Re: [Int-area] Where/How is the features innovation, happening? Re: 202201250721.AYC
"Abraham Y. Chen" <aychen@avinta.com> Tue, 25 January 2022 12:29 UTC
Return-Path: <aychen@avinta.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 177773A0A5E for <int-area@ietfa.amsl.com>; Tue, 25 Jan 2022 04:29:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.801
X-Spam-Level:
X-Spam-Status: No, score=-2.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=avinta.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VHhqUSYJoBr5 for <int-area@ietfa.amsl.com>; Tue, 25 Jan 2022 04:29:43 -0800 (PST)
Received: from mx22-1.lowesthosting.com (cp22.lowesthosting.com [23.111.133.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BB9F3A0A6D for <int-area@ietf.org>; Tue, 25 Jan 2022 04:29:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=avinta.com; s=default; h=In-Reply-To:References:Cc:To:Subject:From:MIME-Version:Date: Message-ID:Content-Type:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=KIzr2d2CbIfsSY6Z/1Cha4Fgfg7nheR/0ODm5fincBc=; b=rbzOPzzxTz9WbFP/tDouhtXI+8 /Hf0AF/lwiz76ywVNk5OEp98A8LplfMWBtV6BfUvje7GeoOGCt2Q2tOrpYRsVsgWHar2Edp/u4yl1 U9YiNZXTdKv54imWNXkE3bIiPOHJ6gEMrny0MOlm7fRtFTjo1iCwF4nryESPYP/CVpMKzE2BDwwzY a6FhbhsJWk85lo80N037ku3TgPFLDUXIGmmW5WNMuxksLzo6nAVvBdcP2DXrcfDdQW0NxG8aXiV9n OAPoOKoeMhFAiNDfWvxWi0/VdXlaTLR8a56wcZIK3lN2U9S/HmdIeuUPaitZEFyvwFhQEsaaFhK0+ lQ/Oh3+Q==;
Received: from cpe-24-193-166-56.nyc.res.rr.com ([24.193.166.56]:60354 helo=[192.168.1.142]) by mx22-1.lowesthosting.com with esmtpa (Exim 4.94.2) (envelope-from <aychen@avinta.com>) id 1nCKx8-00078A-4p; Tue, 25 Jan 2022 07:29:38 -0500
Content-Type: multipart/alternative; boundary="------------nMe0PRaSMqHOe2dAQXebAUSx"
Message-ID: <c506d7c6-9ce6-08a0-ee40-941c637264cc@avinta.com>
Date: Tue, 25 Jan 2022 07:29:33 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
From: "Abraham Y. Chen" <aychen@avinta.com>
To: Jiayihao <jiayihao@huawei.com>
Cc: "int-area@ietf.org" <int-area@ietf.org>, Tom Herbert <tom@herbertland.com>
References: <7c509337-31b5-c0d2-020e-aca6fc9d344e@avinta.com> <ce16122f3387479ca4456325a6fb0a6b@huawei.com> <0a3711b9-0969-2eb1-15e6-3aa8354901d0@avinta.com> <CALx6S37zAk-hdk-a5PGnFYaow9mhb1XmC=4PpqMkdVredq8Zhg@mail.gmail.com> <0dd628bc-d779-46d0-ada3-601295e21c12@avinta.com> <e6d10cda6fd241539051ef209a4a952a@huawei.com> <9dc26758-7fd6-5657-edac-95441869544d@avinta.com> <8e12137b7ad743ee9da01826bdf978d6@huawei.com> <0f0780f9-785e-d561-33c3-93feceb2906b@avinta.com> <086e751e63d7491fb03f44f7b93496b2@huawei.com> <aefc6979-5549-4c98-f081-8ef688c348a5@avinta.com> <f062e65c6ded41768b3133afbefbbe5e@huawei.com>
Content-Language: en-US
X-Priority: 1 (Highest)
In-Reply-To: <f062e65c6ded41768b3133afbefbbe5e@huawei.com>
X-Antivirus: Avast (VPS 220125-2, 1/25/2022), Outbound message
X-Antivirus-Status: Clean
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mx22-1.lowesthosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - avinta.com
X-Get-Message-Sender-Via: mx22-1.lowesthosting.com: authenticated_id: aychen@avinta.com
X-Authenticated-Sender: mx22-1.lowesthosting.com: aychen@avinta.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/BMJrLauFSvNqiKuIlIKCpGPSCt0>
Subject: Re: [Int-area] Where/How is the features innovation, happening? Re: 202201250721.AYC
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area WG Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jan 2022 12:29:50 -0000
Hi, YiHao: 0) Re: Ur. Pt. 0): Correct. However, the Caller-ID terminology was introduced when the caller's name was displayed on Called's phone. So, when only b) is shown, it is at best a subset, or the minor part, of the Caller-ID service. 1) Re: Ur. Pt. 1): Why do you need a way to certify / authenticate a caller if a system is set up with explicit originator identification in the first place? Regards, Abe (2022-01-25 07:29) On 2022-01-24 22:42, Jiayihao wrote: > > Hello Abe, > > 0) Sorry I get it confused and assume that the a) Caller-ID and b) > “incoming caller number” are different things. If b) is part of a), I > get it wrong. I currently living in China, and my carrier always bring > the b) “incoming caller number” each time I get a call, so probably > still a modern life style : ) > > 1) "... PKI/Certificate ..." is a patch-style tech and it works quite > well, ant it is true things are different if we built a system from > scratch. But is there anything you mean behind it that preform equally > or better compare to " ... PKI/Certificate ... " (in the context of > Caller-ID or others)? > > Thanks, > > Yihao > > *From:* Abraham Y. Chen <aychen@avinta.com> > *Sent:* 2022年1月25日 3:31 > *To:* Jiayihao <jiayihao@huawei.com> > *Cc:* int-area@ietf.org; Tom Herbert <tom@herbertland.com> > *Subject:* 202201241417.AYC Re: [Int-area] Where/How is the features > innovation, happening? Re: 202201152233.AYC > *Importance:* High > > Hi, YiHao: > > 1) Re: Ur. Pt. 0): I am getting curious. May I ask where are you > and how old are you? May be not landline. But, cellular mobile phone > services always have at least the numerical part of the Caller-ID > function, due to concerns such as who is going to pay for the air-time. > > 2) Re: Ur. Pts. 1) & 3): Good analysis. As to DNS, it is an > unnecessary "reverse" effort relative to the white-book practice in > the PSTN field. > > 3) Re: Ur. Pts. 2) & 4): " ... PKI/Certificate ... ": I do > not believe this is necessary if we review the subject from the ground up. > > Regards, > > Abe (2022-01-24 14:30 EST) > > On 2022-01-23 22:11, Jiayihao wrote: > > Hello Abe, > > 0) Really appreciate sharing the story of Call-ID. It is really a > fresh term and tech to me, and seems I haven’t got a chance to > experience the Call-ID time. Really good to learn. > > 1) Based on my rough understanding of Call-ID, it is a classical > example of how we choice to name an object. Assuming we want to > visit the Apple Campus (the Headquarters of Apple Inc.) with our > Google map, we can type a) Apple Campus (Name); b) 1 Infinite > Loop, Cupertino, CA 95014 (Locator 1); c) 37.33182°N > 122.03118°W(Locator 2). The only difference is which one people > would like to use, or which one is more friendly to human in their > practice. My understanding is that people prefer Name while > computer prefer Locator, so usually a system would like to provide > the Name to users and build a subordinate Mapping system as while > to corelate the name and the locator. DNS is just a good example > we use every day. > > 2) Agree on your insight that authentication to just Call-ID(phone > number) do not make much sense because it only provide the > authentication of Locator, while leave the Name, which users are > more willing to perceive, unauthenticated. I find that IETF STIR > wg is working on this topic. Although I am not familiar right now, > I feel a PKI/Certificate should be involved in order to gain > practical value. > > 3) In a peer to peer context, IMHO, the Name based interface is > more practically valuable compared to Locator based one, just like > the name instead of phone number in the Call-ID case because the > numbers do not offer any meaning even it is authenticated. > > 4) Agree on “….that we must have a "system view"….” and “…Some are > not based on technology, but business practices or just > mentality….”. But I feel there is no Silver Bullet and I don’t > have an answer yet. It is really enjoyable to discuss and I will > keep thinking on this. > > Many thanks, Abe, > > Yihao > > *From:* Abraham Y. Chen <aychen@avinta.com> > <mailto:aychen@avinta.com> > *Sent:* 2022年1月17日 1:21 > *To:* Jiayihao <jiayihao@huawei.com> <mailto:jiayihao@huawei.com> > *Cc:* int-area@ietf.org; Tom Herbert <tom@herbertland.com> > <mailto:tom@herbertland.com> > *Subject:* Re: [Int-area] Where/How is the features innovation, > happening? Re: 202201152233.AYC > *Importance:* High > > Hi, YiHao: > > 1) "... I am curious how we can step back a bit as you said. ... > current privacy are ultimately rely on trust point. ...": I > have already outlined (perhaps hinted) what is needed to deal with > this issue. That is, we have to look at the overall environment, > not just keep digging deeper into the technology itself. No matter > how great the technology is, there are always ways to get around > or to defeat it. Some are not based on technology, but business > practices or just mentality. In the case of the APPLE refusing to > support LE, it was the combination of business decision (The LE > decided to do it by themselves and to look for help from > "volunteers") and the technical challenge (viewed by "hackers" as > fun with reward) that bypassed the "trust point". > > 2) To demonstrate my point, I would like to share a brief > history of a related topic, although based on an opposite initial > intention, for you to compare and to figure out how to deal with > the incident privacy / security goal. It was a service started > with great results, but deteriorated by various business > considerations and other influences to a point of nearly useless. > The service was called Caller-ID. When it was first introduced to > identify the caller for the convenience of the called party, it > also put a big dent on telemarketers. That was because the > capability was based on a facility inherent in the telephone > system that no outsiders could touch. With the breakup of the Bell > System, the Baby-Bells (There were seven to start with. They have > gone through the M&A processes to become one AT&T again!) started > to compete against one another. Some marketing genius invented the > idea of offering (of course with compensation in return) big > subscribers to customize their Caller-ID messages for various > purposes, such as announcing sales. -- Note: Thanks to digital > technology, the telephone switching equipment used by big business > (called PABX) had become just as powerful as those used by local > telcos (COs - Central Offices) where Caller-ID information > originated. This allowed telemarketers (pretty big operations) to > masquerade behind any phone number desired, such as using the same > local exchange prefix number as that of the target subscribers to > pretend being a neighbor. Still, a called could pick out welcomed > callers by paying some attention to the message displayed. After > VoIP became widely used, rather than mimicking the practice > employed by cellular phone industry, making sense out of the VoIP > based phone numbers became mind-boggling for practically everyone. > No wonder that Robocalls became much prevalent than the past > telemarketer calls. > > > https://en.wikipedia.org/wiki/Caller_ID#History > > 3) With the FCC's Authentication program, the Robocalls may be > tempered for awhile. But, the caller name has been dropped out of > the Caller-ID message, because the carriers now treat such as > their own valuable merchandise that the called party has to pay to > receive it (Try figuring out how to identify such relationships > and then to establish agreements?) An incoming call now may have a > "[V]" prefix indicating it has passed the "Stir/Shaken" > Verification process, followed by only a caller phone number > without name which becomes pretty much the same challenge for most > people to begin with. So, the Caller-ID service has pretty much > lost its original intended main purpose. > > https://www.fcc.gov/call-authentication > > 4) In brief, Caller-ID was designed under an environment of > uniformly structured system (the PSTN). Even so, it quickly > degraded to a service with minimal residual value when system > fragmentation, diverse marketing incentives, narrow-mindedness > (individual's "freedom"?), etc. came into play. With distributed > network architecture and operation philosophy as the foundation, I > will venture to say that the Internet would have a hard time to > just mimic the identification of the "well-behaved" subscribers > like the original Caller-ID service, let alone hiding their > identity and providing security. What I am saying is that we must > have a "system view" of all parameters involved in an issue, > before we could define what we can do and which we want to do. > Then, the chosen technology may have a chance to deliver the > expected goal. Otherwise, we will be just spinning the wheels on > partial solutions from the diverse individualized perspectives. > > Regards, > > Abe (2022-01-16 12:20 EST) > > On 2022-01-13 01:33, Jiayihao wrote: > > Hello Abe, > > I think we agree on that it is hard for sender to "hide" the > identities in terms of IP. > > And I am curious how we can step back a bit as you said. My > concerns focus on that if we want improve the privacy (even if > one step further), what direction could we head? I embrace any > insight that can enlighten me. > > As for the event you mentioned about Apple, Apple is just > another trust point a lot of us trust. So back to the case > that current privacy are ultimately rely on trust point. > Whether we could remove the trust point is indeed a question > for me. > > Maybe Tor network provide an good example for the volunteer > mode rather than trust point. > > Thanks, > > Yihao > > *From:* Abraham Y. Chen <aychen@avinta.com> > <mailto:aychen@avinta.com> > *Sent:* 2022年1月12日 0:22 > *To:* Jiayihao <jiayihao@huawei.com> <mailto:jiayihao@huawei.com> > *Cc:* int-area@ietf.org; Tom