Re: Request for Authenticated but not Encrypted Traffic
Lucas Pardue <lucaspardue.24.7@gmail.com> Sat, 01 October 2022 08:42 UTC
Return-Path: <lucaspardue.24.7@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 839CEC14F739 for <quic@ietfa.amsl.com>; Sat, 1 Oct 2022 01:42:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8kXX05mjv8N0 for <quic@ietfa.amsl.com>; Sat, 1 Oct 2022 01:42:06 -0700 (PDT)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1F19C14F737 for <quic@ietf.org>; Sat, 1 Oct 2022 01:42:06 -0700 (PDT)
Received: by mail-oi1-x230.google.com with SMTP id v130so6998690oie.2 for <quic@ietf.org>; Sat, 01 Oct 2022 01:42:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=HYoAKgxUd8O8hDDn/IEjbfXNboNubRzwnq/pzWPwgIg=; b=Rir5xd5VSBTHi7/P0Ud4YyZrWksrbUHiDWcswJ/nOhHTlf2cxoop4gFGrEms4cuGmv YM7E+O1OGVvjLswWZhLCoaqxucDqSyLdrZetqU5ktbDP+kUCQYyTAZoIR5O0zVk851J7 0tFYbgyvr+tdt3MJCtrYrtddGkRC4lNOceThIJ/VlMhQjcuPeuJT51CryW432z8CsQSv +gglf/fHKp4uj+6AgltzdcEYjODtrQ06NZ3tp4r+XEba0aiQv9ptXxSBMWzIPiCjlIbH bKeQVuGV8vHpTUMkMb5XTZVVTdQCjddgCBYQj2X38HgSnLe7UCMUExylB6xarpxzuDVL OmfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=HYoAKgxUd8O8hDDn/IEjbfXNboNubRzwnq/pzWPwgIg=; b=jZG/RBBqnEXUY0pRrsJJGiraSMRySxuBB03XADdpfV7VT88Lu9e3pWVcdmndOdxBVA OJk78j2SQPltQ62uBx6XsCog7tDyPs0/MGBXPLoB5OnkRPPID6Nli6YA1SfKEfGb9Ory TvI7bwUg+QphrEhdqU2plwRhi/7fqA9+g32eaLbk6/3Zi039FRNaD/zGhIsXOZ6Jsqo7 lA2FFsAo9S/TBkcUFLvJQbaa5ejxOzRoEmoBFKjRf7V01kuMAumid0/EAEfF4MhmmgIV RTMP38j/XwWhvUvff5/BLgwg/gFozj0pfE6jn/IFxdWcd/drX9J4nXRL/KYE2omIhPoW v9bQ==
X-Gm-Message-State: ACrzQf01QY4tiJuOqDlKwtbJjKbyTSWOYmmg1zNe2WMAZckdFaX+37pg UIKpBgSy3kWVvdgmw3+fod/4lkL2+kjKTxdJIIshb9WB
X-Google-Smtp-Source: AMsMyM6wSYq8jODMdE/EMKnOFLO2l2rIwhvh2Y51BR8y6Ux4rzYojckRVUExdsXsFS51TgH6pjAKSeEVzyC/c3WTpXE=
X-Received: by 2002:a05:6808:14cf:b0:350:b76b:cf9a with SMTP id f15-20020a05680814cf00b00350b76bcf9amr731372oiw.249.1664613725572; Sat, 01 Oct 2022 01:42:05 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR08MB82889F488CCA7D8FC4997ACEFA579@SJ0PR08MB8288.namprd08.prod.outlook.com> <CAMm+Lwh1DWyVNL7M6q0gAS77HyN5KXRa3cNn732ivbAMGSFVDg@mail.gmail.com> <SJ0PR08MB82888EE2140D219EF758CF76FA569@SJ0PR08MB8288.namprd08.prod.outlook.com> <da161bf2-2eea-77b9-c96f-e391fe867c3b@lear.ch> <fb875699-312a-497d-0b5c-2da95b26268c@redbarn.org> <140CFDE5-B5AC-4342-8A5D-41D7EE92B43E@tzi.org> <1b7329fd-d447-fb76-9d3c-4e09f58ee0f0@redbarn.org> <18756B86-A5A9-4166-B5D1-8C26C0FA4371@tzi.org> <5b02b637-c005-1414-cd0a-117fa74e55ee@redbarn.org> <CALGR9obigX=_S1Oi26MNZ1EBLkPt=X-W5uFA3D8wu9ZaA1D7xQ@mail.gmail.com> <f44e6fbf-8cfa-0867-1d73-414d124349a2@redbarn.org>
In-Reply-To: <f44e6fbf-8cfa-0867-1d73-414d124349a2@redbarn.org>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Sat, 01 Oct 2022 09:41:47 +0100
Message-ID: <CALGR9oaS6HHcmsP1nhOzDyhh3+49FMdeKKga=NQXPYdM8rmS8Q@mail.gmail.com>
Subject: Re: Request for Authenticated but not Encrypted Traffic
To: Paul Vixie <paul@redbarn.org>
Cc: QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cd119a05e9f5152c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/7YlmBV0vK24z_05kn9hlMzixr2Y>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Oct 2022 08:42:08 -0000
