Sabahattin Gucukoglu wrote:
>
> 1. If you just want to camouflage internal clients,
> do it with privacy addresses or a socks proxy and clients.

I don't see a purpose to camouflage internal clients from internal peers. And my ISP would probably and rightfully refuse to route my IP datagrams if he could not recognize me as a peer and paying customer. But there is regularly no need that anybody else besides my ISP can distinguish my IP datagrams from those of other customers of this ISP.

The typical residential/home internet access is like a 1-family home, and this is even an explicit part of many ISPs' home DSL subscriber contracts. In real life, all members of a household typically have a key to the outer door, and that outer door is usually closed or locked most of the time, while most doors within the house are not locked most of the time.

It is very desirable to have as much privacy as achievable from the rest of the world at the network layer, because it is the ultimate prerequisite for application and user to control and limit disclosure of one's identity to network peers.

When a sufficient part of the network address that your peers on the internet see when you talk to them is sufficiently unique and constant over time, then privacy is *completely* impossible. A network address with a prefix that uniquely identifies individual subscribers over a prolonged time amounts to a pseudonym. RFIDs with unique IDs and biometrics have very similar problems.

Since there _are_ going to be situations when your identity is visible along with the IP address that was used to convey your identity, this information will spread within a matter of at most days. SMTP-Servers regularly write the sender's IP-Address into rfc(2)822 Received:-headers of EMails they forward and distribute to all recipients. In case of EMail lists, this information may end up in public Email archives and be easily accessible through Internet search engines for everyone as a result.

A logical step for muggers would be to profile prospective victims with a smart phone by covertly taking a photo, trying Facebook's face recognition, using peoplefinders, and then google streetview in order to assess the amount of money someone might be capable and willing to spend on _not_ getting harmed when being assaulted. Profiling people is fairly easy when there are no privacy protection laws, as in the US, and more and more common for businesses on employees and customers. Crooks might appreciate a level playing field. I don't!

The problem with biometrics, when they're abused, is that they're regularly difficult to change (face recognition, retina scan, fingerprint).

Over here, in old Europe, we believe that privacy is a basic human right and that implies that each person must have ultimate control over all collection, use and distribution of PII. Which means an explicit opt-in prerequisite, that is voluntary and revocable anytime, precise and clearly limited about collectors, data items, purposes & use cases for all PII about oneself -- backed by laws to enforce data privacy and punish violators.

>
> 2. If you want to hide, do it with proper means, i.e., tor.

Tor is of limited usefulness, at least for me. I can not think of a single reasonable use case for myself (I do not have any stuff for upload to any *leaks places).

>
> You needn't suppose that the one agent who has the most insight into
> your network traffic, that being your ISP, is trustworthy.

My neighbours are the ones who know best at what time I go on vacation, and I even leave the key to my house with one of them while I'm away. You are implying that particular neighbour should be my real and only concern and everybody & everything else should be irrelevant in comparison.

Fortunately, the real world where I live is quite different from yours. I'm not afraid of my neighbor and neither of my ISP. It would be a felony with serious consequences for my ISP to listen into communication of its customers (even when it is cleartext). While keeping the shutters on one's windows firmly locked 24/7 might be "safer", I believe the benefits of opening the shutters during the day outweigh the risks... at least where I live.

>
> Especially true given that it's the one agent with the highest
> likelihood of actually succeeding in the intercept of your Internet
> traffic.

I'm much more worried about other threat scenarios.

By your logic, it would be a bad idea for banks and shop owners to let bank clerks and armoured car personnel touch any of their cash money, because those would be the folks with the highest likelihood in succeeding to steal it. I believe this amounts to flawed logic. One will need to deal with that kind of risk in a different fashion.

>
> Or that it often has controls over its routers which allow
> monitoring beyond rightful boundaries. Best intentions aside.

So what? Google probably stores and analyzes more about google searches and more about @gmail.com EMail contents than all of the ISPs in Europe combined. And Facebook is at least a magnitude worse about the data that they get their hands on.

Fortunately, I live in a jurisdiction and country where constitution, laws and justice will protect and enforce civil liberties, human rights and privacy against all perpetrators alike: private, law enforcement, governmental and legislators. The last time when our national legislator enacted a law to have ISPs collect data for law enforcement without probable cause, although limited to connection data and excluding communication content, that law was quickly provisionally neutered and later nixed by our constitutional court.

The technical part about peer authentication and data confidentiality, for sensible communication content while traversing the ISP's network, can be mitigated with protocols & software like TLS/HTTPS and SSH.

>
> 3. If you've got to have dynamic external IP addresses
> (note, not address; for that, see 1 above), we'll have to find
> a way to renumber your network so applications running on your hosts
> know what their new addresses are while keeping your preferred
> topological configuration, every time your PD lease is due *.

That sounds like a weird design. Whatever the solution will be, it will have to be without renumbering. Hosts must not care about the temporary dynamic external IPv6 address at all. Only a very small number (if any) of applications might need to know, and those will have to ask the home gateway for it exactly when they need it.

The home gateway might need a NAT66, and for the remaining lifetime of IPv4 a NAT44 in combination with an IPv4<->IPv6 protocol translation (maybe something like rfc6052).

The use of separate routing tables for IPv4 and IPv6 looks more like part of the problem to me rather than part of any solution.

-Martin
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf