Re: [Int-area] Where/How is the features innovation, happening? Re: 202112221726.AYC

[Jiayihao <jiayihao@huawei.com>]

Hello Abe,

Users are unwilling to be watched by any parties(ISP, and ICP also) excepts users themselves. Actually I would like to divide the arguments into 2 case: network layers and below (not completely but mostly controlled by ISP); transport layers and above (not completely but mostly controlled by ICP).

1) For transport layers and above, Encryption Everywhere (like TLS) is a good tool to provide user privacy. However, it is only a tool against ISPs, while ICPs survive and keep gaining revenue (even by selling data like the negative news of Facebook, or Meta, whatever you call it). As discussed, it is not networks faults because IP provides peer-to-peer already. You may blame CGNAT in ISP increasingly contributes to a C/S mode in replacing P2P, like in China where IPv4 addresses are scare and CGNAT is almost everywhere. However, I don’t find the situation any better in U.S. where most of IPv4 address are located. It is a business choice to overwrite the mode to be peer-ICP-peer(C/S mode) at application layer, other than utilize the P2P mode that natively provided by IP.

In this case, there are trust points and they are ICPs.

2) For network layers and below, ISP and IP still provide a pure P2P network, and Encryption in TLS do not blind ISP in IP layer since IP header is still in plaintext and almost controlled by ISP. That is to say, in an access network scenario, the access network provide can see every trace of every user at network layer level (although exclude the encrypted payload). To against this, one can use Proxy(i.e., VPN, Tor) to bypass the trace analysis just like the CGNAT does. The only difference is that detour points (Proxies) belong to a third party, not ISP.

In this case, there are trust points and they are third party proxies.

The bottom line is that trust points are everywhere explicitly or implicitly, and privacy can be leaked from every (trust) point that you trust (or have business with). No matter what network system you have, no matter it is PSTN or ATM, these trust points are just the weak points for your privacy, and the only things users can beg is that *ALL* trust points are 1) well behave/don’t be evil; 2)system is advanced enough that can’t be hacked by any others; 3) protected by law.

I would say pretty challenging and also expecting to reach that.
Network itself just cannot be bypassed in reaching that.

Merry Christmas,
Yihao


From: Abraham Y. Chen <aychen@avinta.com>
Sent: 2021年12月23日 10:01
To: Jiayihao <jiayihao@huawei.com>
Cc: tom@herbertland.com; int-area@ietf.org
Subject: Re: [Int-area] Where/How is the features innovation, happening? Re: 202112221726.AYC
Importance: High


Hi, YiHao:

0)    I am glad that you distilled the complex and elusive privacy / security tradeoff issues to a very unique and concise perspective.

1)    Yes, the IPv4 CG-NAT and IPv6 Temporary address may seem to provide some privacy protection. However, with the availability of the computing power, these (and others such as VPN) approaches may be just ostrich mentality.  On the other hand, they provide the perfect excuse for the government (at least US) to justify for "mass surveillance". For example, the following is a recent news report which practically defeats all current "privacy protection" attempts.

    https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrorism-conviction-mass-surveillance-case/6440325001/

[jiayihao] there is no doubt.

2)    Rather than contradicting efforts, it is time to review whether any of these schemes such as mapping techniques really is effective for the perceived "protection". As much of the current science fiction type crime scene detective novel / movie / TV program hinted, the government probably has more capability to zero-in on anyone than an ordinary citizen can imagine, anyway. And, businesses have gathered more information about us than they will ever admit. Perhaps we should "think out of the box" by going back to the PSTN days of definitive subscriber identification systems, so that accordingly we will behave appropriately on the Internet, and the government will be allowed to only monitor suspected criminals by filing explicit (although in secret) requests, case by case, to the court for approval?



Happy Holidays!





Abe (2021-12-22 21:00 EST)



Hello Tom,



The privacy countermeasure for IPv4/IPv6 is interestingly different.

IPv4 usually utilize CGNAT, i.e., M(hosts)-to-N(IPs), where M >> N so that the host could remain anonymous

IPv6 usually utilize Temporary address, i.e., 1(host)-to-M(IPs[at least suffix level]), where M >> 1 so that the host could remain anonymous.



HOWEVER, I don't feel any approach reaches privacy perfectly, because access network have a global perspective on M-to-N or 1-to-M mapping.

For this, it is hard to be convinced that IPv4/6 itself can reach a perfect privacy.



Thanks,

Yihao Jia



-----------



I believe CGNAT is better than IPv6 in terms of privacy in addressing.

In fact one might argue that IPv4 provides better privacy and security

than IPv6 in this regard. Temporary addresses are not single use which

means the attacker can correlate addresses from a user between

unrelated flows during the quantum the temporary address is used. When

a user changes their address, the attacker can continue monitoring if

it is signaled that the address changed. Here is a fairly simple

exploit I derived to do that (from

draft-herbert-ipv6-prefix-address-privacy-00).



The exploit is:

      o An attacker creates an "always connected" app that provides some

        seemingly benign service and users download the app.

      o The app includes some sort of persistent identity. For instance,

        this could be an account login.

      o The backend server for the app logs the identity and IP address

        of a user each time they connect

      o When an address change happens, existing connections on the user

        device are disconnected. The app will receive a notification and

        immediately attempt to reconnect using the new source address.

      o The backend server will see the new connection and log the new

        IP address as being associated with the specific user. Thus,

the server has

        a real-time record of users and the IP address they are using.

      o The attacker intercepts packets at some point in the Internet.

        The addresses in the captured packets can be time correlated

        with the server database to deduce identities of parties in

        communications that are unrelated to the app.



The only way I see to mitigate this sort of surveillance is single use

addresses. That is effectively what  CGNAT can provide.



Tom

[Image removed by sender.]<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon>

Virus-free. www.avast.com<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link>