Re: Structuring the BKK spin bit discussion

Roland Zink <roland@zinks.de> Wed, 31 October 2018 18:25 UTC

Return-Path: <roland@zinks.de>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60DA8128BCC for <quic@ietfa.amsl.com>; Wed, 31 Oct 2018 11:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zinks.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dTZP3I4QQBsU for <quic@ietfa.amsl.com>; Wed, 31 Oct 2018 11:25:30 -0700 (PDT)
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE38412D4F2 for <quic@ietf.org>; Wed, 31 Oct 2018 11:25:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1541010326; s=strato-dkim-0002; d=zinks.de; h=In-Reply-To:Date:Message-ID:From:References:To:Subject: X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender; bh=CJCTdG6YQm3gpPlmPzBV+zvAvWhwSE+MKo6z5bgvBzk=; b=inXfZrYBK/czH8TovEvgwOuhJXtAOEO5y9Xw1cx9NTtodnXSczKP2d1ojBUxShefkE y4bOceFZYcS9R/rOjhhR32t3XAiEg/0oCYHmwILSqTrJUOgbprFJtO8DdS6zgfaHINzW Y/I/wWcZ+x0hBeAE8Snsy2NqZgfj1dFKhyF2Afr4Z/7JKK2GCfCld5I91s8dFXLTbOUE WJtNeJuvLAPTw2CuTxKnO6Zd+8+zaBgEfLDFVS6of6X5+/MmgJFzm5gndYwRu7yiiD/c 4KOQOqbtno5j5TUsrD2rZAfAZBnX95CmqfQJyZmlKdUydEgCqHKqhlaNKfwOqlif72as WzNA==
X-RZG-AUTH: ":PmMIdE6sW+WWP9q/oR3Lt+I+9LAZzXrcq8knhvfmBiJzkmKn1YaZ2OgvlDQJHaS2TOg="
X-RZG-CLASS-ID: mo00
Received: from [10.10.10.82] by smtp.strato.de (RZmta 44.3 DYNA|AUTH) with ESMTPSA id R07dc3u9VIPQ49e (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp521r1 with 521 ECDH bits, eq. 15360 bits RSA)) (Client did not present a certificate) for <quic@ietf.org>; Wed, 31 Oct 2018 19:25:26 +0100 (CET)
Subject: Re: Structuring the BKK spin bit discussion
To: quic@ietf.org
References: <18A2F994-0E82-48E4-875D-93C674483D49@eggert.org> <20181029160802.GD7258@ubuntu-dmitri> <8268B90E-F109-424C-91A8-DB7BFE208F53@huitema.net> <CANatvzxt-QBmeJUwp+MjtbpYXstPiEigDzQe0KfWJN+q0XR4Kg@mail.gmail.com> <HE1PR0701MB23938B01BC31888DAC3629B8E2CD0@HE1PR0701MB2393.eurprd07.prod.outlook.com> <D8BB0373-FDEB-4312-94E6-BBA304D595BE@trammell.ch> <DM5PR2101MB10464C5346F73F83CAC25BD1B6CD0@DM5PR2101MB1046.namprd21.prod.outlook.com> <1F53D383-37C1-430B-8CC4-416CD5749A2D@trammell.ch>
From: Roland Zink <roland@zinks.de>
Message-ID: <eafbabf7-5eb7-cb57-db96-7d1539691f76@zinks.de>
Date: Wed, 31 Oct 2018 19:25:27 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <1F53D383-37C1-430B-8CC4-416CD5749A2D@trammell.ch>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/IEfm3BCwQvh1VMFyS8Z21zkmLoU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2018 18:25:34 -0000

