Re: [Ila] [5gangip] PS draft: New Version Notification for draft-hspab-5gangip-atticps-00.txt
Ca By <cb.list6@gmail.com> Wed, 31 January 2018 23:51 UTC
Return-Path: <cb.list6@gmail.com>
X-Original-To: ila@ietfa.amsl.com
Delivered-To: ila@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB8B812E3AE; Wed, 31 Jan 2018 15:51:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXzo8LgPpyNm; Wed, 31 Jan 2018 15:51:11 -0800 (PST)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7657120726; Wed, 31 Jan 2018 15:51:10 -0800 (PST)
Received: by mail-wm0-x233.google.com with SMTP id f3so2340497wmc.1; Wed, 31 Jan 2018 15:51:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LR5V1ESzaBVlW3eLQWr+QabReDu6o9gKnp6agIRJXmg=; b=D8fk8EVPuJPl344dmyPuOFpHLhpow+aAc0sT1VwQ00oPr04TOQLqwlrg1r/upINyur 3bHbC9O8YKfIP7hTo+oW0qjajiNSqar49Btz5tszysiLuAgLE3dG1FIKPaJQcaO0ffKq MN3GaoosEflfwKMEMCoKfJSRvm22p9XhL8ffctJkTefuURiGpiUsNAU+qz2al+zbcvk/ YduwZK+Tew3SihkDkAD/Py4DUAL2s4M1S4luuZIfpVCYJcmp8RDR5kf3v/ZQ19BH8b0d GLzFv8+7+H8Q8lQqA61M3JbOC3GwRCHvP+jI3+XvZAAV97RzPQaLx9M2kBgHuv23VmPO LEHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LR5V1ESzaBVlW3eLQWr+QabReDu6o9gKnp6agIRJXmg=; b=RY6Pkj4h5FaiT5DARwNnr/avoERMdiSTR/LkT3JhukqAgQn1dYaD6zSMqqaqcLs6xn 9GiQPQ7e2NH49r85DmDB+/NRXEBfzSAqWN1pCvVGd11UIIXX39arJ2jmvP2oJ9PfBEjQ Cpci81gWaEVpZ8ygpVCDcoaNPoKOkgxlEK/loEW6v1lvxi9lWxwYx6EsxADxN3SpyekJ xeRpQd2thGal4+eDOlilU7Uz2bfK4U1CBMnF/cH4cDMVgqi3gRJzJMPFwi+1EiPlv/Sm EDynhzKDYeXtTtleBAVYgKgDS7eoZFFhUEX8mk9SkJ93cK25B7TXT8PGVy7lpIWg6CVz 7M+g==
X-Gm-Message-State: AKwxytdeniqW9BSSdJhPPzEsg48NeY24H+RCp+tlpsEZsWIIL7BE0+U4 zyvUqJ0n+BBJTgtq5XXS7JZum6z+OATAto6bcMQ=
X-Google-Smtp-Source: AH8x226B67slUVeHn0w8vyJ80EhS9OdJns6NFJLdHP0GztjNAz4kP/qPS1RLnklD09G8S2Ex+xMUPlZFw5K6F/Pywt0=
X-Received: by 10.28.194.2 with SMTP id s2mr24023448wmf.55.1517442669399; Wed, 31 Jan 2018 15:51:09 -0800 (PST)
MIME-Version: 1.0
References: <CAC8QAceokC+Fv5AV5KG7fB1CamstqOomOyFrNeKRQ5+sgb3T4Q@mail.gmail.com> <CALx6S34GoMbt=HqHRjt_N7ZUqk=L6YNjK8qChL9oHLoFTO2hfw@mail.gmail.com> <CAC8QAccoZ9mcweHc-pqNqtsR7PRamVFaTL2_G4fJ1YTZ6gu=zw@mail.gmail.com> <CALx6S34gEVLKzxvf08-JfvSCtptPXXi-4Qkew19JeO8fcu0+HQ@mail.gmail.com> <84E8607E-06E2-41DA-A1F6-1123E87F1E11@gmail.com>
In-Reply-To: <84E8607E-06E2-41DA-A1F6-1123E87F1E11@gmail.com>
From: Ca By <cb.list6@gmail.com>
Date: Wed, 31 Jan 2018 23:50:58 +0000
Message-ID: <CAD6AjGQeDymd1006Bfo1oQjqs8RySAiPBPKWJGfRRDP20TWXnw@mail.gmail.com>
To: Dino Farinacci <farinacci@gmail.com>
Cc: 5GANGIP <5gangip@ietf.org>, Behcet Sarikaya <sarikaya@ieee.org>, Tom Herbert <tom@herbertland.com>, ila@ietf.org
Content-Type: multipart/alternative; boundary="001a114a64c646d42705641b27f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ila/UbqGRi3F9ANceH0X0W-BHr33FtE>
Subject: Re: [Ila] [5gangip] PS draft: New Version Notification for draft-hspab-5gangip-atticps-00.txt
X-BeenThere: ila@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Identifier Locator Addressing <ila.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ila>, <mailto:ila-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ila/>
List-Post: <mailto:ila@ietf.org>
List-Help: <mailto:ila-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ila>, <mailto:ila-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jan 2018 23:51:16 -0000
On Wed, Jan 31, 2018 at 2:25 PM Dino Farinacci <farinacci@gmail.com> wrote: > Tom, this is why addresses need to be obfuscated. And you can’t do that > with address translation/transformation. I’m a fan of ILA, but the IPv6 > header must be sent in the clear, and that is problematic for this issue. > > Dino And again, i really have no idea on what problem Tom and Dino are trying solve that they think a mobile operator would want to implement. I see Tom and Dino jockeying their solutions, but they are not solutions to problems that network operators have articulated. I believe at one point this listed agreed to produce requirements but then quickly decided it was better to have secret group (design team?) write a white paper about id / loc. IMHO id / loc has zero traction in mobile , it is not present in any of the well publicized “5G” deployments that are currently going on. On this list, id/loc is a solution looking for a problem. Just $0.02 about the echo chamber we are in. > > > On Jan 31, 2018, at 2:02 PM, Tom Herbert <tom@herbertland.com> wrote:n > > > > > > This is true today when devices have address or assigned a single /64. > > One alternative is gives users thousands or millions of addresses > > (identifier). Identifier/locator