Re: Address privacy

[Tom Herbert <tom@herbertland.com>]

On Tue, Jan 28, 2020 at 4:43 PM Fernando Gont <fgont@si6networks.com> wrote:
>
> On 28/1/20 21:17, Tom Herbert wrote:
> > On Tue, Jan 28, 2020 at 3:45 PM Fernando Gont <fgont@si6networks.com> wrote:
> >>
> >> On 28/1/20 19:45, Tom Herbert wrote:
> >> [...]
> >>>> I don't think you can quantify privacy. What would be the units for that?
> >>>>
> >>>> There's secrecy and not-secrecy. But with these things, you simply
> >>>> mitigate (to some extent) the ability to correlate network activity.
> >>>>
> >>> Fernando,
> >>>
> >>> In the case of single use addresses, that is each flow gets its own
> >>> addresses, the privacy effects are quantifiable. Since each flow has a
> >>> different source address, no two flows or communications can be
> >>> correlated to being sourced from the same user. In this case, the
> >>> identifiers are not reused is used in multiple contexts, so it isn't
> >>> possible to correlate seemingly unrelated activity using an
> >>> identifier. When an identifier is reused for the same node, even once,
> >>> then the possibility of correlations exists.
> >>
> >> You are not quantifying privacy: that's still qualitative description.
> >>
> > It is quantified. If a flow uses a unique address then the risk of
> > using the address of packets in the flow to correlate to other flows
> > is zero.
>
> What are the units? And what would "1" (or for instance "100") of such
> units mean?
>
>
> (for the sake of exercise, even if you were "quantifying" this in terms
> of probability, 0 would be "impossible", 1 would mean 100% chance, and
> the rest would be impossible to specify, given factors such as network
> activity patterns, different kinds of applications, etc.)
>
>
> [...]
> >>> It's a false sense of security. Here's a good analysis:
> >>> https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
> >>
> >> Forcing password changes exacerbate some human aspects, and at times
> >> leads to trouble. That doesn't say it doesn't have a place.
> >>
> >> Folks also argue that firewalls are a false sense of security. Some
> >> argue the same about resistance to address-scan -- even when the #1 task
> >> to hack a system is normally to find it. IMO, whatever makes the
> >> attacker's life harder has a place and a use.
> >
> > For things like address-scan and breaking a key, the risk of attack
> > can be quantified based on existing processing capabilities needed for
> > brute force attack.
>
> I was noting that different people have different views regarding what
> is useful, and what is not. Some discourage address-scan resistance as a
> technique of "security through obscurity".
>
>
>
> > Regardless, I still haven't seen a reasonable answer to user's obvious
> > question regarding temporary address: "What should my frequency of
> > address change be to ensure my privacy?"
>
> If what you want is inability of correlation (and assuming you cannot
> correlate based on the prefix), then it's not a matter of time. It's a
> matter of addresses being bound to flows.
>
Yes, the problem statement in sec. 1.5 in RFC4941bis describes the
address correlation problem and that presumably the intent of
temporary addresses is to prevent unwanted correlation.

> Any other measures depend on so many factors (network activity patterns,
> etc.) that it's virtually impossible to specify.

Those are out of scope of RFC4941.

So, if we restrict the concern to just address correlations, then what
value should be set for the address expiration to achieve privacy in
addressing? Is 1 day, 1 hour, 1 minute, etc. good enough?

Tom

>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>