[AusNOG] Consensus from the IETF 88 Technical Plenary - Internet hardening

Dobbins, Roland rdobbins at arbor.net
Sat Nov 9 01:05:21 EST 2013


On Nov 8, 2013, at 8:11 PM, Damian Guppy <the.damo at gmail.com> wrote:

> I was under the impression that encryption (IPSEC) did not hide the source and destination in the header? I was also unaware that it randomized the size of the packets?

If you configure and deploy and use IPSEC correctly, it provides some obfuscation of traffic patterns.

So, you're arguing that using a cryptosystem which is vulnerable to external traffic analysis somehow provides ordinary citizens with protection from intelligence agencies with multi-zillion-dollar budgets?

You're making my point for me - encryption everywhere, all the time, is security theater, not real security. 

> It would still be trivial to identify a syn flood by seeing a lot of new source addresses sending packets with no payload.

There are other DDoS vectors than SYN floods which use minimum packet sizes.

And how do you mitigate it, whatever 'it' is?

It isn't 'trivial', or it would already have been accomplished, let me assure you.

> Heaven forbid someone would actually have to create this new set of rules though.

I've spent a lot of time on these issues, and there are no simple, obvious solutions to them.  

> Personally if I was paying someone to DDoS mitigate for me I wouldn't have a problem providing them with a key to be able to terminate the traffic.

And you'd be happy if your bank did the same, yes?  And the bank regulators would turn a blind eye to the blatant violation of various regulations that this would entail, wouldn't they?

And of course, any governmental bureaux wanting to snoop the traffic would never get hold of those keys and certs by pwning the middlebox, or bribing an ISP employee, or doing a black-bag job and using any number of side-channels to get at the middlebox, would they?

This isn't a serious discussion, as it seems that there isn't an appreciation of the entire problem-space.  No more replies, and this time, I really mean it.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
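As an added illustration (not part of the thread or either poster's code), the "many new sources, no payload" SYN-flood heuristic from the quoted reply is implemented over constructed packet summaries, beside a variant that uses only what IPsec ESP leaves visible on the wire (outer addresses and packet length, not TCP flags). Record format, addresses, sizes and thresholds are assumptions for the illustration.

```python
# Added example, not from the thread. Packet summaries are constructed tuples
# (src, tcp_flags, packet_len). tcp_flags is None when no TCP flags are
# visible to the observer: either the packet is not TCP, or the transport
# header is encrypted inside ESP. Sizes and thresholds are assumed values.
SMALL = 128  # bytes; "minimum-size" packets for this illustration

SYN_FLOOD = [(f"198.51.100.{i}", "S", 60) for i in range(1, 201)]
# The same flood carried over IPsec: addresses and length still visible,
# flags hidden by ESP, length grown by the ESP overhead.
ESP_SYN_FLOOD = [(src, None, 100) for src, _, _ in SYN_FLOOD]
# A minimum-size non-TCP flood from many new sources.
UDP_FLOOD = [(f"192.0.2.{i}", None, 64) for i in range(1, 201)]
NORMAL = [("203.0.113.5", "S", 60), ("203.0.113.5", "PA", 1500),
          ("203.0.113.9", "S", 60), ("203.0.113.9", "PA", 1500)]
KNOWN = {"203.0.113.5", "203.0.113.9"}  # sources seen before this window


def new_sources_empty_syn(packets, known):
    """The quoted heuristic: distinct unseen sources sending payload-less SYNs.
    Needs the TCP flags, so it sees nothing once the header is inside ESP."""
    return len({src for src, flags, plen in packets
                if flags == "S" and plen <= SMALL and src not in known})


def new_sources_min_size(packets, known):
    """Header-size-only variant: unseen sources sending minimum-size packets.
    Works on what ESP leaves visible, but cannot name the vector."""
    return len({src for src, _, plen in packets
                if plen <= SMALL and src not in known})


def classify(packets, known, threshold=100):
    """Return which rule, if any, fires on the window of packets."""
    if new_sources_empty_syn(packets, known) >= threshold:
        return "syn-flood"
    if new_sources_min_size(packets, known) >= threshold:
        return "min-size-flood (vector unknown)"
    return "none"
```

Run against the three constructed windows, the SYN rule fires only on the cleartext flood; the size-only rule fires on the ESP-wrapped flood and on the UDP flood alike, which is the point that address and size remain visible while the rule that would distinguish the vectors does not.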
