Re: [Spud] Thoughts on the privacy concerns expressed at the BoF

Kyle Rose <krose@krose.org> Wed, 27 July 2016 20:52 UTC

Return-Path: <krose@krose.org>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA9B712DCEE for <spud@ietfa.amsl.com>; Wed, 27 Jul 2016 13:52:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QffSxm9bVjP6 for <spud@ietfa.amsl.com>; Wed, 27 Jul 2016 13:52:46 -0700 (PDT)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0F9112DD01 for <spud@ietf.org>; Wed, 27 Jul 2016 13:52:45 -0700 (PDT)
Received: by mail-qk0-x234.google.com with SMTP id o67so45682287qke.1 for <spud@ietf.org>; Wed, 27 Jul 2016 13:52:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YJO/ej0NZ+kqPaYM39/7C+z9NqaCMbEY2aZ7Pb2ZYzY=; b=CJMK78CgHCoQ63os0r2y08dCR7IBSVKpwU5qWOvVZmprRLHBFVK391dSvG3os2sTNe H+JmQpbRlvQUK+IK9wIGOZJ7vt/qrFlHSY/RU7U63FKcxTBFlSKn1jLQBWN0Y/M7eNWi gIzm4dkFLRhKTRqq3uUtSF5CbWNq7Lp7WGKz8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YJO/ej0NZ+kqPaYM39/7C+z9NqaCMbEY2aZ7Pb2ZYzY=; b=e46uGLHZd4B2K2k0XilPxrkzBiqzGFsY3Q0sU/8G8Mhq72RsSbNG4Z7/3seAxT+mrh N5WwWpyH4AdjDVTWJxQbntnuMg/jRHsH8iMRyuHzvQmzwfjUxdkjFDR21Ol1KeHXXeF1 FxXd4ujQq7ipD+bGVzS3g5jjuodf8fGLhCfKFJvfZTXnAkKhuNwE0+b4nEV7b7vfZwDN sX6oZc40MOxhVR4JiyMst06ycWQJQTrYZX9/CeJS2eRCkkhprpK584lWFB8QMVUVCMM0 0Vj+fpklnBbp6EogYF+Pfm5XlXZYlG2deS+GTY3pODu8g17bX8FkRQ18UycnCyL3IStD dVEw==
X-Gm-Message-State: AEkoouvCijv/E4qVNEUQOl5+TyGygxolx4hJe+YeTlULwzV70441H3Z8wWgdqJMltB9YonlgPlX2dCvrZ0mV1Q==
X-Received: by 10.55.158.139 with SMTP id h133mr6530351qke.51.1469652765007; Wed, 27 Jul 2016 13:52:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.94.70 with HTTP; Wed, 27 Jul 2016 13:52:44 -0700 (PDT)
X-Originating-IP: [72.246.0.14]
In-Reply-To: <E8355113905631478EFF04F5AA706E9831044800@wtl-exchp-2.sandvine.com>
References: <CAJU8_nUDZnYuN0RHHyw0CCoK47mdpJV2OkZTGVeNBa-0p1R0KA@mail.gmail.com> <F6C0D9A5-1E2D-446D-A6E3-9AD148296631@tik.ee.ethz.ch> <CAJU8_nUKL-s0cO3Wn7=B3yZU3-TqWVu8s_ao=rLKnBN9X9vJtg@mail.gmail.com> <E8355113905631478EFF04F5AA706E9831044800@wtl-exchp-2.sandvine.com>
From: Kyle Rose <krose@krose.org>
Date: Wed, 27 Jul 2016 16:52:44 -0400
Message-ID: <CAJU8_nXJRXbYoU8Nb1WWHhViFSvZi3ycwYESA7G1DWMH7nxbTQ@mail.gmail.com>
To: Dave Dolson <ddolson@sandvine.com>
Content-Type: multipart/alternative; boundary=94eb2c075046007da20538a433be
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/daviIjTznJYrKnDr3Y0Qw3TSIMc>
Cc: =?UTF-8?Q?Mirja_K=C3=BChlewind?= <mirja.kuehlewind@tik.ee.ethz.ch>, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] Thoughts on the privacy concerns expressed at the BoF
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 20:52:49 -0000

Funny you should mention that. :-)

When Aaron and I were talking about this earlier, we were basically
throwing ideas around. When we got to this one, I mentioned how it would
neuter BCP 38, but that DoS protection might be achievable via some other
mechanism on a hypothetical future internet (especially since source
address verification only helps with a subset of DoS attacks: the most
difficult kind to deal with are those that are indistinguishable from
legitimate traffic).

At any rate, mentioning obscuring source addresses was not intended as a
well-thought-out proposal to be drafted tomorrow and standardized next
year, only as the kind of thing that might be appealing to privacy
advocates, and possibly feasible on an internet that looks very different
from today's. Just because I can't figure out how to do something doesn't
mean it's impossible.

