SlideShare a Scribd company logo

Networking in the Penumbra presented by Geoff Huston at NZNOG

APNIC
APNIC

Geoff Huston, Chief Scientist at APNIC, presents 'Networking in the Penumbra' at NZNOG 2024 in Nelson New Zealand from 8 to 12 April 2024.

Internet
1 of 44
Download to read offline
Networking in the Penumbra Geoff Huston AM APNIC
The Trusted Network Networks enjoyed a privileged position of being able to observe: • Who is communicating with whom • What they are saying to each other
The Trusted Network Users have an expectation of privacy in their communications • This expectation was often reinforced through regulatory measures intended to constrain public network operators from disclosing knowledge gained through network operation
The Erosion of Trust Trust has been eroded by intrusive middleware that collects aggregate (and sometimes specific) data on user behaviours • The general adoption of advertising revenue as a means of funding for service platforms acts as a major incentive to assemble detailed profiles of individual users: age, gender, location, educational level, marital status, income, interest, purchase history,… • The better the profile, the higher the value of the user to the advertiser
The Erosion of Trust This network position of trust was further eroded by leakage of the activities of US state-based actors performing various forms of mass surveillance on network users • The Snowden Papers was a watershed moment for the Internet • But it was by no means the first time, nor was it the last • Large scale state-sponsored surveillance continues
So how did we react?
RFC 7258 Pervasive Monitoring is an attack on privacy: “The IETF community's technical assessment is that PM is an attack on the privacy of Internet users and organisations. The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible.” RFC 7258 – May 2014
What did this IETF position mean for the Internet?
Changes to the Applications Hiding Web Traffic • Shift to use TLS for all web transactions – HTTPS • TLS authenticates the identity of the server to the client • Is this service name authentic? Can the service operator demonstrate to the client that is has knowledge of the private part of the key pair that is associated with this DNS service name? • Service transactions are encrypted • TLS generates a session key used to encrypt all subsequent on-the-wire data
HTTPS Today https://radar.cloudflare.com/adoption-and-usage
Changes to the Applications Hiding the DNS • Hide the query and response in DNS resolution transactions from the network • The initial work has concentrated on hiding the DNS query names from the network by encrypting the DNS data exchanged • DNS over TLS • DNS over QUIC • DNS over HTTPS/2 and DNS over HTTPS/3
DoH, DOT Today DNS over HTTPS DNS over TLS https://stats.labs.apnic.net/edns
Can we go further? • Can we hide the two ends from each other such that at no point in the network (and even at the server) are the two ends of the transaction visible at once? • Can we also selectively obscure the content of the transaction such that the endpoints and the content of the transaction are not simultaneously discoverable
MASQUE and Relays • With the use of 2-layer encryption and active relays then its possible to hide the endpoints from the network • There is no single network observation point that can put together the combination of the service identity and the identification of the two endpoints of the service transaction • Only the client endpoint knows its own identity and service, but does not know the identity used by the relay to present the service transaction to the server • The server may use the application-level identity of the client, but does not know the client’s network-level identity (IP address) • This technique can be used in DNS resolution and HTTPS transactions
Apple Private Relay
Sealing up the Peepholes Attention has turned to the Server Name Indication (SNI) field in the TLS handshake • This is the one last part of TLS that is still shown in the clear • Efforts to encrypt this field in a robust manner are being studied • The most effective way to securely communicate the public key that is used to encrypt the SNI (and the entire ClientHello message) appears to be a TLSA record in the DNS (DANE) using DoT or DoH, using a DNSSEC- signed record • A shortcut hack is to use a trusted intermediary (https://blog.cloudflare.com/announcing-encrypted-client-hello/)
Sealing up the Peepholes • And there‘s the the Online Certificate Status Protocol, which can expose the IP address of the client and the name of the service that they are visiting to the CA • Which likely explains why Chrome browsers do not perform“live” certificate revocation checks, and rely instead on short validity periods for certificates* * Which is probably just as bad, but in a different way!
Why are we doing this?
Who wants privacy? Do users really care? • Users cheerfully gave up email privacy in exchange for free email services • Users happily tell Google Search way too much about themselves in exchange for instant answers • In general, users will happily trade off privacy for access to services
If not users, then whom?
If not users, then whom? The folk with the most to gain (or lose)! https://en.wikipedia.org/wiki/List_of_public_corporations_by_market_capitalization
Surveillance Capitalism
