Hi, YiHao:
0) Hope you had a Merry Christmas as well!
1) Re: Ur. Pts 1) & 2): Allow me to modify and expand your
definitions of the abbreviations, ICP & ISP, a bit to streamline our
discussion, then focus on the related meanings of the two keyword
prefixes, "C" and "A", in the middle of them:
A. ICP (Internet Content Provider): This is the same as you
are using.
B. IAP (Internet Access Provider): This will represent the
ISP that you are referring to.
C. ISP (Internet Service Provider): This will be used as the
general expression that covers both ICP and IAP above.
With these, I agree in general with your analysis.
2) From the above, there is a simpler (layman's instead of
engineer's) way to look at this riddle. Let's consider the old fashioned
postal service. A letter itself is the "Content". The envelope has the
"Address". The postal service cares only what is on the envelope. In
fact, it is commonly practiced, without being explicitly identified, that one
letter may have multiple layers of envelopes, each of which is opened by the
"Addressee", who then forwards it to the next "Addressee" according to the
"Address" on the inside envelope. On a larger scale, postal
services put envelopes destined to the same city in one bag. Then, bags
destined to the same country in one container, etc. This process is
refined to multiple levels depending on the volume of the mail and the
facility (routes) available for delivery. Then, the containers are
opened progressively along the destination route. No wonder that the US
Postal Service claimed (during the early days of the Internet) that the
mail system was the first "packet switching" system.
3) So, in this analogy, the "Address" on each and every envelope has
to be in the clear (not coded or encrypted in any sense) for the mail
handlers to work with. It is only the innermost "Content", the letter
itself, that can have confidential information (or be encrypted if the sender
wishes). Under this scenario, the LE (Law Enforcement) is allowed only
to track suspected mail by the "Addresses". And, any specific
surveillance is only authorized by court, case by case. While no one can
prevent LE bypassing this procedure, cases built by violating this
requirement would be grounds for being thrown out of court.
4) However, in the Internet environment, many, if not most,
Addresses are dynamic. There is no way to specify an IP Address for
surveillance of a suspect. This gives the LE the perfect excuse to scoop
up everything and then analyze offline. This gives them plenty of time
to try various ways to decrypt the encoded messages and the opportunity
to sift through everything for incidental "surprise bonus finds". The
result is that practically no privacy is left for anyone. This means that
all of the schemes of scrambling IP Addresses are useless at the end.
So, why do we bother with doing so, at all?
Happy New Year!
Abe (2021-12-27 21:59)
On 2021-12-23 22:26, Jiayihao wrote:
Hello Abe,
Users are unwilling to be watched by any parties (ISP, and ICP also)
except users themselves. Actually I would like to divide the
arguments into 2 cases: network layers and below (not completely but
mostly controlled by ISP); transport layers and above (not completely
but mostly controlled by ICP).
1) For transport layers and above, Encryption Everywhere (like TLS) is
a good tool to provide user privacy. However, it is only a tool
against ISPs, while ICPs survive and keep gaining revenue (even by
selling data, like the negative news of Facebook, or Meta, whatever you
call it). As discussed, it is not the network's fault because IP provides
peer-to-peer already. You may blame CGNAT in ISPs, which increasingly
contributes to a C/S mode replacing P2P, like in China where IPv4
addresses are scarce and CGNAT is almost everywhere. However, I don't
find the situation any better in the U.S., where most IPv4 addresses are
located. It is a business choice to overwrite the mode to be
peer-ICP-peer (C/S mode) at the application layer, rather than utilizing the
P2P mode natively provided by IP.
In this case, there are trust points and they are ICPs.
2) For network layers and below, ISP and IP still provide a pure P2P
network, and encryption in TLS does not blind the ISP at the IP layer, since the IP
header is still in plaintext and almost controlled by the ISP. That is to
say, in an access network scenario, the access network provider can see
every trace of every user at the network layer level (although excluding the
encrypted payload). To counter this, one can use a Proxy (i.e., VPN, Tor)
to bypass the trace analysis, just like the CGNAT does. The only
difference is that the detour points (Proxies) belong to a third party,
not the ISP.
In this case, there are trust points and they are third party proxies.
The bottom line is that trust points are everywhere, explicitly or
implicitly, and privacy can be leaked from every (trust) point that
you trust (or have business with). No matter what network system you
have, no matter whether it is PSTN or ATM, these trust points are just the
weak points for your privacy, and the only thing users can beg for is
that **ALL** trust points 1) behave well / don't be evil; 2) run a system
advanced enough that it can't be hacked by any others; 3) are protected by
law.
I would say pretty challenging and also expecting to reach that.
Network itself just cannot be bypassed in reaching that.
Merry Christmas,
Yihao
*From:* Abraham Y. Chen <ayc...@avinta.com>
*Sent:* 23 December 2021 10:01
*To:* Jiayihao <jiayi...@huawei.com>
*Cc:* t...@herbertland.com; int-area@ietf.org
*Subject:* Re: [Int-area] Where/How is the features innovation,
happening? Re: 202112221726.AYC
*Importance:* High
Hi, YiHao:
0) I am glad that you distilled the complex and elusive privacy /
security tradeoff issues to a very unique and concise perspective.
1) Yes, the IPv4 CG-NAT and IPv6 Temporary address may seem to
provide some privacy protection. However, with the availability of
computing power, these (and other) approaches, such as VPN, may be just
ostrich mentality. On the other hand, they provide the perfect excuse
for the government (at least US) to justify "mass surveillance".
For example, the following is a recent news report which practically
defeats all current "privacy protection" attempts.
https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrorism-conviction-mass-surveillance-case/6440325001/
[jiayihao] there is no doubt.
2) Rather than contradicting efforts, it is time to review whether
any of these schemes, such as mapping techniques, really is effective
for the perceived "protection". As many of the current science-fiction
type crime scene detective novels / movies / TV programs have hinted, the
government probably has more capability to zero in on anyone than an
ordinary citizen can imagine, anyway. And, businesses have gathered
more information about us than they will ever admit. Perhaps we should
"think out of the box" by going back to the PSTN days of definitive
subscriber identification systems, so that accordingly we will behave
appropriately on the Internet, and the government will be allowed to
only monitor suspected criminals by filing explicit (although in
secret) requests, case by case, to the court for approval?
Happy Holidays!
Abe (2021-12-22 21:00 EST)
Hello Tom,
The privacy countermeasures for IPv4/IPv6 are interestingly different.
IPv4 usually utilizes CGNAT, i.e., M (hosts)-to-N (IPs), where M >> N so that the
host could remain anonymous.
IPv6 usually utilizes Temporary addresses, i.e., 1 (host)-to-M (IPs [at least at
suffix level]), where M >> 1 so that the host could remain anonymous.
HOWEVER, I don't feel any approach reaches privacy perfectly, because the access
network has a global perspective on the M-to-N or 1-to-M mapping.
For this, it is hard to be convinced that IPv4/6 itself can reach perfect
privacy.
Thanks,
Yihao Jia
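The two mappings Yihao contrasts above (CGNAT's M-to-N and temporary addresses' 1-to-M) and the point that the access network holds the whole mapping can be made concrete with a small model. The following is an added example written for this thread, not code from any of the participants: it builds a constructed flow log for six subscribers under each scheme, shows what an on-path observer outside the access network can infer from a source address alone, and shows that the access network, which keeps the (address, port, time) to subscriber log, resolves every flow under either scheme. Subscriber names, the 203.0.113.0/24 and 2001:db8:: documentation prefixes, ports and slot counts are all made-up sample values.

```python
"""Toy model of the two address-privacy schemes compared in the mail:
CGNAT (M hosts behind N public IPs) and IPv6 temporary addresses
(1 host behind M rotating addresses).  It contrasts what an observer
outside the access network can infer from a source address with what the
access network itself can resolve from its own mapping log.  All hosts,
addresses, ports and slot counts are constructed sample values."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int      # time slot in which the flow was seen
    host: str   # subscriber identity, known only inside the access network
    src: str    # source address seen by anyone on the path outside it
    sport: int  # source port seen on the path


def cgnat_flows(hosts, public_ips, slots):
    """M hosts share N public IPs (M-to-N).  This toy NAT pins subscriber i
    to public IP i mod N and gives it one fixed port, the way a port-block
    CGNAT hands each subscriber a slice of one address."""
    return [Flow(t, h, public_ips[i % len(public_ips)], 1024 + i)
            for t in range(slots) for i, h in enumerate(hosts)]


def temp_addr_flows(hosts, slots, rotate_every, prefix="2001:db8::"):
    """Each host sources from an address of its own and rotates the suffix
    every `rotate_every` slots (1-to-M), a crude stand-in for temporary
    addresses.  2001:db8:: is the IPv6 documentation prefix, used here only
    as a constructed sample."""
    return [Flow(t, h, f"{prefix}{i:x}:{t // rotate_every:x}", 40000 + t)
            for t in range(slots) for i, h in enumerate(hosts)]


def hosts_behind(flows, src):
    """Outside view: the set of subscribers that have ever sourced from
    `src`.  A larger set means an on-path observer learns less from the
    address alone."""
    return {f.host for f in flows if f.src == src}


def addresses_used_by(flows, host):
    """Outside view: the distinct addresses one subscriber has presented.
    More addresses means fewer of its flows can be linked by address alone."""
    return {f.src for f in flows if f.host == host}


def access_network_resolve(flows, src, sport, t):
    """Inside view: the access network keeps the (address, port, time) to
    subscriber log, so it resolves any observed flow to exactly one
    subscriber under either scheme.  Returns None if the tuple is unknown."""
    hits = {f.host for f in flows
            if f.src == src and f.sport == sport and f.t == t}
    if len(hits) != 1:
        return None
    return hits.pop()


def summarize(flows):
    """Per-address anonymity-set size and per-host address count."""
    by_src, by_host = defaultdict(set), defaultdict(set)
    for f in flows:
        by_src[f.src].add(f.host)
        by_host[f.host].add(f.src)
    return ({s: len(h) for s, h in by_src.items()},
            {h: len(s) for h, s in by_host.items()})


if __name__ == "__main__":
    subs = [f"sub{i}" for i in range(6)]  # constructed subscriber ids
    schemes = (("CGNAT", cgnat_flows(subs, ["203.0.113.1", "203.0.113.2"], 4)),
               ("temp-addr", temp_addr_flows(subs, 4, 2)))
    for name, flows in schemes:
        per_addr, per_host = summarize(flows)
        print(f"{name}: subscribers per address {per_addr}")
        print(f"{name}: addresses per subscriber {per_host}")
        f = flows[-1]
        who = access_network_resolve(flows, f.src, f.sport, f.t)
        print(f"{name}: access network resolves {f.src}:{f.sport} at t={f.t} -> {who}")
```

Under CGNAT each public address hides three of the six subscribers from an outside observer, while each subscriber is pinned to a single address; under temporary addresses every address belongs to exactly one subscriber, but each subscriber cycles through several addresses. In both cases the access network's own log answers the lookup unambiguously, which is the asymmetry the mail is pointing at.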
-----------
I believe CGNAT is better than IPv6 in terms of privacy in addressing.
In fact one might argue that IPv4 provides better privacy and security
than IPv6 in this regard. Temporary addresses are not single use which
means the attacker can correlate addresses from a user between
unrelated flows during the quantum the temporary address is used. When
a user changes their address, the attacker can continue monitoring if
it is signaled that the address changed. Here is a fairly simple
exploit I derived to do that (from
draft-herbert-ipv6-prefix-address-privacy-00).
The exploit is:
o An attacker creates an "always connected" app that provides some
seemingly benign service and users download the app.
o The app includes some sort of persistent identity. For instance,
this could be an account login.
o The backend server for the app logs the identity and IP address
of a user each time they connect
o When an address change happens, existing connections on the user
device are disconnected. The app will receive a notification and
immediately attempt to reconnect using the new source address.
o The backend server will see the new connection and log the new
IP address as being associated with the specific user. Thus,
the server has a real-time record of users and the IP address they are using.
o The attacker intercepts packets at some point in the Internet.
The addresses in the captured packets can be time correlated
with the server database to deduce identities of parties in
communications that are unrelated to the app.
The only way I see to mitigate this sort of surveillance is single use
addresses. That is effectively what CGNAT can provide.
Tom
_______________________________________________
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area