IETF Logo Mail Archive

Re: [Ila] [5gangip] PS draft: New Version Notification for draft-hspab-5gangip-atticps-00.txt

Ca By <cb.list6@gmail.com> Wed, 31 January 2018 23:51 UTC

Return-Path: <cb.list6@gmail.com>
X-Original-To: ila@ietfa.amsl.com
Delivered-To: ila@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB8B812E3AE; Wed, 31 Jan 2018 15:51:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXzo8LgPpyNm; Wed, 31 Jan 2018 15:51:11 -0800 (PST)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7657120726; Wed, 31 Jan 2018 15:51:10 -0800 (PST)
Received: by mail-wm0-x233.google.com with SMTP id f3so2340497wmc.1; Wed, 31 Jan 2018 15:51:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LR5V1ESzaBVlW3eLQWr+QabReDu6o9gKnp6agIRJXmg=; b=D8fk8EVPuJPl344dmyPuOFpHLhpow+aAc0sT1VwQ00oPr04TOQLqwlrg1r/upINyur 3bHbC9O8YKfIP7hTo+oW0qjajiNSqar49Btz5tszysiLuAgLE3dG1FIKPaJQcaO0ffKq MN3GaoosEflfwKMEMCoKfJSRvm22p9XhL8ffctJkTefuURiGpiUsNAU+qz2al+zbcvk/ YduwZK+Tew3SihkDkAD/Py4DUAL2s4M1S4luuZIfpVCYJcmp8RDR5kf3v/ZQ19BH8b0d GLzFv8+7+H8Q8lQqA61M3JbOC3GwRCHvP+jI3+XvZAAV97RzPQaLx9M2kBgHuv23VmPO LEHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LR5V1ESzaBVlW3eLQWr+QabReDu6o9gKnp6agIRJXmg=; b=RY6Pkj4h5FaiT5DARwNnr/avoERMdiSTR/LkT3JhukqAgQn1dYaD6zSMqqaqcLs6xn 9GiQPQ7e2NH49r85DmDB+/NRXEBfzSAqWN1pCvVGd11UIIXX39arJ2jmvP2oJ9PfBEjQ Cpci81gWaEVpZ8ygpVCDcoaNPoKOkgxlEK/loEW6v1lvxi9lWxwYx6EsxADxN3SpyekJ xeRpQd2thGal4+eDOlilU7Uz2bfK4U1CBMnF/cH4cDMVgqi3gRJzJMPFwi+1EiPlv/Sm EDynhzKDYeXtTtleBAVYgKgDS7eoZFFhUEX8mk9SkJ93cK25B7TXT8PGVy7lpIWg6CVz 7M+g==
X-Gm-Message-State: AKwxytdeniqW9BSSdJhPPzEsg48NeY24H+RCp+tlpsEZsWIIL7BE0+U4 zyvUqJ0n+BBJTgtq5XXS7JZum6z+OATAto6bcMQ=
X-Google-Smtp-Source: AH8x226B67slUVeHn0w8vyJ80EhS9OdJns6NFJLdHP0GztjNAz4kP/qPS1RLnklD09G8S2Ex+xMUPlZFw5K6F/Pywt0=
X-Received: by 10.28.194.2 with SMTP id s2mr24023448wmf.55.1517442669399; Wed, 31 Jan 2018 15:51:09 -0800 (PST)
MIME-Version: 1.0
References: <CAC8QAceokC+Fv5AV5KG7fB1CamstqOomOyFrNeKRQ5+sgb3T4Q@mail.gmail.com> <CALx6S34GoMbt=HqHRjt_N7ZUqk=L6YNjK8qChL9oHLoFTO2hfw@mail.gmail.com> <CAC8QAccoZ9mcweHc-pqNqtsR7PRamVFaTL2_G4fJ1YTZ6gu=zw@mail.gmail.com> <CALx6S34gEVLKzxvf08-JfvSCtptPXXi-4Qkew19JeO8fcu0+HQ@mail.gmail.com> <84E8607E-06E2-41DA-A1F6-1123E87F1E11@gmail.com>
In-Reply-To: <84E8607E-06E2-41DA-A1F6-1123E87F1E11@gmail.com>
From: Ca By <cb.list6@gmail.com>
Date: Wed, 31 Jan 2018 23:50:58 +0000
Message-ID: <CAD6AjGQeDymd1006Bfo1oQjqs8RySAiPBPKWJGfRRDP20TWXnw@mail.gmail.com>
To: Dino Farinacci <farinacci@gmail.com>
Cc: 5GANGIP <5gangip@ietf.org>, Behcet Sarikaya <sarikaya@ieee.org>, Tom Herbert <tom@herbertland.com>, ila@ietf.org
Content-Type: multipart/alternative; boundary="001a114a64c646d42705641b27f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ila/UbqGRi3F9ANceH0X0W-BHr33FtE>
Subject: Re: [Ila] [5gangip] PS draft: New Version Notification for draft-hspab-5gangip-atticps-00.txt
X-BeenThere: ila@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Identifier Locator Addressing <ila.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ila>, <mailto:ila-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ila/>
List-Post: <mailto:ila@ietf.org>
List-Help: <mailto:ila-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ila>, <mailto:ila-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jan 2018 23:51:16 -0000

