Comments on TaoSecurity Blog: Chinese IPv6 in CIO (Richard Bejtlich)

Comment by Anonymous, 2006-08-21:

Back in March there was a mailing list discussion on this article (http://www.iht.com/articles/2006/03/19/business/chinet20.php) which presented very similar ideas to the one mentioned in your post.

This was my response, which seems to be along the same lines as yours.

---
Saying that IPv6 will lead to reduced anonymity seems to me a substantial leap. Computers already have several unique identifiers (e.g. Ethernet MAC addresses and serial numbers), but these do not often escape the local network. What the article appears to be getting at is that switching from IPv4 to IPv6 will remove some of the need to deploy NAT boxes and proxies. These devices are typically not designed to provide anonymity, and don't in any strong sense of the word, but in reality they are an obstacle to practical traceability.

NAT and proxies perform several main roles:
- Reduce the number of global IP addresses needed
- Protect computers on the internal network
- Hide information about the structure of the internal network

Proxies also:
- Improve performance (in the case of caching proxies)
- Allow policy restrictions (e.g. blocking certain websites)

IPv6 reduces the shortage of global IP addresses, so the first reason would no longer be important, but the others stand. For this reason I don't think that IPv6 will herald the removal of NAT and proxies.

Without NAT and proxies, an IP address will uniquely identify a computer at a particular time, but with dynamic addresses, the computer using a particular address will change over time. The logs for a RADIUS or DHCP server (if present) will say what computer was using a particular address at a time, but even then, finding which person is using that computer is a further problem.

NAT and proxies introduce a similar traceability obstacle to dynamic IP addresses. Given an IP address you can still trace the user, but you need to look at further information to complete the task. Many proxies include the internal IP address of a requestor in the HTTP headers, and you can stop there. NAT boxes and some proxies don't do this, but might well keep logs, and these can be used to tell which computer made a particular connection.

Dynamic IP addresses, NAT boxes and proxies do cause a practical problem for law enforcement, since it means they have to request logs from another party before continuing. Sometimes these logs may be incomplete, poorly maintained or even missing. Even so, the anonymity that this provides is weaker and more hit-and-miss than what systems designed for anonymity (e.g. Tor) give.

For the purposes of anonymity, IPv6 just increases the size of the IP address space. Whether this decreases anonymity online is more a matter for policy than technology. With IPv4, traceability could be improved by mandating log retention (as is being proposed by the EU); IPv6 simply changes what logs are needed.

This and other issues of traceability are dealt with in Richard Clayton's PhD thesis and I can recommend it to anyone interested in this area:

http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-653.html
---