Who cares about privacy? • None of the entities who spend large sums to assemble detailed profiles of users want to leak that data to their competitors • So, privacy is about protecting the core asset of gathering individual profiles of users from: • Other services • The common host platform • Common Infrastructure services • The network
Let me rephrase that: We want to allow the application to operate in a mode that obscures its behaviour from: • Other services • The common host platform • Common Infrastructure services • The network
How do you do that? By lifting out as much as you can from the lower levels of the protocol stack that are managed by common services and performing it within the application
So, how do you do that?
Transport Privacy Which means we are looking at how to lift TCP out of the common parts of the host platform and and shift it across to the application We need to change TCP!
Transport Surgery How do you change TCP? • TCP is a kernel function that is defined at the platform level • Applications have no intrinsic ability to alter the TCP characteristics for the application on a customized basis • You could try to define a new transport protocol (such as SCTP) • But the deployed infrastructure (NATs) tends to discard all packets that are not protocol 6 (TCP) or protocol 17 (UDP) • If you want to bypass kernel handling of TCP and get through existing network filters and middleware then you're forced into using UDP • So, you change TCP by using UDP!
QUIC is the new TCP HTTP Multi-stream TLS Session Encryption TCP Data stream integrity Congestion Control HTTP QUIC Multi-stream Encryption Data stream integrity Congestion Control UDP IP HTTP/2 QUIC HTTP/3 e2e encrypted e2e encrypted
QUIC is: • A logical evolutionary step for transport services, providing more flexibility, faster connection setup, and a larger set of transport services • It’s what we should expect from a capable modern transport protocol!
Cloudflare’s Numbers Cloudflare report on observed use levels
APNIC’s Numbers First Fetch – mainly Safari clients Subsequent Fetches – mainly Chrome clients APNIC reports on potential use levels
APNIC’s QUIC Numbers 100
Cisco’s Numbers: Traffic Volume Presentation to RIPE 86: The New Encrypted Protocol Stack and How to Deal with it – Bart van de Velde, Cisco
Why is QUIC important? Because QUIC is faster Because QUIC encrypts everything • No visible transport control settings • No visible Server Name Indication in the crypto-setup • No visible traffic profile other than inter-packet timing Because QUIC is an application capability • QUIC can interact with the platform through the UDP API, so all of QUIC can be implemented within the application. This gives the application more control over its service outcomes and reduces external dependencies
What does this mean for TCP? It’s not looking all that good for TCP’s prospects • QUIC not only does faster start up, but it supports multi-channel in a frictionless manner • QUIC resists network operator efforts to perform traffic shaping through direct manipulation of TCP control parameters • QUIC allows the application service provider to control the congestion behaviour of its sessions
The new Networking Space QUIC is pushing both network carriage and host platform into commodity roles in networking and allowing applications to effectively customize the way in which they want to deliver services and dominating the entire networked environment QUIC is the application’s view of what Transport should be! media network TCP Transport apps media network UDP Transport apps Internal Transport + session security $$$ QUIC and value transform in the network stack $$$
What does this mean for the Internet? • The relationship between applications, hosts and networks has soured into mutual distrust and suspicion • The application now defends its integrity by wrapping up as much of the service transaction with encryption and indirection • QUIC (and MASQUE) is an intrinsic part of this process of wrapping up traffic in encryption and redirection • For the network operator there is little left to see or do. It’s just packet shovelling! • And I suspect that there is no coming back from here!
What can a Network Operator Do? • When all customer traffic is completely obscured and encrypted? • Traffic Shaping? • Regulatory Requirements for traffic interception? • Load Balancing / ECMP
The new Internet Space “What you can’t dominate, you commoditise*” • Vertically integrated service providers have faded away into history - the deregulated competitive service industry continues to specialize rather than generalize at every level • Carriage is no longer an inescapable monopoly - massively replicated content can be used as a substitute for many carriage service elements • Control over the platform is no longer control over the user. Operating systems have been pushed back into a basic task scheduling role, while functions are being absorbed into the application space * A related quote is Peter Thiel’s “Competition is for Losers!”
The new Internet Space • Each service has an ability to define its own operational behaviours that are intrinsic to that service • Which is the antithesis of “interoperability” • We have managed to minimize and commoditize the common parts of the Internet and push the valued functionality and service delivery up into each application • Which means: • “Standards for Interoperability” is dead! • “Open” is a quaint historic notion!
The New Internet Space The hyperscalers have won everything!
Thanks!
44

