Re: [perpass] DNS confidentiality

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 13 November 2013 14:05 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <5282EC17.5060808@cs.tcd.ie>
References: <20131111121027.GA31723@sources.org> <CEA6999F.25B2C%gwiley@verisign.com> <CA+9kkMDTYZ8tKnGigojWQDuDM3K0uPyoW2fesH1ueAFbTZMBrQ@mail.gmail.com> <CABkgnnVuX3bV1XMKsY1g6GOkZmhfxo=Zt9iUryt0wt+9K8tFkA@mail.gmail.com> <5282D6A3.5060205@cs.tcd.ie> <4AE06389-A46C-4F14-849E-62DC9FA7F128@fugue.com> <5282EC17.5060808@cs.tcd.ie>
Date: Wed, 13 Nov 2013 09:05:20 -0500
Message-ID: <5468.1384351520@sandelman.ca>
Cc: Ted Hardie <ted.ietf@gmail.com>, Ted Lemon <mellon@fugue.com>, perpass <perpass@ietf.org>, Stephane Bortzmeyer <bortzmeyer@nic.fr>, Andy Wilson <andrewgwilson@gmail.com>, "Wiley, Glen" <gwiley@verisign.com>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: [perpass] DNS confidentiality

On the subject of SNI itself.... lack of support for SNI for a number of
legacy browsers still in use means that few sites using SSL can do it any way
other than the one-IP(port) per certificate.  This is a tragedy in the IPv4
world, but really hardly merits even a shrug in an IPv6 world.

On the other hand, with a 1:1 mapping between IPv6 address and DNS name (and
certificate), you don't need to see/capture the transport or session (SSL)
layer at all to do the traffic analysis.  So one gets the traffic
analysis at the DNS name from the netflow (aka "Pen Register") records
without eating any multi-gigabit firehoses.

If TLS could become more IKE-like, leaving the SNI and the authentication
until after the PFS (maybe it can do this already now), then traffic analysis
would be defeated by putting as many sites on the same IP address as
possible.
(Possibly, this also interacts poorly with some of the various netnanny
software, which has unfairly prevented teens from learning enough to protect
themselves from STDs in the name of protecting them from pr0n.)

My take is that any mechanism (legal and technological) which keeps the
middle boxes on a need-to-know basis only is good.  It might not prevent
traffic analysis, but it does help maintain the end-to-end principle.
(Imagine the state of the world if TCP had cryptographically secured the port
numbers, or if HTTPS had done that, and NAPTs simply couldn't have worked.)

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
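The point about SNI above is that the server_name extension rides in the very first TLS record, before any key exchange, so a passive observer who captures only that packet learns the hostname without breaking any crypto. The following is an added example, not code from the message or from any project it mentions: it builds a minimal TLS 1.2 ClientHello carrying an SNI extension (RFC 6066 layout, one cipher suite, a caller-supplied random) and then plays the on-path observer, walking the raw bytes to pull the name back out. The hostname and the single cipher suite are constructed sample values.

```python
"""Passive extraction of the TLS SNI from a cleartext ClientHello.

build_client_hello() constructs a minimal TLS 1.2 ClientHello record with a
server_name extension (RFC 6066).  extract_sni() is the observer side: it
parses the record with no TLS library and no key material, which is exactly
why SNI leaks the hostname to anyone on path.
"""
import os
import struct

# TLS constants (RFC 5246 record/handshake types, RFC 6066 extension type)
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00
SAMPLE_CIPHER_SUITE = 0xC02F  # constructed: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256


def build_client_hello(hostname: str, random_bytes: bytes = None) -> bytes:
    """Return a complete TLS record containing a ClientHello with SNI."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    assert len(random_bytes) == 32, "ClientHello.random is exactly 32 bytes"

    host = hostname.encode("idna")
    # ServerName = name_type(1) + name length(2) + name
    server_name = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
    # ServerNameList = list length(2) + ServerName...
    sni_ext_body = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext

    cipher_suites = struct.pack("!HH", 2, SAMPLE_CIPHER_SUITE)  # length(2) + one suite
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + random_bytes
        + b"\x00"              # session_id length 0
        + cipher_suites
        + b"\x01\x00"          # compression_methods: length 1, null
        + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS record, or None.

    None means "not a ClientHello with server_name"; ValueError means the
    bytes were truncated, so a caller can tell 'no SNI' from 'could not parse'.
    """
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(record):
            raise ValueError("record truncated at offset %d" % pos)
        chunk = record[pos:pos + n]
        pos += n
        return chunk

    ctype, _version, _rlen = struct.unpack("!BHH", take(5))
    if ctype != CONTENT_TYPE_HANDSHAKE:
        return None
    if take(1)[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(take(3), "big")
    hs_end = pos + hs_len
    if hs_end > len(record):
        raise ValueError("handshake body truncated")

    take(2)                                   # client_version
    take(32)                                  # random
    take(take(1)[0])                          # session_id
    take(struct.unpack("!H", take(2))[0])     # cipher_suites
    take(take(1)[0])                          # compression_methods
    if pos >= hs_end:
        return None                           # no extensions block at all

    ext_end = pos + struct.unpack("!H", take(2))[0]
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", take(4))
        edata = take(elen)
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q < 2 + list_len:
            ntype, nlen = struct.unpack("!BH", edata[q:q + 3])
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == SNI_HOST_NAME:
                return name.decode("idna")
    return None


if __name__ == "__main__":
    rec = build_client_hello("www.example.com")          # constructed sample host
    print("ClientHello (%d bytes): %s..." % (len(rec), rec[:16].hex()))
    print("observer recovers SNI:", extract_sni(rec))
```

Everything the parser needs is in the first record, and nothing it reads is encrypted or authenticated yet; with a one-IP-per-certificate deployment the observer does not even need this much, since the destination address alone already names the site.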