[rssac-caucus] FOR REVIEW: Harmonizing the Anonymization of Queries to the Root

John Bond john.bond at icann.org
Thu Feb 22 11:51:39 UTC 2018


Hi Paul, 

Thanks for the response

> 
>>> 3.3 ipcrypt
>> The one-to-one mapping also means it is susceptible to a known-plaintext attack, but to what severity is unknown; however, the lack of prefix preservation would likely make any attack harder [than Cryptopan attacks]
> 
> A known-plaintext attack returns the key used, or allows the attacker some other way of de-anonymizing other addresses. That is not possible in the methods other than Cryptopan. However, if I can inject a query using a known source address to a particular root using an identifiable QNAME, I can find the result in the anonymized PCAP. What is important is that an attacker cannot use this to then determine the random key that was used.
I don't believe that someone needs to send a specifically crafted DNS query to reveal the true addresses. I suspect many researchers, some of whom are on this list, can already identify popular resolvers by looking at their DNS traffic signatures. Further, I believe that comparing an anonymised DITL with one from a previous year that had not been anonymised would allow one to start correlating traffic patterns. Further, statistical frequency analysis would likely reverse mappings as well. These attacks fundamentally rely on statistics and pattern correlation; therefore, as the dataset grows it becomes easier to reverse the anonymisation.

We should also consider the attack you suggest, where a user can poison the dataset by injecting unique qname queries that identify individual users. I believe this is very similar to how Geoff's ad network research works, but also how many ad networks work. So at the very least Geoff and Facebook will be able to reverse a lot of the anonymised addresses; rotating the salt would make this attack much harder, i.e. the negative TTL in the root is 84600; if we rotated the salt every 5 minutes [and we have a perfect world] then the aforementioned attack would only be able to reverse ~0.3% of a user's* traffic.

>> 
>>> 4 ASN and recommendation 3
>> I'm strongly opposed to this as it would make de-anonymising the information and the known-plaintext attacks mentioned above much simpler to execute.
> 
> Are you suggesting that we remove the recommendation (which Geoff Huston made) or simply make it clear that it is optional?
I personally think it should be removed. At the very least this would allow a researcher to reverse the IP addresses of most/all ISP and public resolver infrastructure.

Thanks John

* I appreciate that in reality it is more likely the user's resolver that is revealed, as opposed to the user; however, EDNS client-subnet
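The two attacks discussed in this message, as an added worked example that is not code from the thread, from ICANN, or from any RSSAC tooling: first, rank correlation of an anonymised DITL against an earlier unanonymised one (a static one-to-one mapping preserves each address's query count, so frequency order survives); second, the injected marker query, and how rotating the salt per time window bounds what the marker can link. The pseudonymizer is a stand-in keyed HMAC-SHA256 mapping, not ipcrypt or Cryptopan; the resolver addresses (RFC 5737 documentation space), query counts, master key, window length and ten-second query cadence are all constructed for the example.

```python
"""Added example: frequency-rank reversal of a static IP pseudonymization, and
per-window salt rotation limiting what an injected marker query links.
Stand-in pseudonymizer (HMAC-SHA256, truncated); all traffic is constructed."""
import hashlib
import hmac
import ipaddress

MASTER_KEY = b"example-master-key-not-for-production"  # constructed, not a real key
DAY = 86400  # one day of capture, in seconds

def pseudonymize(ip: str, key: bytes) -> str:
    """Keyed one-to-one mapping IPv4 -> 8 hex chars (stand-in for ipcrypt)."""
    mac = hmac.new(key, ipaddress.ip_address(ip).packed, hashlib.sha256).digest()
    return mac[:4].hex()

def window_key(master: bytes, t: int, window: int) -> bytes:
    """Derive the salt for the rotation window that contains timestamp t."""
    idx = t // window
    return hmac.new(master, idx.to_bytes(8, "big"), hashlib.sha256).digest()

def rotating_pseudonymize(ip: str, master: bytes, t: int, window: int) -> str:
    """Same address, same pseudonym only within one window of `window` seconds."""
    return pseudonymize(ip, window_key(master, t, window))

# Constructed resolver population: 203.0.113.1 .. 203.0.113.20, Zipf-like load.
RESOLVERS = [str(ipaddress.ip_address("203.0.113.0") + i) for i in range(1, 21)]

def last_year_counts() -> dict:
    """Prior-year unanonymised DITL: source IP -> query count (constructed)."""
    return {ip: 10000 // (i + 1) for i, ip in enumerate(RESOLVERS)}

def this_year_counts(key: bytes) -> dict:
    """This year's anonymised DITL: pseudonym -> count. Same population,
    ~10% more traffic plus a little jitter, so counts differ but ranks do not."""
    return {pseudonymize(ip, key): int(10000 // (i + 1) * 1.1) + i % 3
            for i, ip in enumerate(RESOLVERS)}

def frequency_attack(anon_counts: dict, clear_counts: dict) -> dict:
    """Pair the k-th busiest pseudonym with the k-th busiest real address.
    Needs no crafted query and no key: only the preserved per-address counts."""
    anon_ranked = sorted(anon_counts, key=anon_counts.get, reverse=True)
    clear_ranked = sorted(clear_counts, key=clear_counts.get, reverse=True)
    return dict(zip(anon_ranked, clear_ranked))

def attack_accuracy(key: bytes) -> float:
    """Fraction of pseudonyms the rank attack maps back to the right address."""
    guess = frequency_attack(this_year_counts(key), last_year_counts())
    truth = {pseudonymize(ip, key): ip for ip in RESOLVERS}
    return sum(guess[p] == truth[p] for p in truth) / len(truth)

def linkable_fraction(ip: str, master: bytes, window: int, inject_t: int,
                      step: int = 10) -> float:
    """Attacker sends a marker query from `ip` at inject_t, finds its pseudonym
    in the anonymised PCAP, and then links every query carrying that pseudonym.
    Returns the share of the address's day of traffic (one query every `step`
    seconds, constructed) that the marker lets the attacker link."""
    marker = rotating_pseudonymize(ip, master, inject_t, window)
    times = range(0, DAY, step)
    linked = sum(rotating_pseudonymize(ip, master, t, window) == marker
                 for t in times)
    return linked / len(times)

if __name__ == "__main__":
    print("rank attack accuracy, static key:", attack_accuracy(MASTER_KEY))
    print("linkable with no rotation:   ",
          linkable_fraction("203.0.113.1", MASTER_KEY, DAY, 1000))
    print("linkable with 5-minute salt: ",
          linkable_fraction("203.0.113.1", MASTER_KEY, 300, 1000))
```

The rank attack reverses the whole constructed population because a static one-to-one mapping changes labels but not counts; the defence is not a better key but breaking the stable mapping. Rotating the salt every 300 seconds leaves the marker able to link only the queries in its own window (30 of 8640 here, about 0.35%), at the cost that the same resolver is no longer one pseudonym across the capture, which also reduces the data's research value. Rotation does not remove the frequency leak inside a window, so short windows with heavy traffic still leak the busiest resolvers.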

