Re: [arch-d] IAB statement on "Avoiding Unintended Harm to Internet Infrastructure"

Mark Nottingham <mnot@mnot.net> Wed, 13 November 2019 23:37 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D49F9120842 for <architecture-discuss@ietfa.amsl.com>; Wed, 13 Nov 2019 15:37:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=2m3Nfr96; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=A6BSUo91
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LFiRJf9fd6rs for <architecture-discuss@ietfa.amsl.com>; Wed, 13 Nov 2019 15:37:32 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAA80120837 for <architecture-discuss@ietf.org>; Wed, 13 Nov 2019 15:37:32 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id DC7D7220AF; Wed, 13 Nov 2019 18:37:31 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Wed, 13 Nov 2019 18:37:31 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm1; bh=2 RHEzPBFSV3pci9CojcMzBmFPx0q2qFMoeBzPsrT7WI=; b=2m3Nfr96suXQd/cY/ iqHEKiyOWqjELImIsV4xxulwNgGCVy+KAWSmz3oO0tYdGAcgbq2Gq7aHFprR+VYE GtTHYj5zW8NiR6y1Tz0MwS8s0C5t4KDvvyCboaW2jpoLj2/s6nVoM7ehVqFk2Zyw oOc/Rb3MtgCefRxO76JNAiJwXMKBkLXsfTOZKv1E2nOkQb91hpZVov8RmHEpKI5Z mNZDOg7TP/K/sTTEQ7dFfbRHpX4+M1fuEVvtsUfdxcJM3qqpd5/raJL9u/oRk8KJ bPBvRKLLGwkAyO4unVZyxfmt0pq33W+I0D4LmCd7dfJgpVNu46sB1V+6IDyoWsFR J8hFg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=2RHEzPBFSV3pci9CojcMzBmFPx0q2qFMoeBzPsrT7 WI=; b=A6BSUo91Dw85fBuwED+mXVu1TwBGUsFwfliKAhZTBXxuyjWZyV0tF3KzK 2uFdWWFZ1Qpo0XRJ48LQTHEWEv+LQWVyPjwWCR0JqbdW7sOEWpVhavOkm9fgphmy RNyYKFJOBKX1RJEkIOs/Mg8EWG1arerf6XoCRnwxOsy0LjEnVHFtd2HJbLrOxrpT w/f2j3eNXeW2aawI8BkevBKriJnqAlT4snB984Z9iQPB/2FMDRLU7Mf4uW4etEw0 cgQWq4zKIcOcp0KXfX2UmpO1xj+1Ll6vNBqq/8bXSL/Hu6VfezhiQIBx5XxoVzrn gkh82G2xsDZY1Wzjm90cLTW0svCzA==
X-ME-Sender: <xms:upPMXb9c-pI2AJsBr6Da9OsRD5Ft8W_5utvDzSlkoeFoac7RgIDBGA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrudefvddguddvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtvdenucfhrhhomhepofgrrhhk ucfpohhtthhinhhghhgrmhcuoehmnhhothesmhhnohhtrdhnvghtqeenucffohhmrghinh epmhhnohhtrdhnvghtnecukfhppeduudelrddujedrudehkedrvdehudenucfrrghrrghm pehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnhgvthenucevlhhushhtvghrufhiii gvpedt
X-ME-Proxy: <xmx:upPMXTwqFqiWpjoEZP7IXPf72Gm9HnTI41afnVJplvoQ2oXBjA4q2w> <xmx:upPMXSbqTqBYODEev2wZv6eTEzc3x1aCrjp9UAF_atkiYBajG5JyFw> <xmx:upPMXfqsl7phsGr3keirKyzaXnRs2j3sxZ0JnUNV2Ur2IFfG4bXeDg> <xmx:u5PMXXthjElrhnwH08J9w7QkOHxvGB7BbDcfTVTzqzhWCjk561Yaew>
Received: from attitudadjuster.mnot.net (unknown [119.17.158.251]) by mail.messagingengine.com (Postfix) with ESMTPA id F26FE306005F; Wed, 13 Nov 2019 18:37:27 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20191113222929.E72EC194CFA1@fafnir.remote.dragon.net>
Date: Thu, 14 Nov 2019 10:37:24 +1100
Cc: Andrew Campling <andrew.campling@419.consulting>, "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <89C3177C-5F83-4477-8B9E-7EF6844C7049@mnot.net>
References: <LO2P265MB0573C0D8F8D9D7ECF4E472AFC2760@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <20191113222929.E72EC194CFA1@fafnir.remote.dragon.net>
To: Paul Ebersman <list-architecture-discuss@dragon.net>
X-Mailer: Apple Mail (2.3601.0.10)
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/1pgrTvydwmaEh6wphSMYeJHF6gA>
Subject: Re: [arch-d] IAB statement on "Avoiding Unintended Harm to Internet Infrastructure"
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2019 23:37:36 -0000

