[dane] Network errors ARE attacks - on the end-to-end-principle

[John Gilmore <gnu@toad.com>]

> But it's better then disabling TLSA at all in the face
> of DNS errors (where we assume most errors are genuine network errors
> and not attacks).

"Genuine network errors" from buggy proxies or intentional firewalls
or intentional or accidental censorship systems ARE attacks.  They are
attacks on the fundamental end-to-end premise of the Internet.

The default state of the networking world, pre-Internet, is that
network providers felt free to block or modify data in transit, for
their own convenience, profit, whim, or by accident.  They'd control
what services you could access, what channels you could watch, etc,
etc, etc.  It was assumed that the owner of the communications channel
had every right and every business reason to limit who you were allowed
to talk to, and on what topics.

The Internet changed all that, making it clear what a huge benefit the
public could derive from a system that delivered end-users' data
end-to-end, unmodified, from anywhere, to anywhere.  Finally you could
access YOUR CHOICE of data and services from anywhere -- not "this
service is only available on France Telecom's Teletext system" and
"You can't email that guy because he's on MCI Mail and you're on The
Source".  Now that Moore's Law's newly available crunchons enabled
today's complex radio modulations and equally complex presentation
protocols, you can get all those same services wirelessly, instead of
what the incumbent providers kept designing over and over ("You can
only get this WAP-based information service on AT&T mobile phones" and
"To watch this TV show that you've already paid for, you have to be
physically plugged into this coaxial cable.")

Since the public rise of the Internet in the '90s was not
cryptographically secured end-to-end, providers eventually realized
that they could somewhat go back to their old ways of messing with
end-users' data for their own convenience, profit, whim, or by
accident.  Like Comcast blocking BitTorrent traffic by forging RST
packets, AT&T Mobile deliberately dropping packets when it had the
capacity to carry them, just to discourage "unlimited" usage, or
certain carriers declining to carry packets for "over the top" video.
Or shipping buggy DNS proxies that mess up Port 53 UDP traffic in
their subnet.  Most users didn't notice, which allowed the providers
to often get away with censoring the ones who did notice.

DNSSEC and DANE are just part of the leading edge of a trend to secure
Internet traffic end-to-end.  This will make more such blockages and
modifications much more apparent -- turning them from
possibly-unnoticed inconveniences into denial-of-service failures.

But the end result will be that (1) users will realize they are being
censored; (2) providers will clean up the accidental and whim-related
censorship; and (3) users will migrate to providers who offer them
reliable end-to-end service without interruptions for the provider's
convenience or profit.

And in that way, the Internet will route around these attacks on the
end-to-end principle.

This is a good thing, despite the distributed pain involved in fixing
all those broken devices and misguided providers.

	John