Re: [Spud] SPUD Scope?
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 07 June 2015 21:27 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 4C9661ACE71
for <spud@ietfa.amsl.com>; Sun, 7 Jun 2015 14:27:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8]
autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ZOw6tzwa-b9b for <spud@ietfa.amsl.com>;
Sun, 7 Jun 2015 14:27:47 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108])
by ietfa.amsl.com (Postfix) with ESMTP id 8A94A1ACE6F
for <spud@ietf.org>; Sun, 7 Jun 2015 14:27:47 -0700 (PDT)
Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net
[108.58.6.98])
by che.mayfirst.org (Postfix) with ESMTPSA id 6984FF985;
Sun, 7 Jun 2015 17:27:44 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000)
id CB26121C4C; Sun, 7 Jun 2015 14:30:59 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Ken Calvert <calvert@netlab.uky.edu>
In-Reply-To: <1FA5B1A9-6011-4F39-8503-ACAAB5B649A8@netlab.uky.edu>
References: <EA4C43BE752A194597B002779DF69BAE23D47A3E@ESESSMB303.ericsson.se>
<87h9qn1dkr.fsf@alice.fifthhorseman.net>
<DM2PR0301MB0655E175AD817C6D896F7E7DA8B30@DM2PR0301MB0655.namprd03.prod.outlook.com>
<EA4C43BE752A194597B002779DF69BAE23D48602@ESESSMB303.ericsson.se>
<87oaktvjhi.fsf@alice.fifthhorseman.net>
<1FA5B1A9-6011-4F39-8503-ACAAB5B649A8@netlab.uky.edu>
User-Agent: Notmuch/0.20.1 (http://notmuchmail.org) Emacs/24.4.1
(x86_64-pc-linux-gnu)
Date: Sun, 07 Jun 2015 14:30:59 -0400
Message-ID: <87vbeztlp8.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/hkjOQqIy9tXTs2NBrJDI9881cI8>
Cc: "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] SPUD Scope?
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>,
<mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>,
<mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Jun 2015 21:27:49 -0000
On Sat 2015-06-06 13:44:33 -0400, Ken Calvert wrote: > Some middleboxes are paranoid for good (or at least understandable) > reason: they are there to implement trust domain boundaries. Because > those boundaries don't exist in the original architecture, firewalls > work by overloading mechanisms that are poorly suited for the job. Maybe. This sounds a lot like someone is still thinking in terms of "perimeter defense", but on most modern, public networks, perimeters are *extremely* porous. And of course, once a threat is inside the perimeter, such a defense is useless. > A well-designed mechanism that enables a packet to certify > policy-compliance in-band, without DPI, would at least help with > firewalls. Maybe we just need to start using "the evil bit" as specified: https://tools.ietf.org/html/rfc3514 ;) Apologies for the snark, but that RFC illuminates the difficulties with providing such an indication in a way that satisfies the security goals you're targeting. Would this be done to implement "trust domain boundaries" securely? > Yes, the path is fraught with challenges; I don't disagree with most > of your points. On the other hand, call me an optimist, but I believe > such a mechanism could not only help break the "ossification" logjam, > but perhaps eventually shift the balance of power back toward the end > users by giving them more choices w.r.t. network services. how would this mechanism give the users more choice w.r.t. network services? It looks lke a way to facilitate additional metadata leakage *to* network providers. are you suggesting that some network providers would require more metadata than others, and users collectively ("the marketplace") could collectively select network providers on the basis of their metadata collection policies? If this is the suggestion, i think it vastly overestimates the average user's (a) knowledge of the underlying mechanism, (b) ability to assess their own risk from particular metadata leakage to a given provider, and (c) time available to deal with the choicepoints presented (by each network connection?) by this scenario. --dkg
- [Spud] SPUD Scope? Szilveszter Nadas
- Re: [Spud] SPUD Scope? Daniel Kahn Gillmor
- Re: [Spud] SPUD Scope? Christian Huitema
- Re: [Spud] SPUD Scope? Szilveszter Nadas
- Re: [Spud] SPUD Scope? Daniel Kahn Gillmor
- Re: [Spud] SPUD Scope? Ken Calvert
- Re: [Spud] SPUD Scope? Daniel Kahn Gillmor
- Re: [Spud] SPUD Scope? Mirja Kühlewind
- Re: [Spud] SPUD Scope? FOSSATI, Thomas (Thomas)
- Re: [Spud] SPUD Scope? Szilveszter Nadas
- Re: [Spud] SPUD Scope? Daniel Kahn Gillmor
- Re: [Spud] SPUD Scope? Tom Herbert