Skip to main content

Minutes interim-2023-iab-28: Wed 14:00

Meeting Minutes Internet Architecture Board (iab) IETF
Date and time 2023-08-30 14:00
Title Minutes interim-2023-iab-28: Wed 14:00
State Active
Other versions plain text
Last updated 2023-09-13

Minutes of the 2023-08-30 IAB Technical Discussion

1. Administrivia 

1.1. Attendance 


  Roman Danyliw (IESG Liaison)
  Dhruv Dhody
  Liz Flynn (IETF Secretariat)
  Wes Hardaker 
  Cullen Jennings
  Mallory Knodel 
  Suresh Krishnan 
  Mirja Kühlewind (IAB Chair)
  Cindy Morgan (IAB Executive Administrative Manager)
  Karen O'Donoghue (ISOC Liaison)
  Tommy Pauly 
  Colin Perkins (IRTF Chair)Alvaro Retana 
  Qin Wu 
  Jiankang Yao 

  Lars Eggert (IETF Chair)
  David Schinazi
  Christopher Wood 
  Greg Wood (IETF Director of Communications and Operations)


  Samuele Kaplun
  Laurent Fasnacht


  Genevieve Bartlett
  Paul Wouters

1.2. Agenda bash and announcements 

2. Technical Discussion: Censorship 

  Samuele Kaplun presented a talk titled "Proton VPN." Proton VPN 
  sends Internet traffic through an encrypted VPN tunnel and keeps 
  browsing history private. It was created to protect the 
  journalists and activists who use Proton Mail. Proton VPN has  
  been documenting all significant spikes in usage through 
  geopolitical events like protests, contested elections, and 
  government crackdowns. 

  To bootstrap a Proton VPN client, a valid authenticated API 
  session must be instantiated, allowing to fetch information on 
  available VPN servers and valid certificates to connect to these 
  VPN servers. When is unreachable, Proton VPN 
  clients attempt to reach it through temporary rotating proxies 
  discovered on the fly through DOH requests to major DOH 
  providers. If this fails, clients are failing back to using 
  build-time based list of Proton VPN IPs, and connecting to them 
  using guest-credentials that authorizes the VPN connection to 
  reach the Proton API (and nothing more) thus allowing the 
  bootstrapping of the authenticated session. Traditional VPN 
  protocols are not censorship resistant and most deployments are 
  on the same list of ports, so censors without DPI capabilities 
  can still block them. They now have Wire Guard and OpenVPN 
  listening on many UDP and TCP ports, but this is not resistant 
  to DPI. They have introduced Stealth which is basically 
  WireGuard TCP wrapped in a TLS tunnel over port 443 using clever 
  fingerprint that mimics very common browsers’ signatures. Smart 
  Protocol implements an auto- discovery phase in order to select 
  the fastest protocol/port combination that is able to deliver a
  successful VPN connection sufficient to bypass VPN protocol 

  If DPI is not capable of recognizing traffic as VPN in a 
  scalable way, what could work is a statistical analysis of 
  overall network traffic within your country. If you see IPs 
  outside of your country having long-term obfuscated connections 
  by IPs within your country, that is screaming VPN. A Censor can 
  build a list of suspected IPs and start to probe them, e.g. for 
  open-ports, and for standard protocol answers. Currently they 
  distribute relay information via their API, i.e. IP addresses of 
  simple TLS proxies that clients would connect to and that would 
  automatically redirect traffic to and from a destination server. 
  Such relays have only TCP port 443 open and if probed, answer  
  with simple web- server setup in order to disguise their  
  presence. As of today this solution is not scalable because one 
  proxy server is able to forward traffic to one and only one VPN 
  server - relays are still recognizable through careful 
  statistical analysis. In the future they plan to extend them to 
  be able to forward to any arbitrary VPN server, and at the same 
  time extend clients to use multiple relays, to serve a single 
  VPN connection: that would break the statistical analysis 
  algorithm. Another expansion would be to further break the 
  statistics of the traffic by introducing randomization of dummy 

  Some challenges are that the business-case of censorship 
  circumvention is not very strong, because the people that need 
  this the most are not able to pay for the R&D. The technique 
  used must be cheaper to implement than it is for the Censor to 
  block it. The Censor is hiding among our users. And, the Censor 
  could also be part of censorship circumvention forums and 
  researchers, therefore it’s really difficult to openly talk 
  about technique in details.

  Cullen Jennings asked if there is anything the IETF could do to 
  make it easier to build VPNs for these purposes. Laurent 
  Fasnacht said that protocols designed to have strong privacy are 
  a good basis, and they don't want to have to fallback to 
  protocols that are less encrypted. 

  The IAB thanked Samuele Kaplun and Laurent Fasnacht for their 
  presentation. Mallory Knodel said that any other questions can 
  be routed through her. 

3. Next IAB Meeting

  The next IAB Business Meeting meeting will be in one week, on