TELECOM Digest     Thu, 14 Oct 99 03:29:00 EDT    Volume 19 : Issue 480


Date: Tue, 12 Oct 99 21:04 PDT
From: [EMAIL PROTECTED] (Lauren Weinstein)
Subject: IPv6 Identifier Privacy Issues: The Reality


Greetings.  Many of you will by now be aware of all the publicity
surrounding reported privacy problems associated with IPv6 (a new
version of the Internet IP communications protocol) currently being
developed under the auspices of the IETF (Internet Engineering Task
Force).

Executive Summary: "Don't Panic!"

Some Background:

The concerns revolve around the use of hardware identifiers
(e.g. Network Interface Card IDs) as part of IPv6 packet addressing.
It has been asserted that this would enable tracking of individuals'
activities on the net much more easily than is the case today, and
bring forth a new range of privacy problems.

It's of course necessary to have some form of addressing in computer
networks, or you wouldn't be able to read this message right now.  The
packets have to know where they're headed.  In practice, the existing
Internet protocol (IPv4) provides much the same kind of information in
many cases, particularly when "static" (unchanging) addresses are in
use.  Static addresses are the norm for conventional permanent circuit
connections to the net, and increasingly common for DSL and cable
modems.

The IPv6 idea of a unique identifier derived from hardware was
intended to help make sure that address duplication would not occur
between different machines -- a continuing headache for present-day
network administrators.  It is also considered important to the
authentication and security improvements of IPv6.

The risk of such data potentially being misused would appear to be
highest in "mobile" applications, significantly less in dialup
Internet access environments (since many such computers wouldn't even
possess the hardware ID), and least important in permanently linked
dedicated circuit situations, where a static address already provides
an essentially unchanging identity, even in today's environment.

The Good News:

To the extent that the permanent IDs are considered to be a privacy
problem, it's obvious that existing technologies such as proxy servers
could be used to wall off identifiers.

This could well prove to be unnecessary, however.  It appears that
many of the folks raising the red flag on this issue may be unfamiliar
with the fact that the IETF has been aware of these privacy concerns
regarding the permanent identifier, and that they have been addressed
in the IETF June 1999 Draft:

"Privacy Extensions for Stateless Address Autoconfiguration in IPv6"
http://www.ietf.org/internet-drafts/draft-ietf-ipngwg-addrconf-privacy-00.txt

The above referenced document gives an excellent overview of the
issues involved and a proposed solution to address the privacy
concerns.  It would seem prudent to encourage the adoption of this
proposal into the IPv6 specification, and to urge its implementation
by IPv6 developers and vendors, ideally as the default mode under user
control.


 --Lauren--
Lauren Weinstein
[EMAIL PROTECTED]
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"
  --- http://www.vortex.com/reality
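
Added illustration, not part of the message above or of the IETF draft it cites: how a NIC hardware address ends up in the low 64 bits of an autoconfigured IPv6 address (modified EUI-64), why that identifier stays the same when the machine moves between networks, and a check for whether an address exposes one. The MAC address and the 2001:db8::/32 documentation prefixes are constructed sample values, and `random_interface_id` is a simplified stand-in for the draft's temporary identifiers, not its algorithm.

```python
import ipaddress
import secrets
from typing import Optional

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the universal/local bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]

def random_interface_id() -> bytes:
    """Simplified stand-in for a temporary identifier: 64 random bits, u/l bit cleared."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # cleared bit marks the identifier as not globally unique
    return bytes(iid)

def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 network prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte interface identifier")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def embedded_mac(addr) -> Optional[str]:
    """Return the globally unique MAC an address exposes, or None if it exposes none."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    # ff:fe filler plus a set universal bit is the signature of a burned-in MAC.
    if iid[3:5] != b"\xff\xfe" or not iid[0] & 0x02:
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)

if __name__ == "__main__":
    mac = "00:a0:c9:12:34:56"  # constructed sample MAC
    for prefix in ("2001:db8:1:1::/64", "2001:db8:2:2::/64"):  # two different networks
        fixed = make_address(prefix, eui64_interface_id(mac))
        temp = make_address(prefix, random_interface_id())
        print(f"{prefix:20} hardware-derived {fixed}  exposes {embedded_mac(fixed)}")
        print(f"{'':20} randomized       {temp}  exposes {embedded_mac(temp)}")
```

The hardware-derived address keeps the same low 64 bits on both networks, which is the correlation handle the privacy concern is about; the randomized identifier differs on every run and carries no recoverable MAC.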

