rfcdiff: draft-ietf-mip6-location-privacy-ps-02.txt vs. draft-ietf-mip6-location-privacy-ps-03.txt

MIP6 Working Group                                        Rajeev Koodli
INTERNET DRAFT                                   Nokia Research Center
Informational
23 October 2006

IP Address Location Privacy and Mobile IPv6: Problem Statement

Passages shown once below are identical in both versions of the draft. Where the versions differ, the older text is marked [-02] and the newer text [-03]; text present in only one version is marked as such.
By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

(unchanged text skipped here)
Contents

   Abstract
   1. Introduction
   2. Problem Definition
      2.1. Disclosing the Care of Address to the Correspondent Node
      2.2. Revealing the Home Address to On-lookers
      2.3. Problem Scope                                   [-03 only]
   3. Problem Illustration
   4. Conclusion
   5. IANA Considerations
   6. Security Considerations
   7. Acknowledgment
   8. Author's Address
   A. Background
   Intellectual Property Statement
   Disclaimer of Validity
   Copyright Statement
   Acknowledgment
1. Introduction

The problems of location privacy, and privacy when using IP for communication have become important. IP privacy is broadly concerned with protecting user communication from unwittingly revealing information that could be used to analyze and gather sensitive user data. Examples include gathering data at certain vantage points,

(unchanged text skipped here)
of Care of Address. As with Home Address, the Care of Address can also reveal the topological location of the Mobile Node.

In this document, the concerns arising from the use of a globally visible identifier, such as a Home Address, when roaming are described. Similarly, the concerns from revealing a Care of Address to a correspondent are also outlined. The solutions to these problems are meant to be specified in a separate document.

[-02] This document is only concerned with IP Address Location Privacy in the presence of IP Mobility, as applied to Mobile IPv6. It does not address the overall profiling problem. Specifically, it does not concern itself with MAC addresses. Some other work may address the problem of profiling IP and MAC identifiers (see for instance [1]).

[-03] This document is only concerned with IP Address Location Privacy in the context of Mobile IPv6. It does not address the overall privacy problem. For instance, it does not address privacy issues related to MAC addresses or the relationship of IP and MAC addresses [1].
2. Problem Definition

2.1. Disclosing the Care of Address to the Correspondent Node

When a Mobile IP MN roams from its home network to a visited network or from one visited network to another, use of Care of Address in communication with a correspondent reveals that the MN has roamed. This assumes that the correspondent is able to associate the CoA to HoA, for instance by inspecting the Binding Cache Entry. The HoA

(unchanged text skipped here)
determine that the user has roamed. This problem is independent of whether the MN uses Care of Address to communicate directly with the correspondent (i.e., uses route optimization), or the MN communicates via the Home Agent (i.e., uses reverse tunneling).

Location privacy may be compromised if an on-looker is present on the MN - HA path (when bidirectional tunneling is used), or when the on-looker is present on the MN and CN path (when route optimization is used).
2.3. Problem Scope                                              [-03 only]

With existing Mobile IPv6 solutions, there is some protection against location privacy. If a Mobile Node uses reverse tunneling with ESP encryption, then the HoA is not revealed on the MN - HA path. So, eavesdroppers on the MN - HA path cannot determine roaming. They could, however, still profile fields in the ESP header; however, this problem is not specific to Mobile IPv6 location privacy.

When a MN uses reverse tunneling (regardless of ESP encryption), the correspondent does not have access to the CoA. Hence, it cannot determine that the MN has roamed.

Hence, the location privacy problem is particularly applicable when Mobile IPv6 route optimization is used or when reverse tunneling is used without protecting the inner IP packet containing the HoA.
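As an added illustration (not part of the draft), the following Python model encodes the three cases above: route optimization, reverse tunneling without ESP, and reverse tunneling with ESP encryption of the inner packet. It builds a simplified MN-to-CN packet for each case and reports which of the Home Address and Care-of Address an on-looker on the Mobile Node's side of the path and the correspondent itself can read. The addresses are constructed sample values from the 2001:db8::/32 documentation prefix, and the packet fields are simplified stand-ins for the Mobile IPv6 mechanisms (Home Address destination option, IPv6-in-IPv6 tunnel, ESP), not a parser of real packets.

```python
# Added example, not part of the draft: a toy model of address disclosure
# in the Mobile IPv6 forwarding modes discussed in Section 2.3.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample addresses (documentation prefix, not real hosts).
HOA = "2001:db8:aaaa::10"   # Mobile Node's Home Address
COA = "2001:db8:bbbb::10"   # Mobile Node's current Care-of Address
HA = "2001:db8:aaaa::1"     # Home Agent on the home link
CN = "2001:db8:cccc::1"     # Correspondent Node


@dataclass
class Packet:
    """Simplified IPv6 packet: outer addresses, cleartext mobility
    extension fields, and an optional encapsulated inner packet."""
    src: str
    dst: str
    ext: Dict[str, str] = field(default_factory=dict)  # e.g. Home Address option
    inner: Optional["Packet"] = None                   # tunneled packet, if any
    esp: bool = False                                  # inner packet ESP-encrypted


def mn_to_cn(mode: str, esp: bool = False) -> Packet:
    """Packet for one MN->CN datagram as it leaves the Mobile Node."""
    if mode == "route_optimization":
        # Sent directly to the CN from the CoA; the HoA travels in a
        # Home Address destination option so transport still sees the HoA.
        return Packet(src=COA, dst=CN, ext={"home_address_option": HOA})
    if mode == "reverse_tunneling":
        # IPv6-in-IPv6 to the Home Agent; the inner packet carries the HoA.
        inner = Packet(src=HOA, dst=CN)
        return Packet(src=COA, dst=HA, inner=inner, esp=esp)
    raise ValueError(f"unknown mode: {mode}")


def readable_addresses(pkt: Packet) -> Set[str]:
    """Every address an on-looker can read from the packet in cleartext.
    An ESP-protected inner packet contributes nothing."""
    seen = {pkt.src, pkt.dst, *pkt.ext.values()}
    if pkt.inner is not None and not pkt.esp:
        seen |= readable_addresses(pkt.inner)
    return seen


def delivered_to_cn(pkt: Packet) -> Packet:
    """What the CN receives: the HA decapsulates (and decrypts) tunneled
    traffic, so the CN sees only the inner packet; route-optimized traffic
    arrives as sent."""
    return pkt.inner if pkt.inner is not None else pkt


def disclosure(mode: str, esp: bool = False) -> Dict[str, bool]:
    """Who learns what for one mode. 'near_mn' is an on-looker on the first
    part of the path (MN - HA path for tunneling, MN - CN path for route
    optimization); 'cn' is the correspondent after any HA decapsulation."""
    pkt = mn_to_cn(mode, esp)
    near_mn = readable_addresses(pkt)
    cn = readable_addresses(delivered_to_cn(pkt))
    return {
        "cn_learns_coa": COA in cn,
        "onlooker_near_mn_learns_hoa": HOA in near_mn,
        # Roaming is inferable on the wire only when the HoA (identity) and
        # the CoA (current topological location) appear together.
        "onlooker_near_mn_infers_roaming": HOA in near_mn and COA in near_mn,
    }


def disclosure_matrix() -> Dict[str, Dict[str, bool]]:
    """The three cases of Section 2.3 side by side."""
    return {
        "route_optimization": disclosure("route_optimization"),
        "reverse_tunneling": disclosure("reverse_tunneling"),
        "reverse_tunneling_esp": disclosure("reverse_tunneling", esp=True),
    }


if __name__ == "__main__":
    for case, result in disclosure_matrix().items():
        print(case, result)
```

Running the block prints one row per case. The reverse_tunneling row reproduces the observation of this section: tunneling keeps the CoA away from the CN but, without ESP, still exposes the HoA (and with it the fact of roaming) to an on-looker on the MN - HA path, while the ESP variant hides the HoA on that path as well. The route_optimization row shows both addresses exposed to the CN and to an on-looker on the MN - CN path.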
3. Problem Illustration

[-02] This section is intended to provide the overall scope under which the above problems are applicable.

[-03] This section is intended to provide an illustration of the problem defined in the previous section.
Consider a Mobile Node at its home network. Whenever it is involved in IP communication, its correspondents can see an IP address valid on the home network. Elaborating further, the users involved in peer - peer communication are likely to see a user-friendly identifier such as a SIP URI, and the communication end-points in the IP stack will see IP addresses. Users uninterested in or unaware of IP communication details will not see any difference when the MN acquires a new IP address. Of course any user can ``tcpdump'' or ``ethereal'' a session, capture IP packets and map the MN's IP address to an approximate geo-location. When this mapping reveals a ``home location'' of the user, the correspondent can conclude that the user has not roamed. [-02] Assessing the physical location based on IP addresses is similar to assessing the geographical location based on the area-code of a telephone number. [-03] Assessing the physical location based on IP addresses is similar, although there are differences, to assessing the geographical location based on the area-code of a telephone number. [both] The granularity of the physical area corresponding to an IP address can vary depending on how sophisticated the available tools are, how often an ISP conducts its network re-numbering, etc.
When the MN roams to another network, the location privacy problem consists of two parts: revealing information to its correspondents and to on-lookers.
With its correspondents, the MN can either communicate directly or reverse tunnel its packets through the Home Agent. Using reverse tunneling does not reveal the new IP address of the MN, although end-to-end delay may vary depending on the particular scenario. [-02 only] The difference in delay may be noticeable enough to serve as a hint to the correspondent, but such a hint cannot always be used to infer that the MN has roamed. [both] With those correspondents with which it can disclose its new IP address ``on the wire'', the MN has the option of using route-optimized communication. The transport protocol still sees the Home Address with route optimization. Unless the correspondent runs some packet capturing utility, the user cannot see which mode (reverse tunneling or route optimization) is being used, but knows that it is communicating with the same peer whose URI it knows. This is similar to conversing with a roaming cellphone user whose phone number, like the URI, remains unchanged.
[-02] Regardless of whether the MN uses route optimization or reverse tunneling, its Home Address is revealed in data packets. When equipped with an ability to inspect packets ``on the wire'', an on-looker can determine that the MN has roamed and could possibly also determine that the user has roamed. This could compromise the location privacy even if the MN took steps to hide its roaming information from a correspondent.

[-03] Regardless of whether the MN uses route optimization or reverse tunneling (without ESP encryption), its Home Address is revealed in data packets. When equipped with an ability to inspect packets ``on the wire'', an on-looker on the MN - HA path can determine that the MN has roamed and could possibly also determine that the user has roamed. This could compromise the location privacy even if the MN took steps to hide its roaming information from a correspondent.
The above description is valid regardless of whether a Home Address is [-02] static [-03] statically allocated [both] or is dynamically allocated. In either case, the mapping of IP address to geo-location will most likely yield results with the same level of granularity. With the freely available tools on the Internet, this granularity is the physical address of the ISP or the organization which registers ownership of a prefix chunk. Since an ISP or an organization is not, rightly, required to provide a blue-print of its subnets, the granularity remains fairly coarse for a mobile wireless network. However, sophisticated attackers might be able to conduct site mapping and obtain more fine-grained subnet information.
A compromise in location privacy could lead to more targeted profiling of user data. An eavesdropper may specifically track the traffic containing the Home Address, and monitor the movement of the Mobile Node with changing Care of Address. The profiling problem is not specific to Mobile IPv6, but could be triggered by a compromise in location privacy due to revealing the Home Address.

A correspondent may take advantage of the knowledge that a user has roamed when Care of Address is revealed, and modulate actions based on such knowledge. Such information could cause concern to a mobile user, especially when the correspondent turns out to be untrustworthy.
[-03 only] Applying existing techniques to thwart profiling may have implications to Mobile IPv6 signaling performance. For instance, changing the Care of Address often would cause additional Return Routability and binding management signaling. And, changing the Home Address often has implications on IPsec security association management. Solutions should be careful in considering the cost of change of either CoA or HoA on signaling. These issues should be addressed in the solutions.
When roaming, a MN may treat its home network nodes as any other correspondents. Reverse tunneling is perhaps sufficient for home network communication, since route-optimized communication will traverse the identical path. Hence, a MN can avoid revealing its Care of Address to its home network correspondents simply by using reverse tunneling. The Proxy Neighbor Advertisements from the Home Agent could serve as hints to the home network nodes that the Mobile Node is away. However, they won't be able to know the Mobile Node's current point of attachment unless the MN uses route optimization with them.
[-02 only] Finally, it is also worthwhile to note that both the Home Address and the Care of Address could be subject to profiling, just as any other user traffic. However, applying existing techniques to thwart profiling may have implications to Mobile IPv6 signaling performance. For instance, changing the Care of Address often would cause additional Return Routability and binding management signaling. And, changing the Home Address often has implications on IPSec security association management. These issues need to be addressed in the solutions.
4. Conclusion

[-02] In this document, we have formulated the IP Location Privacy problem in the presence of Mobile IPv6. The problem can be summarized as follows: disclosing Care of Address to a correspondent and revealing Home Address to an on-looker can compromise the location privacy of a Mobile Node, and hence that of a user. Solutions to this problem are expected to specifically address the use of Mobile IPv6 addresses, and not other identifiers (such as MAC addresses).

The solutions to the location privacy problem described in this document are expected to be protocol specifications assuming the existing Mobile IPv6 functional entities, namely, the Mobile Node, its Home Agent and the Correspondent Node.

[-03] In this document, we have discussed the location privacy problem as applicable to Mobile IPv6. The problem can be summarized as follows: disclosing Care of Address to a correspondent and revealing Home Address to an on-looker can compromise the location privacy of a Mobile Node, and hence that of a user. We have seen that bidirectional tunneling allows a MN to protect its CoA to the CN, and together with ESP encryption allows the MN to protect its HoA from the on-lookers on the MN - HA path.

However, with route optimization, the MN will reveal its CoA to the CN. Moreover, the HoA is revealed to on-lookers in the data packets as well as in Mobile IPv6 signaling messages. The solutions to this problem are expected to be protocol specifications assuming the existing Mobile IPv6 functional entities, namely, the Mobile Node, its Home Agent and the Correspondent Node.
5. IANA Considerations

There are no IANA considerations introduced by this draft.

6. Security Considerations

This document discusses location privacy because of IP mobility. Solutions to provide location privacy, especially any signaling over the Internet, must be secure in order to be effective. Individual solutions must describe the security implications.
7. Acknowledgment

[-02] Thanks to Jari Arkko, James Kempf, Qiu Ying and Sam Xia for the review and feedback. Thanks to Kilian Weniger for the last call review and for suggesting improvements.

[-03] Thanks to James Kempf, Qiu Ying and Sam Xia for the review and feedback. Thanks to Jari Arkko and Kilian Weniger for the last call review and for suggesting improvements and text.
References

[1] W. Haddad et al. Privacy for Mobile and Multi-homed Nodes: MoMiPriv Problem Statement (work in progress). Internet Draft, Internet Engineering Task Force, October 2004.

[2] J. Polk, J. Schnizlein, and M. Linsner. DHCP Option for Coordinate-based Location Configuration Information. Request for Comments 3825, Internet Engineering Task Force, July 2004.
End of changes. 21 change blocks; 67 lines changed or deleted, 90 lines changed or added.

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/