[Int-area] 202201241417.AYC Re: Where/How is the features innovation, happening? Re: 202201152233.AYC
"Abraham Y. Chen" <aychen@avinta.com> Mon, 24 January 2022 19:31 UTC
Return-Path: <aychen@avinta.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B02373A110B for <int-area@ietfa.amsl.com>; Mon, 24 Jan 2022 11:31:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=avinta.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q1-ALeBgjMmP for <int-area@ietfa.amsl.com>; Mon, 24 Jan 2022 11:30:58 -0800 (PST)
Received: from mx22-1.lowesthosting.com (cp22.lowesthosting.com [23.111.133.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90FCB3A1109 for <int-area@ietf.org>; Mon, 24 Jan 2022 11:30:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=avinta.com; s=default; h=In-Reply-To:References:Cc:To:Subject:From:MIME-Version:Date: Message-ID:Content-Type:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=gd27Uakv1lr0MPJMmWsFiG6vZBhpeR//aVuOpoLyDj8=; b=PrmuU/zC8P2knR4Z4aFGLsKJu3 XGVIAcF2rYk/uT4RqbkA/U3AnFj4DPpXBExq7SYd5rOsCurSQWSFiqqv0YqkVwe15j3+UukfzWmmy P/xHCMApETeLYtIlWbPUPHpwPNxMBCawPVs2VCfy+FMS2V3SQ4XLzOICa4K21CUCXm63acg1QFuju CEGfm+krRxLRAyeC3YXINN2h92EuP2RH9wZGx1vTJkBmBYlZ+VbZTFDoW3RzMf/01LxMDDcecEMqe ynwD8BNDR/JAu8x15spBIh7IzL543iWeyYaAamO+NZascf5859RJ7iUgn4Qv3LgiQf7sxDpKwRqgx RFFTd3Lw==;
Received: from cpe-24-193-166-56.nyc.res.rr.com ([24.193.166.56]:63811 helo=[192.168.1.142]) by mx22-1.lowesthosting.com with esmtpa (Exim 4.94.2) (envelope-from <aychen@avinta.com>) id 1nC53I-0005oI-4I; Mon, 24 Jan 2022 14:30:56 -0500
Content-Type: multipart/alternative; boundary="------------yJW0Iq3E6NnlV8MvnIde0UC5"
Message-ID: <aefc6979-5549-4c98-f081-8ef688c348a5@avinta.com>
Date: Mon, 24 Jan 2022 14:30:54 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
From: "Abraham Y. Chen" <aychen@avinta.com>
To: Jiayihao <jiayihao@huawei.com>
Cc: "int-area@ietf.org" <int-area@ietf.org>, Tom Herbert <tom@herbertland.com>
References: <7c509337-31b5-c0d2-020e-aca6fc9d344e@avinta.com> <ce16122f3387479ca4456325a6fb0a6b@huawei.com> <0a3711b9-0969-2eb1-15e6-3aa8354901d0@avinta.com> <CALx6S37zAk-hdk-a5PGnFYaow9mhb1XmC=4PpqMkdVredq8Zhg@mail.gmail.com> <0dd628bc-d779-46d0-ada3-601295e21c12@avinta.com> <e6d10cda6fd241539051ef209a4a952a@huawei.com> <9dc26758-7fd6-5657-edac-95441869544d@avinta.com> <8e12137b7ad743ee9da01826bdf978d6@huawei.com> <0f0780f9-785e-d561-33c3-93feceb2906b@avinta.com> <086e751e63d7491fb03f44f7b93496b2@huawei.com>
Content-Language: en-US
X-Priority: 1 (Highest)
In-Reply-To: <086e751e63d7491fb03f44f7b93496b2@huawei.com>
X-Antivirus: Avast (VPS 220124-2, 1/24/2022), Outbound message
X-Antivirus-Status: Clean
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mx22-1.lowesthosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - avinta.com
X-Get-Message-Sender-Via: mx22-1.lowesthosting.com: authenticated_id: aychen@avinta.com
X-Authenticated-Sender: mx22-1.lowesthosting.com: aychen@avinta.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/meYluBlV5iEzstxZgNChTc-xMO4>
Subject: [Int-area] 202201241417.AYC Re: Where/How is the features innovation, happening? Re: 202201152233.AYC
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area WG Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jan 2022 19:31:07 -0000
Hi, YiHao: 1) Re: Ur. Pt. 0): I am getting curious. May I ask where are you and how old are you? May be not landline. But, cellular mobile phone services always have at least the numerical part of the Caller-ID function, due to concerns such as who is going to pay for the air-time. 2) Re: Ur. Pts. 1) & 3): Good analysis. As to DNS, it is an unnecessary "reverse" effort relative to the white-book practice in the PSTN field. 3) Re: Ur. Pts. 2) & 4): " ... PKI/Certificate ... ": I do not believe this is necessary if we review the subject from the ground up. Regards, Abe (2022-01-24 14:30 EST) On 2022-01-23 22:11, Jiayihao wrote: > > Hello Abe, > > 0) Really appreciate sharing the story of Call-ID. It is really a > fresh term and tech to me, and seems I haven’t got a chance to > experience the Call-ID time. Really good to learn. > > 1) Based on my rough understanding of Call-ID, it is a classical > example of how we choice to name an object. Assuming we want to visit > the Apple Campus (the Headquarters of Apple Inc.) with our Google map, > we can type a) Apple Campus (Name); b) 1 Infinite Loop, Cupertino, CA > 95014 (Locator 1); c) 37.33182°N 122.03118°W(Locator 2). The only > difference is which one people would like to use, or which one is more > friendly to human in their practice. My understanding is that people > prefer Name while computer prefer Locator, so usually a system would > like to provide the Name to users and build a subordinate Mapping > system as while to corelate the name and the locator. DNS is just a > good example we use every