Recommended

AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
D1-3-Signaling
D1-3-SignalingD1-3-Signaling
D1-3-SignalingOleg Levy
 
40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUIC40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUICAPNIC
 
APPLICATION LAYER PROTOCOLS .pptx
APPLICATION LAYER PROTOCOLS .pptxAPPLICATION LAYER PROTOCOLS .pptx
APPLICATION LAYER PROTOCOLS .pptxArnavPlayz
 
Application Layer.pptx
Application Layer.pptxApplication Layer.pptx
Application Layer.pptxLalanFakir1
 
Computer Networks
Computer NetworksComputer Networks
Computer NetworksShylesh BC
 
Cable Europe factsheet - Internet and traffic management
Cable Europe factsheet - Internet and traffic managementCable Europe factsheet - Internet and traffic management
Cable Europe factsheet - Internet and traffic managementPaulo Valente
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachAplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachSarah R. Dowlath
 

Recommended

AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
D1-3-Signaling
D1-3-SignalingD1-3-Signaling
D1-3-SignalingOleg Levy
 
40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUIC40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUICAPNIC
 
APPLICATION LAYER PROTOCOLS .pptx
APPLICATION LAYER PROTOCOLS .pptxAPPLICATION LAYER PROTOCOLS .pptx
APPLICATION LAYER PROTOCOLS .pptxArnavPlayz
 
Application Layer.pptx
Application Layer.pptxApplication Layer.pptx
Application Layer.pptxLalanFakir1
 
Computer Networks
Computer NetworksComputer Networks
Computer NetworksShylesh BC
 
Cable Europe factsheet - Internet and traffic management
Cable Europe factsheet - Internet and traffic managementCable Europe factsheet - Internet and traffic management
Cable Europe factsheet - Internet and traffic managementPaulo Valente
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachAplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachSarah R. Dowlath
 
Sntvt sentivate presentation_blockfyre
Sntvt sentivate presentation_blockfyreSntvt sentivate presentation_blockfyre
Sntvt sentivate presentation_blockfyreJonathan Habicht
 
38th TWNIC OPM: Future network needs
38th TWNIC OPM: Future network needs38th TWNIC OPM: Future network needs
38th TWNIC OPM: Future network needsAPNIC
 
Minimizing Information Transparency
Minimizing Information TransparencyMinimizing Information Transparency
Minimizing Information TransparencyUsman Arshad
 
It nv51 instructor_ppt_ch9
It nv51 instructor_ppt_ch9It nv51 instructor_ppt_ch9
It nv51 instructor_ppt_ch9newbie2019
 
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaSDr. Shivashankar
 
Web technologies: recap on TCP-IP
Web technologies: recap on TCP-IPWeb technologies: recap on TCP-IP
Web technologies: recap on TCP-IPPiero Fraternali
 
08 coms 525 tcpip - tcp 1
08 coms 525 tcpip - tcp 108 coms 525 tcpip - tcp 1
08 coms 525 tcpip - tcp 1Palanivel Kuppusamy
 
SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure APNIC
 
VNNIC Internet Conference 2022: The Future of the Internet
VNNIC Internet Conference 2022: The Future of the InternetVNNIC Internet Conference 2022: The Future of the Internet
VNNIC Internet Conference 2022: The Future of the InternetAPNIC
 
Individual CommentsYour answers missed there below topics, sp.docx
Individual CommentsYour answers missed there below topics, sp.docxIndividual CommentsYour answers missed there below topics, sp.docx
Individual CommentsYour answers missed there below topics, sp.docxdirkrplav
 
MVA slides lesson 8
MVA slides lesson 8MVA slides lesson 8
MVA slides lesson 8Fabio Almeida- Oficina Eletrônica
 
98 366 mva slides lesson 8
98 366 mva slides lesson 898 366 mva slides lesson 8
98 366 mva slides lesson 8suddenven
 
Transport layer
Transport layer Transport layer
Transport layer Mukesh Chinta
 
Unit 1 web technology uptu slide
Unit 1 web technology uptu slideUnit 1 web technology uptu slide
Unit 1 web technology uptu slideAbhishek Kesharwani
 
