The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like (namely sites that offer on-line gambling that compete against its own Loto Québec).

In order to make a good submission to government, one has to boil it down to simple enough arguments that clueless politicians can understand. And for me to do that, I want to make sure I understand this correctly.

I have tried to research DNSSEC and while I understand how a proper DNS server can validate the chain from the root server to the TLD server to the authoritative DNS server for that domain, I remain in the dark with regards to clients, namely clients who cannot trust the DNS server supplied as part of DHCP/IPCP/PPPoE responses.

Say a consumer wants to connect to lottery.com, which, from the world outside the ISP, would result in a signed, verifiable response. Can't the ISP's DNS server just pretend it is authoritative for lottery.com and return to the client a non-DNSSEC response that points to a fake IP address? If the client gets an unsigned response for lottery.com from its ISP's DNS server, how can it know it is a fake response? How can it know that lottery.com should have generated a signed DNSSEC response?

It seems to me that unless each client goes to the TLD servers (they already have root signatures), gets the signature of the TLD server and a signed response of where "lottery.com" can be found, they have no way to know whether lottery.com should be signed or not, and whether the answer they got from their ISP is good or not. Is that a proper understanding?

So far, I have seen good explanations of what happens between DNS servers and the servers that are authoritative for domain, TLD and root. But I have seen nothing about clients who only have a resolver that talks to a DNS server.

And while I am at it: when a client gets a legit response from the ISP's DNS server with RRSIG records, how does the client obtain the public key against which to run the record to ensure its calculated signature matches that provided in the RRSIG? Or do DNS servers return the full chain of records, so that a request for lottery.com returns not only the record for lottery.com but also .com's reply on where lottery.com is and root's reply of where .com is?

Hopefully, I am only missing a small bit that would explain everything that happens at the client side. But as long as I am told that the client only talks to the ISP's DNS server, I am at a loss. Any help appreciated. (I just watched an hour-long YouTube video on the subject which didn't deal with the client much.)
This will only create a new private (non-public) DNS service in China or Romania for Canadians to use. Imagine that someone in China starts a business to help people get around censorship in countries other than China. You nailed it - "clueless politicians".

Bob Evans
CTO
In message <56455885.8090409@vaxination.ca>, Jean-Francois Mezei writes:
The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like. (namely sites that offer on-line gambling that compete against its own Loto Québec).
In order to make a good submission to government, one has to boil it down to simple enough arguments that clueless politicians can understand. And for me to do that, I want to make sure I understand this correctly.
I have tried to research DNSSEC and while I understand how a proper DNS server can validate the chain from the - root server - TLD server - authoritative DNS server for that domain
I remain in the dark with regards to clients, namely clients who cannot trust the DNS server supplied as part of DHCP/IPCP/PPPoE responses.
Say a consumer wants to connect to lottery.com, which, from the world outside the ISP, would result in a signed, verifiable response.
Can't the ISP's DNS server just pretend it is authoritative for lottery.com and return to client a non-DNSSEC response that points to a fake IP address ?
No. If the client is validating the response it will fail validation.
If the client gets an unsigned response for lottery.com from its ISP's DNS server, how can it know it is a fake response, how can it know that lottery.com should have generated a signed DNSSEC response ?
Because it asks the ISP for DS lottery.com and that response tells the client if it should be getting a signed response or not and which DNSKEYs to trust.
It seems to me that unless each client goes to the TLD servers (they already have root signatures), gets the signature of the TLD server and a signed response of where "lottery.com" can be found, they have no way to know whether lottery.com should be signed or not, and whether the answer they got from their ISP is good or not.
Is that a proper understanding ?
DNSSEC was designed to allow a client to get answers from a recursive server it does not trust and verify that the answer has not been tampered with. There are not many clients that do this yet but that was the design goal and yes it was achieved.
So far, I have seen good explanations of what happens between DNS servers and the servers that are authoritative for domain, TLD and root. But I have seen nothing about clients who only have a resolver that talks to a DNS server.
They make the same queries and verify the answers the same way. For lottery.com they would ask for the DNSKEY records for lottery.com, the DS records for lottery.com, the DNSKEY records for com, the DS records for com and the DNSKEY records for the root. It doesn't matter if these come from a cache or directly from the authoritative servers. The crypto to verify the answers is the same.
And while I am at it: when a client gets a legit response from ISP's DNS server with RRSIG records, how does the client obtain the public key against which to run the record to ensure its calculated signature matches that provided in RRSIG ?
It asks for the DNSKEY records and RRSIGs. Verifies them against the DS records which it asks for. Repeat all the way to the root.
or do DNS servers return the full chain of records so that a request for lottery.com returns not only record for lottery.com but also .com,s reply on where lottery.com is and root's reply of where .com is ?
Hopefully, I am only missing a small bit that would explain everything that happens at the client side. But as long as I am told that the client only talks to the ISP's DNS server, I am at a loss.
Any help appreciated. (I just watched an hour long youtube on subject which didn't deal with client much).

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On 2015-11-12 23:07, Mark Andrews wrote:
They make the same queries and verify the answers the same way.
It asks for the DNSKEY records and RRSIGs. Verifies them against the DS records which it asks for. Repeat all the way to the root.
Is it correct to state that clients, instead of issuing a single request to the ISP's DNS server and letting it do the recursion, will request (if not cached already) records from the root, the TLD and the domain's authoritative server to get the DNSSEC records for each in order to be able to "walk" the path and verify each signature? So this would result in a significant increase in the number of transactions between clients and ISP DNS servers, correct?

If the above is correct, then it provides me with the missing link to my understanding.

BTW, the proposed law, being done by lawyers, will have the list of sites to be banned distributed to ISPs via REGISTERED MAIL. (There are two means to have "legal" documents served, registered mail and by bailiffs in Québec.) (There are to be financial penalties to ISPs who do not comply, so govt needs proof of delivery.)

I'll have to research how other countries tried to implement similar schemes. (I believe the UK has with some of the popular torrent sites. I know the Australian attempt to filter porn failed miserably.)
Hi,
BTW, the proposed law, being done by lawyers, will have the list of
you say law.... but this idea of blocking all competitors to the state's lotto sounds very unlawful and anti-competitive - yes, I can understand states or countries blocking ALL gambling, that's a simple 'we don't allow it here', but to say 'yes, you can access just ours' well, in EU I don't think that would ever fly.
I know the Australian attempt to filter porn failed miserably.
well, one could say people might be more determined to access porn than gambling sites so this gambling block might be more successful. either way, what you'll get are a host of DNS services based in other countries - some using VPN technology etc so blocking port 53 to other servers isn't going to work on that score either. it won't work.

alan
BTW, the proposed law, being done by lawyers, will have the list of
you say law.... but this idea of blocking all competitors to the states lotto sounds very unlawful and anti-competitive
This is Québec, where the rules are not the same as in the UK. The provincial lottery is the only legal gambling in the province, give or take the large amount of online gambling hosted on the Mohawk reservation that's partly in Québec and partly in New York.
either way, what you'll get are a host of DNS services based in other countries - some using VPN technology etc so blocking port 53 to other servers isnt going to work on that score either. it wont work.
Of course not. R's, John
On Fri, Nov 13, 2015 at 09:54:28AM +0000, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk> wrote a message of 20 lines which said:
well, in EU I dont think that would ever fly.
It is done in France, for a long time <https://en.wikipedia.org/wiki/ARJEL#Missions>.
On 13/11/15 23:01, Stephane Bortzmeyer wrote:
On Fri, Nov 13, 2015 at 09:54:28AM +0000, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk> wrote
well, in EU I dont think that would ever fly.
It is done in France, for a long time
And it is common practice in Belgium as well.

http://networkmsg.telenet.be/blocked/fccu/
http://networkmsg.telenet.be/blocked/ksc/

--
Marco
On 13/11/2015 22:10, Marco Davids wrote:
On 13/11/15 23:01, Stephane Bortzmeyer wrote:
On Fri, Nov 13, 2015 at 09:54:28AM +0000, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk> wrote
well, in EU I dont think that would ever fly.
It is done in France, for a long time
And it is common practice in Belgium as well.
http://networkmsg.telenet.be/blocked/fccu/ http://networkmsg.telenet.be/blocked/ksc/
A similar law was tacked to the bottom of a finance bill regulating gambling in Ireland a couple of months ago. The first anyone knew of it was when the government department responsible for gambling came knocking on the ISP association's door wanting to talk about implementation details. Nick
On Fri, Nov 13, 2015 at 09:54:28AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
BTW, the proposed law, being done by lawyers, will have the list of
you say law.... but this idea of blocking all competitors to the states lotto sounds very unlawful and anti-competitive - yes, I can understand states or countries blocking ALL gambling , thats a simple 'we dont allow it here' , but to say 'yes, you can access just ours' well, in EU I dont think that would ever fly.
Sweden's still part of the EU, isn't it? ("Systembolaget", if you need a search term). - Matt
On Fri Nov 13 04:27:36 2015, Jean-Francois Mezei wrote:
I'll have to research how other countries tried to implement similar schemes (I believe the UK has with some of the popular torrent sites.
I know the Australian attempt to filter porn failed miserably.
We also have some torrent sites blocked in France, for example:

alarig@HP-Z210:~$ dig +noall +comments +answer t411.me @193.252.19.3
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38309
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1460
;; ANSWER SECTION:
t411.me.		16418	IN	A	127.0.0.1

alarig@HP-Z210:~$ dig +noall +comments +answer t411.me
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41652
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
t411.me.		70	IN	A	104.18.37.180
t411.me.		70	IN	A	104.18.36.180

But, if you look at the flags, there’s no ad, so no DNSSEC (my resolver has DNSSEC enabled).

--
alarig
On Fri, Nov 13, 2015 at 04:27:36AM -0500, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote a message of 34 lines which said:
I'll have to research how other countries tried to implement similar schemes
https://www.afnic.fr/en/about-afnic/news/general-news/6584/show/the-afnic-sc...
On 2015-11-13 16:59, Stephane Bortzmeyer wrote:
On Fri, Nov 13, 2015 at 04:27:36AM -0500, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote a message of 34 lines which said:
I'll have to research how other countries tried to implement similar schemes
https://www.afnic.fr/en/about-afnic/news/general-news/6584/show/the-afnic-sc...
Thanks to Stephane and all the others. The afnic report will be especially useful because it is in French and thus better understood by Québec politicians.

And thanks to all those who filled in the gaps for DNSSEC for me. Unfortunately, an ISP can still pretend to be authoritative for the blocked domains and respond with a fake unsigned response. The end client that doesn't validate will be gullible and access the redirect site. Those who validate will get SERVFAIL or NXDOMAIN and the end result is that the blocked web site remains blocked.

With regards to VPNs: while they may not be very well known in the USA, they are outside the USA where many people need VPNs to access foreign content that is geoblocked in their home country. New Zealand is not alone, the practice is also common in Canada (as well as using pretend DNS servers in the USA). There are a number of commercial services that provide DNS "faking" that make your Canadian requests appear to come from a USA location, so Netflix assumes you are in a USA location when resolving whether content is available or not. (ex: https://www.unblock-us.com )

In the case of gambling, anyone with such an addiction will likely feel deprived after a couple of days being blocked and will call on their best friend Mr Google who will quickly provide ways to get around it, such as ignoring your own ISP's DNS server and using one outside of Québec. Or using a VPN.

This may have interesting implications for Google's 8.8.8.8 which, if I am not mistaken, peers at QIX, the Montréal exchange. Would they be bound by the law (they are not an ISP)? Google could simply withdraw from the QIX exchange at which point the Québec government would have 0 jurisdiction.

ISPs that serve both Ontario and Québec through Bell's DSL infrastructure will have fun. PPPoE connections arrive to a common connection point via L2TP tunnels, so the ISP would have to determine the person's province based on PPPoE login credentials and assign different DNS servers (blocked for QC, unblocked for ON).

Loto Québec is supposed to be testing for compliance, and I am not sure how they will do that short of having a subscription to every ISP that sells services in Québec. (Maybe they think they only have to test 3 ISPs (telcos and cablecos) and don't realise they have over 100 ISPs to test for compliance). And when an ISP in Val D'Or has its DNS set to recurse only for requests that come from its intranet, Loto Québec won't be able to test from its cushy Montréal offices with a simple "set server" command.

Ahh... the trouble clueless politicians can cause.
On 14 Nov 2015, at 13:36, Jean-Francois Mezei wrote:
With regards to VPNs: while they may not be very well known in the USA, they are outside the USA where many people need VPNs to access foreign content that is geoblocked in their home country.
I do not live in the United States; I live outside the United States, where many expats and others want to access content from their home countries that is 'geoblocked'.

The percentage of the Internet user population who use VPNs is tiny. It is growing a bit, but it isn't even a sizable minority.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
On Nov 14, 2015, at 00:21 , Roland Dobbins <rdobbins@arbor.net> wrote:
On 14 Nov 2015, at 13:36, Jean-Francois Mezei wrote:
With regards to VPNs: while they may not be very well known in the USA, they are outside the USA where many people need VPNs to access foreign content that is geoblocked in their home country.
I do not live in the United States; I live outside the United States, where many expats and others want to access content from their home countries that is 'geoblocked'.
The percentage of the Internet user population who use VPNs is tiny. It is growing a bit, but it isn't even a sizable minority.
Today.

Why on earth do you assume that this will not continue to expand and/or accelerate its rate of expansion as word spreads that it is possible?

There was a time when on-line download or streaming was dwarfed by DVD and Blu-Ray sales. There was a time when DVD/Blu-Ray/other digital formats didn’t represent even 1% of the market vs. VHS. This is a typical adoption rate issue. If people want a functionality that is not currently available to them, they will adopt and adapt technology to meet that desire over time.

The adapt part is already mostly done with VPNs as has been pointed out. There are now GeoBlock Bypass services readily available and easily installable. The next step will be growth in adoption. We’ve already seen this occur in NZ. Likely it will spread fairly quickly to other geographies subject to geoblocking. It is unlikely to spread rapidly in the US because the US suffers from very little geoblocking or censorship in general. Likely the first major market where it will see very rapid adoption will be someplace like China where it can be used to circumvent a wide variety of government network restrictions. However, if Quebec and/or NY manage to block gambling as they are currently attempting to do, it’s very likely that such services will also catch on quickly in those localities.

Owen
On 14 Nov 2015, at 16:27, Owen DeLong wrote:
Today.
Yes, today, and tomorrow, and next week, and next month, and next year, etc.
Why on earth do you assume that this will not continue to expand and/or accelerate its rate of expansion as word spreads that it is possible?
Because it isn't a simple default. If it ever becomes a simple default, we'll start to see greater adoption. And probably not in the form of 'tunneling-everything' VPNs, but 'application VPNs' which automagically utilize SSL/TLS.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
On Sat, Nov 14, 2015 at 01:36:06AM -0500, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote a message of 71 lines which said:
Loto Québec is supposed to be testing for compliance, and I am not sure how they will do that short of having a subscription to every ISP that sells services in Québec.
They will simply use RIPE Atlas probes, as we all do to test our networks from the outside. Here, Bulgaria, where the mandatory blocking of gambling Web sites is far from perfect (the right IP address is 5.226.176.16):

% python resolve-name.py --requested=500 --country=BG www.bet365.com
Measurement #2930308 for www.bet365.com/A uses 94 probes
[] : 1 occurrences
[193.24.240.122] : 1 occurrences
[84.54.148.18] : 1 occurrences
[212.73.128.166] : 1 occurrences
[212.39.93.34] : 3 occurrences
[ERROR: SERVFAIL] : 1 occurrences
[5.226.176.16] : 75 occurrences
[127.0.0.1] : 4 occurrences
Test done at 2015-11-14T17:14:20Z

A few lying DNS resolvers but not much.
(Maybe they think they only have to test 3 ISPs, (telcos and cablecos) and don't realise they have over 100 ISPs to test for compliance).
My experience with these sort of organisations is that they don't care about 100 % compliance. They're only interested in "good enough" (the three largest ISPs...)
So when will we see CPE routers with built-in secure resolver and VPN client? Log in to 192.168.1.1 and select your country of the day from a drop down.

Regards
Baldur
In article <CAPkb-7BSvdY9GTNND_heAjDKwvGhdVcmdpvAkoj0Uoz+=o1yGw@mail.gmail.com> you write:
So when will we see CPE routers with built-in secure resolver and VPN client? Log in to 192.168.1.1 and select your country of the day from a drop down.
VyprVPN has a plug in for Tomato. R's, John
In article <56455885.8090409@vaxination.ca> you write:
The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like. (namely sites that offer on-line gambling that compete against its own Loto Québec).
Blocking is pretty easy, just don't return the result, or fake an NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL instead, but they still won't get a result.

Redirecting is much harder -- as others have explained there is a chain of signatures from the root to the desired record, and if the chain isn't intact, it's SERVERFAIL again. Inserting a replacement record with a fake signature into the original chain is intended to be impossible. (If you figure out how, CSIS would really like to talk to you.) It is possible to configure an ISP's DNS caches to trust specific signatures for specific parts of the tree, but that is kludgy and fragile and is likely to break DNS for everyone.

And anyway, it's pointless. What they're saying is to take the gambling sites out of the phone book, but this is the Internet and there are a million other phone books available, outside of Quebec, such as Google's 8.8.8.8 located in the US, that people can configure their computers to use with a few mouse clicks. Or you can run your own cache on your home network like I do, just run NSD or BIND on a linux laptop.

They could insist that ISPs block the actual web traffic to the sites, by blocking IP ranges, but that is also a losing battle since it's trivial to circumvent with widely available free VPN software. If they want to outlaw VPNs, they're outlawing telework, since VPNs is how remote workers connect to their employers' systems, and the software is identical.

R's,
John
Hello,

On 11/13/2015 at 12:20 AM, John Levine wrote:
In article <56455885.8090409@vaxination.ca> you write:
The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like. (namely sites that offer on-line gambling that compete against its own Loto Québec).

Blocking is pretty easy, just don't return the result, or fake an NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL instead, but they still won't get a result.
Redirecting is much harder -- as others have explained there is a chain of signatures from the root to the desired record, and if the chain isn't intact, it's SERVERFAIL again. Inserting a replacement record with a fake signature into the original chain is intended to be impossible. (If you figure out how, CSIS would really like to talk to you.) It is possible to configure an ISP's DNS caches to trust specific signatures for specific parts of the tree, but that is kludgy and fragile and is likely to break DNS for everyone.
I'm not a DNSSEC expert but I wonder what would be the behavior if the ISP adds a specific trust anchor for the domain they wish to block?
And anyway, it's pointless. What they're saying is to take the gambling sites out of the phone book, but this is the Internet and there are a million other phone books available, outside of Quebec, such as Google's 8.8.8.8 located in the US, that people can configure their computers to use with a few mouse clicks. Or you can run your own cache on your home network like I do, just run NSD or BIND on a linux laptop.
They could insist that ISPs block the actual web traffic to the sites, by blocking IP ranges, but that is also a losing battle since it's trivial to circumvent with widely available free VPN software. If they want to outlaw VPNs, they're outlawing telework, since VPNs is how remote workers connect to their employers' systems, and the software is identical.
R's, John
Thanks, Alejandro,
On Nov 12, 2015, at 20:50 , John Levine <johnl@iecc.com> wrote:
In article <56455885.8090409@vaxination.ca> you write:
The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like. (namely sites that offer on-line gambling that compete against its own Loto Québec).
Blocking is pretty easy, just don't return the result, or fake an NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL instead, but they still won't get a result.
Redirecting is much harder -- as others have explained there is a chain of signatures from the root to the desired record, and if the chain isn't intact, it's SERVERFAIL again. Inserting a replacement record with a fake signature into the original chain is intended to be impossible. (If you figure out how, CSIS would really like to talk to you.) It is possible to configure an ISP's DNS caches to trust specific signatures for specific parts of the tree, but that is kludgy and fragile and is likely to break DNS for everyone.
If you know that the client is using ONLY your resolver(s), couldn’t you simply fake the entire chain and sign everything yourself? Or, alternatively, couldn’t you just fake the answers to all the “is this signed?” requests and say “Nope!” regardless of the state of the authoritative zone in question? Sure, if the client has any sort of independent visibility it can verify that you’re lying, but if it can only talk to your resolvers, doesn’t that pretty much mean it can’t tell that you’re lying to it?
And anyway, it's pointless. What they're saying is to take the gambling sites out of the phone book, but this is the Internet and there are a million other phone books available, outside of Quebec, such as Google's 8.8.8.8 located in the US, that people can configure their computers to use with a few mouse clicks. Or you can run your own cache on your home network like I do, just run NSD or BIND on a linux laptop.
I believe the traditional statement is “This type of regulation is considered damage and will be routed around.”
They could insist that ISPs block the actual web traffic to the sites, by blocking IP ranges, but that is also a losing battle since it's trivial to circumvent with widely available free VPN software. If they want to outlaw VPNs, they're outlawing telework, since VPNs is how remote workers connect to their employers' systems, and the software is identical.
It’s also fairly easy for the gambling sites to become somewhat IP Agile creating a game of Whack-a-mole for the regulators and the ISPs they are inflicting this pain on. Owen
Redirecting is much harder -- ...
If you know that the client is using ONLY your resolver(s), couldn’t you simply fake the entire chain and sign everything yourself?
I suppose, although doing that at scale in a large provider like Videotron (1.5M subscribers) would be quite a challenge.
Or, alternatively, couldn’t you just fake the answers to all the “is this signed?” requests and say “Nope!” regardless of the state of the authoritative zone in question?
No, those responses are signed too.
Sure, if the client has any sort of independent visibility it can verify that you’re lying, but if it can only talk to your resolvers, doesn’t that pretty much mean it can’t tell that you’re lying to it?
At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8. R's, John
On Nov 12, 2015, at 21:29 , John Levine <johnl@iecc.com> wrote:
Redirecting is much harder -- ...
If you know that the client is using ONLY your resolver(s), couldn’t you simply fake the entire chain and sign everything yourself?
I suppose, although doing that at scale in a large provider like Videotron (1.5M subscribers) would be quite a challenge.
Or, alternatively, couldn’t you just fake the answers to all the “is this signed?” requests and say “Nope!” regardless of the state of the authoritative zone in question?
No, those responses are signed too.
Only if you pass through the claim that the parent domain is signed. Again, if you’re the only resolver the clients are using, you can claim that nothing from the root down is signed without ever providing any cryptographic anything. Seems to me that wouldn’t be significantly harder than running a resolver at the same scale.
Sure, if the client has any sort of independent visibility it can verify that you’re lying, but if it can only talk to your resolvers, doesn’t that pretty much mean it can’t tell that you’re lying to it?
At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
If the ISPs don’t start blocking well known public resolvers or even just blocking port 53 in general (which has been known to happen). Owen
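Mark Andrews' description of the client-side walk (DNSKEY and DS at each level, every RRSIG checked with the key proven one level up) and the exchange just above about whether a resolver that is the client's only source can simply answer "not signed" are easier to see in code. The Go program below is an added example written for this page; it is not code from the thread, from ISC, or from any real resolver. It models each zone with a single Ed25519 key, uses a SHA-256 digest of the child's key as the DS, signs the string "owner type rdata" in place of a real RRSIG, and collapses NSEC denial of existence into a DS record with empty rdata that must carry the parent's signature. The names Zone, Record, Answers, HonestAnswers, Validate and Gullible, the domain lottery.com, and the addresses 203.0.113.10 and 198.51.100.1 (documentation ranges) are all constructed for the example. The validating client is configured with nothing but the root's public key; everything else it learns from the answers of a resolver it does not trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Zone is a signed zone in this toy model: one Ed25519 key (hypothetical simplification).
type Zone struct {
	Priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewZone() Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand, which does not fail
	return Zone{Priv: priv, Pub: pub}
}

// DS is what the parent publishes for a child zone: a digest of the child's DNSKEY.
func DS(child ed25519.PublicKey) string {
	sum := sha256.Sum256(child)
	return hex.EncodeToString(sum[:])
}

// Record is one answer from the (untrusted) resolver; Sig stands in for the RRSIG, nil = unsigned.
type Record struct {
	Owner, Type, Rdata string
	Sig                []byte
}

func (r Record) msg() []byte { return []byte(r.Owner + " " + r.Type + " " + r.Rdata) }

func (z Zone) Sign(r Record) Record {
	r.Sig = ed25519.Sign(z.Priv, r.msg())
	return r
}

// Answers is what the client collected, keyed "<owner> <type>". A DS with empty Rdata is
// the parent's "child is unsigned" statement; it counts only if the parent signed it.
type Answers map[string]Record

// HonestAnswers is what a truthful resolver returns (lottery.com, keys and IPs are constructed).
func HonestAnswers(root, com, lottery Zone, ip string) Answers {
	return Answers{
		". DNSKEY":            root.Sign(Record{Owner: ".", Type: "DNSKEY", Rdata: hex.EncodeToString(root.Pub)}),
		"com. DS":             root.Sign(Record{Owner: "com.", Type: "DS", Rdata: DS(com.Pub)}),
		"com. DNSKEY":         com.Sign(Record{Owner: "com.", Type: "DNSKEY", Rdata: hex.EncodeToString(com.Pub)}),
		"lottery.com. DS":     com.Sign(Record{Owner: "lottery.com.", Type: "DS", Rdata: DS(lottery.Pub)}),
		"lottery.com. DNSKEY": lottery.Sign(Record{Owner: "lottery.com.", Type: "DNSKEY", Rdata: hex.EncodeToString(lottery.Pub)}),
		"lottery.com. A":      lottery.Sign(Record{Owner: "lottery.com.", Type: "A", Rdata: ip}),
	}
}

// Validate is the client-side walk: from the configured root key it checks DNSKEY and DS at
// each level. Result: the A rdata if the chain is intact; "" and nil if a parent-signed "no DS"
// proves the zone unsigned (insecure); otherwise an error (a validating stub's SERVFAIL).
func Validate(anchor ed25519.PublicKey, a Answers) (string, error) {
	var parent ed25519.PublicKey
	for i, z := range []string{".", "com.", "lottery.com."} {
		dnskey := a[z+" DNSKEY"]
		pub, err := hex.DecodeString(dnskey.Rdata)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return "", fmt.Errorf("%s: DNSKEY missing or malformed", z)
		}
		key := ed25519.PublicKey(pub)
		if i == 0 && !key.Equal(anchor) { // the root key is compared to the anchor, never looked up
			return "", errors.New("root DNSKEY does not match trust anchor")
		}
		if i > 0 { // only the parent's signed DS says whether z is signed and with which key
			ds := a[z+" DS"]
			if !ed25519.Verify(parent, ds.msg(), ds.Sig) {
				return "", fmt.Errorf("%s: DS missing or not signed by parent", z)
			}
			if ds.Rdata == "" {
				return "", nil // provably unsigned: the client accepts plain answers
			}
			if ds.Rdata != DS(key) {
				return "", fmt.Errorf("%s: DNSKEY does not match parent's DS", z)
			}
		}
		if !ed25519.Verify(key, dnskey.msg(), dnskey.Sig) {
			return "", fmt.Errorf("%s: DNSKEY signature invalid", z)
		}
		parent = key
	}
	rec := a["lottery.com. A"]
	if !ed25519.Verify(parent, rec.msg(), rec.Sig) {
		return "", errors.New("lottery.com. A: missing or RRSIG invalid")
	}
	return rec.Rdata, nil
}

// Gullible is the non-validating stub most consumers run: it takes whatever A it gets.
func Gullible(a Answers) string { return a["lottery.com. A"].Rdata }

func main() {
	root, com, lottery := NewZone(), NewZone(), NewZone()
	fmt.Println(Validate(root.Pub, HonestAnswers(root, com, lottery, "203.0.113.10")))
}
```

With the honest chain Validate returns the real address. Replace the A record with an unsigned one, drop the DS for lottery.com, sign a "no DS" with a key the resolver made up, or claim com itself is unsigned, and Validate fails every time, because each of those statements would need a signature from the parent zone's key, which the resolver does not hold; only a "no DS" genuinely signed by com downgrades the client to insecure. Gullible, the stub most consumers run, takes the forged address without complaint, which is the point made above that stripping DNSSEC "works" against non-validating clients. Withholding the answer entirely also fails validation: the validator refuses the forgery but cannot produce the real address either, which is why blocking succeeds where redirecting does not.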
I doubt the ISPs in Québec would have much sympathy for this proposed law. It makes their life harder and provides them no benefit. Should it pass (remember, it's just proposed), I expect they'd just adjust their DNS caches to block responses for the list of domains that the government mails them and claim they're in full compliance. R's, John
Actually, how are other places implementing these lists? I would have thought to use RPZ, but as far as I know if the blocked DNS domain is using DNSSEC it wouldn't work. Sincerely, Eric Tykwinski TrueNet, Inc. P: 610-429-8300 F: 610-429-3222
eric-list@truenet.com <eric-list@truenet.com> wrote:
Actually, how are other places implementing these lists? I would have thought to use RPZ, but as far as I know if the blocked DNS domain is using DNSSEC it wouldn't work.
You can configure RPZ with the "break-dnssec" option which means validating clients will fail to resolve the blocked domains. DNSSEC only protects you from getting bad answers. If someone wants you to get no answers at all then DNSSEC cannot help. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Tyne, Dogger, Fisher: Southwest 6 to gale 8, occasionally severe gale 9 at first. Rough or very rough, becoming mainly moderate in Tyne. Rain or showers. Good, occasionally poor.
Owen DeLong <owen@delong.com> wrote:
Again, if you’re the only resolver the clients are using, you can claim that nothing from the root down is signed without ever providing any cryptographic anything.
If the client is validating it will know the root is signed and the ISP resolver will not be able to strip signature without breaking validation. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Thames, Dover, Wight, Portland: Southwest 6 to gale 8, decreasing 5 for a time, perhaps severe gale 9 later. Moderate or rough, occasionally very rough later. Rain at times. Moderate or good, occasionally poor.
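Tony's two replies above describe the same property from both ends: a validating client that already holds the root trust anchor cannot be told "nothing is signed", and a resolver that wants to block a signed name can only make the answer fail, not substitute one. As an added illustration (not code from the thread, nor from any DNS software), here is a toy Python model of the chain a validating stub walks from its built-in root key digest down to an A record, tried against an honest answer and against the two tricks discussed earlier in the thread: stripping the DNSSEC data, and re-signing the whole chain with the resolver's own keys. Textbook RSA with short keys plus SHA-256 stands in for the real DNSKEY algorithms, records are tuples rather than wire format, the KSK/ZSK split and the signed DNSKEY RRset are left out, and the zone names and 192.0.2.x addresses are constructed sample values.

```python
# Added illustration, not code from the thread: a toy model of the chain a
# validating stub checks, starting from the root trust anchor it ships with.
# Textbook RSA with short keys plus SHA-256 stands in for real DNSKEY
# algorithms, records are tuples rather than wire format, and the KSK/ZSK
# split is omitted. Zone names and 192.0.2.x addresses are constructed.
import hashlib
import random

def _is_prime(n, rounds=16):  # Miller-Rabin for odd n > 3; only makes toy keys
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=256):  # toy RSA: returns public (n, e), private (n, d)
    def prime():
        while True:
            c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_prime(c):
                return c
    while True:
        p, q, e = prime(), prime(), 65537
        if p != q and ((p - 1) * (q - 1)) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    return pow(_h(data), private[1], private[0])

def verify(public, data, sig):
    return pow(sig, public[1], public[0]) == _h(data)

def rr(*fields):  # canonical bytes an RRSIG covers, e.g. rr("com", "DS", digest)
    return "|".join(map(str, fields)).encode()

def key_digest(public):  # DS payload: hash of the child's DNSKEY, published by the parent
    return hashlib.sha256(rr(*public)).hexdigest()

class Zone:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.a = name, parent, {}
        self.public, self.private = keygen()

def full_answer(zones, qname):  # A record plus every signed DS/DNSKEY link up to the root
    chain = []
    for z in zones:
        link = {"name": z.name, "dnskey": z.public}
        if z.parent is not None:  # the parent signs the DS that names this zone's key
            link["ds"] = key_digest(z.public)
            link["ds_sig"] = sign(z.parent.private, rr(z.name, "DS", link["ds"]))
        chain.append(link)
    ip = zones[-1].a[qname]
    return {"chain": chain, "name": qname, "a": ip, "a_sig": sign(zones[-1].private, rr(qname, "A", ip))}

def validate(answer, trust_anchor):
    """Validating stub: the address if every link checks out, else None (unsigned fails outright)."""
    if not answer.get("chain"):
        return None  # the stub already knows the root is signed, so "nothing is signed" is a lie
    expected_ds, parent_key = trust_anchor, None
    for link in answer["chain"]:
        if parent_key is not None:  # the DS must carry the parent's signature...
            if not verify(parent_key, rr(link["name"], "DS", link.get("ds")), link.get("ds_sig", 0)):
                return None
            expected_ds = link["ds"]
        if key_digest(link["dnskey"]) != expected_ds:  # ...and the anchor or DS must vouch for this key
            return None
        parent_key = link["dnskey"]
    if not verify(parent_key, rr(answer["name"], "A", answer["a"]), answer.get("a_sig", 0)):
        return None
    return answer["a"]

def build_zones(ip):  # root -> com -> lottery.com, each with its own fresh key pair
    root = Zone(".")
    com = Zone("com", root)
    leaf = Zone("lottery.com", com)
    leaf.a["lottery.com"] = ip
    return root, com, leaf

def demo():
    random.seed(2015)  # reproducible toy keys
    zones = build_zones("192.0.2.10")  # constructed genuine address
    anchor = key_digest(zones[0].public)  # configured in the client, like the real root KSK digest
    stripped = {"chain": [], "name": "lottery.com", "a": "192.0.2.99"}  # scenario 1: DNSSEC stripped
    forged = full_answer(build_zones("192.0.2.99"), "lottery.com")  # scenario 2: chain re-signed by resolver
    return {"honest": validate(full_answer(zones, "lottery.com"), anchor),
            "stripped": validate(stripped, anchor),
            "forged": validate(forged, anchor),
            "stripped_unvalidated": stripped["a"]}  # what a non-validating stub accepts
```

Calling `demo()` validates the honest answer to the genuine address, while the stripped and forged answers both come back as None, the toy's equivalent of the SERVFAIL a validating resolver returns. That is also the outcome an RPZ block with break-dnssec produces for a validating client: no usable answer rather than a wrong one, which is all DNSSEC promises. The last entry shows what a non-validating stub, the common case when this thread was written, accepts without complaint.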
On Thu, 13 Nov 2015, John Levine wrote:
At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
Except that the ISP can intercept those queries and respond as it likes. Such is already done at all scales. Not that a government generally cares what kind of burden is required once the law is passed, cf CALEA. True, some users would be able to detect such tampering and many of those could work around it. But most will have no way to do either. Would the masses ever replace their stub with a full resolver? Doubtful, unless their OS vendor does it for them. Would that be the right thing to do for a few billion users of Windows and another couple billion using Android most of whose ISPs are providing unfaked answers? Would the various authoritative operators be happy / agree? How does one fit local zones into the picture? Would the masses setup a VPN to a service provider in a jurisdiction not subject to such foolishness so their resolver, whether stub or full, would have a chance at unfaked answers? Again, I'm thinking most would be entirely ignorant of the issue, and in any case would be hard pressed to set anything up unless it was trivial, e.g., not just part of their OS but also Wizard-like with most answers pre-supplied. /mark
Would the masses setup a VPN to a service provider in a jurisdiction not subject to such foolishness so their resolver, whether stub or full, would have a chance at unfaked answers? Again, I'm thinking most would be entirely ignorant of the issue, and in any case would be hard pressed to set anything up unless it was trivial, e.g., not just part of their OS but also Wizard-like with most answers pre-supplied.
I was at a most interesting session in New Zealand a few months ago, about video streaming in NZ. People want to watch Netflix and Hulu, and are willing to pay for it, but NZ is such a small market that the big providers can't be bothered to license the content for NZ, and by the time local providers make arrangements it's a month later. So everyone buys a Netflix subscription and uses VPNs to pretend to be in the US. Take a look at Vyprvpn, which is pretty much point and install, or even Tunnelblick which is about four clicks to set up with VPN info from any provider. Civilians definitely use these. R's, John
Civilians definitely use these.
A very tiny percentage. The power of the default reigns supreme.
People in New Zealand said differently. It's a small country, but I was impressed how everyone in the session (it was NetHui, not a bunch of geeks) took for granted that you'd use a VPN to get your video fix. Online gamblers can be a very dedicated group. See, for example, these blog posts and online ads about VPNs that circumvent blocks to get to online poker sites: http://securethoughts.com/3-best-vpns-online-poker/ https://www.reddit.com/r/poker/comments/1xu89o/using_a_vpn_to_play_real_mone... http://www.onlinebettingsites.com/vpns-for-online-betting/ https://www.vpnaccounts.com/blog/internet-gambling-using-vpn/ http://calvinayre.com/2014/08/18/poker/using-a-vpn-to-play-online-poker-coul... https://www.cardschat.com/f10/new-york-players-a-vpn-220913/ http://www.billrini.com/2011/04/23/thinking-vpning-poker/ https://www.le-vpn.com/vpn-for-online-poker-and-gambling/ https://vpnuk.net/gambling.html R's, John
On Nov 13, 2015, at 19:09 , Roland Dobbins <rdobbins@arbor.net> wrote:
On 14 Nov 2015, at 10:02, John Levine wrote:
People in New Zealand said differently.
This is a corner-case, however.
Is it really a corner-case, or, is it the first representation of a group of ordinary netizens sufficiently frustrated by policy that they found a workaround? If it’s a corner-case, it’s unlikely to get replicated by a similar level of frustration among a different group of netizens. OTOH, if, as I suspect, it’s merely the first (or first known to us) example of such behavior, then it may be more of a predictive result than a corner case. Every trend starts somewhere. Today, gamblers in Quebec don’t need to work around government stupidity, they can just go gamble. If the government truly manages to implement the proposed stupidity, that might serve as enough motivation to duplicate the “New Zealand Netflix Effect” in Quebec. Surely time will tell, but I would not be so quick to dismiss this as a potential workaround after watching how quickly TOR was adopted to move video around during the Arab Spring. Owen
On 14 Nov 2015, at 10:22, Owen DeLong wrote:
Surely time will tell, but I would not be so quick to dismiss this as a potential workaround after watching how quickly TOR was adopted to move video around during the Arab Spring.
By a tiny minority of people. Selection bias. Most people do not know what a 'VPN' is, or how to install one and get it working. The number of people who do may increase somewhat over time due to various restrictions they seek to overcome, but it will never become anything close to the norm unless it is a default. Go out onto the street and ask a selection of random passers-by if they know what a VPN is, if they know how to install one, if they've installed one. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
On Nov 13, 2015, at 19:27 , Roland Dobbins <rdobbins@arbor.net> wrote:
On 14 Nov 2015, at 10:22, Owen DeLong wrote:
Surely time will tell, but I would not be so quick to dismiss this as a potential workaround after watching how quickly TOR was adopted to move video around during the Arab Spring.
By a tiny minority of people.
Selection bias.
Most people do not know what a 'VPN' is, or how to install one and get it working. The number of people who do may increase somewhat over time due to various restrictions they seek to overcome, but it will never become anything close to the norm unless it is a default.
20 years ago, most people didn’t know what a URL or a Domain name was. 18 years ago, they were on every billboard. People learn stuff as they need to. Today, the vast majority of people don’t need to know what a VPN is. New Zealand has become a notable exception to this situation as a result of their desire to watch US Netflix programming. I see no reason to believe it would be
Go out onto the street and ask a selection of random passers-by if they know what a VPN is, if they know how to install one, if they've installed one.
Not a valid test… Go out onto the street and ask a random number of people over 30 if they know what a URL is and how to enter one into a browser. Now, ask if they learned that more or less than 20 years ago. In 1930, nobody knew what a television was, let alone a television remote control. Today, the average 6 year old can operate a DirectTV satellite system with a relatively high degree of facility. What the average person knows changes over time. Assuming that it does not strikes me as either (1) ignoring history or (2) underestimating the general public even more than I do, which is saying something. Owen
On 14 Nov 2015, at 11:32, Owen DeLong wrote:
Go out onto the street and ask a random number of people over 30 if they know what a URL is and how to enter one into a browser.
They don't know what URIs are, nor do they enter them into browsers. They type words into a search engine and then click on the resulting links. [I was shocked when I realized this is how non-specialists access Web sites, about 15 years or so ago.]
Today, the average 6 year old can operate a DirectTV satellite system with a relatively high degree of facility.
And has no idea how it actually works, and can't do anything with it beyond the obvious.
What the average person knows changes over time.
Yes, but not in the way you're thinking. If anything, specialized technical knowledge tends to decrease over time, as technology goes from being used by a relatively few self-selected enthusiasts to becoming more mainstream and accessible to the masses. Auto mechanics is one example from the physical world. Cooking is another. Handwriting is yet another.
Assuming that it does not strikes me as either (1) ignoring history
See above.
or (2) underestimating the general public even more than I do, which is saying something.
Among the population of Internet users, the knowledge of how the Internet actually works has decreased tremendously in the last 20 years, as that population has expanded to include non-specialists - e.g., the majority. Most computer users have no idea how computers actually work. They certainly don't know what a VPN is, or how (or why) to set one up. This state of affairs will continue until VPN technology becomes subsumed into applications and is enabled as a default, if it ever does. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
On Fri, Nov 13, 2015 at 8:28 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
On 14 Nov 2015, at 11:32, Owen DeLong wrote:
Go out onto the street and ask a random number of people over 30 if they know what a URL is and how to enter one into a browser.
They don't know what URIs are, nor do they enter them into browsers. They type words into a search engine and then click on the resulting links.
They don't know what a VPN is ... but when they can't watch the Olympics on the Internet from their own country, a buddy tells them about an "app" that "makes you look like you're coming from a different country." Now they can watch the Olympics. I saw this "one weird trick" spread like wildfire through my non-technical acquaintances. They don't have to know what a VPN is in order to use it -- and to pass it on to their friends. Royce
On Nov 13, 2015, at 21:28 , Roland Dobbins <rdobbins@arbor.net> wrote:
On 14 Nov 2015, at 11:32, Owen DeLong wrote:
Go out onto the street and ask a random number of people over 30 if they know what a URL is and how to enter one into a browser.
They don't know what URIs are, nor do they enter them into browsers. They type words into a search engine and then click on the resulting links.
If that were true, billboards wouldn’t look like this: http://worthwhileadvertising.com/wp-content/uploads/2010/11/Sandstone-billbo... <http://worthwhileadvertising.com/wp-content/uploads/2010/11/Sandstone-billboard.jpg> (Note randomly chosen billboard image from google image search, not at all tech related and not in silicon valley.)
[I was shocked when I realized this is how non-specialists access Web sites, about 15 years or so ago.]
I’m not surprised… It’s how I access about 30% of the websites I visit. Another 50% or so come from bookmarks/browser history completion. The remaining 20% are URLs I type.
Today, the average 6 year old can operate a DirectTV satellite system with a relatively high degree of facility.
And has no idea how it actually works, and can't do anything with it beyond the obvious.
Sure, but that’s also true of lots of VPNs that people use every day too. The marketing people at Akamai use VPNs routinely. IT has it boiled down to Clicking an ICON in the menu bar and selecting “Akamai->Connect”. Lots of VPN services out there like the ones mentioned earlier in the thread have made it nearly as simple to install and operate a VPN.
What the average person knows changes over time.
Yes, but not in the way you're thinking. If anything, specialized technical knowledge tends to decrease over time, as technology goes from being used by a relatively few self-selected enthusiasts to becoming more mainstream and accessible to the masses.
Auto mechanics is one example from the physical world. Cooking is another. Handwriting is yet another.
Sure, but it used to be that setting up an internet connection on the average computer was a complex technical process that only a few could handle. Today, we take having an internet connection on a system for granted. Why couldn’t things get to a point where we take using VPNs for granted? It’s just a combination of software development and user acceptance. I’m not saying everyone is going to learn how to configure an IPSEC SA set with tunnels on a Juniper. I’m saying that people will learn to use point-click-VPN software which already exists for the most part.
Assuming that it does not strikes me as either (1) ignoring history
See above.
Most people know how to operate a microwave while few are gourmet chefs. I would argue that VPN technology is evolving (has evolved) to a point where it can be more like a microwave.
or (2) underestimating the general public even more than I do, which is saying something.
Among the population of Internet users, the knowledge of how the Internet actually works has decreased tremendously in the last 20 years, as that population has expanded to include non-specialists - e.g., the majority.
Sure… Not particularly relevant to the discussion at hand, however.
Most computer users have no idea how computers actually work. They certainly don't know what a VPN is, or how (or why) to set one up. This state of affairs will continue until VPN technology becomes subsumed into applications and is enabled as a default, if it ever does.
Or until users discover that they can achieve something they want by installing a VPN application and using that, such as happened in New Zealand. Will they understand how said VPN application works or why it makes what they want possible? No. Nor will they care. But they will care that it solves the problem of reaching their gambling sites despite the government interference or that they can use it to get to the Netflix version they want rather than no service in their locality or… Many ways to skin a cat. Owen
On 14 Nov 2015, at 16:05, Owen DeLong wrote:
Lots of VPN services out there like the ones mentioned earlier in the thread have made it nearly as simple to install and operate a VPN.
Until the setup and functionality are automagic, we're not going to see broad use of VPNs by non-specialists. VPN functionality is built into pretty much every mainstream (and many non-mainstream) OS out there, including mobile devices. But it isn't something that's simple; users have to at a minimum install and accept a VPN profile, which means they have to go looking for a service in the first place. I'm wondering if perhaps major OS vendors/developers may start offering/OEMing VPN services, or at least distributing profiles in the same way as browser vendors/developers distribute CA certs? ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
On Nov 14, 2015, at 03:11 , Roland Dobbins <rdobbins@arbor.net> wrote:
On 14 Nov 2015, at 16:05, Owen DeLong wrote:
Lots of VPN services out there like the ones mentioned earlier in the thread have made it nearly as simple to install and operate a VPN.
Until the setup and functionality are automagic, we're not going to see broad use of VPNs by non-specialists.
The point you seem to be missing is that your “until…” is already met. I know of at least one ISP that is providing CPE with VPN pre-configured and built in. I know of several other software/service solutions that are literally download-launch-subscribe. (download client software, launch installer, supply payment information for subscription).
VPN functionality is built into pretty much every mainstream (and many non-mainstream) OS out there, including mobile devices. But it isn't something that's simple; users have to at a minimum install and accept a VPN profile, which means they have to go looking for a service in the first place.
You’re not looking at the right VPN software. The built-in stuff is crap that is years behind the current state of the art.
I'm wondering if perhaps major OS vendors/developers may start offering/OEMing VPN services, or at least distributing profiles in the same way as browser vendors/developers distribute CA certs?
More likely this is going to be iterations of what is already being more widely accepted. Downloadable pre-configured client software that works with a particular VPN service. Point-click-subscribe model seems to receive fairly wide adoption among people sufficiently interested in bypassing {insert network damage here} to pay a monthly fee for a service that will do it. I think the going rate is something like $5/month for US VPNs last time I looked. Owen
On 14 Nov 2015, at 19:07, Owen DeLong wrote:
The point you seem to be missing is that your “until…” is already met.
Not AFAICT. It isn't a default in the OS and on the window manager/home screen.
I know of at least one ISP that is providing CPE with VPN pre-configured and built in.
That makes one.
I know of several other software/service solutions that are literally download-launch-subscribe. (download client software, launch installer, supply payment information for subscription).
The 'download' part is the main barrier to entry.
You’re not looking at the right VPN software.
I look at VPN software all the time, from many providers.
The built-in stuff is crap that is years behind the current state of the art.
My point is that it's in the OS.
More likely this is going to be iterations of what is already being more widely accepted. Downloadable pre-configured client software that works with a particular VPN service.
Again, downloading is a barrier to entry. Don't you remember the browser wars and the Microsoft anti-trust case?
Point-click-subscribe model seems to receive fairly wide adoption among people sufficiently interested in bypassing {insert network damage here} to pay a monthly fee for a service that will do it.
'Sufficiently interested' is a limiting factor. 'Sufficiently interested' to learn that such a thing is possible, and to figure out how to go about doing it. Of course, the other concern is that governments which don't already interfere with VPNs will outlaw VPNs in the name of 'national security'. Answering my own question, the OS/device vendors won't get into the VPN business due to this issue. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
On Sat, Nov 14, 2015 at 3:34 AM, Roland Dobbins <rdobbins@arbor.net> wrote:
More likely this is going to be iterations of what is already being more widely accepted. Downloadable pre-configured client software that works with a particular VPN service.
Again, downloading is a barrier to entry. Don't you remember the browser wars and the Microsoft anti-trust case?
That was before the rise of the app. Downloading is now much more common than during the age of the browser wars. As of October 2014, 64% of American adults owned a smartphone [1]. Phones don't usually come with Candy Crush, but somehow, 93 *million* people played it daily at one point. They may not understand that when they installed the app, they were "downloading" it. But the end result is the same. Downloading is now a way of life -- and there are easily downloaded VPN apps. You don't have to know what a VPN is in order to use one. Anecdote != data, but during the 2014 Olympics, Googling for "how to watch the Olympics on the Internet" led many people I know to install one, without asking me for advice like they usually do. :) It sounds like we're arguing about the definition of the word "most". Your thesis appears to be that most people won't use a VPN -- and you're probably right. But what everyone else is saying is that the value of "most" is likely to shrink rapidly. And it may only take a secondary use case to reach critical mass. People I know who use WhatsApp seem to have started using it to avoid per-text charges, not to get end-to-end encrypted messaging. But now, even if Facebook's estimate [2] of 450 million WhatsApp users is 90% inflated, there are 45 million people using encrypted texting, which I would not have predicted. Most of those users probably don't know what "encryption" is. But they're using it. Royce 1. http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/ 2. http://www.forbes.com/sites/georgeanders/2014/02/19/facebook-justifies-19-bi...
On 14 Nov 2015, at 23:39, Royce Williams wrote:
Downloading is now much more common than during the age of the browser wars.
Sure, I understand that.
As of October 2014, 64% of American adults owned a smartphone [1]. Phones don't usually come with Candy Crush, but somehow, 93 *million* people played it daily at one point. They may not understand that when they installed the app, they were "downloading" it. But the end result is the same.
Yes, because that leads to them doing something they want to be able to do, that is very tangible. The same motivations spur VPN use (e.g., watching Netflix out-of-region, your example of the Olympics, and so forth). To put that 93 million in context, the most recent estimates I can find of Internet users put their number at about 3.2 billion: <http://time.com/money/3896219/internet-users-worldwide/>
It sounds like we're arguing about the definition of the word "most". Your thesis appears to be that most people won't use a VPN -- and you're probably right.
Yes, we're in agreement.
But what everyone else is saying is that the value of "most" is likely to shrink rapidly.
I don't know about that. It seems to me that most people who're inclined to use a VPN are already using one. Unless one believes that a relatively high percentage of people who don't yet have Internet access will become VPN users once they gain Internet access.
But now, even if Facebook's estimate [2] of 450 million WhatsApp users is 90% inflated, there are 45 million people using encrypted texting, which I would not have predicted.
Sure, and Apple iMessage is somewhat similar in that regard, though it's more susceptible to MITM. Again, as compared to 3.2 billion.
Most of those users probably don't know what "encryption" is. But they're using it.
Sure, via http/s. But VPNs used in the sense of this discussion tend to imply topological masking, as well. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
And it may only take a secondary use case to reach critical mass. People I know who use WhatsApp seem to have started using it to avoid per-text charges, not to get end-to-end encrypted messaging. But now, even if Facebook's estimate [2] of 450 million WhatsApp users is 90% inflated, there are 45 million people using encrypted texting, which I would not have predicted.
I think the number is much higher than that due to Messsages+iCloud usage by iPhone and other Apple products also constituting end-to-end encrypted text. Yep… Just a few years ago, nobody cared about end-to-end encrypted text, today, still most people don’t know or care what it is, but I bet there are enough people using it without even realizing to constitute “most” or something very close to it. (Between Skype, WhatsApp, Messages/iMessage, and others). Owen
On Nov 14, 2015, at 04:34 , Roland Dobbins <rdobbins@arbor.net> wrote:
On 14 Nov 2015, at 19:07, Owen DeLong wrote:
The point you seem to be missing is that your “until…” is already met.
Not AFAICT. It isn't a default in the OS and on the window manager/home screen.
I know of at least one ISP that is providing CPE with VPN pre-configured and built in.
That makes one.
I know of several other software/service solutions that are literally download-launch-subscribe. (download client software, launch installer, supply payment information for subscription).
The 'download' part is the main barrier to entry.
Trust me, this is not a significant barrier to entry. If it were, Chrome would be virtually unused except on Droid.
You’re not looking at the right VPN software.
I look at VPN software all the time, from many providers.
The built-in stuff is crap that is years behind the current state of the art.
My point is that it's in the OS.
Who cares? That’s like saying that Nobody uses a different preference of web browser, they almost all stick to the one that comes with the OS. If that were true, Firefox would only run on Linux and Chrome would only run on Chromebooks and Droids.
More likely this is going to be iterations of what is already being more widely accepted. Downloadable pre-configured client software that works with a particular VPN service.
Again, downloading is a barrier to entry. Don't you remember the browser wars and the Microsoft anti-trust case?
I do. I also note that the issue there wasn’t merely that IE shipped with the OS, but the fact that you could _NOT_ extricate it from the OS and beyond just downloading another browser, it took significant knowledge to make that other browser the preferred browser on the system with any meaningful persistence.
Point-click-subscribe model seems to receive fairly wide adoption among people sufficiently interested in bypassing {insert network damage here} to pay a monthly fee for a service that will do it.
'Sufficiently interested' is a limiting factor. 'Sufficiently interested' to learn that such a thing is possible, and to figure out how to go about doing it.
Among a given community it seems to only take a couple of individuals who figure it out once and if it is sufficiently easy to “show a friend” such that that friend finds it sufficiently easy to teach others, adoption spreads quite rapidly through said community.
Of course, the other concern is that governments which don't already interfere with VPNs will outlaw VPNs in the name of 'national security'. Answering my own question, the OS/device vendors won't get into the VPN business due to this issue.
Sure, which is why FLOSS or off-shore subscription services will be the likely successful models here and so far, they are succeeding though not to the extent you might consider main stream as yet. Owen
Until the setup and functionality are automagic, we're not going to see broad use of VPNs by non-specialists.
I'm getting the impression you haven't yet gotten around to looking at VPN applications intended for non-specialists. Here's a good one to start with: https://www.goldenfrog.com/vyprvpn They have point'n'click apps for all the usual platforms. The free level of service provides 500MB/mo, plenty for gambling. If you haven't heard of Golden Frog, it is better known as Giganews. R's, John
On 15 Nov 2015, at 2:25, John Levine wrote:
They have point'n'click apps for all the usual platforms.
They are not defaults. I think that many people on this list don't understand that the vast majority of users around the world do not know what a VPN is, do not know why they might need one, and aren't especially adept at installing applications, even from 'apps stores'. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
On 11/14/2015 16:48, Roland Dobbins wrote:
On 15 Nov 2015, at 2:25, John Levine wrote:
They have point'n'click apps for all the usual platforms.
They are not defaults.
I think that many people on this list don't understand that the vast majority of users around the world do not know what a VPN is, do not know why they might need one, and aren't especially adept at installing applications, even from 'apps stores'.
It would be interesting to see a credible, referred study of this. _I_ think the IT world continues to minimize and denigrate the abilities and interests of its customers at its own, great peril. -- sed quis custodiet ipsos custodes? (Juvenal)
On 11/14/2015 16:56, Larry Sheldon wrote:
On 11/14/2015 16:48, Roland Dobbins wrote:
On 15 Nov 2015, at 2:25, John Levine wrote:
They have point'n'click apps for all the usual platforms.
They are not defaults.
I think that many people on this list don't understand that the vast majority of users around the world do not know what a VPN is, do not know why they might need one, and aren't especially adept at installing applications, even from 'apps stores'.
It would be interesting to see a credible, referred study of this.
_I_ think the IT world continues to minimize and denigrate the abilities and interests of its customers at its own, great peril.
Even if the mythical "where is the 'any' key" calls happen at a rate, globally, of one a minute, there are still tens of thousands of customers unheard-from who are devising ways to get their work done in spite of your best attempts to prevent it. -- sed quis custodiet ipsos custodes? (Juvenal)
On 15 Nov 2015, at 6:01, Larry Sheldon wrote:
in spite of your best attempts to prevent it.
My 'best attempts to prevent it'? You're obviously addressing someone else. I'm not trying to prevent anyone accessing anything. On the contrary, I'm very much in favor of making applications and data and services available to people, and keeping them that way. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
In article <339DE9D9-F459-48E3-8D27-94EB76C9044C@arbor.net> you write:
On 15 Nov 2015, at 2:25, John Levine wrote:
They have point'n'click apps for all the usual platforms.
They are not defaults.
The question at hand is whether gamblers faced with government blocking would use VPNs to circumvent it. Given that we have ample evidence that gamblers elsewhere do exactly that, it's hard to imagine why anyone would care that it's not the default. R's, John
On Sun, 15 Nov 2015, Roland Dobbins wrote:
On 15 Nov 2015, at 2:25, John Levine wrote:
They have point'n'click apps for all the usual platforms.
They are not defaults.
I think that many people on this list don't understand that the vast majority of users around the world do not know what a VPN is, do not know why they might need one, and aren't especially adept at installing applications, even from 'apps stores'.
Will everyone use VPN? For sure not. But everyone that really wants to access something that he "should not" by local definition. Like the kids in the neighbourhood - the first parents get an invoice ("Abmahnung" in German) for an illegal download of something done by the kid, and watch how fast it goes around all of them that you can avoid such costs (and more important the trouble with the parents) by just installing this "app". Technical details do not matter, a big enough incentive to do something about it matters. c'ya sven-haegar -- Three may keep a secret, if two of them are dead. - Ben F.
"Roland Dobbins" writes:
On 14 Nov 2015, at 10:22, Owen DeLong wrote:
By a tiny minority of people.
Selection bias.
Most people do not know what a 'VPN' is, or how to install one and get it working.
Most people don't need to know. They just buy a cheap (EUR 50 or so seems to be the starting price) application (Raspberry Pi or similar stuff based) which gives them what they want. There is now a push to forbid the sales of these thingies. jaap
On Sat, 14 Nov 2015 08:32:51 +0100, Jaap Akkerhuis said:
Most people don't need to know. They just buy a cheap (EUR 50 or so seems to be the starting price) application (Raspberry Pi or similar stuff based) which gives them what they want.
There is now a push to forbid the sales of these thingies.
Which won't work as long as a vendor in another country is willing to accept your credit card. But actual reality rarely matters to those who feel They Must Be Seen Doing Something About It.
On Tue, Nov 17, 2015 at 7:21 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
On 14 Nov 2015, at 14:32, Jaap Akkerhuis wrote:
There is now a push to forbid the sales of these thingies.
A push to forbid the sale of Raspberry Pis, of VPNs, or of both?
Where?
elbonia.
Thanks!
----------------------------------- Roland Dobbins <rdobbins@arbor.net>
"Roland Dobbins" writes:
On 14 Nov 2015, at 14:32, Jaap Akkerhuis wrote:
There is now a push to forbid the sales of these thingies.
A push to forbid the sale of Raspberry Pis, of VPNs, or of both?
No, a push on devices which allow access to "illegal" material. The devices might have Raspberry Pis or similar stuff under the hood which were very likely implementing VPNs.
Where?
Last time I saw this was in the Dutch media; the complaints came from the Dutch versions of the copyright lobby. jaap
* rdobbins@arbor.net (Roland Dobbins) [Sat 14 Nov 2015, 04:13 CET]:
On 14 Nov 2015, at 10:02, John Levine wrote:
People in New Zealand said differently.
This is a corner-case, however.
We can continue citing corner cases, like the % of people in Turkey who use Google DNS since their government started censoring web services like Twitter. When will there be enough 'corner cases' to convince you it's business as usual? -- Niels.
On 15 Nov 2015, at 2:08, Niels Bakker wrote:
When will there be enough 'corner cases' to convince you it's business as usual?
The majority of people who use the Internet in Turkey do not in fact use Google DNS. It is an informed and motivated minority. The most recent statistics I can find on estimation of global VPN use put the number at ~25% of Internet users. That number seems high to me, and I've no confidence that the study in question was in fact conducted in a rigorous and scientific manner, so I won't link to it here. But let's assume for the sake of discussion that it's reasonably accurate. Do you believe that percentage is going to significantly increase over time? ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
On Fri, Nov 13, 2015 at 10:24:27AM -0800, Mark Milhollan <mlm@pixelgate.net> wrote a message of 30 lines which said:
Would the masses ever replace their stub with a full resolver? Doubtful, unless their OS vendor does it for them.
Fedora already does it, apparently, with the excellent dnssec-trigger.
Would the various authoritative operators be happy / agree?
Wearing my TLD operator hat: yes, we agree and we're ready for that.
On Nov 13, 2015, at 10:24 AM, Mark Milhollan <mlm@pixelgate.net> wrote:
On Thu, 13 Nov 2015, John Levine wrote:
At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
Except that the ISP can intercept those queries and respond as it likes.
Thank you. I was wondering if anyone would mention this.

DNSSEC only protects the validator's cache. My assumption (which may be wrong) is that for the vast majority of folks, that means the cache that is run by the ISP.

How many of the ISPs in Quebec enable DNSSEC?

Even if they do, I doubt the government would care: I would presume it would be up to the ISP to implement the law and respond back as the law dictates. How many of the ISPs would continue to enable DNSSEC if the cops show up at their door and turning off DNSSEC is the only way the ISP has to implement the law's requirements?

How many applications request DNSSEC related information and validate?

The only way DNSSEC matters in this context is if you validate locally. My guess is that the number of folk who do this is so low as to not be of interest to the Quebec government. This may be an argument for folks to run their own validating resolvers, but I'm not sure how you'd do that on your iPhone, iPad, or SmartTV.

Regards, -drc
In message <9692ECC6-34AD-49C0-B310-10B8EF8C112C@virtualized.org>, David Conrad writes:
On Nov 13, 2015, at 10:24 AM, Mark Milhollan <mlm@pixelgate.net> wrote:
On Thu, 13 Nov 2015, John Levine wrote:
At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
Except that the ISP can intercept those queries and respond as it likes.
Thank you. I was wondering if anyone would mention this.
DNSSEC only protects the validator's cache. My assumption (which may be wrong) is that for the vast majority of folks, that means the cache that is run by the ISP.
How many of the ISPs in Quebec enable DNSSEC?
Even if they do, I doubt the government would care: I would presume it would be up to the ISP to implement the law and respond back as the law dictates. How many of the ISPs would continue to enable DNSSEC if the cops show up at their door and turning off DNSSEC is the only way the ISP has to implement the law's requirements?
Why would the ISPs turn off DNSSEC? It doesn't prevent them sending back NXDOMAIN. The clients will validate or not. If they validate they will get a validation failure. If they don't then the NXDOMAIN will be accepted.
How many applications request DNSSEC related information and validate?
The only way DNSSEC matters in this context is if you validate locally. My guess is that the number of folk who do this is so low as to not be of interest to the Quebec government. This may be an argument for folks to run their own validating resolvers, but I'm not sure how you'd do that on your iPhone, iPad, or SmartTV.
Apple just adds a validator to their stub resolver and installs a root trust anchor. This really isn't conceptually different to how they manage CAs.
Regards, -drc
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
Mark,
On Nov 13, 2015, at 4:18 PM, Mark Andrews <marka@isc.org> wrote:
How many of the ISPs would continue to enable DNSSEC if the cops show up at their door and turning off DNSSEC is the only way the ISP has to implement the law's requirements?
Why would the ISPs turn off DNSSEC? It doesn't prevent them sending back NXDOMAIN. The clients will validate or not. If they validate they will get a validation failure. If they don't then the NXDOMAIN will be accepted.
My point was that folks at ISPs tend to prefer not to be thrown in jail.
Apple just adds a validator to their stub resolver and installs a root trust anchor.
Love that plan. Let me know when you've convinced Apple to "just" add a validator to IOS (I'm assuming IOS doesn't currently have that capability).
This really isn't conceptually different to how they manage CAs.
My point was that the vast majority of those affected by this would likely not be in a position to install a validating resolver on their device. Regards, -drc
On 14 Nov 2015, at 7:49, David Conrad wrote:
My point was that the vast majority of those affected by this would likely not be in a position to install a validating resolver on their device.
Correct. Most folks on this list can and will do it if they deem it necessary; but most folks on this list are not representative of the global user base. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
In message <5CA68A46-2F63-466A-B418-30DA71B2BAC5@delong.com>, Owen DeLong writes:
On Nov 12, 2015, at 20:50, John Levine <johnl@iecc.com> wrote:
In article <56455885.8090409@vaxination.ca> you write:
The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like. (namely sites that offer on-line gambling that compete against its own Loto Québec).
Blocking is pretty easy, just don't return the result, or fake an NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL instead, but they still won't get a result.
Redirecting is much harder -- as others have explained there is a chain of signatures from the root to the desired record, and if the chain isn't intact, it's SERVERFAIL again. Inserting a replacement record with a fake signature into the original chain is intended to be impossible. (If you figure out how, CSIS would really like to talk to you.) It is possible to configure an ISP's DNS caches to trust specific signatures for specific parts of the tree, but that is kludgy and fragile and is likely to break DNS for everyone.
If you know that the client is using ONLY your resolver(s), couldn’t you simply fake the entire chain and sign everything yourself?
Which is exactly how we test validation in nameservers. If you tell the validator to use a bogus trust anchor you get bogus trust.
Or, alternatively, couldn’t you just fake the answers to all the “is this signed?” requests and say “Nope!” regardless of the state of the authoritative zone in question?
No. You can detect that.
Sure, if the client has any sort of independent visibility it can verify that you’re lying, but if it can only talk to your resolvers, doesn’t that pretty much mean it can’t tell that you’re lying to it?
No. The root's trust anchors are published independently of whatever your ISP does. This isn't something you learn via DHCP.
And anyway, it's pointless. What they're saying is to take the gambling sites out of the phone book, but this is the Internet and there are a million other phone books available, outside of Quebec, such as Google's 8.8.8.8 located in the US, that people can configure their computers to use with a few mouse clicks. Or you can run your own cache on your home network like I do, just run NSD or BIND on a linux laptop.
I believe the traditional statement is “This type of regulation is considered damage and will be routed around.”
They could insist that ISPs block the actual web traffic to the sites, by blocking IP ranges, but that is also a losing battle since it's trivial to circumvent with widely available free VPN software. If they want to outlaw VPNs, they're outlawing telework, since VPNs are how remote workers connect to their employers' systems, and the software is identical.
It’s also fairly easy for the gambling sites to become somewhat IP Agile creating a game of Whack-a-mole for the regulators and the ISPs they are inflicting this pain on.
Owen
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
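Mark Andrews's replies above make two points that a small model of the chain of trust shows concretely: a resolver can hand a validating client an NXDOMAIN or an unsigned answer for a signed name, but the client then gets a validation failure rather than a believable answer, and faking the entire chain only "works" for a client that was given a bogus trust anchor, because it is the parent's signed DS record that tells a validator the child zone must be signed. The Go program below is an added example written for this thread; it is not code from the list, from ISC or from any resolver. It substitutes Ed25519 for the DNSSEC algorithms, uses a simplified DS digest and RRSIG input rather than the wire format, abbreviates NSEC/NSEC3 denial of existence to "a denial must carry a valid signature too", and uses constructed TEST-NET addresses for lottery.com. The function and type names (Zone, Link, Validate, Scenarios) are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Toy model of the DNSSEC chain of trust (added illustration, not wire format):
// an Ed25519 key pair stands in for a zone's DNSKEY, a DS record is SHA-256 over
// (child name || child public key), and an RRSIG is the zone key's signature
// over (owner || type || rdata). Denial of existence is abbreviated: a denial,
// like any answer, must carry a valid RRSIG from the zone key.
type Zone struct {
	Name string
	Priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}
type RR struct {
	Owner, Type string
	Data, Sig   []byte // Sig is the RRSIG; nil means unsigned
}
type Link struct { // one zone on the path from the root
	Zone       string
	DNSKEY, DS RR // DNSKEY is self-signed; DS is signed by the parent (empty at the root)
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Priv: priv, Pub: pub}
}
func canon(owner, typ string, data []byte) []byte {
	return append([]byte(owner+"|"+typ+"|"), data...)
}
func (z *Zone) Sign(owner, typ string, data []byte) RR {
	return RR{owner, typ, data, ed25519.Sign(z.Priv, canon(owner, typ, data))}
}
func DS(child string, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(child+"|"), pub...))
	return h[:]
}

// BuildChain signs the delegation path root -> com -> leaf with the given keys.
func BuildChain(root, com, leaf *Zone) []Link {
	link := func(z, parent *Zone) Link {
		l := Link{Zone: z.Name, DNSKEY: z.Sign(z.Name, "DNSKEY", z.Pub)}
		if parent != nil {
			l.DS = parent.Sign(z.Name, "DS", DS(z.Name, z.Pub))
		}
		return l
	}
	return []Link{link(root, nil), link(com, root), link(leaf, com)}
}

// Validate walks root -> ... -> leaf and checks the answer against the leaf key.
// anchor is the root key obtained out of band, never from DHCP or the resolver.
func Validate(anchor ed25519.PublicKey, chain []Link, a RR) string {
	var parent ed25519.PublicKey
	for i, l := range chain {
		key := ed25519.PublicKey(l.DNSKEY.Data)
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, canon(l.Zone, "DNSKEY", key), l.DNSKEY.Sig) {
			return "bogus: bad DNSKEY at " + l.Zone
		}
		if i == 0 && !bytes.Equal(key, anchor) {
			return "bogus: root key is not the trust anchor"
		}
		if i > 0 && (!ed25519.Verify(parent, canon(l.Zone, "DS", l.DS.Data), l.DS.Sig) || !bytes.Equal(l.DS.Data, DS(l.Zone, key))) {
			return "bogus: DS/DNSKEY mismatch at " + l.Zone
		}
		parent = key
	}
	// The parent's signed DS proves the leaf is signed, so an answer or denial
	// without a valid RRSIG from the leaf key is bogus, not merely "unsigned".
	if parent == nil || a.Sig == nil || !ed25519.Verify(parent, canon(a.Owner, a.Type, a.Data), a.Sig) {
		return "bogus: answer lacks a valid leaf RRSIG"
	}
	return "secure"
}

// Scenarios returns the verdict for the cases discussed in the thread.
func Scenarios() map[string]string {
	root, com, leaf := NewZone("."), NewZone("com."), NewZone("lottery.com.")
	realA, fakeA := []byte{203, 0, 113, 10}, []byte{192, 0, 2, 1} // constructed (TEST-NET-3, TEST-NET-1)
	chain := BuildChain(root, com, leaf)
	fr, fc, fl := NewZone("."), NewZone("com."), NewZone("lottery.com.") // the resolver's own keys
	forged := BuildChain(fr, fc, fl)
	return map[string]string{
		"honest":             Validate(root.Pub, chain, leaf.Sign("lottery.com.", "A", realA)),
		"stripped":           Validate(root.Pub, chain, RR{Owner: "lottery.com.", Type: "A", Data: fakeA}),
		"nxdomain":           Validate(root.Pub, chain, RR{Owner: "lottery.com.", Type: "NXDOMAIN"}),
		"forged_real_anchor": Validate(root.Pub, forged, fl.Sign("lottery.com.", "A", fakeA)),
		"forged_isp_anchor":  Validate(fr.Pub, forged, fl.Sign("lottery.com.", "A", fakeA)), // client trusts the ISP's key
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-20s %s\n", name, verdict)
	}
}
```

Only the honest chain and the forged chain evaluated against the forger's own root key come out "secure"; stripping the signature, substituting an unsigned NXDOMAIN, or re-signing under keys the real root never delegated to are all bogus against the genuine anchor. That is the whole reason the root trust anchor has to arrive with the operating system or resolver package rather than over the same path the answers travel.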
Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> writes:
The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like.
BTDT. See https://torrentfreak.com/pirate-sites-must-pay-legal-costs-of-own-blockade-c... (yes, we could discuss the point of all this - but that is a political discussion, and there are better fora for those. Let's keep this technical here, please)

Now, we mostly don't do DNSSEC validation yet, and luckily none of the blocked domains have any DS records either. So DNSSEC is not yet a real problem in this regard. But there is no reason to think this luck will last forever. Given the "success", we can only assume there will be more court orders. And we do want to enable DNSSEC validation everywhere at some point.

So what do we do? We currently point the blocked domains to addresses of a web server with a short explanation. But what if the domains were signed? We could let validating servers return SERVFAIL. But I'd really prefer avoiding that for the simple reason that there is no way to distinguish that SERVFAIL from one caused by e.g. a domain owner configuration error.

So I'm wondering if DLV might help us here? I imagine it will allow us to return a signed response to the client, with the AD flag, even if we have taken control of the domain. Or won't that work at all if the parent has a DS record?

If the DLV strategy works, then the main advantage would be that a validating client could distinguish between a domain owner error and a deliberate "error" added by us as a resolver operator. The DLV signed response will still fail client validation. And we would of course publish the DLV key, so that anyone wishing to verify the source of the failing signatures could do that (assuming that some clients may accept us as a MITM, but still want to prevent others from the same attack).

What do you all think? Is this feasible? Any better solutions? OK, I should probably lab this instead of discussing it...

Bjørn (working for Telenor, but definitely not having any role in PR or legal matters)
On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote:
So what do we do? We currently point the blocked domains to addresses of a web server with a short explanation. But what if the domains were signed? We could let validating servers return SERVFAIL. But I'd really prefer avoiding that for the simple reason that there is no way to distinguish that SERVFAIL from one caused by e.g. a domain owner configuration error.
Perhaps we need to expand RCODE to be the full octet, and indicate "blocked for legal reasons" with RCODE value 25. - Matt
In message <20151114044614.GA4973@hezmatt.org>, Matt Palmer writes:
On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote:
So what do we do? We currently point the blocked domains to addresses of a web server with a short explanation. But what if the domains were signed? We could let validating servers return SERVFAIL. But I'd really prefer avoiding that for the simple reason that there is no way to distinguish that SERVFAIL from one caused by e.g. a domain owner configuration error.
Perhaps we need to expand RCODE to be the full octet, and indicate "blocked for legal reasons" with RCODE value 25.
RCODEs were expanded to 12 bits back in 1999. See RFC 2671.
- Matt
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Sat, Nov 14, 2015 at 05:32:41PM +1100, Mark Andrews wrote:
In message <20151114044614.GA4973@hezmatt.org>, Matt Palmer writes:
On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote:
So what do we do? We currently point the blocked domains to addresses of a web server with a short explanation. But what if the domains were signed? We could let validating servers return SERVFAIL. But I'd really prefer avoiding that for the simple reason that there is no way to distinguish that SERVFAIL from one caused by e.g. a domain owner configuration error.
Perhaps we need to expand RCODE to be the full octet, and indicate "blocked for legal reasons" with RCODE value 25.
RCODEs were expanded to 12 bits back in 1999. See RFC 2671.
I didn't feel it was worth looking beyond RFC1035 for an off-the-cuff joke. - Matt
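Matt's off-the-cuff RCODE 25 and Mark's correction (the RCODE has been 12 bits wide since EDNS0, RFC 2671, now RFC 6891) can be made concrete by building such a response and reading it back. The Go program below is an added example for this thread, not code from the list or from any resolver; the value 25 is Matt's hypothetical and is not an IANA-assigned RCODE, the message it builds is a minimal answerless response to an A query for lottery.com, and the function names (BuildResponse, ParseRcode, HeaderRcode) are the example's own. It shows where the extra eight bits live: in the top byte of the OPT pseudo-record's TTL field, combined with the four-bit field in the header.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const (
	typeOPT        = 41     // OPT pseudo-RR (RFC 6891)
	udpPayloadSize = 4096   // carried in the OPT CLASS field
	ednsDO         = 0x8000 // DNSSEC OK bit in the OPT flags
	rcodeBlocked   = 25     // hypothetical value from the thread, not an IANA-assigned RCODE
)

// encodeName writes an uncompressed wire-format name: length-prefixed labels, root = 0.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if label != "" {
			out = append(out, byte(len(label)))
			out = append(out, label...)
		}
	}
	return append(out, 0)
}

// BuildResponse returns a minimal answerless response to an A query for qname whose
// 12-bit RCODE is rcode: low 4 bits in the header, high 8 bits in the OPT TTL's top byte.
func BuildResponse(id uint16, qname string, rcode uint16) []byte {
	if rcode > 0xFFF {
		panic("RCODE does not fit in 12 bits")
	}
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x8180|(rcode&0xF)) // QR, RD, RA + low RCODE nibble
	binary.BigEndian.PutUint16(msg[4:], 1)                  // QDCOUNT
	binary.BigEndian.PutUint16(msg[10:], 1)                 // ARCOUNT: the OPT record
	msg = append(msg, encodeName(qname)...)
	msg = append(msg, 0, 1, 0, 1) // QTYPE A, QCLASS IN
	opt := make([]byte, 11)       // NAME "." (1) + TYPE (2) + CLASS (2) + TTL (4) + RDLENGTH (2)
	binary.BigEndian.PutUint16(opt[1:], typeOPT)
	binary.BigEndian.PutUint16(opt[3:], udpPayloadSize)
	binary.BigEndian.PutUint32(opt[5:], uint32(rcode>>4)<<24|ednsDO) // ext-RCODE | version 0 | flags
	return append(msg, opt...)
}

// HeaderRcode is all a pre-EDNS parser sees: the 4-bit field in the header.
func HeaderRcode(msg []byte) uint16 {
	return binary.BigEndian.Uint16(msg[2:]) & 0xF
}

// ParseRcode recombines the 12-bit RCODE from the header and the OPT record, or
// returns the header nibble alone when the message carries no OPT.
func ParseRcode(msg []byte) (uint16, error) {
	if len(msg) < 12 {
		return 0, errors.New("short header")
	}
	qd := int(binary.BigEndian.Uint16(msg[4:]))
	rrs := int(binary.BigEndian.Uint16(msg[6:])) + int(binary.BigEndian.Uint16(msg[8:])) + int(binary.BigEndian.Uint16(msg[10:]))
	off := 12
	skipName := func() error {
		for off < len(msg) {
			l := int(msg[off])
			if l&0xC0 == 0xC0 { // compression pointer: two bytes, ends the name
				off += 2
				return nil
			}
			off += 1 + l
			if l == 0 {
				return nil
			}
		}
		return errors.New("truncated name")
	}
	for i := 0; i < qd+rrs; i++ {
		if err := skipName(); err != nil {
			return 0, err
		}
		if i < qd { // question entry: fixed QTYPE + QCLASS
			off += 4
			continue
		}
		if off+10 > len(msg) {
			return 0, errors.New("truncated RR")
		}
		rrType := binary.BigEndian.Uint16(msg[off:])
		ttl := binary.BigEndian.Uint32(msg[off+4:])
		off += 10 + int(binary.BigEndian.Uint16(msg[off+8:]))
		if rrType == typeOPT {
			return uint16(ttl>>24)<<4 | HeaderRcode(msg), nil
		}
	}
	return HeaderRcode(msg), nil
}

func main() {
	msg := BuildResponse(0x1234, "lottery.com.", rcodeBlocked)
	full, err := ParseRcode(msg)
	fmt.Printf("header nibble=%d full RCODE=%d err=%v\n", HeaderRcode(msg), full, err)
}
```

The header nibble of that message reads 9 (25 & 0xF), which is what a client that never sent an OPT record would see, so a code above 15 can only be returned to EDNS-aware clients and means nothing to the rest; that is the practical obstacle to Matt's proposal. The machine-readable signal Bjørn was after was standardised later as Extended DNS Errors (RFC 8914), which carry codes such as Blocked (15), Censored (16) and Prohibited (18) inside the same OPT record alongside an ordinary RCODE, so a validating client can tell a deliberate block from a broken zone without the resolver having to forge signatures.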
On Thu, Nov 12, 2015 at 10:27:01PM -0500, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote a message of 66 lines which said:
The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like. (namely sites that offer on-line gambling that compete against its own Loto Québec).
You may be interested in this analysis of DNS censorship in some European countries: https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-se...
participants (27)
- A.L.M.Buxey@lboro.ac.uk
- Alarig Le Lay
- Alejandro Acosta
- Baldur Norddahl
- Bjørn Mork
- Bob Evans
- Christopher Morrow
- David Conrad
- eric-list@truenet.com
- Jaap Akkerhuis
- Jean-Francois Mezei
- John Levine
- John R. Levine
- Larry Sheldon
- Marco Davids
- Mark Andrews
- Mark Milhollan
- Matt Palmer
- Nick Hilliard
- Niels Bakker
- Owen DeLong
- Roland Dobbins
- Royce Williams
- Stephane Bortzmeyer
- Sven-Haegar Koch
- Tony Finch
- Valdis.Kletnieks@vt.edu