[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 RFC 4882

MIP6 Working Group                                         Rajeev Koodli
INTERNET DRAFT                                     Nokia Research Center
Informational
6 March 2006


    IP Address Location Privacy and Mobile IPv6: Problem Statement
               draft-ietf-mip6-location-privacy-ps-01.txt

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note
   that other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at
   any time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a submission of the IETF MIP6 WG. Comments should be
   directed to the MIP6 WG mailing list, mip6@ietf.org.


   Abstract

   In this document, we discuss Location Privacy as applicable to
   Mobile IPv6.  We document the concerns arising from revealing Home
   Address to an on-looker and from disclosing Care of Address to a
   correspondent.













Koodli                 Expires 6 September 2006                 [Page i]

Internet Draft         IP Location Privacy Problem          6 March 2006




                                 Contents


Abstract                                                               i

 1. Introduction                                                       1

 2. Problem Definition                                                 2
     2.1. Disclosing the Care of Address  . . . . . . . . . . . . .    2
     2.2. Revealing the Home Address  . . . . . . . . . . . . . . .    3

 3. Problem Illustration                                               3

 4. Conclusion                                                         5

 5. IANA Considerations                                                5

 6. Security Considerations                                            5

 7. Acknowledgment                                                     5

 8. Author's Address                                                   5

 A. Background                                                         6

Intellectual Property Statement                                        6

Disclaimer of Validity                                                 7

Copyright Statement                                                    7

Acknowledgment                                                         7


   1. Introduction

   The problems of location privacy, and privacy when using IP for
   communication have become important.  IP privacy is broadly concerned
   with protecting user communication from unwittingly revealing
   information that could be used to analyze and gather sensitive user
   data.  Examples include gathering data at certain vantage points,
   collecting information related to specific traffic, and monitoring
   (perhaps) certain populations of users for activity during specific
   times of the day, etc.  In this document, we refer to this as the
   "profiling" problem.





Koodli                 Expires 6 September 2006                 [Page 1]

Internet Draft         IP Location Privacy Problem          6 March 2006


   Location privacy is concerned with the problem of revealing roaming.
   A constant identifier with global scope can reveal roaming.  Such
   a global scope identifier could be a device identifier or a user
   identifier.  Often, a binding between these two identifiers is
   also available, e.g., through DNS. The location privacy problem
   is particularly applicable to Mobile IP where the Home Address on
   a visited network can reveal device roaming and, together with a
   user identifier (such as a SIP URI), can reveal user roaming.  Even
   when the binding between a user identifier and the Home Address is
   unavailable, freely available tools on the Internet can map the
   Home Address to the owner of the Home Prefix, which can reveal that
   a user from a particular ISP has roamed.  So, the location privacy
   problem is a subset of the profiling problem in which revealing a
   globally visible identifier compromises a user's location privacy.
   When location privacy is compromised, it could lead to more targetted
   profiling.

   Furthermore, a user may not wish to reveal roaming to
   correspondent(s).  In Mobile IP, this translates to the use
   of Care of Address.

   In this document, the concerns arising from the use of a globally
   visible identifier, such as a Home Address, when roaming are
   described.  Similarly, the concerns from revealing a Care of Address
   to a correspondent are also outlined.  The solutions to these
   problems are meant to be specified in a separate document.

   This document is only concerned with IP Address Location Privacy in
   the presence of IP Mobility, as applied to Mobile IPv6.  It does not
   address the overall profiling problem.  Specifically, it does not
   concern itself with MAC addresses.  Some other work may address the
   problem of profiling IP and MAC identifiers (see for instance [1]).


   2. Problem Definition

   2.1. Disclosing the Care of Address

   When a Mobile IP MN roams from its home network to a visited network,
   use of Care of Address in communication with a correspondent reveals
   that the MN has roamed.  This assumes that the correspondent is able
   to associate the CoA to HoA, for instance by inspecting the Binding
   Cache Entry.  The HoA itself is assumed to have been obtained by
   whatever means (e.g., through DNS lookup).








