IETF Logo Mail Archive

Re: Address privacy

Tom Herbert <tom@herbertland.com> Sun, 26 January 2020 20:16 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75467120043 for <ipv6@ietfa.amsl.com>; Sun, 26 Jan 2020 12:16:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ukU4Y5budV93 for <ipv6@ietfa.amsl.com>; Sun, 26 Jan 2020 12:16:18 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAA07120071 for <ipv6@ietf.org>; Sun, 26 Jan 2020 12:16:17 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id e10so8674473edv.9 for <ipv6@ietf.org>; Sun, 26 Jan 2020 12:16:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=OLhnQQd2QaycbP/58Ljeq2XRadYfbeMP+mfwnRVeW4c=; b=z3xM2OSwKcf5B9J9BgZYWtZoRiIMfGUF16UVXZ4tgRZJgLAhb9i1NW9qzYaVjkusCU zAgOlIU+pR3FhUkxX9lXR2V5/5nGTB1Nd7Fc3LoQp044zr3jvr0YcsRjrC8i1IfXVa2e d8tvLsZnKOJ1qkNGjNH8LHWBvrrlI4qxBS4tupvMvCL+diEo3pWsR7VsA9qGBkqivVOD DYEbKSADE1cJIcsVMbUWOzmZyew2hXE1AlZKjCrmX8OtLnR3XXMxCim7XSHahCZYNgI2 B5m9Z3uAkwR2wrNwliZ0r3EBxvvDRoMQ/53HuKzy735rPJXLLurZW8f/5+SREXQH5UWZ Ar1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=OLhnQQd2QaycbP/58Ljeq2XRadYfbeMP+mfwnRVeW4c=; b=L2W9Tv+RsrOMZtWtLLcB+z/5c3y1zXTNXDrRpbFXP2HL+UuS5jQnFlAKxp+tH1KUUT 26tv5IJhQyNqK6sIIedk2IEIWmp1LK4/LZ2qHuncrFJENIzCCPQ7MQZG+rEU/Td24tlg AO13Az5d0RWeIyTjCZKfmBxD1blDKxANkmbgo7HehFqGUKTCEMubz4T7EjaLewr2MaqO kY10wzlkANCmUPh2+VrBEiFGGEx5dTIJo+HbY5vepHhucRJnhV2EtrnExBT48IXr1gQP E6sWeC5HuXFl1LULeuJjFUT4RYZgbJUtlupl+1PG/WDjhlU2pDVJo6y04JQvk06cnPSO Kl3g==
X-Gm-Message-State: APjAAAXw3GSmi2nhOHVj84easwTFVa8uo+qhmxKqlWHhCMRnuWuRiqeI 45GnKn2oOM+cCB1OaTTaJ7KDpPzcuXP6Zj1bBse2JCop
X-Google-Smtp-Source: APXvYqzibha4fl9ia4I/WDzmBktX13R2a+IUtlOniBqW+GFNzm3054T8oJ0yWkGGQl+lHvVaF8+XXx3j5mFMDk/vaTc=
X-Received: by 2002:a50:eb95:: with SMTP id y21mr10888861edr.212.1580069775992; Sun, 26 Jan 2020 12:16:15 -0800 (PST)
MIME-Version: 1.0
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <MN2PR11MB3565330989D411525D30B90DD80F0@MN2PR11MB3565.namprd11.prod.outlook.com> <80207E17-AE8E-4D19-B516-D2E6AB70721E@employees.org> <8D5610EA-49D3-483E-BB7A-67D67BC89346@jisc.ac.uk> <DE7B0688-230F-4A5C-8E24-9EAED9FD9FEB@puck.nether.net> <CAO42Z2zXwVnzemRqyqy78czpHjZm0nhkCJgVrx=-fmt+C6MnSA@mail.gmail.com> <1962.1579823388@localhost> <f83ab037-9125-bb74-dbac-68850aeb1020@huitema.net> <CBB23ABE-A7A3-4208-873C-E47EE063E34B@fugue.com> <11855.1579980079@localhost> <CALx6S36V_VjaxhELYcsgDYLWsCkj20p6gtiY9T9Q=9-9Oibyjw@mail.gmail.com> <32626.1580060558@localhost> <CALx6S37prWACD0jv9c-XHD-JtPqZAcgeT2Ax0EZHkiQaDR4t=g@mail.gmail.com> <419b7c7a-e364-7951-5a44-6c39e1da65fb@joelhalpern.com>
In-Reply-To: <419b7c7a-e364-7951-5a44-6c39e1da65fb@joelhalpern.com>
From: Tom Herbert <tom@herbertland.com>
Date: Sun, 26 Jan 2020 12:16:04 -0800
Message-ID: <CALx6S36802oDaEgojAPq2c6hM_s1BayidXPh1Sc6RZmZa9UHpQ@mail.gmail.com>
Subject: Re: Address privacy
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Cc: 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/21qCVts07UQgViuF6vcZWThgzKo>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jan 2020 20:16:21 -0000

