[ipv6hackers] Dynamic prefixes & privacy (was: IPv6 prefix changing)
Alex List
alex.list.gm at googlemail.com
Mon Mar 19 08:47:30 CET 2012
Hello Owen,
first of all, thank you for your participation in this discussion, I
really appreciate it.
> ULA prefixes can't talk to the global internet.
I know, that's the reason why I've mentioned NPTv6 [1]
> Perhaps you should become familiar with the basics of how routing
> actually works before pursuing this further...
Your advice surprised me, but I know it's difficult to estimate how
much a newcomer understands. Well, I myself have difficulties in
figuring out whether I really understand specific topics, thus I'm
very thankful when people tell me when I don't. I made the analogy of
calling my boss in order to illustrate what I want to achieve in terms
of information hiding. I was not thinking about the underlying
switching technology. In fact, in circuit switching I would not have
needed to use the metaphor of calling my colleague, as it's also
possible to disable the caller id [2]. I have no doubt that such level
of information hiding is much harder to achieve in packet switching
networks, especially when we consider the myriad of tracking
techniques available at the application layer. That is the reason why
I have named this thread "Dynamic prefixes and privacy". You may of
course argue that it does not make sense to focus at the network
layer, but that would be another discussion.
> IPv6 privacy extensions prevent one from using someone's MAC
> address to track their mobility across different network segments.
> They do nothing to anonymize your prefix.
Yes, that's clear to me [3].
> Dynamic prefixes aren't exactly deterministic, but, they are what I would
> call long-lived. In most cases to be useful in the routing system, they
> need to be sufficiently long-lived that they can't really offer much in
> the way of anonymity.
Interesting point. In your opinion, in the case of DSL residential
customers, what would be the minimum prefix lease time in order to be
useful for the routing system?
> As to your question of "if CGNs are here to stay", well, hopefully they
> are very much not here to stay. CGNs are a really bad hack. A worse
> hack even than existing IPv4 NAT. They severely limit the utility of
> the internet and the applications and innovations that can be
> accomplished while they are in place. Hopefully they will be very
> temporary in nature and will only apply to IPv4.
Actually that was not a question, but rather a premise for the
subsequent statement. If I need a CGN in my infrastructure, and for
whatever reason a customer wants me to do NPTv6 on his behalf, I'd
like to understand whether it would make sense to use the CGN for
that.
> One of the biggest benefits of IPv6 is eliminating NAT. Adding it back
> in is so antithetical to goodness I can only stare at your last sentence
> in dismay and shake my head in disgust.
Sorry, I didn't expect that my last sentence would raise such
feelings. I'll try to be more careful with the language when dealing
with controversial topics next time.
Regards, Alex
Refs:
[1] "NPTv6: The Simplest Case", http://tools.ietf.org/html/rfc6296#section-2.1
[2] http://en.wikipedia.org/wiki/Caller_ID#Disabling
[3] "Privacy Extensions for Stateless Address Autoconfiguration in
IPv6", http://tools.ietf.org/html/rfc4941
On 16 March 2012 at 12:20, Owen DeLong <owend at he.net> wrote:
>
> On Mar 16, 2012, at 1:06 AM, Alex List wrote:
>
>> Hi,
>>
>>> Not exactly, but yes. IPv6 privacy extensions alone would be sufficient to
>>> make IP based tracking a lot harder and too inaccurate for the marketing
>>> company.
>>
>> Due to the /64 bits left I don't agree, but from the discussion so far
>> I understand that:
>>
>> - there is indeed no point in using dynamic prefixes for privacy if
>> they were deterministic
>> - random prefix assignments scare many people
>>
>> But wait, aren't ULA prefixes random? If CGNs were here to stay[1],
>> why couldn't they provide a "network layer privacy" [2] service? If
>> they claim to be so good at NATPT44, NPTv6 should be a piece of cake.
>>
>
> ULA prefixes can't talk to the global internet. If you don't want to talk to
> the global internet and have packets routed back to you, you can be as
> anonymous as you want. If you want the rest of the world to be able to
> answer when you send them a packet, then there has to be a way for
> them to get the answers back to you. Kind of reduces the probability
> of useful anonymity short of using an anonymizing proxy or some other
> such construct.
>
> Perhaps you should become familiar with the basics of how routing
> actually works before pursuing this further.
>
> I wouldn't say that random prefix assignments scare people so much
> as those of us who understand how the internet actually works realize
> that they aren't really technically viable. (see my reference to having
> your phone number randomized).
>
> The difference is that in the phone network, since it is circuit switched,
> the routing is all handled as part of the call setup and there is no need
> for the remote destination to know the source address because the
> destination does not participate at all in the routing decision.
>
> With a packet switched network where each packet of information is
> individually routed on a hop-by-hop basis, the story is a bit different.
> The remote destination has to be able to place the originator's source
> address into reply packet headers in order for them to reach the
> originator.
>
> IPv6 privacy extensions prevent one from using someone's MAC
> address to track their mobility across different network segments.
> They do nothing to anonymize your prefix.
>
> Dynamic prefixes aren't exactly deterministic, but, they are what I would
> call long-lived. In most cases to be useful in the routing system, they
> need to be sufficiently long-lived that they can't really offer much in
> the way of anonymity.
>
> As to your question of "if CGNs are here to stay", well, hopefully they
> are very much not here to stay. CGNs are a really bad hack. A worse
> hack even than existing IPv4 NAT. They severely limit the utility of
> the internet and the applications and innovations that can be
> accomplished while they are in place. Hopefully they will be very
> temporary in nature and will only apply to IPv4.
>
> One of the biggest benefits of IPv6 is eliminating NAT. Adding it back
> in is so antithetical to goodness I can only stare at your last sentence
> in dismay and shake my head in disgust.
>
> Owen
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
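Since the thread turns on Alex's reference [1] (NPTv6, RFC 6296) and on Owen's point that a reply must be routable back to a deterministic source, here is an added worked example, not code from either poster or from the RFC, of the checksum-neutral /48 prefix mapping that NPTv6 performs. The prefixes and host addresses are constructed for illustration (a ULA on the inside, the 2001:db8::/32 documentation block on the outside); the algorithm follows my reading of RFC 6296 section 3.1 (one's-complement adjustment of the 16-bit subnet word, writing 0x0000 where the result would be 0xFFFF), and `checksum_neutral` is a check I added to confirm the property the RFC promises. What it shows, for the privacy question, is that the mapping is a fixed 1:1 function of the inside address: every outbound packet from a given inside host carries the same outside address, so the translation hides the ULA prefix but does not make the host any less trackable.

```python
"""Checksum-neutral NPTv6 /48 prefix translation (after RFC 6296 section 3.1).

Added illustration for the ipv6hackers thread; the sample prefixes below
are constructed, and the algorithm is my reading of the RFC, not its text.
"""
import ipaddress


def _words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_sum(words):
    """One's-complement (end-around-carry) sum of 16-bit words, folded to 16 bits."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total & 0xFFFF


def ones_neg(x):
    """One's-complement negation of a 16-bit word."""
    return (~x) & 0xFFFF


def _canon(s):
    """0x0000 and 0xFFFF are the same value in one's-complement arithmetic."""
    return 0 if s == 0xFFFF else s


class NPTv6:
    """Stateless 1:1 mapping between an inside /48 and an outside /48."""

    def __init__(self, inside, outside):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this sketch implements only the /48 case")
        sum_in = ones_sum(_words(self.inside.network_address)[:3])
        sum_out = ones_sum(_words(self.outside.network_address)[:3])
        # adjustment = sum_in - sum_out, computed in one's-complement arithmetic,
        # so that replacing the prefix and adding it to word 3 leaves the
        # one's-complement sum of the whole address (and thus any transport
        # checksum covering the pseudo-header) unchanged.
        self.adjustment = ones_sum([sum_in, ones_neg(sum_out)])

    def _translate(self, addr, src_net, dst_net, delta):
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            raise ValueError(f"{a} is not inside {src_net}")
        words = _words(a)
        words[:3] = _words(dst_net.network_address)[:3]   # swap the /48 prefix
        w3 = ones_sum([words[3], delta])                  # adjust the subnet word
        words[3] = 0x0000 if w3 == 0xFFFF else w3         # RFC 6296: never write 0xFFFF
        return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))

    def outbound(self, addr):
        """Inside address -> outside address (packet leaving the site)."""
        return self._translate(addr, self.inside, self.outside, self.adjustment)

    def inbound(self, addr):
        """Outside address -> inside address (reply coming back)."""
        return self._translate(addr, self.outside, self.inside, ones_neg(self.adjustment))


def checksum_neutral(addr_a, addr_b):
    """True when both addresses have the same one's-complement sum."""
    return _canon(ones_sum(_words(addr_a))) == _canon(ones_sum(_words(addr_b)))


if __name__ == "__main__":
    # Constructed sample: ULA inside, documentation prefix outside.
    t = NPTv6("fd01:203:405::/48", "2001:db8:1::/48")
    host = "fd01:203:405:10:a1b2:c3d4:e5f6:789"
    out = t.outbound(host)
    print(f"adjustment word : {t.adjustment:#06x}")
    print(f"{host} -> {out} (checksum neutral: {checksum_neutral(host, str(out))})")
    print(f"{out} -> {t.inbound(str(out))}")
    # Edge case: a subnet word whose adjusted value would be 0xFFFF is written as 0.
    print(t.outbound("fd01:203:405:2ab0::1"), "<-", t.inbound("2001:db8:1::1"))
```

Running it twice, or from two different replies, produces the same outside address for the same inside host, which is the property Owen describes: the remote side needs a stable address to send replies to, and NPTv6 gives it exactly that.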