day. > > 2) Agree on your insight that authentication to just Call-ID(phone > number) do not make much sense because it only provide the > authentication of Locator, while leave the Name, which users are more > willing to perceive, unauthenticated. I find that IETF STIR wg is > working on this topic. Although I am not familiar right now, I feel a > PKI/Certificate should be involved in order to gain practical value. > > 3) In a peer to peer context, IMHO, the Name based interface is more > practically valuable compared to Locator based one, just like the name > instead of phone number in the Call-ID case because the numbers do not > offer any meaning even it is authenticated. > > 4) Agree on “….that we must have a "system view"….” and “…Some are not > based on technology, but business practices or just mentality….”. But > I feel there is no Silver Bullet and I don’t have an answer yet. It is > really enjoyable to discuss and I will keep thinking on this. > > Many thanks, Abe, > > Yihao > > *From:* Abraham Y. Chen <aychen@avinta.com> > *Sent:* 2022年1月17日 1:21 > *To:* Jiayihao <jiayihao@huawei.com> > *Cc:* int-area@ietf.org; Tom Herbert <tom@herbertland.com> > *Subject:* Re: [Int-area] Where/How is the features innovation, > happening? Re: 202201152233.AYC > *Importance:* High > > Hi, YiHao: > > 1) "... I am curious how we can step back a bit as you said. ... > current privacy are ultimately rely on trust point. ...": I have > already outlined (perhaps hinted) what is needed to deal with this > issue. That is, we have to look at the overall environment, not just > keep digging deeper into the technology itself. No matter how great > the technology is, there are always ways to get around or to defeat > it. Some are not based on technology, but business practices or just > mentality. In the case of the APPLE refusing to support LE, it was the > combination of business decision (The LE decided to do it by > themselves and to look for help from "volunteers") and the technical > challenge (viewed by "hackers" as fun with reward) that bypassed the > "trust point". > > 2) To demonstrate my point, I would like to share a brief history > of a related topic, although based on an opposite initial intention, > for you to compare and to figure out how to deal with the incident > privacy / security goal. It was a service started with great results, > but deteriorated by various business considerations and other > influences to a point of nearly useless. The service was called > Caller-ID. When it was first introduced to identify the caller for the > convenience of the called party, it also put a big dent on > telemarketers. That was because the capability was based on a facility > inherent in the telephone system that no outsiders could touch. With > the breakup of the Bell System, the Baby-Bells (There were seven to > start with. They have gone through the M&A processes to become one > AT&T again!) started to compete against one another. Some marketing > genius invented the idea of offering (of course with compensation in > return) big subscribers to customize their Caller-ID messages for > various purposes, such as announcing sales. -- Note: Thanks to digital > technology, the telephone switching equipment used by big business > (called PABX) had become just as powerful as those used by local > telcos (COs - Central Offices) where Caller-ID information originated. > This allowed telemarketers (pretty big operations) to masquerade > behind any phone number desired, such as using the same local exchange > prefix number as that of the target subscribers to pretend being a > neighbor. Still, a called could pick out welcomed callers by paying > some attention to the message displayed. After VoIP became widely > used, rather than mimicking the practice employed by cellular phone > industry, making sense out of the VoIP based phone numbers became > mind-boggling for practically everyone. No wonder that Robocalls > became much prevalent than the past telemarketer calls. > > > https://en.wikipedia.org/wiki/Caller_ID#History > > 3) With the FCC's Authentication program, the Robocalls may be > tempered for awhile. But, the caller name has been dropped out of the > Caller-ID message, because the carriers now treat such as their own > valuable merchandise that the called party has to pay to receive it > (Try figuring out how to identify such relationships and then to > establish agreements?) An incoming call now may have a "[V]" prefix > indicating it has passed the "Stir/Shaken" Verification process, > followed by only a caller phone number without name which becomes > pretty much the same challenge for most people to begin with. So, the > Caller-ID service has pretty much lost its original intended main > purpose. > > https://www.fcc.gov/call-authentication > > 4) In brief, Caller-ID was