Re: [v6ops] Are we competitive?

[Tom Herbert <tom@herbertland.com>]

On Mon, Aug 15, 2022 at 4:38 PM Fernando Gont <fgont@si6networks.com> wrote:
>
> Tom,
>
> On 15/8/22 12:27, Tom Herbert wrote:
> [...]
> >
> > The moment someone connects to an external host on the Internet such a
> > number is leaked. For instance, if an attacker has access to an
> > Internet server with a user login, they would have the mapping from
> > address to user PII.
>
> Of course, if/when you authenticate, all bets are of. But for other
> cases, masquerading the the address does help.
>
>
>
> > For real, quantifiable privacy in Internet addressing, we need to give
> > each connection its own unique pseudo random address.
>
> Two things:
>
> 1) You say "quantifiable"... -- what are the metrics/units you are
> considering? How would you measure this quantity?
>

Hi Fernando,

Here are the criteria from draft-herbert-ipv6-prefix-address-privacy
that make good privacy in addressing quantifiable:

* Given two addresses and no other information, the desired properties
of correlating them are:

        *It may be inferred if they belong to the same organization and
          registry. This is true for any two global IP addresses.

       * It may be inferred that they belong to the same broad
          grouping, such as a geographic region, if the information is
          encoded in the organizational bits of the address.

       * No correlation can be made for a user's Personal Identifiable
Information (PII).
         This includes identity of a user as well as location (other
than broad geographic
          location as described above)

      * No topological correlation can be established. It cannot be inferred
          that the IP addresses address the same node, the addressed
          nodes reside in the same subnet, rack, or department, or that
          the nodes for the two addresses have any geographic proximity
          to one another (other than the broad geographic and organizational
          correlations described above)

      * No correlation can be made for a user's Personal Identifiable
Information (PII).
        This includes identity of a user as well as location

 > 2) Other than masquerading, the only part that you can improve in terms
> of privacy is the IID. Because the rest of the address (the prefix) does
> need to leak information about the topology -- that's why the identifier
> is called an address in the first place.

An Internet address encodes both an identifier and location in the
topology. But the problem is probably worse than you think. Some
mobile providers assign a sixty-four bit prefix to each of their
customer devices, so the upper sixty-four bits of such addresses is
sufficient as PII for the user, and RFC8981 offers no benefit for user
privacy. In other cases, a mobile device might be assigned an address
for the local cell they are in thereby encoding the user's location in
the address. If an attacker has access to the user's identity via the
exploit I described, they would also know the user's physical location
as well.

So with respect to privacy in addressing, I believe that IPv6 is
likely worse privacy than IPv4 (with CGNAT). This is bad for users who
are interested in protecting their privacy in communications (and we
should assume that all users need strong privacy in the same way they
need strong security). This is also bad for network providers that
don't want to expose their topology to the world. So IMO, IPv6 is at a
competitive disadvantage to IPv4 in this regard. This liability can be
addressed in IPv6, but we need to use the voluminous IPv6 address to
much better effect than currently done.

Tom

>
> Thanks,
> --
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494