
RE: Netfilter (Linux) Does IPv6 NAT

2011-12-06 10:43:14
Hi Martin, 

-----Original Message-----
From: Martin Rex [mailto:mrex(_at_)sap(_dot_)com]
Sent: Tuesday, 6 December 2011 1:30 PM
To: Greg Daley
Cc: mrex(_at_)sap(_dot_)com; mail-dated-1325290081.a3a4e0@sabahattin-
gucukoglu.com; ietf(_at_)ietf(_dot_)org
Subject: Re: Netfilter (Linux) Does IPv6 NAT

Greg Daley wrote:

The assumption that information is present only within the IP address
is erroneous.
This has been studied for mobile IPv6 users as well, and there is
information leakage up and down the stack.

Your reasoning is obviously flawed.

Having a temporary dynamic IP address assigned will not prevent any
negligent or privacy-ignorant protocols and apps higher up the stack to
reveal identifying information about you.

My point is that it is unhelpful to ignore the principles underpinning IPv6 
architecture in order to fail to achieve your privacy goal.

But _without_ a temporary dynamic IP address, each and every one of your
network communications will be 100% identifiable as you for everybody
that can observe your IP datagrams floating by, even when you're using
IPsec.

Yes, when your outbound sessions hit the internet, devices on the path can see 
where you come from.

In my world, these people can see what they can already learn from watching my 
IKEv1 aggressive mode identity (if not using certs) or WWW cookies, or TCP 
stack behaviour and use profile.

In your world you gave up peer-to-peer IPsec, SIP, etc. initiated from either 
end to gain a false feeling of privacy.


I fail to understand what you mean by "randomized IIDs".
What you need is a temporary network address randomized by your ISP so
that your address blends within the entire customer base of that ISP.

Please read RFC 4941 "Privacy Extensions for Stateless Address 
Autoconfiguration".


Putting NATs on the path just causes the device inside the network to
be unaware of its presented addresses, which means that it will impede
peer-to-peer communications, as it cannot even describe its available
services without external information services.

Asking your border router for the temporary external IP-Address is
trivial compared to performing a secure DNS lookup.

I have no interest in comparing apples to oranges.
I have implemented ICE and I can say it is non-trivial.

Sincerely

Greg Daley 

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
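The thread turns on what "randomized IIDs" (RFC 4941 temporary addresses) actually change compared with a NAT: the interface identifier stops encoding the hardware address, while the ISP-assigned prefix is still visible. The following is an added example, not code from the thread or from any Linux/Netfilter component; it builds a modified EUI-64 IID from a constructed MAC to show what a stable IID leaks, generates an RFC 4941-style random IID (u/l bit cleared, RFC 5453 reserved ranges avoided), and includes a check a network defender can run over address logs to flag MAC-derived IIDs. The prefix 2001:db8:1:2::/64 and the MAC 00:1a:2b:3c:4d:5e are constructed sample values.

```python
import ipaddress
import secrets

# Reserved IIDs (RFC 5453) as inclusive integer ranges over the 64-bit IID.
_RESERVED = [
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005EFFFE000000, 0x02005EFFFE005212),  # Ethernet block
    (0x02005EFFFE005213, 0x02005EFFFE005213),  # Proxy Mobile IPv6
    (0x02005EFFFE005214, 0x02005EFFFEFFFFFF),  # reserved IPv6 IIDs
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # subnet anycast addresses
]


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID (RFC 4291 App. A): insert ff:fe, flip the u/l bit.
    The OUI and device serial survive verbatim, which is the privacy leak."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def is_reserved_iid(iid: bytes) -> bool:
    value = int.from_bytes(iid, "big")
    return any(lo <= value <= hi for lo, hi in _RESERVED)


def temporary_iid() -> bytes:
    """RFC 4941-style random IID: 64 random bits with the u/l bit cleared
    (marking it as not globally unique) and reserved values skipped."""
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD  # clear the u/l bit (bit 6 of the first octet)
        if not is_reserved_iid(bytes(iid)):
            return bytes(iid)


def address_from_iid(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit IID into a full address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def looks_like_eui64(iid: bytes) -> bool:
    """Heuristic for log review: ff:fe in the middle plus the u/l bit set
    is the signature of a hardware-derived (non-temporary) IID."""
    return iid[3:5] == b"\xff\xfe" and bool(iid[0] & 0x02)


def mac_from_eui64(iid: bytes) -> str:
    """Recover the MAC from a modified EUI-64 IID (inventory reconciliation)."""
    if not looks_like_eui64(iid):
        raise ValueError("not a modified EUI-64 IID")
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in raw)


def iid_of(addr: str) -> bytes:
    """Low 64 bits of an address, for feeding logged addresses into the checks."""
    return int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]


if __name__ == "__main__":
    prefix, mac = "2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"  # constructed
    stable = address_from_iid(prefix, eui64_iid(mac))
    temp = address_from_iid(prefix, temporary_iid())
    print("stable (leaks MAC):", stable, "->", mac_from_eui64(iid_of(str(stable))))
    print("temporary:", temp, "eui64?", looks_like_eui64(iid_of(str(temp))))
```

Both addresses share the prefix, which is the point made in the thread: a temporary IID hides which host behind the prefix is talking, not which customer prefix the traffic comes from.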