Koodli                 Expires 6 September 2006                 [Page 2]

Internet Draft         IP Location Privacy Problem          6 March 2006


   2.2. Revealing the Home Address

   When a Mobile IP MN roams from its home network to a visited network,
   use of Home Address in communication reveals to an on-looker that the
   MN has roamed.  When a binding of Home Address to a user identifier
   (such as a SIP URI or NAI) is available, the Home Address can be
   used to also determine that the user has roamed.  This problem is
   independent of whether the MN uses Care of Address to communicate
   directly with the correspondent (i.e., uses route optimization),
   or the MN communicates via the Home Agent (i.e., uses reverse
   tunneling).


   3. Problem Illustration

   This section is intended to provide the overall scope under which the
   above problems are applicable.

   Consider a Mobile Node at its home network.  Whenever it is involved
   in IP communication, its correspondents can see an IP address valid
   on the home network.  Elaborating further, the users involved in peer
   - peer communication are likely to see a user-friendly identifier
   such as a SIP URI, and the communication end-points in the IP
   stack will see IP addresses.  Users uninterested in or unaware of
   IP communication details will not see any difference when the MN
   acquires a new IP address.  Of course any user can ``tcpdump'' or
   ``ethereal'' a session, capture IP packets and map the MN's IP
   address to an approximate geo-location.  When this mapping reveals a
   ``home location'' of the user, the correspondent can conclude that
   the user has not roamed.  Assessing the physical location based on
   IP addresses is similar to assessing the geographical location based
   on the area-code of a telephone number.  The granularity of the
   physical area corresponding to an IP address can vary depending on
   how sophisticated the available tools are, how often an ISP conducts
   its network re-numbering, etc.

   When the MN roams to another network, the location privacy problem
   consists of two parts:  revealing information to its correspondents
   and to on-lookers.

   With its correspondents, the MN can either communicate directly or
   reverse tunnel its packets through the Home Agent.  Using reverse
   tunneling does not reveal the new IP address of the MN, although
   performance may vary depending on the particular scenario.  In some
   instances, the performance difference could be noticeable enough to
   serve as a hint to the correspondent.  With those correspondents with
   which it can disclose its new IP address ``on the wire'', the MN has
   the option of using route-optimized communication.  The transport
   protocol still sees the Home Address with route optimization.  Unless



Koodli                 Expires 6 September 2006                 [Page 3]

Internet Draft         IP Location Privacy Problem          6 March 2006


   the correspondent runs some packet capturing utility, the user cannot
   see which mode (reverse tunneling or route optimization) is being
   used, but knows that it is communicating with the same peer whose URI
   it knows.  This is similar to conversing with a roaming cellphone
   user whose phone number, like the URI, remains unchanged.

   Regardless of whether the MN uses route optimization or reverse
   tunneling, its Home Address is revealed in data packets.  When
   equipped with an ability to inspect packets ``on the wire'', an
   on-looker can determine that the MN has roamed and could possibly
   also determine that the user has roamed.  This could compromise
   the location privacy even if the MN took steps to hide its roaming
   information from a correspondent.

   The above description is valid regardless of whether a Home Address
   is static or is dynamically allocated.  In either case, the mapping
   of IP address to geo-location will most likely yield results with
   the same level of granularity.  With the freely available tools on
   the Internet, this granularity is the physical address of the ISP or
   the organization which registers ownership of a prefix chunk.  Since
   an ISP or an organization is not, rightly, required to provide a
   blue-print of its subnets, the granularity remains fairly coarse for
   a mobile wireless network.  However, sophisticated attackers might
   be able to conduct site mapping and obtain more fine-grained subnet
   information.

   A compromise in location privacy could lead to more targetted
   profiling of user data.  An eavesdropper may specifically track the
   traffic containing the Home Address, and monitor the movement of the
   Mobile Node with changing Care of Address.  The profiling problem is
   not specific to Mobile IPv6, but could be triggered by a compromise
   in location privacy due to revealing the Home Address.
   A correspondent may take advantage of the knowledge that a user
   has roamed when Care of Address is revealed, and modulate actions
   based on such a knowledge.  Such an information could cause concern
   to a mobile user especially when the correspondent turns out be
   untrustworthy.

