Network management of encrypted traffic
Technical mitigations and business impacts
GSMA ENCRY sub-group for PSMC Encryption Task Force
Draft   Date               Changelog
0.1     28th July 2014     Initial skeleton
0.2     29th July 2014     List of mitigations, Audience and purpose
0.3     29th July 2014     Comments from WG call
0.4     11th August 2014   Technical solution details added, use case appendix added
0.5     14th August 2014   Changes following ENCRY#2 call: changed sections to ‘Existing mitigations’ and ‘Mitigations under investigation’. Added new mitigations. Removed ‘perspectives’ section and added sub-section in each mitigation to indicate the use cases affected.
Contents

Audience and purpose of document
What’s out of scope
A note on terminology
Background reading
List of mitigations and impact analysis
    Existing mitigations
        Google Canary URL
        Google Proxy Bypass
        Heuristics
        HTTPS Server Name Indication extension
        Mobile operating system filters
        Filtering apps (device-based)
        Filtering browsers
        Traffic management at lower network layers
    Mitigations under investigation
        Network proxy proposals
        Encouraging uptake of HTTP/2 without transport layer encryption
        Object Level Encryption
        Filtering-apps (centralised)
        Filtering with per-service permission
    List of strategies that are not recommended (out of scope)
    Table showing which mitigations apply to which use cases
Recommendations
Appendix A: Categorisation of use cases
    Use-cases out-of-scope for this paper
Audience and purpose of document
The audience of the document is intended to be technical architects with knowledge of the operator network traffic management functions; browser vendors; middleware/proxy vendors. Information on non-technical (or non-network impacting) workarounds is also provided.
The document captures the mitigations identified to ensure that operators can execute on their traffic management requirements, as identified in the proxy use case document. These use cases have been broadly categorised, and each mitigation will indicate the category of use case that it applies to. Where a mitigation involves a technical integration at the network, that information is detailed.
What’s out of scope
A range of use cases are listed, but this document makes no assumption as to whether they are relevant or mandatory for a given operator – that is a per-operator decision.
For this paper, non-mobile networks are out of scope; however, a future version may consider fixed networks (whether directly connected or via a WiFi hub).
A note on terminology
‘Mitigation’ is used throughout this document, and refers to a method of supporting a particular use case when traffic is encrypted. To be clear, we are not trying to say that encryption is ‘bad’ or should be stopped, rather that there is an impact on existing traffic management practices.
A ‘mitigation’ does not simply imply network-based software or policy enforcement; it may also include device-based alternatives or external industry efforts that support both encryption and certain traffic management requirements.
Background reading
Please see
List of mitigations and impact analysis
Existing mitigations
Google Canary URL
Reference documentation:
Description:
A single, unencrypted HTTP request is made by the Chrome for Mobile browser at startup and if the device changes networks (e.g. from WiFi to cellular). This request may be trapped by the network – depending on the network’s HTTP response, Chrome will or will not create an encrypted tunnel to the Google DCP (Data Compression Proxy). Therefore the network is in control of enabling or rejecting encryption for a specific user.
Scope:
Google Chrome for Mobile users that have selected the ‘Reduce Data Usage’ setting; intended to allow encryption to be disabled on a per-user basis. Google do not document when the network may reject or enable encryption: an example usage is to disable encryption for users not proven to be adults. Note that Google Data Compression Proxy optimisations still occur even if the content is not encrypted.
Integration:
Two processes are required:
1. Detect the request from the Chrome for Mobile browser.
The requested URL is . This will travel unencrypted through to the Packet Data Network Gateway (PDN-GW in LTE, or equivalent in other networks), therefore it could be trapped at several nodes; however, point (2) below will dictate the optimal node for a given network.
2. Determine any policy rules for the requesting user.
This requires that the node performing (1) above has access to the requesting user’s identity, and the ability to look up policy rules set for that identity (or groups that the identity is a member of).
∙ In practice this can mean a lookup to a PCRF (Policy and Charging Rules Function) interface, passing the user identity, or to the Home Location Register or any Customer Relationship Management system that categorises users.
∙ The user identity may have been extracted either from an HTTP request header, or from an additional lookup (such as an IMSI lookup based on the IP address allocated to the terminal).
Should this process determine any policy rules applying to the requesting user, then the system will decide whether the rule(s) allow or disallow encryption to occur.
Example:
Example_Operator categorises all customers as either ‘child’ (the default) or ‘adult’. The customer must present credentials to the retail store to achieve ‘adult’ categorisation.
User Ch is a ‘child’ and user Ad is an ‘adult’ connected to the Example_Operator network. Both use Google Chrome for Mobile, and have set ‘Reduce Data Usage’ in their settings. When they start the browser, processes (1) and (2) described above occur, with the result:
User Ch receives the HTTP response ‘403 Forbidden’ from the Example_Operator network. This means that the Chrome for Mobile traffic may still utilise the Google DCP but encryption will not occur. Hence Example_Operator has visibility of the HTTP traffic en route to the Google DCP, and content filters for ‘adult content’ can be applied.
User Ad receives the HTTP response ‘200 OK’ from the Example_Operator network. Hence Chrome for Mobile initiates an encrypted tunnel to the Google DCP, and the Example_Operator network will not filter for adult content delivered over this tunnel.
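The two-step process above, carried through for users Ch and Ad, as an added Python example (this is not code from the GSMA paper or from Google). The canary hostname is a placeholder, since the paper does not reproduce the real URL; the IP-to-IMSI session table and the subscriber categorisation table are constructed inline and stand in for the PDN-GW session state and the PCRF/CRM lookup.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# ASSUMPTION: the real canary URL is not reproduced in the paper, so a
# placeholder host and path are used here.
CANARY_HOST = "canary.example"
CANARY_PATH = "/"

# Constructed lookup tables (not real data): the IP->IMSI mapping stands in for
# the PDN-GW session table, the IMSI->category mapping for the PCRF/CRM lookup.
IP_TO_IMSI: Dict[str, str] = {
    "10.0.0.11": "001010000000001",   # user Ch
    "10.0.0.12": "001010000000002",   # user Ad
}
IMSI_CATEGORY: Dict[str, str] = {
    "001010000000002": "adult",       # presented credentials at the retail store
}   # any IMSI not listed is 'child', the default category


@dataclass
class HttpRequest:
    src_ip: str
    method: str
    path: str
    headers: Dict[str, str]


def parse_request(src_ip: str, raw: bytes) -> HttpRequest:
    """Minimal parser for the request line and headers of one plain-HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return HttpRequest(src_ip, method, path, headers)


def is_canary_request(req: HttpRequest) -> bool:
    """Step (1): detect the unencrypted start-up probe. The match is on Host and
    path only; the User-Agent header is not relied on because it is trivially spoofable."""
    return (req.method == "GET"
            and req.headers.get("host", "").lower() == CANARY_HOST
            and req.path == CANARY_PATH)


def user_category(src_ip: str) -> str:
    """Step (2): resolve the subscriber behind the source IP (IMSI lookup) and its
    category. Unknown IPs and unlisted IMSIs fall back to 'child', the restrictive
    default, so a lookup failure never silently grants the encrypted tunnel."""
    imsi = IP_TO_IMSI.get(src_ip)
    if imsi is None:
        return "child"
    return IMSI_CATEGORY.get(imsi, "child")


def canary_decision(src_ip: str, raw: bytes) -> Optional[int]:
    """HTTP status the network should answer the canary with: 200 lets Chrome bring
    up the encrypted DCP tunnel, 403 keeps the traffic in the clear. None means the
    request is not the canary and must be passed through untouched."""
    req = parse_request(src_ip, raw)
    if not is_canary_request(req):
        return None
    return 200 if user_category(src_ip) == "adult" else 403


def canary_response(status: int) -> bytes:
    """Serialise the network's reply to the canary request."""
    reason = {200: "OK", 403: "Forbidden"}[status]
    return (f"HTTP/1.1 {status} {reason}\r\nContent-Length: 0\r\n"
            f"Connection: close\r\n\r\n").encode()


if __name__ == "__main__":
    # Constructed probe, not a captured Chrome request.
    probe = (b"GET / HTTP/1.1\r\nHost: canary.example\r\n"
             b"User-Agent: constructed-sample\r\n\r\n")
    for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.99"):
        print(ip, canary_decision(ip, probe))
```

Because the canary is a single unencrypted GET, the decision point has to be a node that both sees the plaintext and can reach the subscriber lookup; a lookup that fails or times out should be treated as ‘child’ rather than as ‘no rule applies’, otherwise an outage in the policy path would grant the encrypted tunnel to every user.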
Notes:
It is not clear whether a blanket rule of ‘no encryption’ for all users is supported by Google (in other words, whether the Canary URL test can be ‘failed’ in all cases).
Mitigates the use cases:
“Regulatory filtering”, “parental control”, “customer malware protection” when applied to child vs. adult SIMs, but only for traffic proxied by the Google DCP, i.e. HTTP over TLS requests made by Chrome for Mobile browsers with the DCP activated.
Google Proxy Bypass
Reference documentation:
Description:
A blacklist hosted at the Google DCP, populated by Google based on operator submissions.
Scope:
Google Chrome for Mobile users that have selected the ‘Reduce Data Usage’ setting. Differs from the Canary URL process in that it is intended to be applied across all users, rather than a specific user or group.
Integration:
The operator is required to submit a list of URLs to Google that they wish to bypass the DCP. This submission is an offline process; operators should submit URLs to their Google contact for the attention of the DCP team to implement. Once the bypass URLs have been integrated at Google, the following behaviour is expected:
1. The Google DCP will detect any request to this URL.
2. Google will suspend encryption for a period of 1 to 5 minutes between the requesting Chrome for Mobile browser and the DCP.
3. The DCP will respond to the Chrome for Mobile browser and make it reissue the request unencrypted.
4. This will allow operator filters to detect the request and act accordingly.
Example:
Example_Operator provides several service portals for their mobile customers. These are hosted within their network (rather than on the public Internet) in order to provide seamless authentication and lookup of sensitive customer data. HTTP requests to these portals are resolved by Example_Operator’s own DNS service; therefore the portal URIs must be submitted to the Google Proxy Bypass list, since Google’s DNS resolvers will not be able to resolve them.
Notes:
Note that by default Google bypass the proxy for international blacklists, namely the Internet Watch Foundation list (child abuse materials). The documentation mentions that national court order lists are also included; however, gaps have been identified in these lists, possibly because Google may not be party to blocking issued by national telecoms regulators. Therefore operators are encouraged to determine the result of Google DCP usage when such court-order-blocked URIs are requested (for example, offshore gambling sites).
Mitigates the use cases:
“Regulatory filtering”, “MNO Services”, but only for traffic proxied by the Google DCP, i.e. HTTP over TLS requests made by Chrome for Mobile browsers with the DCP activated.
Heuristics
[editor note: volunteer needed for this section!]
HTTPS Server Name Indication extension
Reference documentation:
“Transport Layer Security (TLS) Extensions: Extension Definitions”, http://tools.ietf.org/html/rfc6066#page-6
Description:
When initiating the TLS handshake, the Client MAY provide an extension field (server_name) which indicates the server it is attempting a secure connection with.
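As an added example (not from the GSMA paper or from any vendor’s product), the following Python code shows what a network node has to do to act on the server_name extension: walk the ClientHello to its extensions block, find extension type 0, pull out the host_name, and apply a hostname blocklist to it. The sample ClientHello bytes are constructed inline by build_client_hello rather than captured from a device, and the blocklist entries and hostnames are placeholders.

```python
import struct
from typing import Optional, Set

SNI_EXTENSION_TYPE = 0x0000   # server_name, RFC 6066 section 3
HOST_NAME_TYPE = 0x00         # NameType host_name


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello inside one TLS record (sample input,
    not a capture). server_name=None omits the SNI extension altogether."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    # An unrelated extension (renegotiation_info, 0xff01) so the parser must skip one.
    extensions += struct.pack("!HH", 0xFF01, 1) + b"\x00"
    body = (
        b"\x03\x03"                                      # client_version TLS 1.2
        + bytes(range(32))                               # 'random' (fixed for the sample)
        + b"\x00"                                        # session_id: empty
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"     # two cipher suites
        + b"\x01\x00"                                    # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the server_name extension of a ClientHello,
    or None if the record is not a ClientHello or carries no usable SNI.
    Handles only a ClientHello that fits in a single TLS record."""
    if len(record) < 5 or record[0] != 0x16:           # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:
        return None                                    # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXTENSION_TYPE:
            continue
        if len(edata) < 2:
            return None
        lpos, lend = 2, 2 + struct.unpack("!H", edata[:2])[0]
        while lpos + 3 <= lend:
            name_type = edata[lpos]
            name_len = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            name = edata[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii", "replace")
        return None
    return None


def filter_decision(record: bytes, blocked_hosts: Set[str]) -> str:
    """Policy outcome for one ClientHello: 'block' if the SNI host or any parent
    domain is on the list, 'allow' otherwise, 'no_sni' when there is nothing to
    decide on (the operator then needs one of the other mitigations)."""
    host = extract_sni(record)
    if host is None:
        return "no_sni"
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked_hosts:
            return "block"
    return "allow"


if __name__ == "__main__":
    blocked = {"blocked.example"}   # placeholder list, not a real blocklist
    for name in ("www.blocked.example", "news.example", None):
        print(name, filter_decision(build_client_hello(name), blocked))
```

The value is chosen by the client and is not authenticated: a client may omit the extension (the RFC says MAY), send a name that does not match the certificate the server later presents, or spread the ClientHello across several TLS records, which this single-record parser reports as no_sni. A filter keyed on SNI alone is therefore a best-effort signal, and the no_sni outcome should be handled by an explicit policy rather than silently allowed.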
Scope:
All TLS connections that include a server_name exten