As Internet Protocol (IP)-based data networks become more prevalent for new forms of communication, e.g., for mobile telecommunications traditionally carried over Public Switched Telephone Networks (PSTN), location privacy of communicating hosts becomes an important problem to address. In an IP network, each packet carries an IP address corresponding to a source (sender) and an IP address corresponding to a destination (receiver). These IP addresses are necessary and are used by the network to route the packets from the source to the destination. However, these IP addresses may have a strong correlation with the geographic location where the sender/receiver is currently located. Hence, the current geographic location of the sender/receiver can be determined by examining the IP addresses in the packets.
IP addresses are assigned to users or entities by a centralized source: e.g., in North America, South America, sub-Saharan Africa, and the Caribbean, the American Registry for Internet Numbers (ARIN) assigns IP addresses to organizations such as enterprises, universities, Internet service providers, wireless network operators, etc. Other geographic regions have corresponding assignment entities, for example the Asia Pacific Network Information Centre (APNIC) for the Asia Pacific region. Because IP addresses, once assigned, are relatively static, a malicious user can almost always determine a sending user's and/or recipient user's general geographic location from the IP addresses associated with their packets. That is, during a given communication session, a sender/receiver uses an IP address from a pool of IP addresses assigned to the organization from which the user communicates, thus unknowingly revealing the user's geographic location. Publicly available tools, such as ARIN's WHOIS database (publicly searchable by IP address), traceroute, Ethereal, VisualRoute and similar software, aid in resolving an IP address to a specific entity, and further to a specific location. These publicly and commercially available software packages can pinpoint the location of a user with reasonable accuracy using only the source and/or destination IP address of IP packets.
For example, suppose a malicious user intercepts a message with the destination IP address 64.218.151.200. A search of the ARIN WHOIS database reveals that the IP address is leased by Nokia Inc. from a pool of addresses assigned to the Internet service provider Southwestern Bell Internet Services. Since Southwestern Bell provides service in the USA, an immediate conclusion is that the receiver of the IP packet is in the USA. Further, by searching for Nokia office locations in the area where Southwestern Bell provides Internet service, the location of the receiver can be narrowed to Texas. As a further example, an ARIN WHOIS search reveals that the address range 18.0.0.0 to 18.255.255.255 is assigned to the Massachusetts Institute of Technology, Cambridge, Mass., USA. Thus, a sender/receiver using an IP address in this range is most likely in Cambridge, Mass. Similar searches, as well as known techniques for monitoring IP address patterns, allow a malicious user to determine a user's general geographic location, which the user may want to keep private.
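The WHOIS walk-through above, carried out in code as an added example (it is not part of the original page and is not registry software): a small parser for ARIN-style `NetRange`/`OrgName`/`Country` records with a most-specific-allocation lookup, so that a customer reassignment carved out of a provider block (the Nokia-within-Southwestern-Bell case) wins over the provider's own record, and an `inference_chain` that reports the coarse-to-fine narrowing the text describes. The records are constructed: the 18.0.0.0/8 entry mirrors the MIT assignment the page cites, while the Southwestern Bell block, the Nokia reassignment range and the `NetName` values are assumed for illustration and are not live registry data.

```python
"""Resolve an IP address to its registered holder, the way the page's
WHOIS walk-through does by hand.

Added example, not code from the page or from any registry. The records
below are constructed in the key: value layout ARIN's WHOIS returns; the
18.0.0.0/8 entry mirrors the MIT assignment the page cites, while the
provider block and the customer reassignment inside it (their ranges and
NetName values) are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_WHOIS = """\
NetRange:   18.0.0.0 - 18.255.255.255
NetName:    MIT
OrgName:    Massachusetts Institute of Technology
City:       Cambridge
StateProv:  MA
Country:    US

NetRange:   64.218.0.0 - 64.218.255.255
NetName:    SBIS-EXAMPLE
OrgName:    Southwestern Bell Internet Services
Country:    US

NetRange:   64.218.151.192 - 64.218.151.255
NetName:    NOKIA-EXAMPLE
OrgName:    Nokia Inc.
StateProv:  TX
Country:    US
"""


@dataclass(frozen=True)
class Allocation:
    networks: Tuple[ipaddress.IPv4Network, ...]  # CIDR blocks covering NetRange
    org: str
    city: str
    state: str
    country: str

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in net for net in self.networks)

    @property
    def prefixlen(self) -> int:
        # Longer prefix = more specific record; a reassignment carved out of
        # a provider block beats the provider's own entry on lookup.
        return max(net.prefixlen for net in self.networks)

    def place(self) -> str:
        return ", ".join(p for p in (self.city, self.state, self.country) if p)


def parse_whois(text: str) -> List[Allocation]:
    """Parse blank-line separated key: value records into Allocation objects."""
    allocations = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "NetRange" not in fields:
            continue  # comment or unrelated record
        first, _, last = fields["NetRange"].partition("-")
        nets = tuple(ipaddress.summarize_address_range(
            ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())))
        allocations.append(Allocation(
            nets, fields.get("OrgName", ""), fields.get("City", ""),
            fields.get("StateProv", ""), fields.get("Country", "")))
    return allocations


def locate(ip_str: str, allocations: List[Allocation]) -> Optional[Allocation]:
    """Most specific allocation containing ip_str, or None if unregistered here."""
    ip = ipaddress.ip_address(ip_str)
    matches = [a for a in allocations if a.contains(ip)]
    return max(matches, key=lambda a: a.prefixlen) if matches else None


def inference_chain(ip_str: str, allocations: List[Allocation]) -> List[Tuple[str, str]]:
    """(org, place) pairs from coarsest to finest: the page's step-by-step narrowing."""
    ip = ipaddress.ip_address(ip_str)
    chain = sorted((a for a in allocations if a.contains(ip)), key=lambda a: a.prefixlen)
    return [(a.org, a.place()) for a in chain]


ALLOCATIONS = parse_whois(SAMPLE_WHOIS)

if __name__ == "__main__":
    for target in ("18.26.0.1", "64.218.151.200", "203.0.113.5"):
        hit = locate(target, ALLOCATIONS)
        print(target, "->", (hit.org, hit.place()) if hit else "no record")
```

The lookup deliberately prefers the longest prefix: the provider's record alone yields only a country, and it is the reassignment record that narrows the answer to a state, which is exactly the second step of the page's walk-through. An address outside every record (203.0.113.5 here) returns `None` rather than a guess.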
Many users do not want others to be able to pinpoint their current location and thereby track their movements, as this is widely regarded as an invasion of privacy. Malicious users who track other users' locations could use the geographic data obtained for inappropriate, unlawful, or undesired purposes, such as selling a profile of a user's movements to advertisers. It could also be used for criminal purposes: for example, knowing that a person living in the USA is currently calling from Germany implies that he/she cannot return home for at least 8 hours. Further, governments may mandate that end users' location privacy not be compromised during communication. Location privacy in the context of the current invention refers to the ability to keep one's geographic location private while communicating over an IP network. Location privacy also includes the ability to mask one's current geographic location even from an authorized recipient of a message. That is, the sender of an IP message might not want the intended recipient of the message to be able to determine the sender's general geographic location, except as desired by the sender.
Several prior solutions have attempted to maintain location privacy, with varying degrees of success. One known solution is reverse tunneling, as specified in the Internet Engineering Task Force's (IETF) Request For Comments (RFC) 2344 and its revision RFC 3024. Reverse tunneling, in which packets are routed through the respective Home Agents of the sender and the receiver (i.e., routers having Home Agent functionality on their home networks), is an existing methodology to provide end-to-end location privacy. In reverse tunneling, the source address in a packet from a sender host, referred to herein as a mobile node (MN), as received at the correspondent node (CN), is always the MN's home address (i.e., its address on the home network). When the MN is roaming in another network (using a “Care of Address,” CoA1, provided by the visited network), the MN's packets, carrying the MN's Home Address (HoA1) and the CN's home address (HoA2) as source and destination, are encapsulated within a packet sent to the MN's Home Agent (HA1). The Home Agent strips the external header and forwards the inner packet to the CN's home network. The correspondent node's home agent (HA2) then encapsulates the packet in yet another packet and directs this second encapsulated packet to the CN's current care of address (CoA2), e.g., if the CN is also roaming in yet another network. While this scheme provides location privacy to the nodes involved (each sees packets as coming from the other's HoA), routing performance suffers as the distance between the two Home Agents, in physical distance or IP hops, increases, whether from each other or from the MN's and CN's current locations. Also, because all packets are routed through the Home Agents, if many mobile nodes request privacy the process might not be economically and/or technologically scalable: the load on each Home Agent may quickly degrade its performance.
Another known approach uses a private address for each of the communicating nodes (MN and CN). The main motivation for the use of private addresses, at least initially, was the lack of sufficient global address space in IPv4. When private addresses are used, gateways (often called NATs, or Network Address Translators) convert the private IP address to a public IP address when packets leave the private network. NATs are usually placed at the edge of the private network or the virtual private network (VPN) of an organization. If the organization is a global entity (for example the Red Cross), it is difficult to pinpoint the actual location of a communicating node by examining the public IP address in the packets, because the address that appears in the packets when they enter the public Internet is that of the NAT. The packets are routed between the NAT and the communicating node over the VPN before they enter the public Internet, and the VPN may span a large geographical area. Thus a communicating node using a private address can be in one region while the NAT is in another. However, this approach fails if the VPN does not span a large geographic area, as is the case for smaller or regional organizations. Even for VPNs that span a large geographic area, packets are usually routed from the communicating node to the nearest NAT, and thus the location information can still be revealed. There are also difficulties in making mobility management algorithms and end-to-end security and packet integrity algorithms work with private address spaces. This solution also creates circuitous routes from a mobile node to its correspondent node, because all traffic is routed through one or more NATs to translate private addresses to public addresses. Further, the requirement that all traffic flow through a NAT overloads NATs and prevents them from scaling, and creates a potential single point of failure in the network.
Another known solution, described in S. M. Faccin and F. Le, “Location Privacy for IPv6 nodes”, Internet Draft Document (to be submitted), November 2001, advocates the use of Location Privacy Agents to provide location privacy. In this scheme, the HA of the MN tries to find a router “close” to the CN's current point of attachment to the Internet to act as a Location Privacy Agent (LPA). The address of the LPA is then communicated to the MN. The MN sends packets to the LPA and the LPA forwards them to the CN, so that to the CN the packets appear to originate from the LPA. However, since the MN knows the address of the LPA and the LPA is located close to the CN's point of attachment to the Internet, the approximate geographical location of the CN is revealed to the MN. In other words, this scheme cannot provide mutual location privacy to communicating nodes. It may therefore suffice for client-server applications, where the MN is a mobile client node and the CN is a (stationary) server node such as a WWW server, but it is not sufficient for peer-to-peer applications such as voice calls, in which both MN and CN may be mobile and may want to protect their location privacy. Another solution, described in C. Castelluccia and F. Dupont, “A Simple Privacy Extension for Mobile IPv6”, Internet Draft Document (Expires August 2001), February 2001, uses Hierarchical Mobile IPv6 (HMIPv6) Mobility Anchor Points (MAPs) to provide location privacy. A MAP acts as a representative for a collection of access routers: the node's care of address is anchored at a MAP and does not disclose which access router or access subnet the node is actually attached to. However, a MAP represents access routers in its vicinity, and the location of the MAP can be determined from the IP address the node is using for communication. Hence, it is possible to locate the MN to a particular region, albeit with reduced granularity. While this solution provides better location privacy than traditional Mobile IPv6, it still does not solve the problem completely. Also, this solution suffers from drawbacks such as overload on MAPs and a potential single point of network failure at a MAP, due to its centralized approach.
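The reverse-tunneling path described earlier (MN to HA1 to HA2 to CN) and the LPA relay just described, in one added header-level model; this is example code written for this edit, not code from the page or from either cited Internet Draft. It records the outer and inner IP header on each leg, asks what peer addresses each endpoint necessarily sees, and resolves those to a region label standing in for the WHOIS step. Everything in it is constructed: the address names, the region each address belongs to, the one-unit-per-region-crossing cost used to show the routing penalty, and the assumption that in the LPA scheme both legs are addressed to and from the nodes' current care-of addresses.

```python
"""Header-level model of the two relaying schemes the page discusses:
Mobile IP reverse tunneling (RFC 2344/3024 style, MN -> HA1 -> HA2 -> CN)
and the Location Privacy Agent scheme (MN -> LPA -> CN).

Added example, not code from the page or from either cited draft. The
addresses, the region label attached to each address (standing in for a
WHOIS lookup) and the one-unit-per-region-crossing cost model are
constructed; only IP header fields are modelled, no binding updates or
tunnel set-up signalling.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None  # present when this is a tunnel (outer) header

    def innermost(self) -> "Packet":
        p = self
        while p.inner is not None:
            p = p.inner
        return p


# Constructed topology. MN is at home in net A, roaming in net X; CN is at
# home in net B, roaming in net Y. The region is what WHOIS would reveal.
REGION: Dict[str, str] = {
    "hoa1": "net-A", "ha1": "net-A", "coa1": "net-X",
    "hoa2": "net-B", "ha2": "net-B", "coa2": "net-Y",
    "lpa": "net-Y",  # the HA picks an LPA close to the CN's attachment point
}
MN_CURRENT, CN_CURRENT = REGION["coa1"], REGION["coa2"]


def reverse_tunnel_legs() -> List[Packet]:
    """Packet as seen on the wire on each leg of MN -> HA1 -> HA2 -> CN."""
    inner = Packet("hoa1", "hoa2")         # end-to-end header, HoA to HoA
    return [
        Packet("coa1", "ha1", inner),      # MN tunnels to its own HA
        inner,                             # HA1 decapsulates, forwards to CN's home net
        Packet("ha2", "coa2", inner),      # HA2 re-encapsulates to the CN's CoA
    ]


def lpa_legs() -> List[Packet]:
    """MN -> LPA -> CN; the LPA forwards with itself as source, so CN sees only the LPA.

    Assumption: both legs use the nodes' current care-of addresses; the
    draft's exact addressing is not reproduced here.
    """
    return [Packet("coa1", "lpa"), Packet("lpa", "coa2")]


def direct_legs() -> List[Packet]:
    """Plain CoA-to-CoA traffic with no relay, for comparison."""
    return [Packet("coa1", "coa2")]


def addresses_seen_by_cn(legs: List[Packet]) -> Set[str]:
    """Peer addresses the CN can read off what it receives: outer and inner source."""
    last = legs[-1]
    return {last.src, last.innermost().src}


def addresses_seen_by_mn(legs: List[Packet]) -> Set[str]:
    """Peer addresses the MN must know in order to send: outer and inner destination."""
    first = legs[0]
    return {first.dst, first.innermost().dst}


def reveals_current_region(seen: Set[str], peer_region: str) -> bool:
    """True if any observed address resolves to the peer's current (visited) network."""
    return any(REGION[a] == peer_region for a in seen)


def path_cost(legs: List[Packet]) -> int:
    """Constructed cost: one unit per leg that crosses between regions."""
    return sum(REGION[p.src] != REGION[p.dst] for p in legs)


def summarize(name: str, legs: List[Packet]) -> dict:
    return {
        "scheme": name,
        "cn_locates_mn": reveals_current_region(addresses_seen_by_cn(legs), MN_CURRENT),
        "mn_locates_cn": reveals_current_region(addresses_seen_by_mn(legs), CN_CURRENT),
        "cost": path_cost(legs),
    }


if __name__ == "__main__":
    for name, legs in (("direct", direct_legs()),
                       ("reverse-tunnel", reverse_tunnel_legs()),
                       ("lpa", lpa_legs())):
        print(summarize(name, legs))
```

Under this model reverse tunneling hides both visited networks (the CN sees only HA2 and HoA1, the MN only HA1 and HoA2) but pays three region crossings, while the LPA relay costs the same as a direct path and hides the MN from the CN, yet the single address the MN must send to is in the CN's visited network, which is the asymmetry the text points out.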
In the future, it is highly probable that IP networks, or IP backbones, will carry a large number of communication sessions between mobile users, e.g., two users communicating via mobile terminals over a wireless telecommunications network. Thus, it would be an advancement in the art to provide a location privacy mechanism to mask a user's general geographic location from others who seek to exploit a location-indicative address associated with the user, where the location privacy mechanism is not limited by the above-mentioned drawbacks and limitations.