Herbert <tom@herbertland.com> > <mailto:tom@herbertland.com> > *Subject:* Re: [Int-area] Where/How is the features > innovation, happening? Re: 202201111037.AYC > *Importance:* High > > Hi, YiHao: > > 0) It appears to me that you are still applying your own > technical considerations around the subject. Doing so will > perpetuate the current stalemate. What I suggested was to step > back a bit, in order to visualize an overall picture of the > logic and interactions among the parties involved. > > 1) " ... I would say the current countermeasures are designed > for anyone except the LE because LE can force any part to > disclose specific data ... ": Then, make this an > explicit statement as the design criterion for the privacy > measures, so that the LEs will not have the excuses to do mass > surveillance. Bragging there is no back-door, or even refusing > to support LE when requested, such as Apple's position on a > criminal case sometime ago as I heard, LEs will get it done > anyway by looking for "volunteers" from third-party encryption > crackers when their internal resources could not. Then, the > solution to the secret is out in the hacker community. > > 2) I learned a long time ago that a sophisticated lock is out > there for challenging a hacker to figure out a way to break > into it. Way back when, a chemist told me that even Epoxies > had solvents. So, we should not stretch our energy to cover > too much aspects that some tend to be counterproductive for > the society as a whole, in the long run. > > Regards, > > Abe (2022-01-11 11:22) > > On 2022-01-07 02:29, Jiayihao wrote: > > Hello Abe, > > Happy new year! > > The postal system analogy is a good story to understand > IP, but not equal to the pessimistic conclusion you made. > For the conclusion part, I am fully agree with Tom’s > arguments. > > As you focus on IP(v4/v6) specifically, we more or less > follow the logic of How TCP/IP works. Within TCP/IP, > privacy can be divided into content encryption (A) and > content delivery (B). A and B both belong to user privacy. > However, A and B are different things. > > For A, Tom’s arguments is good enough. As for B, same as > Tom’s but one more thing to point. Since you care more > about the LE, I would say the current countermeasures are > designed for anyone except the LE because LE can force any > part to disclose specific data that should be uncovered > under its design philosophy. > > In short, in IP ecosystem, both A and B is still worth > doing. However, as I mentioned in my last mail, any design > philosophy/architecture has somehow implicit **trust > party**. But a LE could be All-powerful because the > fundament of **trust party** is break and no **trust > party** anymore if you put LE into consideration. > > As you mentioned in your last email that there are > conflicts requirements, it happens all the time. RFC 8890 > give the answer and the direction IETF choose. > > So back to the questions I am wondering: If we can upgrade > the architecture somehow, can we enhance the privacy by > ways that more than current countermeasures like RFC7721 > can do? > > Have an excellent 2022! > > Best, > > Yihao > > *From:* Abraham Y. Chen <aychen@avinta.com> > <mailto:aychen@avinta.com> > *Sent:* 2022年1月1日 0:58 > *To:* Tom Herbert <tom@herbertland.com> > <mailto:tom@herbertland.com> > *Cc:* Jiayihao <jiayihao@huawei.com> > <mailto:jiayihao@huawei.com>; int-area@ietf.org > *Subject:* Re: [Int-area] Where/How is the features > innovation, happening? Re: 202112301817.AYC > *Importance:* High > > Hi, Tom: > > 1) "Your argument seems to be that we shouldn't bother > with things like security or encryption at all :-) ... > ": My apologies for getting you to an unexpected > conclusion. Perhaps I failed to make an explicit statement > because I thought that I was following a thread about the > IPv4 or IPv6 addresses "scrambling" schemes for protecting > the privacy of or increasing the security to users. That > is, we should look at this subject by the "Divide & > Conquer" concept. In other words, I was saying that > encrypting the "Content" part as much as the sender / > receiver pair agrees to. But, keep the "Address" part > mostly clear. This way, the LE parties will not have the > excuse of performing "mass surveillance" by scooping up > everything, then take time to digest and regurgitate the > "Content" for hidden treasures. (Remember