Pseudonyms in IPv6 ITS Communications: Use of Pseudonyms, Performance Degradation, and Optimal Pseudonym Change

IPv6, developed as a next-generation Internet protocol, will provide us with safer and more efficient driving environments as well as convenience and infotainment features in cooperative intelligent transportation systems (ITS). In this paper, we introduce the use of pseudonyms in IPv6 ITS communications for preserving location privacy. We conduct a qualitative study on the performance degradation due to the use of pseudonyms and a quantitative analysis on the optimal pseudonym change interval. Numerical results demonstrate that an appropriate pseudonym change interval should be chosen depending on the packet arrival rate, mobility rate, and security level.


Introduction
Cooperative intelligent transportation systems (ITS) aim at providing new advanced solutions to today's transport problems. Communications among ITS stations (e.g., cars and roadside infrastructures) are essential parts of the cooperative ITS for improving road safety, efficiency, and comfort during driving. As the communications between ITS stations are the heart of the cooperative ITS, it is important to correctly understand how the deployment of cooperative ITS will affect an individual's privacy during his/her driving.
Privacy is one of the fundamental rights of human beings. In particular, location privacy is a specific type of privacy that can be defined as follows [1]: "the ability to prevent other parties from learning one's current or past location." Imagine your car as a vehicle ITS station constantly communicating with other nearby ITS stations, for example, cars and roadside infrastructures. Your car emits its location (e.g., GPS position information), speed, heading direction, and even identity 10 times per second. Thus, anyone that has a wireless radio receiver system (e.g., wireless access point) within the wireless radio transmission range (probably in 500 meters or 1,000 meters) is able to capture all messages sent out from your car. Now imagine the ability to set up a set of wide-range wireless radio receiver systems in a city. It means that the activity of every single car in the city can be surveilled, including yours. In other words, without sophisticated skills, communications among ITS stations, for example, vehicle, roadside, and personal ITS stations, are exposed to an observer in a wireless radio transmission range because of the nature of wireless communications. As the observer extracts identifiers from a message, such as addresses in each protocol layer in transmissions, he/she could link messages and track a vehicle ITS station emitting the messages having the same identifiers.
To address location privacy in cooperative ITS, the use of pseudonyms has been chosen as a baseline approach for preserving location privacy. A pseudonym, which is an arbitrary bit string to generate a temporary identifier in each protocol layer, is used with an appropriate changing scheme [2]. For instance, a vehicle ITS station uses a pseudonym   in a short period    and changes   to a new pseudonym  +1 for the next short period   +1 . By using a pseudonym only in a short period, observers are only able to link messages sent in the
[5] suggested that a simple pseudonym change does not effectively preserve location privacy but it does not mean that the pseudonym change is ineffective. In this paper, which is an extension of the paper published in [6], we focus on the use of pseudonyms in IPv6 ITS communications for preserving location privacy. In particular, we present an IPv6 address configuration with pseudonyms and then study a performance degradation issue due to frequent pseudonym changes at the IPv6 layer. We also investigate the optimal pseudonym change algorithm that makes a balance between communication overhead and location privacy at the IPv6 layer.

IPv6 Communications in Cooperative ITS
2.1. IPv6 Communications and Applications. The ISO/ETSI ITS station reference architecture specified in [7,8] introduces various communication protocols designed to meet specific requirements for cooperative ITS. However, among communication protocols in the network layer, IPv6 is a major communication protocol as it provides Internet connectivity and communication capacity for various applications. The use of IPv6 especially satisfies the addressing needs of a growing number of vehicles and personal devices [9] and provides session continuity between heterogeneous networks, thanks to a mobility support extension, that is, NEtwork MObility (NEMO) [10].
Various ITS applications have been investigated and studied with respect to their functionalities: safety, efficiency, and infotainment applications [11]. At the beginning of ITS research, most studies focused on the road safety applications, which are basic and essential applications as they aim at minimizing the risk of accidents. However, cooperative ITS does not only provide such limited functionalities. It also provides advanced applications such as traffic efficiency and infotainment applications. In particular, as shown in Table 1, IPv6 communications can be applied to the traffic efficiency and infotainment ITS applications that do not require strict message transmission and very low latency. Then, among the road safety applications, some applications like road sign notifications and incident management are possibly supported by IPv6 communications. For instance, messages of road sign notifications and incident management may be delivered to specific vehicles via roadside infrastructures that use IPv6 communications.

IPv6 Related Standardization Efforts.
As IPv6 has been originally developed for the Internet, its adaptation into cooperative ITS requires a set of standardizations that do not intend to define new protocols or message modification at the IPv6 layer but define how standard IPv6 protocols developed by the IETF are combined for cooperative ITS. The following are standardization efforts at the ISO and ETSI levels.
(i) ISO 21217 [7] and ETSI EN 302 665 [8]: the ISO/ETSI ITS station reference architecture containing IPv6 communications at the network layer is specified.
(ii) ISO 21210 [9]: IPv6 networking between two or more ITS stations has been specified.
(v) ISO 16788 [14]: as of writing this paper, IPv6 network security is being documented.
(vi) ISO 16789 [15]: as of writing this paper, IPv6 network optimization is being documented.

Use of Pseudonyms in IPv6 ITS Communications
3.1. IPv6 Address and Pseudonym. At the IPv6 layer, the IPv6 address is an identity that is globally unique when the address is a unicast address. In order to provide location privacy at the IPv6 layer, a pseudonym, an arbitrary bit string, is used to generate an arbitrary IPv6 address. Figure 1 shows an example of a pseudonym use in the link and network layers for preserving location privacy. Note that pseudonyms can be used in all communication stacks against observers examining not only one communication layer. In this example, the pseudonym is assumed to be 48 bits long and it thus replaces the 48 bits of MAC address, while a new IPv6 address, which is 128 bits long, is generated based on the supplied pseudonym. More specifically, the rightmost 64 bits of IPv6 address, that is, interface identifier, are generated based on the pseudonym while the leftmost 64 bits of IPv6 address, that is, network prefix, are supplied from a router advertisement (RA) sent from an access router.
As mentioned earlier, the pseudonym is synchronously changed across the entire communication stack in order to make sure that identity information at each layer is changed. For instance, as shown in Figure 1, when a current pseudonym   is changed to a new one  +1 , the whole MAC address is replaced by  +1 , while the IPv6 address is changed accordingly [3]. Hereinafter, we focus on the use of pseudonym at the IPv6 layer.

Pseudonym Change. An example of pseudonym changes at the IPv6 layer is introduced in detail. In particular, we illustrate two specific pseudonym changes similar to [3]: (1) pseudonym change due to a handover and (2) pseudonym change due to a pseudonym expiration.
Figure 2 shows a considered network topology wherein a vehicle ITS station implementing IPv6 mobility, that is, NEMO, changes its attachment point from an access router, AR-1, to a new access router, AR-2. The vehicle ITS station is thus assumed to be equipped with a mobile router (MR) functionality defined in [10]. Each access router provides the Internet connectivity to the vehicle in its access network. The home agent (HA) is located at the Internet.
Figure 3 shows pseudonym change procedures. The details of each step are as follows.
(1) First, a pseudonym change due to handover is considered. Suppose that the vehicle ITS station  attaches to a new access network of AR-2.
(2)  receives an RA message from AR-2. The RA message includes the network prefix NP 2 for the new access network of AR-2. ( where  3 is used for generating its new interface identifier, IID  3 . In order to check the uniqueness of CoA 3 , the DAD procedure is performed again.
(7)  sends a new BU message containing CoA 3 as a source address.
(8) Upon receiving the BU message, the HA updates its binding cache for  and replies with the BA message.
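The address configuration of Section 3.1 and the two pseudonym changes in the steps above can be traced in a short Python sketch. This is an added example, not code from the paper: it assumes the care-of address is the plain concatenation of the /64 prefix with the modified EUI-64 (RFC 4291) of the 48-bit pseudonym, and the prefixes, pseudonym values and function names are constructed for illustration.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # rightmost 64 bits: the interface identifier

def eui64_iid(pseudonym: bytes) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, App. A) of a 48-bit pseudonym."""
    if len(pseudonym) != 6:
        raise ValueError("pseudonym must be exactly 48 bits")
    eui = bytearray(pseudonym[:3] + b"\xff\xfe" + pseudonym[3:])
    eui[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(eui, "big")

def care_of_address(prefix: str, pseudonym: bytes) -> ipaddress.IPv6Address:
    """Assumed form CoA = NP || EUI64(pseudonym); NP is the /64 prefix from the RA."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix from the router advertisement")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(pseudonym))

def linkable(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> bool:
    """Observer's check across captures: is the interface identifier reused?"""
    return (int(a) & IID_MASK) == (int(b) & IID_MASK)

# Constructed sample values: documentation prefixes standing in for NP 1 and
# NP 2, and three arbitrary 48-bit pseudonyms.
NP1, NP2 = "2001:db8:1::/64", "2001:db8:2::/64"
P1, P2, P3 = (bytes.fromhex(h) for h in ("02a1b2c3d4e5", "0e5f60718293", "0a0b1c2d3e4f"))

def walk_through() -> dict:
    coa1 = care_of_address(NP1, P1)   # attached to AR-1
    stale = care_of_address(NP2, P1)  # handover to AR-2, pseudonym wrongly kept
    coa2 = care_of_address(NP2, P2)   # handover with a pseudonym change
    coa3 = care_of_address(NP2, P3)   # pseudonym expiration, same access network
    return {
        "coa1": coa1, "coa2": coa2, "coa3": coa3,
        "reuse_tracked": linkable(coa1, stale),
        "handover_tracked": linkable(coa1, coa2),
        "expiry_tracked": linkable(coa2, coa3),
    }

if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name:17} {value}")
```

Each new address would still have to pass DAD and be registered with the HA in a BU message before use, which the sketch does not model.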

Qualitative Analysis
In this section, we examine performance degradation with the use of pseudonym at the IPv6 layer. A pseudonym at the IPv6 layer is changed mostly due to the following: (i) the pseudonym change interval, that is, pseudonym expiration, (ii) the change of point-of-attachment, that is, network-level handover. pseudonym change. At  0 ,   is expired and  +1 is provided to generate a new IPv6 address at an interface. Then, at  1 , the new IPv6 address is generated. In order to use the newly generated IPv6 address for IPv6 ITS communications, it is required to check the IPv6 address uniqueness via the duplicate address detection (DAD) procedure, which is another time-consuming procedure. If the IPv6 address successfully passes the DAD procedure, it is ready to use at  2 . Then, the IPv6 address is used to send a registration message to its HA [9,10]. As shown in Figure 4, during the time for the DAD procedure  DAD , outgoing packets are delayed until the DAD procedure is successfully completed. If the outgoing packets are for a session based communication, for example, TCP communication, the session can be disconnected due to the address change.
Figure 5 shows the time diagram on the procedures that occurred when the IPv6 address changed due to the network-level handover [9,10]. At  0 , the link switch occurs and ends at  1 . As the link is changed, the movement detection time is required at the IPv6 layer. Then, as its movement is detected,  +1 is supplied to generate the new IPv6 address at an interface at  2 . The remaining procedures are the same as for the case described in Figure 4.

Quantitative Analysis
A pseudonym change badly influences communication performance as it yields the IPv6 address change during IPv6 communications. If a pseudonym change interval is long, the privacy exposure time increases. On the other hand, if the pseudonym change interval is short, the overhead due to frequent pseudonym changes increases. Accordingly, an algorithm that finds an optimal pseudonym change interval for making a balance between communication overhead and location privacy is needed.
Figure 6 shows a timing diagram for modeling the privacy exposure time, which is defined as the time until a new pseudonym is set.The following are the used notations with explanations: (i)  0 : subnet enter (come-in) time, With the timing diagram, we model the privacy exposure time and develop the optimal pseudonym change algorithm.After the observation starts at  1 , a pseudonym is changed (updated) either at  2 by a periodical pseudonym change or at  3 by a handover.Therefore, the privacy exposure time  is given by where Then, the probability density function (PDF) of  is given: where  1 () and  2 () are PDFs of  1 and  2 , respectively.Now, we need to find proper distributions for  1 and  2 .The pseudonym change interval   is a constant and  1 is a random observer time epoch.Therefore,  1 follows a uniform distribution in [0,   ] and thus  1 () is obtained as On the other hand, if the subnet residence time   follows an exponential distribution with mean of 1/  ,  2 () is calculated as Then, the PDF of , (), can be expressed as From ( 7), the Laplace transform of (),  * (), can be obtained and the expected privacy exposure time, [], can be obtained from [] = (/) * ()| =0 .
Suppose a vehicle generates packets with rate   (packets/sec).Let  denote the expected number of packets influenced by the privacy exposure.Then,  is calculated as Intuitively, (  ) increases with the increase of   .Therefore, the optimal value of   can be obtained from the following problem: That is, the optimal value of   is the maximum value of   while (  ) does not exceed a predefined threshold value Θ.Note that Θ should be determined depending on the application type, security level, and vehicle's mobility.
Figure 7 shows (  ) as   increases. With the increase of   , the pseudonym is infrequently updated and more packets can be affected by the privacy exposure. In addition, it can be found that low   leads to the increase of (  ). This is because low   or low mobility reduces the number of pseudonym changes due to subnet movements. Figure 7 can be used to determine the optimal   . For example, when   and   are set to 1.0 and 9, respectively, (  ) is 8.89. On the other hand, when   becomes 10, (  ) exceeds 9.00. Therefore, if the threshold (or upper limit) on (  ), that is, Θ, is given by 9.0, the optimal   should be less than 10. From Figure 7, it can be shown that a larger   can be set when   is high under the same threshold Θ. This can be explained as follows. If   or mobility is high, the pseudonym can be frequently updated by subnet changes. Hence, a longer   is allowed to save the pseudonym update cost in such a situation. Figure 8 shows the effect of   . Intuitively, when   is large, more packets can be affected by the privacy exposure. Due to this reason, a smaller   should be set when   is large as shown in Figure 8.
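The optimization described in this section can be worked through numerically. The following Python sketch is an added example, not the paper's own code or equations: it assumes the exposure time is the minimum of an independent Uniform[0, t_p] time (periodic change) and an exponential time with rate mu (handover), derives the closed form itself, and uses hypothetical names t_p, mu, lam and theta for the change interval, mobility rate, packet rate and threshold. A packet rate of 10 is an assumption chosen because it reproduces the 8.89 and 9.00 values quoted above.

```python
import math

def expected_exposure(t_p: float, mu: float) -> float:
    """E[T] for T = min(T1, T2), T1 ~ Uniform[0, t_p], T2 ~ Exp(mu), independent.

    Conditioning on T1 = u gives E[min(u, T2)] = (1 - exp(-mu*u)) / mu; averaging
    over u yields (1/mu) * (1 - (1 - exp(-mu*t_p)) / (mu*t_p)).
    """
    if t_p <= 0 or mu <= 0:
        raise ValueError("t_p and mu must be positive")
    x = mu * t_p
    return (1.0 + math.expm1(-x) / x) / mu

def expected_packets(t_p: float, mu: float, lam: float) -> float:
    """Expected number of packets sent during the privacy exposure time."""
    return lam * expected_exposure(t_p, mu)

def optimal_interval(theta: float, mu: float, lam: float,
                     t_max: float = 3600.0, tol: float = 1e-9) -> float:
    """Largest t_p <= t_max whose expected packet count stays within theta.

    The count grows with t_p, so bisection applies. t_max is an assumed
    operational cap; it is returned when even that interval stays within theta.
    """
    if theta <= 0:
        raise ValueError("theta must be positive")
    if expected_packets(t_max, mu, lam) <= theta:
        return t_max
    lo, hi = 0.0, t_max
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if expected_packets(mid, mu, lam) <= theta:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    for t_p in (5, 9, 10, 20):
        print(f"t_p={t_p:>2}  N={expected_packets(t_p, mu=1.0, lam=10.0):.2f}")
    for mu, lam in ((1.0, 10.0), (2.0, 10.0), (1.0, 20.0)):
        best = optimal_interval(theta=9.0, mu=mu, lam=lam)
        print(f"mu={mu} lam={lam}  optimal t_p={best:.3f}")
```

Under these assumptions the expected packet count can never exceed lam/mu, so whenever theta is at or above that bound the threshold places no limit on the change interval.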

Conclusions
As IPv6 is considered as a main communication protocol for accessing the Internet during driving, location privacy at the IPv6 layer is becoming an important issue in cooperative ITS. In this paper, we have presented an IPv6 address configuration with pseudonyms and then studied a performance degradation issue due to the pseudonym change at the IPv6 layer. We moreover proposed the optimal pseudonym change algorithm that adaptively finds an optimal pseudonym change interval with given parameters.

Figure 1: Example of a pseudonym use in the link and network layers.

Figure 6: Diagram for the optimal pseudonym change interval.

Table 1: Cooperative ITS applications and IPv6 applicability.
)  is required to configure a new address called care-of address (CoA) with NP 2 at the new access network. As  2 is provided to the IPv6 layer, it is used to generate CoA 2 with NP 2 : CoA 2 =  − (NP 2 ‖ EUI64 ( 2 )) , Before the use of CoA 2 in unicast communications, the uniqueness is checked via the duplicate address detection (DAD) procedure. Then, if CoA 2 is unique,  uses  2 to inform its new location by sending a BU message to its HA. The new location of  is registered to the binding cache of HA.
However, in this step, a new pseudonym  2 instead of its previous pseudonym  1 or its MAC address is used to generate the CoA CoA 2 with NP 2 . If  1 would be still used at the new access network, an observer who can access both access networks could recognize the vehicle's movement by checking the use of  1 in address generation. The IPv6 layer thus requests  2 to the security entity.
(5) The HA replies with the BA message to .
(6) A pseudonym change due to pseudonym expiration is now considered. Suppose that the current pseudonym's lifetime   2 has expired. Then,  has to reconfigure its current CoA, CoA 2 , even if it has not moved to another access network. For this, the IPv6 layer requests a new pseudonym to the security entity as in step (3). After a successful provision of the new pseudonym  3 , similar to the previous address generation, a new CoA, CoA 3 , is generated as CoA
Figure 4 is the timing diagram showing which procedures are performed when the IPv6 address is changed due to the