Re: Address privacy

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 27 January 2020 23:07 UTC

Subject: Re: Address privacy
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
Cc: Tom Herbert <tom@herbertland.com>, 6man <ipv6@ietf.org>
References: <CALx6S36802oDaEgojAPq2c6hM_s1BayidXPh1Sc6RZmZa9UHpQ@mail.gmail.com> <89CDA9FE-6C41-4A5E-B6CD-ECC367DFDABA@employees.org> <1220b074-c7f5-bbc8-2991-a9af66caf8b7@gmail.com> <CALx6S35oHgGDxa6014HB8UCYct0V9hcPFWqhiRM2kCgaPMtyqQ@mail.gmail.com> <MN2PR11MB35650E5E30B8A9B6F685880ED80B0@MN2PR11MB3565.namprd11.prod.outlook.com> <b9b4f6a9-627c-a3f0-fb01-331232e28417@gmail.com> <0761F118-D862-42C5-BD32-B37207E9CEB6@cisco.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <b5a270ae-3675-6efd-6f0b-a7af86d8d4fb@gmail.com>
Date: Tue, 28 Jan 2020 12:07:27 +1300
In-Reply-To: <0761F118-D862-42C5-BD32-B37207E9CEB6@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/w2uzUw7XxQMcYWJmnE7DGF1lKhM>

On 28-Jan-20 09:40, Pascal Thubert (pthubert) wrote:
> Yes, Brian,
> 
> and I must admit it’s encumbered by Cisco IPR but I doubt it’s the reason why it was not used that much. Any clue?

No idea. The IPR disclosure offers "reciprocal RAND" and that applies to so many protocols that I doubt if it had any specific effect here (even if the patent is applicable, which I have not checked). I think the idea probably got lost because of more pressing issues in v6 deployment.

Regards
    Brian
> 
> 
> Regards,
> 
> Pascal
> 
>> Le 27 janv. 2020 à 19:38, Brian E Carpenter <brian.e.carpenter@gmail.com> a écrit :
>>
>> On 27-Jan-20 20:43, Pascal Thubert (pthubert) wrote:
>>> Hello Tom
>>>
>>> This looks similar to the idea of using Mobile IPv6 inside a domain: 
>>
>> Yes, we proposed that as long ago as https://tools.ietf.org/html/rfc4864
>>
>>   Brian
>>
>>> Hosts in the domain get only ULAs by default. 
>>> Hosts that need reach back from outside the domain obtain GUAs from common Home Agent that serves the domain.
>>> That GUA becomes their home address. The ULA is the CareOf.
>>> The MIP tunnel happens within the domain unbeknownst to the outside
>>>
>>> This way:
>>> - you get a better aggregation factor for privacy, mixed amongst the other devices in the domain.
>>> - the network structure is hidden from the outside observer. It effectively appears as a flat /64.
>>>
>>> Cheers,
>>>
>>> Pascal
>>>
>>>> -----Original Message-----
>>>> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Tom Herbert
>>>> Sent: dimanche 26 janvier 2020 22:35
>>>> To: Brian E Carpenter <brian.e.carpenter@gmail.com>
>>>> Cc: 6man <ipv6@ietf.org>
>>>> Subject: Re: Address privacy
>>>>
>>>> On Sun, Jan 26, 2020 at 12:53 PM Brian E Carpenter
>>>> <brian.e.carpenter@gmail.com> wrote:
>>>>>
>>>>>> On 27-Jan-20 09:20, Ole Troan wrote:
>>>>>>> The obvious answer is to put the source address in the encrypted payload. It does not have to be in the core header.
>>>>>> There’s a paper on it somewhere, although I am not sure if that’s where the idea originated.
>>>>>
>>>>> Google "SNA: Sourceless Network Architecture" and "IPv6 source addresses considered harmful"
>>>>>
>>>>
>>>> There's also the possibility of putting location information into a modifiable HBH
>>>> option (part of draft-herbert-fast-04). Something like:
>>>>
>>>> - End host sends packet with HBH option for location
>>>> - First hop in network writes its location into the HBH option. The location
>>>> information identifies the hop (e.g. base station in a mobile
>>>> network) and is only interpretable in the local network (encrypted for instance).
>>>> - Packet is routed to destination with HBH option intact.
>>>> - At the destination, the HBH option is reflected on return packets for a flow.
>>>> End host doesn't do anything else than just reflect.
>>>> - At the ingress node to the network, the location information is decoded. Given
>>>> this, the ingress forwards the packet to the locator node by address translation
>>>> or encapsulation.
>>>> - At the locator node, i.e. first network hop upstream of destination node, the
>>>> encapsulation or translation is undone and packet is forwarded to the final
>>>> destination.
>>>>
>>>> I think this method was first proposed to ensure consistent routing to the same
>>>> backend in L4 load balancing. Obvious downsides are that we need EH to work in
>>>> the network and there are changes needed in the hosts.
>>>>
>>>> Tom
>>>>
>>>>>   Brian
>>>>>
>>>>>>
>>>>>> Cheers
>>>>>> Ole
>>>>>>
>>>>>>> On 26 Jan 2020, at 21:16, Tom Herbert <tom@herbertland.com> wrote:
>>>>>>>
>>>>>>> On Sun, Jan 26, 2020 at 11:59 AM Joel M. Halpern <jmh@joelhalpern.com> wrote:
>>>>>>>>
>>>>>>>> Tom, your description is somewhat misleading.
>>>>>>>>
>>>>>>>> On the one hand, LISP relies on per-flow state only in the
>>>>>>>> mapping entity.  Not at arbitrary places in the network.
>>>>>>>>
>>>>>>>> Secondly, if hosts work in terms of identifiers, and the network
>>>>>>>> works in terms of locators, someone has to map them.  You can
>>>>>>>> cache (including caching the whole thing), you can ask the host to hold
>>>>>>>> the cache itself.
>>>>>>>> There are other tradeoffs you can make, moving things around.
>>>>>>>> But you can't just magically make the problem disappear.
>>>>>>>
>>>>>>> Joel,
>>>>>>>
>>>>>>> It comes down to how many addresses need to be mapped. It's
>>>>>>> intuitive that a higher frequency of address rotation yields more
>>>>>>> privacy. But higher frequency of address rotation means more active
>>>>>>> addresses in the network. This degenerates to the greatest
>>>>>>> frequency of change which would be to give each flow its own
>>>>>>> unique address, and this is also the one case of temporary
>>>>>>> addresses where we can quantify the privacy characteristics.
>>>>>>>
>>>>>>> However, giving each flow its own address quickly becomes a scaling
>>>>>>> and management problem-- we're talking several billions of active
>>>>>>> addresses in some provider networks. Hence, I believe we need
>>>>>>> mapping functions that are more N:1 than 1:1 (the latter doesn't scale).
>>>>>>> Similarly, the ability of the network to delegate and map bundles of
>>>>>>> uncorrelated addresses to devices would be useful.
>>>>>>>
>>>>>>> Tom
>>>>>>>
>>>>>>>>
>>>>>>>> Yours,
>>>>>>>> Joel
>>>>>>>>
>>>>>>>>> On 1/26/2020 2:51 PM, Tom Herbert wrote:
>>>>>>>>> On Sun, Jan 26, 2020 at 9:42 AM Michael Richardson
>>>>>>>>> <mcr+ietf@sandelman.ca> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Tom Herbert <tom@herbertland.com> wrote:
>>>>>>>>>>>> Except that instead of doing it at layer 4, you do it with
>>>>>>>>>>>> IPsec, and extrude that /128 to your machine.  This is already
>>>>>>>>>>>> a thing :-)
>>>>>>>>>>>>
>>>>>>>>>>>>> Another solution I’ve considered is to have a giant anonymity
>>>>>>>>>>>>> mesh, with every ISP’s user participating, and forward flows through this
>>>>>>>>>>>>> mesh, treating each customer as an anonymity server.   I think this is
>>>>>>>>>>>>
>>>>>>>>>>>> This is also a thing called Tor.
>>>>>>>>>>>>
>>>>>>>>>>> Michael,
>>>>>>>>>>
>>>>>>>>>>> Doesn't that require that the users must explicitly configure
>>>>>>>>>>> when they want privacy? I think a general solution should be
>>>>>>>>>>> transparent to
>>>>>>>>>>
>>>>>>>>>> Yes, I agree, it requires explicit configuration.
>>>>>>>>>> I agree that this is not a good thing.
>>>>>>>>>>
>>>>>>>>>>> the user and "just works" to ensure their privacy. That in fact
>>>>>>>>>>> is one of the arguments for NAT. If there is a significantly
>>>>>>>>>>> large enough pool of users behind a NAT device, then the
>>>>>>>>>>> obfuscation is transparent to the user and seems to be pretty
>>>>>>>>>>> good privacy (good enough that law enforcement is concerned
>>>>>>>>>>> about NAT). I suppose a similar effect could be achieved with a
>>>>>>>>>>> transparent proxy.
>>>>>>>>>>
>>>>>>>>>> Yes, and I think that more and more LEA will grow ever concerned
>>>>>>>>>> about this situation, and it *is* pushing IPv6 adoption.  So, how can we
>>>>>>>>>> find a happy medium?
>>>>>>>>>>
>>>>>>>>>>> You might want to take a look at draft-herbert-ipv6-prefix-address-privacy-00.
>>>>>>>>>>
>>>>>>>>>> An interesting read. I'm not sure where it goes.
>>>>>>>>>>
>>>>>>>>>> I would like Locator/Identifier separation.
>>>>>>>>>> I wanted SHIM6. LISP would work, I think.
>>>>>>>>>> Then privacy needs don't need to screw up efficient routing at the edge.
>>>>>>>>>>
>>>>>>>>> Hi Michael,
>>>>>>>>>
>>>>>>>>> The problem of LISP is that it potentially includes a cache in
>>>>>>>>> the operator network that can be driven by downstream untrusted
>>>>>>>>> users-- hence there is possibility of DOS attack on the cache
>>>>>>>>> (this is the primary reason why LISP hasn't been accepted into Linux).
>>>>>>>>>
>>>>>>>>> What we really want is Identifier/Locator routing that neither
>>>>>>>>> requires per flow state to be maintained in the network nor
>>>>>>>>> relies on caches to get reasonable performance.
>>>>>>>>> draft-herbert-ipv6-prefix-address-privacy suggests crypto
>>>>>>>>> functions to map identifiers to locators at the edge.
>>>>>>>>>
>>>>>>>>> Tom
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>
>>
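The reflected-location-option scheme Tom Herbert sketches above (first hop seals its locator into a modifiable HBH option, destination reflects it, ingress decodes it and forwards by translation or encapsulation), simulated as an added example that is not code from draft-herbert-fast or from anyone in the thread. Assumptions, all constructed: a 16-bit locator id per first-hop node, a network-local key NET_KEY held only by the domain's edge nodes, and a token layout nonce || ciphertext || tag built from HMAC-SHA256 as a stand-in for the AEAD a real deployment would use.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed network-local key: shared by the first-hop and ingress nodes
# of one operator domain only, never by hosts or outside observers.
NET_KEY = hashlib.sha256(b"constructed network-local key, not a real secret").digest()
NONCE_LEN, ID_LEN, TAG_LEN = 8, 2, 8   # token layout: nonce || ct || tag

def seal_location(locator_id: int, key: bytes = NET_KEY,
                  nonce: Optional[bytes] = None) -> bytes:
    """First hop writes its locator (e.g. a base-station id) into the HBH
    option. Encrypt-then-MAC with HMAC-SHA256 stands in for a real AEAD."""
    nonce = nonce or os.urandom(NONCE_LEN)   # fresh per packet: no stable id leaks
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:ID_LEN]
    ct = bytes(a ^ b for a, b in zip(locator_id.to_bytes(ID_LEN, "big"), stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def open_location(token: bytes, key: bytes = NET_KEY) -> Optional[int]:
    """Ingress node decodes the reflected option. A forged or corrupted token,
    or one minted under another domain's key, yields None, so the ingress
    never tunnels a packet to a locator chosen by someone outside the domain."""
    if len(token) != NONCE_LEN + ID_LEN + TAG_LEN:
        return None
    nonce = token[:NONCE_LEN]
    ct = token[NONCE_LEN:NONCE_LEN + ID_LEN]
    tag = token[NONCE_LEN + ID_LEN:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:ID_LEN]
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, stream)), "big")

def round_trip(locator_id: int) -> tuple:
    """The steps from the thread: host sends an empty option, first hop fills
    it, destination reflects it unchanged, ingress opens it and learns where
    to translate/encapsulate. Returns (what the outside saw, ingress decision)."""
    option = b""                        # step 1: host sends an empty location option
    option = seal_location(locator_id)  # step 2: first hop overwrites it
    reflected = option                  # steps 3-4: carried intact, reflected verbatim
    return reflected, open_location(reflected)  # step 5: ingress decodes
```

Two packets from the same first hop carry different tokens, so an observer outside the domain cannot use the option as a stable identifier, while a bit-flipped or foreign-key token is rejected rather than steering the packet.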