Re: [liberationtech] IPv6 good for anonymity

2012-06-19 Thread Bernard Tyers - ei8fdb

Hi David,

On 18 Jun 2012, at 21:23, David Conrad wrote:

> Bernard,
>
> On Jun 18, 2012, at 1:05 PM, ei8...@ei8fdb.org wrote:
>> I'm not an IPv6 expert, but any technical courses I have done on IPv6 have
>> promoted the complete trackability and full audit-trail possible with IPv6 -
>> each unique IPv6 host makes a direct connection to the other host, which
>> simplifies security, and routing.
>
> This assumes statically assigned, non-varying, and non-NAT'd addresses. None
> of these are a requirement with IPv6 (and, in fact, significant effort has
> been expended to not require the first two).

Interesting, I did not know about this. However, whenever a data connection is 
made to a mobile network, a PDP context is created (the logical association 
between mobile device and the public data network). This has a record of your 
IMSI (subscriber ID), your MSISDN (your telephone number), your allocated IP 
address, and other location related information.

Whether your IP address is dynamic or static, it doesn't really matter as the 
operator has your MSISDN + IP address. From this they know the identity of the 
device used for that particular connection. This will be made easier 
particularly in LTE networks where IPv6 is native and DPI is built into the 
technology from the beginning.

A lot of the operators I work with are sounding positive about using 
statically assigned IPv6 addresses for devices like dongles (which are used to 
make more permanent data connections rather than mobile devices like phone 
handsets). It makes their lives easier as they now don't have to worry about a 
PDP context (plus valuable IP address) being active for days, weeks on end. 
There are already live trials of LTE networks being rolled out in the UK where 
I am currently living using static addressing for some devices.


>> There is no need to carry out NAT (Network Address Translation), or IP
>> Masquerading, which is great news for ISPs or mobile operators.
>
> While it is true there is no need to perform NAT, it remains to be seen
> whether this model is acceptable to Internet users. The problem is that, as
> with IPv4, if you don't do NAT, you must either take your addresses with you
> if you change providers (aka, 'address portability') or renumber your network
> from your old provider's address space to your new provider's address space.
> Address portability has risks to the routing system (specifically, it
> requires the 'core' routers to know/understand each of the portable blocks of
> addresses and this will be a problem if too many sites try to do this) and
> also requires organizations to get address space from the regional registries
> which requires a yearly fee to be paid. Renumbering also has its obvious
> costs. NAT for IPv6 removes both of these concerns, but does impact the
> end-to-end architecture of the Internet the exact same way IPv4 does.

Interesting, I hadn't even thought of that. This sounds similar to the idea of 
telephone number portability. Of course IP and circuit switched portability 
operate completely differently, but this feature has (I think) been successful, 
once it's finished. A pointer is entered into the original mobile network home 
location register database (a large database of all subscribers) pointing 
towards the new home network HLR of the ported number. Obviously timing is 
not as critical in voice call connections as in IP, so I guess those concerns 
aren't as visible.


> It isn't clear to me how this is 'great news' to ISPs or Mobile operators.

Firstly, I'm using the words ISP and mobile operators synonymously as to me 
they are becoming the same entity - IP based data pipe providers, no different 
from electricity, or water providers.

It's great news for mobile operators for a few reasons. One being IP address 
allocation (either dynamic or static) is currently translated into cost for 
licenses. You purchase a piece of equipment for X (with a theoretical maximum 
capacity of 1,000,000 active subscribers), then you have to purchase the 
licensing files to enable capacity on that box - 10k/100k/1,000,000 active 
subs or possibly 1,000,000 active PDP contexts. This model will have to 
change when IPv6 is adopted as it won't make sense anymore.

Also, it will (might?) do away with the carrier grade NATing equipment/features 
used to translate all of the private IP space of mobile devices. This will make 
network planning much easier. Expanding user IP ranges on mobile networks when 
they outgrow what's configured takes a lot of time, and hence money.

There will be less equipment, which will manage more. It will be more 
complicated in software, but simpler in hardware - essentially becoming a box 
with lots of switching resources and inputs/outputs. All IP no circuit 
switching interface, so again essentially cheaper hardware. The equipment I 
work with has to currently do a lot of management of PDP contexts, also 

[liberationtech] Briar hackathon

2012-06-19 Thread Michael Rogers

Hi all,

If you're in London next Friday, I'll be hosting a Briar hackathon at
London Hackspace:

http://wiki.london.hackspace.org.uk/view/Workshops/Briar_hackathon

Please spread the word! The event's timed to coincide with Google's
Develop for Good challenge to develop conflict reporting tools for
blackout situations in repressive regimes:

https://sites.google.com/site/ioextended12/agenda-overview/hackathons/googleideas

Cheers,
Michael

___
liberationtech mailing list
liberationtech@lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click yes (once you click above) 
next to would you like to receive list mail batched in a daily digest?

You will need the user name and password you receive from the list moderator in 
monthly reminders. You may ask for a reminder here: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech


Re: [liberationtech] Julian Assange is seeking asylum

2012-06-19 Thread KheOps
hai,

On 06/19/2012 09:09 PM, Frank Corrigan wrote:
> Wikileaks founder Julian Assange is seeking asylum at Ecuador's embassy
> in London, says Ecuador foreign minister.
> http://www.bbc.co.uk/news/uk-18514726

It looks like Assange has a huge sense of trolling. :)

Cheers,
KheOps




Re: [liberationtech] Julian Assange is seeking asylum

2012-06-19 Thread michael gurstein

I would have thought it was more like a huge fear of being (unreasonably)
trolled.

M

-Original Message-
From: liberationtech-boun...@lists.stanford.edu
[mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of KheOps
Sent: Tuesday, June 19, 2012 1:24 PM
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Julian Assange is seeking asylum


hai,

On 06/19/2012 09:09 PM, Frank Corrigan wrote:
> Wikileaks founder Julian Assange is seeking asylum at Ecuador's
> embassy in London, says Ecuador foreign minister.
> http://www.bbc.co.uk/news/uk-18514726

It looks like Assange has a huge sense of trolling. :)

Cheers,
KheOps




Re: [liberationtech] Julian Assange is seeking asylum

2012-06-19 Thread Jacob Appelbaum
On 06/19/2012 01:37 PM, michael gurstein wrote:
>
> I would have thought it was more like a huge fear of being (unreasonably)
> trolled.

For those that wish to send their support, I suggest using this contact
form for the Ecuadorian mission in the UK:

  http://www.ecuadorembassyuk.org.uk/contact

I wrote a rather long letter in support of his request for asylum.

Important background here:
http://wlcentral.org/node/1418

All the best,
Jacob


Re: [liberationtech] IPv6 good for anonymity

2012-06-19 Thread Tom Ritter
Something I'm not seeing discussed much is that the fundamental shift
of "Who has this IP" doesn't change.  Right now my ISP gives me a
single IPv4 address and I NAT behind it.  If someone asks them "Who
has IP X at this time?" they can answer.  That doesn't change with
IPv6.  They assign me a /64.  And while it's true that I have
18,446,744,073,709,551,616 I can choose from to assign to myself in
crazy ways (one per new connection? one per minute?) - when someone
asks them, "Who had IP X at this time?" they just look up who was
assigned that /64 IPv6 block.

Networking tools have to adapt to handle reputation on a /64 (I'm
presenting about this at Black Hat in Vegas next month), and it will
be a slow shift to upgrade everything that
filters/whitelists/blacklists/searches/etc to do so on a subnet scale,
but it will happen.  And we're not any better off.



On 17 June 2012 15:31, Walid AL-SAQAF alkasir admin ad...@alkasir.com wrote:
> See:
> http://news.cnet.com/8301-1009_3-57453738-83/fbi-dea-warn-ipv6-could-shield-criminals-from-police/

This says they're worried that RIRs, LIRs, and ISPs may not keep
records of who is assigned what addresses.  This doesn't strike me as
a boon for privacy.  It might be an incidental benefit - but it's not
something anyone should rely on, advertise, or be joyous about.

On 17 June 2012 15:58, Seth David Schoen sch...@eff.org wrote:
> - The original addressing scheme for IPv6 suggested using individual
>   devices' MAC addresses as (the basis for) the lower-order 64 bits of
>   the public IP address.  This is catastrophic for privacy because
>   then you can recognize and track individual devices all around the
>   world, like an indelible cross-site cookie for each device.  (What's
>   more, if you seize the device, you can confirm that it was the actual
>   device that was used to send some particular communications at some
>   point in the past.)  However, we don't have to use this scheme for
>   assigning IP addresses.  It depends on how our individual operating
>   systems are configured, and it's unlikely that ISPs or anyone could
>   somehow force us to use the privacy-invasive style.


Absolutely, this is a huge deal, and it's not solved.  Look up
draft-gont-6man-stable-privacy-addresses and
http://void.gr/kargig/presentations/athcon_2012_kargig.pdf for some
pointers into this.  I can't understate this: this is an open research
project, and we need solutions.  We don't want to wind up in a
scenario where the lower 64 bits of my address stay with me across
networks.  Very, very bad.


> - Having plentiful IP addresses means that we don't have to use network
>   address translation (NAT) anymore, at least not for IP address
>   scarcity reasons.  This could actually be bad for privacy because
>   there is less ambiguity about which user of a network was responsible
>   for particular communications; NAT can create ambiguity from the
>   outside world's point of view about who at a particular institution
>   actually sent some network traffic, and if we get rid of NAT, we
>   reduce that uncertainty.


While true, I view this in the same category as the first link.  We
may get incidental benefits from NAT, but it shouldn't be relied on
for strong anonymity.  University or ISP level NAT is out of your
control and they're usually happy to turn over information to whoever
asks.


> - Having plentiful IP addresses means that ISPs could choose to give
>   end-users more dynamic IP addresses, without re-use.  It's easier
>   to imagine using highly ephemeral IP addresses, like using a new
>   source address for each and every connection (!) or having one's
>   home network address change every day or every hour.  In that case,
>   it would be harder to make associations between users or to track
>   users based on their IP addresses.


Disagree, for the points I put in the beginning.  As long as I'm
changing my IP inside the /64 I'm assigned, I'm easy to correlate.
And AFAIK there's been no plans for ISPs to do anything other than the
recommendation of giving each user a /64 to play with.


> - With more plentiful public IP addresses, it would be easier and
>   for more people to start to run publicly-useful proxy services
>   like Tor entry nodes.  It will also be somewhat harder for
>   censors to enumerate and block secret bridge-style proxy nodes
>   ahead of time because it will be far more difficult to port-scan
>   the larger address space.  (It was traditionally thought to be
>   impossible, but there is a paper showing it may not be impossible
>   in practice.)


Yes.  Right now, portscanning in IPv6 is still possible in a number of
ways: reverse mapping .arpa, invalid multicast pings, and others.
(See the source in http://thc.org/thc-ipv6/ for a lot of IPv6 attacks)
 However I believe/hope that we will solve most of these in the next 5
years so port scanning will not be feasible in IPv6.  However, I don't
know if anyone is actively pushing to fix these things, so if anyone
has a grad student free...


> - With reduced use of NAT, we
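The two linkage points raised in this thread, the /64 that the ISP's assignment records index and a MAC-derived lower 64 bits that follows a device from network to network, as a small added Python check. This is not code from any poster; the addresses are constructed from the 2001:db8::/32 documentation range and the MAC is made up.

```python
import ipaddress

IID_MASK = (1 << 64) - 1


def interface_id(addr: str) -> int:
    """Low 64 bits of the address: the part a host may pick for itself."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def prefix64(addr: str) -> ipaddress.IPv6Network:
    """The /64 the ISP handed out; its 'who had this block' records key on this."""
    return ipaddress.IPv6Interface(f"{addr}/64").network


def eui64_mac(addr: str):
    """Return the MAC if the interface identifier is a modified EUI-64, else None.

    Modified EUI-64 splices 0xfffe into the middle of the 48-bit MAC and flips
    the universal/local bit of the first octet, so the mapping is reversible.
    """
    b = interface_id(addr).to_bytes(8, "big")
    if b[3] != 0xFF or b[4] != 0xFE:
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def linkage(a: str, b: str) -> str:
    """Why two addresses seen at different times can still be tied together."""
    if prefix64(a) == prefix64(b):
        return "same /64"      # the ISP's /64 assignment record links them
    if eui64_mac(a) is not None and interface_id(a) == interface_id(b):
        return "same device"   # the MAC-derived IID moved with the device
    return "unlinked"


if __name__ == "__main__":
    # Constructed sample: MAC 00:1a:2b:3c:4d:5e seen on two different /64s,
    # plus a privacy-style (random) identifier on the first network.
    home = "2001:db8:1::21a:2bff:fe3c:4d5e"
    cafe = "2001:db8:2::21a:2bff:fe3c:4d5e"
    home_random = "2001:db8:1:0:8d3e:9a1f:4b77:c012"
    print(eui64_mac(home))             # 00:1a:2b:3c:4d:5e
    print(linkage(home, cafe))         # same device
    print(linkage(home, home_random))  # same /64
```

An address whose identifier is not EUI-64 shaped (the random one above) yields no MAC, which is the property the privacy-address drafts cited in the thread aim for; it is still linkable by its /64.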