split should facilitate that. > > > > Please suggest some text. > > > > > > Here is my postulated privacy exploit that defeats periodic address > rotation [RFC4951] and would be solved by single use addresses (a > different address per connection). > > > > • The attacker creates an “always connected” app that provides > some seemingly benign service and users download the app. > > • The app includes some sort of persistent identity. For instance, > this could be a login to account. > > • The backend server for the app logs the user identity and IP > address they are using each time they connect. > > • When an address change happens, existing connections on the user > device are disconnected. The app will receive a notification and > immediately attempt to reconnect using the new source address. > > • The backend server will see the new connection and log the new > IP address as being used by the user. > > • Thus, the server has a real-time record of users and the IP > address they are using. > > • The attacker gains access to packet traces taken at some point > in the Internet. The addresses in the captured packets can be time > correlated with the server database to deduce the identity of the source of > packets for flows communications unrelated to the app. > > > > Note > > that this effect is already provided by NAT since every connection > > through a NAT is translated to non-trackable address/port. NAT has > > some law enforcement agencies freaking out because of its strong > > (inadvertent) privacy! > > > > This reminds me some people say ILA is a NAT. > > > > Mark Smith provided the best explanation as to why ILA is not NAT: > > > > "The process ILA performs is a perfect transform, once at ingress to the > ILA domain, into the ILA domain's address space, and a perfect > transformation back at ILA egress. If the transformation isn't perfect, > then a fault has occurred. > > > > The other reason I'd avoid "translate" is that it in the IETF it carries > with it the association with IPv4 NAT and its drawbacks. ILA doesn't suffer > from these issues because of the full reversal of the address changes upon > egress from the ILA domain. > > > > (So how come I don't like NAT at all, yet am ok with what ILA is doing? > The full reversal of the address charges at ILA egress is the first reason. > Secondly, within the ILA domain, the ingress ILA device is a host, that is > in effect originating the packet within the ILA domain it is sending to the > egress ILA device, which is also a host or end-point within the ILA domain. > > > > The ILA domain is effectively a virtual link layer or an underlay > network for the traffic being carried between hosts outside of the ILA > domain. As long as the ILA domain is perfectly transparent to the overlay > network and its hosts, then what ever happens within the ILA domain doesn't > matter, similar to how link layer compression, as long as fully and > perfectly reversed, also doesn't matter.)" > > > > "Privacy of identifiers is especially an issue for a UE communication > > with a server like Google, Facebook, LinkedIn, etc." > > > > You might want to mention that simple identifier rotation [RFC4914] is > > not enough these days.. > > > > Sure. > > > > "Privacy issue can be mitigated only if Id-Loc system has proxy mode > > of operation. In proxy mode, user traffic is intercepted by a proxy. > > Proxy node which could be placed at the subnet router or site border > > router. The router tunnels the traffic to the server. In the process > > UE identifier becomes hidden and this hopefully removes privacy > > issues." > > > > > > I'm not sure what this means. Multiple identifiers per deivce should > > address the privacy issue, Maybe a proxy would have the same effect? > > > > Again please provide some text. > > > > As I said, I don't know what this proxy mode of operation is in an idloc > system. > > > > "5G specific identifiers can also used to deal with privacy issues. > > IMSI is known to be 64 bit and unique for each UE. IMSI should not be > > exposed to any entities. It is like 64-identifier. Instead > > identifiers like 5G-GUTI can be used" > > > > I think this is two levels. An identifier in IP identifies a node for > > the purpose of being the endpoint of the communication. Something like > > IMSI identifies a specific device (and hence user). In the best case > > scenario, IP identifiers don't reveal the identity of users and they > > can be made externally visible. > > > > How? > > > > The mapping of an identifier to a user of