In my latest paper Ephemeral Node Identifiers for Enhanced Flow Privacy, we address the problem of address-based identity tracking in IP networks. Our solution modifies how end-system operating systems manage IPv6 addresses -- specifically the lower 64 bits, the Interface ID (IID) -- to provide stronger privacy guarantees than existing solutions without changing how packets appear on the network or changing application APIs. So, the solution improves privacy without requiring changes to existing network infrastructure or deployed applications.
Identity Tracking
IP addresses encapsulate both location information and node identity information. This is a widely recognised problem (see RFC4984) impacting Internet infrastructure through routing table scalability problems; endpoint behaviour through mobility and multihoming limitations; and -- as is of interest here -- privacy.
The privacy risk exists because addresses must encode topological (location) information in order to facilitate routing, and must expose this information to the rest of the network (or Internet) for the same reason. As the address also identifies a node on that final network, and is typically reused by different (and unrelated) application connections from that node, the IP address functions as a globally visible identity label that can be used to correlate unrelated packet flows back to a single source node, violating expectations of isolation.
Various efforts have been made to address this problem, most recently with Temporary Addresses, which periodically replace a node's address with a new (random) value. This prevents some long-term correlation attacks, but there remains a period in which the address is reused, and the attack is still possible.
Ephemeral Identifiers
The intuitive solution is to use ephemeral identifiers once, then discard them. As the identity label is never reused, correlation is impossible, and the attack is thwarted. Unfortunately, building such a system is difficult, as IPv6 addresses combine routing prefixes from the network with link-layer device IDs to create the address values used by the transport layer -- so managing them involves interacting with the local gateway router, the endpoint network device (which is not session-aware), and the operating system's transport protocol state. These components are typically isolated, and combining them adds significant complexity to the protocol stack. So, while the solution is intuitive, the engineering is difficult.
The Identifier-Locator Network Protocol (ILNP) solves a significant part of the engineering problem. In seeking to resolve some of the other problems associated with overloading location and identity semantics in addresses, ILNP splits the address into two distinct components -- one for identity and one for location -- and manages them separately. Rather than deriving identity information from the network interface, the Interface ID is (in effect) dictated by the Node ID (NID). With careful modifications to ILNP's NID state management machine (which in fact simplify it), unique ephemeral NIDs can be mandated for every transport protocol connection. This is the engineering solution to the identity privacy problem that we demonstrate in the paper.
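To make the correlation problem and the three identifier policies concrete, here is an added simulation (my illustration, not code from the paper or from any ILNP implementation) of what an on-path observer can link from source addresses alone. It assumes a constructed documentation prefix as the network's /64 locator and models the stable, temporary-address and per-connection ephemeral policies as plain functions over a sequence of flows.

```python
# Added example: how many flows an observer can link by source IPv6 address
# under a stable IID, periodically rotated temporary IIDs, and per-flow ephemeral NIDs.
import ipaddress
import secrets
from collections import Counter

# Constructed documentation prefix standing in for the network's /64 locator.
PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
IID_MASK = (1 << 64) - 1


def compose(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Upper 64 bits carry the routing prefix (location); lower 64 bits the IID (identity)."""
    return ipaddress.IPv6Address(int(prefix.network_address) | (iid & IID_MASK))


def iid_of(addr: ipaddress.IPv6Address) -> int:
    """Extract the 64-bit Interface ID, the only part the node's OS controls."""
    return int(addr) & IID_MASK


def stable_policy(n_flows: int) -> list:
    """One IID for the node's lifetime: every flow carries the same identity label."""
    iid = secrets.randbits(64)
    return [compose(PREFIX, iid) for _ in range(n_flows)]


def temporary_policy(n_flows: int, lifetime: int) -> list:
    """Temporary-address style rotation: a fresh random IID every `lifetime` flows,
    so up to `lifetime` consecutive flows still share one label."""
    out, iid = [], None
    for i in range(n_flows):
        if i % lifetime == 0:
            iid = secrets.randbits(64)
        out.append(compose(PREFIX, iid))
    return out


def ephemeral_policy(n_flows: int) -> list:
    """Ephemeral per-connection NID: a new random IID for every flow, never reused."""
    return [compose(PREFIX, secrets.randbits(64)) for _ in range(n_flows)]


def largest_linkable_set(addresses: list) -> int:
    """Observer's view: flows that share a source address are trivially linkable."""
    return max(Counter(addresses).values())


def locator_unchanged(addresses: list) -> bool:
    """Every packet still carries the same /64 prefix, so routing and the wire format are unaffected."""
    return all(addr in PREFIX for addr in addresses)
```

With twelve flows, the stable policy lets the observer link all twelve, rotation every four flows still links four, and the ephemeral policy links one flow per address while every address stays inside the same locator prefix.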