Skip to content

Commit 4f80863

Browse files
committed
Rework the "Use Cases and Motivations" section
1 parent 317cf3c commit 4f80863

1 file changed

Lines changed: 15 additions & 7 deletions

File tree

draft-denis-ipcrypt.md

Lines changed: 15 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -139,19 +139,27 @@ There are no known patent claims on these methods.
139139

140140
## Use Cases and Motivations
141141

142-
The main motivations include:
142+
IP addresses are personally identifiable information (PII). While generic encryption systems can protect them, the specialized methods described here offer significant advantages with well-defined security guarantees:
143143

144-
- **Privacy Protection:** Encrypting IP addresses prevents the disclosure of user-specific information when data is logged or measured, as discussed in {{!RFC6973}}.
144+
- **Efficiency and Compactness:** All variants operate on exactly 128 bits, providing single-block encryption speed. Non-deterministic variants add only 8-16 bytes of tweak overhead compared to arbitrary expansion in generic encryption systems. This enables processing billions of addresses at network speeds.
145145

146-
- **Format Preservation:** Ensuring that the encrypted output remains a valid IP address allows network devices to process the data without modification. See {{format-preservation}} for details.
146+
- **High Usage Limits:** Non-deterministic variants support extensive operations per key - approximately 4 billion for `ipcrypt-nd` and 18 quintillion for `ipcrypt-ndx` - far exceeding typical cryptographic limits while maintaining compact outputs.
147147

148-
- **Mitigation of Correlation Attacks:** Deterministic encryption reveals repeated inputs; non-deterministic modes use a random tweak to obscure linkability while keeping the underlying input confidential. See {{non-deterministic-encryption}} for implementation details.
148+
- **Format Preservation (Deterministic):** The `ipcrypt-deterministic` variant produces valid IP addresses, enabling seamless integration with existing network tools that validate IP formats (see {{format-preservation}}).
149149

150-
- **Privacy-Preserving Analytics:** Many common operations like counting unique clients or implementing rate limiting can be performed using encrypted IP addresses without ever accessing the original values. This enables privacy-preserving analytics while maintaining functionality.
150+
- **Interoperability:** By following the recommendations from this specification, implementations can reliably encrypt and decrypt IP addresses in a compatible way across different systems and vendors.
151151

152-
- **Third-Party Service Integration:** IP addresses are private information that should not be sent in cleartext to potentially untrusted third-party services or cloud providers. Using encrypted IP addresses as keys or identifiers allows integration with external services while protecting user privacy.
152+
These specialized encryption methods unlock several critical use cases:
153153

154-
For implementation examples, see {{pseudocode-and-examples}}.
154+
- **Privacy Protection:** They prevent the exposure of sensitive user information in logs, analytics data, and network measurements ({{!RFC6973}}).
155+
156+
- **Correlation Attack Resistance:** While deterministic encryption can reveal repeated inputs, the non-deterministic variants leverage random tweaks to hide patterns and enhance confidentiality (see {{non-deterministic-encryption}}).
157+
158+
- **Privacy-Preserving Analytics:** Encrypted IP addresses can be used directly for operations such as counting unique clients, rate limiting, or deduplication—without needing to reveal or access the original values.
159+
160+
- **Seamless Third-Party Integration:** Encrypted IPs can act as privacy-preserving identifiers when interacting with untrusted services, cloud providers, or external platforms.
161+
162+
For implementation guidelines and practical examples, see {{pseudocode-and-examples}}.
155163

156164
## Relationship to IETF Work
157165

0 commit comments

Comments
 (0)