device is only known by the > local network. Outside of the local trusted network a third party should > not be able to infer identity of geo-location of a user solely based on IP > addresses. For that, something like IMSI can't be used to make addresses > without some sort of mapping or obfuscation. > > > > > > IMSI is by its nature sensitive > > information and only visible in a trusted domain. A mapping system > > will need to map identifiers to identities (like an IMSI) so the > > system needs to be secured. > > > > > > When do you need to access the mapping system is the issue I think. > > We did not want to get into this a lot in the draft it is more control > plane. > > > > IMO, it's going to be hard not to include the control plane in > discussions. That's where most of the major issues of idloc are, > particularly in scaling and securing the mapping database. > > > > A big item missing in this section is locator security. Fine grained > > locators used in cellular system could be used to infer the > > geo-location of devices and hence users, thus enabling stalkers > > everywhere. So locators need restricted visibility somehow.. > > > > > > Good point. But how? Again, some text please. > > > > > > Here is my postulated stalker exploit that illustrates the dangers of > exposed locators to the users: > > > > • Suppose that a user device participates in an identifier/locator > protocol such that they cache locators and use locators to directly send to > peer devices. > > • A hacker might tap all packets sent or received on the network > interfaces which makes locators visible to them. > > • In order to be able to tap packets a user needs root access to > the device. There are instructions on the web to root an Android device. > Similarly, jailbreaking can be done to circumvent restrictions on an iPhone > to gain the equivalent of root access. > > • Once root access has been obtained, packets can be tapped using > tcpdump or similar packet sniffer application. > > • With the tap running and packet addresses being captured, the > hacker just needs to drive around send traffic between two devices in their > car. They can observe the locators that are assigned to the their device, > and from this can create a geo map of locators. > > • Given that one hacker can do this, then thousands will do it and > web sites will spring up that provide locator geo maps. > > • Efforts to obfuscate or rotate identifiers does not help much > here. Obfuscation complicates routing in the network such that more > transformations need to happen there. Locator rotation is defeated if there > are enough devices to keep the maps up to date in a mashup. > > • The net effect is that this enables a stalker attack. An > individual simply initiates a communication with their target. For > instance, this could be a chat or phone call. If in doing this the locators > for the device belonging to the target are made visible to the hacker, then > the physical location of the target can be deduced using the locator geo > maps described above. > > > > Tom > > > > _______________________________________________ > > 5gangip mailing list > > 5gangip@ietf.org > > https://www.ietf.org/mailman/listinfo/5gangip > > _______________________________________________ > 5gangip mailing list > 5gangip@ietf.org > https://www.ietf.org/mailman/listinfo/5gangip >
- Re: [Ila] [5gangip] PS draft: New Version Notific… Tom Herbert
- Re: [Ila] [5gangip] PS draft: New Version Notific… Dino Farinacci
- Re: [Ila] [5gangip] PS draft: New Version Notific… Tom Herbert
- Re: [Ila] [5gangip] PS draft: New Version Notific… Dino Farinacci
- Re: [Ila] [5gangip] PS draft: New Version Notific… Tom Herbert
- Re: [Ila] [5gangip] PS draft: New Version Notific… Dino Farinacci
- Re: [Ila] [5gangip] PS draft: New Version Notific… Ca By
- Re: [Ila] [5gangip] PS draft: New Version Notific… Dino Farinacci
- Re: [Ila] [5gangip] PS draft: New Version Notific… Ca By
- Re: [Ila] [5gangip] PS draft: New Version Notific… Tom Herbert
- Re: [Ila] [5gangip] PS draft: New Version Notific… Tom Herbert
- Re: [Ila] [5gangip] PS draft: New Version Notific… Dino Farinacci
- Re: [Ila] [5gangip] PS draft: New Version Notific… Tom Herbert
- Re: [Ila] [5gangip] PS draft: New Version Notific… Fred Baker
- Re: [Ila] [5gangip] PS draft: New Version Notific… Tom Herbert
- Re: [Ila] [5gangip] PS draft: New Version Notific… Joe Touch
- Re: [Ila] [5gangip] PS draft: New Version Notific… Dino Farinacci
- Re: [Ila] [5gangip] PS draft: New Version Notific… Alexandre Petrescu