On 14 Nov 2019, at 9:29 am, Paul Ebersman <list-architecture-discuss@dragon.net> wrote:
> 
> My take from RFC 7258 is that the key differentiator is user knowledge
> and/or consent, i.e. if the user is not aware they are being monitored
> and/or has not consented explicitly to altered data (in this case DNS
> answers), that is what RFC 7258 considers an attack.
> 
> In the use case of DNS filtering, if the user is both aware of the
> alteration of DNS answers (and why/how they might be altered) and has
> consented via opt-in, that is a *service*, not an attack.

7258 doesn't say anything about consent or "user knowledge," so I don't know how you took that away from the document.

Putting that aside, assuming that consent (or its oft-relied upon variant, "informed consent") is adequate to protect users relies on users' ability to understand how the Internet works, how their data will be used, how it could be misused, how changes in policy, law, or entity ownership might affect its handling, the nature of any security vulnerabilities introduced by third parties involvement in their communication. If the consent is long-lived (as it would be with DNS), they have to remember it over that period of time, for each interaction. They also have to intersect this consent with others that they give -- often leading to "consent fatigue" (see: GDPR cookie notices and privacy policy changes).

That doesn't mean that we should never allow a user to make a choice, but we need to think carefully about the systemic effects of the points where we allow such a choice; there is ample evidence that most users _don't_ understand the choice they're making, and can be led into pretty hazardous situations as a result.

Right now, unencrypted DNS via DHCP doesn't give users a choice at all; they use the DNS results returned by their network, without any consent (beyond using the network -- which in most peoples' minds is "the Internet."). They can, however, choose to use a different DNS server by configuring it, or they can choose to configure an encrypted DNS server. 

The sticking point here is that DoH allows someone to avoid their network making that choice for them (with a lot of fuzziness about how consent is obtained). There are user-centred arguments as to why it's necessary to impose that policy at the network level (eg., lack of interfaces to configure IoT devices), but let's not start from the assumption that the best place to interpose those services is by having the network transparently handle them, just because that's how it's been done before. Let's also not assume that obtaining consent explicitly from the user to interpose those services is easy or without risks of various sorts; we have lots of examples where allowing random devices on networks to ask permission to do things ended up badly.

> As Andrew said, we and the IAB should not be making blanket statements
> that "all DNS filtering is wrong" as that doesn't correctly reflect all
> of our stakeholders, considering the use case of user approved
> filtering.

That is not a quote from the document. In context, the statement is cautioning that legislation or regulation that requires DNS servers to give false answers could have systemic effects on trust.

> Agreed. Recent government panels in the UK and Australia on DoH and
> concerns that this will break DNS filtering, even in cases where the
> users wish to have it, shows that governments and law enforcement will
> push back on technical standards.

Australian here; could you point me to the event you're talking about? Because I see no evidence yet that the Australian government will "push back" on DoH. There are some people who are trying to stir up a controversy around it, and a lot of misinformation flying about, but nothing from the government itself, AFAICT.

> This is particularly likely if we
> don't include them as stakeholders in discussions and help them
> understand what these protocols do (and don't do).
> 
> This doesn't mean I'd advocate for government approval of IETF documents
> but avoiding misunderstandings we can predict in advance does make it
> less likely we'll be saddled with excessive and possibly ineffective
> regulation.

I agree that we need to do better in working with the various parts of the Internet community, including governments. I'd be loathe to give them any special status, though, as that would fundamentally change the nature of the IETF, and the Internet.

Chers,


--
Mark Nottingham   https://www.mnot.net/