Lucas Pardue wrote on 2022-09-30 10:03:
Hi,

    On Fri, Sep 30, 2022 at 5:51 PM Paul Vixie <[email protected]> wrote:

        > ...

        i'd be fine with this, as long as it was possible for my gateway to
        determine at line rate whether each packet trying to get through was
        participating in the Authorized Visibility regime you're describing.

    The action seems pretty trivial for QUIC. Endpoints share with trusted parties (e.g. a gateway) the TLS session keys and how they are associated with one or more QUIC connection IDs.

i'm pretty sure the chromecast i evicted won't be willing to do that. it ignored my DHCP assignment of DNS, and insisted on using 8.8.8.8, so i think google now believes "our device, our rules", which is in stark opposition to what i believe ("my network, my rules"). just sayin', but this should also help explain why i want to observe the devices on my network and be sure i approve of what they are doing.

    Then it's a simple lookup when a packet arrives. If there's no match then, log, alert, drop etc. We might debate about packet decryption performance, i'm not sure how much margin you have on line rate or how much processing time you are willing to throw at it.

as a rule, observation is harder than reception. decryption performance is probably where the issues would be. if we can't decrypt all the flows as fast as the endpoints of each flow can collectively do, we lose. it's reasonable to do this for all the flows that will fit in 10GbE with current hardware, but that's a harsh mistress in several likely futures. an intended receiver has the advantage of being able to slow the sender down by not answering often enough or soon enough. an observer cannot.

    On my local machine, Wireshark can do these kinds of lookups via SSLKEYLOGFILE files. It would require effort to build a distributed system to achieve the same but the technical barriers seem low and solvable.

thanks for sharing your experiences. but so far i think i'm going to have to force the use of a proxy, which will be an intended recipient, for the reasons given above.

--
P Vixie
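As an added example (not code from either participant in the thread), here is the gateway-side lookup Lucas sketches: endpoints register the QUIC connection IDs they use together with an SSLKEYLOGFILE-style secret line, and the gateway extracts the Destination Connection ID from each packet and admits only flows it can see into. The fixed 8-byte short-header DCID length, the registry class and all sample data are assumptions for the demonstration.

```python
from typing import Optional, Tuple

# Assumed: the DCID length this gateway's endpoints agreed to use. QUIC short
# headers do not encode it, so an observer must know it out of band.
SHORT_HDR_DCID_LEN = 8
MAX_CID_LEN = 20  # RFC 9000 limit for version 1 connection IDs

class VisibilityRegistry:
    """DCID -> key-log entry, populated by cooperating endpoints (hypothetical API)."""
    def __init__(self):
        self.by_dcid = {}

    def register(self, keylog_line: str, dcids) -> None:
        # SSLKEYLOGFILE line format: "<label> <client_random_hex> <secret_hex>"
        label, client_random, secret = keylog_line.split()
        entry = {"label": label, "client_random": bytes.fromhex(client_random),
                 "secret": bytes.fromhex(secret)}
        for dcid in dcids:
            self.by_dcid[bytes(dcid)] = entry

def extract_dcid(packet: bytes) -> Optional[bytes]:
    """Return the Destination Connection ID of a QUIC v1 packet, or None if malformed."""
    if not packet:
        return None
    if packet[0] & 0x80:  # long header: flags | version(4) | dcid_len(1) | dcid | ...
        if len(packet) < 6 or packet[5] > MAX_CID_LEN:
            return None
        dcid = packet[6:6 + packet[5]]
        return dcid if len(dcid) == packet[5] else None
    dcid = packet[1:1 + SHORT_HDR_DCID_LEN]  # short header: flags | dcid | ...
    return dcid if len(dcid) == SHORT_HDR_DCID_LEN else None

def classify(registry: VisibilityRegistry, packet: bytes) -> Tuple[str, Optional[bytes]]:
    """Per-packet decision: 'allow' when the DCID was shared with us, else 'drop'."""
    dcid = extract_dcid(packet)
    if dcid is None or dcid not in registry.by_dcid:
        return ("drop", dcid)  # a real gateway would log or alert here as well
    return ("allow", dcid)

def long_header(dcid: bytes, scid: bytes = b"") -> bytes:
    """Build a minimal QUIC v1 Initial-style long header (constructed test input)."""
    return (bytes([0xC0]) + b"\x00\x00\x00\x01" + bytes([len(dcid)]) + dcid
            + bytes([len(scid)]) + scid)

# Constructed sample data: one registered connection with a dummy key-log line.
REG = VisibilityRegistry()
KNOWN_DCID = bytes.fromhex("0102030405060708")
REG.register("CLIENT_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "bb" * 32, [KNOWN_DCID])
```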
