On Jul 7, 2014, at 9:52 AM, Paul Vixie <[email protected]> wrote:

> i wish it noted that i am responding to the general post-snowden call for
> channel secrecy, and that i don't myself see much need for it in the case of
> DNS, but that the proposals i've seen come out of the security community for
> how to add channel secrecy to DNS are alarming in their lack of understanding
> of what DNS is, how large DNS is, and how DNS works. therefore, i'm
> attempting to isolate the cases which might be relevant to somebody, i am
> drumming up a definition of "dissident", and crafting a proposal that would
> protect that mythical person's interests.
>
> the fact that the QNAME can be recovered in many cases by a well resourced
> nation-state actor is meaningless here, since that surveillance would have to
> be targeted, and would be both inaccurate and expensive; whereas the
> surveillance i'm solving for is the ubiquitous kind, which is presently very
> accurate and very cheap.
No, it's ubiquitous and cheap, and reasonably accurate. This type of traffic analysis correlation is bread and butter for a nation-state adversary running a pretty conventional real-time or even near real-time IDS. Doing it on the backbone is not hard, and overall, it's no more complex than analysis we know they do, like identifying ALL users based on cookies and HTTP replies.

It is AMAZING the IDS analyses you can run on a 10 Gbps link when you are using a 20-system cluster.

--
Nicholas Weaver                  it is a tale, told by an idiot,
[email protected]                  full of sound and fury,
510-666-2903                    .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
