FWIW, in Flanders (Northern region of Belgium) the two largest ISPs
(Telenet and Belgacom) have been enabling IPv6 for their customers for
the last year or so. Unfortunately, this only includes residential
customers that got the latest CPE model (tough luck if you're stuck
with an older model). In the case of Telenet (monopoly ISP on HFC
network) every customer gets a /56 subnet.
This is just to say that (some) ISPs are actually rolling out IPv6. I
would imagine the situation to be similar in other regions of the world.
Floris
On wo 25 jun 2014 07:55:22 CEST, Brian Trammell wrote:
hi Martin, all,
On 25 Jun 2014, at 01:55, Martin Rex <mrex(_at_)sap(_dot_)com> wrote:
Why would any private individual want to get an IPv6 address?
With DHCP IPv4 + NAT (on your Home router) and even more so with CGN,
you may have at least a vague chance that your ID doesn't stick out
of every IP datagram like a sore thumb. With IPv6, you're stripped
naked for traffic analysis by every governmental agency worldwide, no
matter how strong you encrypt your traffic.
There is an incredibly dubious assumption hidden in this statement
that it's hard to map NATted addresses to user and session
identifiers. Not only is it not particularly hard, it's actually
_required_ in certain jurisdictions for ISPs to keep this mapping
information to respond to LE requests.
Even if you're _not_ the ISP or (quasi-)legally empowered to compel it
to give you this information, there's enough information radiated by
application layer protocols that you can tease session identifiers
back out of traces even without payload and with addressing
information *purposefully* destroyed, as opposed to merely tweaked for
operational expediency. See e.g. Coull et al "Playing Devil's
Advocate: Inferring Sensitive Information from Anonymized Network
Traces" NDSS 2007; Wright et al "On Inferring Application Protocol
Behaviors in Encrypted Network Traffic" Journal of Machine Learning
Research 2006; and the citation trees rooted at those two papers.
Network address translation is simply an expedient technique to tease
a few more bits out of the address space by hiding those bits in
transient state kept along the path. The assumption that it is somehow
hard to store or reconstruct that transient state is simply incorrect.
As a method for protecting privacy, NAT is privacy theater, full stop.
The end-2-end principle is equivalent to a fairly complete loss of
privacy.
Really, I'm glad that I can use IPv4 and get a new IPv4 address assigned
several times a day.
I'm pretty sure I read somewhere that we're out of "new" IPv4
addresses. :) So those addresses aren't new, they're reused. So the
important metric here isn't the frequency of change, but (1) the size
of the set of addresses and (2) the predictability of that set. Unless
you're changing your ISP several times a day, NAT serves only to
"hide" you in a pool of a very small number of bits of address entropy.
Regards,
Brian
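Brian's two points above (a CGN mapping is trivially reversible from the ISP's own translation log, and a shared pool only "hides" a user in log2(pool size) bits) as an added worked example; this is illustrative code written for this thread, not from any of the posters, and the log format, subscriber ids and addresses are constructed.

```python
import math
from datetime import datetime
from ipaddress import ip_network

# Constructed sample of a carrier-grade NAT translation log (not real data).
# Fields: timestamp subscriber_id inside_addr inside_port outside_addr outside_port
CGN_LOG = """\
2014-06-25T07:50:01Z sub-1041 100.64.3.17 51234 203.0.113.10 40001
2014-06-25T07:50:09Z sub-2077 100.64.9.2 44021 203.0.113.10 40002
2014-06-25T07:51:30Z sub-1041 100.64.3.17 51235 203.0.113.11 40003
"""

def _parse_ts(s):
    # ISO-8601 with a trailing Z; rewritten to an explicit offset for fromisoformat().
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_cgn_log(text):
    """Turn the log into translation records; each maps a public (addr, port)
    tuple, valid from `ts`, back to the subscriber behind the NAT."""
    records = []
    for line in text.splitlines():
        ts, sub, in_addr, in_port, out_addr, out_port = line.split()
        records.append({
            "ts": _parse_ts(ts),
            "subscriber": sub,
            "inside": (in_addr, int(in_port)),
            "outside": (out_addr, int(out_port)),
        })
    return records

def resolve_subscriber(records, outside_addr, outside_port, seen_at):
    """Resolve a public (addr, port) observed at ISO time `seen_at` to the
    subscriber id: the most recent translation of that tuple created at or
    before the observation. This is the lookup the retained log exists for."""
    when = _parse_ts(seen_at)
    hits = [r for r in records
            if r["outside"] == (outside_addr, outside_port) and r["ts"] <= when]
    if not hits:
        return None
    return max(hits, key=lambda r: r["ts"])["subscriber"]

def pool_entropy_bits(pool_cidr):
    """Upper bound on the 'hiding' a shared address pool provides: log2 of the
    number of public addresses a user could appear from. Churning between
    addresses of the same pool adds nothing to this figure."""
    return math.log2(ip_network(pool_cidr).num_addresses)
```

A /24 CGN pool yields at most 8 bits, and a per-customer /56 yields 0 once the prefix is associated with the customer.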