
D3.8: Study on protocols with respect to identity and identification – an insight on network protocols and privacy-aware communication


Internet layer protocols

The Internet layer, also called network layer, responds to service requests from the transport layer (e.g., from TCP) and issues service requests to the host-to-network layer. Simply put, the Internet layer is responsible for end-to-end packet delivery, whereas the host-to-network layer is responsible for node-to-node (also called hop-to-hop) delivery. The Internet layer is the first layer whose services are independent of the underlying data carrier. 

The Internet layer provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks while maintaining the quality of service requested by the transport layer. The Internet layer performs network routing, flow control, network segmentation/desegmentation, and error control functions (Wikipedia: Network layer 2007). 

The most important protocol on the Internet layer is the IP protocol. In order to protect the packets, IPSec can be used at this layer. 

 

IP

The Internet Protocol (IP) is a stateless, data-oriented protocol which routes data to its intended destination with the help of IP addresses and subnet masks. The data is encapsulated into packets (as shown in Figure 11: application layer (1), transport layer (2), Internet layer (3) and physical layer (4)) and sent through a so-called packet-switched network. This means that no circuit of any kind is set up before one host can send data to another host. The Public Switched Telephone Network (PSTN) works differently: there a circuit must be set up before a call can be established. 

Figure 11: Data encapsulation over the four layers

 

Because of the abstraction of the Internet protocol, which is depicted in Figure 11, an IP packet can be sent independently of the underlying physical layer, thus the networks in between can be a mixture of different types, like Ethernet, WLAN, ATM, etc. 

The Internet Protocol is unreliable: it makes a best-effort delivery without any guarantees. Possible errors include duplicated, lost or corrupted packets, among others. The header is protected by a checksum, which detects header corruption caused by network errors but offers no protection against deliberate manipulation by an adversary, since anyone who alters the header can simply recompute the checksum. Note that IP packets with a corrupted header are discarded on the spot (e.g., by a router) without notification to either the sender or the receiver. 

As stated above, packets are routed with the help of IP addresses. There are two versions used in parallel now, IPv4 and IPv6. The following sections will differentiate between these two protocols because there are some vital differences between both of them. 

Both protocols have in common the need for unique addresses within any given subnet. A subnet is a set of devices which use one router in order to communicate with the rest of the network. A device in a subnet can be a computer or another router. To the rest of the network, all devices in a subnet are “represented” by the same external IP address. Within the subnet, the devices are differentiated by internal IP addresses, which depend on the subnet mask applied. Figure 12 illustrates a simple private network (the subnet) which is connected to the Internet by a router. Note that the router has an external IP address, to which devices on the Internet (like servers) connect. The computers in the subnet do not connect directly to the Internet; the router forwards their requests and the responses, thus “hiding” the infrastructure of the subnet from other hosts. 

Figure 12: Subnet with three hosts connected to the Internet by a router

 

IPv4

An IPv4 address consists of 32 bits. The most common representation of an IPv4 address is in the form of four dot separated numbers in the range from 0 to 255 each. For example, the IP address of the domain http://www.fidis.net is 80.237.131.150. 

 

The structure of an IPv4 packet is shown in Table 9. 

Table 9: IP packet structure

 

The Type of Service can be used for the prioritisation of the packet, which is useful for quality of service. The Total Length field contains the entire length (header and data) of the IP packet. The fields Identification, Flags and Fragment Offset are used for the reassembly of fragmented packets. The Time to Live indicates how long a packet is valid, whereas the Protocol specifies the protocol which is contained in the data section, e.g., TCP if the IP packet carries such a payload. The Checksum protects the header against network data corruption. The Source and Destination Address are both IPv4 addresses. The Options field mostly contains information about routing. The Data field contains the payload; at most 65,515 bytes of content fit into one packet.
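As an added illustration of the header layout and of what the checksum does and does not protect, the following Python example (written for this page; it is not code from the FIDIS deliverable) builds and decodes the Table 9 fields with the standard library only. The sample header bytes, addresses and payload sizes are constructed; the 20-byte sample header is the common textbook example with checksum 0xb861. The last function contrasts a random bit flip, which the checksum catches, with a legitimate on-path rewrite of the source address as a NAT router performs it, which yields a header the receiver cannot distinguish from the original.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample: a 20-byte IPv4 header without options carrying UDP
# from 192.168.0.1 to 192.168.0.199, total length 115, checksum 0xb861.
SAMPLE_HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Summing a header
    that already contains a correct checksum field yields zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1234,
                      tos=0, flags_frag=0x4000):
    """Assemble a 20-byte header (no options); 0x4000 sets the DF flag."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields of Table 9 and verify the header checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a valid IPv4 header")
    header = pkt[:ihl]
    return {
        "header_length": ihl,
        "tos": tos,
        "total_length": total_length,
        "identification": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": ip_checksum(header) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "options": header[20:],
    }


def corruption_vs_rewrite():
    """Return (bit_flip_detected, rewrite_passes). A single flipped bit is
    caught by the checksum; a device that rewrites the source address and
    recomputes the checksum (what a NAT router does on every packet)
    produces a header that verifies just like the original."""
    hdr = build_ipv4_header("192.0.2.10", "198.51.100.20", payload_len=32)

    flipped = bytearray(hdr)
    flipped[8] ^= 0x01                      # one bit of the TTL byte
    bit_flip_detected = not parse_ipv4_header(bytes(flipped))["checksum_ok"]

    rewritten = bytearray(hdr)
    rewritten[12:16] = IPv4Address("203.0.113.1").packed   # new source address
    rewritten[10:12] = b"\x00\x00"
    rewritten[10:12] = struct.pack("!H", ip_checksum(bytes(rewritten)))
    rewrite_passes = parse_ipv4_header(bytes(rewritten))["checksum_ok"]
    return bit_flip_detected, rewrite_passes


if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    print(corruption_vs_rewrite())
```

The practical consequence for a defender is that `checksum_ok` only says the header was not damaged in transit; any claim about who really set the source address needs authentication above IP, such as the IPSec AH mechanism discussed later in this section.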

 

Identifiers and their uniqueness

The primary identifiers are the source and the destination addresses. Both are IPv4 addresses, i.e., 32 bit identifiers of the sending and receiving host. If the sending host uses a network address translation (NAT) service, the source address seen on the Internet is the IP address of the NAT device, e.g., a router. 

The source and destination addresses are unique within the network used. For the Internet, both addresses must be unique with respect to all addresses within the Internet. Normally Internet service providers assign unique IP addresses to each of their customers. 

 

Personal data

An IP packet contains personal data in the form of the source and destination addresses, since both addresses in conjunction provide information about a communication relationship. Furthermore, with the help of the IP address in many cases the location of the user can be determined. At least the country and town can be read out of an IP address. So location privacy is not given. 

Personal information can be contained in the data field of the packet. If the payload is not encrypted, i.e., the contents are sent in plain text, an eavesdropper can access all information contained in the packet. 

 

Linkability: identifiability and profiling

An unsecured IP packet can be identified by its source address. The receiver of the packet can be identified by the destination address. Both properties can be used for profiling of an ongoing communication. The profile can contain a wealth of information, like the communicating partners, the time, the protocol used and the amount of data sent. Each of these fields alone can give away information about the content of the communication and other interesting details. 

Furthermore, if not encrypted, the content of the data field can contain identifiable information about the sending and receiving host. 

 

Avoidance or circumvention of information disclosure

Sending the content in clear-text can be avoided by using encryption, either application level encryption or network layer encryption like IPSec. Traffic analysis can take place even if network layer encryption is used. Detailed information on IPSec is given in Section 2.4.2.

By the usage of IPSec one can try to hide the communication partner. This is possible if the user communicates via at least one proxy. The communication between sender and proxy must be secured by IPSec, thus providing a tunnel which hides the contents of the packet. After decrypting the IPSec packets, the proxy relays them to the intended destination. Better still, the proxy re-encrypts the packets and relays them to another proxy; thus a proxy chain can be created. Designed much like the anonymous remailers introduced in Section 2.2.4.4, this can help to give receiver and also sender anonymity. Care has to be taken that an eavesdropper cannot link the incoming with the outgoing traffic at a proxy, and vice versa. Remailer-like networks for general Internet traffic are called mix networks. Two popular Mix technologies are AN.ON and Tor. Both route traffic through a series of servers; each message is decrypted and re-encrypted at each server. Sophisticated techniques try to hide the relation between incoming and outgoing traffic. Because of these complex principles Mix networks are rather slow and cannot be used for real-time applications like VoIP right now. But they are sufficiently fast to protect the privacy of, e.g., users surfing the web. 

 

IPv6

The IPv4 address space is quite limited. Although the 32 bits of an IPv4 address allow a theoretical number of approx. 4.3·10^9 (10^9 being 1 billion) possible addresses, in reality it is much less because of reserved, private and multicast addresses. This results in a serious “IP address starvation”, meaning that the number of publicly available addresses is very limited. Therefore a next generation protocol, IPv6, has been developed. IPv6 uses 128 bits for addresses, which results in over 3.4·10^38 available addresses.

 

The main advantages of IPv6 compared to IPv4 are: 

 

  1. Larger address space as described above, 

  2. simplified header format, 

  3. optional extension header, 

  4. authentication and encryption built in, 

  5. auto configuration via the Stateless Address Autoconfiguration (SLAAC) and 

  6. support for Quality of Service (QoS). 

 

An IPv6 packet is shown in Table 10. Notably, the header structure is simplified compared to that of IPv4 packets. The source and destination address now use 128 bits each. Additional fields contain information about the version, the Traffic Class (packet priority), the Flow Label for QoS, the Payload Length and the Hop Limit, which controls the time to live of the packet. Noteworthy is the Next Header field; it is this field that allowed the header structure of an IPv6 packet to be simplified.

Table 10: IPv6 packet structure

 

The Next Header field points to an additional header, thus enabling a header structure which adapts to the current needs of the packet being sent. For example, the Next Header field could point to a TCP header if the payload of the IPv6 packet is a TCP segment. This feature enables routers to process packets faster and with less power, since routers only need to check and adjust the header fields which are really needed. The additional headers are contained in the Extension Header field, which has a variable length. Figure 13 illustrates three different IP packets: the first without any extension header, the next with an extension header followed by a TCP header, and finally a third packet with a routing header as well as a TCP header. 

Figure 13: The extension header (the middle fields (green)) of IPv6
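As an added worked example of the Next Header chain (written for this page, not code from the deliverable), the following Python builds packets shaped like the three of Figure 13 and then walks the chain the way a router or firewall has to before it can see the transport header. The protocol numbers are the standard IANA values; the addresses, header bodies and payloads are constructed. The walker also applies two checks a robust implementation needs: it refuses a chain that claims to run past the end of the packet, and it refuses a Hop-by-Hop Options header that is not the first extension header. Building AH headers is left out because AH counts its length in a different unit, although the walker understands them.

```python
import struct
from ipaddress import IPv6Address

# Protocol numbers that can appear in the Next Header field.
HOPOPTS, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONE, DSTOPTS = \
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60
EXTENSION = {HOPOPTS: "Hop-by-Hop Options", ROUTING: "Routing",
             FRAGMENT: "Fragment", AH: "Authentication Header",
             DSTOPTS: "Destination Options"}
UPPER = {TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6", ESP: "ESP",
         NONE: "No Next Header"}


def build_ipv6(src, dst, ext_headers, upper, payload, hop_limit=64):
    """Assemble a packet whose Next Header chain is ext_headers -> upper.
    ext_headers is a list of (protocol number, body); the body excludes the
    leading Next Header and length bytes, which are filled in here."""
    chain = [kind for kind, _ in ext_headers] + [upper]
    parts = []
    for (kind, body), following in zip(ext_headers, chain[1:]):
        if kind == FRAGMENT:
            assert len(body) == 6, "Fragment header is fixed at 8 bytes"
            length_byte = 0                              # reserved byte
        else:
            assert (len(body) + 2) % 8 == 0, "extension headers are 8-byte multiples"
            length_byte = (len(body) + 2) // 8 - 1       # 8-byte units, first 8 excluded
        parts.append(bytes([following, length_byte]) + body)
    ext = b"".join(parts)
    fixed = struct.pack("!IHBB16s16s", 6 << 28, len(ext) + len(payload),
                        chain[0], hop_limit,
                        IPv6Address(src).packed, IPv6Address(dst).packed)
    return fixed + ext + payload


def walk_next_headers(pkt: bytes):
    """Follow the Next Header chain. Returns (fixed-header fields,
    [(extension name, size)], upper-layer protocol name, its offset)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 fixed header")
    vtf, payload_len, nh, hop_limit, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    end = min(40 + payload_len, len(pkt))
    fixed = {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
             "payload_length": payload_len, "hop_limit": hop_limit,
             "src": str(IPv6Address(src)), "dst": str(IPv6Address(dst))}
    chain, offset = [], 40
    while nh in EXTENSION:
        if offset + 2 > end:
            raise ValueError("extension header runs past the packet")
        if nh == HOPOPTS and offset != 40:
            raise ValueError("Hop-by-Hop Options must directly follow the fixed header")
        following, length_byte = pkt[offset], pkt[offset + 1]
        if nh == FRAGMENT:
            size = 8
        elif nh == AH:
            size = (length_byte + 2) * 4                 # AH: 4-byte units minus 2
        else:
            size = (length_byte + 1) * 8
        if offset + size > end:
            raise ValueError("extension header runs past the packet")
        chain.append((EXTENSION[nh], size))
        nh, offset = following, offset + size
    return fixed, chain, UPPER.get(nh, "protocol %d" % nh), offset


def describe(pkt):
    """Names of the extension headers followed by the upper-layer protocol."""
    _, chain, upper, _ = walk_next_headers(pkt)
    return [name for name, _ in chain], upper


# Constructed packets in the spirit of Figure 13 (2001:db8::/32 is the
# documentation range); the routing header body is a type-0 header with
# no segments left, the Hop-by-Hop body is a single PadN option.
PLAIN_TCP = build_ipv6("2001:db8::1", "2001:db8::2", [], TCP, b"tcp segment")
ROUTING_TCP = build_ipv6("2001:db8::1", "2001:db8::2",
                         [(ROUTING, bytes([0, 0]) + bytes(4))], TCP, b"tcp segment")
HOP_ROUTING_FRAG_TCP = build_ipv6(
    "2001:db8::1", "2001:db8::2",
    [(HOPOPTS, bytes([1, 4, 0, 0, 0, 0])),
     (ROUTING, bytes([0, 0]) + bytes(4)),
     (FRAGMENT, bytes([0, 0]) + (42).to_bytes(4, "big"))],   # offset 0, id 42
    TCP, b"tcp segment")

if __name__ == "__main__":
    for packet in (PLAIN_TCP, ROUTING_TCP, HOP_ROUTING_FRAG_TCP):
        print(describe(packet))
```

The walker stops at ESP without descending further, because everything behind an ESP header is encrypted; this is the same property that makes the IPSec ESP mechanism described later in this section opaque to routers and observers alike.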

 

IPv6 has several built-in ways of obtaining a valid IP address. Known from IPv4 are manual configuration and the usage of DHCP. DHCP is a network service which assigns IP addresses to querying devices. DHCP was built to automate the assignment of network properties like IP addresses for devices as well as to prevent the assignment of the same IP address to multiple devices. With IPv6, a device is able to compute its own IP address without the need for a DHCP service. For this the device uses its static link identifier, which is built, among other things, from the (globally unique) MAC address. 

The transition from IPv4 to IPv6 will be a slow one; it is not possible to switch from IPv4 to IPv6 at once. Thus the designers of IPv6 have taken care to ensure that devices using IPv6 can still be reached via an IPv4 address, and that IPv6 devices can also utilise IPv4 (so-called dual-stack devices). 

 

Identifiers and their uniqueness

The primary identifiers are the source and the destination addresses, which identify the sending and receiving host. Since the IPv6 address space is so huge (128 bits), it is very likely that each and every device will get its own unique IPv6 address; solutions like NAT would then no longer be used. This removes some of the “hiding capabilities” introduced by NAT routers, which (unreliably) mask the identity of a host. 

The source and destination addresses have to be unique within the network used. For the Internet, both addresses must be unique with respect to all addresses within the Internet. It is predictable that Internet service providers will assign unique IPv6 addresses to each of their customers. 

The payload may contain additional identifiers, which may be unique, too. 

The extension headers may contain identifying properties too; this depends on which headers with which fields are used. 

 

Personal data

An IP packet contains personal data in the form of the source and destination addresses, since both addresses in conjunction provide information about a communication relationship. Furthermore, with the help of the IP address, in many cases the location of the user can be determined. At least the country and town can be read out of an IP address, and so location privacy is not given. 

Personal information can be contained in the data field of the packet. If the payload is not encrypted, i.e., the contents are sent in plain text, an eavesdropper can access all information contained in the packet. 

 

Linkability: identifiability and profiling

An unsecured IP packet can be identified by its source address. The receiver of the packet can be identified by the destination address. Both properties can be used for profiling of an ongoing communication. The profile can contain a wealth of information, like the communicating partners, the time, the protocols used and the amount of data sent. Each of these fields alone can give away information about the content of the communication and other useful details. 

Furthermore, if not encrypted, the content of the data field can contain identifiable information about the sending and receiving host. 

Location profiling is an interesting topic for mobile IP scenarios. The term mobile IP covers services which enable users to use IP services like the Internet while being mobile, e.g., while moving around by car or foot. Scenarios of application are Voice over IP or WWW usage with the help of wireless access points. Since the user is moving from one access point to another, his IP address will change according to the current access point. The communication partner must be informed about the IP address change in order to send data to the correct destination. Since the IP address can be used to obtain location information, the knowledge about changing IP addresses can lead to location profiling. 

The number of available IPv6 addresses will lead to the deployment of static IP addresses to many devices which currently either do not have an IP address or are assigned dynamic IP addresses. An example may be the oft-proposed fridge which automatically orders new food whenever necessary. Although containing no critical information at first sight, a number of devices like this can lead to serious information leakage, usable for profiling, which can compromise the privacy of their owner. 

 

Avoidance or circumvention of information disclosure

In order to protect the payload of an IP packet, this payload must be encrypted. This encryption can take place at higher layers (e.g., like the usage of PGP at the application layer for e-mail, or the usage of TLS at the transport layer for HTTP) or the encryption can take place at this layer by using IPSec. IPSec can furthermore protect the header. Further details about IPSec are given in Section 2.4.2. 

A problem is that a client IPv6 address computed with SLAAC and the static MAC address of the network adapter results in a static and unique identifier. This could be prevented by changing this identifier repeatedly, thus gaining a dynamic instead of a static identifier. Concepts for this are discussed in RFC 3041 (“Privacy Extensions for Stateless Address Autoconfiguration in IPv6”), for example, where randomised IPv6 addresses are used, and in (Escudero Pascual 2002) where the concept of randomised addresses is analysed with respect to unobservability. 

Changing the link identifier (IPv6 address) would make it more difficult to relate separate transactions to each other by using the given IP address. The rate of identifier changes must be balanced between the wish for (strong) privacy and the added load changing identifiers puts on the network device and the network itself. 
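The two address-generation schemes contrasted in this section (the MAC-derived static identifier introduced with SLAAC above and the randomised identifiers of RFC 3041) are shown side by side in the following added Python example, which is not code from the deliverable or from any RFC. It uses only the standard library; the MAC address and the 2001:db8:1:2::/64 prefix are constructed documentation values, and the randomised identifier is a simplified stand-in (64 random bits with the universal/local bit cleared) rather than the exact RFC 3041 construction. The `embedded_mac` helper is the audit check an operator would run over their own address logs to find hosts that still expose a hardware-bound identifier; `per_connection_addresses` applies the same generator once per connection, as suggested further below for unlinkable web requests.

```python
import os
from ipaddress import IPv6Address, IPv6Network


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC: insert
    ff:fe in the middle and invert the universal/local bit (bit 0x02 of
    the first byte). This is the static link identifier discussed above."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_interface_id(rng=os.urandom) -> bytes:
    """Randomised identifier in the spirit of RFC 3041 (simplified here):
    64 random bits with the universal/local bit cleared, so the identifier
    cannot be mistaken for a globally unique, MAC-derived one.
    rng is injectable so tests can use a fixed byte source."""
    iid = bytearray(rng(8))
    iid[0] &= 0xFD
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> IPv6Address:
    """Combine the router-advertised /64 prefix with an interface identifier."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def embedded_mac(addr: str):
    """Audit helper: if the address carries a modified EUI-64 identifier
    built from a globally unique MAC, return that MAC; otherwise None.
    Locally administered MACs and randomised identifiers both have the
    universal/local bit clear in the address and are reported as None."""
    iid = IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe" or not iid[0] & 0x02:
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join("%02x" % b for b in octets)


def per_connection_addresses(prefix: str, count: int, rng=os.urandom):
    """A fresh random address for each of `count` connections."""
    return [slaac_address(prefix, random_interface_id(rng)) for _ in range(count)]


if __name__ == "__main__":
    prefix = "2001:db8:1:2::/64"                  # constructed documentation prefix
    static = slaac_address(prefix, eui64_interface_id("00:1a:2b:3c:4d:5e"))
    print("EUI-64 address:", static, "exposes MAC", embedded_mac(str(static)))
    for addr in per_connection_addresses(prefix, 3):
        print("temporary address:", addr, "exposes MAC", embedded_mac(str(addr)))
```

Running it shows the trade-off the text describes: the EUI-64 address stays the same on every network the device joins and reveals the MAC to anyone who sees it, while the randomised addresses are unlinkable to the hardware and to each other, at the cost of the device having to maintain and rotate several addresses.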

In order to get sender and/or receiver privacy, concepts like Mix networks can be used. The concept does not change compared to its usage with IPv4, thus we refer the reader to the section above where Mix networks have been introduced. 

In order to prevent the linking of IPv6 addresses across different web requests, Aura and Zugenmaier suggest using a new IP address for each TCP connection (Aura, Zugenmaier 2004). This is possible since one IPv6 enabled network device can control an arbitrary number of IP addresses: “Using a new random or pseudo-random address for each connection makes it more difficult for an observer on the Internet to correlate two connections from the same host.” (Aura, Zugenmaier 2004)

 

IPSec

Internet Protocol Security (IPSec) provides the following security functions in the IP layer:  

 

  1. Data origin authentication; 

  2. Data integrity; 

  3. Replay detection; 

  4. Data confidentiality; 

  5. Limited traffic confidentiality; 

  6. Access control. 

 

IPSec also provides management services for the negotiation of sessions and session parameters. These parameters and security services are stored for each secured IP path in so-called security associations (SA). Additionally, IPSec handles the key exchange between the communicating parties. IPSec itself is algorithm independent, although default algorithms are defined in the specification. 

There are two basic security mechanisms built into IPSec. IP Authentication Header (AH) provides authenticated headers, i.e., headers for which the receiver can detect manipulations by an attacker. The second security mechanism is IP Encapsulated Payload (ESP), which secures the payload of IP packets, thus providing confidentiality. IP AH and IP ESP may be applied alone or in combination with each other. 

There are two distinct modes which can be used for AH as well as ESP. The first mode is the transport mode. In this mode the data field and the transport protocol field (e.g., TCP or UDP headers) are encrypted. The original IP header is sent unencrypted. This mode can be used with IPSec unaware routers since the IP headers are not touched. The implementation and configuration of IPSec must take place at the client (and server) system. Thus the use of IPSec in transport mode is not transparent to the client and server system but to the routers in between. This method is usually used when people want to use a private network (like a corporate intranet) via a public network like the Internet. 

In the second mode, called tunnel mode, IPSec encapsulates the complete original IP packet into a new IP packet, providing more communication privacy (see Figure 14). The original IP packet is encrypted, but the new IP header is not. Since tunnel mode IPSec can be implemented between cooperating IPSec enabled routers, the usage of this system can be transparent to the client system (Molva 1999). 

Figure 14: Packet structure of IPSec ESP packets in transport and tunnel mode

 

Identifiers and their uniqueness

If IPSec is used in the AH mode then no encryption of the encapsulated IP packet is done. Thus these types of IPSec packets contain all the identifying information contained in the IP packet transported in the payload of the IPSec packet. This can be avoided if IPSec ESP packets are used which provide mechanisms to encrypt the payload data. 

Nevertheless, both IPSec headers, AH and ESP, contain a 32 bit Security Parameter Index (SPI) and a 32 bit sequence number. Both in conjunction could be used to reason whether two IPSec packets belong to the same communication or not. 
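The following Python example, added here and not taken from the deliverable or from any IPSec implementation, makes two points of this section concrete: the "replay detection" service listed among IPSec's security functions, and the observation just made that the SPI and sequence number remain in the clear and let an observer group packets by security association. The sample capture is constructed (the SPI values and the 24 opaque bytes standing in for encrypted payload are placeholders), and the receiver-side window is the sliding-bitmap scheme of RFC 4303 Appendix A with a window size of 64, which is an assumption of this example; the AH field layout and the ESP SPI/sequence prefix are the standard ones.

```python
import struct
from collections import defaultdict

IPPROTO_ESP, IPPROTO_AH = 50, 51


def parse_ipsec_header(proto: int, data: bytes):
    """Return (SPI, sequence number) from the clear-text start of an AH or
    ESP header. Everything after it is integrity-protected (AH) or
    encrypted (ESP) and therefore opaque to a third party."""
    if proto == IPPROTO_ESP:
        if len(data) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", data[:8])
    elif proto == IPPROTO_AH:
        if len(data) < 12:
            raise ValueError("truncated AH header")
        _next_hdr, _payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    else:
        raise ValueError("protocol %d is not AH or ESP" % proto)
    return spi, seq


class AntiReplayWindow:
    """Receiver-side replay detection: a sliding bitmap over the most
    recent sequence numbers of one security association (RFC 4303
    Appendix A; the window size of 64 is assumed, 32 is the minimum)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set <=> sequence number top - i was seen

    def accept(self, seq: int) -> bool:
        if seq == 0:                          # the first valid number is 1
            return False
        if seq > self.top:                    # new high: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.size:               # older than the window tracks
            return False
        if (self.bitmap >> behind) & 1:       # already seen: a replay
            return False
        self.bitmap |= 1 << behind
        return True


def link_by_spi(observed):
    """What a passive observer can still do with AH/ESP traffic: group
    packets into security associations by SPI and order them by sequence
    number. observed is a list of (protocol number, IPsec header bytes)."""
    flows = defaultdict(list)
    for proto, data in observed:
        spi, seq = parse_ipsec_header(proto, data)
        flows[spi].append(seq)
    return dict(flows)


def esp(spi, seq, body=b"\x00" * 24):
    """Constructed ESP packet: clear SPI and sequence number, then bytes
    standing in for the encrypted payload."""
    return IPPROTO_ESP, struct.pack("!II", spi, seq) + body


# Constructed capture: two security associations; the fifth packet repeats
# sequence number 2 of the first association.
SAMPLE_CAPTURE = [esp(0x1001, 1), esp(0x1001, 2), esp(0x2002, 1),
                  esp(0x1001, 3), esp(0x1001, 2), esp(0x2002, 2)]


def replay_verdicts(capture, spi):
    """Run the window over one association of the capture; one verdict per packet."""
    window = AntiReplayWindow()
    return [window.accept(seq) for s, seq in
            (parse_ipsec_header(p, d) for p, d in capture) if s == spi]


if __name__ == "__main__":
    print(link_by_spi(SAMPLE_CAPTURE))
    print(replay_verdicts(SAMPLE_CAPTURE, 0x1001))
```

The replayed packet is rejected by the receiver, which is the protection IPSec provides; the same two clear-text fields that make this check possible are what let `link_by_spi` reconstruct how many packets each association exchanged and in which order, which is why the section speaks of only limited traffic confidentiality.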

 

Personal data

IPSec does not introduce any new personal data compared to the personal data included in the IP packets which IPSec tries to protect. Moreover, if IPSec is used for confidentiality, it can even protect personal data. 

 

Linkability: identifiability and profiling

As already stated in Section 2.2.4.4, there is no additional information, but the data can be better protected than in the usual IP protocol. 

 