   Finally, it is also worthwhile to note that both the Home Address
   and the Care of Address could be subject to profiling, just as
   any other user traffic.  However, applying existing techniques to
   thwart profiling may have implications to Mobile IPv6 signaling
   performance.  For instance, changing the Care of Address often would
   cause additional Return Routability and binding management signaling.
   And, changing the Home Address often has implications on IPSec
   security association management.  These issues need to be addressed
   in the solutions.





Koodli                 Expires 6 September 2006                 [Page 4]

Internet Draft         IP Location Privacy Problem          6 March 2006


   4. Conclusion

   In this document, we have formulated the IP Location Privacy problem
   in the presence of Mobile IPv6.  The problem can be summarized as
   follows:  disclosing Care of Address to a correspondent and revealing
   Home Address to an on-looker can compromise the location privacy of a
   Mobile Node, and hence that of a user.  Solutions to this problem are
   expected to specifically address the use of Mobile IPv6 addresses,
   and not other identifiers (such as MAC addresses).

   Perhaps it is also worthwhile to consider implications of revealing
   roaming information to the home network itself.  This problem will
   likely have much larger implications on the Mobile IPv6 operation,
   and may be investigated in the future versions of this document.


   5. IANA Considerations

   There are no IANA considerations introduced by this draft.


   6. Security Considerations

   This document discusses location privacy because of IP mobility.
   Solutions to provide location privacy, especially any signaling over
   the Internet, must be secure in order to be effective.  Individual
   solutions must describe the security implications.


   7. Acknowledgment

   Thanks to Jari Arkko, James Kempf and Qiu Ying for the review and
   feedback.


   References

   [1] W. Haddad and et al.  Privacy for Mobile and Multi-homed Nodes:
       MoMiPriv Problem Statement (work in progress).  Internet Draft,
       Internet Engineering Task Force, October 2004.

   [2] J. Polk, J. Schnizlein, and M. Linsner.  DHCP Option for
       Coordinate-based Location Configuration Information.  Request for
       Comments 3825, Internet Engineering Task Force, July 2004.


   8. Author's Address

     Rajeev Koodli



Koodli                 Expires 6 September 2006                 [Page 5]

Internet Draft         IP Location Privacy Problem          6 March 2006


     Nokia Research Center
     313 Fairchild Drive
     Mountain View, CA 94043 USA
     Phone: +1 650 625 2359
     Fax: +1 650 625 2502
     E-Mail: Rajeev.Koodli@nokia.com


   A. Background

   The location privacy topic is broad and often has different
   connotations.  It also spans multiple layers in the OSI reference
   model.  Besides, there are attributes beyond an IP address alone
   that can reveal hints about location.  For instance, even if a
   correspondent is communicating with the same end-point it is used
   to, the ``time of the day'' attribute can reveal a hint to the
   user.  Some roaming cellphone users may have noticed that their SMS
   messages carry a timestamp of their ``home network'' timezone (for
   location privacy or otherwise) which can reveal that the user is in
   a different timezone when messages are sent during ``normal'' time
   of the day.  Furthermore, tools exist on the Internet which can map
   an IP address to the physical address of an ISP or the organization
   which owns the prefix chunk.  Taking this to another step, with
   in-built GPS receivers on IP hosts, applications can be devised
   to map geo-locations to IP network information.  Even without GPS
   receivers, geo-location can also be obtained in environments where
   [Geopriv] is supported, for instance as a DHCP option [2].

   In summary, a user's physical location can be determined or guessed
   with some certainty and with varying levels of granularity by
   different means even though IP addresses themselves do not inherently
   provide any geo-location information.  It is perhaps useful to bear
   this broad scope in mind as the problem of IP address location
   privacy in the presence of IP Mobility is addressed.


   Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an



Koodli                 Expires 6 September 2006                 [Page 6]

Internet Draft         IP Location Privacy Problem          6 March 2006


   attempt made to obtain a general license or permission for the
   use of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


   Disclaimer of Validity

   This document and the information contained herein are provided
   on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


   Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


   Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.


















Koodli                 Expires 6 September 2006                 [Page 7]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/