QLC Chain--2018
QLC Chain--2018QLC Chain--2018
QLC Chain--2018Toya, Xiaoduo Zhang
 
uniti-websitebasics-230517110223-12e31dbc (1).pptx
uniti-websitebasics-230517110223-12e31dbc (1).pptxuniti-websitebasics-230517110223-12e31dbc (1).pptx
uniti-websitebasics-230517110223-12e31dbc (1).pptxbmit1
 
WebRTC DataChannels demystified
WebRTC DataChannels demystifiedWebRTC DataChannels demystified
WebRTC DataChannels demystifiedVictor Pascual Ávila
 
IETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingIETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingAPNIC
 
wireless application protocol
wireless application protocol wireless application protocol
wireless application protocol Smriti Agrawal
 
Network protocols
Network protocolsNetwork protocols
Network protocolsAbiud Orina
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 

More Related Content

Similar to Networking in the Penumbra presented by Geoff Huston at NZNOG

Sntvt sentivate presentation_blockfyre
Sntvt sentivate presentation_blockfyreSntvt sentivate presentation_blockfyre
Sntvt sentivate presentation_blockfyreJonathan Habicht
 
38th TWNIC OPM: Future network needs
38th TWNIC OPM: Future network needs38th TWNIC OPM: Future network needs
38th TWNIC OPM: Future network needsAPNIC
 
Minimizing Information Transparency
Minimizing Information TransparencyMinimizing Information Transparency
Minimizing Information TransparencyUsman Arshad
 
It nv51 instructor_ppt_ch9
It nv51 instructor_ppt_ch9It nv51 instructor_ppt_ch9
It nv51 instructor_ppt_ch9newbie2019
 
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaSDr. Shivashankar
 
Web technologies: recap on TCP-IP
Web technologies: recap on TCP-IPWeb technologies: recap on TCP-IP
Web technologies: recap on TCP-IPPiero Fraternali
 
SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure APNIC
 
VNNIC Internet Conference 2022: The Future of the Internet
VNNIC Internet Conference 2022: The Future of the InternetVNNIC Internet Conference 2022: The Future of the Internet
VNNIC Internet Conference 2022: The Future of the InternetAPNIC
 
Individual CommentsYour answers missed there below topics, sp.docx
Individual CommentsYour answers missed there below topics, sp.docxIndividual CommentsYour answers missed there below topics, sp.docx
Individual CommentsYour answers missed there below topics, sp.docxdirkrplav
 
98 366 mva slides lesson 8
98 366 mva slides lesson 898 366 mva slides lesson 8
98 366 mva slides lesson 8suddenven
 
Unit 1 web technology uptu slide
Unit 1 web technology uptu slideUnit 1 web technology uptu slide
Unit 1 web technology uptu slideAbhishek Kesharwani
 
uniti-websitebasics-230517110223-12e31dbc (1).pptx
uniti-websitebasics-230517110223-12e31dbc (1).pptxuniti-websitebasics-230517110223-12e31dbc (1).pptx
uniti-websitebasics-230517110223-12e31dbc (1).pptxbmit1
 
IETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingIETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingAPNIC
 
wireless application protocol
wireless application protocol wireless application protocol
wireless application protocol Smriti Agrawal
 
Network protocols
Network protocolsNetwork protocols
Network protocolsAbiud Orina
 

Similar to Networking in the Penumbra presented by Geoff Huston at NZNOG (20)

Sntvt sentivate presentation_blockfyre
Sntvt sentivate presentation_blockfyreSntvt sentivate presentation_blockfyre
Sntvt sentivate presentation_blockfyre
 
38th TWNIC OPM: Future network needs
38th TWNIC OPM: Future network needs38th TWNIC OPM: Future network needs
38th TWNIC OPM: Future network needs
 
Minimizing Information Transparency
Minimizing Information TransparencyMinimizing Information Transparency
Minimizing Information Transparency
 
It nv51 instructor_ppt_ch9
It nv51 instructor_ppt_ch9It nv51 instructor_ppt_ch9
It nv51 instructor_ppt_ch9
 
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
 
Web technologies: recap on TCP-IP
Web technologies: recap on TCP-IPWeb technologies: recap on TCP-IP
Web technologies: recap on TCP-IP
 
08 coms 525 tcpip - tcp 1
08 coms 525 tcpip - tcp 108 coms 525 tcpip - tcp 1
08 coms 525 tcpip - tcp 1
 
SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure
 
VNNIC Internet Conference 2022: The Future of the Internet
VNNIC Internet Conference 2022: The Future of the InternetVNNIC Internet Conference 2022: The Future of the Internet
VNNIC Internet Conference 2022: The Future of the Internet
 
Individual CommentsYour answers missed there below topics, sp.docx
Individual CommentsYour answers missed there below topics, sp.docxIndividual CommentsYour answers missed there below topics, sp.docx
Individual CommentsYour answers missed there below topics, sp.docx
 
MVA slides lesson 8
MVA slides lesson 8MVA slides lesson 8
MVA slides lesson 8
 
98 366 mva slides lesson 8
98 366 mva slides lesson 898 366 mva slides lesson 8
98 366 mva slides lesson 8
 
Transport layer
Transport layer Transport layer
Transport layer
 
Unit 1 web technology uptu slide
Unit 1 web technology uptu slideUnit 1 web technology uptu slide
Unit 1 web technology uptu slide
 
QLC Chain--2018
QLC Chain--2018QLC Chain--2018
QLC Chain--2018
 
uniti-websitebasics-230517110223-12e31dbc (1).pptx
uniti-websitebasics-230517110223-12e31dbc (1).pptxuniti-websitebasics-230517110223-12e31dbc (1).pptx
uniti-websitebasics-230517110223-12e31dbc (1).pptx
 
WebRTC DataChannels demystified
WebRTC DataChannels demystifiedWebRTC DataChannels demystified
WebRTC DataChannels demystified
 
IETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingIETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routing
 
wireless application protocol
wireless application protocol wireless application protocol
wireless application protocol
 
Network protocols
Network protocolsNetwork protocols
Network protocols
 

More from APNIC

APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 

More from APNIC (20)

APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 

Recently uploaded

一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理F
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
Dubai Call Girls First Class O525547819 Call Girls Dubai Hot New Girlfriend
Dubai Call Girls First Class O525547819 Call Girls Dubai Hot New GirlfriendDubai Call Girls First Class O525547819 Call Girls Dubai Hot New Girlfriend
Dubai Call Girls First Class O525547819 Call Girls Dubai Hot New Girlfriendkajalvid75
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理SS
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Local Call Girls in Jharsuguda 9332606886 HOT & SEXY Models beautiful and ch...
Local Call Girls in Jharsuguda 9332606886 HOT & SEXY Models beautiful and ch...Local Call Girls in Jharsuguda 9332606886 HOT & SEXY Models beautiful and ch...
Local Call Girls in Jharsuguda 9332606886 HOT & SEXY Models beautiful and ch...Sareena Khatun
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书F
 
Delivery in 20 Mins Call Girls Cuttack 9332606886 HOT & SEXY Models beautifu...
Delivery in 20 Mins Call Girls Cuttack 9332606886 HOT & SEXY Models beautifu...Delivery in 20 Mins Call Girls Cuttack 9332606886 HOT & SEXY Models beautifu...
Delivery in 20 Mins Call Girls Cuttack 9332606886 HOT & SEXY Models beautifu...Sareena Khatun
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 

Recently uploaded (20)

一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Dubai Call Girls First Class O525547819 Call Girls Dubai Hot New Girlfriend
Dubai Call Girls First Class O525547819 Call Girls Dubai Hot New GirlfriendDubai Call Girls First Class O525547819 Call Girls Dubai Hot New Girlfriend
Dubai Call Girls First Class O525547819 Call Girls Dubai Hot New Girlfriend
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Local Call Girls in Jharsuguda 9332606886 HOT & SEXY Models beautiful and ch...
Local Call Girls in Jharsuguda 9332606886 HOT & SEXY Models beautiful and ch...Local Call Girls in Jharsuguda 9332606886 HOT & SEXY Models beautiful and ch...
Local Call Girls in Jharsuguda 9332606886 HOT & SEXY Models beautiful and ch...
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
Delivery in 20 Mins Call Girls Cuttack 9332606886 HOT & SEXY Models beautifu...
Delivery in 20 Mins Call Girls Cuttack 9332606886 HOT & SEXY Models beautifu...Delivery in 20 Mins Call Girls Cuttack 9332606886 HOT & SEXY Models beautifu...
Delivery in 20 Mins Call Girls Cuttack 9332606886 HOT & SEXY Models beautifu...
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 

