Re: Address privacy

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 27 January 2020 18:40 UTC

Subject: Re: Address privacy
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, Tom Herbert <tom@herbertland.com>
Cc: 6man <ipv6@ietf.org>
References: <CALx6S36802oDaEgojAPq2c6hM_s1BayidXPh1Sc6RZmZa9UHpQ@mail.gmail.com> <89CDA9FE-6C41-4A5E-B6CD-ECC367DFDABA@employees.org> <1220b074-c7f5-bbc8-2991-a9af66caf8b7@gmail.com> <CALx6S35oHgGDxa6014HB8UCYct0V9hcPFWqhiRM2kCgaPMtyqQ@mail.gmail.com> <MN2PR11MB35650E5E30B8A9B6F685880ED80B0@MN2PR11MB3565.namprd11.prod.outlook.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <b9b4f6a9-627c-a3f0-fb01-331232e28417@gmail.com>
Date: Tue, 28 Jan 2020 07:38:15 +1300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/pgo6PA6KnGa3KWVTEicq6-oej_8>

On 27-Jan-20 20:43, Pascal Thubert (pthubert) wrote:
> Hello Tom
> 
> This looks similar to the idea of using Mobile IPv6 inside a domain: 

Yes, we proposed that as long ago as https://tools.ietf.org/html/rfc4864

   Brian

> Hosts in the domain get only ULAs by default. 
> Hosts that need reach back from outside the domain obtain GUAs from a common Home Agent that serves the domain.
> That GUA becomes their home address. The ULA is the care-of address.
> The MIP tunnel happens within the domain, unbeknownst to the outside.
> 
> This way:
> - you get a better aggregation factor for privacy, mixed amongst the other devices in the domain.
> - the network structure is hidden from the outside observer. It effectively appears as a flat /64.
> 
> Cheers,
> 
> Pascal
> 
>> -----Original Message-----
>> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Tom Herbert
>> Sent: dimanche 26 janvier 2020 22:35
>> To: Brian E Carpenter <brian.e.carpenter@gmail.com>
>> Cc: 6man <ipv6@ietf.org>
>> Subject: Re: Address privacy
>>
>> On Sun, Jan 26, 2020 at 12:53 PM Brian E Carpenter
>> <brian.e.carpenter@gmail.com> wrote:
>>>
>>> On 27-Jan-20 09:20, Ole Troan wrote:
>>>> The obvious answer is to put the source address in the encrypted payload. It
>>>> does not have to be in the core header.
>>>> There’s a paper on it somewhere, although I am not sure if that’s where the
>>>> idea originated.
>>>
>>> Google "SNA: Sourceless Network Architecture" and "IPv6 source addresses
>>> considered harmful"
>>>
>>
>> There's also the possibility of putting location information into a modifiable HBH
>> option (part of draft-herbert-fast-04). Something like:
>>
>> - End host sends packet with HBH option for location
>> - First hop in network writes its location into the HBH option. The location
>> information identifies the hop (e.g. base station in a mobile
>> network) and is only interpretable in the local network (encrypted for instance).
>> - Packet is routed to destination with HBH option intact.
>> - At the destination, the HBH option is reflected on return packets for a flow.
>> End host doesn't do anything else than just reflect.
>> - At the ingress node to the network, the location information is decoded. Given
>> this, the ingress forwards the packet to the locator node by address translation
>> or encapsulation.
>> - At the locator node, i.e. first network hop upstream of destination node, the
>> encapsulation or translation is undone and packet is forwarded to the final
>> destination.
>>
>> I think this method was first proposed to ensure consistent routing to the same
>> backend in L4 load balancing. Obvious downsides are that we need EH to work in
>> the network and there are changes needed in the hosts.
>>
>> Tom
>>
>>>    Brian
>>>
>>>>
>>>> Cheers
>>>> Ole
>>>>
>>>>> On 26 Jan 2020, at 21:16, Tom Herbert <tom@herbertland.com> wrote:
>>>>>
>>>>> On Sun, Jan 26, 2020 at 11:59 AM Joel M. Halpern
>>>>> <jmh@joelhalpern.com> wrote:
>>>>>>
>>>>>> Tom, your description is somewhat misleading.
>>>>>>
>>>>>> On the one hand, LISP relies on per-flow state only in the
>>>>>> mapping entity.  Not at arbitrary places in the network.
>>>>>>
>>>>>> Secondly, if hosts work in terms of identifiers, and the network
>>>>>> works in terms of locators, someone has to map them.  You can
>>>>>> cache (including caching the whole thing), you can ask the host to hold
>>>>>> the cache itself.
>>>>>> There are other tradeoffs you can make, moving things around.
>>>>>> But you can't just magically make the problem disappear.
>>>>>
>>>>> Joel,
>>>>>
>>>>> It comes down to how many addresses need to be mapped. It's
>>>>> intuitive that a higher frequency of address rotation yields more
>>>>> privacy. But higher frequency of address rotation means more active
>>>>> addresses in the network. This degenerates to the greatest
>>>>> frequency of change which would be to give each flow its own
>>>>> unique address, and this is also the one case of temporary
>>>>> addresses where we can quantify the privacy characteristics.
>>>>>
>>>>> However, giving each flow its own address quickly becomes a scaling
>>>>> and management problem-- we're talking several billions of active
>>>>> addresses in some provider networks. Hence, I believe we need
>>>>> mapping functions that are more N:1 than 1:1 (the latter doesn't scale).
>>>>> Similarly, the ability of the network to delegate and map bundles of
>>>>> uncorrelated addresses to devices would be useful.
>>>>>
>>>>> Tom
>>>>>
>>>>>>
>>>>>> Yours,
>>>>>> Joel
>>>>>>
>>>>>>> On 1/26/2020 2:51 PM, Tom Herbert wrote:
>>>>>>> On Sun, Jan 26, 2020 at 9:42 AM Michael Richardson
>>>>>>> <mcr+ietf@sandelman.ca> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Tom Herbert <tom@herbertland.com> wrote:
>>>>>>>>>> Except that instead of doing it at layer 4, you do it with
>>>>>>>>>> IPsec, and extrude that /128 to your machine.  This is already
>>>>>>>>>> a thing :-)
>>>>>>>>>>
>>>>>>>>>>> Another solution I’ve considered is to have a giant anonymity
>>>>>>>>>>> mesh, with every ISP’s user participating, and forward flows
>>>>>>>>>>> through this mesh, treating each customer as an anonymity server.
>>>>>>>>>>> I think this is
>>>>>>>>>>
>>>>>>>>>> This is also a thing called Tor.
>>>>>>>>>>
>>>>>>>>> Michael,
>>>>>>>>
>>>>>>>>> Doesn't that require that the users must explicitly configure
>>>>>>>>> when they want privacy? I think a general solution should be
>>>>>>>>> transparent to
>>>>>>>>
>>>>>>>> Yes, I agree, it requires explicit configuration.
>>>>>>>> I agree that this is not a good thing.
>>>>>>>>
>>>>>>>>> the user and "just works" to ensure their privacy. That in fact
>>>>>>>>> is one of the arguments for NAT. If there is a significantly
>>>>>>>>> large enough pool of users behind a NAT device, then the
>>>>>>>>> obfuscation is transparent to the user and seems to be pretty
>>>>>>>>> good privacy (good enough that law enforcement is concerned
>>>>>>>>> about NAT). I suppose a similar effect could be achieved with a
>>>>>>>>> transparent proxy.
>>>>>>>>
>>>>>>>> Yes, and I think that more and more LEA will grow ever concerned
>>>>>>>> about this situation, and it *is* pushing IPv6 adoption.  So, how can we
>>>>>>>> find a happy medium?
>>>>>>>>
>>>>>>>>> You might want to take a look at draft-herbert-ipv6-prefix-address-privacy-00.
>>>>>>>>
>>>>>>>> An interesting read. I'm not sure where it goes.
>>>>>>>>
>>>>>>>> I would like Locator/Identifier separation.
>>>>>>>> I wanted SHIM6. LISP would work, I think.
>>>>>>>> Then privacy needs don't need to screw up efficient routing at the
>>>>>>>> edge.
>>>>>>>>
>>>>>>> Hi Michael,
>>>>>>>
>>>>>>> The problem of LISP is that it potentially includes a cache in
>>>>>>> the operator network that can be driven by downstream untrusted
>>>>>>> users-- hence there is a possibility of a DoS attack on the cache
>>>>>>> (this is the primary reason why LISP hasn't been accepted into Linux).
>>>>>>>
>>>>>>> What we really want is Identifier/Locator routing that neither
>>>>>>> requires per flow state to be maintained in the network nor
>>>>>>> relies on caches to get reasonable performance.
>>>>>>> draft-herbert-ipv6-prefix-address-privacy suggests crypto
>>>>>>> functions to map identifiers to locators at the edge.
>>>>>>>
>>>>>>> Tom
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software
>>>>>>>> Works  -= IPv6 IoT consulting =-
>>>>>>>>
>>>>>>>> --------------------------------------------------------------------
>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>> ipv6@ietf.org
>>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>> --------------------------------------------------------------------
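The location-carrying Hop-by-Hop option procedure Tom sketches in the thread (the host adds an empty option, the first hop stamps its location into it in a form only the local network can read, the destination reflects it, the ingress decodes it and steers the return packet to the locator node) as an added example in Python. This is not code from the original posts, from draft-herbert-fast-04, or from any implementation. The domain key, the locator table, the addresses and the 16-bit locator id are constructed for the demo, and the HMAC-SHA256 encrypt-then-MAC token is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
"""Simulation of a location-carrying HBH option: stamped by the first hop,
reflected by the destination, decoded only by the domain ingress.

Added example, not code from draft-herbert-fast-04 or any implementation.
Domain key, locator table, addresses and the 16-bit locator id are constructed.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

NONCE_LEN = 12
TAG_LEN = 16
LOC_LEN = 2  # locator id packed as an unsigned 16-bit integer (constructed choice)


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    hbh_location: Optional[bytes] = None  # HBH option payload; None means no option
    outer_dst: Optional[str] = None       # outer destination while encapsulated in the domain


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def seal_location(domain_key: bytes, locator_id: int) -> bytes:
    """Seal a locator id into an opaque token: nonce || ciphertext || tag.
    A fresh nonce makes every token distinct, so an outside observer cannot
    link two packets stamped by the same first hop."""
    nonce = os.urandom(NONCE_LEN)
    plain = struct.pack("!H", locator_id)
    keystream = _prf(domain_key, b"enc", nonce)[:LOC_LEN]
    cipher = bytes(p ^ k for p, k in zip(plain, keystream))
    tag = _prf(domain_key, b"mac", nonce + cipher)[:TAG_LEN]
    return nonce + cipher + tag


def open_location(domain_key: bytes, token: bytes) -> Optional[int]:
    """Recover the locator id, or None if the token is malformed, tampered
    with, or was sealed under a different domain's key."""
    if len(token) != NONCE_LEN + LOC_LEN + TAG_LEN:
        return None
    nonce = token[:NONCE_LEN]
    cipher = token[NONCE_LEN:NONCE_LEN + LOC_LEN]
    tag = token[NONCE_LEN + LOC_LEN:]
    expected = _prf(domain_key, b"mac", nonce + cipher)[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time check before decrypting
        return None
    keystream = _prf(domain_key, b"enc", nonce)[:LOC_LEN]
    return struct.unpack("!H", bytes(c ^ k for c, k in zip(cipher, keystream)))[0]


def host_send(src: str, dst: str, payload: bytes) -> Packet:
    # Step 1: the host only adds an empty location option; it never learns its content.
    return Packet(src, dst, payload, hbh_location=b"")


def first_hop_stamp(pkt: Packet, domain_key: bytes, my_locator_id: int) -> Packet:
    # Step 2: the first hop (e.g. a base station) writes its sealed location into the option.
    if pkt.hbh_location == b"":
        pkt.hbh_location = seal_location(domain_key, my_locator_id)
    return pkt


def destination_reflect(req: Packet, reply_payload: bytes) -> Packet:
    # Steps 3-4: the option crosses the network intact and the destination
    # reflects it unchanged on the return packet; it cannot read the token.
    return Packet(src=req.dst, dst=req.src, payload=reply_payload,
                  hbh_location=req.hbh_location)


def ingress_steer(pkt: Packet, domain_key: bytes, locator_table: dict) -> Packet:
    # Step 5: the domain ingress decodes the token and, if it names a known locator
    # node, encapsulates toward it. A missing, forged or unknown token falls through
    # to ordinary forwarding, so untrusted input cannot create any ingress state.
    if pkt.hbh_location:
        locator_id = open_location(domain_key, pkt.hbh_location)
        if locator_id is not None and locator_id in locator_table:
            pkt.outer_dst = locator_table[locator_id]
    return pkt


def locator_node_decap(pkt: Packet) -> Packet:
    # Step 6: the locator node strips the encapsulation and delivers to the host.
    pkt.outer_dst = None
    return pkt


def round_trip(domain_key: bytes, locator_table: dict, first_hop_id: int):
    """Run one request/reply through all six steps. Returns
    (node the ingress steered the reply to, final destination of the reply)."""
    req = host_send("2001:db8:1::10", "2001:db8:ffff::80", b"GET /")  # constructed addresses
    req = first_hop_stamp(req, domain_key, first_hop_id)
    reply = destination_reflect(req, b"200 OK")
    reply = ingress_steer(reply, domain_key, locator_table)
    steered_to = reply.outer_dst
    delivered = locator_node_decap(reply)
    return steered_to, delivered.dst


if __name__ == "__main__":
    KEY = b"constructed-domain-key"
    TABLE = {7: "2001:db8:0:7::1", 9: "2001:db8:0:9::1"}  # locator id -> locator node (constructed)
    print(round_trip(KEY, TABLE, 7))  # ('2001:db8:0:7::1', '2001:db8:1::10')
```

Two properties of the sketch are visible in the code: the ingress holds only the domain key and a static locator table, never per-flow state, and the destination host does nothing but copy the option back. Because the token is authenticated, a reflected option that was damaged, forged, or stamped in another domain simply decodes to nothing and the packet takes the normal forwarding path.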