A few folks have suggested that one could share the ID as an anonymous/pseudonymous substitute for the flow tuple, to avoid revealing the actual flow. (In analogy to sharing a file hash instead of the actual file, for example.) Applicability here seems much more narrow since the ID would most likely be of value only to the parties able to observe the underlying flow.
It may be of interest to keep the flow endpoints discernible in the ID (as a pair of hashes, perhaps) — doing so would allow checking whether one has also seen a certain endpoint in abusive behavior, etc. But that immediately leads to separating the address from the port, so we're essentially down to rendering each part of the flow tuple separately. Seems in those settings you might as well not use the ID in the first place.
I'm afraid I don't remember all individuals who have brought this up. — @vivekrj asked on Twitter, as did one participant at the 2018 Bro workshop in Karlsruhe, Germany.
Additional thoughts are very welcome.
I think replacing the SHA1 function with an HMAC/CMAC function would solve the issue. Then to reveal the associated flow, the private shared key needs to be known.
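An added sketch, not part of the thread or of the project's code, of the difference the comment above points at: an unkeyed SHA1 over a flow tuple can be recomputed by anyone who can guess the tuple, while an HMAC over the same bytes can only be recomputed with the shared key. The tuple byte layout, the key, the function names and the sample flows are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct


def canonical_tuple(saddr, daddr, proto, sport, dport):
    """Pack the 5-tuple so both directions of a flow yield the same bytes.

    Assumed layout for this sketch: addr | addr | proto | pad | port | port.
    """
    a = ipaddress.ip_address(saddr).packed
    b = ipaddress.ip_address(daddr).packed
    # Order endpoints by (address, port) so direction does not matter.
    if (a, sport) > (b, dport):
        a, b, sport, dport = b, a, dport, sport
    return a + b + struct.pack("!BBHH", proto, 0, sport, dport)


def plain_id(*flow):
    """Unkeyed SHA1 of the tuple: recomputable by anyone who guesses the flow."""
    return base64.b64encode(hashlib.sha1(canonical_tuple(*flow)).digest()).decode()


def keyed_id(key, *flow):
    """HMAC-SHA1 of the tuple: recomputing it requires the shared key."""
    mac = hmac.new(key, canonical_tuple(*flow), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def matching_flows(shared_id, candidates, id_func):
    """Return the candidate flows whose ID equals the shared ID."""
    return [c for c in candidates if id_func(*c) == shared_id]


# Constructed sample data (documentation address ranges, made-up ports and key).
FLOW = ("192.0.2.10", "198.51.100.7", 6, 51234, 443)
REVERSED = ("198.51.100.7", "192.0.2.10", 6, 443, 51234)
GUESSES = [("192.0.2.10", "198.51.100.7", 6, p, 443) for p in range(51230, 51240)]
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print("plain, guessed without key:",
          matching_flows(plain_id(*FLOW), GUESSES, plain_id))
    print("keyed, guessed without key:",
          matching_flows(keyed_id(KEY, *FLOW), GUESSES, plain_id))
    print("keyed, checked with key:   ",
          matching_flows(keyed_id(KEY, *FLOW), GUESSES, lambda *f: keyed_id(KEY, *f)))
```

The keyed ID is only as private as the key: every party that holds it can test guesses exactly as with the unkeyed hash.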