Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2016-12-29 Thread Richard Clayton
In message <20161229054559.31443.qm...@ary.lan>, John Levine writes

>>I'm seeing how it really helps governments cheaply create and enforce
>>the creation of national internets -- especially with the walled garden
>>features.  Are those the good guys to you, or are there other benefits?
>
>Please see the previous gazillion messages from people who are using
>RPZ in production to keep malware away from their users.
>
>Also see the previous gazillion messages noting that governments do
>all sorts of DNS censorship now and don't need RPZ.

Much DNS censorship in the UK (regimes vary) is only implemented by the
largest ISPs because only they have been able to find the necessary
engineering time (when you operate at scale it's not just about setting
a config option...)

The UK Government (who pressurise the ISPs to block child sexual abuse
images, some file sharing sites and who have grandiose plans to have a
centralised list of malware URLs) tends to be happy because 5 ISPs
cover about 95% of the population...

Everyone involved understands that there isn't at present a turnkey
application that the other 5% (and indeed all the in-house corporate
systems) could deploy so this also makes the people who don't want
the Government messing with their DNS results happy as well because
anyone who rolls their own system pretty much opts out.

>Could you explain in more detail why you don't believe operators will
>continue to use RPZ to protect their users, and why you think hostile
>actors will do things with RPZ that they couldn't do now?

I can foresee Governments taking IETF standardisation of RPZ (that will
be their words) as a way of pressurising those who have not yet deployed
it to do so -- using lists supplied by them.

So although deploying RPZ does a reasonable job of papering over the
cracks in our response to cybercrime I think that on balance it's too
dangerous a tool for the IETF to wish to bless in any way -- it's poor
social hygiene to standardise these types of tools.

I also note from reading the draft that this blessing will freeze in
some rather ugly design (with the authors arguing that the installed
base cannot adjust to something cleaner). If the IETF must do anything
in this space then documenting an interchange standard for DNS related
badness (with annotations to hint at how this badness might affect a
resolver) would seem better engineering and rather less dangerous.

-- 
Dr Richard Clayton
Director, Cambridge Cybercrime Centre                   mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD   tel: +44 (0)1223 763570


___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2016-12-29 Thread Scott Schmit
On Thu, Dec 29, 2016 at 05:45:59AM -, John Levine wrote:
> >I'm seeing how it really helps governments cheaply create and enforce
> >the creation of national internets -- especially with the walled garden
> >features.  Are those the good guys to you, or are there other benefits?
> 
> Please see the previous gazillion messages from people who are using
> RPZ in production to keep malware away from their users.
> 
> Also see the previous gazillion messages noting that governments do
> all sorts of DNS censorship now and don't need RPZ.
> 
> Could you explain in more detail why you don't believe operators will
> continue to use RPZ to protect their users, and why you think hostile
> actors will do things with RPZ that they couldn't do now?

I was specifically asking about the redirect/record replacement
behavior, not the nxdomain/blocking behavior.

-- 
Scott Schmit



Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2016-12-29 Thread John Levine
>> Please see the previous gazillion messages from people who are using
>> RPZ in production to keep malware away from their users.
>> 
>> Also see the previous gazillion messages noting that governments do
>> all sorts of DNS censorship now and don't need RPZ.
>> 
>> Could you explain in more detail why you don't believe operators will
>> continue to use RPZ to protect their users, and why you think hostile
>> actors will do things with RPZ that they couldn't do now?
>
>I was specifically asking about the redirect/record replacement
>behavior, not the nxdomain/blocking behavior.

Providers routinely use sandboxing to quarantine infected users both
to protect their other users (malware can't contact C&C) and to force
them to do something about it, since they can't see anything other
than web sites with cleanup tools.  

I've talked to providers who tell me that this is the least bad way
they've found to get their users to clean up infected boxes.  Even if
a provider could afford to call them on the phone, it doesn't work,
first because users not unreasonably think it's a scam, and second
because the malware doesn't bother them, only other people, so they
blow off advice to fix it.

So I reiterate the same two questions.

R's,
John

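The two behaviours Scott Schmit separates above (NXDOMAIN blocking versus record replacement) and the quarantine John Levine describes both map onto RPZ's CNAME-encoded actions. The evaluator below is an added example, not code from the draft or from BIND: it parses a constructed RPZ zone (the policy zone name `rpz.example`, the domain names and the 192.0.2.0/24 client addresses are all made up) and applies client-IP and QNAME triggers in the draft's precedence order, with exact QNAME matching only and none of the draft's wildcard, IP, NSDNAME or NSIP rules.

```python
import ipaddress

POLICY_ZONE = "rpz.example"  # hypothetical policy zone; all names and addresses below are constructed

# Constructed zone data in the master-file form the draft uses: each trigger is an
# owner name under the policy zone, each action an encoded CNAME target.
RPZ_ZONE = """
cnc.malware.example.rpz.example.         CNAME .              ; NXDOMAIN (block)
tracker.example.rpz.example.             CNAME *.             ; NODATA
updates.vendor.example.rpz.example.      CNAME rpz-passthru.  ; answer normally
32.77.2.0.192.rpz-client-ip.rpz.example. CNAME walledgarden.isp.example. ; quarantine 192.0.2.77
"""

def decode_client_ip(label):
    """'32.77.2.0.192' -> 192.0.2.77/32 (the draft's prefix.B4.B3.B2.B1 encoding)."""
    prefix, b4, b3, b2, b1 = label.split(".")
    return ipaddress.ip_network(f"{b1}.{b2}.{b3}.{b4}/{prefix}", strict=False)

def parse_rpz(text):
    """Return QNAME rules {name: target} and client-IP rules [(network, target)]."""
    qname_rules, client_rules = {}, []
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, rtype, target = line.split()  # only CNAME-encoded actions are modelled here
        trigger = owner[: -(len(POLICY_ZONE) + 2)]  # strip trailing ".rpz.example."
        if trigger.endswith(".rpz-client-ip"):
            client_rules.append((decode_client_ip(trigger[: -len(".rpz-client-ip")]), target))
        else:
            qname_rules[trigger] = target
    client_rules.sort(key=lambda rule: rule[0].prefixlen, reverse=True)  # longest prefix first
    return qname_rules, client_rules

def action_for(target):
    """Map an encoded CNAME target to the policy action it stands for."""
    special = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}
    if target in special:
        return (special[target], None)
    return ("LOCAL-DATA", target.rstrip("."))  # record replacement / redirect

QNAME_RULES, CLIENT_RULES = parse_rpz(RPZ_ZONE)

def policy(qname, client_ip):
    """Decide one query. Client-IP triggers come before QNAME triggers, as in the
    draft's precedence order, so a quarantined client is redirected whatever it asks."""
    ip = ipaddress.ip_address(client_ip)
    for net, target in CLIENT_RULES:
        if ip in net:
            return action_for(target)
    name = qname.rstrip(".")
    if name in QNAME_RULES:
        return action_for(QNAME_RULES[name])
    return ("NONE", None)  # no trigger fired: resolve normally
```

Calling `policy("www.example.org", "192.0.2.77")` returns the walled-garden redirect while the same name from a clean client returns no policy, which is the record-replacement quarantine the thread is arguing about.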


Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2016-12-29 Thread Vernon Schryver
> From: Richard Clayton 

> Everyone involved understands that there isn't at present a turnkey
> application that the other 5% (and indeed all the in-house corporate
> systems) could deploy

I do not understand that.
If the command `nslookup -q=txt -class=CHAOS version.bind` to a UNIX
shell or Windows command prompt on your desktop says anything about
BIND, then chances are good that you are already using one of the
turnkey applications that in-house corporate systems and others have
already deployed and could configure.  Even if there is no sign of
BIND9 from that `nslookup` command, the odds are good that the recursive
server you use has an RPZ taint or will have within months.


> So although deploying RPZ does a reasonable job of papering over the
> cracks in our response to cybercrime I think that on balance it's too
> dangerous a tool for the IETF to wish to bless in any way -- it's poor
> social hygiene to standardise these types of tools.

While I understand how a reasonable person can hold that position,
I think the papered cracks are not only less bad, but the best that
can be hoped for in the real world.


> I also note from reading the draft that this blessing will freeze in
> some rather ugly design (with the authors arguing that the installed
> base cannot adjust to something cleaner). 

That is not the intended meaning of the draft.  Instead it tried to
acknowledge the extreme difficulty of changing an installed base.
Words that convey that intended meaning would be appreciated.


Vernon Schryver    v...@rhyolite.com



Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2016-12-29 Thread william manning
"Let's standardize this 'cause everyone does it" sounds like the medical
community should have standardized on whiskey & leeches & coat hangers
because that's what everyone did.  If this work does proceed, I'd like to
insist that it carry a disclaimer that it is designed specifically for
closed networks and is not to be used in the Internet.
Indeed, the draft is very clear this is for enclaves and not for open
Internet use.


/Wm

On Thu, Dec 29, 2016 at 10:15 AM, Vernon Schryver  wrote:

> > From: Richard Clayton 
>
> > Everyone involved understands that there isn't at present a turnkey
> > application that the other 5% (and indeed all the in-house corporate
> > systems) could deploy
>
> I do not understand that.
> If the command `nslookup -q=txt -class=CHAOS version.bind` to a UNIX
> shell or Windows command prompt on your desktop says anything about
> BIND, then chances are good that you are already using one of the
> turnkey applications that in-house corporate systems and others have
> already deployed and could configure.  Even if there is no sign of
> BIND9 from that `nslookup` command, the odds are good that the recursive
> server you use has an RPZ taint or will have within months.
>
>
> > So although deploying RPZ does a reasonable job of papering over the
> > cracks in our response to cybercrime I think that on balance it's too
> > dangerous a tool for the IETF to wish to bless in any way -- it's poor
> > social hygiene to standardise these types of tools.
>
> While I understand how a reasonable person can hold that position,
> I think the papered cracks are not only less bad, but the best that
> can be hoped for in the real world.
>
>
> > I also note from reading the draft that this blessing will freeze in
> > some rather ugly design (with the authors arguing that the installed
> > base cannot adjust to something cleaner).
>
> That is not the intended meaning of the draft.  Instead it tried to
> acknowledge the extreme difficulty of changing an installed base.
> Words that convey that intended meaning would be appreciated.
>
>
> Vernon Schryver    v...@rhyolite.com
>


Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2016-12-29 Thread Ted Lemon
On Dec 29, 2016, at 4:51 PM, william manning  wrote:
> I'd like to insist

Can you explain what you mean by this from a process perspective?



Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2016-12-29 Thread joel jaeggli
On 12/29/16 1:51 PM, william manning wrote:
> "Let's standardize this 'cause everyone does it" sounds like the medical
> community should have standardized on whiskey & leeches & coat hangers
> because that's what everyone did.  If this work does proceed, I'd like to
> insist that it carry a disclaimer that it is designed specifically for
> closed networks and is not to be used in the Internet.

This sounds like an applicability statement to be included in the
introduction.

> Indeed, the draft is very clear this is for enclaves and not for open
> Internet use.
> 
> 
> /Wm
> 
> On Thu, Dec 29, 2016 at 10:15 AM, Vernon Schryver wrote:
> 
> > From: Richard Clayton
> 
> > Everyone involved understands that there isn't at present a turnkey
> > application that the other 5% (and indeed all the in-house corporate
> > systems) could deploy
> 
> I do not understand that.
> If the command `nslookup -q=txt -class=CHAOS version.bind` to a UNIX
> shell or Windows command prompt on your desktop says anything about
> BIND, then chances are good that you are already using one of the
> turnkey applications that in-house corporate systems and others have
> already deployed and could configure.  Even if there is no sign of
> BIND9 from that `nslookup` command, the odds are good that the recursive
> server you use has an RPZ taint or will have within months.
> 
> 
> > So although deploying RPZ does a reasonable job of papering over the
> > cracks in our response to cybercrime I think that on balance it's too
> > dangerous a tool for the IETF to wish to bless in any way -- it's poor
> > social hygiene to standardise these types of tools.
> 
> While I understand how a reasonable person can hold that position,
> I think the papered cracks are not only less bad, but the best that
> can be hoped for in the real world.
> 
> 
> > I also note from reading the draft that this blessing will freeze in
> > some rather ugly design (with the authors arguing that the installed
> > base cannot adjust to something cleaner).
> 
> That is not the intended meaning of the draft.  Instead it tried to
> acknowledge the extreme difficulty of changing an installed base.
> Words that convey that intended meaning would be appreciated.
> 
> 
> Vernon Schryver    v...@rhyolite.com
> 