Post on 01-Jan-2016
IPv6 and Privacy
Alper Yegin
DoCoMo USA Labs
2
Privacy
• Right to privacy: Right of an individual to decide for himself/herself when and on what terms his or her attributes should be revealed.
• You don’t have to be a criminal to care about privacy.
• Companies and organizations are willing to pay $$$ to invade “your privacy”
• Privacy aspects of a new technology
– Must not degrade privacy
– Enhancing privacy is highly desirable
3
Types of Privacy
• Privacy is jeopardized when the correlation between user identity, location, data content, etc. is revealed
• Identity privacy
• Data privacy
• Location privacy
– www.isoc.org/briefings/015/index.shtml
4
Identity Privacy
• Broken if user cannot perform anonymous IP communication
• Hide identity from
– The access network (e.g., access point/router)
– On-link (neighbor) hosts
– Intermediaries (e.g., web proxy, ALGs, ISP)
– Correspondents (e.g., web servers)
5
IPv6 and Identity Privacy
• Stateless address auto-configuration (RFC2462) and address architecture (RFC3513) caused privacy issues
IPv6 prefix = 3ffe:501:8:0/64
MAC address = 00:60:1d:23:4e:fa
IPv6 address = 3ffe:501:8:0:0260:1dff:fe23:4efa
6
Autoconfiguration
• Embedded HW address in IPv6 address
• Peer can tie IP traffic to a (known) user
• Similar to Pentium serial number issue
• Profiling is even easier than using cookies
• Serious issue, but simple solution
– http://playground.sun.com/pub/ipng/html/specs/ipv6-address-privacy.html
7
Privacy Extensions
• Privacy extensions for stateless address auto-configuration in IPv6 (RFC3041)
– Use a random suffix
• Observable privacy
– http://www.it.kth.se/~aep/ (Alberto Escudero-Pascual)
• HW addresses are still observable on the link
– Vulnerable to on-link hosts
– Not an “IP” problem!
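Added example, not part of the original slides: the address derivation from the "IPv6 and Identity Privacy" slide, the reverse step a correspondent can perform to read the MAC back out, and a random suffix as on the "Privacy Extensions" slide. Function names are illustrative, the slide's prefix is written in standard notation (3ffe:501:8::/64), the second prefix is constructed, and temporary_iid is a simplified stand-in for the RFC 3041 generator.

```python
import ipaddress
import secrets
from typing import Optional

IID_MASK = (1 << 64) - 1
U_BIT = 0x02 << 56  # universal/local bit of the interface identifier


def eui64_iid(mac: str) -> int:
    """Interface identifier built from a 48-bit MAC (modified EUI-64)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the two halves, then invert the universal/local bit.
    return int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big") ^ U_BIT


def temporary_iid() -> int:
    """Random identifier with the universal bit cleared (simplified stand-in
    for the RFC 3041 generator, which also keeps a history value)."""
    return secrets.randbits(64) & ~U_BIT


def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str) -> Optional[str]:
    """MAC address a correspondent can read back out of addr, or None."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":  # no EUI-64 marker: nothing to recover
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    mac = "00:60:1d:23:4e:fa"                  # MAC from the slide
    for prefix in ("3ffe:501:8::/64",          # slide prefix
                   "2001:db8:beef::/64"):      # constructed second network
        fixed = make_address(prefix, eui64_iid(mac))
        temp = make_address(prefix, temporary_iid())
        print(prefix, fixed, "->", embedded_mac(str(fixed)))
        print(prefix, temp, "->", embedded_mac(str(temp)))
```

The autoconfigured address yields the same MAC on both networks, which is what lets a peer correlate the host across locations. A random suffix matches the ff:fe marker only by chance (about 1 in 65536), so embedded_mac normally returns None for it.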
8
IPv6 and Data Privacy
• End-to-end IPsec is “the” solution
– Not last-hop link-layer ciphering
– Not VPNs, TLS, HTTPS
• IPv6 enables end-to-end IPsec
[Figure labels: Internet, “you”, your peer, NAP, ISP, IX, ISP, neighbor]
9
Secure Channels
• Zeroknowledge, Anonymizer.com
– Limited applicability
• Use IPsec tunnels
[Figure labels: Internet, “you”, ISP, IX, ISP, neighbor, web server, IPsec gateway]
10
IPv6 and Location Privacy
• Mobile IPv6 and route optimization
[Figure labels: Internet, web server, home agent, access router (x3), “you”, HAddr->CoA (x2), CoA, HAddr]
11
IP Address to Location
12
Graphical Traceroute
13
Approaches
• (Selectively) disable route optimization
• Integration of Geopriv extensions to Mobile IPv6
• Mobile IPv6 for location privacy
– Home agent is a redirection server
• Another issue: Movement privacy
14
Fine Tuning
• Compromise between location privacy and route optimization: HMIPv6
• Same level of privacy as NATs, without breaking Internet architecture
[Figure labels: Internet, web server, home agent, MAP, access router (x3), “you”, HAddr->RCoA (x2), LCoA, HAddr, RCoA, RCoA->LCoA]
15
Privacy-aware Applications
• Logic to select source IP addresses
– Default Address Selection for Internet Protocol version 6 (RFC 3484)
– “public addresses preferred over temporary (RFC 3041) addresses”
• Application control
– IPv6 Socket API for Address Selection (draft-chakrabarti-ipv6-addrselect-api-02)
16
IPv6 Addresses
• Fixed IP address is a handle to correlate various data streams
– Traffic analysis
• One IP address per application can prevent this
– Take advantage of abundance of IPv6 addresses
17
Summary
• “Privacy” is a big deal
• IP communication comes with its own privacy considerations
• None of the IPv6 features degrade privacy
• IPsec and address management related features of IPv6 enhance privacy