ietf

The P in NAPT != Privacy was Re: Time to move beyond the 32 bit Internet.

2014-06-25 00:55:50
hi Martin, all,

On 25 Jun 2014, at 01:55, Martin Rex <mrex(_at_)sap(_dot_)com> wrote:

> Why would any private individual want to get an IPv6 address?
> With DHCP IPv4 + NAT (on your Home router) and even more so with CGN,
> you may have at least a vague chance that your ID doesn't stick out
> of every IP datagram like a sore thumb.  With IPv6, you're stripped
> naked for traffic analysis by every governmental agency worldwide, no matter
> how strong you encrypt your traffic.

There is an incredibly dubious assumption hidden in this statement that it's 
hard to map NATted addresses to user and session identifiers. Not only is it 
not particularly hard, it's actually _required_ in certain jurisdictions for 
ISPs to keep this mapping information to respond to LE requests. 

Even if you're _not_ the ISP or (quasi-)legally empowered to compel it to give 
you this information, there's enough information radiated by application layer 
protocols that you can tease session identifiers back out of traces even 
without payload and with addressing information *purposefully* destroyed, as 
opposed to merely tweaked for operational expediency. See e.g. Coull et al., 
"Playing Devil's Advocate: Inferring Sensitive Information from Anonymized 
Network Traces", NDSS 2007; Wright et al., "On Inferring Application Protocol 
Behaviors in Encrypted Network Traffic", Journal of Machine Learning Research 
2006; and the citation trees rooted at those two papers.

Network address translation is simply an expedient technique to tease a few 
more bits out of the address space by hiding those bits in transient state kept 
along the path. The assumption that it is somehow hard to store or reconstruct 
that transient state is simply incorrect. 

As a method for protecting privacy, NAT is privacy theater, full stop.

> The end-2-end principle is equivalent to a fairly complete loss of privacy.
> Really, I'm glad that I can use IPv4 and get a new IPv4 address assigned
> several times a day.

I'm pretty sure I read somewhere that we're out of "new" IPv4 addresses. :) So 
those addresses aren't new, they're reused. So the important metric here isn't 
the frequency of change, but (1) the size of the set of addresses and (2) the 
predictability of that set. Unless you're changing your ISP several times a 
day, NAT serves only to "hide" you in a pool of a very small number of bits of 
address entropy.

Regards,

Brian
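
Added example, not part of the message above: a sketch of the two points it argues, that translation state kept by the operator resolves an externally observed flow back to one subscriber, and that an address pool contributes only a few bits of uncertainty. The binding-log layout, the port-block allocation scheme, the subscriber labels and the addresses (documentation range 198.51.100.0/24) are all constructed assumptions.

```python
import math
from datetime import datetime
from ipaddress import ip_address

# Constructed CGN binding log (hypothetical schema):
# (lease start, lease end, public IP, first port, last port, subscriber)
BINDINGS = [
    ("2014-06-24T08:00:00", "2014-06-24T12:00:00", "198.51.100.7", 1024, 2047, "sub-A"),
    ("2014-06-24T08:00:00", "2014-06-24T12:00:00", "198.51.100.7", 2048, 3071, "sub-B"),
    ("2014-06-24T12:00:00", "2014-06-24T16:00:00", "198.51.100.7", 1024, 2047, "sub-C"),
    ("2014-06-24T12:00:00", "2014-06-24T16:00:00", "198.51.100.9", 1024, 2047, "sub-A"),
]


def resolve(public_ip, src_port, when):
    """Return the subscribers whose binding covers (public IP, source port, time)."""
    ip = ip_address(public_ip)
    t = datetime.fromisoformat(when)
    hits = []
    for start, end, b_ip, lo, hi, subscriber in BINDINGS:
        in_window = datetime.fromisoformat(start) <= t < datetime.fromisoformat(end)
        if ip_address(b_ip) == ip and lo <= src_port <= hi and in_window:
            hits.append(subscriber)
    return hits


def addresses_seen(subscriber):
    """Public addresses one subscriber appeared behind; the address changes, the mapping persists."""
    return sorted({b[2] for b in BINDINGS if b[5] == subscriber})


def pool_entropy_bits(pool_size):
    """Bits of uncertainty for an observer who knows only the pool, assuming uniform assignment."""
    return math.log2(pool_size)


if __name__ == "__main__":
    # Same public IP and port, different times: two different subscribers, both resolvable.
    print(resolve("198.51.100.7", 1500, "2014-06-24T09:30:00"))
    print(resolve("198.51.100.7", 1500, "2014-06-24T13:00:00"))
    print(addresses_seen("sub-A"))
    # A /24 pool gives an observer without the log at most 8 bits to guess.
    print(pool_entropy_bits(256))
```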
