Re: [Pearg] draft-irtf-pearg-censorship review

Joseph Lorenzo Hall <> Sun, 12 April 2020 18:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3A5983A2493 for <>; Sun, 12 Apr 2020 11:25:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nuF1HjRnt-4y for <>; Sun, 12 Apr 2020 11:25:40 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 257583A0D8D for <>; Sun, 12 Apr 2020 11:25:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=YXKvZA+GL53hjM2qeHewdVhcC3eR2f9LsF1rp3UuReZRa6TimTIkpTgc9XqQtrIQWXUBxuUBLtL33wAIqBkqKzkebYMP8nSXg0wi9bpOlsGBzaldWoxxJU2oHKokNQNfYwgBp9r0Jyc23+fRB3+sqN5CgEYWL8iqLzGGr04sCO733hJ4bEiO3MG8GzxexgZIVCpDJ+x8UxTY7lZgB+pj/7/p+J7vvt8NH78378FV/0ubNA2cjTquchrgpH4P6FxAb2sAbE22oQYsJVRocJpirmj3ir+tbx77ObtchXTfDJLPazvACgXMHw3jzkFSt6973aD3kxAkvQrKphpRdSuRqw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bOkqDeVGvm6R8v+Ux0WTwi65CYxwLc1O4lw0ZS+ajK0=; b=HHuB7FtT2Sc/I/IpBzkcRBCQ1jaVHkxqO+0+q5Kpq+RM8ETLsY6JHOJ2A4j7RW336Nu0SoNuRdOPBl1x2ukzj4klcTwjbH2zzbIss8h70JsfoIYDD3dYiOijqr0+CqUqsevNit1tDwj0aIWga3TCp6lz6tdy4dBwysbFYlqDzm9wCILlrAhvN0bfYjJjO+Hk9LM6kK2naYeWmp3h5bREgzL/Zf6Ti6ju6Lj20DdWCpbfRrWSmxiTXiNkFXHTH8guUbUPEBvvmOjddlIT7jnluEbCYfBCfQi9soKxZL8O/+Ada6Kyc/bxg7zDc5v73Q8KdIJIiNDCAnrS/CnenO6ueA==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bOkqDeVGvm6R8v+Ux0WTwi65CYxwLc1O4lw0ZS+ajK0=; b=R1vxV1e7pZzY7r7Utth79eEkKUrESzxhKdPwBjqdw9T+RoPiCg0zJy6HptjoZelUDOY1wdZpIE7Xp2EidZGLZMEi0bCpvZFlznwGgGGPDvWTxwfa9YJJllFU3TBwbEtjtqx38udBWc12tch082Ef8Ml8NqOzokHX0FeX7UE49SY=
Received: from (2603:10b6:a03:21e::20) by (2603:10b6:a03:21e::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.20; Sun, 12 Apr 2020 18:25:31 +0000
Received: from ([fe80::3891:1ca6:1667:cbd]) by ([fe80::3891:1ca6:1667:cbd%2]) with mapi id 15.20.2900.026; Sun, 12 Apr 2020 18:25:31 +0000
From: Joseph Lorenzo Hall <>
To: Christopher Wood <>, "" <>
Thread-Topic: [Pearg] draft-irtf-pearg-censorship review
Thread-Index: AQHWD6u84dP2BqvmUU+akQqO5soH/ah1z/vm
Date: Sun, 12 Apr 2020 18:25:31 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 48cedace-5a56-4cb9-6d94-08d7df0ee255
x-ms-traffictypediagnostic: BY5PR06MB6593:
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0371762FE7
x-forefront-antispam-report: CIP:; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM;; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(346002)(136003)(39840400004)(366004)(396003)(376002)(86362001)(15974865002)(52536014)(8676002)(110136005)(8936002)(316002)(55016002)(9686003)(478600001)(19627405001)(81156014)(71200400001)(186003)(66574012)(966005)(2906002)(33656002)(7696005)(66446008)(66556008)(64756008)(66946007)(76116006)(26005)(5660300002)(66476007)(6506007); DIR:OUT; SFP:1101;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: OmS3zvzXwqSRzfWTIsONp9wUcL8eCbU50e2i4D+WA0anImXwXtwn42vgYPViHujJ4Vl8J7CPRuXH063reeRDCeH7GKQ+Pa/VLX8mN5gVnixZNk64XvsXvqGOyxAQhdVG9CPHPpU630lo2i6gaYrqK97elBJOdRLETq6fqu5JxKH3eafYAj8CA65dHCd9+Nmvv2c+YokoxYHVe1p2brOi6AmeMT7oLk2MmMsUthdI8e70s5JkifD8DRPUSoZFMSR+10rRxqQA/GEF82sEH5glO4wHbksOvPPGUAVKc/JYGJ544UUQAxKP/Mw76QpQOBPWp6thL2YxjuGdcFuI3zjl295hbHVR3Zwh44THIkqgd7Wde8QM+cpyJGvK0qmlTkKe4AczaRNui5o0ShnXJ/+RPKXQr9UgzanU97bYJVlUJOQszCTFZGBb/zd65iUOivx9SYzNkYPgz2LOa0OUDnBbVmeOUWmVF92x88iYujdZ2Tz7+IVao4w25PW+CP31TyGSblJCHyoFVZ822G0lQkSuzA==
x-ms-exchange-antispam-messagedata: FbY02jXqcfMBMip+xZ2IFu/6INJWDo95bhd3fAgJxT6y7VGRqtnHnHud+UbI2B+ycWCOmNjeIe/VH4+Xbb3HYkekLNICBg/QmckBBZ/EkAJFEv49GYpannj3xPAd5QrGNeaSNR77+qbszCexGdD0vw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BY5PR06MB6451E16F6DDCE49B3444ECCFB1DC0BY5PR06MB6451namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 48cedace-5a56-4cb9-6d94-08d7df0ee255
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Apr 2020 18:25:31.3670 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: p8Y5a3ZVAM1+coHVOFe/8+TSxF8uQ2M6sQluiFqxTh7jdItkUHFBlBFTRX6/P2VC
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR06MB6593
Archived-At: <>
Subject: Re: [Pearg] draft-irtf-pearg-censorship review
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 12 Apr 2020 18:25:45 -0000

