Re: [Pidloc] PIdLoc Webex

Tom Herbert <> Fri, 07 December 2018 19:31 UTC

From: Tom Herbert <>
Date: Fri, 7 Dec 2018 11:31:44 -0800
To: Dino Farinacci <>
Cc:, RJ Atkinson <>, Saleem Bhatti <>, Shunsuke Homma <>, Behcet Sarikaya <>, Luigi Iannone <>,,

On Fri, Dec 7, 2018 at 11:08 AM Dino Farinacci <> wrote:
> > Yes, the network should assign ephemeral addresses. Scaling this so
> > that hosts can use a different address per connection is the problem
> > that ensues.
> For the outer (or only) header, you cannot get assigned ephemeral addresses. They need to be provider-assigned addresses so routing deeper in the network can aggregate such addresses into coarser prefixes.
> And note ISPs want to use uRPF so another reason for provider-assigned addresses. The best way to solve the *entire* problem is to tunnel with encryption from a point inside the ISP. Then the outer addresses are coarsified and the inner addresses are obfuscated.
> You could solve some of the problem with ILA but you need to keep translating the packet as it goes to the destination. And that will be hard to debug since it breaks traceroute.

You are convoluting the behavior of internal network operations with
the externally visible behavior. Think of it this way: we have end
hosts and we have Internet servers. The desired property wrt privacy
is that any host can use an untrackable source address per connection
to talk to any Internet server. Servers on the Internet should not be
able to draw any correlation between any two flows, nor should they be
able to deduce geographic location with any accuracy. End hosts and
servers only see these assigned addresses. They don't know about
mapping systems, underlays, encapsulation, or what the addresses mean
otherwise. All they know is that the addresses identify a
communicating node and are routable in IP packets over the Internet to
some service provider. It is up to the network provider to support
this using mechanisms that scale, but the details of that are not
relevant to privacy as long as the desired external behavior is met
and privacy is maintained.


> Dino
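A small model of the externally visible property argued over above: a host draws a fresh source address per connection from a provider-assigned, aggregatable prefix, the ISP edge applies a uRPF-style prefix check, and a server is left with only what it can correlate from the addresses it sees. This is an added example written for this page, not code from the thread or from any ILA implementation; the /48 documentation prefix, the flow counts and the function names are constructed.

```python
import ipaddress
import secrets
from collections import defaultdict

# Constructed values: a documentation prefix standing in for one provider-assigned /48.
PROVIDER_PREFIX = ipaddress.ip_network("2001:db8:abcd::/48")
ANNOUNCED = [PROVIDER_PREFIX]  # prefixes the ISP edge expects on this interface


def ephemeral_address(prefix=PROVIDER_PREFIX):
    """Random address inside the provider prefix: the high bits stay aggregatable
    and routable, the low 80 bits carry no stable host identity."""
    host_bits = prefix.max_prefixlen - prefix.prefixlen
    return ipaddress.IPv6Address(int(prefix.network_address) | secrets.randbits(host_bits))


def urpf_accepts(src, announced=ANNOUNCED):
    """Strict-uRPF style check at the ISP edge: a source passes only if it lies
    inside a prefix expected on the arrival interface."""
    return any(src in p for p in announced)


def server_view(sources):
    """What an Internet server can infer from observed source addresses:
    exact-address reuse links flows to one host; prefix reuse reveals only the
    provider aggregate, which is as fine-grained as location gets in this model."""
    per_addr = defaultdict(int)
    prefixes = set()
    for src in sources:
        per_addr[src] += 1
        prefixes.add(ipaddress.ip_network(f"{src}/48", strict=False))
    return {"max_flows_per_address": max(per_addr.values()),
            "distinct_prefixes": len(prefixes)}


def simulate(flows, per_connection=True):
    """Run `flows` connections from one host, with a fresh address per connection
    or one stable address, and report uRPF results plus the server's view."""
    if per_connection:
        sources = [ephemeral_address() for _ in range(flows)]
    else:
        stable = ephemeral_address()
        sources = [stable] * flows
    return {"urpf_all_pass": all(urpf_accepts(s) for s in sources),
            **server_view(sources)}


if __name__ == "__main__":
    print("per-connection:", simulate(100))         # every flow on its own address, one prefix
    print("stable address:", simulate(100, False))  # 100 flows linked to a single address
```

Both runs pass the prefix check, so the aggregation and uRPF requirements hold either way; only the per-connection run denies the server a cross-flow link, while the /48 remains visible to it in both.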