[{"author": "Anthony Somerset", "text": "<p>slightly loud online</p>", "time": "2023-03-30T06:00:14Z"}, {"author": "Kirsty Paine", "text": "<p>Join me on minute taking: <a href=\"https://notes.ietf.org/notes-ietf-116-opsec\">https://notes.ietf.org/notes-ietf-116-opsec</a></p>", "time": "2023-03-30T06:08:31Z"}, {"author": "Warren Kumari", "text": "<p>@Anthony: Yup, but some people like being loud - e.g Randy and Jen. :-P</p>", "time": "2023-03-30T06:08:42Z"}, {"author": "Warren Kumari", "text": "<p>Oh, and me, but I do it by just being fabulous, instead of having to rely on a font choice...</p>", "time": "2023-03-30T06:09:18Z"}, {"author": "Jen Linkova", "text": "<p>It has been working for me so far, so..;))</p>", "time": "2023-03-30T06:09:20Z"}, {"author": "Warren Kumari", "text": "<p>Yup. People who cannot be as fabulous and modest as me (AKA, everyone) have to rely on other solutions... :-)</p>", "time": "2023-03-30T06:10:29Z"}, {"author": "Jen Linkova", "text": "<p>Fortunately there is Comic Sans to rescue</p>", "time": "2023-03-30T06:11:09Z"}, {"author": "Anthony Somerset", "text": "<p>i thought tunnelbroker shutdown?</p>", "time": "2023-03-30T06:13:13Z"}, {"author": "Anthony Somerset", "text": "<p>it seems not</p>", "time": "2023-03-30T06:13:47Z"}, {"author": "\u677e\u672c \u62d3\u4e5f", "text": "<p>Is there a firewall that work with dynamic block-list for IPv6?</p>", "time": "2023-03-30T06:32:19Z"}, {"author": "Mingxing Liu", "text": "<p>emmm, source address validation can support a dynamic block-list for source IPv6 or IPv4 address</p>", "time": "2023-03-30T06:34:28Z"}, {"author": "Anthony Somerset", "text": "<p>define \"dynamic\"</p>\n<p>i deploy netgate pfsense based FW's and it can support \"dynamically\" downloading lists for firewall rules which could be ipv6 addresses</p>", "time": "2023-03-30T06:34:32Z"}, {"author": "Daniel Gillmor", "text": "<p>+1 to Chris Wood's comment: we should absolutely be discouraging use of network addresses for these purposes</p>", "time": "2023-03-30T06:35:42Z"}, {"author": "Daniel Gillmor", "text": "<p>blocking IoT by IP address assumes that each device won't try to just use a different IP address</p>", "time": "2023-03-30T06:36:29Z"}, {"author": "\u677e\u672c \u62d3\u4e5f", "text": "<p>Thx for the info, I mean dynamic in Slide14 which update the ACL lifetime periodically. I'll check.</p>", "time": "2023-03-30T06:37:29Z"}, {"author": "Anthony Somerset", "text": "<p>well done!</p>", "time": "2023-03-30T06:41:39Z"}, {"author": "Anthony Somerset", "text": "<p>Meetecho need a cam move please :)</p>", "time": "2023-03-30T06:41:52Z"}, {"author": "Daniel Gillmor", "text": "<p>slide 6 of <span class=\"user-mention\" data-user-id=\"329\">@Andrew Campling</span> 's slides appears to suggest that use of SNI for filtering is mandatory in schools, but that is not the case.</p>", "time": "2023-03-30T06:51:35Z"}, {"author": "Anthony Somerset", "text": "<p>i've not been in the UK for quite some time but i vaguely recall that internet was largely provided by local authority and filtering done at the local authority level</p>\n<p>and last i recall it was fundamentally SSL proxy/transparent proxy based</p>", "time": "2023-03-30T06:52:26Z"}, {"author": "Daniel Gillmor", "text": "<p>even where filtering regimes are mandatory for schools, i'm unaware of any such regime that mandates the use of SNI</p>", "time": "2023-03-30T06:52:31Z"}, {"author": "Anthony Somerset", "text": "<p><span class=\"user-mention\" data-user-id=\"637\">@Daniel Gillmor</span>  they don't mandate SNI, they mandate that web content filtering takes place</p>", "time": "2023-03-30T06:53:01Z"}, {"author": "Anthony Somerset", "text": "<p>they don't mandate the technology</p>", "time": "2023-03-30T06:53:10Z"}, {"author": "Daniel Gillmor", "text": "<p>right, i'm objecting to the slide which seems to claim otherwise</p>", "time": "2023-03-30T06:53:19Z"}, {"author": "Anthony Somerset", "text": "<p>i posit that <a href=\"https://www.rfc-editor.org/rfc/rfc8914.html\">https://www.rfc-editor.org/rfc/rfc8914.html</a> with DNS based filtering is a more than adequate substitute for SNI based inspection in most cases</p>", "time": "2023-03-30T06:54:19Z"}, {"author": "Anthony Somerset", "text": "<p>also - SNI, does not handle the simple matter of URL filtering, only domains</p>", "time": "2023-03-30T06:57:18Z"}, {"author": "Daniel Gillmor", "text": "<p>so if there is nothing that is reliable, and your legal mandate for filtering demands reliable filtering, you are immediately in violation?</p>", "time": "2023-03-30T06:58:33Z"}, {"author": "Anthony Somerset", "text": "<p>the reality is that pretty much the only reliable means is deploying an agent on hosts and does MITM SSL proxy ultimately - i'm over-simplifying</p>", "time": "2023-03-30T07:00:01Z"}, {"author": "Jen Linkova", "text": "<p>[no hats] I think the question here: shall the message be \"ECH is scary because it doesn't allow you to use a  signal which is already unreliable anyway\"</p>", "time": "2023-03-30T07:00:01Z"}, {"author": "Dan Sexton", "text": "<p>SNI can be useful in triaging traffic to decide, in managed environments, which traffic to decrypt (for URL filtering).</p>", "time": "2023-03-30T07:00:55Z"}, {"author": "Anthony Somerset", "text": "<p>there is no use case that can only be done via SNI<br>\nits just that filtering vendors have made business decisions and assumptions of using SNI and are now crying because their  software breaks</p>", "time": "2023-03-30T07:03:05Z"}]