(as sent to the cryptography mailing list)

In light of the NSA achievements, a few people asked about the FreeS/WAN IPsec OE efforts and whatever happened to it.

The short answer is, we failed and got distracted. The long answer follows below. At the end I will talk about the current plans that have lingered in the last two years to revive this initiative. Below I will use the word “we” a lot. Its meaning changes based on the context as various communities touched, merged, intersected and drifted apart.

NOTE: On September 28, 2013 there is be a memorial service in Ann Arbour for Hugh Daniel, manager of the old IPsec FreeS/WAN Project. Various crypto people will attend, including a bunch of us from freeswan. Hugh would have loved nothing better than his memorial service being used as a focal point to talk about “new OE”, so that’s what we will do on Saturday and Sunday. If you are interested in attending, feel free to contact me.

OE in a nutshell

For those not familiar with IPsec OE as per FreeS/WAN implementation. When activated, a host would install a blocking policy for 0.0.0.0/0. Every packet to an IP address would trigger the kernel to hold the packet and signal the IKE daemon to go find an IPsec policy for that destination. If found, the tunnel would be build, and an IPsec tunnel to the remote IP would be established, and packets would flow. If no policy was found, a “pass” hole was poked so packets would go out unencrypted. Public keys for IP addresses were looked up in the reverse DNS by the IKE daemon based on the destination address. To help with roaming clients (roadwarriors), initiators could store their public key in their FQDN, and convey their FQDN as ID when performing IKE so the remote peer could look up their public key in the forward DNS. This came at the price of two dynamic clients not being able to do OE to each other. (turns out they couldn’t anyway, because of NAT)

What were the reasons for failing to encrypt the internet with OE IPsec (in no particular order):

1) Fragmentation of IPsec kernel stacks

In part due to the early history of FreeS/WAN combined with the export restrictions at the time. Instead of spending more time on IKE and key management for large scale enduser IPsec, we ended up wasting a lot of time fixing the FreeS/WAN KLIPS IPsec stack module for each Linux release. Another IPsec stack, which we dubbed XFRM/NETKEY appeared around 2.6.9 and was backported to 2.4.x. It was terribly incomplete and severely broken. With KLIPS not being within the kernel tree, it was never taken into account. XFRM/NETKEY remained totally unsuitable for OE for a decade. XFRM/NETKEY now has almost all functionality needed – I found out today it shoudl finally have first+last packet caching for dynamic tunnels, which are essential for OE. Since the application’s first packet triggered the IKE mechanism, the application would start retransmitting before IKE was completed. Even when the tunnel finally came up, the application was usually still waiting on that TCP retransmit. David McCullough and I still spend a lot of time fixing up KLIPS to work with the current Linux kernel. Look at ipsec_kversion.h just to see what a nightmare it has been to support Linux 2.0 to 2.6 (libreswan removed support for anything lower then recent 2.4.x kernels)

Linux IPsec Crypto hardware acceleration in practise is only possible with KLIPS + OCF, as the mainstraim async crypto is lacking in hardware driver support. If you want to build OE into people’s router/modem/setup box, this is important, though admittingly less so as time has moved on and even embedded hardware and phones are multicore or have special crypto CPU instructions.

An effort to make the kernel the sole provider of crypto algorithms that everyone could use also failed, and the idea was abandoned when CPU crypto instructions appeared directly accessable from userland.

2) US citizens could not contribute code or patches to FreeS/WAN

This was John Gilmore’s policy to ensure the software remained free for US citizens. If no US citizen touched the code, it would be immune to any presidential National Security Letter. I believe this was actually the main reason for KLIPS not going in mainstream kernel, although personal egos of kernel people seemed to have played a role here as well. Freeswan people really tried had in 2000/2001 to hook KLIPS into the kernel just the way the kernel people wanted. (Ironically, the XFRM/NETKEY hook so bad, it even confuses tcpdump and with it every sysadmin trying to see whether or not their traffic is encrypted) I still don’t fully understand why it was never merged, as the code was GPL, and it should have just been merged in, even against John’s wishes. Someone would have stepped in as maintainer – after all the initial brunt of the work had been done and we had a functional IPsec stack.

