[AusNOG] Consensus from the IETF 88 Technical Plenary - Internet hardening

Dobbins, Roland rdobbins at arbor.net
Fri Nov 8 15:55:05 EST 2013


On Nov 8, 2013, at 11:06 AM, David Miller <dmiller at tiggee.com> wrote:

> Perhaps, given the current state of DDoS mitigation hardware.  Build better boxes.

It has nothing to do with building better boxes.  How precisely does one use flow-telemetry to detect, say, a SYN-flood inside an encrypted tunnel?  

And flow telemetry is the only way to do that sort of thing at any kind of scale.

And adding more boxes with more copies of keys and certs is in and of itself a vast expansion of the attack surface (most cryptosystems are actually broken via implementation miscues and side-channel attacks).

> I don't buy that.

Whether you 'buy' it or not, it's already happening.

>  If they could have simply bypassed it all and gotten everything from the endpoints, then why were/are they groping inter-DC traffic and longhaul fiber?

Because it's cheaper and easier to do mass surveillance via the network links, obviously.

But, since we're talking about governments, they've nearly in

> Now that the curtain has been pulled back, I expect to see a large amount of pushback from individuals and from those organizations that manage
> said "endpoints".

It won't matter, unless the issues are resolved at the political level.

> What?  Nobody who sells products or services on the internet would want to do away with HTTPS.

Strawman.  I never proposed doing away with HTTP/S for things like credit card numbers, personal information, VPNs, and whatnot.

>  Encryption is already available in a large number of services without yet degrading the overall security posture of
> the internet.

The vast majority of Internet traffic is unencrypted.

> There have been throughout history, many many technical solutions to social ills.

I suspect we have differing definitions of 'social ills'.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
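Added example, not part of Roland's post or of any Arbor product: a minimal SYN-flood detector over NetFlow/IPFIX-style records, run on two constructed datasets to show the point made above about encrypted tunnels. The record layout, addresses, thresholds and the "half-open flow" heuristic are all assumptions for illustration; the constructed tunnelled dataset models the same attack carried inside a single IPsec ESP security association between two gateways, which is what a flow exporter actually sees.

```python
"""
Added example (not from the AusNOG post): a minimal SYN-flood detector over
NetFlow-style flow records, run on two constructed datasets to show why flow
telemetry cannot see a SYN flood carried inside an encrypted tunnel.
All addresses, thresholds and the record layout are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import random

# TCP flag bits as exported in NetFlow v5/v9 and the IPFIX tcpControlBits field.
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
PROTO_TCP, PROTO_ESP = 6, 50


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: int      # cumulative OR of TCP flags seen in the flow; 0 for non-TCP
    packets: int
    octets: int


def detect_syn_flood(flows, min_syn_only_flows=100, min_syn_ratio=0.9):
    """Return {dst: syn_only_flow_count} for destinations that look SYN-flooded.

    Heuristic (assumed, not a vendor algorithm): a TCP flow whose flags show SYN
    but never ACK and that carried at most two packets is a half-open handshake.
    A destination where such flows dominate its TCP flow count, above an absolute
    floor, is reported.
    """
    syn_only = defaultdict(int)
    tcp_total = defaultdict(int)
    for f in flows:
        if f.proto != PROTO_TCP:
            continue  # non-TCP records carry no handshake state at all
        tcp_total[f.dst] += 1
        if f.flags & TCP_SYN and not f.flags & TCP_ACK and f.packets <= 2:
            syn_only[f.dst] += 1
    return {
        dst: n for dst, n in syn_only.items()
        if n >= min_syn_only_flows and n / tcp_total[dst] >= min_syn_ratio
    }


def cleartext_flood(n=500, victim="203.0.113.10", seed=1):
    """Constructed data: n spoofed half-open connections to a web server,
    plus five ordinary completed sessions from a legitimate client."""
    rng = random.Random(seed)
    flows = [
        Flow(f"198.51.100.{rng.randrange(1, 255)}", victim, PROTO_TCP,
             rng.randrange(1024, 65535), 443, TCP_SYN, 1, 60)
        for _ in range(n)
    ]
    flows += [
        Flow("192.0.2.7", victim, PROTO_TCP, 50000 + i, 443,
             TCP_SYN | TCP_ACK | TCP_FIN, 12, 9000)
        for i in range(5)
    ]
    return flows


def tunnelled_flood(n=500, gw_a="192.0.2.1", gw_b="203.0.113.1"):
    """Constructed data: the same n SYNs, but carried inside one IPsec ESP SA
    between two gateways. The exporter sees a single proto-50 flow with no
    ports and no TCP flags; only the packet and byte counters move."""
    return [Flow(gw_a, gw_b, PROTO_ESP, 0, 0, 0, n + 60, n * 116 + 45000)]


if __name__ == "__main__":
    print("cleartext:", detect_syn_flood(cleartext_flood()))
    print("tunnelled:", detect_syn_flood(tunnelled_flood()))
```

On the cleartext dataset the detector reports the victim with 500 half-open flows; on the tunnelled dataset it reports nothing, because the only record it receives is one ESP flow whose packet and byte counters have gone up. A volumetric threshold on that counter can still tell you the tunnel got busier, but not that the payload was a SYN flood, which is the distinction the post is drawing.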