designed under an environment of > uniformly structured system (the PSTN). Even so, it quickly degraded > to a service with minimal residual value when system fragmentation, > diverse marketing incentives, narrow-mindedness (individual's > "freedom"?), etc. came into play. With distributed network > architecture and operation philosophy as the foundation, I will > venture to say that the Internet would have a hard time to just mimic > the identification of the "well-behaved" subscribers like the original > Caller-ID service, let alone hiding their identity and providing > security. What I am saying is that we must have a "system view" of all > parameters involved in an issue, before we could define what we can do > and which we want to do. Then, the chosen technology may have a chance > to deliver the expected goal. Otherwise, we will be just spinning the > wheels on partial solutions from the diverse individualized perspectives. > > Regards, > > Abe (2022-01-16 12:20 EST) > > On 2022-01-13 01:33, Jiayihao wrote: > > Hello Abe, > > I think we agree on that it is hard for sender to "hide" the > identities in terms of IP. > > And I am curious how we can step back a bit as you said. My > concerns focus on that if we want improve the privacy (even if one > step further), what direction could we head? I embrace any insight > that can enlighten me. > > As for the event you mentioned about Apple, Apple is just another > trust point a lot of us trust. So back to the case that current > privacy are ultimately rely on trust point. Whether we could > remove the trust point is indeed a question for me. > > Maybe Tor network provide an good example for the volunteer mode > rather than trust point. > > Thanks, > > Yihao > > *From:* Abraham Y. Chen <aychen@avinta.com> > <mailto:aychen@avinta.com> > *Sent:* 2022年1月12日 0:22 > *To:* Jiayihao <jiayihao@huawei.com> <mailto:jiayihao@huawei.com> > *Cc:* int-area@ietf.org; Tom Herbert <tom@herbertland.com> > <mailto:tom@herbertland.com> > *Subject:* Re: [Int-area] Where/How is the features innovation, > happening? Re: 202201111037.AYC > *Importance:* High > > Hi, YiHao: > > 0) It appears to me that you are still applying your own > technical considerations around the subject. Doing so will > perpetuate the current stalemate. What I suggested was to step > back a bit, in order to visualize an overall picture of the logic > and interactions among the parties involved. > > 1) " ... I would say the current countermeasures are designed > for anyone except the LE because LE can force any part to disclose > specific data ... ": Then, make this an explicit statement > as the design criterion for the privacy measures, so that the LEs > will not have the excuses to do mass surveillance. Bragging there > is no back-door, or even refusing to support LE when requested, > such as Apple's position on a criminal case sometime ago as I > heard, LEs will get it done anyway by looking for "volunteers" > from third-party encryption crackers when their internal resources > could not. Then, the solution to the secret is out in the hacker > community. > > 2) I learned a long time ago that a sophisticated lock is out > there for challenging a hacker to figure out a way to break into > it. Way back when, a chemist told me that even Epoxies had > solvents. So, we should not stretch our energy to cover too much > aspects that some tend to be counterproductive for the society as > a whole, in the long run. > > Regards, > > Abe (2022-01-11 11:22) > > On 2022-01-07 02:29, Jiayihao wrote: > > Hello Abe, > > Happy new year! > > The postal system analogy is a good story to understand IP, > but not equal to the pessimistic conclusion you made. For the > conclusion part, I am fully agree with Tom’s arguments. > > As you focus on IP(v4/v6) specifically, we more or less follow > the logic of How TCP/IP works. Within TCP/IP, privacy can be > divided into content encryption (A) and content delivery (B). > A and B both belong to user privacy. However, A and B are > different things. > > For A, Tom’s arguments is good enough. As for B, same as Tom’s > but one more thing to point. Since you care more about the LE, > I would say the current countermeasures are designed for > anyone except the LE because LE can force any part to disclose > specific data that should be uncovered under its design > philosophy. > > In short, in IP ecosystem, both A and B is still worth doing. > However, as I mentioned in my last mail, any design > philosophy/architecture has somehow implicit **trust party**. > But a LE could be All-powerful because the fundament of > **trust party** is break and no **trust party** anymore if you > put LE into consideration. > > As you mentioned in your last email that there are conflicts > requirements, it happens all the time. RFC 8890 give the > answer and the