> On Mar 19, 2019, at 11:17 PM, Brian Dickson <brian.peter.dick...@gmail.com>
> wrote:
>
>
>
> On Tue, Mar 19, 2019 at 6:42 PM Stephen Farrell <stephen.farr...@cs.tcd.ie>
> wrote:
>
> Hiya,
>
> One individualistic data point on this sub-topic, and a real point:
>
> On 20/03/2019 01:13, Jared Mauch wrote:
> > My impression is there are people who will not be satisfied until all
> > traffic looks
> > identical and you have zero way to protect your home,
>
> I do not claim that everyone ought do the same, but I absolutely
> do claim that encouraging voluntary policy adherence by dealing
> with the people using the n/w is preferable to many egregiously
> invasive attempts to force technical policy enforcement on
> unwilling serf-like users.
>
> So, this is the problem:
> - If a network operator has any policy that is enforceable, ONLY the
> technical policy enforcement model scales.
> - In such an environment, there are only, ever, "willing users", because, in
> order to use the network, they are required to agree to the policies.
>
> This makes the argument you have above, a vacuously defined one.
> You want to encourage voluntary policy adherence for a non-existent set of
> otherwise unwilling users.
>
> I understand your position: you would prefer that {some,all} networks were
> not employing policies that {you,some people} disagree with.
> I sympathize, but I disagree. What we need are mechanisms that scale.
> My position (personally) is that we find ways to have scalable, technical
> mechanisms.
> They should allow users (or machine administrators) to be as compliant as
> they are willing, and no more.
> They should allow networks to enforce their policies, while treading as
> lightly as possible.
> It should be possible to use technical means to handle this negotiation with
> little to no user input required.
> The analogy is roughly that of escalation-of-force in law enforcement,
> starting at a level of "polite requests".
>
> You can disagree, but I implore you: please don't stand in the way of those
> wanting to find consensus on scalable, flexible, technical solutions that
> encompass a wide range of network policies and enforcement needs.
>
> The main point is, I believe the end result will be mechanisms that allow you
> to deploy networks that meet your needs, and software that you can configure
> to bypass such controls, but that neither of those should ever be the default
> configurations.
>
> If the results allow you to do what you want/need, and also allow others to
> do what they want/need, everyone should be happy enough with the result.
>
> Can we at least agree on this as a desired goal for this work?
Often as an industry we may discuss various solutions that are great for
oneself but don’t scale when looking at the big picture. I’m of the feeling
that not everything should be a standard, even things that look like they might
be standard-ish. I could encode many things over TCP over TLS over QUIC over
HTTP. I’ve seen unencoded data stored in DNS TXT records that have
sorted/ordered information so you can do interesting things.
Just because one can do these things doesn’t mean one should, or that the
entirety of the industry should (or even will).
Goals and motivations are key here, if the goal is to make it such that
dissidents whose lives may be threatened (this is an example a co-worker always
uses on me in these types of conversations to support their position) by the
local regime may face a threatening situation or die as a result of using
technology, it’s not the fault of the protocol. Should we improve for every
corner case like this? As vixie has pointed it, it may be an innocuous device
like a chromecast where the ISP provided DNS is horrible. (I can think of many
bad devices in the consumer space that break the DNS spec in really unique
ways). It’s entirely possible that the appliance works best when not using
that ISP service, but it is also data leakage to a large global company that
for reasonable or unreasonable purposes he doesn’t want to transact with.
When we create technologies that can bypass and traverse the existing security
posture of networks (evil foreign telecoms, where’s my pitchfork) or a coffee
shop, library, home or large enterprise… expect the work to be held to a higher
standard.
It may be that there’s not consensus on this topic. It may be I’m an outlier
and have been subverted by <insert boogeyman of the week here>, but the most
likely case is there be dragons here and we should tread carefully to not burn
down the entire place.
- Jared
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
