On 10/10/2017 10:14, Alexander Clemm wrote:
>>
>> I don't believe that is true. There are many examples of deployments that
>> have a private mapping system which is not accessible by just anyone. For
>> instance, in multi tenant virtualization it is imperative that tenants are not
>> able to access the mapping system-- if they were then the whole concept of
>> virtual network isolation starts to break down. Mapping systems are already
>> protected using ACLs, authentication, network isolation, etc.
>>
>> Tom
>>
>
> I thought one concern raised here wasn't that the information couldn't be secured, but that the owner or operator of the mapping system could collude with dark forces to turn its information against you, in which case all bets are off.

Indeed. There is one possible mitigation, which is that all the central system knows about is the *existence* of a unique ID, not who or what it refers to. In other words the central system creates and hands out IDs, never hands out the same one twice, and keeps no record beyond the value of the ID. Then only the entity that obtained the ID can create mappings to it. That allows knowledge of the mappings to be compartmentalised and decentralised, and the mappings will not be traceable back to the entity that requested the ID itself. Much like trying to ping fd63:46cb:fe17:0:be05:43af:fec1:bad9

    Brian

>
> Assuming for a moment that we have an operator who does not collude with dark forces and does want to secure access to the mapping system and information, one question concerns how the access is controlled - just to the mapping system as a whole, or at the level of individual records. Is this level of differentiation provided (which can be important if I want to protect e.g. my locator information from some, but not all users)?
>
> --- Alex