Re: [dane] Network errors ARE attacks - on the end-to-end-principle

Henry Story <henry.story@bblfish.net> Wed, 16 May 2012 11:55 UTC

Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=us-ascii
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <1C09F467-004B-4EB7-87C2-92CBDF74E967@checkpoint.com>
Date: Wed, 16 May 2012 13:55:44 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <A41E2719-EA5D-413F-84F4-A0E70166BF1E@bblfish.net>
References: <201205160943.q4G9hXOJ017665@fs4113.wdf.sap.corp> <1C09F467-004B-4EB7-87C2-92CBDF74E967@checkpoint.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: "dane@ietf.org" <dane@ietf.org>
Subject: Re: [dane] Network errors ARE attacks - on the end-to-end-principle
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>

On 16 May 2012, at 12:31, Yoav Nir wrote:

> 
> On May 16, 2012, at 12:43 PM, Martin Rex wrote:
> 
>> John Gilmore wrote:
>>> 
>>>> But it's better than disabling TLSA at all in the face
>>>> of DNS errors (where we assume most errors are genuine network errors
>>>> and not attacks).
>>> 
>>> "Genuine network errors" from buggy proxies or intentional firewalls
>>> or intentional or accidental censorship systems ARE attacks.  They are
>>> attacks on the fundamental end-to-end premise of the Internet.
>> 
>> Where have you been during the last 10 years?
>> There is no such thing as a "fundamental end-to-end premise" on the
>> Internet.  And if it ever existed, it ceased to exist ~10 years ago.
> 
> 15. Most networks have a NAT, including almost all home networks. Most corporate networks have some kind of firewall. If you want end-to-end, you have to roll your own through IPsec or TLS, and even then you're likely to get load balancers at the server side, and the occasional decrypting proxy on the client side.

The point of John Gilmore's inspirational mail is that end-to-end is the aim of
the architecture of the Internet. It is because it was architected for end-to-end
communication that it has had such positive effects. The reason these working
groups exist is to remove the technical reasons for this not always being possible,
for example by working on IPv6.  When the technical reasons have been moved out of the
way, the network effects and political pressure can be built up to solve the deployment
problems. Luckily the network effect works in favour of those who work for freedom.

Henry

> 
> Yoav
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane

Social Web Architect
http://bblfish.net/