[Ndn-interest] NDN protocol principles: no privacy?

Mark Stapp mjs at cisco.com
Tue Mar 15 06:25:59 PDT 2016



On 3/14/16 11:44 PM, Tai-Lin Chu wrote:

I wrote:
>> sure - I don't want to expose names that identify me, or expose my
communication activities. given that, the "network" doesn't have the job
of finding things for me by partial names - I only want to expose the
details of my communication to a service that I have authenticated, and
only when those details are encrypted. the "names" visible to the
network in that sort of world just get the packets moving - and the only
LPM needed is LPM in the FIB to get me to one or more instances of a
service.

then you wrote:
>
> Immutability is related to in-network discovery with LPM. If all
packets are immutable, and there is no in-network discovery, ndn must
rely on some other protocol that cannot not build on top of ndn for
discovery (we should all agree that randomly guessing a version number
or a certain name is not going to work well as “discovery”). This
devalues ndn as an “universal" protocol.
>
>

so ... I absolutely agree that it's not a very useful approach to have 
to randomly guess 'names' in order to use the network. I agree that that 
should be ... strongly questioned, if it is offered as a solution to 
rendezvous.

but I think you're misunderstanding what forward-secure communication 
would (probably) look like. there would not be any in-the-clear exposure 
of the nature of my activities. I would engage with an instance of the 
application I wanted to use, anonymously. that application would 
authenticate to me, so that I would not offer my identity to an 
adversary. I would possibly authenticate to the application, to gain 
access to my personal context, and to allow the application to apply 
access controls to me. the application and I would generate some key 
material, which would then be used to derive symmetric keys. from the 
perspective of the network, nothing about my use of the application 
would be visible - all of the details would be conveyed inside an 
encrypted envelope. the network would only see the routeable name on the 
'outside' of the envelope, and that name would not refer to any 'object' 
- it would just offer enough routeable prefix to reach an instance of 
the application, and enough context identification to allow the 
application to locate the keys to use when communicating with me. how 
the application works, its semantics, would not have to be known to the 
network in any way.

Thanks,
Mark



More information about the Ndn-interest mailing list