Re: Structuring the BKK spin bit discussion

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Wed, 31 October 2018 18:30 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BCA312F1A5 for <quic@ietfa.amsl.com>; Wed, 31 Oct 2018 11:30:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nzR9i7Ruq53c for <quic@ietfa.amsl.com>; Wed, 31 Oct 2018 11:30:30 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02149128BCC for <quic@ietf.org>; Wed, 31 Oct 2018 11:30:30 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id h19-v6so1749526iog.9 for <quic@ietf.org>; Wed, 31 Oct 2018 11:30:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to; bh=Vn7e0H4JNhkrOAsHdPuLc4/ee0HW7j3+Ck/ve0KMimo=; b=iIr9VvTEWarsP5PprhCLLbxPeuMvaLBJzO+fDFOFdP7LsjDh3hVqBumFvzOJ2MEMFu f1Ma+Z1MzwKhahTRYFLzIqG16CjWUqd9WJw/x8o5zvwn4tAmw0SXvnjtNSuC3HqEXPSp H3vb9576iDbOaUPvc+vsRxVQN1wuokaCIS6Ai3cKiRGFNT5BNEcO6oYW4N2woljvJfUN NHlQtrEaqGyUaLpMSizEvqSrAeDtGv4ea1MHkmOMdiODjFiChjRWdCntL4PNc0+HAveG 41MNGn+WEqr0ay2Fev0XiAjuav0Bi1CRl12/1Uap2gir7wbQRo8aQj6K3oBBWYxwaZGU wsVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to; bh=Vn7e0H4JNhkrOAsHdPuLc4/ee0HW7j3+Ck/ve0KMimo=; b=c4xHzNOpG1sLxXythIwrfWm2kh/pKqPNxk5oWlDzAztLymkDDjEKxSBQdur2FXnpuf UacpYM1hDiGedblDvVycSZUxuZd4qDxVnwoAmgxUxTWEPnntOLiHn1aZ1oJEyPylt5cN hutNFyWdb6YGEsfTfKWobWR1DD8vSVFzH6Kj3DzGt2uGQ/X2laE35uMzV09HVZany7py pBw5O7j01FAwMET166ITcdG3qtgV3tJ6eOfrzTI/83K/ihraGff0ZRgezKT1gtUc/KL5 zZKeKM2MrklVp8qc+UmfOPNjxbsvYn3zvXr02PN65UVlL/M6AQ/J8NLsd89MankEEUeW mwNQ==
X-Gm-Message-State: AGRZ1gJN7JlQW5o0d8y5d9vjDVBahEKkIlpsEAI4TKDlfH0yFP4yXksh yOtd0WLnLWFhwA3BtQtib+2tYO+TxK+k0ojjlNC2ig==
X-Google-Smtp-Source: AJdET5ecJ8//6bZicKKU8VtXyRIiQR0tDtS3sV0s1ZqGQgXfWdzuuVCLv6NqcUlX1bMZP17l9dV3olF/3+maz1f8FjQ=
X-Received: by 2002:a6b:ed01:: with SMTP id n1-v6mr2889692iog.106.1541010628713; Wed, 31 Oct 2018 11:30:28 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 31 Oct 2018 11:30:27 -0700
From: =?UTF-8?Q?Mikkel_Fahn=C3=B8e_J=C3=B8rgensen?= <mikkelfj@gmail.com>
In-Reply-To: <eafbabf7-5eb7-cb57-db96-7d1539691f76@zinks.de>
References: <18A2F994-0E82-48E4-875D-93C674483D49@eggert.org> <20181029160802.GD7258@ubuntu-dmitri> <8268B90E-F109-424C-91A8-DB7BFE208F53@huitema.net> <CANatvzxt-QBmeJUwp+MjtbpYXstPiEigDzQe0KfWJN+q0XR4Kg@mail.gmail.com> <HE1PR0701MB23938B01BC31888DAC3629B8E2CD0@HE1PR0701MB2393.eurprd07.prod.outlook.com> <D8BB0373-FDEB-4312-94E6-BBA304D595BE@trammell.ch> <DM5PR2101MB10464C5346F73F83CAC25BD1B6CD0@DM5PR2101MB1046.namprd21.prod.outlook.com> <1F53D383-37C1-430B-8CC4-416CD5749A2D@trammell.ch> <eafbabf7-5eb7-cb57-db96-7d1539691f76@zinks.de>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Wed, 31 Oct 2018 11:30:27 -0700
Message-ID: <CAN1APdcRiJcni_K6_bHSvAsWFnTqcn451qnn7oBozD6z=NumPA@mail.gmail.com>
Subject: Re: Structuring the BKK spin bit discussion
To: quic@ietf.org, Roland Zink <roland@zinks.de>
Content-Type: multipart/alternative; boundary="0000000000001ea3ee05798a7fef"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/f4pBtO_5R8qY-52b6o7nvPtSHpo>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2018 18:30:33 -0000

Obviously some research effort has been put into this, but I find it hard
to believe that you cannot approximately geolocate within 3000km
considering that you derive an AES key based on remote timing attacks.


