IETF Logo Mail Archive

Re: Address privacy

Tom Herbert <tom@herbertland.com> Tue, 28 January 2020 20:57 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF0DA1200C3 for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 12:57:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g7HJNus-X1UD for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 12:57:13 -0800 (PST)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F3281200B2 for <ipv6@ietf.org>; Tue, 28 Jan 2020 12:57:13 -0800 (PST)
Received: by mail-ed1-x52b.google.com with SMTP id g19so11929199eds.11 for <ipv6@ietf.org>; Tue, 28 Jan 2020 12:57:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Ifw1AGttI8sqflIYChKkJfTL1LgNGqxFDJCWrGtT1Zc=; b=lCqngX6uoV5EiQrRBk9We+Ru+7xczjBdgm5/u6ML0eYm5+ho0lpKNT1mGUktg7zhEV LiMMHF8K0pxCMaGGXN7geazxMbQxvue6o93FAC8SCnz3W5dE3k2dAMGW6sSbj3l1AqHP R0tOV3yqCsCrZShyYN3rUZi4tqOkIHeySIN+eCiufEaG5s9IJvLWwke7cL5khUlZvw7a 9I9klCB8DkhivOLBte4oXas9btACXilQvqT0IpnDguJlnE07UUW2mZTJIIFYNA+9+a6N rS//zO0Si0o69uQh/eGghcFleqCxFuzN14obR+o5Mi6NjrCdoEb2Ai0uqc/oF9GMMqlH SyYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Ifw1AGttI8sqflIYChKkJfTL1LgNGqxFDJCWrGtT1Zc=; b=B3Ws9X6ENs8G+txfcqYQohG7lViqmLrhkEEA2zD3wWgcvQrr09QL/ZmfJHdoycRM6o EYviWqSK0LSmuz+GGS2sFw0gsoqnCBtdRpAm9CJV2Z7hXV+gJHosTdfJmsDwsOLJzTgd pQ0ycT+OKFZm/jWV8+48JboSGICyH2uJmApKA0wlDeAmd8fEfTltRmhFxuirr43Pw/yu 8qrA7VDxQ8oVIjTVdg4laeE2+IUWgo7JxQJ5F2CKkZCPXB6cd2u28Ex+/+L/eDe7qajT eISpmy+CFYCUJyfZ/W6g6LuWGzU+e9F12uerVlaasMyJi4NSEwZnK7AR6B3dxQwr146a C6SA==
X-Gm-Message-State: APjAAAUQ9ZR8j+buUeF5l1BvMOtT9jnAiwd9L96V3VWuZfisPMMCx/du kxcTP+P22B8DHdxEg/Zwt6gTpvbWZsJg3QrVniC3gEiS+Nw=
X-Google-Smtp-Source: APXvYqzBJU1ewjDk9FS4cmE84rQAHyG7YSt3VdkOIox6VP1PQn+fJNK15plUDqZF8/O7FNZcsvgylPmqfFsV00pPASE=
X-Received: by 2002:a05:6402:3132:: with SMTP id dd18mr5299099edb.118.1580245031845; Tue, 28 Jan 2020 12:57:11 -0800 (PST)
MIME-Version: 1.0
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <MN2PR11MB3565330989D411525D30B90DD80F0@MN2PR11MB3565.namprd11.prod.outlook.com> <80207E17-AE8E-4D19-B516-D2E6AB70721E@employees.org> <8D5610EA-49D3-483E-BB7A-67D67BC89346@jisc.ac.uk> <DE7B0688-230F-4A5C-8E24-9EAED9FD9FEB@puck.nether.net> <CAO42Z2zXwVnzemRqyqy78czpHjZm0nhkCJgVrx=-fmt+C6MnSA@mail.gmail.com> <1962.1579823388@localhost> <f83ab037-9125-bb74-dbac-68850aeb1020@huitema.net> <CBB23ABE-A7A3-4208-873C-E47EE063E34B@fugue.com> <11855.1579980079@localhost> <CALx6S36V_VjaxhELYcsgDYLWsCkj20p6gtiY9T9Q=9-9Oibyjw@mail.gmail.com> <32626.1580060558@localhost> <CALx6S37prWACD0jv9c-XHD-JtPqZAcgeT2Ax0EZHkiQaDR4t=g@mail.gmail.com> <419b7c7a-e364-7951-5a44-6c39e1da65fb@joelhalpern.com> <CALx6S36802oDaEgojAPq2c6hM_s1BayidXPh1Sc6RZmZa9UHpQ@mail.gmail.com> <6c5ba72d-9289-90ba-a1c9-2307ed29a4da@foobar.org> <a98bf2ab-32e7-459b-14d2-5e0e1c65a229@si6networks.com> <CALx6S36J5TPnXJQyMW2NUbQV6KL_oqUQ01m+BEzBJ+xcHpmQWw@mail.gmail.com> <bc0d1eb8-2301-224d-dc33-19f6a60e593e@si6networks.com> <CALx6S34i67ivt8t1P3omRVzsj9NfxY2t41JLjmjT6X0vtBQHKQ@mail.gmail.com> <CAO42Z2x079xurzjoRkX6kVa6Cc3SkJJH3_RvaTgVyB-sYO6yWg@mail.gmail.com>
In-Reply-To: <CAO42Z2x079xurzjoRkX6kVa6Cc3SkJJH3_RvaTgVyB-sYO6yWg@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 28 Jan 2020 12:57:00 -0800
Message-ID: <CALx6S36ZMH+kBFsMjowQCaYH9YarhmDv_jKieuZ55BtZV_pZmg@mail.gmail.com>
Subject: Re: Address privacy
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Fernando Gont <fgont@si6networks.com>, 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/b_CJSw57iq8ZLXUfGCSuyZI5yjU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 20:57:16 -0000

