Re: [hrpc] "Paul Vixie and Peter Lowe on Why DoH is Politically Motivated"

Eric Rescorla <ekr@rtfm.com> Mon, 15 November 2021 19:21 UTC

References: <YZJPwEUqvCvCUVRz@sources.org> <9AB66003-9285-4418-9BC4-9A415F033F26@pch.net> <CABcZeBOoxRMNBwMCMSsTGM_3YgbZs15ZAyxwd61=PhM05QCTRQ@mail.gmail.com> <1440178333.50167.1636999766064@appsuite-gw2.open-xchange.com>
In-Reply-To: <1440178333.50167.1636999766064@appsuite-gw2.open-xchange.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 15 Nov 2021 11:20:26 -0800
Message-ID: <CABcZeBMFsozNWN-Stcctr-i=xGd0OchJZj_6szazYAPVdygk8Q@mail.gmail.com>
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
Cc: hrpc@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/8Dbae_rTnMLPfmDSlg-In0aa6-k>
Subject: Re: [hrpc] "Paul Vixie and Peter Lowe on Why DoH is Politically Motivated"

On Mon, Nov 15, 2021 at 10:09 AM Vittorio Bertola <
vittorio.bertola@open-xchange.com> wrote:
> Not really - DoT is a protocol designed to operate in the clear and
> to be easily detected and controlled, while DoH was designed with
> the explicit objective of masquerading the traffic within other
> HTTPS exchanges and make it impossible to block or even detect the
> communication.

I don't think responding to the broader points you are making is
likely to get us anywhere productive, but I did want to respond
to your comparison of DoH and DoT, which I don't think is really
that accurate.

The usual reasoning here is that it's hard to filter DoH because
it shares the same ALPN and port number with HTTPS, whereas
DoT does not. However, this is misleading in several respects.

However, at present, it is generally possible to filter DoH because
DoH and ordinary HTTPS are usually on different hosts and therefore
you can use SNI. It's true that it's possible to co-host DoH in such a
way that it is indistinguishable from non-DoH HTTPS traffic, but it is
*also* possible to co-host DoT and HTTPS in this way, provided that
(1) you use a non-standard port and (2) you use ECH. The point here is
that either DoH or DoT can be run in a way that makes it hard to filter
if that's what you're trying to do.

-Ekr
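The on-path view that the message above argues from, as an added example that is not part of Ekr's message or of any IETF document: a minimal builder and parser for the TLS ClientHello that a filtering middlebox can see, plus a classifier that applies the three signals discussed (destination port, ALPN, SNI) and notes when an ECH extension makes the visible SNI and ALPN untrustworthy. The resolver hostname list, the sample ClientHellos and the dummy ECH payload are constructed assumptions for illustration; the extension type numbers are the IANA/draft values (server_name 0, application_layer_protocol_negotiation 16, encrypted_client_hello 0xfe0d).

```python
import struct

# Assumption: an example allow/deny list of known public DoH resolver hostnames.
DOH_RESOLVER_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

SNI_EXT = 0x0000    # server_name
ALPN_EXT = 0x0010   # application_layer_protocol_negotiation
ECH_EXT = 0xFE0D    # encrypted_client_hello (draft-ietf-tls-esni)
DOT_PORT = 853      # RFC 7858 DNS over TLS


def build_client_hello(sni=None, alpn=(), ech=False):
    """Construct a TLS 1.3-style ClientHello handshake message (no record header).
    Constructed test input only: single cipher suite, empty session id, fixed random."""
    exts = b""
    if sni:
        name = sni.encode()
        entry = struct.pack("!BH", 0, len(name)) + name          # host_name type 0
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(body)) + body
    if alpn:
        lst = b"".join(struct.pack("!B", len(p)) + p.encode() for p in alpn)
        body = struct.pack("!H", len(lst)) + lst
        exts += struct.pack("!HH", ALPN_EXT, len(body)) + body
    if ech:
        # Real ECH carries an encrypted inner ClientHello; to a middlebox it is opaque,
        # so a dummy blob stands in for it here (assumption).
        body = b"\x00" * 16
        exts += struct.pack("!HH", ECH_EXT, len(body)) + body
    hello = (b"\x03\x03" + b"\x11" * 32            # legacy_version + random
             + b"\x00"                              # empty legacy_session_id
             + struct.pack("!H", 2) + b"\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                          # legacy_compression_methods: null
             + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + struct.pack("!I", len(hello))[1:] + hello   # type 1, 3-byte length


def parse_client_hello(msg):
    """Extract what a passive observer can read: outer SNI, ALPN list, ECH presence."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 2 + 32                                   # skip version + random
    pos += 1 + body[pos]                           # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                           # compression methods
    out = {"sni": None, "alpn": [], "ech": False}
    if pos + 2 > len(body):
        return out
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI_EXT:
            p = 2                                  # skip ServerNameList length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    out["sni"] = data[p:p + nlen].decode()
                p += nlen
        elif etype == ALPN_EXT:
            p = 2                                  # skip ProtocolNameList length
            while p < len(data):
                plen = data[p]
                out["alpn"].append(data[p + 1:p + 1 + plen].decode())
                p += 1 + plen
        elif etype == ECH_EXT:
            out["ech"] = True
    return out


def classify(dst_port, client_hello):
    """What a filter can conclude from port + visible ClientHello fields."""
    h = parse_client_hello(client_hello)
    # DoT is easy while it keeps either of its distinguishing marks.
    if dst_port == DOT_PORT or "dot" in h["alpn"]:
        return "dot"
    # With ECH the visible SNI is the outer public_name and the real ALPN is inside
    # the encrypted inner hello, so neither can separate DoH, DoT or plain HTTPS.
    if h["ech"]:
        return "undetermined"
    if h["sni"] in DOH_RESOLVER_HOSTS:
        return "doh-by-sni"
    return "https-or-unknown"


if __name__ == "__main__":
    samples = [
        (853, build_client_hello("dns.quad9.net", ("dot",))),            # standard DoT
        (4443, build_client_hello("dns.quad9.net", ("dot",))),           # DoT, odd port, no ECH
        (443, build_client_hello("dns.google", ("h2",))),                # DoH on its own host
        (443, build_client_hello("www.example.com", ("h2", "http/1.1"))),  # ordinary HTTPS
        (443, build_client_hello("public.example", ("h2",), ech=True)),  # DoH or DoT behind ECH
    ]
    for port, ch in samples:
        print(port, parse_client_hello(ch), "->", classify(port, ch))
```

The second sample is the reason the message insists on both conditions: moving DoT off port 853 alone leaves the "dot" ALPN in the clear, and only ECH moves that token (and the real hostname) out of the observer's view, at which point the classifier has nothing left to distinguish it from co-hosted DoH or plain HTTPS.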