The P in NAPT != Privacy was Re: Time to move beyond the 32 bit Internet.

hi Martin, all,

On 25 Jun 2014, at 01:55, Martin Rex <mrex@xxxxxxx> wrote:

> Why would any private individual want to get an IPv6 address?
> With DHCP IPv4 + NAT (on your Home router) and even more so with CGN,
> you may have at least a vague chance that your ID doesn't stick out
> of every IP datagram like a sore thumb.  With IPv6, you're stripped
> naked for traffic analysis by every governmental agency worldwide, no matter
> how strong you encrypt your traffic.

There is an incredibly dubious assumption hidden in this statement that it's hard to map NATted addresses to user and session identifiers. Not only is it not particularly hard, it's actually _required_ in certain jurisdictions for ISPs to keep this mapping information to respond to LE requests. 

Even if you're _not_ the ISP or (quasi-)legally empowered to compel it to give you this information, there's enough information radiated by application layer protocols that you can tease session identifiers back out of traces even without payload and with addressing information *purposefully* destroyed, as opposed to merely tweaked for operational expediency. See e.g. Coull et al "Playing Devil's Advocate: Inferring Sensitive Information from Anonymized Network Traces" NDSS 2007; Wright et al "On Inferring Application Protocol Behaviors in Encrypted Network Traffic" Journal of Machine Learning Research 2006; and the citation trees rooted at those two papers.

Network address translation is simply an expedient technique to tease a few more bits out of the address space by hiding those bits in transient state kept along the path. The assumption that it is somehow hard to store or reconstruct that transient state is simply incorrect. 

As a method for protecting privacy, NAT is privacy theater, full stop.

> The end-2-end principle is equivalent to a fairly complete loss of privacy.
> Really, I'm glad that I can use IPv4 and get a new IPv4 address assigned
> several times a day.

I'm pretty sure I read somewhere that we're out of "new" IPv4 addresses. :) So those addresses aren't new, they're reused. So the important metric here isn't the frequency of change, but (1) the size of the set of addresses and (2) the predictability of that set. Unless you're changing your ISP several times a day, NAT serves only to "hide" you in a pool of a very small number of bits of address entropy.

Regards,

Brian

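An added example, not part of the original message or of any real CGN implementation, illustrating two of the points made above: that the "transient" NAPT state along the path is trivially logged and reversed by whoever operates the box, and that rotating through addresses inside one ISP's pool leaves an outside observer with only log2(pool size) bits of address entropy. The NAT, its subscribers, flows and pool (RFC 5737 documentation addresses) are all constructed for the demo.

```python
"""Toy port-overloading NAT (NAPT) with a persistent binding log, plus the
address-entropy arithmetic. Added example: addresses are RFC 5737
documentation ranges and every flow is constructed, not captured."""
import math
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List, Dict

Socket = Tuple[str, int]  # (ip, port)


@dataclass
class Binding:
    internal: Socket              # subscriber-side (ip, port)
    external: Socket              # public-side (ip, port) handed out by the NAT
    opened: int                   # unix seconds the binding was created
    closed: Optional[int] = None  # None while the binding is still active


class LoggingNapt:
    """NAPT whose binding table is also appended to a persistent log, the way
    an operator under a data-retention rule keeps it. External ports are
    handed out round-robin over (pool address, port) slots."""

    def __init__(self, pool: List[str], port_lo: int = 1024, port_hi: int = 65535):
        self.slots: List[Socket] = [(ip, p) for ip in pool
                                    for p in range(port_lo, port_hi + 1)]
        self.active: Dict[Socket, Binding] = {}      # external -> Binding
        self.by_internal: Dict[Socket, Socket] = {}  # internal -> external
        self.log: List[Binding] = []                 # every binding ever made
        self.cursor = 0

    def _allocate(self) -> Socket:
        n = len(self.slots)
        for _ in range(n):
            cand = self.slots[self.cursor % n]
            self.cursor += 1
            if cand not in self.active:
                return cand
        raise RuntimeError("external address/port pool exhausted")

    def outbound(self, src_ip: str, src_port: int, now: int) -> Socket:
        """Translate an outbound packet; returns the public (ip, port) it
        leaves with. A known internal socket keeps its existing binding."""
        key = (src_ip, src_port)
        if key in self.by_internal:
            return self.by_internal[key]
        ext = self._allocate()
        b = Binding(internal=key, external=ext, opened=now)
        self.active[ext] = b
        self.by_internal[key] = ext
        self.log.append(b)  # the 'transient' state is now retained
        return ext

    def close(self, ext: Socket, now: int) -> None:
        """Tear down a binding (timeout or FIN). The log entry keeps its
        lifetime so later queries for a reused port are disambiguated."""
        b = self.active.pop(ext)
        del self.by_internal[b.internal]
        b.closed = now

    def lookup(self, ext_ip: str, ext_port: int, t: int) -> Optional[Socket]:
        """The operator's answer to 'who held ext_ip:ext_port at time t?':
        a scan of the retained log by external tuple and binding lifetime."""
        for b in self.log:
            if (b.external == (ext_ip, ext_port) and b.opened <= t
                    and (b.closed is None or t < b.closed)):
                return b.internal
        return None


def address_entropy_bits(pool_cidr: str) -> float:
    """Bits of address entropy an observer *without* the log is left with
    when a subscriber rotates through addresses inside one known pool:
    log2 of the pool size, independent of how often the address changes."""
    net = ipaddress.ip_network(pool_cidr, strict=False)
    return math.log2(net.num_addresses)


if __name__ == "__main__":
    # One public address, two ports: the smallest pool that can wrap around.
    nat = LoggingNapt(pool=["203.0.113.1"], port_lo=40000, port_hi=40001)
    e1 = nat.outbound("10.0.0.5", 51000, now=100)   # subscriber A
    nat.outbound("10.0.0.7", 51000, now=105)        # subscriber B
    nat.close(e1, now=200)                          # A's flow ends
    nat.outbound("10.0.0.13", 4444, now=252)        # subscriber C gets A's old slot
    print(nat.lookup("203.0.113.1", 40000, 150))    # A's socket
    print(nat.lookup("203.0.113.1", 40000, 300))    # C's socket, same public tuple
    print(address_entropy_bits("198.51.100.0/22"))  # 10 bits from a /22 pool
```

The reverse lookup needs nothing beyond the external tuple and a timestamp, which is exactly what a server log or a passive trace on the public side yields; the "several new addresses a day" case collapses to `address_entropy_bits` of whatever prefix the ISP draws them from.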