IP Address Location Privacy and Mobile IPv6: Problem Statement
RFC 4882

 
Document Type RFC - Informational (May 2007; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 4882 (Informational)
Telechat date
Responsible AD Jari Arkko
Send notices to mip6-chairs@ietf.org,rajeev.koodli@nokia.com
Network Working Group                                          R. Koodli
Request for Comments: 4882                        Nokia Siemens Networks
Category: Informational                                         May 2007

     IP Address Location Privacy and Mobile IPv6: Problem Statement

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   In this document, we discuss location privacy as applicable to Mobile
   IPv6.  We document the concerns arising from revealing a Home Address
   to an onlooker and from disclosing a Care-of Address to a
   correspondent.

Table of Contents

   1. Introduction ....................................................2
   2. Definitions .....................................................3
   3. Problem Definition ..............................................4
      3.1. Disclosing the Care-of Address to the Correspondent Node ...4
      3.2. Revealing the Home Address to Onlookers ....................4
      3.3. Problem Scope ..............................................4
   4. Problem Illustration ............................................5
   5. Conclusion ......................................................7
   6. Security Considerations .........................................7
   7. Acknowledgments .................................................8
   8. References ......................................................8
      8.1. Normative References .......................................8
      8.2. Informative References .....................................8
   Appendix A. Background ............................................10

Koodli                       Informational                      [Page 1]
RFC 4882                 MIP6 Location Privacy                  May 2007

1.  Introduction

   The problems of location privacy, and privacy when using IP for
   communication, have become important.  IP privacy is broadly
   concerned with protecting user communication from unwittingly
   revealing information that could be used to analyze and gather
   sensitive user data.  Examples include gathering data at certain
   vantage points, collecting information related to specific traffic,
   and monitoring (perhaps) certain populations of users for activity
   during specific times of the day, etc.  In this document, we refer to
   this as the "profiling" problem.

   Location privacy is concerned with the problem of revealing roaming,
   which we define here as the process of a Mobile Node (MN) moving from
   one network to another with or without ongoing sessions.  A constant
   identifier with global scope can reveal roaming.  Examples are a
   device identifier such as an IP address, and a user identifier such
   as a SIP [RFC3261] URI [RFC3986].  Often, a binding between these two
   identifiers is available, e.g., through DNS [RFC1035].  Traffic
   analysis of such IP and Upper Layer Protocol identifiers on a single
   network can indicate device and user roaming.  Roaming could also be
   inferred by means of profiling constant fields in IP communication
   across multiple network movements.  For example, an Interface
   Identifier (IID) [RFC2462] in the IPv6 address that remains unchanged
   across networks could suggest roaming.  The Security Parameter Index
   (SPI) in the IPsec [RFC4301] header is another field that may be
   subject to such profiling and inference.  Inferring roaming in this
   way typically requires traffic analysis across multiple networks, or
   colluding attackers, or both.  When location privacy is compromised,
   it could lead to more targeted profiling of user communication.

   As can be seen, the location privacy problem spans multiple protocol
   layers.  Nevertheless, we can examine problems encountered by nodes
   using a particular protocol layer.  Roaming is particularly important
   to Mobile IP, which defines a global identifier (Home Address) that
   can reveal device roaming, and in conjunction with a corresponding
   user identifier (such as a SIP URI), can also reveal user roaming.
   Furthermore, a user may not wish to reveal roaming to
   correspondent(s), which translates to the use of a Care-of Address.
   As with a Home Address, the Care-of Address can also reveal the
   topological location of the Mobile Node.

   This document scopes the problem of location privacy for the Mobile
   IP protocol.  The primary goal is to prevent attackers on the path
   between the Mobile Node (MN) and the Correspondent Node (CN) from
   detecting roaming due to the disclosure of the Home Address.  The
   attackers are assumed to be able to observe, modify, and inject
Show full document text