Requirements to Secure End to End Privacy in IdLoc Systems
Telecom ParisTech
ggx@gigix.net
Deutsche Telekom
Deutsche-Telekom-Allee 7
D-64295 Darmstadt
Germany
Dirk.von-Hugo@telekom.de
Denpel Informatique
sarikaya@ieee.org
Use of Identifier Locator separation systems is proposed for various use cases to allow
for efficient and service aware flexible end-to-end routing. A statement on the issue of
privacy preservation of both users and devices identity and location describes major challenges identified for this problem. This document attempts to derive requirements towards a potential solution space of approaches to preserve privacy in Identifier-Locator
split (PidLoc) protocols.
has identified and described typical use cases for application of privacy preserving Identifier-Locator split (PidLoc) approaches and derived thereof
a problem statement describing corresponding issues and challenges. Privacy in this respect includes prevention of acquisition of personal
information, behavioral details,
and location information by unauthorised parties. This document tries to assess that set of issues and challenges to come up with a set of requirements for approaches towards service specific and optimized packet routing based on Id-Loc principle providing privacy and security.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 and .
This section summarizes the specifics and commonalities of existing Identifier Locator (Id-Loc) Separation Protocols and highlights the corresponding challenges and issues identified in .
This section lists requirements which emerge from the use case analysis and will apply (beside the general requirements to fit with privacy considerations for Internet Protocols as laid down in RFC 6973 and partly also on design criteria for confidentiality in the data plane of LISP described in RFC 8061) for the solution space providing privacy and security in generic Identifier Locator Split Approaches.
The measures to ensure privacy to Id-Loc systems shall not require additional infrastructure and
external third party provided resources to be used nor increase the overall effort such that network
and service performance is strongly degraded. Successful privacy measures shall not impact availability.
Because Id-Loc approaches can be used in mobile environments, flexibility in time and space should be provided. The same Id, associated to a specific device, can move around and at different times can have different privacy requirements, may be depending on the specific connection or provider used. Still because of mobility, a certain device can have different privacy requirements depending of where it is.
Because some of the ID-Loc proposals aim at being deployed in datacenters, the methods to
ensure privacy has to be able to function at very large scale.
The measure shall not rely on a potential single point of failure nor a single mechanism and allow for
automatic rebooting or relying on alternative solutions in case of compromise and attacks.
The Id-Loc system may need to use measures for binding one or more identifiers to one or more locators.
This is usually achieved by a mapping or lookup system (e.g. DNS) which has to be protected against
unauthorised access and may allow for different policy-based chosen levels of security. Like any other
software-based service, the mapping system has to be protected against DDoS attacks and the like.
However, there are specific points to be tackled:
Mapping System Access Control: Who can access the mapping system?
Mapping Access Control: Someone authorized to access the mapping system does not mean
that is authorized to access the mapping of a specific Identifier.
Byzantines Attacks: What if someone is able to inject tempered information to attack either
the mapping system itself of a specific identifier?
The above may be defined on various criteria, like for instance administrative criteria
"devices part of the same company", or geographical criteria "only close by devices", or service-aware
"devices operating the same service".
Anonymizing NYC Taxi Data: Does It Matter?