On Wed, Jan 31, 2018 at 2:25 PM Dino Farinacci <farinacci@gmail.com> wrote:

> Tom, this is why addresses need to be obfuscated. And you can’t do that
> with address translation/transformation. I’m a fan of ILA, but the IPv6
> header must be sent in the clear, and that is problematic for this issue.
>
> Dino


And again, i really have no idea on what problem Tom and Dino are trying
solve that they think a mobile operator would want to implement.

I see Tom and Dino jockeying their solutions, but they are not solutions to
problems that network operators have articulated.

I believe at one point this listed agreed to produce requirements but then
quickly decided it was better to have secret group (design team?) write a
white paper about  id / loc.

IMHO id / loc has zero traction in mobile , it is not present in any of the
well publicized “5G” deployments that are currently going on.

On this list, id/loc is a solution looking for a problem.

Just $0.02 about the echo chamber we are in.



>
> > On Jan 31, 2018, at 2:02 PM, Tom Herbert <tom@herbertland.com> wrote:n
> >
> >
> > This is true today when devices have address or assigned a single /64.
> > One alternative is gives users thousands or millions of addresses
> > (identifier). Identifier/locator split should facilitate that.
> >
> > Please suggest some text.
> >
> >
> > Here is my postulated privacy exploit that defeats periodic address
> rotation [RFC4951]  and would be solved by single use addresses (a
> different address per connection).
> >
> >       • The attacker creates an “always connected” app that provides
> some seemingly benign service and users download the app.
> >       • The app includes some sort of persistent identity. For instance,
> this could be a login to account.
> >       • The backend server for the app logs the user identity and IP
> address they are using each time they connect.
> >       • When an address change happens, existing connections on the user
> device are disconnected. The app will receive a notification and
> immediately attempt to reconnect using the new source address.
> >       • The backend server will see the new connection and log the new
> IP address as being used by the user.
> >       • Thus, the server has a real-time record of users and the IP
> address they are using.
> >       • The attacker gains access to packet traces taken at some point
> in the Internet. The addresses in the captured packets can be time
> correlated with the server database to deduce the identity of the source of
> packets for flows communications unrelated to the app.
> >
> > Note
> > that this effect is already provided by NAT since every connection
> > through a NAT is translated to non-trackable address/port. NAT has
> > some law enforcement agencies freaking out because of its strong
> > (inadvertent) privacy!
> >
> > This reminds me some people say ILA is a NAT.
> >
> > Mark Smith provided the best explanation as to why ILA is not NAT:
> >
> > "The process ILA performs is a perfect transform, once at ingress to the
> ILA domain, into the ILA domain's address space, and a perfect
> transformation back at ILA egress. If the transformation isn't perfect,
> then a fault has occurred.
> >
> > The other reason I'd avoid "translate" is that it in the IETF it carries
> with it the association with IPv4 NAT and its drawbacks. ILA doesn't suffer
> from these issues because of the full reversal of the address changes upon
> egress from the ILA domain.
> >
> > (So how come I don't like NAT at all, yet am ok with what ILA is doing?
> The full reversal of the address charges at ILA egress is the first reason.
> Secondly, within the ILA domain, the ingress ILA device is a host, that is
> in effect originating the packet within the ILA domain it is sending to the
> egress ILA device, which is also a host or end-point within the ILA domain.
> >
> > The ILA domain is effectively a virtual link layer or an underlay
> network for the traffic being carried between hosts outside of the ILA
> domain. As long as the ILA domain is perfectly transparent to the overlay
> network and its hosts, then what ever happens within the ILA domain doesn't
> matter, similar to how link layer compression, as long as fully and
> perfectly reversed, also doesn't matter.)"
> >
> > "Privacy of identifiers is especially an issue for a UE communication
> > with a server like Google, Facebook, LinkedIn, etc."
> >
> > You might want to mention that simple identifier rotation [RFC4914] is
> > not enough these days..
> >
> > Sure.
> >
> > "Privacy issue can be mitigated only if Id-Loc system has proxy mode