On Sun, Jan 26, 2020 at 11:59 AM Joel M. Halpern <jmh@joelhalpern.com> wrote:
>
> Tom, your description is somewhat misleading.
>
> On the one hand, LISP replies on per-flow state only in the mapping
> entity.  Not at arbitrary places in the network.
>
> Secondly, if hosts work in terms of identifiers, and the network works
> in temrs of locators, someone has to map them.  You can cache (including
> caching the whole thing), you can ask the host to hold the cache itself.
>   There are other tradeoffs you can make, moving things around.  But you
> can't just magically make the problem disappear.

Joel,

It comes down to how many addresses need to be mapped. It's intuitive
that a higher frequency of address rotation yields more privacy. But
higher frequency of address rotation means more active addresses in
the network. This degenerates to the greatest frequency of change
which would be to give each flow it's own unique address, and this is
also the one case of temporary addresses where we can quantify the
privacy characteristics.

However, giving each flow its own address quickly becomes a scaling
and management problem-- we're talking several billions of active
addresses in some provider networks. Hence, I believe we need mapping
functions that are more N:1 than 1:1 (the latter doesn't scale).
Similar, the ability of the network to delegate and map bundles of
uncorrelated addresses to devices would be useful.

Tom

>
> Yours,
> Joel
>
> On 1/26/2020 2:51 PM, Tom Herbert wrote:
> > On Sun, Jan 26, 2020 at 9:42 AM Michael Richardson
> > <mcr+ietf@sandelman.ca> wrote:
> >>
> >>
> >> Tom Herbert <tom@herbertland.com> wrote:
> >>      >> Except that instead of doing it at layer 4, you do it with IPsec, and extrude
> >>      >> that /128 to your machine.  This is already a thing :-)
> >>      >>
> >>      >> > Another solution I’ve considered is to have a giant anonymity mesh,
> >>      >> > with every ISP’s user participating, and forward flows through this
> >>      >> > mesh, treating each customer as an anonymity server.   I think this is
> >>      >>
> >>      >> This is also a thing called Tor.
> >>      >>
> >>      > Michael,
> >>
> >>      > Doesn't that require that the users must explicitly configure when
> >>      > they want privacy? I think a general solution should be transparent to
> >>
> >> Yes, I agree, it requires explicit configuration.
> >> I agree that this is not a good thing.
> >>
> >>      > the user and "just works" to ensure their privacy. That in fact is one
> >>      > of the arguments for NAT. If there is a significantly large enough
> >>      > pool of users behind a NAT device, then the obfuscation is transparent
> >>      > to the use and seems to be pretty good privacy (good enough that law
> >>      > enforcement is concerned about NAT). I suppose a similar effect could
> >>      > be achieved with a transparent proxy.
> >>
> >> Yes, and I think that more and more LEA will grow ever concerned about this
> >> situation, and it *is* pushing IPv6 adoption.  So, how can we find a happy medium?
> >>
> >>      > You might want to take a look at draft-herbert-ipv6-prefix-address-privacy-00.
> >>
> >> An interesting read. I'm not sure where it goes.
> >>
> >> I would like Locator/Identifier separation.
> >> I wanted SHIM6. LISP would work, I think.
> >> Then privacy needs don't need to screw up efficient routing at the edge.
> >>
> > Hi Michael,
> >
> > The problem of LISP is that it potentially includes a cache in the
> > operator network that can be driven by downstream untrusted users--
> > hence there is possibility of DOS attack on the cache (this is the
> > primary reason why LISP hasn't been accepted into Linux).
> >
> > What we really want is Identifier/Locator routing that neither
> > requires per flow state to be maintained in the network nor relies on
> > caches to get reasonable performance.
> > draft-herbert-ipv6-prefix-address-privacy suggests crypto functions to
> > map identifiers to locators at the edge.
> >
> > Tom
> >
> >
> >>
> >> --
> >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> >>   -= IPv6 IoT consulting =-
> >>
> >>
> >>
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
> >

v2.23.0 | Report a Bug | By Email