Re: Structuring the BKK spin bit discussion

Kazuho Oku <kazuhooku@gmail.com> Wed, 31 October 2018 22:06 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E91B130DD6 for <quic@ietfa.amsl.com>; Wed, 31 Oct 2018 15:06:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id heM4q-LBmuZf for <quic@ietfa.amsl.com>; Wed, 31 Oct 2018 15:06:41 -0700 (PDT)
Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6D09130DD4 for <quic@ietf.org>; Wed, 31 Oct 2018 15:06:40 -0700 (PDT)
Received: by mail-lf1-x143.google.com with SMTP id n18so4503909lfh.6 for <quic@ietf.org>; Wed, 31 Oct 2018 15:06:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=isHLNyJkXZvM+FiTCS6+Q2XiLitjMQzM4Wei3lKk6no=; b=JZIfwPg6xw8ivqQNEFJD9i076iHg1WIIjN5yZdt+TFz0yBxlWIEpofON3rhV7oRYIm VYwGXhiUUidv9XcLEfLO8xqzCwnEAt8off0Qk9yW8YqSodjoogPjuxFOy7DAnYsB9HUS h0Hy33PH+8V8CurthwB43TtrwRZCre7834s6RXViHRe5LjTZE37Wq+QD3MvmYLA7Myxd bdzyz68b3HjlyNGgZUWdsYM1/hsCUXQvi3W9nxGWLylP0GcRHMnTzvQqzJE4/36AcwBA sYGB4+cQD9vV2I+3Ec2EEk/VhNKjQ2IXSs5yvEPzbCjCVfr9bt8qOLrFlSkz5Gk2rG1E C2gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=isHLNyJkXZvM+FiTCS6+Q2XiLitjMQzM4Wei3lKk6no=; b=g8YbLB5udeItjHXkvKQBKeRmDxZNotz97L42Tb9efq0IX2MCiHosUsKpD107zvByTu Z0aRqrJsecIFM/Ab0+eIbJF9CiPCIJhi7nwsku4no1GCPQunW3dPAZs1Ka6wwfv5wuCb 6xTQSz43UDdBaxd1UuRxug55HlF3ysQtkqVkgOglT9eceKJ1PiHP0fDEEmf0ULuNUDqC zaX685hzirkwMD7WjFkvt/RryglmiseCaU2aldBR6PHEFkUJKUmnVt/MThtNujDRRxzA pIp2EPMvH3vYQeP3Imigu71aFEgv+zdqxKFIXo9bUkbZJnDn2qGoNp5jcHGXWVV5vEy+ 9QJQ==
X-Gm-Message-State: AGRZ1gIhNf7bNA//jVlIReLambzWvMa6ocGKaZv2cUd4DC4EKOcLdg71 odW2t6dkLk4ng0sk9muP/0vIJOvEjYYuodYl9QI=
X-Google-Smtp-Source: AJdET5e8mbYv3A16rze+mt76DwcCBEqpNu1KJ7yUgewv7fCpk0RSksli2Wk16zhRQkbOgVm8XmoogITeGe0pKSGXV2s=
X-Received: by 2002:a19:9b50:: with SMTP id d77mr3011000lfe.137.1541023598708; Wed, 31 Oct 2018 15:06:38 -0700 (PDT)
MIME-Version: 1.0
References: <18A2F994-0E82-48E4-875D-93C674483D49@eggert.org> <20181029160802.GD7258@ubuntu-dmitri> <8268B90E-F109-424C-91A8-DB7BFE208F53@huitema.net> <CANatvzxt-QBmeJUwp+MjtbpYXstPiEigDzQe0KfWJN+q0XR4Kg@mail.gmail.com> <HE1PR0701MB23938B01BC31888DAC3629B8E2CD0@HE1PR0701MB2393.eurprd07.prod.outlook.com> <D8BB0373-FDEB-4312-94E6-BBA304D595BE@trammell.ch>
In-Reply-To: <D8BB0373-FDEB-4312-94E6-BBA304D595BE@trammell.ch>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Thu, 1 Nov 2018 07:06:27 +0900
Message-ID: <CANatvzwZZXB4d43N6g+jJ=HeTEzgdDK5KQVPKVdKDb=kBZzfpw@mail.gmail.com>
Subject: Re: Structuring the BKK spin bit discussion
To: Brian Trammell <ietf@trammell.ch>
Cc: marcus.ihlar@ericsson.com, Christian Huitema <huitema@huitema.net>, Lars Eggert <lars@eggert.org>, IETF QUIC WG <quic@ietf.org>, Dmitri Tikhonov <dtikhonov@litespeedtech.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/XvMg0br4wx8ZrwQmCyxEwQVPJx0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2018 22:06:44 -0000

Hi,

Marcus, Alexandre, Brian, thank you for the responses. My comments below.