Kyle


On Wed, Jul 27, 2016 at 4:31 PM, Dave Dolson <ddolson@sandvine.com> wrote:

> Kyle Rose said:
>
> “…I became hopeful that much more information about data flows could be
> obscured in a PLUS-enabled internet than is possible today, perhaps even to
> the point of obscuring source addresses and making flows and maybe even
> individual packets to busy endpoints hard to correlate…”
>
>
>
> The ability to obscure source addresses opens a huge attack surface for
> DDoS attacks, since there is no way to implement BCP 38 (Network Ingress
> Filtering).
>
>
>
> Furthermore, to my knowledge, DDoS attacks are most effectively scrubbed
> precisely by correlating inbound packets with outbound packets that are
> evidence the protected service desires to communicate with the sender.
>
> (I suppose a scrubber could simply discard most source-obscured traffic.)
>
>
>
> Privacy is one side of security, but the ability to resist attacks is
> another important aspect. As far as I know, no one has figured out how to
> mitigate DDoS attacks at the receiving end-point.
>
>
>
> I’m hoping this group can at least agree that mitigating DDoS attacks is a
> legitimate role of devices in the network.
>
>
>
>
>
> -Dave
>
>
>
>
>
>
>
> *From:* Spud [mailto:spud-bounces@ietf.org] *On Behalf Of *Kyle Rose
> *Sent:* Wednesday, July 27, 2016 10:48 AM
> *To:* Mirja Kühlewind
> *Cc:* spud@ietf.org
> *Subject:* Re: [Spud] Thoughts on the privacy concerns expressed at the
> BoF
>
>
>
> On Mon, Jul 25, 2016 at 4:20 PM, Mirja Kühlewind <
> mirja.kuehlewind@tik.ee.ethz.ch> wrote:
>
> As mentioned by Ted, this is actually not what we propose. The mechanism
> we propose is exposing information under endpoint control which is a very
> important point here. The endpoint has to add an option to send (or
> request) a specific bit of information (which also must be registered by
> IANA with IESG approval). This is just the same as TCP options or IP option
> headers. The only difference is that PLUS has a MAC which allows detection
> of middlebox manipulation (which is not the case for other existing
> protocols such as TCP options). This is another a very big and important
> aspect of what we propose with PLUS as our goal is to encrypt everything
> above PLUS including the TCP header and TCP options in future. Especially
> encrypting TCP option is important because TCP options provide much less
> control than what we propose with PLUS today which is a problem (especially
> as currently still unto 90% of the traffic is TCP). So I actually though we
> are on the same page here and have a common goal.
>
> As you probably know from tcpinc discussions it is today not possible to
> just encrypt the whole TCP header because this will lead to huge deployment
> problem (and incentive people to actively block encryption), however,
> providing a replacement mechanism that actually gives the control really
> back to the endpoint and provides the needed (not privacy sensitive)
> information in the network is the goal here. (This also enables protocol
> innovation again because at this point the network does not need to know
> anymore which protocol is used, which makes it even more save).
>
> Of course this can be used to also add additional information that we
> don’t have today in the TCP header (however, we can also define new TCP
> options or IP headers or HTTP extension... and there are existing bad
> examples… or just use them with out an RFC or simply register an
> experimental TCP Option and use it forever and ship products with it...
> or... or... or…). However, the goals is to provide information which can
> actually be used make the network work better. Similar as some information
> that we are exposing today (such as port numbers and/or timestamps), the
> information we are looking for should in it self not be privacy sensitive
> and by using a new approach for exposing we can even take additional care
> now to make sure this information cannot be used in such a way (which is
> not the case for TCP timestamps today as the clock used might identify the
> client). Designing this now with a strong privacy awareness can also just
> improve the situation compared to what we have right now.
>
>
>
> I totally buy the positives here, and I think maybe more language pitching
> and justifying this as at-worst an even trade of privacy concerns by
> removing some existing, completely-unprotected covert/side channels and
> replacing them with only exactly what the path needs to know (humbly, from
> our always limited technical perspective) in order to manage flows in a
> world in which the entire internet is running over UDP is part of what is
> missing from the proposed charter.
>
> I had a long talk about my post with Aaron Falk on Monday, and as a result
> of that conversation I became hopeful that much more information about data
> flows could be obscured in a PLUS-enabled internet than is possible today,
> perhaps even to the point of obscuring source addresses and making flows
> and maybe even individual packets to busy endpoints hard to correlate
> without tap points at every router on the internet doing collective traffic
> analysis. That's a long way off, but that is a future many would like to
> see.
>
> "We don't think this has any additional privacy impact" is a much weaker
> statement than "This can be the foundation for much greater privacy of
> metadata, not just of payload", and is more prone to FUD because it puts
> you on a defensive footing against many possible (and vague) lines of
> attack, and the burden of proof is always on those proposing changes.
> Thinking ahead to what we want the internet to look like in 20 years is a
> prerequisite to making sure that what we're doing lays just enough
> groundwork to make that possible, and is something that I think many
> privacy advocates could get on board with.
>
> (I do also want to add that I recognize a bit of cognitive dissonance in
> myself, as I've repeatedly expressed skepticism about adding real privacy
> at the routing layers on the public internet, versus private networks on
> top of that, like TOR. That said, the antecedents of that skepticism may
> not be true in a 2036 internet, so systematically strengthening the
> desirable properties of the internet's foundations is likely not to be
> wasted work, as long as we have a reasonable idea of where we're headed.)
>
>
>
> Kyle
>