LWN: Comments on "Nottingham: Internet protocols are changing"

Nottingham: Internet protocols are changing

flussence — Thu, 18 Jan 2018 02:32:11 +0000

This whole line of logic is going a bit off course, but there *is* a mechanism for suggesting different servers to clients (the Alt-Svc HTTP header, fairly recent addition too).

Nottingham: Internet protocols are changing

immibis — Mon, 08 Jan 2018 00:55:37 +0000

To mitigate that, either the client could look up the host itself and validate the result using a key encode in the URL -or it could just ask the server at the specified IP whether there's a better IP (distributed DNS?).

Nottingham: Internet protocols are changing

nix — Thu, 04 Jan 2018 11:59:19 +0000

As I already wrote: Your unbacked assertion that "I" must be involved in this is both irrelvant and wrong.

Of course I wasn't implying any such thing: 'you' in English can be used to collectively refer to people that do not necessarily include the interlocutor.

Google will burn money trying to stop this from working because politicians will cause a PR disaster if they don't appear to do something. "For the chiilldren" is a very effective rallying cry, even when it relates to matters that children don't care about, or that adolescents care very much about and have diametrically opposing views to their parents on.

Nottingham: Internet protocols are changing

smurf — Fri, 22 Dec 2017 08:25:20 +0000

Well, sometimes the only choice is between a filtered Internet and no Internet at all. The former at least allows you to employ creative solutions to circumvent the stuff.

Nottingham: Internet protocols are changing

Cyberax — Thu, 21 Dec 2017 22:52:31 +0000

I personally have no problems with making life more difficult for third parties that live off Internet censorship. The same technology that is being promoted for "the kids" is also used for everything else.

Nottingham: Internet protocols are changing

rweikusat2 — Thu, 21 Dec 2017 22:25:46 +0000

Always using the same old tricks, are we?

My original statement was that these "internet innovations by Google" would be motivated by making life more difficult for third parties with a good reason to enforce usage policies as enforcement of usage policies would be detrimental to Google revenue. "Parties with a good reason to enforce usage policies" might be "the evil Chineses government" (Google likes talking about that) or "the association of head teachers tasked with preventing porn consumption by minors" (Google likes talking about that much less).

Nottingham: Internet protocols are changing

Cyberax — Thu, 21 Dec 2017 22:13:45 +0000

> As to the "it doesn't work": If it really wouldn't work, why would Google burn money trying to stop it from working?
So that it won't work at all.

Nottingham: Internet protocols are changing

rweikusat2 — Thu, 21 Dec 2017 21:31:11 +0000

As I already wrote: Your unbacked assertion that "I" must be involved in this is both irrelvant and wrong.

Further, your beliefs about the futility of ... are also irrelevant. There are legitmate uses case for what Google would prefer to be referred as "DNS interference".

As to the "it doesn't work": If it really wouldn't work, why would Google burn money trying to stop it from working?

Nottingham: Internet protocols are changing

Cyberax — Sun, 17 Dec 2017 08:15:59 +0000

With the recent migration to secured protocols, ISPs can't do much short of a complete block by an IP address. Nor should they do it.

encryption is a multidimensional spectrum of utilitarian trade-offs

josh — Sun, 17 Dec 2017 03:01:57 +0000

> And to be honest I've seen use cases where http is better than https (mostly a large volume of static pages, iirc).

HTTPS is, at this point, down in the noise with respect to computation. You're certainly not going to become CPU-bound serving static pages over HTTPS.

> If other people secure their networks with the result that I can't communicate

What is preventing you from communicating using encryption? You seem to be phrasing your responses as if HTTPS is a non-starter for you.

> (I regularly come across reference to "security theatre" - actions that LOOK like they improve matters, until you actually look carefully and realise that they do very little, or even make matters worse!)

HTTPS is not one of those things, however.

DOH

scientes — Sun, 17 Dec 2017 02:02:50 +0000

ssh over port 443 https://github.com/shawnl/nginx-ssh

also Tor goes over port 443 for obvious reasons, and has an identical handshake to firefox

encryption is a multidimensional spectrum of utilitarian trade-offs

pizza — Sun, 17 Dec 2017 01:12:58 +0000

> would you recommend that everyone keeps their doors locked to keep strangers out? Sounds like a good idea, until you realise that the whole point of a shop is to welcome random strangers ...

.... during "normal business hours". And said doors will be locked during other times.

You picked a rather poor analogy.

encryption is a multidimensional spectrum of utilitarian trade-offs

Wol — Sun, 17 Dec 2017 00:49:21 +0000

Sorry, I'm not trying to force a confrontation or anything.

