
Re: Is traffic analysis really a target (was Re: [saag] Is opportunistic unauthenticated encryption a waste of time?)

2014-08-26 00:44:48
On Sun, Aug 24, 2014 at 12:32:15PM -0400, Eric Burger wrote:
> I am concerned with the drive to make all traffic totally opaque.
> I’ll be brief: we have an existence proof of the mess that happens
> when we make all traffic look benign. It is called “everything over
> port 80.” That ‘practical’ approach drove the development of deep

Benign?  No, that's not it.  Ports 80 and 443 (*not* just 80) are used
for everything for a variety of reasons, one of which is that no one
could block them entirely, so every site with a firewall simply had to
have the capability to, and processes for permitting HTTP/HTTPS traffic
-- they could NOT afford not to!

Whereas protocols on other ports...  See below.

> packet inspection, because everything running over port 80 was no
> longer HTTP traffic. It meant we could no longer prioritize traffic
> (in a good sense - *I* want to make sure my VoIP gets ahead of my Web
> surfing ahead of my FTP). It meant we could no longer apply enterprise
> policy on different applications. It drove ‘investment’ in the tools
> that today dominate pervasive monitoring.

It's true that using HTTP as the IP of the 'Net hurt all sorts of
things, but it was driven by the massive adoption of HTTP.  Remember the
term "application gateway"?  What a throwback to the late 80s, early
90s.  Application gateways are unheard of now because they're ETOOHARD.

Firewalls can't cope with a raft of arbitrary, custom protocols, whether
over IP or over HTTP, but with HTTP they get somewhat more metadata to
examine.  If you really want to draw a lesson here it is this:
application protocols need a firewall-friendly substrate of metadata.
That's HTTP -- no other such substrate exists.

Sure, it's a bit of a mirage: the HTTP metadata can be faked.  But at
least with HTTP the firewalls^Wproxies can make sure to get hostnames
every time, not just IP addresses.

That's my take.  Maybe it's wrong, but it seems at least plausible.

If VoIPs and such used different port numbers but still HTTP... they'd
get through firewalls eventually and you could get your traffic
prioritization.  It's not so much ports 80/443 that matter.  It's the
HTTP headers request line, status line, and headers that do.  You could
do WebSockets or otherwise tunnel anything over HTTP and the firewalls
will be happy to let you, IF they like your metadata.

Nico
-- 
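The "firewall-friendly substrate of metadata" point above, as an added example that is not part of the thread or anyone's product: a proxy-style check that keys a policy on the HTTP request line, the Host header and any Upgrade header (the WebSocket case), rather than on the port. The hostnames, policy sets and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample requests (not taken from the thread): a plain page
# fetch, a WebSocket upgrade for a hypothetical VoIP service, and a POST to
# a host the policy does not know about.
SAMPLE_REQUESTS = {
    "web": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    "voip_ws": (b"GET /rtc HTTP/1.1\r\nHost: voip.example.com\r\n"
                b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n"),
    "unknown": b"POST /x HTTP/1.1\r\nHost: other.example.net\r\nContent-Length: 0\r\n\r\n",
}

# Hypothetical policy: hosts a proxy will relay at all, and the subset that
# may open a tunnel (Upgrade) and be put in the real-time priority class.
ALLOWED_HOSTS = {"www.example.com", "voip.example.com"}
UPGRADE_ALLOWED_HOSTS = {"voip.example.com"}


@dataclass
class RequestMetadata:
    method: str
    target: str
    host: Optional[str]
    upgrade: Optional[str]


def parse_request_metadata(raw: bytes) -> RequestMetadata:
    """Pull the request line and the two headers the policy keys on."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if host and not host.startswith("[") and ":" in host:
        host = host.rsplit(":", 1)[0]  # drop an explicit port, keep IPv6 literal intact
    return RequestMetadata(method, target, host, headers.get("upgrade"))


def policy_decision(raw: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). The metadata can be faked; this is policy, not proof."""
    md = parse_request_metadata(raw)
    if md.host is None:
        return False, "no Host header"
    host = md.host.lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host} not in allow list"
    if md.upgrade is not None and host not in UPGRADE_ALLOWED_HOSTS:
        return False, f"Upgrade: {md.upgrade} not permitted for {host}"
    if md.upgrade is not None:
        return True, f"{md.upgrade} tunnel to {host}, priority class realtime"
    return True, f"{md.method} {md.target} to {host}, priority class web"
```

Because the same hostname check works on any port, the decision above does not depend on the connection being to 80 or 443, which is the point Nico makes about VoIP over HTTP getting through eventually.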

