Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border


From: stanislav shalunov <shalunov () INTERNET2 EDU>
Date: Mon, 16 May 2005 14:39:58 -0400

Michael Sinatra <michael () RANCID BERKELEY EDU> writes:

> In response to John's point, I think we'll see most near-term innovation
> directed toward getting around border blocks, via port-80 tunneling, ssh
> tunneling, IPv6, and end-to-end IPSEC.  Terry Gray points out that, in
> such a world, some sites may take the rather bizarre stance of banning
> end-to-end encryption, so they can inspect traffic.  Sigh.

Scary indeed, but probably too difficult.

Then the overlays will hide steganographically.  In the next round,
things conducive for steganography would need to be banned (any
bloated file format is excellent for hiding your encrypted data).
Then, they'd need to ban videoconferencing (same steganography
concerns).  Install Faraday cages around the campus.  Search the
residence halls for pre-Longhorn operating systems.  Deploy hawks to
intercept pigeons.

I don't believe users will need the pigeons.  I don't think the
cat-and-mouse game on the net goes very far.  It has, in essence, two
moves.  Initial position: cat sees mouse and knows what the mouse is
doing; mouse vaguely knows that a cat might exist, but doesn't care.
First move: cat tries to catch the mouse.  Second move: mouse goes
into hiding.  Final position: the cat has no idea where the mouse is
or what it's doing; mouse keeps the cat in mind and modifies its
behavior so as to avoid the cat.

This played out to a significant extent for port-based and other
simple application detection.  Users, until about 2001, were nice
enough to let us see what they were doing.  So, we installed packet
shapers, policy managers, managers of policy managers, and other misc
middleboxes.  Less than a year later, users had applications that
prevented us from even knowing what it was that they were up to (made
for a spectacular bulge in the unidentified portion of the backbone
traffic...).

The default-deny administrative pressure factor is more wasteful than
port snooping: it requires the overlays to become less efficient, keep
connections open, sometimes route around through places with better
connectivity, etc.  But ultimately, all that is doable.  It just means
overhead and complexity.  Things that will suffer most would be
high-performance applications...

--
Stanislav Shalunov              http://www.internet2.edu/~shalunov/

This message is designed to be viewed in boustrophedon.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.