Re: [dane] Network errors ARE attacks - on the end-to-end-principle

[Martin Rex <mrex@sap.com>]

John Gilmore wrote:
> 
> > But it's better then disabling TLSA at all in the face
> > of DNS errors (where we assume most errors are genuine network errors
> > and not attacks).
> 
> "Genuine network errors" from buggy proxies or intentional firewalls
> or intentional or accidental censorship systems ARE attacks.  They are
> attacks on the fundamental end-to-end premise of the Internet.

Where have you been during the last 10 years?
There is no such thing an a "fundamental end-to-end premise" on the
Internet.  And if it ever existed, it ceased to exist ~10 years ago.
(and for good, because it would entirely preclude privacy).


> 
> The Internet changed all that, making it clear what a huge benefit the
> public could derive from a system that delivered end-users' data
> end-to-end, unmodified, from anywhere, to anywhere.

That is not the case here.  Telco's providing Internet Access for
mobile devices regulary block traffic to VoiP providers _and_
regularly prevent your smartphone or tablet from forwarding
IP datagrams to other devices ("tethering") unless you pay extra.


>
> Or shipping buggy DNS proxies that mess up Port 53 UDP traffic in
> their subnet.  Most users didn't notice, which allowed the providers
> to often get away with censoring the ones who did notice.

You seem to be unaware of the IETF full Standard "STD-13"

   http://tools.ietf.org/html/std13#section-2.3.4

Those DNS proxies are perfectly Standards-compliant.

Maybe the IETF should come around to merging contents of later documents
with STD-13 and work this successor through document maturity levels to
full standard in order to replace the *CURRENT* STD-13, similar to what
has been done with 821->2821->5321 and 822->2822->5322, so that when
implementations of the *current* STD-13 in the installed base have
died off, one can start complaining about non-support of DNSSEC.


-Martin