| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Jun 2016 10:11:30 -0700 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Tom Herbert <tom@...bertland.com>, David Miller <davem@...emloft.net> Cc: Linux Kernel Network Developers <netdev@...r.kernel.org>, Kernel Team <kernel-team@...com> Subject: Re: [PATCH net-next 0/8] tou: Transports over UDP - part I On 17.06.2016 20:52, Tom Herbert wrote: > >> > Rather, I think people are going to start adding rules to block TOU >> > tunnels entirely because they cannot inspect nor conditionally >> > filter/rewrite the contents. This is even more likely if Joe Random >> > and so easily can do their own userland TCP stack over TOU. >> > > Unfortunately, encryption is the only proven solution to protocol > ossification. If the network doesn't see it, it can't ossify it. DTLS carries still a lot of information, both in its handshake, as well as in the actual framing. The protocol is basically only TLS on top of datagrams and as such implements connection establishment and tear down of connections, which middle boxes can certainly track. It will just be a matter of time until middle boxes and security appliances will be able to track those connections, maybe not being able to inspect the content but at least see the certificates in clear-text and as such also have the common names and other addressing information at hand. The meta-data might certainly be track able. Because of reply protection you actually can infer the number of bytes transferred and someone can end up building congestion control on a middle box based on that, infer retransmissions etc. Bye, Hannes
Powered by blists - more mailing lists