Hi, On Sat, 1 Oct 2022, 08:37 Paul Vixie, <paul@redbarn.org> wrote: > > > Lucas Pardue wrote on 2022-09-30 10:03: > > Hi, > > > > On Fri, Sep 30, 2022 at 5:51 PM Paul Vixie > > <paul=40redbarn.org@dmarc.ietf.org > > <mailto:40redbarn.org@dmarc.ietf.org>> wrote: > > > > > ... > > > > i'd be fine with this, as long as it was possible for my gateway to > > determine at line rate whether each packet trying to get through was > > participating in the Authorized Visibility regime you're describing. > > > > The action seems pretty trivial for QUIC. Endpoints share with trusted > > parties (e.g. a gateway) the TLS session keys and how they are > > associated with one or more QUIC connection IDs. > > i'm pretty sure the chromecast i evicted won't be willing to do that. it > ignored my DHCP assignment of DNS, and insisted on using 8.8.8.8, so i > think google now believes "our device, our rules" which is in stark > opposition to what i believe ("my network, my rules"). just sayin', but, > this should also help explain why i want to observe the devices on my > network and be sure i approve of what they are doing. > The question was "can you determine at line rate if a packet is from a participant of authorized visibility". The answer is yes you probably could. Devices might not opt into that scheme but that seems to be entirely the point, on your network block things if you can't observe or don't like them. In Randy's case this seems quite practical because it sounds like their networks have further requirements, on top of IETF specs, to participate. > > Then it's a simple > > lookup when a packet arrives. If there's no match then, log, alert, drop > > etc. We might debate about packet decryption performance, i'm not sure > > how much margin you have on line rate or how much processing time you > > are willing to throw at it. > > as a rule, observation is harder than reception. decryption performance > is probably where the issues would be. if we can't decrypt all the flows > as fast as the endpoints of each flow can collectively do, we lose. it's > reasonable to do this for all the flows that will fit in 10GBE with > current hardware, but that's a harsh mistress in several likely futures. > an intended receiver has the advantage of being able to slow the sender > down by not answering often enough or soon enough. an observer cannot. > The requirements here are being underspecified to the point of ineffectual response, and seem to shift on each technical solution that is being provided by folks on the list. Do these observeres want to inspect QUIC packets, the QUIC control data, or application data inside STREAM or DATAGRAM information flows? This matters because it determine the amount of state an observer has to hold. Steganography was mentioned by other in this thread, how far does the threat model extend? An observer can totally slow down a QUIC sender. Drop packets and the congestion controller will drop the rate that packets are sent. If the price of admission to your network is some QUIC data transfer performance overhead, that seems like a fair tradeoff. > > On my local machine, Wireshark can do these kinds of lookups via > > SSLKEYLOGFILE files. It would require effort to build a distributed > > system to achieve the same but the technical barriers seem low and > solvable. > > thanks for sharing your experiences. but so far i think i'm going to > have to force the use of a proxy, which will be an intended recipient, > for the reasons given above. > Using a proxy sounds like a very appropriate solution if the requirements are to inspect QUIC control data or application data flows. The QUIC protocol provides no barriers to the use of proxies. Such an L7-aware proxy can add a lot of value when it comes to access control or other per-application flow observation and enforcement. Whether its via session key share, or an inline proxy, its important for end users to explicitly know if the network is able to introspect information that is confidential at layer 8, and to understand where the boundaries for that information access might reside. If the act of LAN observing means that data is made visibile to the WAN, that might be deemed as a poor tradeoff for end users. My data, my rules, so to say. Cheers Lucas