In the summer of 2003, I talked to John and together we agreed it was time to fork. Openswan was born to clearly indicate US coders could contribute. However, at that point the (then crappy) FRM/NETKEY IPsec stack was there to prevent OE from working due to the missing first+last packet caching. The FreeS/WAN Project ended and Openswan continued. At first in good pace, but that later slowed down and OE was no longer its focal point. (Due to legal reasons, I cannot go into details regarding the openswan history)

3) Not using DNS without DNSSEC

There were various issues that caused DNSSEC to get massively delayed. We needed DNSSEC to secure our DNS based distributed public key platform. Although it would have worked fine to use DNS against passive attackers (NSA trawling), we believed it was principly wrong to trust cryptographic material that was untrusted and vulnerable against active attacks. So while the developers encouraged people to put keys in DNS even without security, no one else picked it up. It sucks to need to say ‘we told you so’. But we should have really not waited on DNSSEC.

4) Dealing with the DNS working groups at IETF

The DNS community is one of the most pedantic group of people I know. They are very smart, often right, and had been known to be extremely defense of their DNS turf. (Note that things have improved considerably and if you think this is still an issue, I’m happy to try and help)

IETF was divided about the convergence of the “security of the DNS” and the “DNS as PKI” despite that this had always been a goal of DNSSEC for a large group of people within the IETF. The FreeS/WAN people were driving DNSSEC not so much for DNS as for the key distribution. After all, you can detect DNS forging if you know your public keys.

When we had the KEY/SIG records ready to go, it was decreed that it could only be used for the DNS itself. Applications could not use this KEY record. To make that distinction more clear, on the next change in the draft protocol, KEY was obsoleted and DNSKEY introduced. So IPsec keys were relegated back to TXT, since at the time we had no Generic Record format (RFC 3597) support, so waiting for any new RRtype to get any deployment to become usuable would take years. Almost everyone was on bind4 and never upgraded left us with no other choice but the TXT. Even though we wrote the OE and IPSECKEY RFCs, OE’s only deployments were done using TXT records.

5) DNSSEC was delayed by a decade

DNSSEC deployment was slowly gaining traction, but I think we really needed the Kaminsky bug to get that extra push for DNSSEC outside the geeks of the IETF. The US government mandate for DNSSEC in .GOV helped as well. But by this time, OE was mostly forgotten.

djb repeatedly tried to peddle his own warez. While not at all realistic, it always gained a lot of hype and media attention and probably did cause delays of DNSSEC deployment.

Kaminsky himself was shooting down DNSSEC too. I personally heckled him at various Black Hat’s and ICANN conferences until we finally sat down for a couple of hours to talk about DNSSEC’s history and design goals. I’ll claim my 15 minutes of fame for having converted him. It helped having Kaminsky say that although he didn’t like the complexity, he couldn’t see anything better. DNSSEC was needed for everyone.

DNSSEC was gaining traction. Then we ran into a bunch of DNSSEC deployment issues. We had the delays due to NSEC vs NSEC3 with OPTIN, and then on top of that in 2008 when the first big ISP in Sweden turned on DNSSEC in their resolvers all that traction was blown away.

Most consumer routers ran DNS proxies that implemented DNS as “known bitstreams” instead of implemeting the actual DNS protocol. The DNSSEC OK bit caused thousands of routers to drop DNSSEC packets as “invalid DNS”. The only realistic solution: Turn it off and wait two years for those routers to get obsoleted by faster wifi standards and talk to those vendors so they would not repeat their mistake with their next generation of routers.

We now have the IPSECKEY record format (though RFC 4025 is not useful, see below) and RFC 3597 for the generic DNS record deployed on all DNS servers. And we’re on our way to have DNSSEC on every end node (see also draft-wouters-edns-tcp-chain-query-00 I just submitted to the IETF)

We have a mostly clean working UDP/TCP port 53 transport for DNSSEC on most networks (in part thanks to Google DNS). Although our hotspot handling is still a little rough, with dnssec-trigger the only tool to hack configurable DNSSEC support into the OS for our coffee shop visits when we need to rely on forged DNS.

6) When you’re NAT on the net, you’re NOT on the net.