If you actually look, you will see all along that I am merely reacting to other people telling me what I should or should not do. You were telling me I should not be using plain http. Why not? And to be honest I've seen use cases where http is better than https (mostly a large volume of static pages, iirc).

If other people secure their networks with the result that I can't communicate, well, I'll cross that bridge when I come to it. But to give a silly example of "security is a bad thing", would you recommend that everyone keeps their doors locked to keep strangers out? Sounds like a good idea, until you realise that the whole point of a shop is to welcome random strangers ...

(I regularly come across reference to "security theatre" - actions that LOOK like they improve matters, until you actually look carefully and realise that they do very little, or even make matters worse!)

Cheers,
Wol

Nottingham: Internet protocols are changing

marcH — Sat, 16 Dec 2017 22:04:51 +0000

> Entirely unsurprisingly, Google is very much interested in ensuring that nobody but Google can access or police data Google applications send to Google data centers.
> Now, the news here is what?

The news is: all this work is done in the open, standardized and can be re-used by anyone or anything outside Google. Say thank you?

Spying on data

marcH — Sat, 16 Dec 2017 22:00:03 +0000

> That's assuming you can control your browser, which for mobile apps using embedded browsers or even http client libs is certainly non-trivial.

If the user of the browser is working in a "bank that has regulatory requirements for visibility" then you can take for granted that not just his or her browser but his entire machine is busy running Data Loss Protection and various other keyloggers (in addition to any traffic scanning further in the network)

Nottingham: Internet protocols are changing

marcH — Sat, 16 Dec 2017 21:49:13 +0000

> If you own endpoints then you should just put your policy there.

Agreed - or subscribe to a *per-endpoint and optional* service offered by your provider.

Nottingham: Internet protocols are changing

marcH — Sat, 16 Dec 2017 21:43:03 +0000

> (also, blocking porn is super futile, kids know perfectly well how to work around filters)

Teenagers actively looking for it, probably yes. Youger kids randomly browsing who don't even know what it is, most certainly not.

encryption is a multidimensional spectrum of utilitarian trade-offs

josh — Sat, 16 Dec 2017 17:31:50 +0000

> Except that http(s) is NOT the internet.

I never claimed it was. Please stop making up things I haven't said and then yelling at me about them.

> What about those of us who don't use the web?

I never said anything about non-http protocols. I do think that protocols that don't have end-to-end encryption should be carefully evaluated, and many of them should go away as well, but my previous comment *only* talked about http and https.

> Or are you saying that the ONLY port in use should be (80)80?

I never said that. (And in any case, port 80 is the insecure one, so I certainly wouldn't be saying *that*, for multiple reasons.)

You seem to be attempting to force an angry confrontation, and I'm not interested. If you want to use insecure protocols, you can always find ways to do so; if you control the software on both ends, you can have them communicate by any means you wish. The tools and infrastructure that the majority of people use will continue to steer people towards secure protocols more and more strongly, so that the path of least resistance becomes safer. Security is often a usability problem, and I applaud the many people working to make the defaults both more secure and more usable.

encryption is a multidimensional spectrum of utilitarian trade-offs

Wol — Sat, 16 Dec 2017 12:47:31 +0000

Except that http(s) is NOT the internet.

What about those of us who don't use the web? Or are you saying that the ONLY port in use should be (80)80?

Plus, at the end of the day YOU are DICTATING to ME what I should use. NOT acceptable!

(I may agree with you - I may think https is better than http - but I might think the exact opposite FOR MY USE CASE!)

Cheers,
Wol

DOH

marcH — Sat, 16 Dec 2017 10:27:29 +0000

https://tools.ietf.org/html/rfc3093 Firewall Enhancement Protocol (FEP)

Nottingham: Internet protocols are changing

marcH — Sat, 16 Dec 2017 10:23:40 +0000

> The problem is when (for example, and this bites me regularly) my private network wants to talk SMTP to your private network, and the public network says "oh no, you can't talk SMTP to anyone but me". (I regularly find myself troubleshooting the aged parent-in-law's laptop, and it would be so much easier to do it in my house except we have different ISPs, so my mail doesn't work there, and his mail doesn't work here.)

Please use a real protocol as an example; I mean anything but the SpaM Transfer Protocol.

Spying on data

accumulator — Sat, 16 Dec 2017 08:18:27 +0000

That's assuming you can control your browser, which for mobile apps using embedded browsers or even http client libs is certainly non-trivial.
That said, apps can already hardcode IP addresses or implement their own custom resolvers anyway..

Nottingham: Internet protocols are changing

Wol — Fri, 15 Dec 2017 09:43:07 +0000

Who cares? It's not your problem/decision what I do.

