
Re: Netfilter (Linux) Does IPv6 NAT

2011-12-07 19:48:06
Sabahattin Gucukoglu wrote:

1.  If you just want to camouflage internal clients,
do it with privacy addresses or a socks proxy and clients.

I don't see any purpose in camouflaging internal clients from
internal peers.  And my ISP would probably and rightfully refuse
to route my IP datagrams if he could not recognize me as a peer
and paying customer.  But there is regularly no need for anybody else
besides my ISP to distinguish my IP datagrams from those of other
customers of this ISP.

The typical residential/home internet access is like a
one-family home, and this is even an explicit part of many ISPs'
home DSL subscriber contracts.

In real life, all members of a household typically have a key to the outer
door, and that outer door is usually closed or locked most of the time,
while most doors within the house are not locked most of the time.

It is very desirable to have as much privacy as achievable
from the rest of the world at the network layer, because it
is the ultimate prerequisite for applications and users to control
and limit disclosure of one's identity to network peers.

When a sufficient part of the network address that your peers
on the internet see when you talk to them is sufficiently unique
and constant over time, then privacy is *completely* impossible.
A network address with a prefix that uniquely identifies individual
subscribers over a prolonged time amounts to a pseudonym.
RFIDs with unique IDs and biometrics have very similar problems.


Since there _are_ going to be situations when your identity is visible
along with the IP address that was used to convey your identity,
this information will spread within a matter of at most days.
SMTP servers regularly write the sender's IP address into
RFC (2)822 Received: headers of emails they forward and distribute
to all recipients.  In the case of email lists, this information may end
up in public email archives and, as a result, be easily accessible through
Internet search engines for everyone.


A logical step for muggers would be to profile prospective victims
with a smart phone by covertly taking a photo, trying Facebook's face recognition,
using people finders, and then Google Street View in order to assess the amount
of money someone might be capable and willing to spend on _not_
getting harmed when being assaulted.


Profiling people is fairly easy when there are no privacy protection laws,
as in the US, and more and more common for businesses on employees and
customers.  Crooks might appreciate a level playing field.  I don't!

The problem with biometrics, when they're abused, is that they're
regularly difficult to change (face recognition, retina scan,
fingerprint).

Over here, in old Europe, we believe that privacy is a basic human
right and that implies that each person must have ultimate control
over all collection, use and distribution of PII.  Which means
an explicit opt-in prerequisite, that is voluntary and revocable anytime,
precise and clearly limited about collectors, data items, purposes & use cases
for all PII about oneself -- backed by laws to enforce data privacy and
punish violators.


2.  If you want to hide, do it with proper means, i.e., tor.

Tor is of limited usefulness, at least for me.  I can not think of a
single reasonable use case for myself (I do not have any stuff for
upload to any *leaks places).



You needn't suppose that the one agent who has the most insight into
your network traffic, that being your ISP, is trustworthy.


My neighbours are the ones who know best at what time I go on vacation,
and I even leave the key to my house with one of them while I'm away.

You are implying that this particular neighbour should be my real and only
concern and everybody & everything else should be irrelevant in comparison.

Fortunately, the real world where I live is quite different from yours.

I'm not afraid of my neighbor and neither of my ISP.

It would be a felony with serious consequences for my ISP to listen in on
the communication of its customers (even when it is cleartext).
While keeping the shutters on one's windows firmly locked 24/7 might be
"safer", I believe the benefits of opening the shutters during the day
outweigh the risks... at least where I live.



Especially true given that it's the one agent with the highest
likelihood of actually succeeding in the intercept of your Internet
traffic.

I'm much more worried about other threat scenarios.

By your logic, it would be a bad idea for banks and shop owners to
let bank clerks and armoured car personnel touch any of their cash money,
because those would be the folks with the highest likelihood of
succeeding in stealing it.  I believe this amounts to flawed logic.
One will need to deal with that kind of risk in a different fashion.



Or that it often has controls over its routers which allow
monitoring beyond rightful boundaries.  Best intentions aside.

So what?  Google probably stores and analyzes more about Google searches
and more about @gmail.com email contents than all of the ISPs in Europe
combined.  And Facebook is at least a magnitude worse about the data that
they get their hands on.

Fortunately, I live in a jurisdiction and country where constitution,
laws and justice will protect and enforce civil liberties, human rights
and privacy against all perpetrators alike: private, law enforcement,
governmental and legislators.  The last time our national legislator
enacted a law to have ISPs collect data for law enforcement
without probable cause, although limited to connection data and excluding
communication content, that law was quickly provisionally neutered and
later nixed by our constitutional court.

The technical part about peer authentication and data confidentiality,
for sensitive communication content while traversing the ISP's network,
can be mitigated with protocols & software like TLS/HTTPS and SSH.



3.  If you've got to have dynamic external IP addresses
(note, not address; for that, see 1 above), we'll have to find
a way to renumber your network so applications running on your hosts
know what their new addresses are while keeping your preferred
topological configuration, every time your PD lease is due *.


That sounds like a weird design.  Whatever the solution will be,
it will have to be without renumbering.  Hosts must not care
about the temporary dynamic external IPv6 address at all.
Only a very small number (if any) of applications might need
to know, and those will have to ask the home gateway for it
exactly when they need it.


The home gateway might need a NAT66, and for the remaining lifetime
of IPv4 a NAT44 in combination with an IPv4<->IPv6 protocol translation
(maybe something like RFC 6052).


The use of separate routing tables for IPv4 and IPv6 looks more like
part of the problem to me rather than part of any solution.

-Martin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
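As an added example (not from Martin's message or anything else in the thread), a small Python model of the prefix-rewriting home gateway the reply argues for: hosts keep a stable internal ULA address, the gateway swaps in whatever prefix the current PD lease delegated, and when the lease changes only the gateway mapping changes. It also illustrates the privacy point made earlier in the message, that two external addresses sharing a long-lived prefix are linkable to the same subscriber however the interface identifier varies. All prefixes and addresses are constructed for illustration, and the translation is a plain prefix swap that ignores the checksum-neutral mapping a real NPTv6 translator performs.

```python
import ipaddress

def swap_prefix(addr: str, old_prefix: str, new_prefix: str) -> str:
    """Replace the network part of addr that lies in old_prefix with new_prefix,
    keeping the remaining subnet/host bits untouched.  A plain prefix swap,
    not a checksum-neutral NPTv6 mapping (assumption for illustration)."""
    a = ipaddress.IPv6Address(addr)
    old = ipaddress.IPv6Network(old_prefix)
    new = ipaddress.IPv6Network(new_prefix)
    if old.prefixlen != new.prefixlen:
        raise ValueError("internal and external prefixes must be the same length")
    if a not in old:
        raise ValueError(f"{addr} is not inside {old_prefix}")
    host_bits = int(a) & ((1 << (128 - old.prefixlen)) - 1)
    return str(ipaddress.IPv6Address(int(new.network_address) | host_bits))

class HomeGateway:
    """Holds the stable internal prefix and the currently delegated external prefix."""
    def __init__(self, internal_prefix: str, delegated_prefix: str):
        self.internal = internal_prefix
        self.external = delegated_prefix

    def renumber(self, new_delegated_prefix: str) -> None:
        # Only the gateway mapping changes on a new PD lease; hosts keep their addresses.
        self.external = new_delegated_prefix

    def outbound(self, internal_src: str) -> str:
        return swap_prefix(internal_src, self.internal, self.external)

    def inbound(self, external_dst: str) -> str:
        return swap_prefix(external_dst, self.external, self.internal)

def linkable_by_prefix(addr_a: str, addr_b: str, prefixlen: int = 64) -> bool:
    """True if both addresses fall in the same /prefixlen: a constant, subscriber-unique
    prefix ties them to one household no matter how the interface identifier changes."""
    net_a = ipaddress.IPv6Network((addr_a, prefixlen), strict=False)
    return ipaddress.IPv6Address(addr_b) in net_a

# Constructed scenario: a ULA inside the home, documentation prefixes as the two PD leases.
HOST = "fd12:3456:789a:1::10"
gw = HomeGateway("fd12:3456:789a::/48", "2001:db8:aaaa::/48")
seen_lease1 = gw.outbound(HOST)          # 2001:db8:aaaa:1::10
gw.renumber("2001:db8:bbbb::/48")        # PD lease renewed with a different prefix
seen_lease2 = gw.outbound(HOST)          # 2001:db8:bbbb:1::10
assert gw.inbound(seen_lease2) == HOST   # reply traffic still reaches the unchanged host

if __name__ == "__main__":
    print(seen_lease1, seen_lease2, linkable_by_prefix(seen_lease1, seen_lease2))
```

With a changing delegated prefix the two external addresses fall in different /64s and are not linkable by prefix, whereas two addresses under one constant prefix are, even with privacy-extension interface identifiers.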