Re: Is traffic analysis really a target (was Re: [saag] Is opportunistic unauthenticated encryption a waste of time?)
Nico Williams <nico@cryptonector.com> Tue, 26 August 2014 05:44 UTC
Date: Tue, 26 Aug 2014 00:44:08 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eric Burger <eburger@standardstrack.com>
Subject: Re: Is traffic analysis really a target (was Re: [saag] Is opportunistic unauthenticated encryption a waste of time?)
Message-ID: <20140826054406.GA20264@localhost>
In-Reply-To: <6461D9C5-8B0B-42D3-9877-32DB3E6150C6@standardstrack.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/u3umhLMdtP6Kc6W-rhv9fF7a7ao
Cc: "saag@ietf.org" <saag@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
On Sun, Aug 24, 2014 at 12:32:15PM -0400, Eric Burger wrote:
> I am concerned with the drive to make all traffic totally opaque.
> I’ll be brief: we have an existence proof of the mess that happens
> when we make all traffic look benign. It is called “everything over
> port 80.” That ‘practical’ approach drove the development of deep

Benign? No, that's not it. Ports 80 and 443 (*not* just 80) are used for everything for a variety of reasons, one of which is that no one could block them entirely, so every site with a firewall simply had to have the capability to, and processes for, permitting HTTP/HTTPS traffic -- they could NOT afford not to! Whereas protocols on other ports... See below.

> packet inspection, because everything running over port 80 was no
> longer HTTP traffic. It meant we could no longer prioritize traffic
> (in a good sense - *I* want to make sure my VoIP gets ahead of my Web
> surfing ahead of my FTP). It meant we could no longer apply enterprise
> policy on different applications. It drove ‘investment’ in the tools
> that today dominate pervasive monitoring.

It's true that using HTTP as the IP of the 'Net hurt all sorts of things, but it was driven by the massive adoption of HTTP.

Remember the term "application gateway"? What a throwback to the late 80s, early 90s. Application gateways are unheard of now because they're ETOOHARD. Firewalls can't cope with a raft of arbitrary, custom protocols, whether over IP or over HTTP, but with HTTP they get somewhat more metadata to examine.

If you really want to draw a lesson here it is this: application protocols need a firewall-friendly substrate of metadata. That's HTTP -- no other such substrate exists. Sure, it's a bit of a mirage: the HTTP metadata can be faked. But at least with HTTP the firewalls^Wproxies can make sure to get hostnames every time, not just IP addresses.

That's my take. Maybe it's wrong, but it seems at least plausible.

If VoIPs and such used different port numbers but still HTTP... they'd get through firewalls eventually and you could get your traffic prioritization. It's not so much ports 80/443 that matter. It's the HTTP request line, status line, and headers that do. You could do WebSockets or otherwise tunnel anything over HTTP and the firewalls will be happy to let you, IF they like your metadata.

Nico
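An illustration of the contrast drawn in the message above, between a filter that sees only a port and a proxy that sees HTTP metadata (hostname, WebSocket Upgrade). This is an added example, not code from the thread or from any participant; the hostnames, addresses, allowlist and sample requests are constructed.

```python
"""Added example: a port-only firewall view versus an HTTP-aware proxy view.

A 4-tuple filter sees only an address and a port, so 80/443 must pass and
everything else is a guess.  An HTTP-aware proxy sees the request line and
headers, so it can key policy on the hostname and recognise a WebSocket
Upgrade tunnel.  Hosts, addresses and the allowlist are constructed; the
Host header can be faked, so a real proxy should also check it against the
name it actually connects to.
"""
from __future__ import annotations

ALLOWED_HOSTS = {"voip.example.net", "www.example.org"}  # constructed policy


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, headers)."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return method, target, headers


def port_only_decision(dst_ip: str, dst_port: int) -> str:
    """All a port filter can say; dst_ip is unused, the port decides."""
    return "allow" if dst_port in (80, 443) else "deny"


def http_metadata_decision(raw: bytes) -> str:
    """Proxy policy keyed on the Host name (port stripped) and on Upgrade."""
    _method, _target, headers = parse_http_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    if not host:
        return "deny: no Host header"
    if host not in ALLOWED_HOSTS:
        return f"deny: host {host} not in policy"
    if headers.get("upgrade", "").lower() == "websocket":
        return f"allow: websocket tunnel to {host}"
    return f"allow: http to {host}"


# Constructed sample: a VoIP client tunnelling over WebSocket on port 8080.
SAMPLE_WS = (b"GET /media HTTP/1.1\r\nHost: voip.example.net:8080\r\n"
             b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
SAMPLE_BAD = b"GET / HTTP/1.1\r\nHost: unknown.example.com\r\n\r\n"
```

Calling `port_only_decision("192.0.2.10", 8080)` yields "deny" while `http_metadata_decision(SAMPLE_WS)` allows the same flow on the strength of its hostname, which is the point about ports versus headers.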