Re: [Pearg] I-D Action: draft-irtf-pearg-censorship-04.txt

Joseph Lorenzo Hall <hall@isoc.org> Thu, 23 July 2020 21:46 UTC


Heya, I’ve placed your feedback below in the following github issue in our repository for tracking:

https://github.com/IRTF-PEARG/rfc-censorship-tech/issues/82

Comments inline.

On Jul 21, 2020, at 11:21 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:

> On Mon, Jul 13, 2020 at 06:51:19PM +0000,
> Joseph Lorenzo Hall <hall@isoc.org> wrote
> a message of 238 lines which said:
>
>>        Title           : A Survey of Worldwide Censorship Techniques
>>        Filename        : draft-irtf-pearg-censorship-04.txt
>
> A general issue with drafts dealing with current techniques is that it
> is hard to stay up-to-date (a reason to publish rapidly).
>
> For instance:
>
>> For example, a censor could block the default HTTPS port, port 443,
>> thereby forcing most users to fall back to HTTP.
>
> Is it still true today? With HSTS (RFC 6797) and many Web sites
> redirecting unconditionally from http: to https: I wonder if it could
> still be used.


I suspect it depends on where you are; certainly I believe it is still the case that Iranian networks throttle or block 443 for exactly this purpose (there is a reference in the draft to this). If there is data showing this would be highly unlikely most places, happy to change.

> Also:
>
>> When in-window sequencing is allowed, it is trivial to conduct a
>> Blind RST Injection:
>
> Trivial may be too strong, if RFC 5961 is used. Referring to RFC 5961,
> section 5.1 may be a good idea (the draft mentions a fixed number of
> possible windows, which does not seem true).


Would you recommend “it is possible”? And to what extent do we know that people implement what RFC 5961 describes?

>> while the term "blind" injection implies the censor doesn't know any
>> sensitive (encrypted)
>
> ? "blind" refers to being off-path, it has nothing to do with
> encryption.


Good point, will drop the parenthetical.

>> authoritative resolvers
>
> There is no such thing as an authoritative resolver. Either it is a
> resolver, or it is an authoritative name server. (Source: RFC 8499,
> section 6)


Ah yes, will change that.

> Editorial:
>
>> This in-window recommendation is important, as if it is implemented
>> it allows for successful Blind RST Injection attacks [Netsec-2011].
>
> Not clear.

Due to the RFC 5961 comment above? Do you want us to put in a “(Note that if [a network? a server?] implements the protections against blind TCP injections in RFC 5961 [it is much harder to accomplish]” or something?


>> [Bortzmayer-2015]
>>             Bortzmayer, S., "DNS Censorship (DNS Lies) As Seen By RIPE
>>             Atlas", 2015,
>
> It's Bortzmeyer :-)

Dang, very sorry about that! Will change.


>> [Zmijewski-2014]
>>             Zmijewski, E., "Turkish Internet Censorship Takes a New
>>             Turn", 2014, <http://www.renesys.com/2014/03/turkish-
>>             internet-censorship/>.
>
> Moved (without a redirect) with all the Renesys content, after being
> bought by Oracle. It is now
> <https://blogs.oracle.com/internetintelligence/turkish-internet-censorship-takes-a-new-turn>

Thanks, I’ll update this and the others you noted.

best and thank you, Joe

--
Joseph Lorenzo Hall, Senior Vice President, Strong Internet
hall@isoc.org | +1-703-483-9504
internetsociety.org | @internetsociety
pgp: https://josephhall.org/gpg-key
3CA28D7B9F6DDBD34B1016075F86698740A9A871
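The RST validation rule the two messages above argue about, modelled as an added example that is not part of the thread or of the draft: the classic RFC 793 in-window acceptance rule beside the RFC 5961 section 3.2 rule (exact match on RCV.NXT resets; merely in-window triggers a challenge ACK; out-of-window is dropped). The receive-state values and the spoofed sequence numbers are constructed for illustration.

```python
# Added example (not from the draft or the thread): how a TCP receiver decides
# what to do with an incoming RST, under RFC 793 and under RFC 5961 sec. 3.2.
# It shows why an off-path ("blind") RST whose sequence number is only
# somewhere in the receive window no longer tears the connection down once
# RFC 5961 is implemented: the receiver answers with a challenge ACK instead.
from dataclasses import dataclass
from enum import Enum

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


class Action(Enum):
    ACCEPT = "reset the connection"
    CHALLENGE_ACK = "send a challenge ACK and keep the connection"
    DROP = "drop the segment silently"


@dataclass
class ReceiveState:
    rcv_nxt: int  # next sequence number this endpoint expects from its peer
    rcv_wnd: int  # receive window this endpoint has advertised


def in_window(seg_seq: int, state: ReceiveState) -> bool:
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32."""
    offset = (seg_seq - state.rcv_nxt) % SEQ_MOD
    return offset < state.rcv_wnd


def rst_action_rfc793(seg_seq: int, state: ReceiveState) -> Action:
    """Pre-RFC 5961 behaviour: any in-window RST resets the connection."""
    return Action.ACCEPT if in_window(seg_seq, state) else Action.DROP


def rst_action_rfc5961(seg_seq: int, state: ReceiveState) -> Action:
    """RFC 5961 sec. 3.2: only SEG.SEQ == RCV.NXT resets the connection.
    An in-window but inexact RST gets a challenge ACK; since an off-path
    sender never sees that ACK, it cannot learn the exact RCV.NXT from it.
    Out-of-window RSTs are dropped."""
    if seg_seq == state.rcv_nxt:
        return Action.ACCEPT
    if in_window(seg_seq, state):
        return Action.CHALLENGE_ACK
    return Action.DROP


def compare_rules(seg_seq: int, state: ReceiveState) -> dict:
    """Both verdicts for one segment, e.g. to table the difference."""
    return {"rfc793": rst_action_rfc793(seg_seq, state),
            "rfc5961": rst_action_rfc5961(seg_seq, state)}
```

Linux has implemented the RFC 5961 challenge-ACK behaviour since kernel 3.6, which is one data point for Joe's question about how widely the RFC is deployed.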