On Jul 17, 2017 12:29 PM, "Roland Dobbins" <rdobb...@arbor.net> wrote:
> On 17 Jul 2017, at 21:11, Watson Ladd wrote:
>
>> How do you detect unauthorized access separate from knowing what
>> authorization is?
>
> I think we're talking at cross purposes, here. Can you clarify?

You said you need to look at packets to see unauthorized access. How do you
know that access is unauthorized unless the authorization system is doing the
monitoring?

>> Yes, but you'll rot13 or rot 128 the file first. Why wouldn't you?
>
> Many don't. And being able to see rot(x) in the cryptostream has value.

As the IRA pointed out to the Prime Minister, she needed to get lucky every
time.

>> And the endpoints taking logs won't be?
>
> Logs are no substitute for seeing the packets on the wire.

Then log the raw plaintext stream.

>> Applications can rate-limit their own endpoints.
>
> There's a lot more to DDoS defense than rate-limiting. Rate-limiting often
> leads to gross overblocking.

>> You're telling me a dedicated out-of-stream box can handle this but a
>> beefy server cannot?
>
> Sadly, in all too many cases, yes.

... something is wrong here.

>> No one is taking away the ability to log the PMS to a file. That's the
>> capacity which exists now.
>
> But the capacity in question here is to see the packets on the wire.

Wireshark can use that file to decrypt packets on the wire. Today. What is the
problem with that?

>> Alternatively it's because you've decided to run your networks in ways
>> very different from the public internet and used this as a way to avoid
>> organizational battles over giving operations the tools they need to work.
>
> I think that some perceptions of how these things are done even on the
> public Internet may be a bit circumscribed.
>
> The tools that network engineers and security personnel need analyze
> network traffic. Logs are insufficient.
>
> -----------------------------------
> Roland Dobbins <rdobb...@arbor.net>
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
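The "log the PMS to a file" option discussed in this thread is, in practice, the NSS Key Log Format that Wireshark reads; the following is an added example (not from the thread or from any of its participants) that parses such a file and reports, per session, what a keylog-driven decryptor can recover. It assumes the documented NSS label names and lengths (a 32-byte client random, a 48-byte TLS 1.2 master secret, hash-length TLS 1.3 traffic secrets); the sample lines are constructed, not from a real capture.

```python
"""Parse an NSS key log (the file Wireshark consumes) and report which
sessions it makes decryptable. Added example, constructed sample data."""
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Expected secret length in bytes per label; None means "hash length",
# i.e. 32 (SHA-256) or 48 (SHA-384) bytes for TLS 1.3 traffic secrets.
LABEL_SECRET_LEN = {
    "CLIENT_RANDOM": 48,                    # TLS 1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": None,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None,
    "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None,
    "EARLY_EXPORTER_SECRET": None,
    "EXPORTER_SECRET": None,
}

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_bytes}}, dropping bad lines."""
    sessions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in LABEL_SECRET_LEN:
            continue
        label, client_random, secret = parts
        if len(client_random) != 64 or not HEX.match(client_random):
            continue
        if not HEX.match(secret) or len(secret) % 2:
            continue
        want = LABEL_SECRET_LEN[label]
        ok = len(secret) == 2 * want if want else len(secret) in (64, 96)
        if not ok:
            continue
        sessions.setdefault(client_random.lower(), {})[label] = bytes.fromhex(secret)
    return sessions

def decryptable(sessions):
    """Classify each session by which record layers a keylog lets one decrypt."""
    result = {}
    for cr, secrets in sessions.items():
        if "CLIENT_RANDOM" in secrets:        # TLS 1.2: master secret is enough
            result[cr] = "tls12"
            continue
        have = set(secrets)
        stages = []
        if {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"} <= have:
            stages.append("handshake")
        if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= have:
            stages.append("application")
        result[cr] = "tls13:" + ("+".join(stages) or "incomplete")
    return result

# Constructed sample: one TLS 1.2 session, one complete TLS 1.3 session,
# one TLS 1.3 session missing its server half, and one malformed line.
SAMPLE = "\n".join([
    "# constructed sample, not a real capture",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "55" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "66" * 32,
    "CLIENT_RANDOM " + "dd" * 32 + " " + "zz" * 48,
])
```

Note that for TLS 1.3 the file carries derived traffic secrets, not a premaster secret, so a session is only recoverable if both directions of the relevant stage were logged by the endpoint.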