On 31 October 2018 at 19.25.45, Roland Zink (roland@zinks.de) wrote:


Am 31.10.2018 um 18:16 schrieb Brian Trammell (IETF):
> hi Praveen,
>
>> On 31 Oct 2018, at 17:32, Praveen Balasubramanian <pravb=
40microsoft.com@dmarc.ietf.org>; wrote:
>>
>> Since the handshake exposes the RTT information, what is the geolocation
privacy issue resulting from the spin bit? Brian, what are the edge cases
you refer to where handshake latency will be different than what is
measured by spin bit?
> In the case that...
>
> - ...an end-to-end connection actually terminates at a location different
than the apparent location in the endpoint IP address, because the endpoint
IP address is a VPN tunnel endpoint
> - ...the "hidden" endpoint is very far (> ~3000-5000km) from the apparent
location
> - ...that VPN tunnel exists solely to make the end-to-end association
appear to originate from at or near the VPN tunnel endpoint (e.g.,
anti-geofencing)
>
> then the handshake RTT gives you one sample per flow, and on a per-flow
basis, that is not enough evidence to definitively classify that flow as
having a far hidden endpoint. The spin bit provides more evidence, since
the upper bound on network RTT is the minimum RTT over all samples, and the
spin bit gives you more samples per flow.

Often devices have patterns where the RTT can be determined. Android and
iOS devices (and the Chrome browser) for example keep connections to
push servers and may do periodic keep-alives. Similar when a video is
watched using adaptive bitrate like MPEG DASH then there are
periodically idle times followed by a new request and response. So when
it is only about the privacy of the users RTT then the privacy isn't
very high anyway and detection isn't restricted to the handshake.

