Ephemeral node identifiers for enhanced flow privacy

The Internet Protocol (IP) uses numerical address values carried in IP packets at the network layer to allow correct forwarding of packets between source and destination. Those address values must be kept visible in all parts of the network. By definition, those addresses must carry enough information to identify the source and destination for the communication. This means that successive flows of IP packets can be correlated - it is possible for an observer of the flows to easily link them to an individual source and so, potentially, to an individual user. To alleviate this privacy concern, it is desirable to have ephemeral address values - values that have a limited lifespan and so make flow correlation more difficult for an attacker. However, the IP address is also used in the end-to-end communication state for transport layer flows so must remain consistent to allow correct operation at the transport layer. We present a solution to this tension in requirements by the use of ephemeral Node Identifier (eNID) values in IP packets as part of the address value. We have implemented our approach as an extension to IPv6 in the FreeBSD14 operating system kernel. We have evaluated the implementation with existing applications over both a testbed network in a controlled environment, as well as with global IPv6 network connectivity. Our results show that eNIDs work with existing applications and over existing IPv6 networks. Our analyses shows that using eNIDs creates a disruption to the correlation of flows and so effectively perturbs linkability. As our approach is a network layer (layer 3) mechanism, it is usable by any transport layer (layer 4) protocol, improving privacy for all applications and all users.