Am 31.10.2018 um 18:16 schrieb Brian Trammell (IETF):
> hi Praveen,
>
>> On 31 Oct 2018, at 17:32, Praveen Balasubramanian <pravb=40microsoft.com@dmarc.ietf.org>; wrote:
>>
>> Since the handshake exposes the RTT information, what is the geolocation privacy issue resulting from the spin bit? Brian, what are the edge cases you refer to where handshake latency will be different than what is measured by spin bit?
> In the case that...
>
> - ...an end-to-end connection actually terminates at a location different than the apparent location in the endpoint IP address, because the endpoint IP address is a VPN tunnel endpoint
> - ...the "hidden" endpoint is very far (> ~3000-5000km) from the apparent location
> - ...that VPN tunnel exists solely to make the end-to-end association appear to originate from at or near the VPN tunnel endpoint (e.g., anti-geofencing)
>
> then the handshake RTT gives you one sample per flow, and on a per-flow basis, that is not enough evidence to definitively classify that flow as having a far hidden endpoint. The spin bit provides more evidence, since the upper bound on network RTT is the minimum RTT over all samples, and the spin bit gives you more samples per flow.

Often devices have patterns where the RTT can be determined. Android and 
iOS devices (and the Chrome browser) for example keep connections to 
push servers and may do periodic keep-alives. Similar when a video is 
watched using adaptive bitrate like MPEG DASH then there are 
periodically idle times followed by a new request and response. So when 
it is only about the privacy of the users RTT then the privacy isn't 
very high anyway and detection isn't restricted to the handshake.

