Re: [Int-area] Where/How is the features innovation happening?

[Jiayihao <jiayihao@huawei.com>]

Hello Tom,

Agree on that CGNAT is better on this scenario compared to IPv6 temporary address. (although draft https://datatracker.ietf.org/doc/draft-gont-v6ops-ipv6-addressing-considerations/ is asking for IPv6 improvement)

However it is hard to say CGNAT is better than IPv6 temporary address because IPv6 can deploy CGNAT as well if you like(of course if one decide to embrace IPv6 reflects an preference of P2P other than a C/S mode that NAT contribute to)

Then the final concern goes to - How can we improve privacy under End-to-End Principle?

Thanks,
Yihao

-----Original Message-----
From: Tom Herbert <tom@herbertland.com> 
To: Jiayihao <jiayihao@huawei.com>
Cc: int-area@ietf.org
Subject: Re: Where/How is the features innovation happening?

On Mon, Dec 20, 2021 at 1:27 AM Jiayihao <jiayihao@huawei.com> wrote:
>
> Hello Tom,
>
>
>
> The privacy countermeasure for IPv4/IPv6 is interestingly different.
>
> IPv4 usually utilize CGNAT, i.e., M(hosts)-to-N(IPs), where M >> N so 
> that the host could remain anonymous
>
> IPv6 usually utilize Temporary address, i.e., 1(host)-to-M(IPs[at least suffix level]), where M >> 1 so that the host could remain anonymous.
>
>
>
> HOWEVER, I don’t feel any approach reaches privacy perfectly, because access network have a global perspective on M-to-N or 1-to-M mapping.
>
> For this, it is hard to be convinced that IPv4/6 itself can reach a perfect privacy.
>
Jiayihao,

Yes, the access network might out of necessity maintain the mappings that could correlate users to IP addresses. I would expect that the provider has a contractual agreement with users on how that information is protected. The concern is the rest of the Internet for which users aren't in contract with. For that perfect privacy in flow addressing is achieved if given any two packets for two different flows, no third party passively snooping the Internet would be able to correlate whether they are sourced by the same user. Perfect privacy for addressing in general then would be that a third party couldn't correlate that any two packets were sourced by the same user regardless if they are in the same flow.

As I mentioned, under the right conditions, CGNAT is sufficient to meet the perfect privacy in flow addressing. Temporary addresses can't do it if they are used for more than one connection. This is also why I believe RFC8981 is flawed. It describes the mechanisms for getting temporary addresses nicely, but offers no specific guidance as to how long the quantum for the temporary address should be used for any quantifiable level of privacy for the user.

Tom

>
>
> Thanks,
>
> Yihao Jia
>
>
>
> -----------
>
>
>
> I believe CGNAT is better than IPv6 in terms of privacy in addressing.
>
> In fact one might argue that IPv4 provides better privacy and security
>
> than IPv6 in this regard. Temporary addresses are not single use which
>
> means the attacker can correlate addresses from a user between
>
> unrelated flows during the quantum the temporary address is used. When
>
> a user changes their address, the attacker can continue monitoring if
>
> it is signaled that the address changed. Here is a fairly simple
>
> exploit I derived to do that (from
>
> draft-herbert-ipv6-prefix-address-privacy-00).
>
>
>
> The exploit is:
>
>       o An attacker creates an "always connected" app that provides 
> some
>
>         seemingly benign service and users download the app.
>
>       o The app includes some sort of persistent identity. For 
> instance,
>
>         this could be an account login.
>
>       o The backend server for the app logs the identity and IP 
> address
>
>         of a user each time they connect
>
>       o When an address change happens, existing connections on the 
> user
>
>         device are disconnected. The app will receive a notification 
> and
>
>         immediately attempt to reconnect using the new source address.
>
>       o The backend server will see the new connection and log the new
>
>         IP address as being associated with the specific user. Thus,
>
> the server has
>
>         a real-time record of users and the IP address they are using.
>
>       o The attacker intercepts packets at some point in the Internet.
>
>         The addresses in the captured packets can be time correlated
>
>         with the server database to deduce identities of parties in
>
>         communications that are unrelated to the app.
>
>
>
> The only way I see to mitigate this sort of surveillance is single use
>
> addresses. That is effectively what  CGNAT can provide.
>
>
>
> Tom