Okay, my mail server should be configured for end-to-end encryption, BUT THAT'S MY DECISION NOT YOURS. And if all the ISPs did was to route traffic, they would neither know nor care.

Saying "it's easy enough to set up a VPN", what, with somebody in Oz I hardly know, to send maybe a couple of emails a month? Whatever for?

If the ISPs merely route packets, then I have control of the borders of my network. If I want to encrypt everything then that's my choice. If I DON'T want to encrypt everything that's my choice. If every protocol DEFAULTS to encrypted, then I can over-ride it if I want. The point is, I CHOOSE.

The problem at present, is that I cannot assume that *legal* packets will make their way across the internet from my private network to someone else's private network, without the "postal" service snooping and throwing away stuff it happens to take a dislike to.

Cheers,
Wol

Nottingham: Internet protocols are changing

bronson — Thu, 14 Dec 2017 19:59:19 +0000

Are you sure that you want the public internet to route your unencrypted SMTP traffic (and presumably IMAP etc)? Because, as described, that sounds like a mistake.

It's easy enough to set up a VPN!

Nottingham: Internet protocols are changing

nix — Thu, 14 Dec 2017 13:07:06 +0000

Shame it doesn't work. There is no requirement for porn merchants to carefully partition all their porn into separate domains, so either you end up catching a lot of non-porn in your "porn" filters, or you miss a bunch of porn and all your filtration is for nothing (because there is a finite limit to the amount of porn a human being wants to consume, and the amount on any arbitrarily small sliver of the unfiltered Internet is way higher, so *anything* missed means the whole thing is probably pointless).

Also, humans of a certain age are far more motivated to find the stuff than anyone is likely to be to stop it. This is a race you are bound to lose, with considerable collateral damage being the only outcome.

encryption is a multidimensional spectrum of utilitarian trade-offs

josh — Thu, 14 Dec 2017 09:38:27 +0000

> It is not good to advise using encryption blindly.

All HTTP should go away in favor of HTTPS. That's not "using encryption blindly", that's a reasonable response to established threat models.

encryption is a multidimensional spectrum of utilitarian trade-offs

Garak — Thu, 14 Dec 2017 02:47:57 +0000

Yes, ISPs shouldn't tamper with your insecure traffic, but you also shouldn't have insecure traffic because malicious people do exist. Yes, postal services shouldn't read your postcards, but you should use envelopes.

Going without envelopes is fine in many situations- opted-in coupon mailings from a restaurant. If envelopes truly had zero cost, sure you'd throw one of those magic ones on even then. But there are costs. Likewise there are costs for encryption. And though there are some popular ubiquitous variants, it is an important part of the ecosystem that there are variants. Some variants are more and less suited to various use-cases and threat models. A common situation would be some kinds of games and entertainment where the utility of shaving latency outweighs the threat models that encryption protects against. And threat models and applications (and thus their specific usage of encryption) evolve over time. It is not good to advise using encryption blindly. People that do probably also haven't given proper consideration to the true contingency trees and cost/benefit full analysis. They probably have bought into an over simplification that "it's encrypted, nothing bad will ever happen". It's way more complex than that.

Nottingham: Internet protocols are changing

rweikusat2 — Wed, 13 Dec 2017 22:05:20 +0000

Would you please stop talking me about me?

Beliefs about the "futility" of enforcing applicable laws and/or usage policies are of no technical relevance here: DNS "interference" has legitimate use cases.

Nottingham: Internet protocols are changing

Cyberax — Wed, 13 Dec 2017 21:36:14 +0000

If you own endpoints then you should just put your policy there.

(also, blocking porn is super futile, kids know perfectly well how to work around filters)

Nottingham: Internet protocols are changing

rweikusat2 — Wed, 13 Dec 2017 21:26:46 +0000

An organization I happen to know uses (among other things) DNS filtering to stop minors from accessing porn (using publically provided resources). That's something they're (AFAIK) required to do. It's obviously detrimental to the revenue of Google, hence, Google would prefer if this "DNS interference" wasn't possible.

There are other examples were people have a good reason to enforce a usage policy.

Nottingham: Internet protocols are changing

david.a.wheeler — Wed, 13 Dec 2017 19:15:05 +0000

China already prevents access to google.com and most other Google sites. See: https://en.wikipedia.org/wiki/Google_China

DOH

ballombe — Wed, 13 Dec 2017 16:05:09 +0000

Part of the issue is that even encrypted TCP leaks the port number.
So to avoid that only a single port is used, which then become heavily multiplexed.

Nottingham: Internet protocols are changing

epa — Wed, 13 Dec 2017 14:21:34 +0000

I agree, and perhaps google.com was not the best example. It would make more sense to use it only for hostnames that resolve to a single IP address (or a round-robin set where the particular one to use is arbitrary). Or else to extend it to list multiple addresses separated by commas.

