Re: [lisp] [5gangip] Fwd: New Version Notification for draft-nordmark-id-loc-privacy-00.txt

Tom Herbert <> Tue, 03 July 2018 15:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4F7D91277CC for <>; Tue, 3 Jul 2018 08:15:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kMea_-j1SnlW for <>; Tue, 3 Jul 2018 08:15:00 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c0c::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 58773130DCC for <>; Tue, 3 Jul 2018 08:15:00 -0700 (PDT)
Received: by with SMTP id t6-v6so2365154wrn.7 for <>; Tue, 03 Jul 2018 08:15:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1knYTn4Igy2DtGW+jwxLw9hhqA9pKeHHD2etcB6mm9Y=; b=I7aJKjXq3FZCPkt6YH//KB5d14gxTLXAD01CzqPE+FBm4DeArFsNW3WUKBOVev1jLS /rJYDUEiNTqf0/EcwY4v+eZ4HuVfs8OBghEVam4NGKZIq9tIFO6qbUIGMP7xExvb2p/I rqweISc9hG8E6kdGMuMQuvTp8QGUV9+M+w6yaQIE8LLceRO5Guj+5UyRulsaGNV9opFa VbL3AL1LhsI+33MaVxqtECaAvJsawI2MyhuSjzVFqKD/K3QjZVhiOdUAjbaEz0gjAfvT U2sIf2JEG2YVV9mUmAg+OHzi1ooIXOPKu7Ty/PNlPigqbjRwaQbnhYQztWwpZOhRqvfF 7kBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1knYTn4Igy2DtGW+jwxLw9hhqA9pKeHHD2etcB6mm9Y=; b=KjKRsVGzLFfadfRh/HFXo77FPgn4lHa8KL2mJgrOMqUk94j+OZy4T501JK2WPLof5q zBgY0tb8J+8SiJm+ui1Cmw0mSp59JxM4ptUQiBxHALdoA4Bxos2tqYuwPQs8JnyHpbAt Guqhc18JJvwE/c+kIgjeH3+/HYW4fUoaf2EtpWBfdzyDW3b5fnE5CbZGhaekIP9jpxNG hapMcoaf8ljtRD7pa54RBAjrOjsDS8tLNmlAVMvUv5Bi5oBcr2uHBVA6lKEAWVc/0Xd2 BKTZLrNBLiTIsVxUyClsbdxg5ibaR9RwIrOiGcs/XAYFtAK0xGn6fegHf0YAu/ZyOLd7 hiYw==
X-Gm-Message-State: APt69E1NeworTsgzXwbZQDpeU4auDWFJww3kQG0gZ9kVNpvnk038UqM0 s7r7LIu+xlNrr+aL29doOR+mqCcORpCXc3GDghsuCA==
X-Google-Smtp-Source: AAOMgpckblLdPtShOD9e2Vx9m4lU/mP7B7mmgoLYIFzYd+tjg8SphRlhpFqz8i3x4AsOr2t6MKbSpb+18Q5BTV1P44U=
X-Received: by 2002:adf:ecc6:: with SMTP id s6-v6mr11026493wro.160.1530630898640; Tue, 03 Jul 2018 08:14:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:adf:fa86:0:0:0:0:0 with HTTP; Tue, 3 Jul 2018 08:14:58 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Tom Herbert <>
Date: Tue, 3 Jul 2018 08:14:58 -0700
Message-ID: <>
To: Jon Crowcroft <>
Cc: Erik Nordmark <>, 5GANGIP <>,, " list" <>, dmm <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [lisp] [5gangip] Fwd: New Version Notification for draft-nordmark-id-loc-privacy-00.txt
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Jul 2018 15:15:04 -0000

On Mon, Jul 2, 2018 at 10:01 PM, Jon Crowcroft
<> wrote:
> what we need is compact onion routing - maybe we could call it garlic routing.
> in all seriousness, if people are worried about privacy with regards
> network operators, or state actors co-ercing network operators, at
> this level, that is what you want. otherwise forget about efficient
> mobile routing - the fact is that the signature of the set of
> locations you visit is enough to re-identify a node pretty quickly -
> its been done (see wetherall's work on this a few years back on simply
> looking at sequences of wifi AP associations, without bothing with end
> system mac addr, to uniquely matc individual (indeed, find their home)
> - you have to get the threat model appropriately...and proportioately


The threat is not limited to coming from network operators, it is
basically from the whole Internet. IP addresses must be sent as clear
text, and when they encode personally identifiable information then
that can be used by third parties to compromise privacy. In mobile
addresses, the threat is both comprising identity and location of the
user. Identity can be compromised when the same address (or device
specific prefix in case of RFC4941 addresses) is reused for different
flows, location is compromised when an address encodes a locator that
can be used to determine specific location. There are publicized
examples of third parties using IP addresses to expose identity and
location (e.g.

In order to provide privacy in addressing, IP addresses need to be
purged of PII. This likely entails minimizing aggregation and a high
frequency of address change in a host. On the surface, this does seem
to be in conflict with "efficient mobile routing" as you mentioned,
however I don't believe that efficient routing is an acceptable trade
off for not providing adequate privacy to users. Alternatives that
achieve both goals should be investigated.
draft-herbert-ipv6-prefix-address-privacy-00 suggests "hidden
aggregation" as one possibility.


> On Mon, Jul 2, 2018 at 11:42 PM, Erik Nordmark <> wrote:
>> This is a rough draft, but hopefully it can stimulate more discussion around
>> privacy considerations.
>> -------- Forwarded Message --------
>> Subject: New Version Notification for draft-nordmark-id-loc-privacy-00.txt
>> Date: Mon, 02 Jul 2018 15:34:11 -0700
>> From:
>> To: Erik Nordmark <>
>> A new version of I-D, draft-nordmark-id-loc-privacy-00.txt
>> has been successfully submitted by Erik Nordmark and posted to the
>> IETF repository.
>> Name:           draft-nordmark-id-loc-privacy
>> Revision:       00
>> Title:          Privacy issues in ID/locator separation systems
>> Document date:  2018-07-02
>> Group:          Individual Submission
>> Pages:          6
>> URL:
>> Status:
>> Htmlized:
>> Htmlized:
>> Abstract:
>>    There exists several protocols and proposals for identifier/locator
>>    split which have some form of control plane by which participating
>>    nodes can use to share their current id to locator information with
>>    their peers.  This document explores some of the privacy
>>    considerations for such a system.
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at
>> The IETF Secretariat
>> _______________________________________________
>> 5gangip mailing list
> _______________________________________________
> 5gangip mailing list