Re: [arch-d] Call for Comment: <draft-trammell-wire-image-04> (The Wire Image of a Network Protocol)

On 2018-09-06 14:01, Stephen Farrell wrote:
> 
> Hiya,
> 
> (cc'ing ietf@xxxxxxxx - I'm not keen that discussion of such
> IAB drafts be banished to architecture-discuss@xxxxxxxx:-)

I haven't changed the Cc list, but I respectfully disagree.
I don't see that list as banishment; anyone can join and it's
archived, but it doesn't suffer the noise level of ietf@xxxxxxxx.

As a technical comment, I'd like to mention an extreme version
of wire image. The only thing needed to deliver an IP packet
to its destination is the destination address. So the minimal
wire image of a packet is the destination address followed
by some number of encrypted bits.
[Not my invention: Jon Crowcroft's unpublished article on
Sourceless Network Architecture points out that the IP source
address is redundant for the delivery of packets.]

Now this has some minor disadvantages (no diffserv field,
no flow label, no intermediate ICMP replies, etc.) but from the
privacy point of view, it's hard to do better at the single
packet level. You can still do some temporal analysis, but
most of the normal clues are missing since you have no tuple
to track, so it will be extremely hard to assign packets
to flows.

Also, with the message body being pseudorandom, you cannot
deduce anything about the protocol, ports, or payload size,
or even whether the packet is just noise to confuse temporal
analysis.

I think this sets a baseline for discussion of wire images:
you can't have *less* of an image than this. How much do we
sacrifice of this baseline privacy by not encrypting other
parts of the IP header, for example?

(I do wonder about this as RFC material. Somehow it seems
a bit more like a CCR paper to me.)

    Brian
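
The flow-assignment point in the message above, as an added example that is not part of the original post: it compares what an on-path observer can group by when the full 5-tuple is readable versus when only the destination address is, and what timing alone still yields. The packet list, addresses (documentation ranges), timestamps, function names and the 1-second gap are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample traffic (documentation addresses, not captured data):
# (time_s, src, dst, proto, sport, dport)
PACKETS = [
    (0.00, "2001:db8::a", "2001:db8::100", "tcp", 50001, 443),
    (0.01, "2001:db8::b", "2001:db8::100", "tcp", 40000, 443),
    (0.02, "2001:db8::a", "2001:db8::100", "tcp", 50001, 443),
    (0.03, "2001:db8::a", "2001:db8::100", "udp", 50002, 53),
    (5.00, "2001:db8::b", "2001:db8::100", "tcp", 40000, 443),
    (5.01, "2001:db8::c", "2001:db8::200", "udp", 40002, 123),
]

def full_image(pkt):
    """Cleartext headers: the observer reads the whole 5-tuple."""
    return pkt[1:]

def minimal_image(pkt):
    """Minimal wire image: only the destination address is readable."""
    return (pkt[2],)

def hidden_flows(packets, image):
    """Per observable key, count the true 5-tuple flows merged under it."""
    merged = defaultdict(set)
    for pkt in packets:
        merged[image(pkt)].add(pkt[1:])
    return {key: len(flows) for key, flows in merged.items()}

def temporal_bursts(packets, gap_s):
    """What timing alone still gives: per destination, split packets into
    bursts wherever the inter-arrival gap exceeds gap_s seconds."""
    bursts = defaultdict(list)
    for t, _src, dst, *_ in sorted(packets):
        runs = bursts[dst]
        if runs and t - runs[-1][-1] <= gap_s:
            runs[-1].append(t)
        else:
            runs.append([t])
    return dict(bursts)

if __name__ == "__main__":
    print("full   :", hidden_flows(PACKETS, full_image))
    print("minimal:", hidden_flows(PACKETS, minimal_image))
    print("bursts :", temporal_bursts(PACKETS, gap_s=1.0))
```

In this sample the first burst toward `2001:db8::100` mixes three true flows, and one of those flows reappears alone in the second burst, so burst boundaries do not line up with flows.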