Opportunistic Encryption relied on a clear peer to peer connection. But we managed to degrade the internet into servers and clients. NAT was the biggest problem, and with CGN around the corner, it’s not something that is going away despite IPv6 offering enough IPs for everyone. In fact, for our “new OE”, this is the biggest hurdle to overcome. When Alice cannot talk to Bob because she cannot reach him due to a (carrier grade) NAT, we are stuck wildly poking holes and hoping packets flow.

7) The reverse DNS tree is dead Jim

OE depended on the reverse tree as a security mechanism that someone who was claiming a public key for a specific IP range was actually the legitimate owner of that IP space. It was the security method for RFC-4025.

But unless you are running in a datacenter, you do not have access to the reverse DNS. It is useless as key distribtion method. On top of that, large IPv6 deployments don’t even care any more to run any authoritative DNS for their reverse.

8) BTNS

The IETF tried to revive this OE with the Better Then Nothing Security (“BTNS”) working group. Contrary to the name, they also fell into the “perfect is the enemy of good” trap and most discussion seemed to go into “channel binding” to upgrade anonymous IPsec to some kind of authenticated IPsec – at least by the time I became aware of them. In other words, the most important problem of key distribution was left outside the scope and no one actually seemed to have implemented anything. Though I have to admit, I’m behind on reading the VPN auto-discovery drafts. It is just
very discouraging to still be reading problem statement drafts. More over, I don’t think we should setup IPsec tunnels based on packets hitting the kernel. We have better ways now that we can leverage DNSSEC.

9) We were all complacent

The only interest for IPsec was for corporate VPNs. During the above listed problem periods, OE people gave up. Some walked away from IETF. While everyone gained an always-on portable IP device,
their crypto capabilities were practically non-existent. My current iphone 5 can connect to a corporate VPN, but trying to make it _just_ send out encrypted packets is impossible. Some trickery can be used to cause almost any packet to setup the VPN, but while that’s going on it is still leaking like a sieve. VPN is seen by phone vendors as a method to gain some enterprise users, not as the tool to protect the consumer. The Apple VPN client is a 10+ year old patched version of racoon. The only vendor that took VPNs seriously was RIM and we punished them by not buying their products, because we had other priorities like FourSquare, Facebook and Twitter.

We can only hope that those PRISM players are now put under economic pressure by frightened consumers to fix this. But as long as VPNs and DNSSEC is slow and error-prone, it is better for them not to go there.

The New Opportunistic Encryption

I’ve been brainstorming with various people on how to put IPsec OE back on the table. I’ve discussed this with a bunch of people around me, including the late Hugh Daniel, John Gilmore and Hugh Redelmeier of freeswan.

The packet capturing 0.0.0.0/0 policy is not a good method because we cannot make any decision on where to find a public key for an IP address. The reverse is unusable, and IP addresses change often. We used it because we had nothing better. But now we do. Since every (secure) platform now runs DNSSEC on the end node, we can use this as our decision making point. Imagine my phone running a DNSSEC resolver (say unbound) and an IKE daemon (say libreswan). The DNS server has access to the set of DNS name and matching IP address. It can lookup the key in the forward DNS zone, and hand over the public key, dns name and IP address to the IKE daemon!

1) User tells browser to go to www.cypherpunks.ca

2) browser does a lookup for the A/AAAA record of www.cypherpunks.ca

3) DNSSEC resolver performs the lookup/validation for the A/AAAA record of www.cypherpunks.ca and additionally looks up the IPSECKEY record of www.cypherpunks.ca.

4a) The resolver will wait with returning the A/AAAA record to the browser until it knows if the IPSECKEY record exists or not. If not, it releases the A/AAA answer to the application. Packets flow in the clear.

4b) The resolver finds an IPSECKEY record. It sends the pubic key, the FQDN and the IP address(es) to the IKE daemon and waits for a response. Meanwhile it does _not_ release the A/AAAA record to the application.

