Hi Shivan,
I'll also note that routing protocol nodes are often border routers that have privacy properties more similar to a web server than to a web client. In other words, the location of a server can be public information without it being a privacy concern, whereas the location of a client can be privacy-sensitive. A good solution here would be to add a note that clarifies this and warns against deploying Babel RTT unencrypted on devices whose network location is privacy-sensitive.
David
On Tue, Oct 10, 2023 at 9:57 AM Shivan Kaul Sahib <shivankaulsahib@xxxxxxxxx> wrote:
Hi Juliusz,
On Tue, 10 Oct 2023 at 03:04, Juliusz Chroboczek <jch@xxxxxxx> wrote:
Thanks, Shivan.
> From reading the Security Considerations of RFC 8966 (last para), it
> seems that geolocation privacy was a concern with the original Babel
> spec. Allowing extremely-fine-grained (1 microsecond) RTT measurements
> makes that infinitely worse, especially for users on mobile or behind
> VPNs, who typically have special privacy needs.
I agree. I'll add some wording to that effect to the Security Considerations.
> The IETF has thought a lot about privacy concerns with RTT measurement and how
> to balance them with operational needs,
I'll be grateful for a reference.
https://datatracker.ietf.org/doc/html/rfc9312#section-3.8.2 talks about how QUIC makes RTT measurement via spin bit optional, and to avoid outing those devices, "all endpoints randomly disable "spinning" for at least one eighth of connections, even if otherwise enabled by default".
Thanks again,
-- Juliusz
babel mailing list
babel@xxxxxxxx
https://www.ietf.org/mailman/listinfo/babel
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call