IETF Logo Mail Archive

Re: Address privacy

Ole Troan <otroan@employees.org> Sun, 26 January 2020 20:20 UTC

Return-Path: <otroan@employees.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E9D112006E for <ipv6@ietfa.amsl.com>; Sun, 26 Jan 2020 12:20:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xjZ2xfVTO9ZD for <ipv6@ietfa.amsl.com>; Sun, 26 Jan 2020 12:20:27 -0800 (PST)
Received: from clarinet.employees.org (clarinet.employees.org [198.137.202.74]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56D0E120043 for <ipv6@ietf.org>; Sun, 26 Jan 2020 12:20:27 -0800 (PST)
Received: from [IPv6:2a01:79d:53aa:d30:a0c6:93d0:21d1:fcd8] (unknown [IPv6:2a01:79d:53aa:d30:a0c6:93d0:21d1:fcd8]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by clarinet.employees.org (Postfix) with ESMTPSA id 69D194E11ACC; Sun, 26 Jan 2020 20:20:26 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Ole Troan <otroan@employees.org>
Mime-Version: 1.0 (1.0)
Subject: Re: Address privacy
Date: Sun, 26 Jan 2020 21:20:23 +0100
Message-Id: <89CDA9FE-6C41-4A5E-B6CD-ECC367DFDABA@employees.org>
References: <CALx6S36802oDaEgojAPq2c6hM_s1BayidXPh1Sc6RZmZa9UHpQ@mail.gmail.com>
Cc: "Joel M. Halpern" <jmh@joelhalpern.com>, 6man WG <ipv6@ietf.org>
In-Reply-To: <CALx6S36802oDaEgojAPq2c6hM_s1BayidXPh1Sc6RZmZa9UHpQ@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: iPhone Mail (17D5026c)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/vGAlvrorJtxwW5udY4C2Fl1T6Js>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jan 2020 20:20:29 -0000

The obvious answer is to put the source address in the encrypted payload. It does not have to be in the core header. 
There’s a paper on it somewhere, although I am not sure if that’s where the idea originated. 

Cheers 
Ole

> On 26 Jan 2020, at 21:16, Tom Herbert <tom@herbertland.com> wrote:
> 
> On Sun, Jan 26, 2020 at 11:59 AM Joel M. Halpern <jmh@joelhalpern.com> wrote:
>> 
>> Tom, your description is somewhat misleading.
>> 
>> On the one hand, LISP replies on per-flow state only in the mapping
>> entity.  Not at arbitrary places in the network.
>> 
>> Secondly, if hosts work in terms of identifiers, and the network works
>> in temrs of locators, someone has to map them.  You can cache (including
>> caching the whole thing), you can ask the host to hold the cache itself.
>>  There are other tradeoffs you can make, moving things around.  But you
>> can't just magically make the problem disappear.
> 
> Joel,
> 
> It comes down to how many addresses need to be mapped. It's intuitive
> that a higher frequency of address rotation yields more privacy. But
> higher frequency of address rotation means more active addresses in
> the network. This degenerates to the greatest frequency of change
> which would be to give each flow it's own unique address, and this is
> also the one case of temporary addresses where we can quantify the
> privacy characteristics.
> 
> However, giving each flow its own address quickly becomes a scaling
> and management problem-- we're talking several billions of active
> addresses in some provider networks. Hence, I believe we need mapping
> functions that are more N:1 than 1:1 (the latter doesn't scale).
> Similar, the ability of the network to delegate and map bundles of
> uncorrelated addresses to devices would be useful.
> 
> Tom
> 
>> 
>> Yours,
>> Joel
>> 
>>> On 1/26/2020 2:51 PM, Tom Herbert wrote:
>>> On Sun, Jan 26, 2020 at 9:42 AM Michael Richardson
>>> <mcr+ietf@sandelman.ca> wrote:
>>>> 
>>>> 
>>>> Tom Herbert <tom@herbertland.com> wrote:
>>>>>> Except that instead of doing it at layer 4, you do it with IPsec, and extrude
>>>>>> that /128 to your machine.  This is already a thing :-)
>>>>>> 
>>>>>>> Another solution I’ve considered is to have a giant anonymity mesh,
>>>>>>> with every ISP’s user participating, and forward flows through this
>>>>>>> mesh, treating each customer as an anonymity server.   I think this is
>>>>>> 
>>>>>> This is also a thing called Tor.
>>>>>> 
>>>>> Michael,
>>>> 
>>>>> Doesn't that require that the users must explicitly configure when
>>>>> they want privacy? I think a general solution should be transparent to
>>>> 
>>>> Yes, I agree, it requires explicit configuration.
>>>> I agree that this is not a good thing.
>>>> 
>>>>> the user and "just works" to ensure their privacy. That in fact is one
>>>>> of the arguments for NAT. If there is a significantly large enough
>>>>> pool of users behind a NAT device, then the obfuscation is transparent
>>>>> to the use and seems to be pretty good privacy (good enough that law
>>>>> enforcement is concerned about NAT). I suppose a similar effect could
>>>>> be achieved with a transparent proxy.
>>>> 
>>>> Yes, and I think that more and more LEA will grow ever concerned about this
>>>> situation, and it *is* pushing IPv6 adoption.  So, how can we find a happy medium?
>>>> 
>>>>> You might want to take a look at draft-herbert-ipv6-prefix-address-privacy-00.
>>>> 
>>>> An interesting read. I'm not sure where it goes.
>>>> 
>>>> I would like Locator/Identifier separation.
>>>> I wanted SHIM6. LISP would work, I think.
>>>> Then privacy needs don't need to screw up efficient routing at the edge.
>>>> 
>>> Hi Michael,
>>> 
>>> The problem of LISP is that it potentially includes a cache in the
>>> operator network that can be driven by downstream untrusted users--
>>> hence there is possibility of DOS attack on the cache (this is the
>>> primary reason why LISP hasn't been accepted into Linux).
>>> 
>>> What we really want is Identifier/Locator routing that neither
>>> requires per flow state to be maintained in the network nor relies on
>>> caches to get reasonable performance.
>>> draft-herbert-ipv6-prefix-address-privacy suggests crypto functions to
>>> map identifiers to locators at the edge.
>>> 
>>> Tom
>>> 
>>> 
>>>> 
>>>> --
>>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>>>  -= IPv6 IoT consulting =-
>>>> 
>>>> 
>>>> 
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6@ietf.org
>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------
>>> 
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email