Networking in the Penumbra presented by Geoff Huston at NZNOG

  • 2. The Trusted Network Networks enjoyed a privileged position of being able to observe: • Who is communicating with whom • What they are saying to each other
  • 3. The Trusted Network Users have an expectation of privacy in their communications • This expectation was often reinforced through regulatory measures intended to constrain public network operators from disclosing knowledge gained through network operation
  • 4. The Erosion of Trust Trust has been eroded by intrusive middleware that collects aggregate (and sometimes specific) data on user behaviours • The general adoption of advertising revenue as a means of funding for service platforms acts as a major incentive to assemble detailed profiles of individual users: age, gender, location, educational level, marital status, income, interest, purchase history,… • The better the profile, the higher the value of the user to the advertiser
  • 5. The Erosion of Trust This network position of trust was further eroded by leakage of the activities of US state-based actors performing various forms of mass surveillance on network users • The Snowden Papers was a watershed moment for the Internet • But it was by no means the first time, nor was it the last • Large scale state-sponsored surveillance continues
  • 6. So how did we react?
  • 7. RFC 7258 Pervasive Monitoring is an attack on privacy: “The IETF community's technical assessment is that PM is an attack on the privacy of Internet users and organisations. The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible.” RFC 7258 – May 2014
  • 8. What did this IETF position mean for the Internet?
  • 9. Changes to the Applications Hiding Web Traffic • Shift to use TLS for all web transactions – HTTPS • TLS authenticates the identity of the server to the client • Is this service name authentic? Can the service operator demonstrate to the client that is has knowledge of the private part of the key pair that is associated with this DNS service name? • Service transactions are encrypted • TLS generates a session key used to encrypt all subsequent on-the-wire data
  • 11. Changes to the Applications Hiding the DNS • Hide the query and response in DNS resolution transactions from the network • The initial work has concentrated on hiding the DNS query names from the network by encrypting the DNS data exchanged • DNS over TLS • DNS over QUIC • DNS over HTTPS/2 and DNS over HTTPS/3
  • 12. DoH, DOT Today DNS over HTTPS DNS over TLS https://stats.labs.apnic.net/edns
  • 13. Can we go further? • Can we hide the two ends from each other such that at no point in the network (and even at the server) are the two ends of the transaction visible at once? • Can we also selectively obscure the content of the transaction such that the endpoints and the content of the transaction are not simultaneously discoverable
  • 14. MASQUE and Relays • With the use of 2-layer encryption and active relays then its possible to hide the endpoints from the network • There is no single network observation point that can put together the combination of the service identity and the identification of the two endpoints of the service transaction • Only the client endpoint knows its own identity and service, but does not know the identity used by the relay to present the service transaction to the server • The server may use the application-level identity of the client, but does not know the client’s network-level identity (IP address) • This technique can be used in DNS resolution and HTTPS transactions
  • 16. Sealing up the Peepholes Attention has turned to the Server Name Indication (SNI) field in the TLS handshake • This is the one last part of TLS that is still shown in the clear • Efforts to encrypt this field in a robust manner are being studied • The most effective way to securely communicate the public key that is used to encrypt the SNI (and the entire ClientHello message) appears to be a TLSA record in the DNS (DANE) using DoT or DoH, using a DNSSEC- signed record • A shortcut hack is to use a trusted intermediary (https://blog.cloudflare.com/announcing-encrypted-client-hello/)
  • 17. Sealing up the Peepholes • And there‘s the the Online Certificate Status Protocol, which can expose the IP address of the client and the name of the service that they are visiting to the CA • Which likely explains why Chrome browsers do not perform“live” certificate revocation checks, and rely instead on short validity periods for certificates* * Which is probably just as bad, but in a different way!
  • 18. Why are we doing this?
  • 19. Who wants privacy? Do users really care? • Users cheerfully gave up email privacy in exchange for free email services • Users happily tell Google Search way too much about themselves in exchange for instant answers • In general, users will happily trade off privacy for access to services
  • 20. If not users, then whom?
  • 21. If not users, then whom? The folk with the most to gain (or lose)! https://en.wikipedia.org/wiki/List_of_public_corporations_by_market_capitalization
  • 23. Who cares about privacy? • None of the entities who spend large sums to assemble detailed profiles of users want to leak that data to their competitors • So, privacy is about protecting the core asset of gathering individual profiles of users from: • Other services • The common host platform • Common Infrastructure services • The network
