], although many NAPT
>>> deployments use address ranges because of fear of compressing log
>>> files).  As a former co-chair of BEHAVE it is refreshing to see
>>> the IETF embracing NAPT as a desirable feature.
>> 
>> Embracing seems like significant overstatement to me, but maybe 
>> that's understandable given how calmly NAT is generally debated.
>> 
>> NATs have both good and bad properties. The slightly better
>> privacy is one of the good ones.
>> 
>> Recognising that reality is neither embracing nor refreshing IMO, 
>> nor does it mean NAPT is (un)desirable overall. (That's an
>> argument I only ever watch from the side-lines thanks:-)
>> 
>>> However, if NAPT provides privacy and NAT Reveal removes it,
>>> where does that leave a host's IPv6 source address with respect
>>> to BCP188?
>>> 
>>> Afterall, an IPv6 address is quite traceable, even with IPv6
>>> privacy addresses (especially as IPv6 privacy addresses are
>>> currently deployed which only obtain a new IPv6 privacy address
>>> every 24 hours or when attaching to a new network).  If BCP188
>>> does not prevent deployment of IPv6, I would like to understand
>>> the additional privacy leakage of IPv4+NAT+NAT_Reveal compared to
>>> the privacy leakage of IPv6+privacy_address.
>> 
>> I'm frankly amazed that that's not crystal clear to anyone who has
>> read all 2.5 non-boilerplate pages of the BCP. Or even just the
>> last two words of the 1-line abstract (hint: those say "where 
>> possible.")
>> 
>> Yes, source addresses leak information that affects privacy. But we
>> do not have a practical way to mitigate that. So therefore BCP188
>> does not call for doing stupid stuff, nor for new laws of physics
>> (unlike -04 of the draft we're discussing;-)
> 
> [Med] FWIW, this draft does not hint solutions but it aims to
> describe scenarios with problems. I understand you have concerns with
> privacy but this is not an excuse to abuse and characterize this
> effort as "stupid". 

Apologies if you took it that way. What I meant was that BCP188
does not call for stupid stuff, I was not characterising the
draft as stupid, but rather the assertion that BCP188 calls for
such.

> Privacy implications should be assess on a per
> use case basis 

Where do I find the per-use-case analysis of privacy implications?

> (see for example cases where all involved entities
> belong to same administrative entity). Furthermore, the document
> (including -04) says the following : "the document does not elaborate
> whether explicit authentication is enabled or not."
> 
>> 
>> Adding new identifiers with privacy impact, as proposed here, is 
>> quite different.
> 
> [Med] I have already clarified this point: the scenario draft does
> not propose any identifier!

I think its unrealistic to assert that any solution is possible
without such. I would be interested in reading about any proposal
that did not require a new identifier. So yes, I do assert that a
need for a new identifier is implicit in the draft, even if that
is not stated explicitly, and would be interested in arguments as
to why I'm wrong about that.

S.

> 
>> 
>> S.
>> 
>> PS: If someone wants to propose what they think is a practical way
>> to mitigate the privacy issues with source addresses, please write
>> a draft first and then start a separate thread somewhere.
>> 
>> 
>>> 
>>> -d
>>> 
>> 
>> _______________________________________________ ietf-privacy
>> mailing list ietf-privacy@ietf.org 
>> https://www.ietf.org/mailman/listinfo/ietf-privacy
> 
>