[liberationtech] IPv6 good for anonymity

Tom Ritter tom at ritter.vg
Tue Jun 19 20:48:44 PDT 2012


Something I'm not seeing discussed much is that the fundamental shift
of "Who has this IP" doesn't change.  Right now my ISP gives me a
single IPv4 address and I NAT behind it.  If someone asks them "Who
has IP X at this time?" they can answer.  That doesn't change with
IPv6.  They assign me a /64.  And while it's true that I have
18,446,744,073,709,551,616 I can choose from to assign to myself in
crazy ways (one per new connection? one per minute?) - when someone
asks them, "Who had IP X at this time?" they just look up who was
assigned that /64 IPv6 block.

Networking tools have to adapt to handle reputation on a /64 (I'm
presenting about this at Black Hat in Vegas next month), and it will
be a slow shift to upgrade everything that
filters/whitelists/blacklists/searches/etc to do so on a subnet scale,
but it will happen.  And we're not any better off.



On 17 June 2012 15:31, Walid AL-SAQAF <alkasir admin> <admin at alkasir.com> wrote:
> See:
> http://news.cnet.com/8301-1009_3-57453738-83/fbi-dea-warn-ipv6-could-shield-criminals-from-police/

This says they're worried that RIRs, LIRs, and ISPs may not keep
records of who is assigned what addresses.  This doesn't strike me as
a boon for privacy.  It might be an incidental benefit - but it's not
something anyone should rely on, advertise, or be joyous about.

On 17 June 2012 15:58, Seth David Schoen <schoen at eff.org> wrote:
> - The original addressing scheme for IPv6 suggested using individual
>  devices' MAC addresses as (the basis for) the lower-order 64 bits of
>  the public IP address.  This is catastrophic for privacy because
>  then you can recognize and track individual devices all around the
>  world, like an indelible cross-site cookie for each device.  (What's
>  more, if you seize the device, you can confirm that it was the actual
>  device that was used to send some particular communications at some
>  point in the past.)  However, we don't have to use this scheme for
>  assigning IP addresses.  It depends on how our individual operating
>  systems are configured, and it's unlikely that ISPs or anyone could
>  somehow force us to use the privacy-invasive style.


Absolutely, this is a huge deal, and it's not solved.  Look up
draft-gont-6man-stable-privacy-addresses and
http://void.gr/kargig/presentations/athcon_2012_kargig.pdf for some
pointers into this.  I can't understate this: this is an open research
project, and we need solutions.  We don't want to wind up in a
scenario where the lower 64 bits of my address stay with me across
networks.  Very, very bad.


> - Having plentiful IP addresses means that we don't have to use network
>  address translation (NAT) anymore, at least not for IP address
>  scarcity reasons.  This could actually be bad for privacy because
>  there is less ambiguity about which user of a network was responsible
>  for particular communications; NAT can create ambiguity from the
>  outside world's point of view about who at a particular institution
>  actually sent some network traffic, and if we get rid of NAT, we
>  reduce that uncertainty.


While true, I view this in the same category as the first link.  We
may get incidental benefits from NAT, but it shouldn't be relied on
for strong anonymity.  University or ISP level NAT is out of your
control and they're usually happy to turn over information to whoever
asks.


> - Having plentiful IP addresses means that ISPs could choose to give
>  end-users more dynamic IP addresses, without re-use.  It's easier
>  to imagine using highly ephemeral IP addresses, like using a new
>  source address for each and every connection (!) or having one's
>  home network address change every day or every hour.  In that case,
>  it would be harder to make associations between users or to track
>  users based on their IP addresses.


Disagree, for the points I put in the beginning.  As long as I'm
changing my IP inside the /64 I'm assigned, I'm easy to correlate.
And AFAIK there have been no plans for ISPs to do anything other than the
recommendation of giving each user a /64 to play with.


> - With more plentiful public IP addresses, it would be easier and
>  for more people to start to run publicly-useful proxy services
>  like Tor entry nodes.  It will also be somewhat harder for
>  censors to enumerate and block secret bridge-style proxy nodes
>  ahead of time because it will be far more difficult to port-scan
>  the larger address space.  (It was traditionally thought to be
>  impossible, but there is a paper showing it may not be impossible
>  in practice.)


Yes.  Right now, portscanning in IPv6 is still possible in a number of
ways: reverse mapping .arpa, invalid multicast pings, and others.
(See the source in http://thc.org/thc-ipv6/ for a lot of IPv6 attacks.)
However I believe/hope that we will solve most of these in the next 5
years so port scanning will not be feasible in IPv6.  However, I don't
know if anyone is actively pushing to fix these things, so if anyone
has a grad student free...


> - With reduced use of NAT, we could more easily implement more
>  things as pure peer-to-peer services, with less intermediation.
>  This is good for users' privacy against service providers and
>  potentially bad for users' privacy against each other.  For
>  example, if you make an intermediated VoIP call, the service
>  provider learns your approximate location from your IP address,
>  but the other party to the call doesn't.  If you make a more
>  disintermediated VoIP call, no service provider learns this
>  information, but the other party can learn it.


I'm in general in favor of end-to-end connections because you can use
end-to-end crypto.  Crypto to an intermediary is near-useless.  But
fair enough, this can go either way.


> - Many network monitoring and logging systems aren't yet correctly
>  set up to log IPv6 addresses, so IPv6 users can't yet be monitored
>  and tracked by them as effectively as IPv4 users can.  That will
>  probably change over time.


I consider this an incidental benefit for now, but not to be relied
on.  Conversely, currently the anonymity set of IPv6 users is so small
it's super-dangerous to use IPv6 for anything like Tor.


One other random thing I've come across is Mobile IPv6.  Your phone
gets an IPv6 address it keeps forever, and gets moved around to
different towers.  Always reachable at that address.  Great for
running a service from it, like VoIP or something.  But seems bad for
privacy!  This is still way out, but something to think about if
you're really into this topic.

Anyway, I think something that's huge that isn't being talked about is
what I said in the beginning: the reputation change from an IPv4
address to an IPv6 subnet.  It will happen in all the legitimate and
less-legitimate tools out there, and when it does, changing your
address to any of the (4 Billion)^(4 Billion) addresses available to
you won't gain you anything.  It won't be any better (or any worse)
than IPv4.

-tom
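
The following is an added example, not part of the original message: a sketch of the subnet-scale reputation the message describes, where a filter counts events per /64 for IPv6 and per address for IPv4. The function names, the threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: source addresses of failed logins seen by a filter.
# 2001:db8::/32 and 192.0.2.0/24 are documentation ranges, not real hosts.
EVENTS = [
    "2001:db8:aa:1::1",                   # one subscriber rotating through
    "2001:db8:aa:1:dead:beef:0:2",        # addresses inside the /64 it
    "2001:db8:aa:1:1234:5678:9abc:def0",  # was assigned
    "2001:db8:aa:1:ffff:ffff:ffff:fffe",
    "2001:db8:bb:7::5",                   # a different subscriber
    "192.0.2.10",
    "192.0.2.10",
    "192.0.2.11",
    "::ffff:192.0.2.10",                  # IPv4-mapped form of 192.0.2.10
]


def exact_key(addr: str) -> str:
    """Old-style reputation key: the full address, whatever the family."""
    return str(ipaddress.ip_address(addr))


def reputation_key(addr: str, v6_prefix: int = 64) -> str:
    """Key IPv4 on the address and IPv6 on its enclosing prefix.

    v6_prefix defaults to /64, the assignment size the message assumes.
    """
    ip = ipaddress.ip_address(addr)
    # Fold IPv4-mapped IPv6 back to IPv4 so one client is not counted twice.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return str(ip)
    # strict=False masks off the interface identifier (the low 64 bits).
    return str(ipaddress.ip_network((ip, v6_prefix), strict=False))


def flag(events, threshold, key=reputation_key):
    """Return {key: count} for every key seen at least `threshold` times."""
    counts = Counter(key(e) for e in events)
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("per-address:", flag(EVENTS, 3, key=exact_key))
    print("per-/64:    ", flag(EVENTS, 3))
```

Counting per full address flags nothing on this sample, while counting per /64 flags the rotating subscriber after four events.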


