IETF Logo Mail Archive

Re: Address privacy (was: Re: RFC4941bis: consequences of many addresses for the network)

Ted Lemon <mellon@fugue.com> Sat, 25 January 2020 12:45 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26BC5120804 for <ipv6@ietfa.amsl.com>; Sat, 25 Jan 2020 04:45:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id neESJyrj2h71 for <ipv6@ietfa.amsl.com>; Sat, 25 Jan 2020 04:45:06 -0800 (PST)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 807DC12006F for <ipv6@ietf.org>; Sat, 25 Jan 2020 04:45:06 -0800 (PST)
Received: by mail-qt1-x835.google.com with SMTP id d18so3772624qtj.10 for <ipv6@ietf.org>; Sat, 25 Jan 2020 04:45:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=bBk4uDgqKnhJ07LG8wmucTpfUbc0VTdeGaXePSlfFnY=; b=KysnoP7qpDBkdDrLfGlYqPiqC/pvymp/dBw4Os9KGAtgjiuIiLzHlFyjqCH6qEGSZb FxMl6gxx4LNyEzAqru/YgnuNx6OxyFZmskPqs29KND+bIRbGIWlERb7O3PXqU0QQ5ymA yHCuYikE49woVL95nWzHuics+F9rl9BSt1+JKl9LepThmchiHlVkVImU0u53ahIV+fZ4 BghVLlFlF2jeID4U9Uw4FeHoSONC2G2379HAiNp4YZjUfnqouv9/AyuP9znmBdgGGHh1 eMoc/FoIQvYrKfINZUini6Dl3s5HFrD+sClEEJuOVRMNkWdFnmrH4ejqxchPmIp1dBed yx9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=bBk4uDgqKnhJ07LG8wmucTpfUbc0VTdeGaXePSlfFnY=; b=tNhHLLRXr4kpBJUMHT+oqtvVDOOMld7B8E9pwPcwofHhCjRg3SOfjLLlRImpMZdcwy YQDbeCQJBiQCb2O+0F4pUXqHTzPRUqV6l9XVRVOlbHD9CJ02c4RLNGpkLbP9pKq4/SW5 23mhU6C3F4p8bHlinGlqh3aALzqvZpMCJsFgbUznXsRrlFlBFObxzloheCLm8fauWkoa SYxpkDCozjVKg09BkPJHMWGaaZDPcEaw7+K1h8NNTurLLRGySAYwkJwsu/5y/hD5JKpK qPD74t6RIqJA68SJR9T5aq5WwdtjCNLcUh8YJD3kquo34MFAQ5fOVThNlWQUvq7C5ztI hxmg==
X-Gm-Message-State: APjAAAXJP8lECl7x7L17ZqvPG6ZKRQRbye4EGMx/ZJiAr3AB6WSR7aB9 lzaXMoUatUnNzCCnmZogSGDcd+BJ/IO+aA==
X-Google-Smtp-Source: APXvYqxJPKHDR5CrWjSTFBNeWrFp4NwQOK6teU2sg8V+jVqOVsH4719LoTw6vv8Bxvd+zZkWmVEQtg==
X-Received: by 2002:aed:2dc2:: with SMTP id i60mr3418238qtd.8.1579956305517; Sat, 25 Jan 2020 04:45:05 -0800 (PST)
Received: from ?IPv6:2601:18b:300:36ee:842c:268f:2f8a:7a59? ([2601:18b:300:36ee:842c:268f:2f8a:7a59]) by smtp.gmail.com with ESMTPSA id t15sm4845144qkg.49.2020.01.25.04.45.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 25 Jan 2020 04:45:05 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <CBB23ABE-A7A3-4208-873C-E47EE063E34B@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CF6E07FA-D9A9-4483-B2B0-2E4FEC8AA805"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.4\))
Subject: Re: Address privacy (was: Re: RFC4941bis: consequences of many addresses for the network)
Date: Sat, 25 Jan 2020 07:45:03 -0500
In-Reply-To: <f83ab037-9125-bb74-dbac-68850aeb1020@huitema.net>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, 6man WG <ipv6@ietf.org>
To: Christian Huitema <huitema@huitema.net>
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <MN2PR11MB3565330989D411525D30B90DD80F0@MN2PR11MB3565.namprd11.prod.outlook.com> <80207E17-AE8E-4D19-B516-D2E6AB70721E@employees.org> <8D5610EA-49D3-483E-BB7A-67D67BC89346@jisc.ac.uk> <DE7B0688-230F-4A5C-8E24-9EAED9FD9FEB@puck.nether.net> <CAO42Z2zXwVnzemRqyqy78czpHjZm0nhkCJgVrx=-fmt+C6MnSA@mail.gmail.com> <1962.1579823388@localhost> <f83ab037-9125-bb74-dbac-68850aeb1020@huitema.net>
X-Mailer: Apple Mail (2.3608.80.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/pzLNXAi75soqLoetFVfeRQEsrEY>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jan 2020 12:45:10 -0000