> > of operation.  In proxy mode, user traffic is intercepted by a proxy.
> > Proxy node which could be placed at the subnet router or site border
> > router.  The router tunnels the traffic to the server.  In the process
> > UE identifier becomes hidden and this hopefully removes privacy
> > issues."
> >
> >
> > I'm not sure what this means. Multiple identifiers per deivce should
> > address the privacy issue, Maybe a proxy would have the same effect?
> >
> > Again please provide some text.
> >
> > As I said, I don't know what this proxy mode of operation is in an idloc
> system.
> >
> > "5G specific identifiers can also used to deal with privacy issues.
> > IMSI is known to be 64 bit and unique for each UE.  IMSI should not be
> > exposed to any entities.  It is like 64-identifier.  Instead
> > identifiers like 5G-GUTI can be used"
> >
> > I think this is two levels. An identifier in IP identifies a node for
> > the purpose of being the endpoint of the communication. Something like
> > IMSI identifies a specific device (and hence user). In the best case
> > scenario, IP identifiers don't reveal the identity of users and they
> > can be made externally visible.
> >
> > How?
> >
> > The mapping of an identifier to a user of device is only known by the
> local network. Outside of the local trusted network a third party should
> not be able to infer identity of geo-location of a user solely based on IP
> addresses. For that, something like IMSI can't be used to make addresses
> without some sort of mapping or obfuscation.
> >
> >
> > IMSI is by its nature sensitive
> > information and only visible in a trusted domain. A mapping system
> > will need to map identifiers to identities (like an IMSI) so the
> > system needs to be secured.
> >
> >
> > When do you need to access the mapping system is the issue I think.
> > We did not want to get into this a lot in the draft it is more control
> plane.
> >
> > IMO, it's going to be hard not to include the control plane in
> discussions. That's where most of the major issues of idloc are,
> particularly in scaling and securing the mapping database.
> >
> > A big item missing in this section is locator security. Fine grained
> > locators used in cellular system could be used to infer the
> > geo-location of devices and hence users, thus enabling stalkers
> > everywhere.  So locators need restricted visibility somehow..
> >
> >
> > Good point. But how? Again, some text please.
> >
> >
> > Here is my postulated stalker exploit that illustrates the dangers of
> exposed locators to the users:
> >
> >       • Suppose that a user device participates in an identifier/locator
> protocol such that they cache locators and use locators to directly send to
> peer devices.
> >       • A hacker might tap all packets sent or received on the network
> interfaces which makes locators visible to them.
> >       • In order to be able to tap packets a user needs root access to
> the device. There are instructions on the web to root an Android device.
> Similarly, jailbreaking can be done to circumvent restrictions on an iPhone
> to gain the equivalent of root access.
> >       • Once root access has been obtained, packets can be tapped using
> tcpdump or similar packet sniffer application.
> >       • With the tap running and packet addresses being captured, the
> hacker just needs to drive around send traffic between two devices in their
> car. They can observe the locators that are assigned to the their device,
> and from this can create a geo map of locators.
> >       • Given that one hacker can do this, then thousands will do it and
> web sites will spring up that provide locator geo maps.
> >       • Efforts to obfuscate or rotate identifiers does not help much
> here. Obfuscation complicates routing in the network such that more
> transformations need to happen there. Locator rotation is defeated if there
> are enough devices to keep the maps up to date in a mashup.
> >       • The net effect is that this enables a stalker attack. An
> individual simply initiates a communication with their target. For
> instance, this could be a chat or phone call. If in doing this the locators
> for the device belonging to the target are made visible to the hacker, then
> the physical location of the target can be deduced using the locator geo
> maps described above.
> >
> > Tom
> >
> > _______________________________________________
> > 5gangip mailing list
> > 5gangip@ietf.org
> > https://www.ietf.org/mailman/listinfo/5gangip
>
> _______________________________________________
> 5gangip mailing list
> 5gangip@ietf.org
> https://www.ietf.org/mailman/listinfo/5gangip
>

v2.23.0 | Report a Bug | By Email