direction IETF choose. > > So back to the questions I am wondering: If we can upgrade the > architecture somehow, can we enhance the privacy by ways that > more than current countermeasures like RFC7721 can do? > > Have an excellent 2022! > > Best, > > Yihao > > *From:* Abraham Y. Chen <aychen@avinta.com> > <mailto:aychen@avinta.com> > *Sent:* 2022年1月1日 0:58 > *To:* Tom Herbert <tom@herbertland.com> > <mailto:tom@herbertland.com> > *Cc:* Jiayihao <jiayihao@huawei.com> > <mailto:jiayihao@huawei.com>; int-area@ietf.org > *Subject:* Re: [Int-area] Where/How is the features > innovation, happening? Re: 202112301817.AYC > *Importance:* High > > Hi, Tom: > > 1) "Your argument seems to be that we shouldn't bother with > things like security or encryption at all :-) ... ": My > apologies for getting you to an unexpected conclusion. Perhaps > I failed to make an explicit statement because I thought that > I was following a thread about the IPv4 or IPv6 addresses > "scrambling" schemes for protecting the privacy of or > increasing the security to users. That is, we should look at > this subject by the "Divide & Conquer" concept. In other > words, I was saying that encrypting the "Content" part as much > as the sender / receiver pair agrees to. But, keep the > "Address" part mostly clear. This way, the LE parties will not > have the excuse of performing "mass surveillance" by scooping > up everything, then take time to digest and regurgitate the > "Content" for hidden treasures. (Remember the report that the > German Chancellor's telephone calls were picked up by spy > agencies?) Rumors have been, that high performance computer > and large capacity storage device manufacturers are having a > field day supplying equipment to LE organizations such as NSA > because the current Internet trend. > > 2) Since my engineering training started from RF (Radio > Frequency or Wireless -- actually all bands from audio all the > way to 60+ GHz), then telephony, and cellular phone before > getting involved with the Internet, allow me to briefly > describe my understanding of the characteristics of each with > respect to our current discussion. Hopefully, the below can > thread different fields together to clarify my point: > > A. In the RF field, any signal that is transmitted (sent) > into the "ether" is a fair game for everyone. So, there is no > "Address" in the basic RF signal transmission. Most RF > equipment does not transmit its identification by itself > unless the user does so as part of the "Content" on purpose. > For example, a commercial (AM, FM, TV) station announces its > station ID, or call-sign (Address) as part of the broadcast > (Content) according to FCC Rules. So, in RF communication, we > concentrate only on encrypting the "Content" (such as > scrambled / encode speech) for proprietary applications. > > B. For traditional land-line telephony services, the > caller's phone number (Address) is fixed by wiring (nailed up) > upon subscription. Only the called party's phone number > (Addressee) is dialed once to tell the switching system who is > the destination party, so that the switches can make the > connection. Once the called party answers, the actual session > consists of only "Content" exchanges, no more "Address" > information necessary. Speech scramblers may be used on either > end as a pair, for private conversation (Content). > > C. RF signals from cellular mobile phone do carry the > handset (and the cell tower) identifications (Addresses) on > both ends without the user's knowledge to facilitate > establishing and maintaining a connection, while the user > constantly crosses the boundaries between cells. Similarly, > speech scramblers may be used on either end as a pair for > private conversation (Content). Note that since VoIP is behind > the scene these days, cellular mobile service is supported by > a mixture of both the traditional telephony and the Internet > infrastructures. > > D. If we look at the Internet environment itself, it is kind > like the cellular mobile phone service. It is inherently wide > open like RF because packets are forwarded by unstructured > mesh routers allowing everyone to listen in. Yet, each IP > packet header carries the Addresses of both ends for directing > routers to deliver the packet, as well as for the return > packet. So, how much can a sender "hide" the identities of > either or both ends for privacy while still enables the > routers to deliver the packet to its intended destination > effectively is a real challenge. Whatever the scheme chosen, > it can not be too sophisticated to over-burden the routers > which means that it is probably mot much a challenge for a > perpetrator intentionally trying to crack the scheme. > > 3) My sense from the above analysis is that attempting to make > the "Address" part of an IP packet "cryptic" for improving the > privacy / security properties of the "Content" is probably > futile. The more we attempt doing it, the stronger the LEs' > argument for mass surveillance, even though they probably > already knew the solution. > > 4) On the other hand, if we push too hard on strengthening the > encryption of the "Content" without a back door, we > essentially are helping the perpetrators. This is because if > this part worked, the LEs will not be able to monitor and > catch the criminals! > > 5) So, we need to review the pros and cons of the end results, > before jumping into a scheme. > > Happy New Year! > > Abe (2021-12-31 11:57 EST) > > On 2021-12-30 13:29, Tom Herbert wrote: > > On Mon, Dec 27, 2021 at 7:00 PM Abraham Y. Chen > <aychen@avinta.com> wrote: > > Hi, YiHao: > > 0) Hope you had a Merry Christmas as well! > > 1) Re: Ur. Pts 1) & 2): Allow me to modify and > expand your definitions of the abbreviations, ICP & > ISP, a bit to streamline our discussion, then focusing > on related meanings of the two keyword prefixes, "C" > and "A" in the middle of them: > > A. ICP (Internet Content Provider): This is > the same as you are using. > > B. IAP (Internet Access Provider): This will > represent the ISP that you are referring to. > > C. ISP (Internet Service Provider): This > will be used as the general expression that covers > both ICP and IAP above. > > With these, I agree in general with your analysis. > > 2) From the above, there is a simpler (layman's > instead of engineer's) way to look at this riddle. > Let's consider the old fashioned postal service. A > letter itself is the "Content". The envelop has the > "Address". The postal service cares only what is on > the envelop. In fact, it is commonly practiced without > explicitly identified that one letter may have > multiple layers of envelops that each is opened by the > "Addressee" who then forward the next "Addressee" > according to the "Address" on the inside envelop, > accordingly. To a larger scale, postal services put > envelops destined to the same city in one bag. Then, > bags destined to the same country in one container, > etc. This process is refined to multiple levels > depending on the volume of the mail and the facility > (routes) available for delivery. Then, the containers > are opened progressively along the destination route. > No wonder that the US Postal Service claimed (during > the early days of the Internet) that the mail system > was the fist "packet switching" system. > > 3) So, in this analogy, the "Address" on each and > every envelop has to be in the clear (not coded or > encrypted in any sense) for the mail handlers to work > with. It is only the most inner "Content", the letter > itself, can have Confidential information (or > encrypted if the sender wishes). Under this scenario, > the LE (Law Enforcement) is allowed only to track > suspected mail by the "Addresses". And, any specific > surveillance is only authorized by court, case by > case. While no one can prevent LE bypassing this > procedure, cases built by violating this requirement > would be the ground for being thrown out of the court. > > 4) However, in the Internet environment, largely, > if not most, Addresses are dynamic. There is no way to > specify an IP Address for surveillance of a suspect. > This gives the LE the perfect excuse to scoop up > everything and then analyze offline. This gives them > plenty of time to try various ways to decrypt the > encoded messages and the opportunity to sift through > everything for incidental "surprise bonus finds". The > result is that practically no privacy is left for > anyone. is means that all of the schemes of scrambling > IP Addresses are useless at the end. So, why do we > bother with doing so, at all? > > Abe, > > Happy New Year! > > Your argument seems to be that we shouldn't bother with > things like security or encryption at all :-) While it's > true that anything sent into the Internet can be > intercepted and analyzed offline, it's clearly the intent > of security and privacy mechanisms to make offline > analysis of data ineffective or at least cost prohibitive. > For encryption the calculation is pretty straightforward, > the complexity and cost and breaking a cipher is generally > correlated to the key size. So for any given key size, it > can be determined what sort of resources are required to > break the code. This is a continuous escalation as > attackers gain access for more computational resources and > there are breakthroughs like in quantum computing that > require rethinking encryption. But regardless, the > effectiveness of encryption at any given point of time is > quantifiable. > > For security and privacy in IP addresses I believe we > should be similarly taking a quantitative approach. This > is where RFC7721 fails. The