draft-ietf-mip6-location-privacy-ps-00.txt   draft-ietf-mip6-location-privacy-ps-01.txt 
MIP6 Working Group Rajeev Koodli MIP6 Working Group Rajeev Koodli
INTERNET DRAFT Nokia Research Center INTERNET DRAFT Nokia Research Center
Informational Informational
17 October 2005 6 March 2006
IP Address Location Privacy and Mobile IPv6: Problem Statement IP Address Location Privacy and Mobile IPv6: Problem Statement
draft-ietf-mip6-location-privacy-ps-00.txt draft-ietf-mip6-location-privacy-ps-01.txt
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note Task Force (IETF), its areas, and its working groups. Note
that other groups may also distribute working documents as that other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 49 skipping to change at page 1, line 49
correspondent. correspondent.
Contents Contents
Abstract i Abstract i
1. Introduction 1 1. Introduction 1
2. Problem Definition 2 2. Problem Definition 2
2.1. Disclosing the Care of Address . . . . . . . . . . . . . 2 2.1. Disclosing the Care of Address . . . . . . . . . . . . . 2
2.2. Revealing the Home Address . . . . . . . . . . . . . . . 2 2.2. Revealing the Home Address . . . . . . . . . . . . . . . 3
3. Problem Illustration 3 3. Problem Illustration 3
4. Conclusion 4 4. Conclusion 5
5. IANA Considerations 5 5. IANA Considerations 5
6. Security Considerations 5 6. Security Considerations 5
7. Acknowledgment 5 7. Acknowledgment 5
8. Author's Address 5 8. Author's Address 5
A. Background 5 A. Background 6
Intellectual Property Statement 6 Intellectual Property Statement 6
Disclaimer of Validity 7 Disclaimer of Validity 7
Copyright Statement 7 Copyright Statement 7
Acknowledgment 7 Acknowledgment 7
1. Introduction 1. Introduction
skipping to change at page 2, line 5 skipping to change at page 2, line 5
The problems of location privacy, and privacy when using IP for The problems of location privacy, and privacy when using IP for
communication have become important. IP privacy is broadly concerned communication have become important. IP privacy is broadly concerned
with protecting user communication from unwittingly revealing with protecting user communication from unwittingly revealing
information that could be used to analyze and gather sensitive user information that could be used to analyze and gather sensitive user
data. Examples include gathering data at certain vantage points, data. Examples include gathering data at certain vantage points,
collecting information related to specific traffic, and monitoring collecting information related to specific traffic, and monitoring
(perhaps) certain populations of users for activity during specific (perhaps) certain populations of users for activity during specific
times of the day, etc. In this document, we refer to this as the times of the day, etc. In this document, we refer to this as the
"profiling" problem. "profiling" problem.
Location privacy is concerned with the problem of revealing user Location privacy is concerned with the problem of revealing roaming.
roaming. A constant identifier with global scope can reveal that a A constant identifier with global scope can reveal roaming. Such
user has roamed. The globally visible identifier could be a user a global scope identifier could be a device identifier or a user
identifier or a device identifier, and sometimes a binding between identifier. Often, a binding between these two identifiers is
the two may also be available, e.g., through DNS. This problem is also available, e.g., through DNS. The location privacy problem
particularly applicable to Mobile IP where the Home Address on a is particularly applicable to Mobile IP where the Home Address on
visited network can reveal device roaming and, together with a a visited network can reveal device roaming and, together with a
user identifier (such as an NAI), can reveal user roaming. When user identifier (such as a SIP URI), can reveal user roaming. Even
roaming is revealed, it could lead to more targetted profiling. Even when the binding between a user identifier and the Home Address is
when the binding between user identifier and the Home Address is unavailable, freely available tools on the Internet can map the
unavailable, freely available tools on the Internet can map the Home Home Address to the owner of the Home Prefix, which can reveal that
Address to the owner of the Home Prefix, which can reveal that a user a user from a particular ISP has roamed. So, the location privacy
from a particular ISP has roamed. So, the location privacy problem problem is a subset of the profiling problem in which revealing a
is a subset of the profiling problem in which revealing a globally globally visible identifier compromises a user's location privacy.
visible identifier compromises a user's location privacy. In When location privacy is compromised, it could lead to more targetted
addition, a user may not wish to reveal roaming to correspondent(s). profiling.
In Mobile IP, this translates to the use of Care of Address. In this
document, the concerns arising from the use of a globally visible Furthermore, a user may not wish to reveal roaming to
identifier, such as a Home Address, when roaming outside the home correspondent(s). In Mobile IP, this translates to the use
network are described. Similarly, the concerns from revealing a Care of Care of Address.
of Address to a correspondent are also outlined. The solutions to
these problems are meant to be specified in a separate document. In this document, the concerns arising from the use of a globally
visible identifier, such as a Home Address, when roaming are
described. Similarly, the concerns from revealing a Care of Address
to a correspondent are also outlined. The solutions to these
problems are meant to be specified in a separate document.
This document is only concerned with IP Address Location Privacy in This document is only concerned with IP Address Location Privacy in
the presence of IP Mobility, as applied to Mobile IPv6. It does not the presence of IP Mobility, as applied to Mobile IPv6. It does not
address the overall profiling problem. Specifically, it does not address the overall profiling problem. Specifically, it does not
concern itself with MAC addresses. Some other work may address the concern itself with MAC addresses. Some other work may address the
problem of profiling IP and MAC identifiers (see for instance [1]). problem of profiling IP and MAC identifiers (see for instance [1]).
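Review bot: the spelling "targetted" survives the rewrite of the roaming paragraph ("it could lead to more targetted profiling") and should be "targeted". The reworked paragraph also reads circular: it first defines the location privacy problem as "a subset of the profiling problem" and then says that compromised location privacy "could lead to more targetted profiling"; consider stating the relation once, for example that a revealed globally visible identifier lets an observer tie traffic to a roaming user and thus narrow profiling to that user. The example user identifier changes from NAI to SIP URI here while 2.2 still lists "SIP URI or NAI"; that is consistent, but the intro could cite both so the reader is not left guessing whether NAIs are out of scope.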
2. Problem Definition 2. Problem Definition
2.1. Disclosing the Care of Address 2.1. Disclosing the Care of Address
When a Mobile IP MN roams from its home network to a visited When a Mobile IP MN roams from its home network to a visited network,
network, use of Care of Address in communication with a correspondent use of Care of Address in communication with a correspondent reveals
reveals that the MN has roamed. The assumption here is that the that the MN has roamed. This assumes that the correspondent is able
correspondent somehow knows the Home Address of the MN. For instance, to associate the CoA to HoA, for instance by inspecting the Binding
a correspondent may obtain it from DNS, which may contain the Home Cache Entry. The HoA itself is assumed to have been obtained by
Address or the IP address of an agent to which the user identifier whatever means (e.g., through DNS lookup).
(such as a SIP URI) is mapped to.
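Review bot: the new 2.1 text introduces the abbreviations CoA and HoA ("associate the CoA to HoA") without expansion, while the rest of the document writes Care of Address and Home Address in full; expand them on first use or keep the full terms. The sentence "for instance by inspecting the Binding Cache Entry" would also be clearer if it said why the correspondent holds such an entry at all: it is the route optimization signaling from the MN that gives the correspondent the Care of Address and Home Address together, so disclosure to the correspondent is inherent to route optimization rather than something the correspondent has to dig for.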
2.2. Revealing the Home Address 2.2. Revealing the Home Address
When a Mobile IP MN roams from its home network to a visited network, When a Mobile IP MN roams from its home network to a visited network,
use of Home Address in communication with a correspondent reveals to use of Home Address in communication reveals to an on-looker that the
an on-looker that the MN has roamed. When a binding of Home Address MN has roamed. When a binding of Home Address to a user identifier
to a user identifier (such as a SIP URI or NAI) is available, the (such as a SIP URI or NAI) is available, the Home Address can be
Home Address can be used to also determine that the user has roamed. used to also determine that the user has roamed. This problem is
This problem is independent of whether the MN uses Care of Address independent of whether the MN uses Care of Address to communicate
to communicate directly with the correspondent (i.e., uses route directly with the correspondent (i.e., uses route optimization),
optimization), or the MN communicates via the Home Agent (i.e., uses or the MN communicates via the Home Agent (i.e., uses reverse
reverse tunneling). tunneling).
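Review bot: the claim that revealing the Home Address to an on-looker "is independent of whether the MN uses ... reverse tunneling" needs the on-looker's vantage point stated. With reverse tunneling the Home Address sits in the inner header of the MN-to-Home Agent tunnel, so an on-looker on the visited side sees it only if the tunnel is not encrypted, and an on-looker beyond the Home Agent sees the Home Address but nothing that indicates roaming. Suggest adding one sentence saying where the on-looker is assumed to be and whether the tunnel is assumed to be in the clear.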
3. Problem Illustration 3. Problem Illustration
This section is intended to provide the overall scope under which the This section is intended to provide the overall scope under which the
above problems are applicable. above problems are applicable.
Consider a Mobile Node at its home network. Whenever it is involved Consider a Mobile Node at its home network. Whenever it is involved
in IP communication, its correspondents can see an IP address valid in IP communication, its correspondents can see an IP address valid
on the home network. Elaborating further, the users involved in peer on the home network. Elaborating further, the users involved in peer
- peer communication are likely to see a user-friendly identifier - peer communication are likely to see a user-friendly identifier
skipping to change at page 3, line 33 skipping to change at page 3, line 40
``ethereal'' a session, capture IP packets and map the MN's IP ``ethereal'' a session, capture IP packets and map the MN's IP
address to an approximate geo-location. When this mapping reveals a address to an approximate geo-location. When this mapping reveals a
``home location'' of the user, the correspondent can conclude that ``home location'' of the user, the correspondent can conclude that
the user has not roamed. Assessing the physical location based on the user has not roamed. Assessing the physical location based on
IP addresses is similar to assessing the geographical location based IP addresses is similar to assessing the geographical location based
on the area-code of a telephone number. The granularity of the on the area-code of a telephone number. The granularity of the
physical area corresponding to an IP address can vary depending on physical area corresponding to an IP address can vary depending on
how sophisticated the available tools are, how often an ISP conducts how sophisticated the available tools are, how often an ISP conducts
its network re-numbering, etc. its network re-numbering, etc.
Now consider that the MN roams to a new IP network, acquires a Care When the MN roams to another network, the location privacy problem
of Address and would like to communicate with its correspondents. consists of two parts: revealing information to its correspondents
It can either communicate directly or reverse tunnel its packets and to on-lookers.
through the Home Agent. Using reverse tunneling does not reveal the
new IP address of the MN, although performance may vary depending
on the particular scenario. In some instances, the performance
difference could be noticeable enough to serve as a hint to the
correspondent. With those correspondents with which it can disclose
its new IP address ``on the wire'', the MN has the option of using
route-optimized communication. The transport protocol still sees
the Home Address with route optimization. Unless the correspondent
runs some packet capturing utility, the user cannot see which mode
(reverse tunneling or route optimization) is being used, but knows
that it is communicating with the same peer whose URI it knows. This
is similar to conversing with a roaming cellphone user whose phone
number, like the URI, remains unchanged.
Let us consider the roaming mobile node again. Regardless of whether With its correspondents, the MN can either communicate directly or
it uses route optimization or reverse tunneling, its Home Address is reverse tunnel its packets through the Home Agent. Using reverse
revealed in data packets. When equipped with an ability to inspect tunneling does not reveal the new IP address of the MN, although
packets ``on the wire'', an on-looker can determine that the MN has performance may vary depending on the particular scenario. In some
roamed and could possibly also determine that the user has roamed. instances, the performance difference could be noticeable enough to
This could compromise the location privacy even if the MN took steps serve as a hint to the correspondent. With those correspondents with
to hide its roaming information from a correspondent. which it can disclose its new IP address ``on the wire'', the MN has
the option of using route-optimized communication. The transport
protocol still sees the Home Address with route optimization. Unless
the correspondent runs some packet capturing utility, the user cannot
see which mode (reverse tunneling or route optimization) is being
used, but knows that it is communicating with the same peer whose URI
it knows. This is similar to conversing with a roaming cellphone
user whose phone number, like the URI, remains unchanged.
Regardless of whether the MN uses route optimization or reverse
tunneling, its Home Address is revealed in data packets. When
equipped with an ability to inspect packets ``on the wire'', an
on-looker can determine that the MN has roamed and could possibly
also determine that the user has roamed. This could compromise
the location privacy even if the MN took steps to hide its roaming
information from a correspondent.
The above description is valid regardless of whether a Home Address The above description is valid regardless of whether a Home Address
is static or is dynamically allocated. In either case, the mapping is static or is dynamically allocated. In either case, the mapping
of IP address to geo-location will most likely yield results with of IP address to geo-location will most likely yield results with
the same level of granularity. With the freely available tools on the same level of granularity. With the freely available tools on
the Internet, this granularity is the physical address of the ISP or the Internet, this granularity is the physical address of the ISP or
the organization which registers ownership of a prefix chunk. Since the organization which registers ownership of a prefix chunk. Since
an ISP or an organization is not, rightly, required to provide a an ISP or an organization is not, rightly, required to provide a
blue-print of its subnets, the granularity remains fairly coarse for blue-print of its subnets, the granularity remains fairly coarse for
a mobile wireless network. However, sophisticated attackers might a mobile wireless network. However, sophisticated attackers might
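Review bot: in the rewritten opening of the roaming scenario ("When the MN roams to another network, the location privacy problem consists of two parts"), the statement that the MN acquires a Care of Address on the new network was dropped, yet the following paragraph relies on it ("does not reveal the new IP address of the MN", "disclose its new IP address"); keep the acquisition sentence so "new IP address" has a referent. Separately, in "Unless the correspondent runs some packet capturing utility, the user cannot see which mode ... is being used", "the user" is ambiguous between the MN's user and the correspondent's; it should read "the correspondent's user" or similar, and "ethereal" used as a verb would be clearer as "capture the session with a packet analyzer such as ethereal".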
skipping to change at page 5, line 7 skipping to change at page 5, line 15
4. Conclusion 4. Conclusion
In this document, we have formulated the IP Location Privacy problem In this document, we have formulated the IP Location Privacy problem
in the presence of Mobile IPv6. The problem can be summarized as in the presence of Mobile IPv6. The problem can be summarized as
follows: disclosing Care of Address to a correspondent and revealing follows: disclosing Care of Address to a correspondent and revealing
Home Address to an on-looker can compromise the location privacy of a Home Address to an on-looker can compromise the location privacy of a
Mobile Node, and hence that of a user. Solutions to this problem are Mobile Node, and hence that of a user. Solutions to this problem are
expected to specifically address the use of Mobile IPv6 addresses, expected to specifically address the use of Mobile IPv6 addresses,
and not other identifiers (such as MAC addresses). and not other identifiers (such as MAC addresses).
Perhaps it is also worthwhile to consider implications of revealing
roaming information to the home network itself. This problem will
likely have much larger implications on the Mobile IPv6 operation,
and may be investigated in the future versions of this document.
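Review bot: this paragraph appears in only one of the two versions and its wording ("Perhaps it is also worthwhile to consider") is too tentative for a Conclusion. Either state the point concretely, namely that the Home Agent necessarily learns the Care of Address in order to tunnel packets, so revealing roaming to the home network is inherent to Mobile IPv6 operation rather than an avoidable disclosure, or move the remark to the Background appendix as future work.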
5. IANA Considerations 5. IANA Considerations
There are no IANA considerations introduced by this draft. There are no IANA considerations introduced by this draft.
6. Security Considerations 6. Security Considerations
This document discusses location privacy because of IP mobility. This document discusses location privacy because of IP mobility.
Solutions to provide location privacy, especially any signaling over Solutions to provide location privacy, especially any signaling over
the Internet, must be secure in order to be effective. Individual the Internet, must be secure in order to be effective. Individual
solutions must describe the security implications. solutions must describe the security implications.
7. Acknowledgment 7. Acknowledgment
James Kempf and Qiu Ying reviewed an earlier version and provided Thanks to Jari Arkko, James Kempf and Qiu Ying for the review and
feedback. feedback.
References References
[1] W. Haddad and et al. Privacy for Mobile and Multi-homed Nodes: [1] W. Haddad and et al. Privacy for Mobile and Multi-homed Nodes:
MoMiPriv Problem Statement (work in progress). Internet Draft, MoMiPriv Problem Statement (work in progress). Internet Draft,
Internet Engineering Task Force, October 2004. Internet Engineering Task Force, October 2004.
[2] J. Polk, J. Schnizlein, and M. Linsner. DHCP Option for [2] J. Polk, J. Schnizlein, and M. Linsner. DHCP Option for
Coordinate-based Location Configuration Information. Request for Coordinate-based Location Configuration Information. Request for
skipping to change at page 7, line 17 skipping to change at page 7, line 27
This document and the information contained herein are provided This document and the information contained herein are provided
on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 13 change blocks. 
67 lines changed or deleted 77 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/