draft-ietf-mip6-location-privacy-ps-01.txt   draft-ietf-mip6-location-privacy-ps-02.txt 
MIP6 Working Group Rajeev Koodli MIP6 Working Group Rajeev Koodli
INTERNET DRAFT Nokia Research Center INTERNET DRAFT Nokia Research Center
Informational Informational
IP Address Location Privacy and Mobile IPv6: Problem Statement IP Address Location Privacy and Mobile IPv6: Problem Statement
draft-ietf-mip6-location-privacy-ps-01.txt draft-ietf-mip6-location-privacy-ps-02.txt
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note Task Force (IETF), its areas, and its working groups. Note
that other groups may also distribute working documents as that other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 46 skipping to change at page 1, line 46
Address to an on-looker and from disclosing Care of Address to a Address to an on-looker and from disclosing Care of Address to a
correspondent. correspondent.
Contents Contents
Abstract i Abstract i
1. Introduction 1 1. Introduction 1
2. Problem Definition 2 2. Problem Definition 2
2.1. Disclosing the Care of Address . . . . . . . . . . . . . 2 2.1. Disclosing the Care of Address to the Correspondent Node 2
2.2. Revealing the Home Address . . . . . . . . . . . . . . . 3 2.2. Revealing the Home Address to On-lookers . . . . . . . . 3
3. Problem Illustration 3 3. Problem Illustration 3
4. Conclusion 5 4. Conclusion 5
5. IANA Considerations 5 5. IANA Considerations 5
6. Security Considerations 5 6. Security Considerations 5
7. Acknowledgment 5 7. Acknowledgment 6
8. Author's Address 5 8. Author's Address 6
A. Background 6 A. Background 6
Intellectual Property Statement 6 Intellectual Property Statement 7
Disclaimer of Validity 7 Disclaimer of Validity 7
Copyright Statement 7 Copyright Statement 7
Acknowledgment 7 Acknowledgment 8
1. Introduction 1. Introduction
The problems of location privacy, and privacy when using IP for The problems of location privacy, and privacy when using IP for
communication have become important. IP privacy is broadly concerned communication have become important. IP privacy is broadly concerned
with protecting user communication from unwittingly revealing with protecting user communication from unwittingly revealing
information that could be used to analyze and gather sensitive user information that could be used to analyze and gather sensitive user
data. Examples include gathering data at certain vantage points, data. Examples include gathering data at certain vantage points,
collecting information related to specific traffic, and monitoring collecting information related to specific traffic, and monitoring
(perhaps) certain populations of users for activity during specific (perhaps) certain populations of users for activity during specific
times of the day, etc. In this document, we refer to this as the times of the day, etc. In this document, we refer to this as the
"profiling" problem. "profiling" problem.
Location privacy is concerned with the problem of revealing roaming. Location privacy is concerned with the problem of revealing roaming,
A constant identifier with global scope can reveal roaming. Such which we define here as the process of a Mobile Node moving from one
a global scope identifier could be a device identifier or a user network to another with or without on-going sessions. A constant
identifier. Often, a binding between these two identifiers is identifier with global scope can reveal roaming. Such a global scope
also available, e.g., through DNS. The location privacy problem identifier could be a device identifier or a user identifier. Often,
is particularly applicable to Mobile IP where the Home Address on a binding between these two identifiers is also available, e.g.,
a visited network can reveal device roaming and, together with a through DNS. The location privacy problem is particularly applicable
user identifier (such as a SIP URI), can reveal user roaming. Even to Mobile IP where the Home Address on a visited network can reveal
when the binding between a user identifier and the Home Address is device roaming and, together with a user identifier (such as a SIP
unavailable, freely available tools on the Internet can map the URI), can reveal user roaming. Even when the binding between a user
Home Address to the owner of the Home Prefix, which can reveal that identifier and the Home Address is unavailable, freely available
a user from a particular ISP has roamed. So, the location privacy tools on the Internet can map the Home Address to the owner of the
problem is a subset of the profiling problem in which revealing a Home Prefix, which can reveal that a user from a particular ISP
globally visible identifier compromises a user's location privacy. has roamed. So, the location privacy problem is a subset of the
When location privacy is compromised, it could lead to more targetted profiling problem in which revealing a globally visible identifier
profiling. compromises a user's location privacy. When location privacy is
compromised, it could lead to more targetted profiling.
Furthermore, a user may not wish to reveal roaming to Furthermore, a user may not wish to reveal roaming to
correspondent(s). In Mobile IP, this translates to the use correspondent(s). In Mobile IP, this translates to the use
of Care of Address. of Care of Address. As with Home Address, the Care of Address can
also reveal the topological location of the Mobile Node.
In this document, the concerns arising from the use of a globally In this document, the concerns arising from the use of a globally
visible identifier, such as a Home Address, when roaming are visible identifier, such as a Home Address, when roaming are
described. Similarly, the concerns from revealing a Care of Address described. Similarly, the concerns from revealing a Care of Address
to a correspondent are also outlined. The solutions to these to a correspondent are also outlined. The solutions to these
problems are meant to be specified in a separate document. problems are meant to be specified in a separate document.
This document is only concerned with IP Address Location Privacy in This document is only concerned with IP Address Location Privacy in
the presence of IP Mobility, as applied to Mobile IPv6. It does not the presence of IP Mobility, as applied to Mobile IPv6. It does not
address the overall profiling problem. Specifically, it does not address the overall profiling problem. Specifically, it does not
concern itself with MAC addresses. Some other work may address the concern itself with MAC addresses. Some other work may address the
problem of profiling IP and MAC identifiers (see for instance [1]). problem of profiling IP and MAC identifiers (see for instance [1]).
2. Problem Definition 2. Problem Definition
2.1. Disclosing the Care of Address 2.1. Disclosing the Care of Address to the Correspondent Node
When a Mobile IP MN roams from its home network to a visited network, When a Mobile IP MN roams from its home network to a visited network
use of Care of Address in communication with a correspondent reveals or from one visited network to another, use of Care of Address in
that the MN has roamed. This assumes that the correspondent is able communication with a correspondent reveals that the MN has roamed.
to associate the CoA to HoA, for instance by inspecting the Binding This assumes that the correspondent is able to associate the CoA to
Cache Entry. The HoA itself is assumed to have been obtained by HoA, for instance by inspecting the Binding Cache Entry. The HoA
whatever means (e.g., through DNS lookup). itself is assumed to have been obtained by whatever means (e.g.,
through DNS lookup).
2.2. Revealing the Home Address 2.2. Revealing the Home Address to On-lookers
When a Mobile IP MN roams from its home network to a visited network, When a Mobile IP MN roams from its home network to a visited network
use of Home Address in communication reveals to an on-looker that the or from one visited network to another, use of Home Address in
MN has roamed. When a binding of Home Address to a user identifier communication reveals to an on-looker that the MN has roamed. When
(such as a SIP URI or NAI) is available, the Home Address can be a binding of Home Address to a user identifier (such as a SIP
used to also determine that the user has roamed. This problem is URI or NAI) is available, the Home Address can be used to also
independent of whether the MN uses Care of Address to communicate determine that the user has roamed. This problem is independent of
directly with the correspondent (i.e., uses route optimization), whether the MN uses Care of Address to communicate directly with the
or the MN communicates via the Home Agent (i.e., uses reverse correspondent (i.e., uses route optimization), or the MN communicates
tunneling). via the Home Agent (i.e., uses reverse tunneling).
Location privacy may be compromised if an on-looker is present on
the MN - HA path (when bidirectional tunneling is used), or when the
on-looker is present on the MN and CN path (when route optimization
is used).
3. Problem Illustration 3. Problem Illustration
This section is intended to provide the overall scope under which the This section is intended to provide the overall scope under which the
above problems are applicable. above problems are applicable.
Consider a Mobile Node at its home network. Whenever it is involved Consider a Mobile Node at its home network. Whenever it is involved
in IP communication, its correspondents can see an IP address valid in IP communication, its correspondents can see an IP address valid
on the home network. Elaborating further, the users involved in peer on the home network. Elaborating further, the users involved in peer
- peer communication are likely to see a user-friendly identifier - peer communication are likely to see a user-friendly identifier
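Review bot: The paragraph added at the end of Section 2.2 says "bidirectional tunneling" for the MN - HA path, while the sentence just before it says "reverse tunneling"; use one term so readers do not take these for two different modes. The same paragraph writes "the MN and CN path" next to "the MN - HA path"; "the MN - CN path" would match. In the Introduction, the added sentence "As with Home Address, the Care of Address can also reveal the topological location of the Mobile Node" should say which location each address reveals, since the preceding text ties the Home Address to the owner of the Home Prefix rather than to the visited network.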
skipping to change at page 3, line 47 skipping to change at page 3, line 52
how sophisticated the available tools are, how often an ISP conducts how sophisticated the available tools are, how often an ISP conducts
its network re-numbering, etc. its network re-numbering, etc.
When the MN roams to another network, the location privacy problem When the MN roams to another network, the location privacy problem
consists of two parts: revealing information to its correspondents consists of two parts: revealing information to its correspondents
and to on-lookers. and to on-lookers.
With its correspondents, the MN can either communicate directly or With its correspondents, the MN can either communicate directly or
reverse tunnel its packets through the Home Agent. Using reverse reverse tunnel its packets through the Home Agent. Using reverse
tunneling does not reveal the new IP address of the MN, although tunneling does not reveal the new IP address of the MN, although
performance may vary depending on the particular scenario. In some end-to-end delay may vary depending on the particular scenario. The
instances, the performance difference could be noticeable enough to difference in delay may be noticeable enough to serve as a hint to
serve as a hint to the correspondent. With those correspondents with the correspondent, but such a hint cannot always be used to infer
which it can disclose its new IP address ``on the wire'', the MN has that the MN has roamed. With those correspondents with which it can
the option of using route-optimized communication. The transport disclose its new IP address ``on the wire'', the MN has the option
protocol still sees the Home Address with route optimization. Unless of using route-optimized communication. The transport protocol
the correspondent runs some packet capturing utility, the user cannot still sees the Home Address with route optimization. Unless the
see which mode (reverse tunneling or route optimization) is being correspondent runs some packet capturing utility, the user cannot see
used, but knows that it is communicating with the same peer whose URI which mode (reverse tunneling or route optimization) is being used,
it knows. This is similar to conversing with a roaming cellphone but knows that it is communicating with the same peer whose URI it
user whose phone number, like the URI, remains unchanged. knows. This is similar to conversing with a roaming cellphone user
whose phone number, like the URI, remains unchanged.
Regardless of whether the MN uses route optimization or reverse Regardless of whether the MN uses route optimization or reverse
tunneling, its Home Address is revealed in data packets. When tunneling, its Home Address is revealed in data packets. When
equipped with an ability to inspect packets ``on the wire'', an equipped with an ability to inspect packets ``on the wire'', an
on-looker can determine that the MN has roamed and could possibly on-looker can determine that the MN has roamed and could possibly
also determine that the user has roamed. This could compromise also determine that the user has roamed. This could compromise
the location privacy even if the MN took steps to hide its roaming the location privacy even if the MN took steps to hide its roaming
information from a correspondent. information from a correspondent.
The above description is valid regardless of whether a Home Address The above description is valid regardless of whether a Home Address
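Review bot: The rewritten reverse-tunneling sentence in Section 3 says the delay difference "may be noticeable enough to serve as a hint" and then that such a hint "cannot always be used to infer that the MN has roamed", without saying what limits the inference. Suggest adding a clause that gives the reason, or stating whether this delay-based hint is part of the problem being defined or outside it.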
skipping to change at page 4, line 42 skipping to change at page 4, line 48
traffic containing the Home Address, and monitor the movement of the traffic containing the Home Address, and monitor the movement of the
Mobile Node with changing Care of Address. The profiling problem is Mobile Node with changing Care of Address. The profiling problem is
not specific to Mobile IPv6, but could be triggered by a compromise not specific to Mobile IPv6, but could be triggered by a compromise
in location privacy due to revealing the Home Address. in location privacy due to revealing the Home Address.
A correspondent may take advantage of the knowledge that a user A correspondent may take advantage of the knowledge that a user
has roamed when Care of Address is revealed, and modulate actions has roamed when Care of Address is revealed, and modulate actions
based on such a knowledge. Such an information could cause concern based on such a knowledge. Such an information could cause concern
to a mobile user especially when the correspondent turns out be to a mobile user especially when the correspondent turns out be
untrustworthy. untrustworthy.
When roaming, a MN may treat its home network nodes as any other
correspondents. Reverse tunneling is perhaps sufficient for home
network communication, since route-optimized communication will
traverse the identical path. Hence, a MN can avoid revealing its
Care of Address to its home network correspondents simply by using
reverse tunneling. The Proxy Neighbor Advertisements from the Home
Agent could serve as hints to the home network nodes that the Mobile
Node is away. However, they won't be able to know the Mobile Node's
current point of attachment unless the MN uses route optimization
with them.
Finally, it is also worthwhile to note that both the Home Address Finally, it is also worthwhile to note that both the Home Address
and the Care of Address could be subject to profiling, just as and the Care of Address could be subject to profiling, just as
any other user traffic. However, applying existing techniques to any other user traffic. However, applying existing techniques to
thwart profiling may have implications to Mobile IPv6 signaling thwart profiling may have implications to Mobile IPv6 signaling
performance. For instance, changing the Care of Address often would performance. For instance, changing the Care of Address often would
cause additional Return Routability and binding management signaling. cause additional Return Routability and binding management signaling.
And, changing the Home Address often has implications on IPSec And, changing the Home Address often has implications on IPSec
security association management. These issues need to be addressed security association management. These issues need to be addressed
in the solutions. in the solutions.
4. Conclusion 4. Conclusion
In this document, we have formulated the IP Location Privacy problem In this document, we have formulated the IP Location Privacy problem
in the presence of Mobile IPv6. The problem can be summarized as in the presence of Mobile IPv6. The problem can be summarized as
follows: disclosing Care of Address to a correspondent and revealing follows: disclosing Care of Address to a correspondent and revealing
Home Address to an on-looker can compromise the location privacy of a Home Address to an on-looker can compromise the location privacy of a
Mobile Node, and hence that of a user. Solutions to this problem are Mobile Node, and hence that of a user. Solutions to this problem are
expected to specifically address the use of Mobile IPv6 addresses, expected to specifically address the use of Mobile IPv6 addresses,
and not other identifiers (such as MAC addresses). and not other identifiers (such as MAC addresses).
Perhaps it is also worthwhile to consider implications of revealing The solutions to the location privacy problem described in this
roaming information to the home network itself. This problem will document are expected to be protocol specifications assuming the
likely have much larger implications on the Mobile IPv6 operation, existing Mobile IPv6 functional entities, namely, the Mobile Node,
and may be investigated in the future versions of this document. its Home Agent and the Correspondent Node.
5. IANA Considerations 5. IANA Considerations
There are no IANA considerations introduced by this draft. There are no IANA considerations introduced by this draft.
6. Security Considerations 6. Security Considerations
This document discusses location privacy because of IP mobility. This document discusses location privacy because of IP mobility.
Solutions to provide location privacy, especially any signaling over Solutions to provide location privacy, especially any signaling over
the Internet, must be secure in order to be effective. Individual the Internet, must be secure in order to be effective. Individual
solutions must describe the security implications. solutions must describe the security implications.
7. Acknowledgment 7. Acknowledgment
Thanks to Jari Arkko, James Kempf and Qiu Ying for the review and Thanks to Jari Arkko, James Kempf, Qiu Ying and Sam Xia for the
feedback. review and feedback. Thanks to Kilian Weniger for the last call
review and for suggesting improvements.
References References
[1] W. Haddad and et al. Privacy for Mobile and Multi-homed Nodes: [1] W. Haddad and et al. Privacy for Mobile and Multi-homed Nodes:
MoMiPriv Problem Statement (work in progress). Internet Draft, MoMiPriv Problem Statement (work in progress). Internet Draft,
Internet Engineering Task Force, October 2004. Internet Engineering Task Force, October 2004.
[2] J. Polk, J. Schnizlein, and M. Linsner. DHCP Option for [2] J. Polk, J. Schnizlein, and M. Linsner. DHCP Option for
Coordinate-based Location Configuration Information. Request for Coordinate-based Location Configuration Information. Request for
Comments 3825, Internet Engineering Task Force, July 2004. Comments 3825, Internet Engineering Task Force, July 2004.
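Review bot: The Conclusion no longer carries the paragraph on revealing roaming information to the home network itself, and the paragraph added to Section 3 covers only home network nodes treated as correspondents. That paragraph notes that Proxy Neighbor Advertisements from the Home Agent hint that the Mobile Node is away, but it does not say whether that disclosure is in scope for solutions; suggest one sentence stating this explicitly, so the question raised in the removed text is answered rather than dropped.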
 End of changes. 16 change blocks. 
58 lines changed or deleted 79 lines changed or added

This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/