IETF Logo Mail Archive

Re: [Pearg] Responding to "Concerns over DNS Blocking" technical error(s)

Marwan Fayed <marwan@cloudflare.com> Mon, 07 August 2023 12:38 UTC

Return-Path: <marwan@cloudflare.com>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B206CC1519A2 for <pearg@ietfa.amsl.com>; Mon, 7 Aug 2023 05:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ayrfTVcwY6Ki for <pearg@ietfa.amsl.com>; Mon, 7 Aug 2023 05:38:36 -0700 (PDT)
Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F137C1519A0 for <pearg@irtf.org>; Mon, 7 Aug 2023 05:38:36 -0700 (PDT)
Received: by mail-pj1-x102b.google.com with SMTP id 98e67ed59e1d1-2685102cd16so2257548a91.1 for <pearg@irtf.org>; Mon, 07 Aug 2023 05:38:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; t=1691411916; x=1692016716; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SWFjsBIij35o4jmNlg6msEYGZxLj7/Kf7s8z3TT1P/k=; b=VUZsXvL0GC/hNy/Nz8xmOa5Zf6qROiChGSwNY6SuUk2n72WAW48CB5De1UMn5e3Ovo vOvxiv6llgpTI+NOHfxmsHoy+7Q/+rpEQ/jxD6aUgNeU3DKYCVUOWSOwKDQnM6NIAtsD /69W720jl1VIVM17SuROEX9VI/KhZx+rCoBKI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691411916; x=1692016716; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=SWFjsBIij35o4jmNlg6msEYGZxLj7/Kf7s8z3TT1P/k=; b=ZTd3k9tnnLVCVhoirIox0X+cURzm36pVcwthIMUWxtaFdWKyMDOlBWB2U4t2FHW3oU dozDZI5NKF8K7D3rVrMsyLKiafJ4oknBTyUFBzsO1R+pZMZbuEdi5oOshrSuRX8CqmZ7 24xNTfQ7zZkpCr1K65BlcXbDUDM4VyFy42/PtI2hYEJdOnvVj96t58OYGUzMHC8KAhat Td5ZVYQZsnkeZmFj3asWPPc5d44A5YoF28FYODdNSypSTimpDaBVJT+L+auTeLt0Fqo6 hNiXFMN6BZqVCm1kh0js2kHoYOmlduX0fd8ekSBPIg3vWwU77BfUSE+QSJ1JK3uXkwUW tqqA==
X-Gm-Message-State: AOJu0YxYMEd/fQT6Y5kMap2YhbNQ3ywrecGEYh5b5u4fs3Xl312+qdeZ dqSMJ+cPK0H/N4gEWd+pbFmqRIk7JwIz8aBEqnLlgA==
X-Google-Smtp-Source: AGHT+IEzS6mjeZ/XpnyN4lxlOi4nAQnG/KUcqWWMQluZAYjHIoCIWq0nCb6TPJT358AmIgObPGSXzUB5q1fMA4ezyoE=
X-Received: by 2002:a17:90b:4a47:b0:268:29a3:bd05 with SMTP id lb7-20020a17090b4a4700b0026829a3bd05mr6082456pjb.48.1691411915626; Mon, 07 Aug 2023 05:38:35 -0700 (PDT)
MIME-Version: 1.0
References: <CAMgphBBYNMqiwg=SkZmh6s8gCfVoFp8zmwHNCiVYzqnBwyzKNA@mail.gmail.com> <1FA02373-5569-447B-83FA-112A0FB008A5@ericsson.com>
In-Reply-To: <1FA02373-5569-447B-83FA-112A0FB008A5@ericsson.com>
From: Marwan Fayed <marwan@cloudflare.com>
Date: Mon, 07 Aug 2023 13:37:59 +0100
Message-ID: <CAMgphBBQ-yLfTrBLCvGxgX=C=ijPG4DnAfK2nyH_Ufv_WpyVjw@mail.gmail.com>
To: Mirja Kuehlewind <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org>
Cc: "pearg@irtf.org" <pearg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000067044006025486a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/OM-RwkMuG_iVvSObIMknlHw6qd0>
Subject: Re: [Pearg] Responding to "Concerns over DNS Blocking" technical error(s)
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2023 12:38:40 -0000

Mirja,

Fantastic, and agreed on all points. This is a great outcome, and very much
the one I'd hoped for. I am happy to help advance the conversation with
Vint, or otherwise, as appropriate.

I'll only add or reiterate the following (for list readership as much as
anything else):

On pt 1: The very nature of IP's design means that it is *always*
inappropriate to use IP addresses for content filtering. It is non-trivial
to know what lies behind an IP address (content, machines, other networks),
and so content-blocking via IP should be disqualified from the conversation
--- including in IPv6 that, just like IPv4, is about addressing and routing
to interfaces, that themselves may or may not be associated with (still
many) server or content names.

On pt 2: To clarify, the DNS is the only 'network layer' control that
provides any transparency to the user. Indeed, yes, there are
"higher-layer" alternatives that come with their own challenges, e.g.,
whether they are implemented, inter-op, etc. However, at network layers,
there is only DNS, SNI, and (shouldn't be, as above) IP. Since DNS is
_really_ an application, it is the only one of the three that can give
_meaningful_ feedback to the user --- i.e. some transparency (via return
codes).

Also a general note for the wider readership that is known to many but
worth restating: With respect to 'regional' qualities, not all recursive
resolvers can be treated as equal. Specifically, private in-network
resolvers have finely granular knowledge about their stubs' locations and
operating environments. In contrast, open public resolvers have no such
knowledge and are routed to via public BGP routing outside of the public
resolver's control. Any attempt to geo-gate service is subject to open
routing behaviour and/or the inaccuracy of IP geo-localization (that we
know is highly problematic) --- even ignoring performance penalties and
engineering challenges.

