Re: [ietf-privacy] [Int-area] NAT Reveal / Host Identifiers

Joe Touch <touch@isi.edu> Mon, 09 June 2014 00:27 UTC

Return-Path: <touch@isi.edu>
X-Original-To: ietf-privacy@ietfa.amsl.com
Delivered-To: ietf-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 999431B279A; Sun, 8 Jun 2014 17:27:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level:
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eMd3QEqjuefq; Sun, 8 Jun 2014 17:27:04 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6A271B2799; Sun, 8 Jun 2014 17:27:04 -0700 (PDT)
Received: from [192.168.1.91] (pool-71-105-87-112.lsanca.dsl-w.verizon.net [71.105.87.112]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id s590QD4Z010849 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Sun, 8 Jun 2014 17:26:23 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
Content-Type: text/plain; charset=iso-8859-1
From: Joe Touch <touch@isi.edu>
In-Reply-To: <5393119F.6050805@cs.tcd.ie>
Date: Sun, 8 Jun 2014 17:26:13 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <82A0BCB8-F77C-4C8B-9769-BF4EE2F748A0@isi.edu>
References: <E87B771635882B4BA20096B589152EF628724B2C@eusaamb107.ericsson.se> <539016BE.3070008@gmx.net> <53906711.5070406@cs.tcd.ie> <5390CEC9.3000005@isi.edu> <5D2CC7D6-D9E1-49A8-818C-5FB33DC283C0@cisco.com> <5393119F.6050805@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.1878.2)
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-privacy/sqlpiVsTFjSLzRSUTv1Itcoudis
Cc: "ietf-privacy@ietf.org" <ietf-privacy@ietf.org>, Internet Area <int-area@ietf.org>
Subject: Re: [ietf-privacy] [Int-area] NAT Reveal / Host Identifiers
X-BeenThere: ietf-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Internet Privacy Discussion List <ietf-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-privacy/>
List-Post: <mailto:ietf-privacy@ietf.org>
List-Help: <mailto:ietf-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jun 2014 00:27:05 -0000

On Jun 7, 2014, at 6:20 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> NATs have both good and bad properties. The slightly better privacy
> is one of the good ones.

Better for the hosts they 'hide'; worse as a common network access point.

Consider an enterprise. There are two things we can learn about it from IP addresses:

	- without a NAT, we learn about activity of individual hosts

	- with a NAT, we learn the common network access point

If I want to track host activity - or attack a host, the former is better.

If I want to know what to DOS to take down the entire enterprise, the latter is better.

Think of it this way: 

	a NAT hides the host *at the expense* of exposing a router

If we're serious about considering privacy issues, there's a LOT more homework to be done.

Joe