Re: Address privacy (was: Re: RFC4941bis: consequences of many addresses for the network)

Tom Herbert <tom@herbertland.com> Sat, 25 January 2020 20:53 UTC

References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <MN2PR11MB3565330989D411525D30B90DD80F0@MN2PR11MB3565.namprd11.prod.outlook.com> <80207E17-AE8E-4D19-B516-D2E6AB70721E@employees.org> <8D5610EA-49D3-483E-BB7A-67D67BC89346@jisc.ac.uk> <DE7B0688-230F-4A5C-8E24-9EAED9FD9FEB@puck.nether.net> <CAO42Z2zXwVnzemRqyqy78czpHjZm0nhkCJgVrx=-fmt+C6MnSA@mail.gmail.com> <1962.1579823388@localhost> <f83ab037-9125-bb74-dbac-68850aeb1020@huitema.net> <CBB23ABE-A7A3-4208-873C-E47EE063E34B@fugue.com> <11855.1579980079@localhost> <CALx6S36V_VjaxhELYcsgDYLWsCkj20p6gtiY9T9Q=9-9Oibyjw@mail.gmail.com> <CAD6AjGSSU5oe7BQo78rGXXF0nwT_8YeVPj71jbujkmcEN4PycQ@mail.gmail.com>
In-Reply-To: <CAD6AjGSSU5oe7BQo78rGXXF0nwT_8YeVPj71jbujkmcEN4PycQ@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Sat, 25 Jan 2020 12:53:02 -0800
Message-ID: <CALx6S34rybXdES7=3EJffpPUrZ+D6rBffk9yJUoMQfsT-BLShQ@mail.gmail.com>
Subject: Re: Address privacy (was: Re: RFC4941bis: consequences of many addresses for the network)
To: Ca By <cb.list6@gmail.com>
Cc: 6man WG <ipv6@ietf.org>, Christian Huitema <huitema@huitema.net>, Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/dnY2kM_eOuwRTDh1PRCW8y51VQI>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

On Sat, Jan 25, 2020 at 11:57 AM Ca By <cb.list6@gmail.com> wrote:
>
>
>
> On Sat, Jan 25, 2020 at 11:48 AM Tom Herbert <tom@herbertland.com> wrote:
>>
>> On Sat, Jan 25, 2020 at 11:21 AM Michael Richardson
>> <mcr+ietf@sandelman.ca> wrote:
>> >
>> >
>> > Ted Lemon <mellon@fugue.com> wrote:
>> >     > Another solution that could be useful is to do connections through an
>> >     > anonymity concentrator that tunnels your flow to the selected server.
>> >     > The idea here is that your ISP (but it doesn’t have to be your ISP!)
>> >     > has a bunch of anonymity boxes sitting in their data centers, and when
>> >     > you want to connect to foo.com <http://foo.com/>, you establish a
>> >     > connection to the anonymity server.   The anonymity server constructs a
>> >     > new 5-tuple using its own fixed IP address.   This is effectively a NAT
>> >     > translation, and of course it can maintain a set of IP addresses large
>> >
>> > Except that instead of doing it at layer 4, you do it with IPsec, and extrude
>> > that /128 to your machine.  This is already a thing :-)
>> >
>> >     > Another solution I’ve considered is to have a giant anonymity mesh,
>> >     > with every ISP’s user participating, and forward flows through this
>> >     > mesh, treating each customer as an anonymity server.   I think this is
>> >
>> > This is also a thing called Tor.
>> >
>
>
> +1, don't re-invent Tor
>
>>
>> Michael,
>>
>> Doesn't that require that the users must explicitly configure when
>> they want privacy? I think a general solution should be transparent to
>> the user and "just works" to ensure their privacy. That in fact is one
>> of the arguments for NAT. If there is a significantly large enough
>> pool of users behind a NAT device, then the obfuscation is transparent
>> to the user and seems to be pretty good privacy (good enough that law
>> enforcement is concerned about NAT). I suppose a similar effect could
>> be achieved with a transparent proxy.
>
>
> CGN/NAT logs all your sources and destinations.
>
> The network operators will say they must do it for LEA compliance.
>
Ca,

Yes, but beyond the operator boundary the addresses are obfuscated. At
some level it seems we need to trust the provider, which is the entity
delegating addresses to users.

> But once it is logged and stored it is available for nefarious hackers and big data marketing folks.
>
That's a problem for any collected PII. Those collecting the
information may not implement sufficient safeguards to protect the
information. That's a more general problem that we can't solve in the
context of 6man or probably even IETF.

> That said, most of you in north america have ipv6 on your phones. Do you feel that behavior of cycling addresses is not sufficient (barring ATT which proxies all HTTP afaik) ?

Without a quantitative analysis of the privacy attributes offered to
the user I wouldn't venture to say whether it's sufficient. This is
the problem with RFC 4941 and 4941bis, the techniques for improving
privacy are only described and analyzed in qualitative terms. For
instance, 4941bis states:

"Using temporary address alone may not be sufficient to prevent all
forms of tracking. It is however quite clear that some usage of
temporary addresses is necessary to improve user privacy."

It's intuitive that temporary addresses improve privacy. But the
question quickly becomes _how_ do temporary addresses improve privacy,
and more specifically what is the lifetime of temporary addresses
needed to ensure any level of privacy. For instance, if one user has
an address lifetime of 2 hours and another has a lifetime of 1 hour,
does that mean that the user with the 1-hour address has 50% of the
risk of privacy being compromised? I very much doubt it works that
way, but I'm not even sure that we can say there's any material
difference in user privacy between them. Without a way to quantify the
effects, we're only left with heuristics and intuition. Note the
contrast with security here: for instance, the effects of crypto
algorithms and the correlation between key length and breakability are
well studied. I wish there was an equivalent study of privacy.

Tom

>
>
>
>>
>> You might want to take a look at draft-herbert-ipv6-prefix-address-privacy-00.
>>
>> Tom
>>
>> > --
>> > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>> >  -= IPv6 IoT consulting =-
>> > --------------------------------------------------------------------
>> > IETF IPv6 working group mailing list
>> > ipv6@ietf.org
>> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> > --------------------------------------------------------------------
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------