5) The IKE daemon sets up the IPsec tunnel. We haven’t reached agreement yet over how this should be done. There are two choices:

a) The client uses an “@anonymous” ID for itself along with sending its public key inline with IKE. The client is responsible for ensuring there is no MITM attack, as it knows the server’s public key (from DNSSEC). The responding server will just use any key it received inline if it was received for the “@anonymous” ID.

b) The initiator (aka client) uses its own FQDN-based ID. It has preconfigured its DNS so that an IPSECKEY record exists for its FQDN (protected by DNSSEC). The key is not send inline with IKE. Instead, when the responder (aka server) sees the non-anonymous ID, it will perform a DNSSEC secured lookup to obtain the IPSECKEY out of band. Both parties confirm there is no MITM.

The advantage of a) is that it leaks less user information and makes tracking users harder. The client can regularly generate another anonymous keypair. The disadvantage of a) is that it turns peers into clients and servers. And two clients cannot initiate OE to each other.

6) The tunnel is established and the IKE daemon notifies the local DNSSEC server that had instructed it to setup the IPsec tunnel.

7) The resolver releases the IP address to the application.

8) The applications starts sending packets and the IPsec policy encrypts them al.

I’m personally in favour of the @anonymous solution. But there is no reason why support for both could not be implemented.

What are some of the obstacles and work to do:

1) writing the unbound plugin

2) writing the support for @anonymous for the server-side. This includes raw keys for IKEv2 (draft-ietf-ipsecme-oob-pubkey)

3) With NAT, the client suggests an inner-IP. This could be abused or clash, We need to ‘contain’ each connection, possibly using generated ipv6 addresses 4) We cannot use the “gateway” field of RFC-4025, or people could trick a server into giving a client all communication to a certain IP address that does not belong to them

5) anonymous connections should generate throw-away keys to remain anonymous

6) implement draft-wouters-edns-tcp-chain or else latency/RTTs will prevent real-life deployment of DNSSEC validated IPSECKEYs on mobile devices.

7) This allows no upgrading from anonymous to mutually authenticated, but IKE policies can be added to the server/client that would match on different IDs (eg X.509) that work independantly of OE without introducing complicated channel binding promotion code. Other IKEv2 extensions could possible be applied to facilitate promotions.

I’m sure more implementation issues will show up once we get this going, but there are no real fundamental issues why we cannot deploy this in a couple of months of time. My plan is to get libreswan to support this version of OE. Additionally, once we use draft-wouters-edns-tcp-chain, it becomes cheap to do these lookups through the tor network. If the tor exit nodes then also feed each other with DNSSEC cache material, it should make tracing individual clients even harder.

(anyone willing to assist, especially with coding, do contact me)

Market researcher Clotaire Rapaille was interviewed for an episode of Frontline on advertising and marketing back in 2003. I like what he had to say about the differences in how the French and Americans think about cheese.

For example, if I know that in America the cheese is dead, which means is pasteurized, which means legally dead and scientifically dead, and we don't want any cheese that is alive, then I have to put that up front. I have to say this cheese is safe, is pasteurized, is wrapped up in plastic. I know that plastic is a body bag. You can put it in the fridge. I know the fridge is the morgue; that's where you put the dead bodies. And so once you know that, this is the way you market cheese in America.

I started working with a French company in America, and they were trying to sell French cheese to the Americans. And they didn't understand, because in France the cheese is alive, which means that you can buy it young, mature or old, and that's why you have to read the age of the cheese when you go to buy the cheese. So you smell, you touch, you poke. If you need cheese for today, you want to buy a mature cheese. If you want cheese for next week, you buy a young cheese. And when you buy young cheese for next week, you go home, [but] you never put the cheese in the refrigerator, because you don't put your cat in the refrigerator. It's the same; it's alive. We are very afraid of getting sick with cheese. By the way, more French people die eating cheese than Americans die. But the priority is different; the logic of emotion is different. The French like the taste before safety. Americans want safety before the taste.

(via @pieratt)

Tags: cheeseClotaire Rapaillefood

Last week I was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they’re working on in that country. Having published two reasonably popular MITM tools, it’s not uncommon for me to get emails requesting that I help people with their interception projects. I typically don’t respond, but this one (an email titled “Solution for monitoring encrypted data on telecom”) caught my eye.

Read more...

I remember being endlessly entertained by the adventures of my toys. Some days they died repeated, violent deaths, other days they traveled to space or discussed my swim lessons and how I absolutely should be allowed in the deep end of the pool, especially since I was such a talented doggy-paddler.


I didn't understand why it was fun for me, it just was.