the report that > the German Chancellor's telephone calls were picked up by > spy agencies?) Rumors have been, that high performance > computer and large capacity storage device manufacturers > are having a field day supplying equipment to LE > organizations such as NSA because the current Internet trend. > > 2) Since my engineering training started from RF (Radio > Frequency or Wireless -- actually all bands from audio all > the way to 60+ GHz), then telephony, and cellular phone > before getting involved with the Internet, allow me to > briefly describe my understanding of the characteristics > of each with respect to our current discussion. Hopefully, > the below can thread different fields together to clarify > my point: > > A. In the RF field, any signal that is transmitted > (sent) into the "ether" is a fair game for everyone. So, > there is no "Address" in the basic RF signal transmission. > Most RF equipment does not transmit its identification by > itself unless the user does so as part of the "Content" on > purpose. For example, a commercial (AM, FM, TV) station > announces its station ID, or call-sign (Address) as part > of the broadcast (Content) according to FCC Rules. So, in > RF communication, we concentrate only on encrypting the > "Content" (such as scrambled / encode speech) for > proprietary applications. > > B. For traditional land-line telephony services, the > caller's phone number (Address) is fixed by wiring (nailed > up) upon subscription. Only the called party's phone > number (Addressee) is dialed once to tell the switching > system who is the destination party, so that the switches > can make the connection. Once the called party answers, > the actual session consists of only "Content" exchanges, > no more "Address" information necessary. Speech scramblers > may be used on either end as a pair, for private > conversation (Content). > > C. RF signals from cellular mobile phone do carry the > handset (and the cell tower) identifications (Addresses) > on both ends without the user's knowledge to facilitate > establishing and maintaining a connection, while the user > constantly crosses the boundaries between cells. > Similarly, speech scramblers may be used on either end as > a pair for private conversation (Content). Note that since > VoIP is behind the scene these days, cellular mobile > service is supported by a mixture of both the traditional > telephony and the Internet infrastructures. > > D. If we look at the Internet environment itself, it is > kind like the cellular mobile phone service. It is > inherently wide open like RF because packets are forwarded > by unstructured mesh routers allowing everyone to listen > in. Yet, each IP packet header carries the Addresses of > both ends for directing routers to deliver the packet, as > well as for the return packet. So, how much can a sender > "hide" the identities of either or both ends for privacy > while still enables the routers to deliver the packet to > its intended destination effectively is a real challenge. > Whatever the scheme chosen, it can not be too > sophisticated to over-burden the routers which means that > it is probably mot much a challenge for a perpetrator > intentionally trying to crack the scheme. > > 3) My sense from the above analysis is that attempting to > make the "Address" part of an IP packet "cryptic" for > improving the privacy / security properties of the > "Content" is probably futile. The more we attempt doing > it, the stronger the LEs' argument for mass surveillance, > even though they probably already knew the solution. > > 4) On the other hand, if we push too hard on strengthening > the encryption of the "Content" without a back door, we > essentially are helping the perpetrators. This is because > if this part worked, the LEs will not be able to monitor > and catch the criminals! > > 5) So, we need to review the pros and cons of the end > results, before jumping into a scheme. > > Happy New Year! > > Abe (2021-12-31 11:57 EST) > > On 2021-12-30 13:29, Tom Herbert wrote: > > On Mon, Dec 27, 2021 at 7:00 PM Abraham Y. Chen > <aychen@avinta.com> wrote: > > Hi, YiHao: > > 0) Hope you had a Merry Christmas as well! > > 1) Re: Ur. Pts 1) & 2): Allow me to modify > and expand your definitions of the abbreviations, > ICP & ISP, a bit to streamline our discussion, > then focusing on related meanings of the two > keyword prefixes, "C" and "A" in the middle of them: > > A. ICP (Internet Content Provider): This > is the same as you are using. > > B. IAP (Internet Access Provider): This > will represent the ISP that you are referring to. > > C. ISP (Internet Service Provider): This > will be used as the general expression that covers > both ICP and IAP above. > > With these, I agree in general with your analysis. > > 2) From the above, there is a simpler (layman's > instead of engineer's) way to look at this riddle. > Let's consider the old fashioned postal service. A > letter itself is the "Content". The envelop has > the "Address". The postal service cares only what > is on the envelop. In fact, it is commonly > practiced without explicitly identified that one > letter may have multiple layers of envelops that > each is opened by the "Addressee" who then forward > the next "Addressee" according to the "Address" on > the inside envelop, accordingly. To a larger > scale, postal services put envelops destined to > the same city in one bag. Then, bags destined to > the same country in one container, etc. This > process is refined to multiple levels depending on > the volume of the mail and the facility (routes) > available for delivery. Then, the containers are > opened progressively along the destination route. > No wonder that the US Postal Service claimed > (during the early days of the Internet) that the > mail system was the fist "packet switching" system. > > 3) So, in this analogy, the "Address" on each > and every envelop has to be in the clear (not > coded or encrypted in any sense) for the mail > handlers to work with. It is only the most inner > "Content", the letter itself, can have > Confidential information (or encrypted if the > sender wishes). Under this scenario, the LE (Law > Enforcement) is allowed only to track suspected > mail by the "Addresses". And, any specific > surveillance is only authorized by court, case by > case. While no one can prevent LE bypassing this > procedure, cases built by violating this > requirement would be the ground for being thrown > out of the court. > > 4) However, in the Internet environment, > largely, if not most, Addresses are dynamic. There > is no way to specify an IP Address for > surveillance of a suspect. This gives the LE the > perfect excuse to scoop up everything and then > analyze offline. This gives them plenty of time to > try various ways to decrypt the encoded messages > and the opportunity to sift through everything for > incidental "surprise bonus finds". The result is > that practically no privacy is left for anyone. is > means that all of the schemes of scrambling IP > Addresses are useless at the end. So, why do we > bother with doing so, at all? > > Abe, > > Happy New Year! > > Your argument seems to be that we shouldn't bother > with things like security or encryption at all :-) > While it's true that anything sent into the Internet > can be intercepted and analyzed offline, it's clearly > the intent of security and privacy mechanisms to make > offline analysis of data ineffective or at least cost > prohibitive. For encryption the calculation is pretty > straightforward, the complexity and cost and breaking > a cipher is generally correlated to the key size. So > for any given key size, it can be determined what sort > of resources are required to break the code. This is a > continuous escalation as attackers gain access for > more computational resources and there are > breakthroughs like in quantum computing that require > rethinking encryption. But regardless, the > effectiveness of encryption at any given point of time > is quantifiable. > > For security and privacy in IP addresses I believe we > should be similarly taking a quantitative approach. > This is where RFC7721 fails. The recommendation of > RFC7721 is that for better security, use temporary > addresses with shorter lifetimes. But the RFC doesn't > attempt to quantify the relationship between address > lifetime and the security that's offered or even say > what specific lifetime is recommended for optimal > security. For instance, if the user changes their > interface address twice a day instead of once a day > does that halve the chances that some may breach their > security by correlating two different flows that they > source from the user? Probably not. But, what if they > change their address every five minutes? How much > better is that than changing the address once a day? > It's intuitive