I envisaged that if your machine already has a cached IP address for that hostname, you use that as normal. Only if you don't currently have the hostname resolved would you have the option of saving a round trip (or bypassing hostile DNS blocking) by using the address embedded in the URI.

Nottingham: Internet protocols are changing

Wol — Wed, 13 Dec 2017 13:42:15 +0000

But that's down to the private network. The public network should accept/transmit anything it's given.

If the private network doesn't want to receive UDP, that's its decision. If the private network doesn't want outbound DNS queries, that's its decision. If the private network falls over in a heap thanks to stupid decisions, that's its problem.

The problem is when (for example, and this bites me regularly) my private network wants to talk SMTP to your private network, and the public network says "oh no, you can't talk SMTP to anyone but me". (I regularly find myself troubleshooting the aged parent-in-law's laptop, and it would be so much easier to do it in my house except we have different ISPs, so my mail doesn't work there, and his mail doesn't work here.)

Cheers,
Wol

Nottingham: Internet protocols are changing

buchanmilne — Wed, 13 Dec 2017 10:59:16 +0000

The URI specification should allow the hostname to be given as both IP address and name at the same time. https://{google.com:172.217.23.46:ZLgE36lVHk}/ where the last bit is some cryptographic signature from the original nameserver (so if you trust that nameserver with DNSSEC, you will trust that the new name/address pair seen in the URI is correct). That would reduce round trips still further.

But now you've made the experience worse for everyone for whom the best Google PoP or Edge PoP (and of course any other CDN) isn't the same as yours. For example, for me, google.com is one of 6 addresses in 108.177.119/24, but from home it's a totally different range. For people who live 500ms away from you on a slow-ish link (e.g < 1Mbps), this could be the difference between the internet working, and not working (e.g. Youtube doesn't play, Netflix doesn't work, Google images take forever to load, Android App Updates fail).

Nottingham: Internet protocols are changing

tialaramex — Wed, 13 Dec 2017 09:53:30 +0000

I suspect the obvious thing you're missing is that this situation is nothing like either of the stapling mechanisms currently in play?

With OCSP stapling when I connect to a server, and it is going to show me the certificate saying "I'm server A" it can staple the OCSP response which says "I, the OCSP server, promise this certificate for server A is still good". It is trivially able to obtain this response because it has the certificate already, and the response is signed, so it doesn't matter how it is delivered [Yet despite this two of the world's most popular web servers can't get this right...]

With CT stapling when I connect to an OCSP server to ask about server A and it's going to provide an OCSP response "I, the OCSP server, promise this certificate for server A is still good" it can also staple the SCT which says "I, a CT log server promise this certificate was logged at a specific moment of time T", it knows the full set of certificates it cares about [that's what OCSP is for] and so it also has all the SCTs for them if it wants. This too is signed and so it doesn't matter how it's delivered [Although details of how exactly we ensure that bogus proofs are detected are still up in the air]

But with "Flussence DNS Stapling" how does this work? What's signed? Who am I connecting to that knows I need this?

The user just typed bimble.example.com into my browser. I want to use "Flussence DNS Stapling" which I've heard is great and will speed things up. What do I do now? I need to start sending a packet immediately. I don't know where to send it, what should I put in it - the "Flussence DNS Stapling" needs to have fast, reliable answers for both those things or it's useless, because in just a few milliseconds a traditional DNS would probably have an answer.

DOH

jezuch — Wed, 13 Dec 2017 09:52:44 +0000

Well, already 10 years ago I half-jokingly wrote in my master's thesis that HTTP is becoming the 8th layer of the 7 layer OSI model :) That's the ultimate symptom of network ossification. I still hope that can be avoided.

Nottingham: Internet protocols are changing

dottedmag — Wed, 13 Dec 2017 09:19:01 +0000

Or, rather, prescribed by law, depending on the country you happen to reside.

Nottingham: Internet protocols are changing

smurf — Wed, 13 Dec 2017 04:43:25 +0000

No it's not fine. The borders between public and "private" infrastructure is exactly the point where the breakage happens (block anything that's not TCP or UDP, block packets with strange bits set [ECN], …). The border between userspace and kernel is next on the list (want to implement SCTP in userspace because the kernel doesn't know how, but no root? no luck). Otherwise we wouldn't need atrocities like HTTP/2 or QUIC.

Yes, the carriers should not block "strange" protocols, but do they really? IME setting up a random GRE tunnel [i.e. not TCP or UDP] just works.

Nottingham: Internet protocols are changing

josh — Wed, 13 Dec 2017 02:56:49 +0000

It is not, however, a price that a random broken IT department will pay.