Cryptographically Protected Prefixes for Location Privacy in IPv6

Description:

... provide communications with the. optimal route between two ... Data Rate (1Kbyte per packet) 9 micro sec. 11 micro sec. 6 micro sec. One Packet Forwarding Time ... – PowerPoint PPT presentation

1
Cryptographically Protected Prefixes for Location Privacy in IPv6
  • Jonathan Trostle, Hosei Matsuoka,
  • Muhammad Mukarram Bin Tariq, James Kempf,
  • Toshiro Kawahara and Ravi Jain

DoCoMo Communications Laboratories USA, Inc.
Multimedia Laboratories, NTT DoCoMo, Inc.
2
Outline
  • Location Privacy Problem in IP networks
  • Related Works
  • Proposal of Cryptographically Protected Prefixes
    (CPP)
  • Simple Architecture (easily understandable)
  • Secure Architecture
  • Security Considerations
  • Implementation and Performance Measurements
  • Conclusions

3
Location Privacy Problems in IP Networks
Just as our postal addresses are hierarchically arranged with country, state, city, ..., IP addresses are also structured for routing efficiency.
  • IP networks use prefix-based routing
  • All hosts in a subnet have the same subnet prefix
  • Subnets often have geographical correspondence
  • An IP address shows your geographical location
  • An IP address shows whom you are together with
4
Related Works
  • Network Layer Solutions
      • Mobile IPv6
      • Hierarchical Mobile IPv6 (HMIPv6)
  • Application Layer (Overlay) Solutions
      • Onion Routing
      • Freedom Network
      • Crowds, Tarzan, etc.

5
How do they provide Location Privacy?
[Figure: two panels, "Overlay Approaches (Onion routing, Freedom)" and "Mobile IP with Home Agent". Labels: Internet, Care-of-Address, Home Address, HA, Foreign Network, Home Network, Onion/Freedom Overlay Routers.]
This user does not know the correspondent's care-of-address, which shows the user's actual location.
Neither approach can provide communications with the optimal route between two endpoints.
6
Qualitative Comparison of Related Works
[Figure: related works plotted by Quality of Service (vertical axis) against Degree of Location Privacy (horizontal axis).]
Quality of Service scale: Optimal; Limited Triangular Routing; Triangular; Huge Routing/Performance Overhead
Degree of Location Privacy scale: Several Subnets; Subnet Level; Visited Domain; Home Domain; Global
Approaches plotted: Mobile IPv6 Route Optimization; HMIPv6; Mobile IP Home Agent; App Overlay (Onion, Freedom)
Goal of our project: Desired Location Privacy, Comparable with today's CS Telecom; No Additional Routing Delay
7
Design Policies of Our Approach (CPP)
  • Provide Location Privacy within a domain
  • Optimal Routing (No additional Routing Delay)
      • It is important for some real-time applications.
  • Full Compatibility with other Internet Protocols (Mobile IP, IPsec, Diffserv, etc.)
  • No Single Point of Failure

8
Structure of IP address
Both IPv4 and IPv6 addresses have a similar structure consisting of a Network Prefix and a Host Suffix, and the Network Prefix is related to the geographical location.
IPv4 Address (32 bits): Network Prefix | Host Suffix
IPv6 Address (128 bits): Network Prefix (typically 64 bits) | Host Suffix (typically 64 bits)
Advantages of applying to IPv6
  • Large space of network prefix provides strong anonymity of the location.
  • The fixed boundary between prefix and suffix can simplify the system.

9
Basic Concept
Replacing the actual prefix with a host-specific encrypted prefix
Routable IPv6 address: P0 | PR | Mi
  -> Prefix Encryption ->
Prefix-encrypted IPv6 address: P0 | P(R,i) | Mi
  -> Prefix Decryption ->
Routable IPv6 address: P0 | PR | Mi
  • End-hosts use the prefix-encrypted IPv6 address for their communications.
  • Routers obtain the routable IPv6 address through the decryption of the encrypted prefix. (Routers have the key for decryption.)

10
Simple Architecture (easily understandable)
[Figure: a packet addressed P0 | P(R,i) | Mi shown at numbered points 0 to 5 on its way into and through the Privacy Domain; inside the domain the routers recover PR.]
  • Routers outside the Privacy Domain look at the prefix P0 and route the packet to the privacy domain; there are no longer matches than P0 outside the privacy domain.
  • Routers inside the Privacy Domain share the secret key and obtain the routable prefix prior to routing table searches.
  • Routers inside the Privacy Domain decrypt the secondary prefix P(R, i) to find the actual routing prefix and route the packet accordingly until the packet reaches the desired destination.
11
What changes in the Routers
Conventional Routers:
  Packet -> Pre Processing -> (Destination Address) -> Extract Prefix -> (Prefix of Destination) -> Longest Prefix Match -> (Destination Route) -> Dispatcher -> Packet
Routers Modified for Location Privacy:
  Packet -> Pre Processing -> (Destination Address) -> Decrypt [Key] -> (Prefix of Destination) -> Longest Prefix Match -> (Destination Route) -> Dispatcher -> Packet
  • Small change, can be implemented in hardware for acceleration
  • There is no change in conventional routing protocols (RIP, OSPF, etc.)
12
Secure Architecture
[Figure: routers R1 to R8 below the Border Gateway, grouped into Level 1 to Level 4, with a Host attached.]
  • Routers are assigned levels based on their hop-count from the border router.
  • Routers at different levels use different keys and decrypt different parts of the prefix, which is necessary and sufficient for routing table searches.
  • A compromised router cannot get all users' locations.
13
Structure of IP addresses with CPP
Address layout (128 bits): P0 | V | X1 | X2 | X3 | ... | Xn | M (the suffix)
  • P0: Common Prefix for Global Routing
  • V: Key version bit for key rotation
  • X1 ... Xn: The Prefix consists of several small encrypted components, one corresponding to each level
P1 H(L1, M)
Pk H(Ln, M)
H( ) is an encryption or hash function
Any router at level k can use its level key Lk to decrypt Pk and, given P1, ..., Pk-1 from the upper-level router with the hop-by-hop option, it obtains the routable prefix and forwards packets correctly to the next hop.
14
Security Considerations
  • Eavesdropping on the same link
      • Eavesdroppers can realize the location of the other hosts on the same network link by snooping the traffic of the link.
      • CPP should use some other techniques to prevent traffic analysis.
  • Guessing Attack
      • Attackers use connection trials in various subnets and guess H(Li, M) using plain prefixes of the location where the response is received.
      • Privacy Domain changes the secret key for some interval.
      • CPP Extended Address (to be explained next)
  • ICMP packets
      • ICMP packets from a router in the middle of the connection give the sender hints of the receiver's location.
      • Router must not use the real source address for ICMP packets.
      • No Traceroute

15
Guessing Attacks and CPP Extended Address
Guessing Attacks
Attackers try to obtain H(Li, Mv) for tracking the victim who has the suffix Mv, because once they obtain H(Li, Mv), they can easily track the victim. The reason behind this attack is that H(Li, Mv) is a constant value regardless of the victim's location.
CPP Extended Address
Using H(Li, <Mv, P1, ..., Pi-1, Xi+1, ..., Xk>) instead of H(Li, Mv) provides more robust security against Guessing Attacks.
Probability that the adversary obtains the prefix components P1, ..., Pj of the victim's address is
,
s is the number of subnets searched
where
with
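The per-level decryption from the "Structure of IP addresses with CPP" slide and the basic versus extended address from this slide, as an added example that is not code from the presentation or from the authors' FreeBSD implementation. It assumes Xi = Pi XOR H(...) (the Exclusive-OR named on the backup implementation slide), uses HMAC-SHA1 truncated to 16 bits as a stand-in for H( ), and the keys, suffix, subnet values and function names are constructed for illustration.

```python
import hmac
import hashlib

def pack(vals):
    # Encode 16-bit prefix components as bytes for hashing.
    return b"".join(v.to_bytes(2, "big") for v in vals)

def H(level_key, msg):
    """Stand-in keyed H(): HMAC-SHA1 truncated to 16 bits (assumption)."""
    digest = hmac.new(level_key, msg, hashlib.sha1).digest()
    return int.from_bytes(digest[:2], "big")

def mask(level_key, M, upper_P, lower_X, extended):
    # Basic: H(L_i, M). Extended: H(L_i, <M, P_1..P_{i-1}, X_{i+1}..X_k>).
    msg = M + (pack(upper_P) + pack(lower_X) if extended else b"")
    return H(level_key, msg)

def encrypt_prefix(keys, P, M, extended=False):
    """Address assignment: X_i = P_i XOR mask_i, built from level k up to 1."""
    X = [0] * len(P)
    for i in reversed(range(len(P))):
        X[i] = P[i] ^ mask(keys[i], M, P[:i], X[i + 1:], extended)
    return X

def forward(keys, X, M, extended=False):
    """Each level-i router uses only its own key L_i; P_1..P_{i-1} arrive
    from the upper router (the hop-by-hop option on the slide)."""
    hop_by_hop = []
    for i, key in enumerate(keys):
        hop_by_hop.append(X[i] ^ mask(key, M, hop_by_hop, X[i + 1:], extended))
    return hop_by_hop

def masks_seen(keys, P, M, extended):
    """X_i XOR P_i for one address: the value the guessing attack targets."""
    X = encrypt_prefix(keys, P, M, extended)
    return [x ^ p for x, p in zip(X, P)]

# Constructed sample: 3 levels, the same host suffix M in two subnets.
KEYS = [b"level-1-key-demo", b"level-2-key-demo", b"level-3-key-demo"]
M = bytes.fromhex("0211223344556677")
SUBNET_A, SUBNET_B = [0x0001, 0x00A0, 0x0B00], [0x0002, 0x00C0, 0x0D00]

if __name__ == "__main__":
    for ext in (False, True):
        same = masks_seen(KEYS, SUBNET_A, M, ext) == masks_seen(KEYS, SUBNET_B, M, ext)
        print("extended" if ext else "basic", "mask constant across subnets:", same)
```

With the basic form the mask is identical wherever the host attaches, which is the property the slide identifies as the cause of the guessing attack; the extended form ties it to the surrounding prefix components.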
16
Implementation
  • Modified ip6_input() function
  • Cryptographic Functions used: AES, SHA-1
  • Time measurement of one packet forwarding
[Figure: FreeBSD 4.8 Kernel Structure. Labels: Network Interfaces, input queue, ip6intr, ip6_input, decrypt, lookup, routing table, ip6_forward, ip6_output, nd6_output, output queue, Transport Protocol; "start of measure" and "end of measure" mark the timed section.]
17
Performance Results
Software Router Specification: OS FreeBSD 4.8, CPU 1 GHz, Memory 512 MB
18
Conclusions
  • CPP alleviates the IPv6 location privacy problem

Traditional Approaches:
  • Routing Overhead
  • Poor Compatibility with other Internet protocols
  • Stateful and Per-packet processing
CPP:
  • No Routing Overhead
  • Full Compatibility with other Internet protocols
  • No state, Good Performance
  • Require Small Changes in Routers
19
Rekey (Backup slides)
Routers change the key(A) and the key(B) alternately, and encrypt prefixes with the newer key. The duration from finishing changing one key to starting to change the other key must be more than the lifetime of prefixes.
[Figure: timeline on which Key(A) and Key(B) are rekeyed alternately, each gap between rekeys marked "more than prefix lifetime"; the Advertised Addresses (encrypted with the newer key) alternate between Scrambled address (A) and Scrambled address (B).]
Each "rekey" interval is long enough to rekey on all routers even if it is done manually.
20
Implementation (backup slide)
Address layout: P0 (48 bits) | Q (16 bits) | M (64 bits)
[Figure: data flow of the prefix decryption in a router. Labels:]
  • 128-bit input message, adding zero-padding of 64 bits to M
  • router's secret key (128 bits)
  • AES or SHA-1 (block cipher or Hash)
  • 128-bit output message
  • target prefix, offset
  • Exclusive-OR
  • real prefix components needed for routing table searches
  • prefix components of higher routers
  • hop-by-hop option
  • concatenation
21
Inter-domain Extension (Backup slide)
  • All domains use the same P0 (20011234). P0 does not reveal the user's domain.
  • All domains use different global AS numbers.

[Figure: Domain A, Domain B and Domain C, shown with the regions Europe, USA and Asia. Each domain announces P0 prefix 20011234 in a BGP message with its own AS number (AS number 1, 2 and 3).]
Given multiple BGP messages for the same set of destinations, the one with the highest degree of preference is selected.
Packets destined to P0 would be delivered to the nearest CPP domain.
22
Inter-Domain Extension (Backup slide)
CPP address: P0 | X1 | X2 | X3 | X4 | M (Host Suffix)
[Figure: Domain A, Domain B and Domain C, shown with the regions Europe, USA and Asia. Labels: "shows which domain the host(i) resides in", P1, P2, P3, P4, Nearest border gateway, tunneling, host(i).]
  • International traffic is a slightly triangular route
  • Domestic traffic is always the optimal route
23
A little more about CPP (Backup slide)
  • For optimal routing, the suffix is computed such that any router can determine if it is a cross over router
  • We use it for optimal routing, but it can also be used for other techniques.
  • How do we do this?
      • Each router R in the Privacy Domain has a unique key KR
      • M is chosen for the subnet of router r such that
          • H(KR, M) equals ZERO if R C
          • H(KR, M) not equals ZERO if R C
      • Where C is the set of all cross over routers for router r
  • Fine Detail: No two cross over routers can have the same level if they are directly connected

[Figure: routers R1 to R9 above router r. Set of all cross over routers: C = {R1, R2, R3, R4}.]