I claim that this distinction is a feature of the Internet's reliable and
resilient design --- an amazing engineering and interoperability feat that,
40+ years on, is worth celebrating.

Thanks all, for the feedback; also Mirja again for the positive and
constructive engagement.

--marwan

On Thu, 3 Aug 2023 at 15:12, Mirja Kuehlewind <mirja.kuehlewind=
40ericsson.com@dmarc.ietf.org> wrote:

> Hi Marwan,
>
>
>
> thanks for your feedback. This is really good input for me. Please see my
> replies.
>
>
>
> On your point 1: The sentence about content filtering and IP blocking has
> to be seen in context. The context of this whole letter is that the
> proposed regulation would impact DNS providers globally (not only regional
> ISPs). I believe the regulators see a need for this as more user have
> switched to open DNS providers and therefore ISP-level filter isn’t seen as
> sufficient. The letter argues against measure that have such global impact
> and in this context points out that other regional, ISP-level measures
> exists. I never read it, when I was co-signing, as endorsing these
> techniques. However, you are right that it can be interpreted that way, and
> I will relay this to Vint and the other co-signers.
>
>
>
> On your point 2: I agree that DNS filtering or other blocking and
> filtering techniques are generally problematic. I’m not sure about your
> point about transparency; you can also design mechanisms to provide
> feedback about the blocking on other layers; however, if these things get
> implement is a different question. Still, for this letter it wasn’t the
> intention discuss blocking and filtering generally but point of the global
> implication of this proposed regulation. I find that even more problematic
> because there is always the option for a global/non-regional to not comply
> with a regulation (and depending on the market condition) not serve a
> certain service in a certain region anymore, which finally can really
> “break” the Internet. We don’t see this for DNS (yet) but we already see it
> e.g. in the regulatory “fights” about news content.
>
>
>
> Mirja
>
>
>
>
>
>
>
> *From: *Pearg <pearg-bounces@irtf.org> on behalf of Marwan Fayed <marwan=
> 40cloudflare.com@dmarc.ietf.org>
> *Date: *Monday, 31. July 2023 at 13:37
> *To: *"pearg@irtf.org" <pearg@irtf.org>
> *Subject: *[Pearg] Responding to "Concerns over DNS Blocking" technical
> error(s)
>
>
>
> Dear wg, and more--
>
>
>
> There is a just-published open letter [1], also summarized at 117's pearg
> [2] in response to a proposed initiative that (as is summarized) can
> require ISPs to block domains via DNS without a court order.
>
>
>
> This is no doubt a concern for all, but the open letter has two
> significant problems, one of which is a factual and technical error that
> would be great to correct, and another that merits wider conversation:
>
>
>
> 1. [Technical Error] The open letter suggests that IP blocking is a viable
> and less harmful alternative to blocking content via DNS. This is patently
> false because the consequence of blocking via DNS is all content at a
> domain name; an IP address block, by the very design of the Internet
> Protocol itself, could affect (and has affected) many more domains than
> intended [3]. For example, a block of 11 addresses in Austria last year
> affected thousands of domains and websites [4]. (As an aside, the lack of
> transparency about the practice is a particular concern, at least as much
> as the practice itself.)
>
>
>
> How best to address the error in the open letter? Ideally we can find a
> fix as a community, and one that involves the signatories (and their
> organizations, despite having signed in a personal capacity).
>
>
>
> The text of concern that needs redress reads, "Several alternatives exist
> which would avoid the concerning implications mentioned above. Domestic
> Internet Service Providers (ISPs) have a number of tools at their disposal
> to block infrastructure deemed malicious by French authorities. This
> includes blocking HTTP/HTTPS connections to the offending site, and
> blocking the IP addresses." [1]
>
>
>
> 2. [Wider conversation] The idea that the use of the DNS deserves more
> attention than simply being "blanket bad." There are no doubt challenges,
> not least that the DNS is composed of many role-types, namely recursive
> resolvers and authoritative servers, also local-network private resolvers
> and open-public resolvers. Each of these entities in the DNS are different
> and warrant separate consideration.
>
> However, when thinking about 'in-network' controls, the DNS has one very
> large and important advantage that is unavailable when blocking by name or
> address: The DNS offers **transparency**, which is not available when
> blocking via name or address. From RFC 8914 [5], recently introduced codes
> in sections 4.16 to 4.19 are useful, to start. At a minimum, support from
> resolvers and clients means that users could get insight into service
> interruptions, and the reasons for them.
>
>
>
> If blocking in the network has to happen, the transparency offered by DNS
> in RFC 8914 should be considered when engaging in the wider discussions.
>
>
>
> Hopefully these comments help contribute to a positive and productive
> discussion.
>
>
>
> Many thanks,
>
> --marwan
>
>
>
> [1] https://medium.com/@vgcerf/concerns-over-dns-blocking-988ef546a100
>
>
>
> [2]
> https://datatracker.ietf.org/meeting/117/materials/slides-117-pearg-proposed-laws-on-dns-blocking-00
>
>
>
> [3] https://blog.cloudflare.com/consequences-of-ip-blocking/
>
>
>
> [4]
> https://www.derstandard.de/story/2000138619757/ueberzogene-netzsperre-sorgt-fuer-probleme-im-oesterreichischen-internet
>
>
>
> [5] https://www.rfc-editor.org/rfc/rfc8914.html
>
>
>

v2.23.0 | Report a Bug | By Email