IETF Logo Mail Archive

Re: Request for Authenticated but not Encrypted Traffic

Christian Huitema <huitema@huitema.net> Fri, 30 September 2022 23:34 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5450BC14CF0B for <quic@ietfa.amsl.com>; Fri, 30 Sep 2022 16:34:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MWaTz2iVk7zH for <quic@ietfa.amsl.com>; Fri, 30 Sep 2022 16:34:03 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74E4BC14F74B for <quic@ietf.org>; Fri, 30 Sep 2022 16:34:03 -0700 (PDT)
Received: from [66.113.192.7] (helo=xse.mail2web.com) by mx258.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1oePVo-000B4F-A1 for quic@ietf.org; Sat, 01 Oct 2022 01:33:46 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4MfRPf1cN4z5Sk for <quic@ietf.org>; Fri, 30 Sep 2022 16:33:42 -0700 (PDT)
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1oePVm-0002DS-36 for quic@ietf.org; Fri, 30 Sep 2022 16:33:42 -0700
Received: (qmail 26249 invoked from network); 30 Sep 2022 23:33:41 -0000
Received: from unknown (HELO [10.0.0.80]) (Authenticated-user:_huitema@huitema.net@[98.60.134.179]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <phill@hallambaker.com>; 30 Sep 2022 23:33:41 -0000
Content-Type: multipart/alternative; boundary="------------QytAW8ogMzxILKSV9UMlNwRE"
Message-ID: <dbf9c81b-38f5-2767-1a1b-3309077764aa@huitema.net>
Date: Fri, 30 Sep 2022 16:33:41 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.13.1
Content-Language: en-US
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: Matt Joras <matt.joras@gmail.com>, "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>, quic@ietf.org
References: <CAMm+Lwgo5i=FD9sMcp+o_N-e5MprDDCDobzjh-FpwGKhiH99iQ@mail.gmail.com> <3C9CC208-E4E1-4F9F-B10A-6ACF485A0CEF@huitema.net> <CAMm+LwhVM+7Db6ZPLuE5A5VLYqocvZWr=hfKcN=HgYhrdLrgTQ@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Subject: Re: Request for Authenticated but not Encrypted Traffic
In-Reply-To: <CAMm+LwhVM+7Db6ZPLuE5A5VLYqocvZWr=hfKcN=HgYhrdLrgTQ@mail.gmail.com>
X-Originating-IP: 66.113.192.7
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.192.0/27
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.192.0/27@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCGc4 eut7ftFk+NSE4QCU5NfmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7Imcau6YoLc4G0fBJNv57OLjy6BQ6V51u76v35b1wNe/MvdJPWWqi c9eoDWW+hxVOsiYx2+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEEIgtEXyXj6S3SDvReMcV 8TXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7hMIABpqqRGKyDs8xujM3cq7Rvkiy9CGpqIMbF0Ys3gbZ50v9KIeAjWFOi/IKXn0wfj qjnyAYjx9M/Gf6IqxeumEnFzsC48bTEFY06/YbB87Wnp38A0INTGEpTnXysFLI/tCB3G1CwpaI3Z 4ESkMWDVK+6UwmK1uxM9Nl9rpN4gsudffRpJqkyJFqb3goc+6bFLm+I9562X5bXaoRsZn7x6ctgz cDoFd+96Xw4QUNtTnQ8uRJebFO5xUmk0k9CGxthpgV17oYjDdohgAyaHYTPx86LodOZj79xdSjzK bqR5XHk0qi1hkw/hDGKWkPVYlXF3BhZxGgZFOwvGprxNGaa6/2rAztFeklLxGNN3KHaPkMjB65Ki hPq1I9TXHnOlSkg/OIORZDl9o+TmclcfPTQwNGP0PwcsocAqk8Y/wQ+e4HndwcgUdq9CmjcVQOst ghA=
X-Report-Abuse-To: spam@quarantine14.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/jTGzLmX1jV3Y66MTLlKPG0W1G0M>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2022 23:34:06 -0000

On 9/30/2022 12:38 PM, Phillip Hallam-Baker wrote:
> On Fri, Sep 30, 2022 at 3:04 PM Christian Huitema<huitema@huitema.net>
> wrote:
>
>> See RFC 9250 for an example of transaction based application using QUIC.
>>
>> -- Christian Huitema
>>
> DNS is an example of an information retrieval service which is the class of
> services that HTTP works for.
>
> What I am looking at are transactions of the form:
>
> Post <EncyclopediaBritannica>
> Analyze <HardProblem>
> Stream <temperatureProbe>
>
> The problem with HTTP for the first is that the receiver doesn't get to
> know how big the data is until the buffer is filled unless Content-Length
> is specified. And that has to be an exact length which kinda makes
> streaming compression hard.

RFC 9250 does not use HTTP. It uses a simple RPC-style interface, 
mapping each RPC transaction to a QUIC stream.

The content length requirement that you cite is entirely an application 
issue. If an application defines its own application level protocol on 
top of QUIC, it can specify messages any which way, including requiring 
explicit message length up front, or in advance.

Of course, this has nothing to do with the claimed requirement to expose 
messages from individual devices to third parties. On that part, the use 
of a Wireshark-style solution appears the most practical, as Martin and 
Lucas pointed out already.

And yes, solutions in which the device being monitored cooperates with 
the monitor don't work if the device does not cooperate. That's a 
generic problem. A compromised device might claim to cooperate, and then 
use some form of steganography to infiltrate or exfiltrate information. 
It could do that even if the transmissions were in clear text. 
Monitoring, in practice, requires cooperation from the monitored device.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email