On the subject of SNI itself.... lack of support for SNI for a number of legacy browsers still in use means that few sites using SSL can do it any way other than the one-IP(port) per certificate. This is a tragedy in the IPv4 world, but really hardly merits even a shrug in an IPv6 world.
On the other hand, with a 1:1 mapping between IPv6 and DNS name (and certificate), you don't need to see/capture the transport or session(ssl) layer at all to do the traffic analysis. So one gets the traffic analysis at the DNS name from the netflow (aka "Pen Registry") records without eating any multi-gigabit firehoses.

If TLS could become more IKE-like, leaving the SNI and the authentication until after the PFS (maybe it can do this already now), then traffic analysis would be defeated by putting as many sites on the same IP address as possible. (Possibly, this also interacts poorly with some of the various netnanny software, which has unfairly prevented teens from learning enough to protect themselves from STD in the name of protecting them from pr0n.)

My take is that any mechanism (legal and technological) which keeps the middle boxes on a need to know basis only, is good. It might not prevent traffic analysis, but it does help maintain the end to end. (Imagine the state of the world if TCP cryptographically secured the port numbers, or if HTTPS had done that, and NAPTs simply couldn't have worked)

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
