Re: [Int-area] Where/How is the features innovation, happening? Re: 202112221726.AYC
"Abraham Y. Chen" <aychen@avinta.com> Thu, 23 December 2021 02:01 UTC
Message-ID: <7c509337-31b5-c0d2-020e-aca6fc9d344e@avinta.com>
Date: Wed, 22 Dec 2021 21:01:28 -0500
From: "Abraham Y. Chen" <aychen@avinta.com>
To: Jiayihao <jiayihao@huawei.com>
Cc: "tom@herbertland.com" <tom@herbertland.com>, "int-area@ietf.org" <int-area@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/c6bahdVpjgj6D2910KWx3cPuedI>
Hi, YiHao:

0) I am glad that you distilled the complex and elusive privacy / security tradeoff issues to a very unique and concise perspective.

1) Yes, the IPv4 CG-NAT and IPv6 Temporary address may seem to provide some privacy protection. However, with the availability of the computing power, these (and others such as VPN) approaches may be just ostrich mentality. On the other hand, they provide the perfect excuse for the government (at least US) to justify "mass surveillance". For example, the following is a recent news report which practically defeats all current "privacy protection" attempts.

https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrorism-conviction-mass-surveillance-case/6440325001/

2) Rather than contradicting efforts, it is time to review whether any of these schemes such as mapping techniques really is effective for the perceived "protection". As much of the current science fiction type crime scene detective novel / movie / TV program hinted, the government probably has more capability to zero-in on anyone than an ordinary citizen can imagine, anyway. And, businesses have gathered more information about us than they will ever admit. Perhaps we should "think out of the box" by going back to the PSTN days of definitive subscriber identification systems, so that accordingly we will behave appropriately on the Internet, and the government will be allowed to only monitor suspected criminals by filing explicit (although in secret) requests, case by case, to the court for approval?

Happy Holidays!

Abe (2021-12-22 21:00 EST)


Hello Tom,

The privacy countermeasure for IPv4/IPv6 is interestingly different. IPv4 usually utilizes CGNAT, i.e., M(hosts)-to-N(IPs), where M >> N so that the host could remain anonymous. IPv6 usually utilizes Temporary address, i.e., 1(host)-to-M(IPs [at least suffix level]), where M >> 1 so that the host could remain anonymous.

HOWEVER, I don't feel any approach reaches privacy perfectly, because access networks have a global perspective on M-to-N or 1-to-M mapping. For this, it is hard to be convinced that IPv4/6 itself can reach a perfect privacy.

Thanks,
Yihao Jia

-----------

I believe CGNAT is better than IPv6 in terms of privacy in addressing. In fact one might argue that IPv4 provides better privacy and security than IPv6 in this regard. Temporary addresses are not single use, which means the attacker can correlate addresses from a user between unrelated flows during the quantum the temporary address is used. When a user changes their address, the attacker can continue monitoring if it is signaled that the address changed. Here is a fairly simple exploit I derived to do that (from draft-herbert-ipv6-prefix-address-privacy-00). The exploit is:

o An attacker creates an "always connected" app that provides some seemingly benign service and users download the app.

o The app includes some sort of persistent identity. For instance, this could be an account login.

o The backend server for the app logs the identity and IP address of a user each time they connect.

o When an address change happens, existing connections on the user device are disconnected. The app will receive a notification and immediately attempt to reconnect using the new source address.

o The backend server will see the new connection and log the new IP address as being associated with the specific user. Thus, the server has a real-time record of users and the IP address they are using.

o The attacker intercepts packets at some point in the Internet. The addresses in the captured packets can be time correlated with the server database to deduce identities of parties in communications that are unrelated to the app.

The only way I see to mitigate this sort of surveillance is single use addresses. That is effectively what CGNAT can provide.

Tom
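The thread's argument (temporary addresses shared across flows within a quantum are linkable through the app's log; single-use addresses are not) as a small simulation. This is an added example, not code from any of the thread's participants; users, quanta, the "app"/"unrelated" flow split and the 2001:db8:: addresses are all constructed, and the observer's only tool is matching captured source addresses against the backend log, as the message describes.

```python
import hashlib


def make_addr(*parts):
    # Constructed pseudo-random address in the documentation prefix 2001:db8::.
    # The observer never inspects its structure; it only matches it against the log.
    digest = hashlib.sha256(":".join(map(str, parts)).encode()).hexdigest()[:16]
    return "2001:db8::" + ":".join(digest[i:i + 4] for i in range(0, 16, 4))


def temporary_policy(user, quantum, flow_id):
    # Temporary-address model: one address per quantum, reused by every flow in it.
    return make_addr(user, quantum)


def single_use_policy(user, quantum, flow_id):
    # Single-use model: every flow gets its own address, so the app flow that
    # populated the log never shares an address with unrelated traffic.
    return make_addr(user, quantum, flow_id)


def simulate(policy, users=("alice", "bob"), quanta=3, unrelated_per_quantum=2):
    """Return (linked, total): how many unrelated flows an on-path observer can
    attribute to a named user by time-correlating captured source addresses
    against the app backend's (time, user, address) log."""
    log = []       # app backend: (time, user, addr), appended on each (re)connect
    captured = []  # observer: (time, src_addr, true_user) for traffic unrelated to the app
    t = 0
    for q in range(quanta):
        for u in users:
            t += 1
            log.append((t, u, policy(u, q, 0)))  # app reconnects right after the address change
            for f in range(1, unrelated_per_quantum + 1):
                t += 1
                captured.append((t, policy(u, q, f), u))
    linked = 0
    for when, addr, truth in captured:
        # Latest log entry carrying this address before the packet was captured.
        hits = [user for (lt, user, a) in log if a == addr and lt <= when]
        if hits and hits[-1] == truth:
            linked += 1
    return linked, len(captured)


if __name__ == "__main__":
    print("temporary addresses:", simulate(temporary_policy))   # every unrelated flow linked
    print("single-use addresses:", simulate(single_use_policy))  # nothing linked
```

Changing the quantum length or the number of users does not change the outcome: with the reuse policy the log resolves every captured flow, with the single-use policy it resolves none, which is the mitigation the last paragraph above argues for.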