recommendation of RFC7721 is > that for better security, use temporary addresses with > shorter lifetimes. But the RFC doesn't attempt to quantify > the relationship between address lifetime and the security > that's offered or even say what specific lifetime is > recommended for optimal security. For instance, if the > user changes their interface address twice a day instead > of once a day does that halve the chances that some may > breach their security by correlating two different flows > that they source from the user? Probably not. But, what if > they change their address every five minutes? How much > better is that than changing the address once a day? It's > intuitive that it should be better security, but is it > _really_ better? And if it is better, are the benefits > worth the aggravation of changing the address. This is > quite similar to some companies that have a policy that > everyone needs to change their passwords periodically. > Studies have shown that there is little quantitative value > in doing this and in fact the net effect is likely less > security and increased user aggravation-- even so, > companies will continue to do this because it's easier to > stick with the inertia of intuition. > > The fix for the password problem is one time passwords > (OTP) and IMO that hints at the fix for the address > security problems described in RFC7712, essentially we > need single use source addresses per each connection. The > security effects of single use addresses are quantifiable, > i.e. given sample packets from independent two flows > generated by the same user, without additional information > it isn't possible for a third party to correlate that they > are sourced by the same user. > > Tom > > Happy New Year! > > Abe (2021-12-27 21:59) > > On 2021-12-23 22:26, Jiayihao wrote: > > Hello Abe, > > Users are unwilling to be watched by any > parties(ISP, and ICP also) excepts users > themselves. Actually I would like to divide the > arguments into 2 case: network layers and below > (not completely but mostly controlled by ISP); > transport layers and above (not completely but > mostly controlled by ICP). > > 1) For transport layers and above, Encryption > Everywhere (like TLS) is a good tool to provide > user privacy. However, it is only a tool against > ISPs, while ICPs survive and keep gaining revenue > (even by selling data like the negative news of > Facebook, or Meta, whatever you call it). As > discussed, it is not networks faults because IP > provides peer-to-peer already. You may blame CGNAT > in ISP increasingly contributes to a C/S mode in > replacing P2P, like in China where IPv4 addresses > are scare and CGNAT is almost everywhere. However, > I don’t find the situation any better in U.S. > where most of IPv4 address are located. It is a > business choice to overwrite the mode to be > peer-ICP-peer(C/S mode) at application layer, > other than utilize the P2P mode that natively > provided by IP. > > In this case, there are trust points and they are > ICPs. > > 2) For network layers and below, ISP and IP still > provide a pure P2P network, and Encryption in TLS > do not blind ISP in IP layer since IP header is > still in plaintext and almost controlled by ISP. > That is to say, in an access network scenario, the > access network provide can see every trace of > every user at network layer level (although > exclude the encrypted payload). To against this, > one can use Proxy(i.e., VPN, Tor) to bypass the > trace analysis just like the CGNAT does. The only > difference is that detour points (Proxies) belong > to a third party, not ISP. > > In this case, there are trust points and they are > third party proxies. > > The bottom line is that trust points are > everywhere explicitly or implicitly, and privacy > can be leaked from every (trust) point that you > trust (or have business with). No matter what > network system you have, no matter it is PSTN or > ATM, these trust points are just the weak points > for your privacy, and the only things users can > beg is that **ALL** trust points are 1) well > behave/don’t be evil; 2)system is advanced enough > that can’t be hacked by any others; 3) protected > by law. > > I would say pretty challenging and also expecting > to reach that. > > Network itself just cannot be bypassed in reaching > that. > > Merry Christmas, > > Yihao > > *From:* Abraham Y. Chen <aychen@avinta.com> > <mailto:aychen@avinta.com> > *Sent:* 2021年12月23日 10:01 > *To:* Jiayihao <jiayihao@huawei.com> > <mailto:jiayihao@huawei.com> > *Cc:* tom@herbertland.com; int-area@ietf.org > *Subject:* Re: [Int-area] Where/How is the > features innovation, happening? Re: 202112221726.AYC > *Importance:* High > > Hi, YiHao: > > 0) I am glad that you distilled the complex and > elusive privacy / security tradeoff issues to a > very unique and concise