[rssac-caucus] Handing the anonymization document off to RSSAC
John Heidemann
johnh at isi.edu
Wed Apr 11 18:06:13 UTC 2018
On Mon, 09 Apr 2018 18:34:32 -0000, Paul Hoffman wrote:
>Greetings again. We've kind of lost momentum on the "Recommendations on Anonymization Processes for Source IP Addresses Submitted for Future Analysis" document. I have made one more round of edits, and think that it is probably ready to send to RSSAC. Please do a final review of:
> https://docs.google.com/document/d/1jpFcEjlwd11kqbsd1oAUf2Hq3gNskqN595RdmvyKkU8
>and put comments in the document or send them to this list. I propose that next Monday, April 16, we send the document to RSSAC so they can review it before their next workshop.
A couple of questions about our goal, and some comments on the document.
About the goal: implicit in the above proposal is that little bit of
editing will "finish" the document. Is that true?
My sense is there is interest in larger changes, like trying to make a
specific recommendation. It seems unlikely that larger changes like
that can be accomplished in only one week.
Putting making a recommendation aside,
suggested changes to the document:
- section 2.1 and 3: changed "random value" to "secret value".
Reason: The "random value" is either cryptographic salt or a secret
crypotgraphic key. Its important characteristic is that it is secret
(not public), not that how it is chosen (perhaps randomly).
Using the term "random" can easily be confused with "changing".
- section 2.1: the text implied using different secret keys "breaks
harmonization". This statement is too strong. There is benefit to
researchers to knowning the harmonization METHOD if different RSOs use
different secrets.
- section 4.1: the analysis of collisions was for an average day.
Collisions are dramatically higher for worst cases, and that's when
accurate counts most matter for some research. I suggest this text
there to address this gap:
(Although the birthday problem has few collisions when the
number of active IPv4 address is small, it is much worse when
the number is large. For example, reports of the Nov. 30,
2015 DDoS attack on the roots indicate that roots saw about
891k unique addresses, and with n=900k, there are 170M
collisions. While many of these addresses were spoofed. This
count represents one factor in the cost some DDoS-defenses, so
accuracy is important.).
I don't want the document to go too far down this one particular
rathole, BUT presenting only average case data is, I think, misleading.
I made these changes both in the google doc and here. I'm not sure that
google doc edits alone always get as complete a discussion as mailing
list comments.
-John Heidemann
More information about the rssac-caucus
mailing list