Ted Lemon wrote:
> On Mon, Aug 20, 2018 at 12:57 PM, Paul Vixie <[email protected]> wrote:
>> so, their network, but not their rules? when spammers used to tell
>> me that sending spam wasn't illegal and i had to accept it, i
>> blackholed them and said, my network, my rules. who has what rights,
>> and why?
> Paul, take a deep breath. I'm paying for my network service.
if the plural of anecdote were data, i'd counter by saying, my family and
my employees and my visitors do not pay for my network service. but that
way lies madness. your network, your rules. if you're paying for it then
you should make the rules. i pay for mine; i make my own rules.
>> some references i've seen go by in this thread indicate that the DoH
>> team wants its protocol to be unblockable, ...
> I think the DoH team is not quite as cohesive as you think it is,
> but yes, that is one implication of the use of DoH. If you find it
> problematic, then you need to get your end users to proxy all their
> HTTPS traffic through your HTTPS proxy. This will be really obvious
> to them, so you won't be able to do it without their agreement.
indeed, DoT was designed to solve this problem -- it can't be
intercepted or blocked without the user becoming aware of it. but it's
designed to be blockable by network operators who don't want it to be
used. that's better engineering, because it rams nothing down any throat.
> This is by design. This situation has existed since HTTPS has
> existed—it's not something that DoH invented. You've always been able
> to use HTTPS to bypass firewalls; this has good uses and bad. Tough
> luck—see Figure One. :)
see also my own prior work in this area:
https://github.com/BII-Lab/DNSoverHTTP
the difference there was, it's ad hoc, intended to solve point problems
for individuals, and it would be very easy to block if it caused new or
worse problems for the coffee shop or hotel room owner.
DOH is designed to be hard to block and to become ubiquitous. that's a
problem that no amount of gaslighting will reduce the relevance of.
>> if there are use cases beyond violating the law and violating network
>> operator security policy, then they are obviously secondary, but do
>> tell-- what do you think those might be?
> Preventing user behavior tracking seems like a pretty valid use case.
it would be, if it was cheap to block. that is, on my network, under my
rules, user behaviour tracking may be my policy. a user who wants to
avoid that tracking should ask for non-tracking. if they won't ask, or
if i say no, then the default should be non-functionality.
the DOH people are trying to ram something down the throats of network
operators worldwide, and i'm gagging on it. a deep breath won't help.
i also block tor endpoints. because, my network, my rules. if it's
going to be my network but mozilla's or cloudflare's rules, then this
conversation is going to travel very differently, because i'll still
be paying for it, but it won't be _my_ network any more. would that
sit well with you? it wouldn't with me.
> If you think that Mozilla isn't trustworthy, don't use Firefox. It's
> all about trust. It's naive to think that you aren't going to have
> to trust someone; thinking about trust models is no longer optional
> for network operators.
this has nothing to do with trusting mozilla, although in this case,
they are giving me reasons to treat them as a hostile opponent.
this has nothing to do with what i use. for me it's about employees,
family members, and visitors. for turkey and china and others, it's
about national law. the ietf has not been knowingly and deliberately
hostile to local network policy before now. this is a sea change. it
will not end here, and it will escalate.
--
P Vixie
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
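The asymmetry the message argues about (DoT is cheap for an operator to block, DoH is not) is easy to see in enforcement code. The following is an added example, not code from the thread or from any of the projects it names. It classifies constructed flow records (destination IP, port, and the TLS SNI seen in the ClientHello) and applies a "my network, my rules" policy that only permits the operator's own resolvers. DoT is matched by its dedicated port; DoH can only be matched against an assumed, operator-curated list of resolver hostnames, and a DoH endpoint that is not on the list is indistinguishable from ordinary HTTPS and passes. The resolver hostnames in the list and the sample flows are illustrative constructions for this example.

```python
"""Added example: DNS-transport classification under an operator policy.

Shows why port-based blocking works for DoT (RFC 7858, port 853) but not
for DoH, which shares 443 with the rest of the web and is only matchable
by resolver identity (SNI / IP), a list that has to be curated by hand.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

DOT_PORT = 853   # dedicated port: a DoT flow identifies itself
DOH_PORT = 443   # shared with all HTTPS: a DoH flow does not

# Assumed operator-curated denylist of public DoH endpoints. These are
# well-known resolver hostnames, but the list itself is an illustrative
# construction for this example, not an authoritative catalogue.
KNOWN_DOH_SNI: FrozenSet[str] = frozenset({
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    sni: Optional[str] = None  # None when no TLS ClientHello was observed


def classify(flow: Flow, doh_sni: FrozenSet[str] = KNOWN_DOH_SNI) -> str:
    """Label a flow by what the network can observe about its DNS transport."""
    if flow.dport == 53:
        return "dns-plain"
    if flow.dport == DOT_PORT:
        return "dot"                       # unambiguous from the port alone
    if flow.dport == DOH_PORT:
        # Only a listed SNI reveals DoH; anything else looks like the web.
        return "doh-known" if flow.sni in doh_sni else "https"
    return "other"


def decide(flow: Flow, allowed_resolvers: FrozenSet[str],
           doh_sni: FrozenSet[str] = KNOWN_DOH_SNI) -> str:
    """Operator policy: DNS may only go to the operator's own resolvers.

    Flows the network cannot recognise as DNS ('https', 'other') are allowed,
    which is exactly the gap an unlisted DoH endpoint slips through.
    """
    kind = classify(flow, doh_sni)
    if kind in ("dns-plain", "dot", "doh-known"):
        return "allow" if flow.dst in allowed_resolvers else "drop"
    return "allow"


def apply_policy(flows: List[Flow], allowed_resolvers: FrozenSet[str],
                 doh_sni: FrozenSet[str] = KNOWN_DOH_SNI
                 ) -> List[Tuple[Flow, str, str]]:
    """Return (flow, classification, verdict) for every flow."""
    return [(f, classify(f, doh_sni), decide(f, allowed_resolvers, doh_sni))
            for f in flows]


# Constructed sample data: an internal client on a network whose only
# sanctioned resolver is 10.0.0.1.
OPERATOR_RESOLVERS: FrozenSet[str] = frozenset({"10.0.0.1"})
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", "10.0.0.1", 53),                            # sanctioned
    Flow("10.0.0.5", "8.8.8.8", 53),                             # plain DNS elsewhere
    Flow("10.0.0.5", "1.1.1.1", DOT_PORT),                       # DoT: blockable by port
    Flow("10.0.0.5", "1.1.1.1", DOH_PORT, "cloudflare-dns.com"), # DoH on the list
    Flow("10.0.0.5", "203.0.113.10", DOH_PORT, "resolver.cdn.example"),  # DoH not on the list
]

if __name__ == "__main__":
    for flow, kind, verdict in apply_policy(SAMPLE_FLOWS, OPERATOR_RESOLVERS):
        print(f"{flow.dst:>14}:{flow.dport:<4} sni={flow.sni!s:<22} {kind:<10} {verdict}")
```

The last sample flow is the point of the exercise: it is DoH to a resolver that is not on the list, and nothing observable on the wire separates it from a web session, so the "my network, my rules" policy lets it through. Keeping that list current (and dealing with resolvers hosted behind shared addresses) is the ongoing cost that the port-853 rule for DoT never incurs.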