Anonymous Identifiers BOF (alien)

Wednesday, August 3 at 1400-1630
================================

CHAIRS: James Kempf <kempf@docomolabs-usa.com>
        Pekka Nikander <pekka.nikander@nomadiclab.com>
 
DESCRIPTION:

Privacy is becoming a more pressing issue in the Internet
architecture. There are several reasons for this, including
new or proposed legislation in various countries, the
Internet becoming more ubiquitous and mobile, and changes in
people's expectations. Furthermore, there are many different
perspectives on network-related privacy, and some of these
are based on different expectations with respect to privacy
in different countries and cultures.


The BOF has three distinct goals:

1. To initiate long-term architectural discussion on privacy
within the community. One possible outcome of this would
be chartering of a privacy research group at the IRTF.
The goal of this work is to define exactly what
network-related privacy means and to understand the
breadth and depth of the problem.

2. To initiate shorter-term work to define how to implement
and use the existing protocols in such a way that the
privacy-sensitive information, such as a user's
more-permanent network-layer identity, is not
unnecessarily revealed, since such disclosure compromises
their network privacy. It is envisioned that a new working group
crossing the Security and Internet Areas might be a
suitable forum for this work, and that if such a working
group is formed, it could also act as a common discussion
forum to help in co-ordinating protocol-specific work; see
the next item.

3. To briefly discuss some specific needs to modify existing
protocols, such as Mobile IP, in order to improve their
privacy properties. As a baseline, it is assumed that
such work would probably be best carried out in existing
working or research groups, such as MIP4, MIP6 or MOBOPTS,
whenever there is an active group for the protocol at
hand.

The focus of the proposed work will be on protecting
communicating parties' privacy against eavesdroppers and
other third parties. Therefore, unlinkability of various
identifiers used in protocols is an important matter; see
below. Focus will be on the internetworking layer (IP
protocols) and layers close to it, with less attention paid
to specific applications or physical layer issues. While it
is necessary to understand link layer issues, proposals to
change existing link layer protocols or to define new link
layer protocols are explicitly out of scope.

Location privacy in the sense of keeping location related
information, such as the IP address, of a mobile host private
from its active peers is explicitly out of scope. However,
location privacy in the sense of keeping a given mobile
user's location-related information private from third
parties, i.e. hosts and nodes with which the node does *not*
have active communication, falls within the proposed
scope.

MAILING LIST:
-------------
momipriv@lacnic.net

To subscribe, visit http://lacnic.net/mailman/listinfo/momipriv

BACKGROUND:
-----------

Privacy is a multifaceted phenomenon with many different
definitions of what it exactly means. Obviously, in this
work the aim is to look at privacy issues in Internet
protocols and architecture, including all protocols from
sub-IP to application layer aspects. However, focus will be
on the IP layer; see below. A basic approach in addressing
privacy in protocols is unlinkability, meaning that an
eavesdropper is unable to link together identifiers and other
data with the aim of tracking the behaviour, location, and
other sensitive information about a user.

A more pressing need faces the IP layer and in some cases the
layers below it. The IETF has developed and is still working
on various multi-homing and mobility solutions. These
solutions target various goals, including keeping
ongoing sessions alive while switching between different IP
addresses. In these protocols, an IP-layer identifier that
remains stable even though the underlying IP addresses (i.e.,
locators) change is an important building block. However,
the currently standardized and proposed mobility and
multi-homing solutions allow eavesdroppers and correspondent
nodes to easily identify, locate, and trace nodes in a mobile
and multi-homed environment.

Among these protocol identifiers, the stable IP address, and
in some cases link layer identifiers, are the most valuable
ones since they make tracking easy. However, other
pieces of information such as security-related identifiers
(e.g. IPsec SPIs), transport layer identifiers (e.g. TCP port
and sequence numbers), and even application-specific data
need to be considered.

As argued in the drafts (see below), addressing these privacy
issues separately on the IP and link layers is insufficient,
especially in the sense that it does not take the
unlinkability aspect into account: an identifier left
unchanged at one layer still links the identifiers rotated at
another. Hence, a solution which addresses anonymity and
unlinkability at all layers and takes into consideration the
synchronisation problem between the various layers is needed.
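As an added illustration of the linkability argument above (constructed example code, not from the BOF text or the cited drafts; the identifier fields and trace values are assumed), a toy on-path observer that links any two packets sharing an identifier value at any layer, run over a staggered rotation and a synchronised one:

```python
from collections import defaultdict

# Identifier fields an on-path observer sees in each packet (assumed set).
LAYERS = ("link_id", "ip_addr", "ipsec_spi", "tcp_port")

def link_observations(observations):
    """Cluster observations an eavesdropper can link: any shared identifier
    value in the same field joins two observations (union-find); the
    transitive closure models linking across several address changes."""
    parent = list(range(len(observations)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}  # (field, value) -> index of first observation carrying it
    for idx, obs in enumerate(observations):
        for field in LAYERS:
            key = (field, obs[field])
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx
    clusters = defaultdict(set)
    for idx in range(len(observations)):
        clusters[find(idx)].add(idx)
    return sorted(clusters.values(), key=len, reverse=True)

def traceable_addresses(observations):
    """Distinct IP addresses (locators) the observer can tie to one node."""
    biggest = link_observations(observations)[0]
    return sorted({observations[i]["ip_addr"] for i in biggest})

# Constructed trace of one mobile node moving through three addresses.
# STAGGERED: each layer does rotate its identifier, but at a different time,
# so at every move some identifier survives and bridges old and new address.
STAGGERED = [
    {"link_id": "L1", "ip_addr": "2001:db8:1::a", "ipsec_spi": 0x1001, "tcp_port": 40001},
    {"link_id": "L2", "ip_addr": "2001:db8:2::b", "ipsec_spi": 0x1001, "tcp_port": 40002},
    {"link_id": "L2", "ip_addr": "2001:db8:3::c", "ipsec_spi": 0x2002, "tcp_port": 40003},
]
# SYNCED: all identifiers change together with the address.
SYNCED = [
    {"link_id": "L1", "ip_addr": "2001:db8:1::a", "ipsec_spi": 0x1001, "tcp_port": 40001},
    {"link_id": "L2", "ip_addr": "2001:db8:2::b", "ipsec_spi": 0x2002, "tcp_port": 40002},
    {"link_id": "L3", "ip_addr": "2001:db8:3::c", "ipsec_spi": 0x3003, "tcp_port": 40003},
]
```

With the staggered trace the observer ties all three addresses to one node even though every identifier was eventually rotated; with the synchronised trace each address stands alone.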

Related drafts:

draft-haddad-momipriv-problem-statement-01.txt
draft-haddad-momipriv-threat-model-00.txt
draft-ietf-multi6-hba-00.txt
draft-dupont-mip6-privacyext-01.txt
draft-koodli-mip6-location-privacy-00.txt
draft-koodli-mip6-location-privacy-solutions-00.txt
draft-qiu-mip6-mnprivacy-00.txt

Other relevant information, as background for the example approach
to be presented by Pekka Nikander:

Farber, D. J., Larson, K. C.: Network Security Via Dynamic Process
Renaming. Fourth Data Communications Symposium, Quebec City, Canada
(1977, October) 8-13 -- 8-1

Dogan Kesdogan, Peter Reichl, Klaus Junghartchen, Distributed
Temporary Pseudonyms: A New Approach for Protecting Location
Information in Mobile Communication Networks, ESORICS 1998.
http://userver.ftw.at/~reichl/publications/ESORICS98.pdf

Jukka Ylitalo and Pekka Nikander, "BLIND: A Complete Identity
Protection Framework for End-points", to appear in Security
Protocols, Twelfth International Workshop, Cambridge, 24-28 April,
2004.
http://www.tml.hut.fi/~pnr/publications/cam2004.pdf

Jari Arkko, Pekka Nikander, and Mats Naslund, Enhancing Privacy
with Shared Pseudo Random Sequences (preliminary version),
to appear in Security Protocols, 13th International Workshop,
Cambridge, 20-22 April, 2005.
http://www.tml.hut.fi/~pnr/publications/cam2005-pre.pdf