Regards,

Roland


> This is a contrived example, but the additional marginal geoprivacy risk
in this specific instance is nonzero, if epsilon. I don't think it's a
practical additional marginal risk, though, because:
>
> - the (non-research) techniques I know of that are deployed to prevent
breaking of geofences don't rely on latency measurement, rather on lookups
in IP address geolocation databases *.
> - given that one sample per flow in the handshake RTT and the fact that
an endpoint will often generate multiple flows, it will eventually be found
out anyway. The answer to the question of using a VPN for robust endpoint
hiding is "don't do that". a far endpoint actually wants to remain hidden,
it should be using a transport-terminating proxy or an anonymity network
like Tor, as opposed to a simple L3.5 VPN.
>
> As I said, turning off the spin bit is about peace of mind and
information reduction; in my opinion, even in the absence of practical
threat, that's reason enough to provide the option.
>
> Cheers,
>
> Brian
>
> * one of the cool things hiding in that IMC paper I cited upthread is the
fact that there's at least one anti-geofencing VPN provider that sells the
ability to have your traffic appear to come from any country on earth.
While the authors do not come right out and say it, it appears that said
provider discovered it was sufficient for their business model to have the
traffic originate from one of three easy-to-get-to, near-an-IXP
datacenters, on three different continents, and to do some Layer 9 work to
have the specific IPs labeled as coming from the desired countries in the
commercial IP geolocation databases. Hacking the database is way easier
than hacking the speed of light. :)
>
>> -----Original Message-----
>> From: QUIC <quic-bounces@ietf.org>; On Behalf Of Brian Trammell (IETF)
>> Sent: Wednesday, October 31, 2018 7:19 AM
>> To: Marcus Ihlar <marcus.ihlar@ericsson.com>;
>> Cc: Lars Eggert <lars@eggert.org>;; IETF QUIC WG <quic@ietf.org>;; huitema
<huitema@huitema.net>;; Dmitri Tikhonov <dtikhonov@litespeedtech.com>;;
Kazuho Oku <kazuhooku@gmail.com>;
>> Subject: Re: Structuring the BKK spin bit discussion
>>
>> hi Kazuho, Marcus,
>>
>> +1 to this; the intra-network latency variation on the mobile segment of
the mobile networks we looked at via the MONROE in the testbed in our PAM
paper the followed from the RTT DT work (see
https://github.com/mami-project/rtt-privacy-paper/blob/master/rtt-privacy.pdf,
especially section 3.1 and figure 2(b)) makes RTT measurement on a mobile
network useless for geolocation.
>>
>> We did notice (not shown in the paper) that different carriers (n = 4,
if I recall correctly) had distinct latency distributions, so with traffic
from all Japanese mobile users you could probably use RTT data in the
aggregate to build a "carrier classifier". This is of course a useless
exercise because you can already tell which carrier a subscriber is coming
from by looking at the IP address of the CGNAT exit.
>>
>> IMO there are only a few edge cases where there are actual potential
geoprivacy issues raised by the spin bit with respect to tunneled VPN
traffic. All of these involve trans- or intercontinental tunnels (>30ms of
additional RTT, for 3000km of location uncertainty -- how far is it from
Okinawa to Hokkaido?). In every case the handshake latency gives you away
as well, but in every case long RTTs might also have non-distance related
causes. So while I see disabling the spin bit as a necessary feature,
especially for clients to have, IMO its utility is more useful for peace of
mind and information reduction than for actual information elimination.
>>
>> Cheers,
>>
>> Brian
>>
>>> On 31 Oct 2018, at 13:40, Marcus Ihlar <marcus.ihlar@ericsson.com>;
wrote:
>>>
>>> Hi Kazuho,
>>> I believe the biggest difference is the size of the hidden network
segment.
>>> In the NAT case the client and NAT are still in the same country or
continent.
>>> A quick glacne at distancecalculator.net shows that the city farthest
from Tokyo in Japan is Naha-Shi, at 1554 km.
>>> That translates to roughly 5ms at the speed of light, so the kinds of
measurements to determine distance from Tokyo based on RTT will be
extremely sensitive and error prone.
>>> Please note that the distance analyis can be performed on handshake RTT
as well, for connections where the initial handshake is visible at the
measurement point.
>>>
>>>
>>> Från: QUIC <quic-bounces@ietf.org>; för Kazuho Oku
>>> <kazuhooku@gmail.com>;
>>> Skickat: den 31 oktober 2018 11:20
>>> Till: Christian Huitema
>>> Kopia: Lars Eggert; IETF QUIC WG; Dmitri Tikhonov
>>> Ämne: Re: Structuring the BKK spin bit discussion
>>>
>>> 2018年10月30日(火) 1:54 Christian Huitema <huitema@huitema.net>;:
>>>>
>>>>
>>>>> On Oct 29, 2018, at 9:08 AM, Dmitri Tikhonov <
dtikhonov@litespeedtech.com>; wrote:
>>>>>
>>>>>> On Mon, Oct 29, 2018 at 05:26:34PM +0200, Lars Eggert wrote:
>>>>>> We'd specifically like to ask client and server implementors with
>>>>>> projected sizable deployments to indicate whether they intent to
>>>>>> implement and deploy, if the WG decided to include the spin-bit
>>>>>> in the spec.
>>>>> LiteSpeed Technologies will support the spin bit -- both in our
>>>>> server and client QUIC implementations -- if it make it into the
>>>>> draft.
>>>> My implementation is not used in any large scale deployment, but it
does support the spin bit. In fact, it has configuration options to support
spin bit variants: node, just spin, spin + vec, spin + QR.
>>>>
>>>> I think the strongest objection to the spin bit was put up by Marten
during the last interim: measuring the RTT with the spin bit discloses the
use of hidden path segments like VPN. This issue was not discussed during
the privacy analysis.
>>> May I ask if the VPN users are the only ones that lose some privacy
>>> with spin bits?
>>>
>>> I ask this because I live in a country where IIUC the mobile carriers
>>> place their nation-wide carrier-grade NAT near the capital city (i.e.,
>>> Tokyo). That means that for people living in the country, having spin
>>> bits turned on could reveal their distance from Tokyo.
>>>
>>> So the question is: if VPN users need special care, do some NAT users
>>> as well? Or if the answer is no, what is the difference from between
>>> the two groups?
>>>
>>> Generally speaking, I am not against giving users the freedom to
>>> expose spin bits, however I am wondering how the endpoints should
>>> provide the freedom of choice (UI question) as well as what the
>>> default should be.
>>>
>>>> The privacy issue could be mitigated by turning off the spin bit at
privacy sensitive clients, but this would make these clients "stick out".
>>>>
>>>> One solution would be to remove the spin bit from the spec, trading
off better privacy for worse management. I am considering another solution
in which privacy sensitive clients hide the RTT by controlling the spin,
for example spinning at fixed intervals. I plan testing that option in
Picoquic.
>>>>
>>>> -- Christian Huitema
>>>>
>>>>
>>>
>>> --
>>> Kazuho Oku