RE: Netfilter (Linux) Does IPv6 NAT

Hi Martin, 

> -----Original Message-----
> From: Martin Rex [mailto:mrex@xxxxxxx]
> Sent: Tuesday, 6 December 2011 1:30 PM
> To: Greg Daley
> Cc: mrex@xxxxxxx; mail-dated-1325290081.a3a4e0@sabahattin-
> gucukoglu.com; ietf@xxxxxxxx
> Subject: Re: Netfilter (Linux) Does IPv6 NAT
> 
> Greg Daley wrote:
> >
> > The assumption that information is present only within the IP address
> > is erroneous.
> > This has been studied for mobile IPv6 users as well, and there is
> > information leakage up and down the stack.
> 
> Your reasoning is obviously flawed.
> 
> Having a temporary dynamic IP address assigned will not prevent any
> negligent or privacy-ignorant protocols and apps higher up the stack to
> reveal identifying information about you.

My point is that it is unhelpful to ignore the principles underpinning IPv6 architecture in order to fail to achieve your privacy goal.

> But _without_ a temporary dynamic IP address, each and every one of your
> network communications will be 100% identifiable as you for everybody
> that can observe your IP datagrams floating by, even when you're using
> IPSEC.

Yes, when your outbound sessions hit the internet, devices on the path can see where you come from.

In my world, these people can see what they can already learn from watching my IKEv1 aggressive mode identity (if not using certs) or WWW cookies, or TCP stack behaviour and use profile.

In your world you gave up peer-to-peer IPSec, SIP, etc., initiated from either end to gain a false feeling of privacy.


> I fail to understand what you mean by "randomized IIDs".
> What you need is a temporary network address randomized by your ISP so
> that your address blends within the entire customer base of that ISP.

Please read RFC 4941 "Privacy Extensions for Stateless Address Autoconfiguration".

> >
> > Putting NATs on the path just causes the device inside the network to
> > be unaware of its presented addresses, which means that it will impede
> > peer-to-peer communications, as it cannot even describe its available
> > services without external information services.
> 
> Asking your border router for the temporary external IP-Address is
> trivial compared to performing a secure DNS lookup.

I have no interest in comparing apples to oranges.
I have implemented ICE and I can say it is non-trivial.

Sincerely

Greg Daley 

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
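The thread points at RFC 4941 without showing what a "randomized IID" actually is, so here is an added example (not part of the thread, and not code from either correspondent) of the temporary interface identifier derivation in RFC 4941 section 3.2.1: MD5 over a stored history value concatenated with the interface's EUI-64 identifier, the left 64 bits of the digest becoming the temporary IID with its u/l bit cleared, the right 64 bits becoming the next history value. The MAC address 00:11:22:33:44:55 and the documentation prefix 2001:db8::/64 are constructed inputs, and the reserved-identifier check is simplified to the subnet-router anycast IID.

```python
import hashlib
import ipaddress
from typing import FrozenSet, Tuple

# Simplified reserved set: the subnet-router anycast IID (all zeros) from RFC 4291.
# RFC 4941 step 5 compares against the full reserved list; this is an assumption/subset.
RESERVED_IIDS = frozenset({0})


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 per RFC 4291 Appendix A: insert FF:FE and flip the u/l bit."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]


def next_temporary_iid(history: bytes, iid: bytes,
                       in_use: FrozenSet[bytes] = frozenset()) -> Tuple[bytes, bytes]:
    """RFC 4941 3.2.1: return (temporary_iid, new_history).

    The temporary IID is not derived from the prefix, so it is the same random
    identifier regardless of which network the host attaches to; only the
    history value chains one generation to the next.
    """
    if len(history) != 8 or len(iid) != 8:
        raise ValueError("history and interface identifier must be 64-bit values")
    for _ in range(16):  # bounded retry on collision with reserved/in-use IIDs
        digest = hashlib.md5(history + iid).digest()
        temp = bytearray(digest[:8])
        temp[0] &= 0xFD            # clear bit 6 (the u/l bit): "locally administered"
        history = digest[8:]       # right 64 bits become the next history value
        candidate = bytes(temp)
        if int.from_bytes(candidate, "big") not in RESERVED_IIDS and candidate not in in_use:
            return candidate, history
    raise RuntimeError("no usable temporary IID found after 16 attempts")


def temporary_address(prefix: str, temp_iid: bytes) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with a temporary IID into a full address."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(temp_iid, "big"))


if __name__ == "__main__":
    iid = eui64_from_mac(bytes.fromhex("001122334455"))   # constructed MAC
    history = bytes(8)                                     # first boot: no stored history
    for generation in range(3):
        temp, history = next_temporary_iid(history, iid)
        print(generation, temporary_address("2001:db8::/64", temp))
```

Each call yields a different address for the same host, which is the property the thread is arguing about: the interface identifier no longer carries the stable hardware-derived value that a NAT-free address would otherwise expose.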

