Protocol Evolution - AusNOG · 2017-09-11
TRANSCRIPT
Protocol Evolution and its Impact on Network Operators
Mark Nottingham
https://en.wikipedia.org/wiki/Internet_protocol_suite#/media/File:IP_stack_connections.svg
What Operators Want
1. Operate the Network
• Allocate Resources - link capacity, firewall capacity, services like proxy/cache, DNS…
• Resolve Issues - application faults, connectivity problems, excessive latency…
• Assure Availability - failover, redundancy…
2. Secure the Network
• Identify anomalous traffic / endpoints
• Mitigate threats
• Scan for virus / malware
3. Impose Policy
• Data Loss Prevention
• Content Filtering
• Cost Allocation / Charging
• “Quality of Service”
• Audit
• Access Control (e.g., Captive Portals)
• Child / Prisoner / Student / Employee / Citizen Monitoring
What’s Changing
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/felt
HTTP/2
• Standard in 2015, now in all browsers, 45% of responses
• Major changes:
• Multiplexing
• Header Compression
• Server Push
• Connection Coalescing
• (Practically) Mandatory Encryption
https://http2.github.io
HTTP/2 Operator Impact
• New wire format - if you intercept, don’t assume 1.1
• One connection/origin - more fair, but loss more evident
• More hosts than just SNI - less fine grained
• Forward Secrecy - passive monitoring doesn’t work
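The "don’t assume 1.1" point above in working code: an added example (not from the slides) that classifies the opening bytes of an intercepted stream, after TLS termination or on cleartext h2c, as an HTTP/1.x request line or as the fixed HTTP/2 connection preface, and validates that the preface is followed by the SETTINGS frame RFC 7540 requires. The sample inputs are constructed, not captured traffic.

```python
import struct

# RFC 7540 §3.5: every HTTP/2 connection opens with this fixed 24-byte client preface,
# which must be followed by a SETTINGS frame on stream 0.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_HEADER_LEN = 9          # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
FRAME_TYPE_SETTINGS = 0x4
SETTINGS_NAMES = {0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH",
                  0x3: "MAX_CONCURRENT_STREAMS", 0x4: "INITIAL_WINDOW_SIZE",
                  0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE"}


def parse_frame_header(buf, offset=0):
    """Return (length, type, flags, stream_id) for the HTTP/2 frame header at offset."""
    if len(buf) < offset + FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    hi, lo, ftype, flags, sid = struct.unpack_from("!HBBBI", buf, offset)
    return (hi << 8) | lo, ftype, flags, sid & 0x7FFFFFFF   # top bit of stream id is reserved


def parse_settings(payload):
    """SETTINGS payload: a sequence of 6-byte (identifier, value) pairs (RFC 7540 §6.5.1)."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload is not a multiple of 6 bytes")
    out = {}
    for off in range(0, len(payload), 6):
        ident, value = struct.unpack_from("!HI", payload, off)
        out[SETTINGS_NAMES.get(ident, f"UNKNOWN_{ident:#x}")] = value
    return out


def classify_stream(first_bytes):
    """Classify the client's opening bytes as 'h2c', 'http/1.1', 'http/1.0' or 'unknown'.
    For h2c the second element holds the client's SETTINGS (or an error description)."""
    if first_bytes.startswith(H2_PREFACE):
        try:
            length, ftype, flags, sid = parse_frame_header(first_bytes, len(H2_PREFACE))
        except ValueError as exc:
            return "h2c", {"error": str(exc)}
        if ftype != FRAME_TYPE_SETTINGS or sid != 0:
            return "h2c", {"error": "preface not followed by SETTINGS on stream 0"}
        start = len(H2_PREFACE) + FRAME_HEADER_LEN
        return "h2c", parse_settings(first_bytes[start:start + length])
    # HTTP/1.x request line: METHOD SP request-target SP HTTP-version CRLF
    line, sep, _ = first_bytes.partition(b"\r\n")
    parts = line.split(b" ")
    if sep and len(parts) == 3 and parts[2] in (b"HTTP/1.1", b"HTTP/1.0"):
        return parts[2].decode().lower(), {"method": parts[0].decode(), "target": parts[1].decode()}
    return "unknown", {}


# Constructed sample inputs: an h2c opening (preface + 12-byte SETTINGS frame) and an HTTP/1.1 request.
SAMPLE_H2C = (H2_PREFACE + struct.pack("!HBBBI", 0, 12, FRAME_TYPE_SETTINGS, 0, 0)
              + struct.pack("!HI", 0x3, 100) + struct.pack("!HI", 0x4, 65535))
SAMPLE_H11 = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
```

A TLS ClientHello (first byte 0x16) falls into "unknown" here; in the browser case the preface is only visible once TLS has been terminated.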
TLS 1.3
• Finishing touches on standard; support in Firefox Nightly and Chrome Canary. OpenSSL, et al coming.
• Major changes:
• 1-RTT or 0-RTT Handshake
• Pare down / modernise crypto
• SNI still in the clear (for now)
• Operator impact:
• All PFS, all the time - passive monitoring doesn’t work
ORIGIN + Secondary Certs
• ORIGIN allows a server to specify which hosts a connection can be used for.
• Secondary Certificates allow a server to prove authority for new hosts.
• Use cases:
• Advanced connection coalescing
• Domain fronting
• Operator impact: harder to identify/filter traffic
QUIC
• Currently deployed by Google, others; in standardisation
• Major changes:
• UDP-based, stream semantics
• Avoids TCP HoL blocking
• Collapses transport/crypto/application protocol stack
• Allows mobility - connection ID
• Encrypt all the things - including transport metadata
https://quicwg.github.io
https://dl.acm.org/citation.cfm?id=3029821
QUIC Operator Impact
• New transport protocol - tools, equipment support
• Shift to UDP - breaks assumptions
• Encrypted metadata, incl ACKs, RST
• Passive estimation of latency / loss no longer feasible
• Network can’t just RST conns it doesn’t like
• Connections no longer identified by 5-tuple
• … and connection-ID is optional
DOH!
• DNS-over-HTTPS
• Some ad hoc deployment (e.g., Google Public DNS)
• Currently being considered for chartering in the IETF
• Use case?
[Chart] Results: Google DNS hijacks (%) - countries shown: Madagascar, Iraq, Indonesia, China
https://www.ietf.org/proceedings/99/slides/slides-99-maprg-fingerprint-based-detection-of-dns-hijacks-using-ripe-atlas-01.pdf
DOH Operator Impact
• Split DNS - doesn’t work (?)
• DNS-based policy enforcement - doesn’t work
• DNS-based data gathering - doesn’t work
Summary
• The Internet enables permissionless innovation by design; there’s a lot of recent and ongoing activity
• Assumptions about availability of transport and application protocol information & control to networks are likely to be invalidated
• Focus on strong encryption, reduction of metadata
• Push towards applying policy / mitigations in endpoints
• If this causes issues in operability, please get involved
• … but be aware that there is a healthy amount of skepticism about unsupported claims!