Re: [perpass] A reminder, the Network is the Enemy...
Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 27 November 2013 15:06 UTC
Date: Wed, 27 Nov 2013 16:05:48 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Message-ID: <20131127150548.GA25960@nic.fr>
References: <9B79CCC3-853E-42F4-8390-ED0EE019C275@icsi.berkeley.edu>
In-Reply-To: <9B79CCC3-853E-42F4-8390-ED0EE019C275@icsi.berkeley.edu>
Cc: perpass <perpass@ietf.org>
Subject: Re: [perpass] A reminder, the Network is the Enemy...
On Wed, Nov 20, 2013 at 12:42:53PM -0800, Nicholas Weaver <nweaver@icsi.berkeley.edu> wrote a message of 70 lines which said:

> http://www.wired.com/opinion/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon/

You mention DNSSEC twice, as a solution against some man-on-the-side attacks (injecting false DNS answers). The Schneier paper <https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html> about QUANTUM mentions packet injection but not the DNS. We don't know if the NSA does DNS poisoning (but we may assume they - and other actors - do it).

However, if the attacker is the NSA, we have to take into account the possibility that they can sign data with the root's private key, which is under US management. Therefore, is DNSSEC still useful? Maybe, in these cases:

* the attacker may consider that DNSSEC validation is so uncommon today that it is not worth the work to inject spoofed RRSIG

* some people may have trust anchors located at lower levels (some registries do publish them for instance <http://www.afnic.fr/fr/certificats/>). Do you think it is technically sound? Many people decided not to publish these trust anchors, because of the management costs and risks, but it was before Snowden. Maybe we should actively recommend the publication of such "lower" trust anchors now?
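The point about lower-level trust anchors is easier to see in code. The following is an added example, not part of the message above and not the code of any real resolver: it models a three-zone DNSSEC chain (root, fr., example.fr.) in which each parent signs the DS of its child and the leaf zone signs an A record, then runs a validator that, like real resolvers, starts from the closest enclosing trust anchor. Signatures are Lamport one-time signatures built from hashlib so the example runs offline without any DNS or crypto library; zone names, keys, the 192.0.2.1 / 198.51.100.66 addresses and the "attacker holds the root private key" scenario are all constructed for the demonstration.

```python
"""Toy DNSSEC chain-of-trust validator with optional lower-level trust anchors.

Added example (not from the perpass thread).  Everything here is constructed:
Lamport one-time signatures stand in for RRSIG, a SHA-256 of the public key
stands in for DS, and the attacker who can sign with the root's private key is
hypothetical.
"""
import hashlib
import os

ZONES = [".", "fr.", "example.fr."]  # delegation path, parent first


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures (stand-in for RSA/ECDSA RRSIGs) -------------
def keygen():
    # private key: 256 pairs of random 32-byte secrets; public key: their hashes
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = [(H(s0), H(s1)) for s0, s1 in priv]
    return priv, pub


def bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def sign(priv, msg: bytes):
    # reveal one secret of each pair, chosen by the corresponding digest bit
    return [priv[i][b] for i, b in enumerate(bits(msg))]


def verify(pub, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pub[i][b] for i, b in enumerate(bits(msg)))


def pub_bytes(pub) -> bytes:
    return b"".join(h0 + h1 for h0, h1 in pub)


def ds_digest(pub) -> bytes:
    # DS record: digest of the child's DNSKEY, published and signed in the parent zone
    return H(pub_bytes(pub))


# --- building a chain of trust ----------------------------------------------
def build_chain(keys):
    """keys: zone -> (priv, pub), one key per zone; each parent signs its child's DS.
    (Lamport keys are one-time: the root key signing both the honest and the forged
    DS below is insecure for the scheme itself but harmless for the demonstration.)"""
    chain = {ZONES[0]: {"dnskey": keys[ZONES[0]][1]}}
    for parent, child in zip(ZONES, ZONES[1:]):
        pub = keys[child][1]
        chain[child] = {"dnskey": pub, "ds": ds_digest(pub),
                        "ds_sig": sign(keys[parent][0], ds_digest(pub))}
    return chain


def sign_answer(keys, name: str, rdata: bytes):
    msg = name.encode() + b" A " + rdata
    return {"name": name, "rdata": rdata, "sig": sign(keys[ZONES[-1]][0], msg)}


# --- validator ---------------------------------------------------------------
def validate(chain, answer, anchors) -> str:
    """anchors: zone -> public key.  Starts at the closest enclosing trust anchor,
    as RFC 4035-style validators do.  Returns 'secure', 'bogus' or 'insecure'."""
    start = max((i for i, z in enumerate(ZONES) if z in anchors), default=None)
    if start is None:
        return "insecure"  # no anchor covers the name: nothing can be checked
    # the DNSKEY seen for the anchored zone must be the one we were configured with
    if pub_bytes(chain[ZONES[start]]["dnskey"]) != pub_bytes(anchors[ZONES[start]]):
        return "bogus"
    for parent, child in zip(ZONES[start:], ZONES[start + 1:]):
        link = chain[child]
        if not verify(chain[parent]["dnskey"], link["ds"], link["ds_sig"]):
            return "bogus"  # parent did not sign this DS
        if link["ds"] != ds_digest(link["dnskey"]):
            return "bogus"  # DS does not match the child's DNSKEY
    msg = answer["name"].encode() + b" A " + answer["rdata"]
    return "secure" if verify(chain[ZONES[-1]]["dnskey"], msg, answer["sig"]) else "bogus"


# --- scenario: honest chain vs. attacker holding the root private key --------
HONEST = {z: keygen() for z in ZONES}
HONEST_CHAIN = build_chain(HONEST)
HONEST_ANSWER = sign_answer(HONEST, "www.example.fr.", b"192.0.2.1")

# attacker keeps the real root key and mints its own fr. and example.fr. keys
FORGED = {**HONEST, "fr.": keygen(), "example.fr.": keygen()}
FORGED_CHAIN = build_chain(FORGED)
FORGED_ANSWER = sign_answer(FORGED, "www.example.fr.", b"198.51.100.66")

ROOT_ONLY = {".": HONEST["."][1]}
WITH_FR = {".": HONEST["."][1], "fr.": HONEST["fr."][1]}  # registry-published anchor


def run_scenarios():
    return {
        "honest/root-anchor": validate(HONEST_CHAIN, HONEST_ANSWER, ROOT_ONLY),
        "forged/root-anchor": validate(FORGED_CHAIN, FORGED_ANSWER, ROOT_ONLY),
        "honest/root+fr-anchor": validate(HONEST_CHAIN, HONEST_ANSWER, WITH_FR),
        "forged/root+fr-anchor": validate(FORGED_CHAIN, FORGED_ANSWER, WITH_FR),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} {result}")
```

With only the root anchor, the forged chain validates as "secure": every signature checks, because the attacker really holds the key the validator trusts. With the fr. anchor configured as well, the validator ignores the root-signed DS and compares the fr. DNSKEY it received against the configured key, so the forged chain fails as "bogus". The caveat is the one raised in the message: the lower anchor has to be obtained and kept current out of band (registry rollovers have to be tracked by every validator that pins it), which is exactly the management cost and risk that led most operators not to publish or configure such anchors.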