that it should be better security, but > is it _really_ better? And if it is better, are > the benefits worth the aggravation of changing the > address. This is quite similar to some companies that > have a policy that everyone needs to change their > passwords periodically. Studies have shown that there > is little quantitative value in doing this and in fact > the net effect is likely less security and increased > user aggravation-- even so, companies will continue to > do this because it's easier to stick with the inertia > of intuition. > > The fix for the password problem is one time passwords > (OTP) and IMO that hints at the fix for the address > security problems described in RFC7712, essentially we > need single use source addresses per each connection. > The security effects of single use addresses are > quantifiable, i.e. given sample packets from > independent two flows generated by the same user, > without additional information it isn't possible for a > third party to correlate that they are sourced by the > same user. > > Tom > > Happy New Year! > > Abe (2021-12-27 21:59) > > On 2021-12-23 22:26, Jiayihao wrote: > > Hello Abe, > > Users are unwilling to be watched by any > parties(ISP, and ICP also) excepts users > themselves. Actually I would like to divide > the arguments into 2 case: network layers and > below (not completely but mostly controlled by > ISP); transport layers and above (not > completely but mostly controlled by ICP). > > 1) For transport layers and above, Encryption > Everywhere (like TLS) is a good tool to > provide user privacy. However, it is only a > tool against ISPs, while ICPs survive and keep > gaining revenue (even by selling data like the > negative news of Facebook, or Meta, whatever > you call it). As discussed, it is not networks > faults because IP provides peer-to-peer > already. You may blame CGNAT in ISP > increasingly contributes to a C/S mode in > replacing P2P, like in China where IPv4 > addresses are scare and CGNAT is almost > everywhere. However, I don’t find the > situation any better in U.S. where most of > IPv4 address are located. It is a business > choice to overwrite the mode to be > peer-ICP-peer(C/S mode) at application layer, > other than utilize the P2P mode that natively > provided by IP. > > In this case, there are trust points and they > are ICPs. > > 2) For network layers and below, ISP and IP > still provide a pure P2P network, and > Encryption in TLS do not blind ISP in IP layer > since IP header is still in plaintext and > almost controlled by ISP. That is to say, in > an access network scenario, the access network > provide can see every trace of every user at > network layer level (although exclude the > encrypted payload). To against this, one can > use Proxy(i.e., VPN, Tor) to bypass the trace > analysis just like the CGNAT does. The only > difference is that detour points (Proxies) > belong to a third party, not ISP. > > In this case, there are trust points and they > are third party proxies. > > The bottom line is that trust points are > everywhere explicitly or implicitly, and > privacy can be leaked from every (trust) point > that you trust (or have business with). No > matter what network system you have, no matter > it is PSTN or ATM, these trust points are just > the weak points for your privacy, and the only > things users can beg is that **ALL** trust > points are 1) well behave/don’t be evil; > 2)system is advanced enough that can’t be > hacked by any others; 3) protected by law. > > I would say pretty challenging and also > expecting to reach that. > > Network itself just cannot be bypassed in > reaching that. > > Merry Christmas, > > Yihao > > *From:* Abraham Y. Chen <aychen@avinta.com> > <mailto:aychen@avinta.com> > *Sent:* 2021年12月23日10:01 > *To:* Jiayihao <jiayihao@huawei.com> > <mailto:jiayihao@huawei.com> > *Cc:* tom@herbertland.com; int-area@ietf.org > *Subject:* Re: [Int-area] Where/How is the > features innovation, happening? Re: > 202112221726.AYC > *Importance:* High > > Hi, YiHao: > > 0) I am glad that you distilled the complex > and elusive privacy / security tradeoff issues > to a very unique and concise perspective. > > 1) Yes, the IPv4 CG-NAT and IPv6 Temporary > address may seem to provide some privacy > protection. However, with the availability of > the computing power, these (and others such as > VPN) approaches may be just ostrich > mentality. On the other hand, they