On Tue, Jan 28, 2020 at 12:38 PM Mark Smith <markzzzsmith@gmail.com> wrote:
>
>
>
> On Wed, 29 Jan 2020, 08:51 Tom Herbert, <tom@herbertland.com> wrote:
>>
>>
>>
>> On Mon, Jan 27, 2020, 7:57 PM Fernando Gont <fgont@si6networks.com> wrote:
>>>
>>> On 28/1/20 00:10, Tom Herbert wrote:
>>> > On Mon, Jan 27, 2020 at 5:36 PM Fernando Gont <fgont@si6networks.com> wrote:
>>> >>
>>> >> On 26/1/20 18:37, Nick Hilliard wrote:
>>> >>> Tom Herbert wrote on 26/01/2020 20:16:
>>> >>>> It's intuitive
>>> >>>> that a higher frequency of address rotation yields more privacy
>>> >>>
>>> >>> intuitive, but probably inaccurate because of the a priori assumption
>>> >>> that privacy is strongly associated with the endpoint identifier.
>>> >>
>>> >> In many cases, it is: you log in to fb with a given address, and reuse
>>> >> that address to do other stuf
>>> >>
>>> > Yes, that's the "always on" network application that would allow
>>> > address tracking and identification at even high frequency of address
>>> > change. An exploit based on that is described in section 4.4 of
>>> > draft-herbert-ipv6-prefix-address-privacy-00. I believe the only way
>>> > to defeat this exploit would be single use (per flow), uncorrelated
>>> > address.
>>>
>>> Agreed. That said, temporary addresses, for obvious reasons mitigates
>>> activity correlation over time -- certainly not to the same extent that
>>> the paranoid "one address per flow" would.
>>
>>
>> Fernando,
>>
>> The rationale for temporary addresses may be obvious, but I don't believe anyone has yet quantified the effects. For instance, RFC4941 is thirteen years old, is there any evidence that it has materially improved anyone's privacy? (I'm not being cynical, but I think it's a fair question).
>
>
> It depends. What were the privacy goals RFC3041/4241 designed to achieve and does it achieve them?
>
> It isn't reasonable to come up with a different set of privacy goals that RFC3041/4241 weren't designed to satisfy and then declare 3041/4241 is a privacy failure because it doesn't satisfy them.
>
> Privacy isn't binary, there are different privacy threats and different parties to be private from. That means needing different privacy mechanisms to suit the different privacy threat models.
>
Ole,

I think the privacy goals of RFC4941 are clearly articulated as
addressing the problem of correlations that can be made on
identifiers. From the draft:

"
Anytime a fixed identifier is used in multiple contexts, it becomes
possible to correlate seemingly unrelated activity using this
identifier.

   The correlation can be performed by

   o  An attacker who is in the path between the node in question and
      the peer(s) to which it is communicating, and who can view the
      IPv6 addresses present in the datagrams.

   o  An attacker who can access the communication logs of the peers
      with which the node has communicated.
"

I think this should read "Anytime an identifier is used in multiple
contexts", that is drop the "fixed".

The proposed solution is temporary addresses. But then the question
quickly becomes how temporary do those addresses need to be to address
the problem of correlations? The draft only says "Temporary addresses
are used for a short period of time (typically hours to days) and are
subsequently deprecated.". That's pretty vague. For instance, suppose
a specifically user asks "How often do I need to change addresses to
ensure my privacy?".  Section 3.5 tries to address the question, but,
again is non-committal and makes no normative recommendation. I'd also
note that the text in RFC4941 is pretty much unchanged from RFC4941,
however the sophistication and data collection capabilities of would
be attackers surely have changed since 2013 so it seems like this
section should be revisited in light of that.

Tom



>
>>
>> One might compare this to the policy of some sys admins that users need to change passwords regularly. The rationale is similar, but that practice has been most debunked as not improving security and in fact is more of a burden to users that providing any real value.
>>
>> Tom
>>
>>
>>>
>>> Thanks,
>>> --
>>> Fernando Gont
>>> SI6 Networks
>>> e-mail: fgont@si6networks.com
>>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>>
>>>
>>>
>>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email