But as I grew older, it became harder and harder to access that expansive imaginary space that made my toys fun. I remember looking at them and feeling sort of frustrated and confused that things weren't the same.


I played out all the same story lines that had been fun before, but the meaning had disappeared. Horse's Big Space Adventure transformed into holding a plastic horse in the air, hoping it would somehow be enjoyable for me. Prehistoric Crazy-Bus Death Ride was just smashing a toy bus full of dinosaurs into the wall while feeling sort of bored and unfulfilled.  I could no longer connect to my toys in a way that allowed me to participate in the experience.


Depression feels almost exactly like that, except about everything.

At first, though, the invulnerability that accompanied the detachment was exhilarating. At least as exhilarating as something can be without involving real emotions.


The beginning of my depression had been nothing but feelings, so the emotional deadening that followed was a welcome relief.  I had always wanted to not give a fuck about anything. I viewed feelings as a weakness — annoying obstacles on my quest for total power over myself. And I finally didn't have to feel them anymore.

But my experiences slowly flattened and blended together until it became obvious that there's a huge difference between not giving a fuck and not being able to give a fuck. Cognitively, you might know that different things are happening to you, but they don't feel very different.


Which leads to horrible, soul-decaying boredom.


I tried to get out more, but most fun activities just left me existentially confused or frustrated with my inability to enjoy them.


Months oozed by, and I gradually came to accept that maybe enjoyment was not a thing I got to feel anymore. I didn't want anyone to know, though. I was still sort of uncomfortable about how bored and detached I felt around other people, and I was still holding out hope that the whole thing would spontaneously work itself out. As long as I could manage to not alienate anyone, everything might be okay!

However, I could no longer rely on genuine emotion to generate facial expressions, and when you have to spend every social interaction consciously manipulating your face into shapes that are only approximately the right ones, alienating people is inevitable.


Everyone noticed.


It's weird for people who still have feelings to be around depressed people. They try to help you have feelings again so things can go back to normal, and it's frustrating for them when that doesn't happen. From their perspective, it seems like there has got to be some untapped source of happiness within you that you've simply lost track of, and if you could just see how beautiful things are...


At first, I'd try to explain that it's not really negativity or sadness anymore, it's more just this detached, meaningless fog where you can't feel anything about anything — even the things you love, even fun things — and you're horribly bored and lonely, but since you've lost your ability to connect with any of the things that would normally make you feel less bored and lonely, you're stuck in the boring, lonely, meaningless void without anything to distract you from how boring, lonely, and meaningless it is.


But people want to help. So they try harder to make you feel hopeful and positive about the situation. You explain it again, hoping they'll try a less hope-centric approach, but re-explaining your total inability to experience joy inevitably sounds kind of negative; like maybe you WANT to be depressed. The positivity starts coming out in a spray — a giant, desperate happiness sprinkler pointed directly at your face. And it keeps going like that until you're having this weird argument where you're trying to convince the person that you are far too hopeless for hope just so they'll give up on their optimism crusade and let you go back to feeling bored and lonely by yourself.


And that's the most frustrating thing about depression. It isn't always something you can fight back against with hope. It isn't even something — it's nothing. And you can't combat nothing. You can't fill it up. You can't cover it. It's just there, pulling the meaning out of everything. That being the case, all the hopeful, proactive solutions start to sound completely insane in contrast to the scope of the problem.

It would be like having a bunch of dead fish, but no one around you will acknowledge that the fish are dead. Instead, they offer to help you look for the fish or try to help you figure out why they disappeared.


The problem might not even have a solution. But you aren't necessarily looking for solutions. You're maybe just looking for someone to say "sorry about how dead your fish are" or "wow, those are super dead. I still like you, though."


I started spending more time alone.


Perhaps it was because I lacked the emotional depth necessary to panic, or maybe my predicament didn't feel dramatic enough to make me suspicious, but I somehow managed to convince myself that everything was still under my control right up until I noticed myself wishing that nothing loved me so I wouldn't feel obligated to keep existing.


It's a strange moment when you realize that you don't want to be alive anymore. If I had feelings, I'm sure I would have felt surprised. I have spent the vast majority of my life actively attempting to survive. Ever since my most distant single-celled ancestor squiggled into existence, there has been an unbroken chain of things that wanted to stick around.


