Hello Abe,
Users are unwilling to be watched by any parties(ISP, and ICP also) excepts
users themselves. Actually I would like to divide the arguments into 2 case:
network layers and below (not completely but mostly controlled by ISP);
transport layers and above (not completely but mostly controlled by ICP).
1) For transport layers and above, Encryption Everywhere (like TLS) is a good
tool to provide user privacy. However, it is only a tool against ISPs, while
ICPs survive and keep gaining revenue (even by selling data like the negative
news of Facebook, or Meta, whatever you call it). As discussed, it is not
networks faults because IP provides peer-to-peer already. You may blame CGNAT
in ISP increasingly contributes to a C/S mode in replacing P2P, like in China
where IPv4 addresses are scare and CGNAT is almost everywhere. However, I don’t
find the situation any better in U.S. where most of IPv4 address are located.
It is a business choice to overwrite the mode to be peer-ICP-peer(C/S mode) at
application layer, other than utilize the P2P mode that natively provided by IP.
In this case, there are trust points and they are ICPs.
2) For network layers and below, ISP and IP still provide a pure P2P network,
and Encryption in TLS do not blind ISP in IP layer since IP header is still in
plaintext and almost controlled by ISP. That is to say, in an access network
scenario, the access network provide can see every trace of every user at
network layer level (although exclude the encrypted payload). To against this,
one can use Proxy(i.e., VPN, Tor) to bypass the trace analysis just like the
CGNAT does. The only difference is that detour points (Proxies) belong to a
third party, not ISP.
In this case, there are trust points and they are third party proxies.
The bottom line is that trust points are everywhere explicitly or implicitly,
and privacy can be leaked from every (trust) point that you trust (or have
business with). No matter what network system you have, no matter it is PSTN or
ATM, these trust points are just the weak points for your privacy, and the only
things users can beg is that *ALL* trust points are 1) well behave/don’t be
evil; 2)system is advanced enough that can’t be hacked by any others; 3)
protected by law.
I would say pretty challenging and also expecting to reach that.
Network itself just cannot be bypassed in reaching that.
Merry Christmas,
Yihao
From: Abraham Y. Chen <ayc...@avinta.com>
Sent: 2021年12月23日 10:01
To: Jiayihao <jiayi...@huawei.com>
Cc: t...@herbertland.com; int-area@ietf.org
Subject: Re: [Int-area] Where/How is the features innovation, happening? Re:
202112221726.AYC
Importance: High
Hi, YiHao:
0) I am glad that you distilled the complex and elusive privacy / security
tradeoff issues to a very unique and concise perspective.
1) Yes, the IPv4 CG-NAT and IPv6 Temporary address may seem to provide some
privacy protection. However, with the availability of the computing power,
these (and others such as VPN) approaches may be just ostrich mentality. On
the other hand, they provide the perfect excuse for the government (at least
US) to justify for "mass surveillance". For example, the following is a recent
news report which practically defeats all current "privacy protection" attempts.
https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrorism-conviction-mass-surveillance-case/6440325001/
[jiayihao] there is no doubt.
2) Rather than contradicting efforts, it is time to review whether any of
these schemes such as mapping techniques really is effective for the perceived
"protection". As much of the current science fiction type crime scene detective
novel / movie / TV program hinted, the government probably has more capability
to zero-in on anyone than an ordinary citizen can imagine, anyway. And,
businesses have gathered more information about us than they will ever admit.
Perhaps we should "think out of the box" by going back to the PSTN days of
definitive subscriber identification systems, so that accordingly we will
behave appropriately on the Internet, and the government will be allowed to
only monitor suspected criminals by filing explicit (although in secret)
requests, case by case, to the court for approval?
Happy Holidays!
Abe (2021-12-22 21:00 EST)
Hello Tom,
The privacy countermeasure for IPv4/IPv6 is interestingly different.
IPv4 usually utilize CGNAT, i.e., M(hosts)-to-N(IPs), where M >> N so that the
host could remain anonymous
IPv6 usually utilize Temporary address, i.e., 1(host)-to-M(IPs[at least suffix
level]), where M >> 1 so that the host could remain anonymous.
HOWEVER, I don't feel any approach reaches privacy perfectly, because access
network have a global perspective on M-to-N or 1-to-M mapping.
For this, it is hard to be convinced that IPv4/6 itself can reach a perfect
privacy.
Thanks,
Yihao Jia
-----------
I believe CGNAT is better than IPv6 in terms of privacy in addressing.
In fact one might argue that IPv4 provides better privacy and security
than IPv6 in this regard. Temporary addresses are not single use which
means the attacker can correlate addresses from a user between
unrelated flows during the quantum the temporary address is used. When
a user changes their address, the attacker can continue monitoring if
it is signaled that the address changed. Here is a fairly simple
exploit I derived to do that (from
draft-herbert-ipv6-prefix-address-privacy-00).
The exploit is:
o An attacker creates an "always connected" app that provides some
seemingly benign service and users download the app.
o The app includes some sort of persistent identity. For instance,
this could be an account login.
o The backend server for the app logs the identity and IP address
of a user each time they connect
o When an address change happens, existing connections on the user
device are disconnected. The app will receive a notification and
immediately attempt to reconnect using the new source address.
o The backend server will see the new connection and log the new
IP address as being associated with the specific user. Thus,
the server has
a real-time record of users and the IP address they are using.
o The attacker intercepts packets at some point in the Internet.
The addresses in the captured packets can be time correlated
with the server database to deduce identities of parties in
communications that are unrelated to the app.
The only way I see to mitigate this sort of surveillance is single use
addresses. That is effectively what CGNAT can provide.
Tom
[Image removed by
sender.]<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon>
Virus-free.
www.avast.com<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link>
_______________________________________________
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area
