Not logged in » Login
May 28 2017

IETF Strives for Metadata Reduction

Along with its huge positive impact, the 'digital revolution' has also produced a number of less desirable side effects. One of these is an increasing lack of privacy that's often induced by all too talkative data transfer protocols. The Internet Engineering Task Force (IETF) has now issued a recommendation (RFC 8165, published under the ISSN 2070-1721) that's supposed to remediate these shortcomings.

The fresh RFC aims to solve a problem that was first brought up some two years ago by the Internet Architecture Board (IAB), a committee within the IETF that's tasked with architectural and standards process oversight. Back then, the IAB had developed a threat model regarding attacks on Internet confidentiality in the wake of the Snowden revelations. The result was RFC 7624, a memo that discussed so-called passive and active pervasive attacks that target the Internet's backbone as well as ways to fend them off. In particular, the authors dealt with the NSA attack schemes Prism and Bullrun and their capabilities for exfiltrating static and dynamic encryption keys as well as communications content. Their ultimate conclusion was that most surveillance operations relied on the open nature of Internet traffic, and that one potentially successful method to block them would be to use and further develop secure variants of communications protocols that already existed, but had hardly been used by ISPs and other content or service providers.

RFC 8165 picks up on these considerations and demands that protocol developers follow a "common design pattern" that "limits the amount of data disclosed to those elements absolutely required to complete the relevant protocol exchange." What's more, it extends the previous recommendations from 2015 insofar as it attempts to limit the (re-)insertion of metadata into the headers of otherwise encrypted data traffic. But while stripping metadata from those headers provides a safe and easy method for protecting confidential communication, it also interferes with certain business models that rely on access to customer-specific information such as IP addresses in order to allow or block the distribution of content and which dominate the media and entertainment industries. To attenuate possible conflicts of interest, developers should tune transfer protocols in such a way as to enable end users to approve the restoration of their personal metadata in the process. This could be achieved by using existing methods like STUN and EDNS, which basically allow client systems to create a subnet for communication with a content provider and add metadata as they see fit. However, what looks simple in theory may still require some effort to be put into practice, so it definitely pays off to study the related RFCs. ISPs and providers of managed services could definitely benefit from providing an extended range of secure communications/data transfer channels.


Comments on this article

No comments yet.

Please Login to leave a comment.


Please login

Please log in with your Fujitsu Partner Account.


» Forgot password

Register now

If you do not have a Fujitsu Partner Account, please register for a new account.

» Register now