Measured Approaches to IPv6 Address Anonymization and Identity Association

IPv6-based attacks in the Internet today pose challenges that differ substantially from IPv4-based attacks in two facets of attack response: (1) sharing IP address-related information to inform coordinated efforts, while still protecting the privacy of victims and possible attackers, and (2) mitigating abuse by altering treatment, e.g., dropping or rate-limiting, of only victim’s and/or attacker’s packets. Meeting these challenges depends on knowledge or assumptions about IP address identities, typically in the form of a public, globallyrouted IP address prefix – the Identity Associations (or IAs) – of the victimized or attacking parties. IA discovery, especially remotely, is complicated by the ephemeral nature of many active IPv6 addresses and the freedom operators have in associating identities given the unconstrained IPv6 address resource. Recent research reports introduce IPv6-specific approaches to address anonymization and address association identification. We propose these methods as preferred practices in coordinated attack response and invite community feedback. 1. MOTIVATION & INTRODUCTION Both protecting personally identifiable information (PII) in the form of IP addresses and identifying IP address associations, e.g., with operators, users, or network elements, in the face of attack, warrants special attention with IPv6 due (a) to nascent privacy concerns and mandates, e.g., in the European Union, and (b) to increased IPv6 use, worldwide. Given today’s significant IPv6 deployment and dual-stack operation, the IPv6 address may be the identifier most likely to be unique to a client or server on the World-Wide Web (WWW). While individual IPv4 addresses are increasingly shared due to address exhaustion, such sharing is neither intended nor commonplace with IPv6 which offers unique, globally-routed addresses end-to-end. This note involves two recent research results that introduce IPv6-specific approaches to address anonymization and, conversely, address association. While these have quite different applications, we wish to highlight how the two are interrelated and how they are pertinent to coordinated response to network abuse or attacks. We propose the reader join in considering these questions: First, how can passive and active Internet measurements inform decisions about address anonymization and identity association? Second, is there reason to believe that any one IP prefix length would perform satisfactorily for either? Third, in the face of attack, when, where, and how should IP addresses be deaggregated or coalesced to effectively associate them with victims or attackers? 1.1 Address Anonymization As a privacy measure, such as kIP presented by Plonka and Berger [6], anonymization by address truncation means simply to delete a set of contiguous low (rightmost) bits, i.e., to remove a suffix from an input address. Typically the suffix’ bits are replaced with zeroes so that the anonymized output is an address-sized value. While more complex anonymization techniques have been implemented and are well-studied, e.g., [8], they anonymize addresses in a way that prevents the result from being used for standard security, operations, and research tasks. Specifically, they prevent correlation with network topology, routing, service providers, and locations. For these purposes, truncation-based anonymization is ideal if, and only if, it can be guaranteed to improve privacy. Such anonymization is typically performed by truncating input addresses to one fixed length. Consider, for instance, a WWW analytic system employing truncation-based IP address anonymization; e.g., zeroing the last 8 bits of a user’s IPv4 IP address and the last 80 bits of an IPv6 address [3]. Essentially, this is equivalent to masking or aggregating to /24 and /48 prefixes, respectively, perhaps combining information about as many as 256 IPv4 addresses or 64K IPv6 /64 prefixes. Of course, the utilization of the IPv4 and IPv6 address spaces differ dramatically. A central problem is how to decide at what prefix (bit) length(s) real addresses should be cleaved into a “public,” suitably anonymous prefix to be reported as is and a private suffix to be discarded or obscured, except when necessary in network operations and abuse mitigation. To tackle the problem of determining whether