[Ndn-interest] NDN protocol principles: no privacy?

Burke, Jeff jburke at remap.ucla.edu
Mon Mar 14 08:02:18 PDT 2016

>wow - just to be clear:
>On 3/14/16 12:07 AM, GTS wrote:
>> Hi Mark,
>> just to be clear: even if it can't be defined well, I'm all for privacy
>> in any modern network architecture,
>> NDN and CCN included. Note that NDN wouldn't have been funded by the NSF
>> if privacy (and security)
>> weren't prominent in the architecture. (NSF made
>> privacy+security-by-design a major requirement
>> for funding.) And I believe it was/is, indeed, prominent in NDN.
>that is a statement I've heard repeated, but the deeds don't align with 
>the words. NDN has encouraged the use of long-lived public/private key 
>pairs, and that makes individuals highly observable, and vulnerable in 
>the case of key compromise. I don't know whether NSF noticed, but ... 
>you can't do your banking with this stuff yet - and it's been years. and 
>since the folks in charge flat-out reject DH negotiation, it's a little 
>hard to see how they're going to come up with any forward-secure 
>approach. just exactly what privacy-by-design feature are you referring to?


Where are you getting this impression of a lack of interest in security?  Six of the last ten NDN tech reports deal with security-related topics, several of the techniques could be extended to use ephemeral keys, and a few have discussions of forward secrecy.  

>> My analogy was perhaps not the best but I was trying to say that
>> extolling privacy as a principle
>> might be viewed as pollyannish, (sorry for another one) a bit like
>> Google's (in)famous "don't be evil"
>> motto.
>just pointing out that you began by sort of implying that the principle 
>was already in place - and that NSF had approved of the path NDN has 
>taken. I have heard the words you echoed in your email many times - and 
>so I was pointing out the absence of any privacy or confidentiality 
>'principle' in the initial list of six.

Can you give an example or two of what such a satisfactory privacy principle might look like? (Perhaps there is disagreement about whether this is a principle for the architecture or applications, but articulating it seems valuable. We've certainly set it up as a goal for some of the current applications proposed for the current NSF work.)

I think we were going to present contrasting ideas on all of this (privacy at least) at the upcoming ICNRG meeting. Is that still the plan?  (I think Dirk mentioned you wouldn't be there but perhaps someone else would present?)


>> p.s. I also agree that opportunistic caching is a privacy concern,
>> especially, close to
>> the edges of the network. At the same time, I keep hearing that caching
>> in the network core
>> is unlikely. If that is true, privacy might be hard to achieve. Or,
>> caching might not be used.
>> After all, it's not mandatory, if I recall correctly (i.e., not only a
>> router is not obliged to
>> cache everything, but a producer can request "no caching for specific
>> content).
>the issue is that some of the other NDN mechanisms, like 'sync', rely on 
>broadcasting and shared caching. and then that becomes a fundamental 
>basis for ... every other example - the routing protocol, the NDN-RTC 
>scheme, etc.
>and of course (again, as I'm sure you know) the issue isn't that you 
>can't _ask_ unknown routers controlled by unknown parties _not_ to 
>observe you, or capture/record your communication. the issue is that 
>they may act against you anyway. as an individual user, you can only 
>limit what an adversary can do, and using best-practice communication 
>and crypto techniques is one of the best ways we know of to accomplish that.