Regards,

Roland


> This is a contrived example, but the additional marginal geoprivacy risk in this specific instance is nonzero, if epsilon. I don't think it's a practical additional marginal risk, though, because:
>
> - the (non-research) techniques I know of that are deployed to prevent breaking of geofences don't rely on latency measurement, rather on lookups in IP address geolocation databases *.
> - given that one sample per flow in the handshake RTT and the fact that an endpoint will often generate multiple flows, it will eventually be found out anyway. The answer to the question of using a VPN for robust endpoint hiding is "don't do that". a far endpoint actually wants to remain hidden, it should be using a transport-terminating proxy or an anonymity network like Tor, as opposed to a simple L3.5 VPN.
>
> As I said, turning off the spin bit is about peace of mind and information reduction; in my opinion, even in the absence of practical threat, that's reason enough to provide the option.
>
> Cheers,
>
> Brian
>
> * one of the cool things hiding in that IMC paper I cited upthread is the fact that there's at least one anti-geofencing VPN provider that sells the ability to have your traffic appear to come from any country on earth. While the authors do not come right out and say it, it appears that said provider discovered it was sufficient for their business model to have the traffic originate from one of three easy-to-get-to, near-an-IXP datacenters, on three different continents, and to do some Layer 9 work to have the specific IPs labeled as coming from the desired countries in the commercial IP geolocation databases. Hacking the database is way easier than hacking the speed of light. :)
>
>> -----Original Message-----
>> From: QUIC <quic-bounces@ietf.org>; On Behalf Of Brian Trammell (IETF)
>> Sent: Wednesday, October 31, 2018 7:19 AM
>> To: Marcus Ihlar <marcus.ihlar@ericsson.com>;
>> Cc: Lars Eggert <lars@eggert.org>;; IETF QUIC WG <quic@ietf.org>;; huitema <huitema@huitema.net>;; Dmitri Tikhonov <dtikhonov@litespeedtech.com>;; Kazuho Oku <kazuhooku@gmail.com>;
>> Subject: Re: Structuring the BKK spin bit discussion
>>
>> hi Kazuho, Marcus,
>>
>> +1 to this; the intra-network latency variation on the mobile segment of the mobile networks we looked at via the MONROE in the testbed in our PAM paper the followed from the RTT DT work (see https://github.com/mami-project/rtt-privacy-paper/blob/master/rtt-privacy.pdf, especially section 3.1 and figure 2(b)) makes RTT measurement on a mobile network useless for geolocation.
>>
>> We did notice (not shown in the paper) that different carriers (n = 4, if I recall correctly) had distinct latency distributions, so with traffic from all Japanese mobile users you could probably use RTT data in the aggregate to build a "carrier classifier". This is of course a useless exercise because you can already tell which carrier a subscriber is coming from by looking at the IP address of the CGNAT exit.
>>
>> IMO there are only a few edge cases where there are actual potential geoprivacy issues raised by the spin bit with respect to tunneled VPN traffic. All of these involve trans- or intercontinental tunnels (>30ms of additional RTT, for 3000km of location uncertainty -- how far is it from Okinawa to Hokkaido?). In every case the handshake latency gives you away as well, but in every case long RTTs might also have non-distance related causes. So while I see disabling the spin bit as a necessary feature, especially for clients to have, IMO its utility is more useful for peace of mind and information reduction than for actual information elimination.
>>
>> Cheers,
>>
>> Brian
>>
>>> On 31 Oct 2018, at 13:40, Marcus Ihlar <marcus.ihlar@ericsson.com>; wrote:
>>>
>>> Hi Kazuho,
>>> I believe the biggest difference is the size of the hidden network segment.
>>> In the NAT case the client and NAT are still in the same country or continent.
>>> A quick glacne at distancecalculator.net shows that the city farthest from Tokyo in Japan is Naha-Shi, at 1554 km.
>>> That translates to roughly 5ms at the speed of light, so the kinds of measurements to determine distance from Tokyo based on RTT will be extremely sensitive and error prone.
>>> Please note that the distance analyis can be performed on handshake RTT as well, for connections where the initial handshake is visible at the measurement point.
>>>
>>>
>>> Från: QUIC <quic-bounces@ietf.org>; för Kazuho Oku
>>> <kazuhooku@gmail.com>;
>>> Skickat: den 31 oktober 2018 11:20
>>> Till: Christian Huitema
>>> Kopia: Lars Eggert; IETF QUIC WG; Dmitri Tikhonov
>>> Ämne: Re: Structuring the BKK spin bit discussion
>>>
>>> 2018年10月30日(火) 1:54 Christian Huitema <huitema@huitema.net>;:
>>>>
>>>>
>>>>> On Oct 29, 2018, at 9:08 AM, Dmitri Tikhonov <dtikhonov@litespeedtech.com>; wrote:
>>>>>
>>>>>> On Mon, Oct 29, 2018 at 05:26:34PM +0200, Lars Eggert wrote:
>>>>>> We'd specifically like to ask client and server implementors with
>>>>>> projected sizable deployments to indicate whether they intent to
>>>>>> implement and deploy, if the WG decided to include the spin-bit
>>>>>> in the spec.
>>>>> LiteSpeed Technologies will support the spin bit -- both in our
>>>>> server and client QUIC implementations -- if it make it into the
>>>>> draft.
>>>> My implementation is not used in any large scale deployment, but it does support the spin bit. In fact, it has configuration options to support spin bit variants: node, just spin, spin + vec, spin + QR.
>>>>
>>>> I think the strongest objection to the spin bit was put up by Marten during the last interim: measuring the RTT with the spin bit discloses the use of hidden path segments like VPN. This issue was not discussed during the privacy analysis.
>>> May I ask if the VPN users are the only ones that lose some privacy
>>> with spin bits?
>>>
>>> I ask this because I live in a country where IIUC the mobile carriers
>>> place their nation-wide carrier-grade NAT near the capital city (i.e.,
>>> Tokyo). That means that for people living in the country, having spin
>>> bits turned on could reveal their distance from Tokyo.
>>>
>>> So the question is: if VPN users need special care, do some NAT users
>>> as well? Or if the answer is no, what is the difference from between
>>> the two groups?
>>>
>>> Generally speaking, I am not against giving users the freedom to
>>> expose spin bits, however I am wondering how the endpoints should
>>> provide the freedom of choice (UI question) as well as what the
>>> default should be.
>>>
>>>> The privacy issue could be mitigated by turning off the spin bit at privacy sensitive clients, but this would make these clients "stick out".
>>>>
>>>> One solution would be to remove the spin bit from the spec, trading off better privacy for worse management. I am considering another solution in which privacy sensitive clients hide the RTT by controlling the spin, for example spinning at fixed intervals. I plan testing that option in Picoquic.
>>>>
>>>> -- Christian Huitema
>>>>
>>>>
>>>
>>> --
>>> Kazuho Oku