provide > the perfect excuse for the government (at > least US) to justify for "mass surveillance". > For example, the following is a recent news > report which practically defeats all current > "privacy protection" attempts. > > https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrorism-conviction-mass-surveillance-case/6440325001/ > <https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrorism-conviction-mass-surveillance-case/6440325001/> > > */[jiayihao] there is no doubt./* > > 2) Rather than contradicting efforts, it is > time to review whether any of these schemes > such as mapping techniques really is effective > for the perceived "protection". As much of the > current science fiction type crime scene > detective novel / movie / TV program hinted, > the government probably has more capability to > zero-in on anyone than an ordinary citizen can > imagine, anyway. And, businesses have gathered > more information about us than they will ever > admit. Perhaps we should "think out of the > box" by going back to the PSTN days of > definitive subscriber identification systems, > so that accordingly we will behave > appropriately on the Internet, and the > government will be allowed to only monitor > suspected criminals by filing explicit > (although in secret) requests, case by case, > to the court for approval? > > Happy Holidays! > > Abe (2021-12-22 21:00 EST) > > Hello Tom, > > > > The privacy countermeasure for IPv4/IPv6 is interestingly different. > > IPv4 usually utilize CGNAT, i.e., M(hosts)-to-N(IPs), where M >> N so that the host could remain anonymous > > IPv6 usually utilize Temporary address, i.e., 1(host)-to-M(IPs[at least suffix level]), where M >> 1 so that the host could remain anonymous. > > > > HOWEVER, I don't feel any approach reaches privacy perfectly, because access network have a global perspective on M-to-N or 1-to-M mapping. > > For this, it is hard to be convinced that IPv4/6 itself can reach a perfect privacy. > > > > Thanks, > > Yihao Jia > > > > ----------- > > > > I believe CGNAT is better than IPv6 in terms of privacy in addressing. > > In fact one might argue that IPv4 provides better privacy and security > > than IPv6 in this regard. Temporary addresses are not single use which > > means the attacker can correlate addresses from a user between > > unrelated flows during the quantum the temporary address is used. When > > a user changes their address, the attacker can continue monitoring if > > it is signaled that the address changed. Here is a fairly simple > > exploit I derived to do that (from > > draft-herbert-ipv6-prefix-address-privacy-00). > > > > The exploit is: > > o An attacker creates an "always connected" app that provides some > > seemingly benign service and users download the app. > > o The app includes some sort of persistent identity. For instance, > > this could be an account login. > > o The backend server for the app logs the identity and IP address > > of a user each time they connect > > o When an address change happens, existing connections on the user > > device are disconnected. The app will receive a notification and > > immediately attempt to reconnect using the new source address. > > o The backend server will see the new connection and log the new > > IP address as being associated with the specific user. Thus, > > the server has > > a real-time record of users and the IP address they are using. > > o The attacker intercepts packets at some point in the Internet. > > The addresses in the captured packets can be time correlated > > with the server database to deduce identities of parties in > > communications that are unrelated to the app. > > > > The only way I see to mitigate this sort of surveillance is single use > > addresses. That is effectively what CGNAT can provide. > > > > Tom > > Image removed by sender. > <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon> > > > > Virus-free. www.avast.com > <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link> > -- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Tom Herbert
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Tom Herbert
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Tom Herbert
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- [Int-area] 202201241417.AYC Re: Where/How is the … Abraham Y. Chen
- Re: [Int-area] 202201241417.AYC Re: Where/How is … Jiayihao
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen