On 2019-03-12 2:52 p.m., Ted Hardie wrote:
> the feasibility of this migration. We also acknowledge that many
> network operations activities today, from traffic management and
> intrusion detection to spam prevention and policy enforcement, assume
> access to cleartext payload. For many of these activities there are no
> solutions yet, but the IAB will work with those affected to foster
> development of new approaches for these activities which allow us to
> move to an Internet where traffic is confidential by default.

So... would someone be able to identify some of the 'new approaches'
which help security practitioners ply their trade?

If these approaches were identified, then perhaps there would be less
resistance to maintaining access to the cleartext flows we use to
maintain security state.

> by default. You have been working around that, rather than developing
> new practices. I invite you instead to consider how you can accomplish
> what you need to in an Internet where all traffic is confidential.

Can some of these new practices be part of the protocol development process?

> Enterprises are currently doing that via managed software and
> environments, and that approach seems to be well in line with your
> practices below. Using resolution systems for this will not accomplish
> what you need now, nor will it do so going forward; it is time for a
> different approach, rather than seeking to return to cleartext.

Where can I read up on some of these practices?

> The situation that moved this community to that stance was well laid out
> in IETF 88. We must acknowledge that not all devices which are on-path
> are controlled by entities known to the user or network operator and not
> all of them are acting in the interests of those parties. Protecting
> against that threat requires us to change our ways. Please help, rather
> than working around the effort.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop