[liberationtech] IPv6 good for anonymity
Bernard Tyers - ei8fdb
ei8fdb at ei8fdb.org
Tue Jun 19 01:37:26 PDT 2012
Hi David,
On 18 Jun 2012, at 21:23, David Conrad wrote:
> Bernard,
>
> On Jun 18, 2012, at 1:05 PM, ei8fdb at ei8fdb.org wrote:
>> I'm not an IPv6 expert, but any technical courses I have done on IPv6 have promoted the complete trackability and full audit-trail possible with IPv6 - each unique IPv6 host makes a direct connection to the other host, which simplifies security, and routing.
>
> This assumes statically assigned, non-varying, and non-NAT'd addresses. None of these are a requirement with IPv6 (and, in fact, significant effort has been expended to not require the first two).
Interesting, I did not know about this. However, whenever a data connection is made to a mobile network, a PDP context is created (the logical association between mobile device and the public data network). This has a record of your IMSI (subscriber ID), your MSISDN (your telephone number), your allocated IP address, and other location related information.
If your IP address is dynamic or static, it doesn't really matter as the operator has your MSISDN + IP address. From this they know the identity of the device used for that particular connection. This will be made easier particularly in LTE networks where IPv6 is native and DPI is built into the technology from the beginning.
A lot of the operators I work with are sounding "positive" about using statically assigned IPv6 addresses for devices like dongles (which are used to make more permanent data connections rather than mobile devices like phone handsets). It makes their lives easier as they now don't have to worry about a PDP context (plus valuable IP address) being active for days, weeks on end. There are already live trials of LTE networks being rolled out in the UK where I am currently living using static addressing for some devices.
>> There is no need to carry out NAT (Network Address Translation), or IP Masquerading, which is great news for ISPs or mobile operators.
>
> While it is true there is no need to perform NAT, it remains to be seen whether this model is acceptable to Internet users. The problem is that, as with IPv4, if you don't do NAT, you must either take your addresses with you if you change providers (aka, 'address portability') or renumber your network from your old provider's address space to your new provider's address space. Address portability has risks to the routing system (specifically, it requires the 'core' routers to know/understand each of the portable blocks of addresses and this will be a problem if too many sites try to do this) and also requires organizations to get address space from the regional registries which requires a yearly fee to be paid. Renumbering also has its obvious costs. NAT for IPv6 removes both of these concerns, but does impact the end-to-end architecture of the Internet the exact same way IPv4 does.
Interesting, I hadn't even thought of that. This sounds similar to the idea of telephone number portability. Of course IP and circuit switched portability operate completely differently, this feature has (I think) been successful, once it's finished. A "pointer" is entered into the original mobile network home location register database (a large database of all subscribers) pointing towards the new "home" network HLR of the ported number. Obviously timing is not as critical in voice call connections as in IP, so I guess those concerns aren't as visible.
> It isn't clear to me how this is 'great news' to ISPs or Mobile operators.
Firstly, I'm using the words "ISP" and mobile operators synonymously as to me they are becoming the same entity - IP based data pipe providers, no different from electricity, or water providers.
It's great news for mobile operators for a few reasons. One being IP address allocation (either dynamic or static) is currently translated into cost for licenses. You purchase a piece of equipment for X (with a theoretical maximum capacity of 1,000,000 active subscribers), then you have to purchase the licensing files to enable capacity on that box - 10k/100k/1,000,000 active subs or possibly 1,000,000 active PDP contexts. This model will have to change when IPv6 is adopted as it won't make sense anymore.
Also, it will (might?) do away with the carrier grade NATing equipment/features used to translate all of the private IP space of mobile devices. This will make network planning much easier. The time it takes to expand user IP ranges on mobile networks when it outgrows what's configured takes a lot of time, and hence money.
There will be less equipment, which will manage more. It will be more complicated in software, but simpler in hardware - essentially becoming a box with lots of switching resources and inputs/outputs. All IP, no circuit switching interface, so again essentially cheaper hardware. The equipment I work with currently has to do a lot of management of PDP contexts, and also passes that information to other equipment which replicates the same functions. Networks will become cheaper to build (or so is the marketing talk).
It also helps mobile operators as their whole network now becomes IP based. No more necessity for expensive TDM based circuits, no more need for media conversion between the antenna sites, in the core network etc.
The antenna site is connected either via IPv6 ethernet/microwave (which has inherently higher capacity than traditional TDM 2Mb/s lines), to the core network, which is already IPv6 enabled, which then connects to the Internet which is already IPv6 enabled. All of this added "simplicity" has inherent benefits.
>> Due to this "great" advantage of full audit-trail, it will now be simple to "manage" traffic based on actual addresses, as opposed to blocks of addresses which can be "messy", due to casting such a wide net.
>
> You might want to read http://en.wikipedia.org/wiki/IPv6#Privacy
Thanks for the link. I've got plenty more to read :) Like I said I'm not an IPv6 expert, but the new features available in IPv6, and their application in mobile networks makes me think auditing will be much easier.
Is anyone else working in mobile/IPv6/ISPs? I'd be happy to hear other points-of-view.
thanks,
Bernard
--------------------------------------
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org
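The thread's trackability point (and the IPv6 privacy link David gives) comes down to how the 64-bit interface identifier is chosen. The following Python is an added example, not code from the thread or from either poster: it builds the stable, MAC-derived EUI-64 identifier that SLAAC uses, shows that the same host gets the same identifier under any /64 prefix (so it can be correlated across networks), and contrasts it with a randomised temporary identifier in the style of RFC 4941. The prefixes and the MAC are constructed sample values.

```python
import ipaddress
import secrets


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert 0xFFFE in the middle and flip the universal/local bit of the first octet.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stable SLAAC address: /64 prefix + EUI-64 identifier.
    The identifier depends only on the MAC, so it is identical on every network."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def mac_from_eui64(addr: str):
    """Return the embedded MAC if the address carries an EUI-64 identifier, else None.
    A defender can run this over their own address plan to spot hosts that
    expose a stable hardware identifier in every prefix they attach to."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in bytes(iid[:3] + iid[5:]))


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """RFC 4941-style temporary address: a fresh random 64-bit identifier with the
    universal/local bit cleared so it is never mistaken for a globally unique EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):
        print(prefix, "->", slaac_address(prefix, mac), "|", temporary_address(prefix))
```

Running it prints the same `...:21a:2bff:fe3c:4d5e` tail under both prefixes for the SLAAC address, while the temporary address changes on every call.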