Re: Is traffic analysis really a target (was Re: [saag] Is opportunistic unauthenticated encryption a waste of time?)

Nico Williams <nico@cryptonector.com> Tue, 26 August 2014 05:44 UTC

Date: Tue, 26 Aug 2014 00:44:08 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eric Burger <eburger@standardstrack.com>
Subject: Re: Is traffic analysis really a target (was Re: [saag] Is opportunistic unauthenticated encryption a waste of time?)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/u3umhLMdtP6Kc6W-rhv9fF7a7ao
Cc: "saag@ietf.org" <saag@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>

On Sun, Aug 24, 2014 at 12:32:15PM -0400, Eric Burger wrote:
> I am concerned with the drive to make all traffic totally opaque.
> I'll be brief: we have an existence proof of the mess that happens
> when we make all traffic look benign. It is called “everything over
> port 80.” That ‘practical’ approach drove the development of deep

Benign?  No, that's not it.  Ports 80 and 443 (*not* just 80) are used
for everything for a variety of reasons, one of which is that no one
could block them entirely, so every site with a firewall simply had to
have the capability to, and processes for permitting HTTP/HTTPS traffic
-- they could NOT afford not to!

Whereas protocols on other ports...  See below.

> packet inspection, because everything running over port 80 was no
> longer HTTP traffic. It meant we could no longer prioritize traffic
> (in a good sense - *I* want to make sure my VoIP gets ahead of my Web
> surfing ahead of my FTP). It meant we could no longer apply enterprise
> policy on different applications. It drove ‘investment’ in the tools
> that today dominate pervasive monitoring.

It's true that using HTTP as the IP of the 'Net hurt all sorts of
things, but it was driven by the massive adoption of HTTP.  Remember the
term "application gateway"?  What a throwback to the late 80s, early
90s.  Application gateways are unheard of now because they're ETOOHARD.

Firewalls can't cope with a raft of arbitrary, custom protocols, whether
over IP or over HTTP, but with HTTP they get somewhat more metadata to
examine.  If you really want to draw a lesson here it is this:
application protocols need a firewall-friendly substrate of metadata.
That's HTTP -- no other such substrate exists.

Sure, it's a bit of a mirage: the HTTP metadata can be faked.  But at
least with HTTP the firewalls^Wproxies can make sure to get hostnames
every time, not just IP addresses.

That's my take.  Maybe it's wrong, but it seems at least plausible.

If VoIPs and such used different port numbers but still HTTP... they'd
get through firewalls eventually and you could get your traffic
prioritization.  It's not so much ports 80/443 that matter.  It's the
HTTP request line, status line, and headers that do.  You could
do WebSockets or otherwise tunnel anything over HTTP and the firewalls
will be happy to let you, IF they like your metadata.

Nico
--
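Added example, not code from the thread: a toy explicit-proxy policy check that makes the allow/classify decision from the HTTP metadata Nico describes (request line, Host, Upgrade) rather than from the port, and that cross-checks the client-supplied Host against the CONNECT target the proxy actually connected to, since that header can be faked. The hostnames, the POLICY table and the `connected_host` parameter are constructed assumptions.

```python
"""Toy proxy policy on HTTP request metadata (constructed example)."""
from dataclasses import dataclass


@dataclass
class Decision:
    allow: bool
    queue: str    # traffic class the proxy would assign
    reason: str


# Constructed policy: hostname -> traffic class. Unknown hosts are denied.
POLICY = {
    "voip.example.com": "realtime",
    "www.example.com": "bulk",
}


def parse_request_head(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def decide(raw: bytes, connected_host: str) -> Decision:
    """connected_host is the CONNECT target the proxy opened (assumed known)."""
    method, target, _version, headers = parse_request_head(raw)
    host = headers.get("host", "").split(":")[0].lower()
    if not host:
        return Decision(False, "none", "no Host header: nothing to police")
    # Host is client-supplied metadata; a forged value must not borrow
    # another hostname's traffic class, so compare it with the destination.
    if host != connected_host.lower():
        return Decision(False, "none", f"Host {host!r} != destination {connected_host!r}")
    if host not in POLICY:
        return Decision(False, "none", f"{host!r} not in policy")
    queue = POLICY[host]
    # A WebSocket upgrade turns the stream into an opaque tunnel, but the
    # upgrade itself is visible HTTP metadata, so it can still be classified.
    if headers.get("upgrade", "").lower() == "websocket":
        return Decision(True, queue, "websocket tunnel classified by Host")
    return Decision(True, queue, f"{method} {target} classified by Host")
```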