Yet there I was, casually wishing that I could stop existing in the same way you'd want to leave an empty room or mute an unbearably repetitive noise.


That wasn't the worst part, though. The worst part was deciding to keep going.


When I say that deciding to not kill myself was the worst part, I should clarify that I don't mean it in a retrospective sense. From where I am now, it seems like a solid enough decision. But at the time, it felt like I had been dragging myself through the most miserable, endless wasteland, and — far in the distance — I had seen the promising glimmer of a slightly less miserable wasteland. And for just a moment, I thought maybe I'd be able to stop and rest. But as soon as I arrived at the border of the less miserable wasteland, I found out that I'd have to turn around and walk back the other way.


Soon afterward, I discovered that there's no tactful or comfortable way to inform other people that you might be suicidal. And there's definitely no way to ask for help casually.


I didn't want it to be a big deal. However, it's an alarming subject. Trying to be nonchalant about it just makes it weird for everyone.


I was also extremely ill-prepared for the position of comforting people. The things that seemed reassuring at the time weren't necessarily comforting for others.

I had so very few feelings, and everyone else had so many, and it felt like they were having all of them in front of me at once. I didn't really know what to do, so I agreed to see a doctor so that everyone would stop having all of their feelings at me.


The next few weeks were a haze of talking to relentlessly hopeful people about my feelings that didn't exist so I could be prescribed medication that might help me have them again.


And every direction was bullshit for a really long time, especially up. The absurdity of working so hard to continue doing something you don't like can be overwhelming. And the longer it takes to feel different, the more it starts to seem like everything might actually be hopeless bullshit.


My feelings did start to return eventually. But not all of them came back, and they didn't arrive symmetrically.

I had not been able to care for a very long time, and when I finally started being able to care about things again, I HATED them. But hatred is technically a feeling, and my brain latched onto it like a child learning a new word.


Hating everything made all the positivity and hope feel even more unpalatable. The syrupy, over-simplified optimism started to feel almost offensive.


Thankfully, I rediscovered crying just before I got sick of hating things.  I call this emotion "crying" and not "sadness" because that's all it really was. Just crying for the sake of crying. My brain had partially learned how to be sad again, but it took the feeling out for a joy ride before it had learned how to use the brakes or steer.


At some point during this phase, I was crying on the kitchen floor for no reason. As was common practice during bouts of floor-crying, I was staring straight ahead at nothing in particular and feeling sort of weird about myself. Then, through the film of tears and nothingness, I spotted a tiny, shriveled piece of corn under the refrigerator.


I don't claim to know why this happened, but when I saw the piece of corn, something snapped. And then that thing twisted through a few permutations of logic that I don't understand, and produced the most confusing bout of uncontrollable, debilitating laughter that I have ever experienced.


I had absolutely no idea what was going on.


My brain had apparently been storing every unfelt scrap of happiness from the last nineteen months, and it had impulsively decided to unleash all of it at once in what would appear to be an act of vengeance.


That piece of corn is the funniest thing I have ever seen, and I cannot explain to anyone why it's funny. I don't even know why. If someone ever asks me "what was the exact moment where things started to feel slightly less shitty?" instead of telling a nice, heartwarming story about the support of the people who loved and believed in me, I'm going to have to tell them about the piece of corn. And then I'm going to have to try to explain that no, really, it was funny. Because, see, the way the corn was sitting on the floor... it was so alone... and it was just sitting there! And no matter how I explain it, I'll get the same, confused look. So maybe I'll try to show them the piece of corn - to see if they get it. They won't. Things will get even weirder.


Anyway, I wanted to end this on a hopeful, positive note, but, seeing as how my sense of hope and positivity is still shrouded in a thick layer of feeling like hope and positivity are bullshit, I'll just say this: Nobody can guarantee that it's going to be okay, but — and I don't know if this will be comforting to anyone else — the possibility exists that there's a piece of corn on a floor somewhere that will make you just as confused about why you are laughing as you have ever been about why you are depressed. And even if everything still seems like hopeless bullshit, maybe it's just pointless bullshit or weird bullshit or possibly not even bullshit.