[GRLUG] NOT LINUX

Michael Mol mikemol at gmail.com
Tue Sep 11 08:28:57 EDT 2012


On Tue, Sep 11, 2012 at 3:08 AM, Thad Ward <coderjoe69 at yahoo.com> wrote:

> On Mon, Sept 10, 2012 at 3:53 PM, Michael Mol <mikemol at gmail.com> wrote:
> > Familiarize yourself with IPv6 Privacy Extensions. Essentially, your
> source IP address is randomized every five minutes. (You maintain a
> long-term IP address, too, but the temporary address is used for most
> outbound connections.)
>
>
> And those privacy extensions prevent the provider of the IPs from knowing
> which prefix was given to which of their customers how?


I misread Mike's post as focusing on having multiple people coming out
through one IP, as opposed to multiple people coming through the same
subnet.


> Plus, if you have multiple systems on your network, you would need to
> subdivide your space,


Absolutely not true.

First, if your ISP is giving you a routed /64, then the /64 you place your
computers on is distinct from the /64 your router's IP has (for
communicating between itself and your ISP). Just take your /64 and apply it
to your local network.

Second, if your ISP is stupid (and some have been...I don't think any of
the major IPv6-supporting consumer carriers (such as AT&T and Comcast)
have been, though), they'll give you an *on-link* /64, which means your
router has an IP on the same subnet as the rest of your network; the
solution is to use ND-proxy.

Either way, if you have a /64 (which is the minimum size ISPs are supposed
to allocate to end-users), then you can have as many machines on your
network as you can stand to have on the same subnet.


> and some data analysis could provide evidence that certain prefixes are
> being used by different systems with different users on them.
>

If you subnet (and I think you should), sure. I think you're being
hyper-paranoid (or are in an environment with some pretty strict security
requirements) if this is something you're worried about, but in such a case
you probably should be using a proxy server on your network gateway.


>
> On other points mentioned, your DNS queries could give you away, even if
> you are using SSL. Also, if you are using SSL, if your browser does Server
> Name Indication, someone can still tell what site you're visiting, even if
> they can't see what you're accessing on that site.
>

There are people who have legitimate worries about things of this nature.
Mostly missionaries and volunteers in charitable NGOs in countries without
religious freedom.

If your worries really do extend this far, you need to be using IPSec and
tunnels. Worse, you need to start looking at things like packet fill,
because packet timings and entropy measurements can still tell useful
information about an encrypted packet stream.


>
> If your ISP derives their primary income from the sale of advertising,
> they have a strong incentive to do whatever they need to do to see what
> you're doing in order to target ads at you.
>

The only advantage they could have for doing it at layer 3 is geographical
targeting. And, honestly, they already have enough information for good
results there, from the people who don't block ads, cookies, etc. If they
want better, they need only get their anycast DNS servers closer to the
edge of each neighborhood they're interested in, and then correlate server
addresses and DNS queries with source IP addresses. That also ignores that
web pages can now ask for geolocation details from browsers, and that
people with smartphones are actively ceding this information in the name
of convenient services.

If you think they're going to set up an ISP with gigabit network access for
end-users just for the purpose of getting at that last half a percent of
people who use the Internet, but take active measures to clear cookies and
employ anonymization techniques, then I think you missed the point of
diminishing returns. There are plenty of volunteers, at this point, and
Google doesn't need to actively chase the rest.

No, the only real reason I can see for Google to be setting up their own
ISP is because they have a *crapton* of content (Youtube, mostly) they need
to get to the edge, and ISPs like Comcast and AT&T aren't going to let them
drop their own CDN nodes into their networks without charging for it.
(Remember that? It was one of the things that sparked off the net
neutrality debate last decade.) This is Google's way of telling them,
"look, we're not going to pay the rates you're asking for, and we're not
going to put up with you lowering priority on our traffic, either. Instead,
we're going to set up a loss-leader ISP and put our content cache ten miles
away from each customer. Their end experience looking for cute kittens on
our network is going to blow away the same on yours, and it'll be cheaper
to boot."

In short, this is Google's big stick for dealing with any ISP that wants to
play hardball with network ingress and colocation.

-- 
:wq
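The privacy-extensions exchange above (temporary addresses versus the ISP-assigned /64) can be made concrete in a few lines. The following is an added example, not code from the post or from any project it mentions: it builds RFC 4941-style temporary addresses under two constructed customer prefixes taken from the 2001:db8::/32 documentation range, then shows that grouping by the /64 still sorts every address back to its customer. The function names and the sample prefixes are this example's own assumptions.

```python
"""Added example (not from the original mailing-list post): IPv6 privacy
extensions randomize the interface identifier (low 64 bits) but leave the
ISP-delegated /64 prefix intact, so the prefix, not the address, is what
identifies a customer."""
import ipaddress
import secrets

# Bit 0x02 of the first IID octet is the universal/local (u/l) bit; RFC 4941
# temporary addresses keep it cleared so they cannot collide with EUI-64 IIDs.
UL_BIT = 1 << 57


def temporary_address(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Return a new temporary address: the prefix's high 64 bits plus a random
    64-bit interface identifier with the u/l bit cleared."""
    if prefix.prefixlen != 64:
        raise ValueError("privacy extensions are defined on /64 prefixes")
    iid = secrets.randbits(64) & ~UL_BIT
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def customer_prefix(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Network:
    """The /64 an address sits in: the piece an ISP hands out per customer."""
    return ipaddress.IPv6Network((addr, 64), strict=False)


def group_by_prefix(addrs):
    """Bucket observed source addresses by their /64, as an ISP or an observer
    watching its uplink could do regardless of how often the IID changes."""
    groups: dict[ipaddress.IPv6Network, list[ipaddress.IPv6Address]] = {}
    for a in addrs:
        groups.setdefault(customer_prefix(a), []).append(a)
    return groups


# Constructed sample: two customers, each rotating through five temporary
# addresses.  These are documentation prefixes, assumed for the example.
CUSTOMERS = [
    ipaddress.IPv6Network("2001:db8:1:a::/64"),
    ipaddress.IPv6Network("2001:db8:1:b::/64"),
]


def demo():
    observed = [temporary_address(p) for p in CUSTOMERS for _ in range(5)]
    grouped = group_by_prefix(observed)
    for prefix, addrs in grouped.items():
        print(prefix, "->", len(addrs), "addresses, e.g.", addrs[0])
    return grouped


if __name__ == "__main__":
    demo()
```

Every run prints a different set of addresses but always exactly two groups, one per prefix. That is the point Thad makes: the temporary address hides which host inside the home made a connection, not which subscriber the /64 belongs to.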
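Thad's remark that Server Name Indication gives away the site even under SSL is easy to verify on the wire, because the ClientHello that carries it is sent before any key is agreed. Below is an added example, not from the post: it constructs a TLS ClientHello record for a hostname (with a second, unrelated extension in front so the parser has to skip it) and then extracts the SNI hostname from the raw bytes the way a passive observer on the path would. The builder, the parser and the sample hostname are assumptions of this example; the field layout follows the TLS record and handshake formats.

```python
"""Added example (not from the original mailing-list post): the SNI hostname
sits in plaintext in the TLS ClientHello, so anyone who sees the first packet
of the connection learns the site even though the rest is encrypted."""
import struct

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(hostname=None) -> bytes:
    """Construct a minimal TLS record holding a ClientHello.  With a hostname
    it carries an SNI extension; with None it carries no extensions at all,
    as an old TLS 1.0-era client might send."""
    body = b"\x03\x03" + b"\x00" * 32      # client_version + 32-byte random
    body += b"\x00"                         # session_id length 0
    body += struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
    body += b"\x01\x00"                     # one compression method: null
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS record, or None if the record is not
    a complete ClientHello or carries no server_name extension.  Every length
    is bounds-checked so a truncated capture cannot raise."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                         # truncated handshake
    pos = 2 + 32                            # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                    # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                    # compression_methods
    if len(body) < pos + 2:
        return None                         # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(data) < 5:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q, stop = 2, min(2 + list_len, len(data))
        while q + 3 <= stop:
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if ntype == 0 and q + nlen <= len(data):      # host_name entry
                return data[q:q + nlen].decode("ascii", "replace")
            q += nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")   # constructed sample
    print("observer sees:", extract_sni(hello))
```

Wrapping the connection in the IPSec tunnel Michael recommends hides this field from the ISP because the whole ClientHello is then inside the encrypted payload; the tunnel endpoint, of course, still sees it.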