Ted Lemon wrote on 2019-02-12 13:00:
> ...
> I still feel like we are talking past each other.
> What I am saying is that there are a set of different mechanisms, all of
> which use port 443, in order to avoid being subjected to your control
> plane. DoH is in principle one of these. We do not disagree about
> this, as far as I can tell.
> What I think we differ on is the idea that, in the absence of these
> “political tacticians” of whom you speak, this problem would not exist.
> What I am trying to point out is that the situation with DoH is a
> symptom of the problem you are not talking about, not the only instance
> of it.
> You seem to be asserting that DoH is special among all other misuses of
> port 443. But you haven’t explained why it is special. This is what
> I was trying to tease out with my initial response to what you said.
i may have been too brief. however, i reject this false equivalence.
when a new flow or pattern of flows shows up to distant tcp/443
responders, this is detectable. if what's detected exceeds thresholds,
or if it is found to coincide with any other behaviour change, then it
can be investigated, and perhaps made the subject of new policy. no
security is perfect and we can't demand it. what we have is temporary
equilibria that appropriately match investments and known risks.
DoH _specifically_ evades this, by looking as much as possible like
other traffic to IP addresses shared by a lot of existing traffic. this
means the only way to maintain the risk:cost balance of pre-DoH is to
inspect every flow. many network operators can't afford this or can't
otherwise do it. those who can and do, can be expected to be grumpy
about having their risks and costs increased for political reasons.
those who can't or don't, can be expected to be grumpy about losing more
of what little control or visibility they had, for political reasons.
google, ibm, cloudflare, cisco, and other so-called "public dns"
providers will at some point choose whether to offer DoH from shared
addresses, making those shared addresses into risks that the rest of us
have to manage differently; or whether to dedicate DoH to well known
addresses that can be outright blocked. in the latter case, existing
anomaly detection and post-facto investigations and policy shifts will
continue to be good enough.
and that's why DoH is special.
(five paragraphs elided.)
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
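The detection argument in the post above, as an added example that is not code from the thread or from any of the participants: a netflow-style baseline of tcp/443 destination prefixes, a threshold check for flows to prefixes never seen before, and an outright blocklist for a dedicated resolver prefix. The flow records, the internal 10.0.0.x hosts, the RFC 5737 documentation addresses used for the "shared provider" (192.0.2.0/24), the "new cloud endpoint" (198.51.100.0/24) and the "dedicated resolver" (203.0.113.0/28) prefixes, the threshold value and the blocklist are all constructed assumptions for the example. It shows the three outcomes the post describes: a host talking to a new prefix is flagged, a host sending DoH to the shared address is not flagged at all, and a host using a dedicated, well-known resolver address is both flagged and blockable by policy.

```python
"""Flow-baseline anomaly check for tcp/443 destinations (added example).

Not part of the original mailing-list post. tcp/443 flows to a destination
prefix absent from the baseline stand out in ordinary anomaly detection;
DoH sent to an address that already carries plenty of unrelated HTTPS
traffic does not, so finding it means inspecting every flow to that shared
address. All addresses are RFC 5737 documentation ranges and every flow
record below is constructed.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Flow record: (src, dst, dst_port, bytes). Constructed "normal week" baseline.
# 192.0.2.0/24 plays the part of a shared CDN / "public DNS" provider range.
BASELINE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, 4200),
    ("10.0.0.7", "192.0.2.10", 443, 3100),
    ("10.0.0.9", "192.0.2.10", 443, 5100),
    ("10.0.0.5", "192.0.2.20", 443, 900),
    ("10.0.0.7", "192.0.2.20", 443, 1200),
    ("10.0.0.5", "192.0.2.10", 80, 300),  # not tcp/443, ignored by the baseline
]

# Constructed observation window.
NEW_FLOWS = (
    # 10.0.0.5 starts talking to a prefix never seen before: visible.
    [("10.0.0.5", "198.51.100.7", 443, 2000)] * 4
    + [("10.0.0.5", "192.0.2.10", 443, 4100)] * 2
    # 10.0.0.7 sends DoH to the shared address 192.0.2.10: blends in.
    + [("10.0.0.7", "192.0.2.10", 443, 180)] * 6
    # 10.0.0.9 uses a resolver on a dedicated, well-known prefix.
    + [("10.0.0.9", "203.0.113.5", 443, 180)] * 3
)

# Hypothetical operator policy: a dedicated resolver prefix blocked outright.
DEDICATED_RESOLVER_BLOCKLIST = [ip_network("203.0.113.0/28")]


def prefix24(ip: str):
    """Aggregate a destination to its /24 so one provider's pool counts once."""
    return ip_network(f"{ip}/24", strict=False)


def build_baseline(flows):
    """Count tcp/443 flows per destination /24 over the baseline period."""
    counts = Counter()
    for _src, dst, port, _nbytes in flows:
        if port == 443:
            counts[prefix24(dst)] += 1
    return counts


def find_anomalies(baseline, flows, min_new_flows=3):
    """Per source host, tcp/443 flows to prefixes absent from the baseline.

    Returns {src: {"prefix": flow_count}} for sources whose count to some
    new prefix reaches min_new_flows (the "threshold" in the post).
    """
    new_per_src = defaultdict(Counter)
    for src, dst, port, _nbytes in flows:
        if port == 443 and prefix24(dst) not in baseline:
            new_per_src[src][str(prefix24(dst))] += 1
    return {
        src: {p: n for p, n in c.items() if n >= min_new_flows}
        for src, c in new_per_src.items()
        if any(n >= min_new_flows for n in c.values())
    }


def policy_hits(flows, blocklist):
    """Flows to addresses an operator has chosen to block outright."""
    hits = Counter()
    for src, dst, _port, _nbytes in flows:
        if any(ip_address(dst) in net for net in blocklist):
            hits[(src, dst)] += 1
    return hits


def flows_needing_inspection(baseline, flows):
    """tcp/443 flows to already-known prefixes: the only place DoH to a
    shared address could be found, i.e. the per-flow inspection cost."""
    return sum(1 for _s, dst, port, _b in flows
               if port == 443 and prefix24(dst) in baseline)


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("anomalies:", find_anomalies(base, NEW_FLOWS))
    print("policy hits:", dict(policy_hits(NEW_FLOWS, DEDICATED_RESOLVER_BLOCKLIST)))
    print("flows to shared prefixes needing inspection:",
          flows_needing_inspection(base, NEW_FLOWS))
```

Run as-is: 10.0.0.5 is reported for 198.51.100.0/24 and 10.0.0.9 for 203.0.113.0/24 (which the blocklist also catches), while 10.0.0.7's six small DoH flows to 192.0.2.10 produce no anomaly; the only way to see them is to look inside all eight flows to prefixes the baseline already trusts.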