- Request for Authenticated but not Encrypted Traff… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Paul Vixie
- RE: Request for Authenticated but not Encrypted T… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Roberto Peon
- RE: Request for Authenticated but not Encrypted T… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Salz, Rich
- Re: Request for Authenticated but not Encrypted T… Paul Vixie
- Re: Request for Authenticated but not Encrypted T… Phillip Hallam-Baker
- Re: Request for Authenticated but not Encrypted T… Martin Thomson
- RE: Request for Authenticated but not Encrypted T… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Eliot Lear
- Re: Request for Authenticated but not Encrypted T… Paul Vixie
- Re: Request for Authenticated but not Encrypted T… Carsten Bormann
- Re: Request for Authenticated but not Encrypted T… Paul Vixie
- Re: Request for Authenticated but not Encrypted T… Carsten Bormann
- RE: Request for Authenticated but not Encrypted T… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Eliot Lear
- Re: Request for Authenticated but not Encrypted T… Lucas Pardue
- RE: Request for Authenticated but not Encrypted T… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Eliot Lear
- RE: Request for Authenticated but not Encrypted T… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Lars Eggert
- RE: Request for Authenticated but not Encrypted T… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Behcet Sarikaya
- Re: Request for Authenticated but not Encrypted T… Phillip Hallam-Baker
- Re: Request for Authenticated but not Encrypted T… Phillip Hallam-Baker
- RE: Request for Authenticated but not Encrypted T… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Matt Joras
- Re: Request for Authenticated but not Encrypted T… Paul Vixie
- Re: Request for Authenticated but not Encrypted T… Dave Taht
- Re: Request for Authenticated but not Encrypted T… Lucas Pardue
- Re: Request for Authenticated but not Encrypted T… Phillip Hallam-Baker
- Re: Request for Authenticated but not Encrypted T… Christian Huitema
- Re: Request for Authenticated but not Encrypted T… Phillip Hallam-Baker
- RE: Request for Authenticated but not Encrypted T… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Christian Huitema
- Re: Request for Authenticated but not Encrypted T… Christian Huitema
- Re: Request for Authenticated but not Encrypted T… Phillip Hallam-Baker
- RE: Request for Authenticated but not Encrypted T… Randy Armstrong (OPC)
- Re: Request for Authenticated but not Encrypted T… Willy Tarreau
- Re: Request for Authenticated but not Encrypted T… Paul Vixie
- Re: Request for Authenticated but not Encrypted T… Lucas Pardue
- Re: Request for Authenticated but not Encrypted T… Phillip Hallam-Baker
- RE: Request for Authenticated but not Encrypted T… Antoine FRESSANCOURT
- Re: Request for Authenticated but not Encrypted T… Dirkjan Ochtman
- Re: Request for Authenticated but not Encrypted T… Behcet Sarikaya
- Re: Request for Authenticated but not Encrypted T… Lucas Pardue
- Re: Request for Authenticated but not Encrypted T… Phillip Hallam-Baker
- Re: Request for Authenticated but not Encrypted T… Lucas Pardue
- Re: Request for Authenticated but not Encrypted T… Martin Duke
- Re: Request for Authenticated but not Encrypted T… Michael Tuexen
- Re: Request for Authenticated but not Encrypted T… Roberto Peon
- Re: Request for Authenticated but not Encrypted T… Behcet Sarikaya
- Re: Request for Authenticated but not Encrypted T… Lucas Pardue
- Re: Request for Authenticated but not Encrypted T… Eliot Lear
- Re: Request for Authenticated but not Encrypted T… Phillip Hallam-Baker