Anonymous Identifiers BOF (alien)
Wednesday, August 3 at 1400-1630
================================

CHAIRS: James Kempf
        Pekka Nikander

DESCRIPTION:

Privacy is becoming a more pressing issue in the Internet architecture. There are several reasons for this, including new or proposed legislation in various countries, the Internet becoming more ubiquitous and mobile, and changes in people's expectations. Furthermore, there are many different perspectives on network-related privacy, and some of these are based on different expectations with respect to privacy in different countries and cultures.

The BOF has three distinct goals:

1. To initiate long-term architectural discussion on privacy within the community. One possible outcome of this would be the chartering of a privacy research group at the IRTF. The goal of this work is to define exactly what network-related privacy means and to understand the breadth and depth of the problem.

2. To initiate shorter-term work to define how to implement and use the existing protocols in such a way that privacy-sensitive information, such as a user's more permanent network-layer identity, is not unnecessarily revealed, thereby compromising their network privacy. It is envisioned that a new working group crossing the Security and Internet Areas might be a suitable forum for this work, and that if such a working group is formed, it could also act as a common discussion forum to help in co-ordinating protocol-specific work; see the next item.

3. To briefly discuss some specific needs to modify existing protocols, such as Mobile IP, in order to improve their privacy properties. As a baseline, it is assumed that such work would probably be best conveyed in existing working or research groups, such as MIP4, MIP6 or MOBOPTS, whenever there is an active group for the protocol at hand.

The focus of the proposed work will be on protecting communicating parties' privacy against eavesdroppers and other third parties.
Therefore, unlinkability of the various identifiers used in protocols is an important matter; see below. Focus will be on the internetworking layer (IP protocols) and the layers close to it, with less attention paid to specific applications or physical-layer issues. While it is necessary to understand link-layer issues, proposals to change existing link-layer protocols or to define new link-layer protocols are explicitly out of scope.

Location privacy in the sense of keeping location-related information, such as the IP address, of a mobile host private from its active peers is explicitly out of scope. However, location privacy in the sense of keeping a given mobile user's location-related information private from third parties, i.e. hosts and nodes with which the node does *not* have active communication, falls within the proposed scope.

MAILING LIST:
-------------

momipriv@lacnic.net

To subscribe, visit http://lacnic.net/mailman/listinfo/momipriv

BACKGROUND:
-----------

Privacy is a multifaceted phenomenon with many different definitions of what exactly it means. Obviously, in this work the aim is to look at privacy issues in Internet protocols and architecture, including all protocols from sub-IP to application-layer aspects. However, the focus will be on the IP layer; see below.

A basic approach to addressing privacy in protocols is unlinkability, meaning that an eavesdropper is unable to link together identifiers and other data with the aim of tracking the behaviour, location, and other sensitive information about a user.

A more pressing need faces the IP layer and in some cases the layers below it. The IETF has developed and is still working on various multi-homing and mobility solutions. These solutions target various goals, including keeping ongoing sessions alive while switching between different IP addresses.
In these protocols, an IP-layer identifier that remains stable even though the underlying IP addresses (i.e., locators) change is an important building block. However, the currently standardized and proposed mobility and multi-homing solutions allow eavesdroppers and correspondent nodes to easily identify, locate, and trace nodes in a mobile and multi-homed environment. Among these protocol identifiers, the stable IP address, and in some cases link-layer identifiers, are the most valuable ones since they make tracking easy. However, other pieces of information such as security-related identifiers (e.g. IPsec SPIs), transport-layer identifiers (e.g. TCP port and sequence numbers), and even application-specific data also need to be considered.

As argued in the drafts (see below), addressing these privacy issues separately on the IP and link layers is insufficient, especially in the sense that it does not take the unlinkability aspect into account. Hence, a solution which addresses anonymity and unlinkability at all layers and takes into consideration the synchronisation problem between the various layers is needed.

Related drafts:

   draft-haddad-momipriv-problem-statement-01.txt
   draft-haddad-momipriv-threat-model-00.txt
   draft-ietf-multi6-hba-00.txt
   draft-dupont-mip6-privacyext-01.txt
   draft-koodli-mip6-location-privacy-00.txt
   draft-koodli-mip6-location-privacy-solutions-00.txt
   draft-qiu-mip6-mnprivacy-00.txt

Other relevant information, as background for the example approach to be presented by Pekka Nikander:

   Farber, D. J., Larson, K. C.: Network Security Via Dynamic Process Renaming. Fourth Data Communications Symposium, Quebec City, Canada (October 1977), pp. 8-13 -- 8-1.

   Dogan Kesdogan, Peter Reichl, Klaus Junghartchen: Distributed Temporary Pseudonyms: A New Approach for Protecting Location Information in Mobile Communication Networks. ESORICS 1998.
   http://userver.ftw.at/~reichl/publications/ESORICS98.pdf

   Jukka Ylitalo and Pekka Nikander: "BLIND: A Complete Identity Protection Framework for End-points". To appear in Security Protocols, Twelfth International Workshop, Cambridge, 24-28 April 2004.
   http://www.tml.hut.fi/~pnr/publications/cam2004.pdf

   Jari Arkko, Pekka Nikander, and Mats Naslund: Enhancing Privacy with Shared Pseudo Random Sequences (preliminary version). To appear in Security Protocols, 13th International Workshop, Cambridge, 20-22 April 2005.
   http://www.tml.hut.fi/~pnr/publications/cam2005-pre.pdf
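The cross-layer linkability problem described in the BACKGROUND section, as an added example that is not part of the BOF text, the listed drafts or the cited papers: a constructed eavesdropper's view of a mobile node across three moves is checked for identifiers that stay constant, beside a hypothetical synchronised rotation in which every layer's identifier is re-derived per epoch from a secret the two peers share (a simplification in the spirit of the shared pseudo-random sequence reference, not that paper's scheme). The MAC, SPI and port derivations, the IP addresses and the secret are all constructed for this example.

```python
import hmac
import hashlib
from itertools import combinations

# Identifier fields an eavesdropper can read on the wire. The IP address is
# expected to change on every move, so linking is attempted on the rest.
LINKING_FIELDS = ("l2_addr", "ipsec_spi", "tcp_port")

def link_epochs(observations):
    """Return (epoch_a, epoch_b, shared_fields) for every pair of epochs that
    an eavesdropper could link because some identifier did not change."""
    links = []
    for a, b in combinations(observations, 2):
        shared = {f for f in LINKING_FIELDS if a[f] == b[f]}
        if shared:
            links.append((a["epoch"], b["epoch"], shared))
    return links

def rotate_identifiers(shared_secret, epoch):
    """Derive every per-layer identifier for one epoch from a single pseudo-random
    value (hypothetical scheme: HMAC-SHA256 keyed with a secret the two peers
    share), so that all layers change together when the node moves."""
    prf = hmac.new(shared_secret, epoch.to_bytes(4, "big"), hashlib.sha256).digest()
    return {
        "l2_addr": "02:" + ":".join(f"{b:02x}" for b in prf[0:5]),    # locally administered MAC
        "ipsec_spi": int.from_bytes(prf[5:9], "big") | 0x100,         # avoid the reserved SPIs 1..255
        "tcp_port": 49152 + int.from_bytes(prf[9:11], "big") % 16384, # ephemeral port range
    }

def observations_for(moves, make_ids):
    """Build the eavesdropper's view: one record per epoch as the node moves."""
    return [dict(epoch=e, src_ip=ip, **make_ids(e)) for e, ip in enumerate(moves)]

MOVES = ["192.0.2.10", "198.51.100.7", "203.0.113.42"]  # constructed: one address per access network
SECRET = b"constructed-shared-secret"                   # constructed peer secret

# Today's baseline: the address changes, but SPI, port and MAC stay fixed.
STABLE = observations_for(MOVES, lambda e: {"l2_addr": "00:11:22:33:44:55",
                                            "ipsec_spi": 0x1234, "tcp_port": 5555})
# Per-layer fix without synchronisation: MAC and SPI rotate, the TCP port does not.
PARTIAL = observations_for(MOVES, lambda e: {**rotate_identifiers(SECRET, e), "tcp_port": 5555})
# Synchronised rotation: every identifier is re-derived for each epoch.
ROTATED = observations_for(MOVES, lambda e: rotate_identifiers(SECRET, e))

if __name__ == "__main__":
    for name, view in (("stable", STABLE), ("partial", PARTIAL), ("rotated", ROTATED)):
        print(name, link_epochs(view))
```

The PARTIAL view is the point of the "synchronisation problem" in the text: rotating two layers while a third keeps a fixed identifier still lets every epoch be linked.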