IETF Logo Mail Archive

Re: Request for Authenticated but not Encrypted Traffic

Lucas Pardue <lucaspardue.24.7@gmail.com> Fri, 30 September 2022 17:03 UTC

Return-Path: <lucaspardue.24.7@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DF1EC14F613 for <quic@ietfa.amsl.com>; Fri, 30 Sep 2022 10:03:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.856
X-Spam-Level:
X-Spam-Status: No, score=-1.856 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1hg-Oi-HHnI9 for <quic@ietfa.amsl.com>; Fri, 30 Sep 2022 10:03:15 -0700 (PDT)
Received: from mail-oa1-x36.google.com (mail-oa1-x36.google.com [IPv6:2001:4860:4864:20::36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2EF3C14F6E7 for <quic@ietf.org>; Fri, 30 Sep 2022 10:03:15 -0700 (PDT)
Received: by mail-oa1-x36.google.com with SMTP id 586e51a60fabf-1318106fe2cso6108620fac.13 for <quic@ietf.org>; Fri, 30 Sep 2022 10:03:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=8pwx9C1FXdD9/hWYyGKJ/WrpXQF1u4kxW2rxj9ttVbc=; b=dLjvolXhifwV/2OBKhR/v0wnybNP1/SAm23P+9o74vdgwrNhhrxG9RFRx2Vk/ckn4W Fx2a/K9Xwe0pNvD/e9SYTzlX2S4M6lQWXOtCt0go/EvwZPwW7UtCDB3mMFPmPaWgSw+Q zS4tKuOqFeMRIGbXQoik6HOqsym+X/03mLMw9oJjIXgefAx9bMuIC3lKbJ8NkA/e0dfv dZn46wbhPyD6iFHlEvVIBxnpgxolr23sLw43oPknuBuPkeYNkpnHbkEJAnZyAPNcde4j 86cBvGJA5EpDY4i1zxOUQHnXnUKGTrTFT6lNPBGmF7JKjKSqHASDyrCpucVU3Cfm67tk 6unQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=8pwx9C1FXdD9/hWYyGKJ/WrpXQF1u4kxW2rxj9ttVbc=; b=rbgtJpEXCiDBIUQh/QAvPzf/V3cgmiuo+qgAHoYiBxXVYUH85JqQRh8/itHK4FXaWl KaeMYDovMqS/k0W8Ek8C3nDKeBaj1Hte0aJbuJvbvZ8TYB2ndIlJPUd5GALZ75zTcAKB CLjmvnaulF6e9SX2fXIsGFNfLlvBUHMraeDwoyUlAvQ/D+Ls1l8+ziZma4X4N/y1tOwe FoGtjcvQrpwi5hgimQM6KcRnFhQVUmioQYyvLxm6hyyY9Lv6QfZ6721OcK6cdvxjBu24 S3vm4vrsVV7ke5NV/CJ3ia73xEvZgnpwqkNb6pU7zngdIP4ork4m6xkF8MBFwUBFfTPc +Ymg==
X-Gm-Message-State: ACrzQf3/8r9FcWB05Tzj9/dx49+jPcVQPKJ9c5nT8dbAHoOzh4esW1p2 xdxv6WwKpJyr/WE6VH+OhDGebT5QEqOK5NmIV+oZSfjh
X-Google-Smtp-Source: AMsMyM6ziVTLvyqH0UYq6w7HovoQ0k04efMxMlMOK/MbYaM7Bg2t6xrgKMMXOI8oT+Y6N+QO73WccyQqzRfiz6Io/Ic=
X-Received: by 2002:a05:6870:630b:b0:128:828:5ec0 with SMTP id s11-20020a056870630b00b0012808285ec0mr5060690oao.249.1664557394337; Fri, 30 Sep 2022 10:03:14 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR08MB82889F488CCA7D8FC4997ACEFA579@SJ0PR08MB8288.namprd08.prod.outlook.com> <CAMm+Lwh1DWyVNL7M6q0gAS77HyN5KXRa3cNn732ivbAMGSFVDg@mail.gmail.com> <SJ0PR08MB82888EE2140D219EF758CF76FA569@SJ0PR08MB8288.namprd08.prod.outlook.com> <da161bf2-2eea-77b9-c96f-e391fe867c3b@lear.ch> <fb875699-312a-497d-0b5c-2da95b26268c@redbarn.org> <140CFDE5-B5AC-4342-8A5D-41D7EE92B43E@tzi.org> <1b7329fd-d447-fb76-9d3c-4e09f58ee0f0@redbarn.org> <18756B86-A5A9-4166-B5D1-8C26C0FA4371@tzi.org> <5b02b637-c005-1414-cd0a-117fa74e55ee@redbarn.org>
In-Reply-To: <5b02b637-c005-1414-cd0a-117fa74e55ee@redbarn.org>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Fri, 30 Sep 2022 18:03:02 +0100
Message-ID: <CALGR9obigX=_S1Oi26MNZ1EBLkPt=X-W5uFA3D8wu9ZaA1D7xQ@mail.gmail.com>
Subject: Re: Request for Authenticated but not Encrypted Traffic
To: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>
Cc: Carsten Bormann <cabo@tzi.org>, "quic@ietf.org" <quic@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000032a5c105e9e7f80b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ypca6dC6VNuU4VZK4WpCQ-BVyb4>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2022 17:03:16 -0000

Hi,

On Fri, Sep 30, 2022 at 5:51 PM Paul Vixie <paul=
40redbarn.org@dmarc.ietf.org> wrote:

> see inline.
>
> Carsten Bormann wrote on 2022-09-30 00:37:
> > On 2022-09-30, at 09:25, Paul Vixie <paul@redbarn.org> wrote:
> >>
> >> what did you have in mind as an example of this, that i might not
> dislike?
> >
> > ...
> >
> > The part I do not understand is why this is always framed in terms of
> > uncontrolled (unrestricted) visibility, i.e., everybody who manages to
> > get hold of a packet has full visibility.
>
> i could live with uncontrolled visibility on my own VM server's internal
> networks, or on my datacenter or home LAN. i am open to other ways to
> achieve the nec'y visibility -- i don't require that it be uncontrolled.
>
> > ...
> >
> > Instead, I'd prefer to pursue something that I'd call Authorized
> > Visibility (AV).  Here, the communication actors explicitly provide
> > visibility to additional justified parties, not simply to any
> > eavesdropper that comes along.  ...
>
> i'd be fine with this, as long as it was possible for my gateway to
> determine at line rate whether each packet trying to get through was
> participating in the Authorized Visibility regime you're describing.
>

The action seems pretty trivial for QUIC. Endpoints share with trusted
parties (e.g. a gateway) the TLS session keys and how they are associated
with one or more QUIC connection IDs. Then it's a simple lookup when a
packet arrives. If there's no match then, log, alert, drop etc. We might
debate about packet decryption performance, i'm not sure how much margin
you have on line rate or how much processing time you are willing to throw
at it.

On my local machine, Wireshark can do these kinds of lookups via
SSLKEYLOGFILE files. It would require effort to build a distributed system
to achieve the same but the technical barriers seem low and solvable.

Cheers
Lucas


> > Grüße, Carsten
> and you.
>
> --
> P Vixie
>
>

v2.23.0 | Report a Bug | By Email