  • 24. Let me rephrase that: We want to allow the application to operate in a mode that obscures its behaviour from: • Other services • The common host platform • Common Infrastructure services • The network
  • 25. How do you do that? By lifting out as much as you can from the lower levels of the protocol stack that are managed by common services and performing it within the application
  • 26. So, how do you do that?
  • 27. Transport Privacy Which means we are looking at how to lift TCP out of the common parts of the host platform and and shift it across to the application We need to change TCP!
  • 28. Transport Surgery How do you change TCP? • TCP is a kernel function that is defined at the platform level • Applications have no intrinsic ability to alter the TCP characteristics for the application on a customized basis • You could try to define a new transport protocol (such as SCTP) • But the deployed infrastructure (NATs) tends to discard all packets that are not protocol 6 (TCP) or protocol 17 (UDP) • If you want to bypass kernel handling of TCP and get through existing network filters and middleware then you're forced into using UDP • So, you change TCP by using UDP!
  • 29. QUIC is the new TCP HTTP Multi-stream TLS Session Encryption TCP Data stream integrity Congestion Control HTTP QUIC Multi-stream Encryption Data stream integrity Congestion Control UDP IP HTTP/2 QUIC HTTP/3 e2e encrypted e2e encrypted
  • 30. QUIC is: • A logical evolutionary step for transport services, providing more flexibility, faster connection setup, and a larger set of transport services • It’s what we should expect from a capable modern transport protocol!
  • 32. APNIC’s Numbers First Fetch – mainly Safari clients Subsequent Fetches – mainly Chrome clients APNIC reports on potential use levels
  • 34. Cisco’s Numbers: Traffic Volume Presentation to RIPE 86: The New Encrypted Protocol Stack and How to Deal with it – Bart van de Velde, Cisco
  • 35. Why is QUIC important? Because QUIC is faster Because QUIC encrypts everything • No visible transport control settings • No visible Server Name Indication in the crypto-setup • No visible traffic profile other than inter-packet timing Because QUIC is an application capability • QUIC can interact with the platform through the UDP API, so all of QUIC can be implemented within the application. This gives the application more control over its service outcomes and reduces external dependencies
  • 36. What does this mean for TCP? It’s not looking all that good for TCP’s prospects • QUIC not only does faster start up, but it supports multi-channel in a frictionless manner • QUIC resists network operator efforts to perform traffic shaping through direct manipulation of TCP control parameters • QUIC allows the application service provider to control the congestion behaviour of its sessions
  • 37. The new Networking Space QUIC is pushing both network carriage and host platform into commodity roles in networking and allowing applications to effectively customize the way in which they want to deliver services and dominating the entire networked environment QUIC is the application’s view of what Transport should be! media network TCP Transport apps media network UDP Transport apps Internal Transport + session security $$$ QUIC and value transform in the network stack $$$
  • 38. What does this mean for the Internet? • The relationship between applications, hosts and networks has soured into mutual distrust and suspicion • The application now defends its integrity by wrapping up as much of the service transaction with encryption and indirection • QUIC (and MASQUE) is an intrinsic part of this process of wrapping up traffic in encryption and redirection • For the network operator there is little left to see or do. It’s just packet shovelling! • And I suspect that there is no coming back from here!
  • 39. What can a Network Operator Do? • When all customer traffic is completely obscured and encrypted? • Traffic Shaping? • Regulatory Requirements for traffic interception? • Load Balancing / ECMP
  • 40. The new Internet Space “What you can’t dominate, you commoditise*” • Vertically integrated service providers have faded away into history - the deregulated competitive service industry continues to specialize rather than generalize at every level • Carriage is no longer an inescapable monopoly - massively replicated content can be used as a substitute for many carriage service elements • Control over the platform is no longer control over the user. Operating systems have been pushed back into a basic task scheduling role, while functions are being absorbed into the application space * A related quote is Peter Thiel’s “Competition is for Losers!”
  • 41. The new Internet Space • Each service has an ability to define its own operational behaviours that are intrinsic to that service • Which is the antithesis of “interoperability” • We have managed to minimize and commoditize the common parts of the Internet and push the valued functionality and service delivery up into each application • Which means: • “Standards for Interoperability” is dead! • “Open” is a quaint historic notion!
  • 42. The New Internet Space The hyperscalers have won everything!
  • 44. 44