Cryptographically Protected Prefixes for Location Privacy in IPv6

Cryptographically Protected Prefixes for Location Privacy in IPv6. Jonathan Trostle, Hosei Matsuoka*, Muhammad Mukarram Bin Tariq, James Kempf, Toshiro Kawahara and Ravi Jain. DoCoMo Communications Laboratories USA, Inc. (* Multimedia Laboratories, NTT DoCoMo, Inc.)


Page 1: Cryptographically Protected Prefixes for Location Privacy in IPv6

Cryptographically Protected Prefixes for Location Privacy in IPv6

Jonathan Trostle, Hosei Matsuoka*, Muhammad Mukarram Bin Tariq, James Kempf, Toshiro Kawahara and Ravi Jain

DoCoMo Communications Laboratories USA, Inc.
* Multimedia Laboratories, NTT DoCoMo, Inc.

Page 2: Cryptographically Protected Prefixes for Location Privacy in IPv6

Outline

Location Privacy Problem in IP networks
Related Works
Proposal of Cryptographically Protected Prefixes (CPP)
  Simple Architecture (easily understandable)
  Secure Architecture
Security Considerations
Implementation and Performance Measurements
Conclusions

Page 3: Cryptographically Protected Prefixes for Location Privacy in IPv6

Location Privacy Problems in IP Networks

[Figure: an IP address split into Prefix(es) and Suffix]

IP networks use prefix-based routing.
All hosts in a subnet have the same subnet prefix.
Subnets often have a geographical correspondence.
Therefore an IP address shows your geographical location, and it shows whom you are together with.

Just as our postal addresses are hierarchically arranged with country, state, city, ..., IP addresses are also structured for routing efficiency.

Page 4: Cryptographically Protected Prefixes for Location Privacy in IPv6

Related Works

Network Layer Solutions
  Mobile IPv6
  Hierarchical Mobile IPv6 (HMIPv6)

Application Layer (Overlay) Solutions
  Onion Routing
  Freedom Network
  Crowds, Tarzan, etc.

Page 5: Cryptographically Protected Prefixes for Location Privacy in IPv6

How do they provide Location Privacy

[Figure: three deployments side by side]
Mobile IP with Home Agent: Home Network with HA and Home Address; Foreign Network with Care-of-Address; traffic crosses the Internet via the HA.
Overlay Approaches (Onion routing, Freedom): Onion/Freedom Overlay Routers in the Internet.
Mobile IP with Route Optimization.

Both approaches cannot provide communications with the optimal route between two endpoints.

This user does not know the correspondent's care-of-address, which shows the user's actual location.

Page 6: Cryptographically Protected Prefixes for Location Privacy in IPv6

Qualitative Comparison of Related Works

[Chart: Quality of Service (vertical axis) against Degree of Location Privacy (horizontal axis). Plotted approaches: Mobile IP Home Agent; App Overlay (Onion, Freedom); Mobile IPv6 Route Optimization; HMIPv6. The goal of our project is marked at "Desired Location Privacy, Comparable with today's CS Telecom" together with "No Additional Routing Delay".]

Degree of Location Privacy scale: Subnet Level, Several Subnets, Visited Domain, Home Domain, Global
Quality of Service scale: Optimal, Limited Triangular Routing, Triangular, Huge Routing/Performance Overhead

Page 7: Cryptographically Protected Prefixes for Location Privacy in IPv6

Design Policies of Our Approach (CPP)

Provide Location Privacy within a domain
Optimal Routing (No additional Routing Delay). It is important for some real-time applications.
Full Compatibility with other Internet Protocols (Mobile IP, IPsec, Diffserv, etc.)
No Single Point of Failure

Page 8: Cryptographically Protected Prefixes for Location Privacy in IPv6

Structure of IP address

IPv4 Address (32 bits): Network Prefix | Host Suffix
IPv6 Address (128 bits): Network Prefix (typically 64 bits) | Host Suffix (typically 64 bits)

Both IPv4 and IPv6 addresses have a similar structure consisting of Network Prefix and Host Suffix, and the Network Prefix is related to the geographical location.

Advantages of applying to IPv6:
A large network prefix space provides strong anonymity of the location.
The fixed boundary between prefix and suffix can simplify the system.

Page 9: Cryptographically Protected Prefixes for Location Privacy in IPv6

Basic Concept

Replacing the actual prefix with a host-specific encrypted prefix

Routable IPv6 address:         P0 | PR | Mi
Prefix-encrypted IPv6 address: P0 | P'(R,i) | Mi

Prefix encryption: P'(R,i) = Encrypt(Key, PR, Mi)
Prefix decryption: PR = Decrypt(Key, P'(R,i), Mi)

End-hosts use the prefix-encrypted IPv6 address for their communications.

Routers obtain the routable IPv6 address through decryption of the encrypted prefix. (Routers have the key for decryption.)

Page 10: Cryptographically Protected Prefixes for Location Privacy in IPv6

Simple Architecture (easily understandable)

Privacy Domain

[Figure: a packet with destination P0 | P'(R,i) | Mi passes through routers 0 to 5; routers inside the Privacy Domain recover PR before forwarding]

Routers outside the Privacy Domain look at the prefix P0 and route the packet to the privacy domain; there are no longer matches than P0 outside the privacy domain.

Routers inside the Privacy Domain decrypt the secondary prefix P'(R,i) to find the actual routing prefix PR and route the packet accordingly until the packet reaches the desired destination.

Routers inside the Privacy Domain share the secret key and obtain the routable prefix prior to routing table searches.

Page 11: Cryptographically Protected Prefixes for Location Privacy in IPv6

What changes in the Routers

Conventional Routers:
Packet -> Pre-Processing -> Destination Address -> Extract Prefix -> Prefix of Destination -> Longest Prefix Match -> Destination Route -> Packet Dispatcher -> Packet

Routers Modified for Location Privacy:
Packet -> Pre-Processing -> Destination Address -> Decrypt (with Key) -> Prefix of Destination -> Longest Prefix Match -> Destination Route -> Packet Dispatcher -> Packet

Small change, can be implemented in hardware for acceleration.

There is no change in conventional routing protocols (RIP, OSPF, etc.).

Page 12: Cryptographically Protected Prefixes for Location Privacy in IPv6

Secure Architecture

[Figure: routers R1 to R8 and hosts behind a Border Gateway, arranged in Level 1, Level 2, Level 3 and Level 4]

Routers are assigned levels based on their "hop-count" from the border router.

Routers at different levels use different keys and decrypt different parts of the prefix, which is necessary and sufficient for routing table searches.

A compromised router cannot get all users' locations.

Page 13: Cryptographically Protected Prefixes for Location Privacy in IPv6

Structure of IP addresses with CPP

128 bits: P0 | V | X1 X2 X3 ... Xn | M (the suffix)

P0: Common Prefix for Global Routing
V: Key version bit for key rotation
X1 = P1 ⊕ H(L1, M), ..., Xk = Pk ⊕ H(Lk, M), ..., Xn = Pn ⊕ H(Ln, M)
H( ) is an encryption or hash function.

The Prefix consists of several small encrypted components, one corresponding to each level.

Any router at level "k" can use its level key Lk to decrypt Pk and, given P1, ..., Pk-1 from the upper-level router via the hop-by-hop option, it obtains the routable prefix and forwards packets correctly to the next hop.

Page 14: Cryptographically Protected Prefixes for Location Privacy in IPv6

Security Considerations

Eavesdropping on the same link
Eavesdroppers can learn the location of the other hosts on the same network link by snooping the traffic of the link. CPP should use some other techniques to prevent traffic analysis.

Guessing Attack
Attackers use connection trials in various subnets and guess H(Li, M) using plain prefixes of the location where the response is received. Countermeasures: the Privacy Domain changes the secret key at some interval; CPP Extended Address (to be explained next).

ICMP packets
ICMP packets from a router in the middle of the connection give the sender hints of the receiver's location. Routers must not use the real source address for ICMP packets. No traceroute.

Page 15: Cryptographically Protected Prefixes for Location Privacy in IPv6

Guessing Attacks and CPP Extended Address

Guessing Attacks
Attackers try to obtain H(Li, Mv) for tracking the victim who has the suffix Mv, because once they obtain H(Li, Mv), they can easily track the victim. The reason behind this attack is that H(Li, Mv) is a constant value regardless of its location.

CPP Extended Address
Using H(Li, <Mv, P1, ..., Pi-1, Xi+1, ..., Xk>) instead of H(Li, Mv) provides more robust security against Guessing Attacks.

Probability that the adversary obtains the prefix components P1 ... Pj of the victim's address is [formula not recoverable from the extracted slide], where p = max{p1, p2, ..., pj} and s is the number of subnets searched.
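An added Python example (not from the slides and not the authors' FreeBSD code) of the per-level component scheme of the "Structure of IP addresses with CPP" slide, Xk = Pk ⊕ H(Lk, M), and of the CPP Extended Address above, where H also covers P1..Pk-1 and Xk+1..Xn. Assumptions: three 5-bit components, HMAC-SHA1 standing in for the slides' AES/SHA-1 keyed function, and constructed keys, prefixes and suffix.

```python
import hashlib
import hmac

# Constructed layout (assumption, not the paper's parameters): behind P0 and the
# key-version bit V sit n = 3 components of W = 5 bits, then the 64-bit suffix M.
W = 5
MASK = (1 << W) - 1

def h(level_key: bytes, m: int, extra=()) -> int:
    """H(L_k, <M, extra>) truncated to W bits. HMAC-SHA1 stands in for the
    AES/SHA-1 keyed function of the slides (assumption)."""
    msg = m.to_bytes(8, "big") + b"".join(v.to_bytes(2, "big") for v in extra)
    tag = hmac.new(level_key, msg, hashlib.sha1).digest()
    return int.from_bytes(tag[:2], "big") & MASK

def encrypt_prefix(level_keys, real, m, extended=False):
    """X_k = P_k XOR H(L_k, M). In extended mode the hash input also covers
    P_1..P_{k-1} and X_{k+1}..X_n, so components are built from the last
    level back to the first (X_n must exist before X_{n-1} can be computed)."""
    n = len(real)
    xs = [0] * n
    for k in range(n - 1, -1, -1):
        extra = tuple(real[:k]) + tuple(xs[k + 1:]) if extended else ()
        xs[k] = real[k] ^ h(level_keys[k], m, extra)
    return xs

def router_decrypt(level, level_key, xs, m, upper, extended=False):
    """A level-k router recovers only P_k: it needs its own level key and the
    P_1..P_{k-1} carried in the hop-by-hop option (upper); X_{k+1}.. stay opaque."""
    extra = tuple(upper) + tuple(xs[level + 1:]) if extended else ()
    return xs[level] ^ h(level_key, m, extra)

def forward_path(level_keys, xs, m, extended=False):
    """Border-to-subnet path: each level appends its P_k to the hop-by-hop option."""
    known = []
    for k, key in enumerate(level_keys):
        known.append(router_decrypt(k, key, xs, m, known, extended))
    return known

# Constructed sample: the same suffix M used at two different locations.
KEYS = [b"level-1-key", b"level-2-key", b"level-3-key"]
M_V = 0x1122334455667788          # victim's 64-bit suffix (constructed)
LOC_A, LOC_B = [3, 17, 9], [30, 2, 21]
```

In basic mode `xs ^ real` is the same at both locations, which is exactly the location-independent H(Li, Mv) that the guessing attack exploits; the extended mode ties each component to the surrounding prefix components.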

Page 16: Cryptographically Protected Prefixes for Location Privacy in IPv6

Implementation

[Figure: FreeBSD 4.8 Kernel Structure. Network Interfaces -> input queue -> ip6intr -> ip6_input -> Transport Protocol, or ip6_input -> ip6_forward -> ip6_output -> nd6_output -> output queue -> Network Interfaces; ip6_input consults the routing table via "decrypt & lookup". Markers "start of measure" and "end of measure" bracket the forwarding path.]

Modified ip6_input() function: decrypt & lookup.

Time measurement of one packet forwarding.

Cryptographic Functions used: AES, SHA-1

Page 17: Cryptographically Protected Prefixes for Location Privacy in IPv6

Performance Results

Type of Router                   Unmodified    Using SHA-1   Using AES
One Packet Forwarding Time       6 micro sec   11 micro sec  9 micro sec
Packet Rate                      166,666 pps   90,909 pps    111,111 pps
Data Rate (1 Kbyte per packet)   1300 Mbps     727 Mbps      888 Mbps

Software Router Specification: OS: FreeBSD 4.8; CPU: 1 GHz; Memory: 512 MB

Page 18: Cryptographically Protected Prefixes for Location Privacy in IPv6

Conclusions

CPP alleviates the IPv6 location privacy problem.

Traditional Approaches:
  Routing Overhead
  Stateful and Per-packet processing
  Poor Compatibility with other Internet protocols

CPP:
  No state, Good Performance
  No Routing Overhead
  Full Compatibility with other Internet protocols
  Requires Small Changes in Routers

Page 19: Cryptographically Protected Prefixes for Location Privacy in IPv6

Rekey (Backup slides)

[Timeline: Key(A) -> rekey -> Key(B) -> rekey -> Key(A) -> rekey -> ...; the scrambled address alternates between (A) and (B) accordingly; advertised addresses are encrypted with the newer key; each gap between finishing one rekey and starting the next is more than the prefix lifetime.]

Routers change key(A) and key(B) alternately, and encrypt prefixes with the newer key. The duration from finishing changing one key to starting to change the other key must be more than the lifetime of prefixes.

The rekey period is long enough to rekey all routers even if it is done manually.

Page 20: Cryptographically Protected Prefixes for Location Privacy in IPv6

Implementation (backup slide)

Address layout: P0 (48 bits) | Q (16 bits) | M (64 bits)

Per-router prefix recovery:
1. Input message (128 bits): M with 64 bits of zero-padding.
2. AES or SHA-1 (block cipher or hash), keyed with the router's secret key (128 bits), produces a 128-bit output message.
3. An offset selects the target prefix component from the output, which is exclusive-ORed with the router's encrypted component to obtain the real component.
4. The result is concatenated with the prefix components of higher routers, delivered in the hop-by-hop option, giving the real prefix components needed for routing table searches.

Page 21: Cryptographically Protected Prefixes for Location Privacy in IPv6

Inter-domain Extension (Backup slide)

[Figure: Domain A (USA), Domain B (Europe) and Domain C (Asia) each announce the same P0 prefix 2001:1234:: in a BGP message with their own AS number (AS 1, AS 2, AS 3).]

All domains use the same P0 (2001:1234::). P0 does not reveal the user's domain. All domains use different global AS numbers.

Given multiple BGP messages for the same set of destinations, the one with the highest degree of preference is selected.

Packets destined to P0 would be delivered to the nearest CPP domain.

Page 22: Cryptographically Protected Prefixes for Location Privacy in IPv6

Inter-Domain Extension (Backup slide)

X1 = H(key, Mi) shows which domain host(i) resides in.

[Figure: Domain A (USA), Domain B (Europe), Domain C (Asia); a packet reaches the nearest border gateway, which tunnels it to host(i).]

CPP address: P0 | X1 X2 X3 X4 | M (Host Suffix), where X1 ... X4 decrypt to P1 ... P4.

Domestic traffic is always the optimal route.
International traffic is a slightly triangular route.

Page 23: Cryptographically Protected Prefixes for Location Privacy in IPv6

A little more about CPP (Backup slide)

For optimal routing, the suffix is computed such that any router can determine if it is a cross-over router.

We use it for optimal routing, but it can also be used for other techniques. How do we do this?

Each router R in the Privacy Domain has a unique key KR.

M is chosen for the subnet of router "r" such that:
H(KR, M) = 0 if R ∈ C
H(KR, M) ≠ 0 if R ∉ C
where C is the set of all cross-over routers for router "r".

Fine detail: no two cross-over routers can have the same level if they are directly connected.

[Figure: router "r" with routers R1 to R9; set of all cross-over routers C = {R1, R2, R3, R4}]
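An added Python example (not from the slides) of the suffix selection above: search for an M such that H(KR, M) is zero for every cross-over router in C and non-zero for every other router, so each router can test its own membership with only its own key. Assumptions: H is modelled as HMAC-SHA1 truncated to T = 3 bits, and the router keys and the topology (C = {R1..R4}, R5..R9 outside C) are constructed.

```python
import hashlib
import hmac

# Assumptions: H(K_R, M) is HMAC-SHA1 truncated to T bits (the slides only say H
# is an encryption or hash function); keys and topology below are constructed.
T = 3
T_MASK = (1 << T) - 1

def h_r(router_key: bytes, m: int) -> int:
    """H(K_R, M) truncated to T bits."""
    tag = hmac.new(router_key, m.to_bytes(8, "big"), hashlib.sha1).digest()
    return tag[0] & T_MASK

def is_cross_over(router_key: bytes, m: int) -> bool:
    """The per-router test from the slide: R is a cross-over router for the
    subnet that chose M exactly when H(K_R, M) == 0. Needs only K_R."""
    return h_r(router_key, m) == 0

def choose_suffix(cross_over, others, start=0, limit=1 << 20):
    """Search for a suffix M with H(K_R, M) == 0 for every router in C and
    H(K_R, M) != 0 for every other router. Expected cost is about
    2**(T*len(C)) * (1 - 2**-T)**-len(others) trials; None if none is found."""
    for m in range(start, start + limit):
        if all(h_r(k, m) == 0 for k in cross_over) and \
           all(h_r(k, m) != 0 for k in others):
            return m
    return None

# Constructed topology from the figure: C = {R1..R4}; R5..R9 are not cross-over.
KEYS = {f"R{i}": f"key-R{i}".encode() for i in range(1, 10)}
CROSS = [KEYS[r] for r in ("R1", "R2", "R3", "R4")]
OTHERS = [KEYS[r] for r in ("R5", "R6", "R7", "R8", "R9")]
```

With T = 3 and four cross-over routers the search needs on the order of 8,000 trials; a wider T or a larger C raises the cost exponentially, which is why the slides keep H's checked output small.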