[rssac-caucus] Handing the anonymization document off to RSSAC

John Heidemann johnh at isi.edu
Wed Apr 11 18:06:13 UTC 2018 

On Mon, 09 Apr 2018 18:34:32 -0000, Paul Hoffman wrote: 
>Greetings again. We've kind of lost momentum on the "Recommendations on Anonymization Processes for Source IP Addresses Submitted for Future Analysis" document. I have made one more round of edits, and think that it is probably ready to send to RSSAC. Please do a final review of:
>   https://docs.google.com/document/d/1jpFcEjlwd11kqbsd1oAUf2Hq3gNskqN595RdmvyKkU8
>and put comments in the document or send them to this list. I propose that next Monday, April 16, we send the document to RSSAC so they can review it before their next workshop.

A couple of questions about our goal, and some comments on the document.

About the goal: implicit in the above proposal is that little bit of
editing will "finish" the document.  Is that true?

My sense is there is interest in larger changes, like trying to make a
specific recommendation.  It seems unlikely that larger changes like
that can be accomplished in only one week.


Putting making a recommendation aside, 
suggested changes to the document:

- section 2.1 and 3: changed "random value" to "secret value".

  Reason: The "random value" is either cryptographic salt or a secret
  crypotgraphic key.  Its important characteristic is that it is secret
  (not public), not that how it is chosen (perhaps randomly).
  Using the term "random" can easily be confused with "changing".

- section 2.1: the text implied using different secret keys "breaks
  harmonization".  This statement is too strong.  There is benefit to
  researchers to knowning the harmonization METHOD if different RSOs use
  different secrets.

- section 4.1: the analysis of collisions was for an average day.
  Collisions are dramatically higher for worst cases, and that's when
  accurate counts most matter for some research.  I suggest this text
  there to address this gap:

          (Although the birthday problem has few collisions when the
          number of active IPv4 address is small, it is much worse when
          the number is large.  For example, reports of the Nov. 30,
          2015 DDoS attack on the roots indicate that roots saw about
          891k unique addresses, and with n=900k, there are 170M
          collisions.  While many of these addresses were spoofed.  This
          count represents one factor in the cost some DDoS-defenses, so
          accuracy is important.).

  I don't want the document to go too far down this one particular
  rathole, BUT presenting only average case data is, I think, misleading.


I made these changes both in the google doc and here.  I'm not sure that
google doc edits alone always get as complete a discussion as mailing
list comments.

   -John Heidemann

More information about the rssac-caucus mailing list