Re: [Last-Call] Secdir last call review of draft-ietf-babel-rtt-extension-04

Hi Juliusz, 



On Tue, 10 Oct 2023 at 03:04, Juliusz Chroboczek <jch@xxxxxxx> wrote:
Thanks, Shivan.

> From reading the Security Considerations of RFC 8966 (last para), it
> seems that geolocation privacy was a concern with the original Babel
> spec. Allowing extremely-fine-grained (1 microsecond) RTT measurements
> makes that infinitely worse, especially for users on mobile or behind
> VPNs, who typically have special privacy needs.

I agree.  I'll add some wording to that effect to the Security Considerations.

> The IETF has thought a lot about privacy concerns with RTT measurement and how
> to balance them with operational needs,

I'll be grateful for a reference.

https://datatracker.ietf.org/doc/html/rfc9312#section-3.8.2 talks about how QUIC makes RTT measurement via spin bit optional, and to avoid outing those devices, "all endpoints randomly disable "spinning" for at least one eighth of connections, even if otherwise enabled by default".

Thanks again,

-- Juliusz
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