2018年10月31日(水) 23:18 Brian Trammell (IETF) <ietf@trammell.ch>;:
>
> hi Kazuho, Marcus,
>
> +1 to this; the intra-network latency variation on the mobile segment of the mobile networks we looked at via the MONROE in the testbed in our PAM paper the followed from the RTT DT work (see https://github.com/mami-project/rtt-privacy-paper/blob/master/rtt-privacy.pdf, especially section 3.1 and figure 2(b)) makes RTT measurement on a mobile network useless for geolocation.
>
> We did notice (not shown in the paper) that different carriers (n = 4, if I recall correctly) had distinct latency distributions, so with traffic from all Japanese mobile users you could probably use RTT data in the aggregate to build a "carrier classifier". This is of course a useless exercise because you can already tell which carrier a subscriber is coming from by looking at the IP address of the CGNAT exit.
>
> IMO there are only a few edge cases where there are actual potential geoprivacy issues raised by the spin bit with respect to tunneled VPN traffic. All of these involve trans- or intercontinental tunnels (>30ms of additional RTT, for 3000km of location uncertainty -- how far is it from Okinawa to Hokkaido?). In every case the handshake latency gives you away as well, but in every case long RTTs might also have non-distance related causes. So while I see disabling the spin bit as a necessary feature, especially for clients to have, IMO its utility is more useful for peace of mind and information reduction than for actual information elimination.

Thank you for sharing the research.

FWIW, inhabited islands of Japan span across 3,000km, however the
longest hidden path of the carrier-grade NAT will be around 2,000km
because Tokyo is located near the middle. So it's a bit shorter than
your numbers.

I can understand that there are other factors that have impact on the
RTT exposed by the spin bit, and that might overshadow the distance.

OTOH, I think it's important to remember that the spin bit expose many
RTT samples (every once an RTT) compared to handshake which is a one
time thing for each connection, or compared to other behavior like
client issuing HTTP requests.

For cases like large file download (in which the only output from the
receiver would be ACKs), I would assume that the spin bit would be by
far the most accurate piece of information for an observer to
determine the RTT to the connection.

>
> Cheers,
>
> Brian
>
> > On 31 Oct 2018, at 13:40, Marcus Ihlar <marcus.ihlar@ericsson.com>; wrote:
> >
> > Hi Kazuho,
> > I believe the biggest difference is the size of the hidden network segment.
> > In the NAT case the client and NAT are still in the same country or continent.
> > A quick glacne at distancecalculator.net shows that the city farthest from Tokyo in Japan is Naha-Shi, at 1554 km.
> > That translates to roughly 5ms at the speed of light, so the kinds of measurements to determine distance from Tokyo based on RTT will be extremely sensitive and error prone.
> > Please note that the distance analyis can be performed on handshake RTT as well, for connections where the initial handshake is visible at the measurement point.
> >
> >
> > Från: QUIC <quic-bounces@ietf.org>; för Kazuho Oku <kazuhooku@gmail.com>;
> > Skickat: den 31 oktober 2018 11:20
> > Till: Christian Huitema
> > Kopia: Lars Eggert; IETF QUIC WG; Dmitri Tikhonov
> > Ämne: Re: Structuring the BKK spin bit discussion
> >
> > 2018年10月30日(火) 1:54 Christian Huitema <huitema@huitema.net>;:
> > >
> > >
> > >
> > > > On Oct 29, 2018, at 9:08 AM, Dmitri Tikhonov <dtikhonov@litespeedtech.com>; wrote:
> > > >
> > > >> On Mon, Oct 29, 2018 at 05:26:34PM +0200, Lars Eggert wrote:
> > > >> We'd specifically like to ask client and server implementors with
> > > >> projected sizable deployments to indicate whether they intent to
> > > >> implement and deploy, if the WG decided to include the spin-bit in
> > > >> the spec.
> > > >
> > > > LiteSpeed Technologies will support the spin bit -- both in our
> > > > server and client QUIC implementations -- if it make it into the
> > > > draft.
> > >
> > > My implementation is not used in any large scale deployment, but it does support the spin bit. In fact, it has configuration options to support spin bit variants: node, just spin, spin + vec, spin + QR.
> > >
> > > I think the strongest objection to the spin bit was put up by Marten during the last interim: measuring the RTT with the spin bit discloses the use of hidden path segments like VPN. This issue was not discussed during the privacy analysis.
> >
> > May I ask if the VPN users are the only ones that lose some privacy
> > with spin bits?
> >
> > I ask this because I live in a country where IIUC the mobile carriers
> > place their nation-wide carrier-grade NAT near the capital city (i.e.,
> > Tokyo). That means that for people living in the country, having spin
> > bits turned on could reveal their distance from Tokyo.
> >
> > So the question is: if VPN users need special care, do some NAT users
> > as well? Or if the answer is no, what is the difference from between
> > the two groups?
> >
> > Generally speaking, I am not against giving users the freedom to
> > expose spin bits, however I am wondering how the endpoints should
> > provide the freedom of choice (UI question) as well as what the
> > default should be.
> >
> > >
> > > The privacy issue could be mitigated by turning off the spin bit at privacy sensitive clients, but this would make these clients "stick out".
> > >
> > > One solution would be to remove the spin bit from the spec, trading off better privacy for worse management. I am considering another solution in which privacy sensitive clients hide the RTT by controlling the spin, for example spinning at fixed intervals. I plan testing that option in Picoquic.
> > >
> > > -- Christian Huitema
> > >
> > >
> >
> >
> > --
> > Kazuho Oku
>


-- 
Kazuho Oku