(also in the github issues)

> > Comments:
> >
> > * Section 3.2.1: This section describes common ways in which censors use HTTP fields for filtering with a pile of references at the bottom. Upon first read, it seemed to lack relevant citations. (For example, the sentence
> >   > As such, "method" and "host" are the two fields used most often for ubiquitous censorship.
> >
> >
> >   seemed like it could stand to use a reference. However, this seems to be covered by one of the empirical examples at the end of this section. Perhaps Section 3.2 could note this structure for each of its subsections? Perhaps:
> >   > "The following subsections describe properties and tradeoffs of common ways in which censors filter using application-layer information. Each subsection includes empirical examples describing these common behaviors for further reference."

Looks like you did this in PR #53, thanks!

> > * Section should probably reference draft-ietf-tls-sni-encryption or draft-ietf-tls-esni. (I'm happy to help word-smith that text, if you want or need assistance!) Also, the bit about fallback to SSL (pre TLS 1.0) seems a bit outdated. Most TLS stacks no longer implement SSLv3 at all, for example. I might remove this bit. I might also include a reference to [1] as further SNI-based blocking reading.

Ah, we do cite Chai 2019 a bit later but I will elevate that... and have just made changes to highlight ESNI and remove the SSL fallback bit.

> > * Section 3.3.1: Assuming that IP address filtering is efficient, it might be worth citing [2] given that it studies the (often unique) relationship between address and domain. It might also be worth mentioning DoH(443) and noting the challenges it raises for blocking parties.


> > * Section 3.3.2: Is it worth mentioning Pluggable Transports here, especially in the context of blocking Tor?


> > * Section 3.3: I was surprised to see no mention of QUIC in this section. Perhaps we could replace "TCP/IP header" references with "transport header references"? The information about network addresses and ports equally applies to TCP and QUIC, and including both seems prudent so as to not give the wrong impression about what QUIC exposes (or doesn't).


> > * Section 4.4.1: There's no mention of encrypted DNS here. While it's true that "DNS lying" and other examples are not completely mitigated with stub-to-resolver encryption, it does change the threat model slightly. Maybe DoH/DoT are worth including? It might also be worth noting limited client support for DNSSEC, perhaps after this sentence:
> >   "Additionally, the above mechanisms rely on DNSSEC not being deployed or DNSSEC validation not being active on the client or recursive resolver."


> > * Section 4.2.2: Is packet dropping not a form of filtering? I was surprised to see it in the interference section.

You may be hung up on the terminology we use where Identification is doing the technical matching against a set of things one wants to censor and then Interference is actually performing the technincal action to accomplish the censorship or filtering, from the Terminology section:

> Prescription is the process by which censors determine what types of material they should block, i.e., deciding to block a list of pornographic websites. Identification is the process by which censors classify specific traffic to be blocked or impaired, i.e., blocking or impairing all webpages containing “sex” in the title or traffic to Interference is the process by which censors intercede in communication and prevents access to censored materials by blocking access or impairing the connection.

Do we need to make this more clear?

> > * Section 4.2.3: It's probably worth mentioning QUIC here, especially as it complicates this type of attack. It might also be worth citing recent research [3] on off-path TCP attacks, noting that the censor need not be on-path to interfere with service.

(That off-path paper is awesome! Had not seen that.)

Cool, that makes sense about QUIC. I don't have a good feel for what to write here. How does this feel, "Note, the increasingly popular QUIC protocol is based on UDP, a connection-less transport protocol, so cannot be attacked using TCP RST packet injection."

That seems a bit weird... but it sounds like there may be more under the surface to your comment so please suggest how that text above could be better cleaned up?

> > * I was surprised to see this recent SoK paper [4] missing from the references. It has a lot of additional information, particularly in Tables V and VI, about different types of filtration mechanisms and how they impact users (by under or over blocking). That said, integrating this paper will be a chore. So, given that the landscape of relevant research and empirical evidence will undoubtedly continue changing, perhaps we can simply drop a reference somewhere?

That is a monster, and something I'm looking forward to digging into more. I'll drop a reference and add an Issue to read and integrate it.

> > Nits:
> >
> > * Section 2: SmartFilter is missing a reference.


> > * Section 3.1: "Internet Service Providers have until now been the most frequently exploited point of control" probably also warrants a reference, if possible.

Changed to "Internet Service Providers are frequently exploited points of control."

> > * Section 3.2.1: The [Verkamp-2012] reference seems broken.

Hmmm, I don't see this. The link works ( ) and the reference is rendering correctly.