I really like this way of thinking about the “anonymity set.”   I’ve been a bit obsessed with this problem for a while; I think that flat routing of a bazillion addresses is probably not an ideal solution, however, because in order to get real anonymity, you have to not reuse addresses, and so now you’re looking at a Carl Sagan worth of addresses (billions and billions) in the routing table.

Another solution that could be useful is to do connections through an anonymity concentrator that tunnels your flow to the selected server.   The idea here is that your ISP (but it doesn’t have to be your ISP!) has a bunch of anonymity boxes sitting in their data centers, and when you want to connect to foo.com <http://foo.com/>, you establish a connection to the anonymity server.   The anonymity server constructs a new 5-tuple using its own fixed IP address.   This is effectively a NAT translation, and of course it can maintain a set of IP addresses large enough that it has enough A+P possibilities to make it work.   Now from the perspective of foo.com <http://foo.com/>, all connections from users at your ISP are coming from a very small number of IPv6 source addresses for which the “anonymity” set is quite large.  You don’t even always use the same anonymity server.

I think this is quite a bit easier to do than flat routing of temporary addresses—it’s more on the scale of CGN, but lacks some of the scaling problems of CGN for IPv4 because we have IPv6 addresses.

Of course, the anonymity server is now a new attack surface to think about when worrying about snooping, so we’ve just changed who we’re trusting, not eliminated a need for trust.

Another solution I’ve considered is to have a giant anonymity mesh, with every ISP’s user participating, and forward flows through this mesh, treating each customer as an anonymity server.   I think this is a bad idea, because it could expose an end user to accusations if someone else connects through their anonymity node and does something nefarious that’s traced back to them and not to the original perpetrator.  It’s also suboptimal from a routing perspective.  But it’s an interesting thought experiment.

> On Jan 25, 2020, at 12:01 AM, Christian Huitema <huitema@huitema.net> wrote:
> 
> On 1/23/2020 3:49 PM, Michael Richardson wrote:
> 
>> I also have doubts about whether the rotating temporary address mechanisms
>> that 4941 provides is useful privacy when the upper-64 bits are unchanging.
> 
> 
> The privacy properties of addresses boil down to the size of the
> anonymity set. How many users share this prefix? If the answer is
> parents and children in the house, then the anonymity set is quite
> small. The observers won't know for sure whether the connection comes
> from little Billy or his mother, but the uncertainty factor has dropped
> from "one billion people on the Internet" to "4 or 5 people behind that
> connection". Changing the bottom 64 bits on that prefix prevent the size
> of the anonymity set from shrinking all the way to 1, but that's not
> entirely satisfactory. This gets of course better if the anonymity set
> is "all students on campus", but campus networks are a bit special. In
> most cases, local networks serve a small number of users. Maybe more
> than a household, but not that much more.
> 
> If we want a privacy preserving address allocation, we have to think
> beyond the local network boundary. The anonymity set is just as large as
> the number of users served by an address prefix. Suppose an ISP who
> really wants to enhance user privacy. Could they make the anonymity set
> as big as all subscribers of the ISP? Or maybe all subscribers of the
> ISP in a given region? I assume that we could do flat routing with
> 10,000 or 100,000 addresses in a  region. Might require some extra
> hardware, but our friendly router vendors could most probably sell that.
> But that would require having a prefix for the region, and doing flat
> routing per address on the last hops. That also mean that the prefix
> will be shared by multiple local area networks.
> 
> Now, what does that do for address allocation?
> 
> -- Christian Huitema
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email