perspective. > > 1) Yes, the IPv4 CG-NAT and IPv6 Temporary > address may seem to provide some privacy > protection. However, with the availability of the > computing power, these (and others such as VPN) > approaches may be just ostrich mentality. On the > other hand, they provide the perfect excuse for > the government (at least US) to justify for "mass > surveillance". For example, the following is a > recent news report which practically defeats all > current "privacy protection" attempts. > > https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrorism-conviction-mass-surveillance-case/6440325001/ > <https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrorism-conviction-mass-surveillance-case/6440325001/> > > */[jiayihao] there is no doubt./* > > 2) Rather than contradicting efforts, it is > time to review whether any of these schemes such > as mapping techniques really is effective for the > perceived "protection". As much of the current > science fiction type crime scene detective novel / > movie / TV program hinted, the government probably > has more capability to zero-in on anyone than an > ordinary citizen can imagine, anyway. And, > businesses have gathered more information about us > than they will ever admit. Perhaps we should > "think out of the box" by going back to the PSTN > days of definitive subscriber identification > systems, so that accordingly we will behave > appropriately on the Internet, and the government > will be allowed to only monitor suspected > criminals by filing explicit (although in secret) > requests, case by case, to the court for approval? > > Happy Holidays! > > Abe (2021-12-22 21:00 EST) > > Hello Tom, > > > > The privacy countermeasure for IPv4/IPv6 is interestingly different. > > IPv4 usually utilize CGNAT, i.e., M(hosts)-to-N(IPs), where M >> N so that the host could remain anonymous > > IPv6 usually utilize Temporary address, i.e., 1(host)-to-M(IPs[at least suffix level]), where M >> 1 so that the host could remain anonymous. > > > > HOWEVER, I don't feel any approach reaches privacy perfectly, because access network have a global perspective on M-to-N or 1-to-M mapping. > > For this, it is hard to be convinced that IPv4/6 itself can reach a perfect privacy. > > > > Thanks, > > Yihao Jia > > > > ----------- > > > > I believe CGNAT is better than IPv6 in terms of privacy in addressing. > > In fact one might argue that IPv4 provides better privacy and security > > than IPv6 in this regard. Temporary addresses are not single use which > > means the attacker can correlate addresses from a user between > > unrelated flows during the quantum the temporary address is used. When > > a user changes their address, the attacker can continue monitoring if > > it is signaled that the address changed. Here is a fairly simple > > exploit I derived to do that (from > > draft-herbert-ipv6-prefix-address-privacy-00). > > > > The exploit is: > > o An attacker creates an "always connected" app that provides some > > seemingly benign service and users download the app. > > o The app includes some sort of persistent identity. For instance, > > this could be an account login. > > o The backend server for the app logs the identity and IP address > > of a user each time they connect > > o When an address change happens, existing connections on the user > > device are disconnected. The app will receive a notification and > > immediately attempt to reconnect using the new source address. > > o The backend server will see the new connection and log the new > > IP address as being associated with the specific user. Thus, > > the server has > > a real-time record of users and the IP address they are using. > > o The attacker intercepts packets at some point in the Internet. > > The addresses in the captured packets can be time correlated > > with the server database to deduce identities of parties in > > communications that are unrelated to the app. > > > > The only way I see to mitigate this sort of surveillance is single use > > addresses. That is effectively what CGNAT can provide. > > > > Tom > > Image removed by sender. > <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon> > > > > Virus-free. www.avast.com > <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link> > -- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Tom Herbert
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Tom Herbert
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Tom Herbert
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- [Int-area] 202201241417.AYC Re: Where/How is the … Abraham Y. Chen
- Re: [Int-area] 202201241417.AYC Re: Where/How is … Jiayihao
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen
- Re: [Int-area] Where/How is the features innovati… Jiayihao
- Re: [Int-area] Where/How is the features innovati… Abraham Y. Chen