Re: [dane] Network errors ARE attacks - on the end-to-end-principle

Yoav Nir <ynir@checkpoint.com> Wed, 16 May 2012 10:32 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "mrex@sap.com" <mrex@sap.com>
Date: Wed, 16 May 2012 13:31:50 +0300
Message-ID: <1C09F467-004B-4EB7-87C2-92CBDF74E967@checkpoint.com>
References: <201205160943.q4G9hXOJ017665@fs4113.wdf.sap.corp>
In-Reply-To: <201205160943.q4G9hXOJ017665@fs4113.wdf.sap.corp>
Cc: "dane@ietf.org" <dane@ietf.org>
Subject: Re: [dane] Network errors ARE attacks - on the end-to-end-principle

On May 16, 2012, at 12:43 PM, Martin Rex wrote:

> John Gilmore wrote:
>> 
>>> But it's better than disabling TLSA at all in the face
>>> of DNS errors (where we assume most errors are genuine network errors
>>> and not attacks).
>> 
>> "Genuine network errors" from buggy proxies or intentional firewalls
>> or intentional or accidental censorship systems ARE attacks.  They are
>> attacks on the fundamental end-to-end premise of the Internet.
> 
> Where have you been during the last 10 years?
> There is no such thing as a "fundamental end-to-end premise" on the
> Internet.  And if it ever existed, it ceased to exist ~10 years ago.

15. Most networks have a NAT, including almost all home networks. Most corporate networks have some kind of firewall. If you want end-to-end, you have to roll your own through IPsec or TLS, and even then you're likely to get load balancers at the server side, and the occasional decrypting proxy on the client side.

Yoav
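The disagreement above is over one branch of a DANE client's decision logic: what to do when the TLSA lookup neither succeeds nor validates, but simply fails (SERVFAIL, timeout, port 53 blocked by one of the middleboxes Yoav lists). The following model, added here as an illustration and not code from the thread or from any DANE implementation, encodes the other branches the way the DANE protocol draft of the time (later RFC 6698) specifies them (bogus means fail, unsigned means ignore TLSA) and parameterises only the disputed error branch. It then checks what a constructed on-path attacker with two capabilities, forging DNS answers or merely dropping them, can achieve under each policy. The `Lookup`, `Decision` and `Attacker` enumerations and the `decide`/`downgraded` functions are this example's own names; no real DNS or TLS is performed.

```python
"""
Added example, not from the [dane] thread or any DANE implementation:
models how a DANE client's treatment of a failed TLSA lookup decides
whether an on-path adversary can strip the DANE check.
Resolver outcomes and attacker capabilities are constructed constants;
nothing here touches the network.
"""
from enum import Enum, auto


class Lookup(Enum):
    SECURE_DATA = auto()    # TLSA RRset present and DNSSEC-validated
    SECURE_NODATA = auto()  # validated proof that no TLSA record exists
    INSECURE = auto()       # zone unsigned: TLSA records must not be used
    BOGUS = auto()          # DNSSEC validation failed
    ERROR = auto()          # SERVFAIL, timeout, blocked port 53: the disputed case


class Decision(Enum):
    ENFORCE_TLSA = auto()  # server certificate must match the TLSA record
    PKIX_ONLY = auto()     # ordinary CA validation only, DANE not applied
    ABORT = auto()         # refuse to connect


def decide(lookup: Lookup, errors_are_attacks: bool) -> Decision:
    """Map a TLSA lookup outcome to a client decision.

    errors_are_attacks=False is the "most errors are genuine network errors"
    position quoted in the thread; True is the "network errors ARE attacks"
    position. Only the ERROR branch differs between the two.
    """
    if lookup is Lookup.SECURE_DATA:
        return Decision.ENFORCE_TLSA
    if lookup in (Lookup.SECURE_NODATA, Lookup.INSECURE):
        # Validated absence, or an unsigned zone: DANE does not apply here.
        return Decision.PKIX_ONLY
    if lookup is Lookup.BOGUS:
        # A bogus DNSSEC result is a hard failure under either policy.
        return Decision.ABORT
    # lookup is Lookup.ERROR: the branch the thread is arguing about.
    return Decision.ABORT if errors_are_attacks else Decision.PKIX_ONLY


class Attacker(Enum):
    NONE = auto()       # honest network; zone is signed and publishes a TLSA record
    FORGE_DNS = auto()  # substitutes a TLSA answer it cannot sign
    DROP_DNS = auto()   # blackholes or resets the resolver's queries


def observed_lookup(attacker: Attacker) -> Lookup:
    """What a validating client observes for a signed zone with a TLSA
    record, under each constructed attacker capability (assumption: the
    client's resolver validates DNSSEC and the attacker has no zone keys)."""
    return {
        Attacker.NONE: Lookup.SECURE_DATA,
        Attacker.FORGE_DNS: Lookup.BOGUS,  # forged RRset fails validation
        Attacker.DROP_DNS: Lookup.ERROR,   # indistinguishable from an outage
    }[attacker]


def downgraded(attacker: Attacker, errors_are_attacks: bool) -> bool:
    """True when the attacker moved the client from ENFORCE_TLSA to
    PKIX_ONLY, i.e. removed the DANE check without the client noticing."""
    return decide(observed_lookup(attacker), errors_are_attacks) is Decision.PKIX_ONLY


def main() -> None:
    for policy in (False, True):
        print(f"errors_are_attacks={policy}")
        for attacker in Attacker:
            outcome = decide(observed_lookup(attacker), policy)
            print(f"  {attacker.name:10s} -> {outcome.name:13s}"
                  f"  downgraded={downgraded(attacker, policy)}")


if __name__ == "__main__":
    main()
```

The table the script prints makes the security argument concrete: forging a TLSA answer fails under both policies because DNSSEC catches it, but an attacker who only needs to make the lookup fail (drop packets, RST the connection, block port 53) turns a soft-fail client into a PKIX-only client, which is exactly the capability a "buggy proxy or intentional firewall" already has. Whether to accept that downgrade in exchange for availability is the policy choice the thread leaves open.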