1. IPv6 Privacy Hannes Tschofenig, Tara Whalen

2. Agenda Privacy Threats Layering Addressing Policy Questionnaire

3. Threats 1.Re-identification over time by the other communication partner. 2.Ability to infer geographical location information using 1.third party location services, or 2.routing infrastructure services (utilizing address prefix information) 3.Associating the network layer identifier to subscriber information by the access network provider. 4.Analysis of communication patterns by entities along the communication path 5.Secondary usage without consent.

4. Layering The Internet protocol stack is organized in layers and all layers reveal identifying information. Note: There are multiple protocols on a single layer and tunneling & translation is very common. Physical Layer Link Layer Network Layer Transport Layer Application Layer

5. Addressing Policy Each address configuration procedure comes with its own state machine that describes the procedures for initially allocating, using, renewing, expiring and releasing addresses. For each address a specific instance of such a state machine is created and the values allocated may be different. The policy for choosing the lifetime of a specific address may depend on the context and usage. Recommendations useful?

6. Questionnaire Considering more than specifications requires analysis of implementation and deployment status. Suggest running a short survey to gather feedback about IP stacks used in – Desktop operating systems – Mobile devices – Sensor networks and industrial appliances

7. Example Questions 5) What mechanisms for IPv6 interface identifier configuration do you support? __ Manual configuration __ Link layer identifier, such as MAC address (RFC 1972/RFC 2464) __ Randomly generated temporary addresses (RFC 3041/RFC 4941) __ Cryptographically generated addresses (RFC 3972) __ Network provided interface identifier (e.g., 3GPP networks or PPP provide IID to the end host - RFC 5072) __ DHCPv6 (RFC 3315) / IKEv2 (RFC 5739) 6) Which interface identifier configuration mechanism(s) is(are) set by *default*? _______________

8. Example questions, cont. 8) Which IPv4/IPv6 transition mechanism that embed IPv4 addresses in IPv6 addresses do you implement? __ Teredo based on RFC 4380 __ Teredo based on RFC 5991 __ 6to4 (RFC 3056) __ 6RD (RFC 5569) __ ISATAP (RFC 5214) __ RFC 6052 addresses (as, for example, used by NAT64) __ others, namely ______ 9) Do you have documentation on how an end user can change the interface identifier configuration mechanism, and the default settings? __ yes __ no

9. Example questions, cont. 10) Address Selection Procedure RFC 3484 specifies that public addresses be used for outbound connections unless an application explicitly prefers temporary addresses. The default preference for public addresses was established to avoid applications potentially failing due to the short lifetime of temporary addresses or the possibility of a reverse look-up failure or error. However, RFC 3484 allowed that "implementations for which privacy considerations outweigh these application compatibility concerns MAY reverse the sense of this rule and by default prefer temporary addresses over public addresses.” What is the default policy in your IP stack? __ Prefer temporary addresses over public addresses. __ Prefer public addresses over temporary addresses. 11) Can the default address selection policy be changed by the user? __ yes __ no

10. Broad system-level issues “Everyone is reachable on the Internet.” – Wrong! – Various NATs/firewalls/ALGs complicate end-to-end reachability. – Application protocols often need to establish media communication (e.g., SIP, XMPP, and RTCWeb) Reachability-checking protocols may compromise address privacy – Example: REAP, STUN/ICE For practical purposes the capabilities of application layer protocols have to be considered.