Internet Architecture Board (IAB)                              R. Barnes
Request for Comments: 7754                                     A. Cooper
Category: Informational                                       O. Kolkman
ISSN: 2070-1721                                                D. Thaler
                                                             E. Nordmark
                                                              March 2016

Technical Considerations for Internet Service Blocking and Filtering

Abstract

The Internet is structured to be an open communications medium. This openness is one of the key underpinnings of Internet innovation, but it can also allow communications that may be viewed as undesirable by certain parties. Thus, as the Internet has grown, so have mechanisms to limit the extent and impact of abusive or objectionable communications. Recently, there has been an increasing emphasis on "blocking" and "filtering", the active prevention of such communications. This document examines several technical approaches to Internet blocking and filtering in terms of their alignment with the overall Internet architecture. When it is possible to do so, the approach to blocking and filtering that is most coherent with the Internet architecture is to inform endpoints about potentially undesirable services, so that the communicants can avoid engaging in abusive or objectionable communications. We observe that certain filtering and blocking approaches can cause unintended consequences to third parties, and we discuss the limits of efficacy of various approaches.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Architecture Board (IAB) and represents information that the IAB has deemed valuable to provide for permanent record. It represents the consensus of the Internet Architecture Board (IAB). Documents approved for publication by the IAB are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7754.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

   1.  Introduction
   2.  Filtering Examples
   3.  Characteristics of Blocking Systems
     3.1.  The Party Who Sets Blocking Policies
     3.2.  Purposes of Blocking
       3.2.1.  Blacklist vs. Whitelist Model
     3.3.  Intended Targets of Blocking
     3.4.  Components Used for Blocking
   4.  Evaluation of Blocking Design Patterns
     4.1.  Criteria for Evaluation
       4.1.1.  Scope: What set of hosts and users are affected?
       4.1.2.  Granularity: How specific is the blocking?  Will blocking one
               service also block others?
       4.1.3.  Efficacy: How easy is it for a resource or service to avoid
               being blocked?
       4.1.4.  Security: How does the blocking impact existing trust
               infrastructures?
     4.2.  Network-Based Blocking
       4.2.1.  Scope
       4.2.2.  Granularity
       4.2.3.  Efficacy and Security
       4.2.4.  Summary
     4.3.  Rendezvous-Based Blocking
       4.3.1.  Scope
       4.3.2.  Granularity
       4.3.3.  Efficacy
       4.3.4.  Security and Other Implications
       4.3.5.  Examples
       4.3.6.  Summary
     4.4.  Endpoint-Based Blocking
       4.4.1.  Scope
       4.4.2.  Granularity
       4.4.3.  Efficacy
       4.4.4.  Security
       4.4.5.  Server Endpoints
       4.4.6.  Summary
   5.  Security Considerations
   6.  Conclusion
   7.  Informative References
   IAB Members at the Time of Approval
   Acknowledgments
   Authors' Addresses

1. Introduction

The original design goal of the Internet was to enable communications between hosts. As this goal was met and people started using the Internet to communicate, however, it became apparent that some hosts were engaging in communications that were viewed as undesirable by certain parties. The most famous early example of undesirable communications was the Morris worm [Morris], which used the Internet to infect many hosts in 1988. As the Internet has evolved into a rich communications medium, so too have mechanisms to restrict communications viewed as undesirable, ranging from acceptable use policies enforced through informal channels to technical blocking mechanisms.

Efforts to restrict or deny access to Internet resources and services have evolved over time. As noted in [RFC4084], some Internet service providers perform filtering to restrict which applications their customers may use and which traffic they allow on their networks. These restrictions are often imposed with customer consent, where customers may be enterprises or individuals. However, governments, service providers, and enterprises are increasingly seeking to block or filter access to certain content, traffic, or services without the knowledge or agreement of affected users. Where these organizations do not directly control networks themselves, they commonly aim to make use of intermediary systems to implement the blocking or filtering.

While blocking and filtering remain highly contentious in many cases, the desire to restrict communications or access to content will likely continue to exist.

The difference between "blocking" and "filtering" is a matter of scale and perspective. "Blocking" often refers to preventing access to resources in the aggregate, while "filtering" refers to preventing access to specific resources within an aggregate. Both blocking and filtering can be implemented at the level of "services" (web hosting or video streaming, for example) or at the level of particular "content." For the analysis presented in this document, the distinction between blocking and filtering does not create meaningfully different conclusions. Hence, in the remainder of this document, we will treat the terms as being generally equivalent and applicable to restrictions on both content and services.

This document aims to clarify the technical implications and trade-offs of various blocking strategies and to identify the potential for different strategies to cause harmful side effects ("collateral damage") for Internet users and the overall Internet architecture. This analysis is limited to technical blocking mechanisms. The scope of the analyzed blocking is limited to intentional blocking, not accidental blocking due to misconfiguration or as an unintentional side effect of something else.

Filtering may be considered legal, illegal, ethical, or unethical in different places, at different times, and by different parties. This document is intended for those who are conducting filtering or are considering conducting filtering and want to understand the implications of their decisions with respect to the Internet architecture and the trade-offs that come with each type of filtering strategy. This document does not present formulas on how to make those trade-offs; it is likely that filtering decisions require knowledge of context-specific details. Whether particular forms of filtering are lawful in particular jurisdictions raises complicated legal questions that are outside the scope of this document. For similar reasons, questions about the ethics of particular forms of filtering are also out of scope.

2. Filtering Examples

Blocking systems have evolved alongside the Internet technologies they seek to restrict. Looking back at the history of the Internet, there have been several such systems deployed by different parties and for different purposes.

Firewalls: Firewalls of various sorts are very commonly employed at many points in today's Internet [RFC2979]. They can be deployed either on end hosts (under user or administrator control) or in the network, typically at network boundaries. While the Internet Security Glossary [RFC4949] contains an extended definition of a firewall, informally, most people would tend to think of a firewall as simply "something that blocks unwanted traffic" (see [RFC4948] for a discussion on many types of unwanted traffic). While there are many sorts of firewalls, there are several specific types of firewall functionality worth noting.

o Stateless Packet Filtering: Stateless packet filters block according to content-neutral rules, e.g., blocking all inbound connections or outbound connections on certain ports, protocols, or network-layer addresses. For example, blocking outbound connections to port 25.

o Stateful Packet Filtering: More advanced configurations require keeping state used to enforce flow-based policies, e.g., blocking inbound traffic for flows that have not been established.

o Deep Packet Inspection: Yet more advanced configurations perform deep packet inspection and filter or block based on the content carried. Many firewalls include web filtering capabilities (see below).

Web Filtering: HTTP and HTTPS are common targets for blocking and filtering, typically targeted at specific URIs. Some enterprises use HTTP blocking to block non-work-appropriate web sites, and several nations require HTTP and HTTPS filtering by their ISPs in order to block content deemed illegal. HTTPS is a challenge for these systems, because the URI in an HTTPS request is carried inside the encrypted channel. To block access to content made accessible via HTTPS, filtering systems thus must either block based on network- and transport-layer headers (IP address and/or port), or else obtain a trust anchor certificate that is trusted by endpoints (and thus act as a man in the middle). These filtering systems often take the form of "portals" or "enterprise proxies" presenting their own, dynamically generated HTTPS certificates. (See further discussion in Section 5.)

Spam Filtering: Spam filtering is one of the oldest forms of content filtering. Spam filters evaluate messages based on a variety of criteria and information sources to decide whether a given message is spam. For example, DNS Blacklists (DNSBLs) publish listings in the DNS: the filter looks up the sending IP address, encoded in reversed form beneath the list's zone, and a positive answer flags that address as a known spam source [RFC5782]. Spam filters can be installed on user devices (e.g., in a mail client), operated by a mail domain on behalf of users, or outsourced to a third party that acts as an intermediate MX proxy.
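
As an added illustration of the DNSBL lookup just described (example code written for this page, not part of RFC 5782 or of any list operator's software): the block builds the query name RFC 5782 specifies, reversed IPv4 octets or reversed IPv6 nibbles beneath the list's zone, and checks the answer against a constructed stand-in for a list zone held in a dictionary so that it runs offline. The zone name `dnsbl.example`, its contents, and the helper names are assumptions; the 127.0.0.2 and 127.0.0.1 test entries are the ones RFC 5782 Section 5 requires, and the IPv6 address is the one RFC 5782 uses in its own example.

```python
import ipaddress

# Constructed stand-in for a DNSBL zone (assumption: "dnsbl.example" is the
# list's zone). Maps a query name to the A records the list would return.
# RFC 5782 Section 5 requires 127.0.0.2 to be listed and 127.0.0.1 not to be,
# so clients can confirm the list is operational; both cases are modelled.
CONSTRUCTED_ZONE = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    # Constructed listing: an IPv4 address listed under two return codes.
    "1.2.0.192.dnsbl.example": ["127.0.0.2", "127.0.0.4"],
    # The IPv6 example address from RFC 5782, as reversed nibbles.
    "b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.dnsbl.example": ["127.0.0.2"],
}

# Only answers in 127.0.0.0/8 are list return codes (RFC 5782 Section 2.1).
RETURN_CODE_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(address, zone):
    """Build the RFC 5782 query name: IPv4 octets in reverse order, or the 32
    hex nibbles of an IPv6 address in reverse order, beneath the list zone."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def list_codes(address, zone, resolver=CONSTRUCTED_ZONE):
    """Return the list's return codes for an address ([] if not listed).
    Answers outside 127.0.0.0/8 are ignored: they indicate a misconfigured or
    wildcarded zone, not a listing."""
    answers = resolver.get(dnsbl_query_name(address, zone), [])
    return [a for a in answers if ipaddress.ip_address(a) in RETURN_CODE_RANGE]


def list_is_operational(zone, resolver=CONSTRUCTED_ZONE):
    """RFC 5782 Section 5 test entries: 127.0.0.2 listed, 127.0.0.1 unlisted.
    A list that fails this check must not be used to reject mail, since a
    dead or wildcarded zone would otherwise block everything or nothing."""
    return bool(list_codes("127.0.0.2", zone, resolver)) and not list_codes("127.0.0.1", zone, resolver)


def mta_decision(client_ip, zone="dnsbl.example", resolver=CONSTRUCTED_ZONE):
    """What a receiving mail server does with a connecting client's address."""
    if not list_is_operational(zone, resolver):
        return "accept:list-unavailable"
    codes = list_codes(client_ip, zone, resolver)
    return "reject:" + ",".join(codes) if codes else "accept"


if __name__ == "__main__":
    for addr in ("192.0.2.1", "198.51.100.7", "2001:db8:1:2:3:4:567:89ab"):
        print(addr, "->", dnsbl_query_name(addr, "dnsbl.example"), mta_decision(addr))
```

In a real deployment the dictionary lookup is replaced by an ordinary A query through the mail server's resolver; the query-name construction and the operational check are the parts that carry over unchanged.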

Domain Name Seizure: A number of approaches are used to block or modify resolution of a domain name. One approach is to make use of ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP) for the purposes of dealing with fraudulent use of a name. Other authorities may require that domains be blocked within their jurisdictions. Substantial research has been performed on the value and efficacy of such seizures [Takedown08] [BlackLists14].

The precise method of how domain names are seized will vary from place to place. One approach in use is for queries to be redirected to resolve to IP addresses of the authority that hosts information about the seizure. The effectiveness of domain seizures will similarly vary based on the method. In some cases, the person whose name was seized will simply use a new name. In other cases, the block may only be effective within a region or when specific name service infrastructure is used.

Seizures can also have overbroad effects, since access to content is blocked not only within the jurisdiction of the seizure, but globally, even when it may be affirmatively legal elsewhere [RojaDirecta]. When domain redirection is effected via redirections at intermediate resolvers rather than at authoritative servers, it directly contradicts end-to-end assumptions in the DNS security architecture [RFC4033], potentially causing validation failures by validating end-nodes.

Safe Browsing: Modern web browsers provide some measures to prevent users from accessing malicious web sites. For instance, before loading a URI, current versions of Google Chrome and Firefox use the Google Safe Browsing service to determine whether or not a given URI is safe to load [SafeBrowsing]. The DNS can also be used to publish third-party information that marks domains as safe or unsafe [RFC5782].

Manipulation of routing and addressing data: Governments have recently intervened in the management of IP addressing and routing information in order to maintain control over a specific set of DNS servers. As part of an internationally coordinated response to the DNSChanger malware, a Dutch court ordered the RIPE NCC to freeze the accounts of several resource holders as a means to limit the resource holders' ability to use certain address blocks [GhostClickRIPE] (also see Section 4.3). These actions have led to concerns that the number resource certification system and related secure routing technologies developed by the IETF's SIDR working group might be subject to government manipulation as well [RFC6480], potentially for the purpose of denying targeted networks access to the Internet.

Ingress filtering: Network service providers use ingress filtering [RFC2827] [RFC3704] to drop packets whose source address could not legitimately have originated behind the interface on which they arrive, thereby preventing the source address spoofing that is used as a component of other attacks.
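
As an added example written for this page (not code from any firewall product, nor from RFC 2827 or RFC 3704), the following models the stateless and stateful packet filtering described under "Firewalls" earlier in this section together with the ingress filter described here, and runs them over a constructed packet trace: a content-neutral rule that drops outbound port 25, a flow table that admits inbound packets only for flows the inside initiated, and an RFC 2827 source-address check on the customer-facing interface. The prefix 192.0.2.0/24 as the customer's assigned address space, the trace itself, and all names are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out": leaving the protected network; "in": entering it
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Assumption: address space assigned to the protected (customer) side.
INSIDE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Stateless, content-neutral deny rules: (direction, proto, destination port).
# The single rule here is the one the section mentions: no outbound SMTP.
STATELESS_DENY = {("out", "tcp", 25)}


def ingress_permitted(pkt):
    """RFC 2827/3704 check on the customer-facing interface: traffic leaving
    the customer network must carry a source address from the prefixes
    assigned to it; any other source is spoofed and is dropped before routing."""
    if pkt.direction != "out":
        return True
    return any(ipaddress.ip_address(pkt.src) in p for p in INSIDE_PREFIXES)


def stateless_permitted(pkt):
    """Stateless packet filtering: each packet is judged on its own headers."""
    return (pkt.direction, pkt.proto, pkt.dport) not in STATELESS_DENY


class StatefulFilter:
    """Stateful packet filtering: remember flows the inside initiated and
    admit inbound packets only when they belong to one of those flows."""

    def __init__(self):
        self.flows = set()

    def permitted(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 5-tuple must already be in the flow table.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


class Firewall:
    def __init__(self):
        self.state = StatefulFilter()

    def decide(self, pkt):
        # Order matters: a packet denied by a stateless rule never creates
        # flow state, so a reply to it cannot be let in later.
        if not ingress_permitted(pkt):
            return "drop:spoofed-source"
        if not stateless_permitted(pkt):
            return "drop:stateless-rule"
        if not self.state.permitted(pkt):
            return "drop:no-established-flow"
        return "accept"


# Constructed trace using documentation addresses only.
TRACE = [
    Packet("out", "tcp", "192.0.2.10", 40000, "203.0.113.5", 443),    # inside opens HTTPS
    Packet("in", "tcp", "203.0.113.5", 443, "192.0.2.10", 40000),     # reply on that flow
    Packet("in", "tcp", "203.0.113.9", 12345, "192.0.2.10", 22),      # unsolicited SSH probe
    Packet("out", "tcp", "192.0.2.10", 40001, "203.0.113.25", 25),    # outbound SMTP
    Packet("out", "tcp", "198.51.100.1", 40002, "203.0.113.5", 443),  # spoofed source
]


def run_trace(trace=TRACE):
    fw = Firewall()
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace()):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The three checks are deliberately content-neutral: none of them looks past the IP and transport headers, which is what distinguishes them from the deep packet inspection and web filtering cases that follow.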

Data loss prevention (DLP): Enterprise and other networks are concerned with potential leaking of confidential information, whether accidental or intentional. Some of the tools used for this are similar to the main subject of this document of blocking and filtering. In particular, enterprise proxies might be part of a DLP solution.

3. Characteristics of Blocking Systems

At a generic level, blocking systems can be characterized by four attributes: the party who sets the blocking policy, the purpose of the blocking, the intended target of the blocking, and the Internet component(s) used as the basis of the blocking system.

3.1. The Party Who Sets Blocking Policies

Parties that institute blocking policies include governments, courts, enterprises, network operators, reputation trackers, application providers, and individual end users. A government might create laws based on cultural norms and/or their elected mandate. Enterprises might use cultural, industry, or legal norms to guide their policies.

There can be several steps of translation and transformation from the original intended purpose -- first to laws, then to (government) regulation, followed by high-level policies in, e.g., network operators, and from those policies to filtering architecture and implementation. Each of those steps is a potential source of unintended consequences as discussed in this document.

In some cases, the policy setting entity is the same as the entity that enforces the policy. For example, a network operator might install a firewall in its own networking equipment, or a web application provider might block responses between its web server and certain clients.

In other cases, the policy setting entity is different from the entity that enforces the policy. Such policy might be imposed upon the enforcing entity, such as in the case of blocking initiated by governments, or the enforcing entity might explicitly choose to use policy set by others, such as in the case of a reputation system used by a spam filter or safe browsing service. Because a policy might be enforced by others, it is best if it can be expressed in a form that is independent of the enforcing technology.

3.2. Purposes of Blocking

There are a variety of motivations to filter:

o Preventing or responding to security threats. Network operators, enterprises, application providers, and end users often block communications that are believed to be associated with security threats or network attacks.

o Restricting objectionable content or services. Certain communications may be viewed as undesirable, harmful, or illegal by particular governments, enterprises, or users. Governments may seek to block communications that are deemed to be defamation, hate speech, obscenity, intellectual property infringement, or otherwise objectionable. Enterprises may seek to restrict employees from accessing content that is not deemed to be work appropriate. Parents may restrict their children from accessing content or services targeted for adults.

o Restricting access based on business arrangements. Some networks are designed so as to only provide access to certain content or services ("walled gardens"), or to only provide limited access until end users pay for full Internet services (captive portals provided by hotspot operators, for example).

3.2.1. Blacklist vs. Whitelist Model

Note that the purpose for which blocking occurs often dictates whether the blocking system operates on a blacklist model, where communications are allowed by default but a subset are blocked, or a whitelist model, where communications are blocked by default with only a subset allowed. Captive portals, walled gardens, and sandboxes used for security or network endpoint assessment usually require a whitelist model since the scope of communications allowed is narrow. Blocking for other purposes often uses a blacklist model since only individual content or traffic is intended to be blocked.

3.3. Intended Targets of Blocking

Blocking systems are instituted so as to target particular content, services, endpoints, or some combination of these. For example, a "content" filtering system used by an enterprise might block access to specific URIs whose content is deemed by the enterprise to be inappropriate for the workplace. This is distinct from a "service" filtering system that blocks all web traffic (perhaps as part of a parental control system on an end-user device) and also distinct from an "endpoint" filtering system in which a web application blocks traffic from specific endpoints that are suspected of malicious activity.

As discussed in Section 4, the design of a blocking system may affect content, services, or endpoints other than those that are the intended targets. For example, when domain name seizures described above are intended to address specific web pages associated with illegal activity, by removing the domains from use, they affect all services made available by the hosts associated with those names, including mail services and web services that may be unrelated to the illegal activity. Depending on where the block is imposed within the DNS hierarchy, entirely unrelated organizations may be impacted.

3.4. Components Used for Blocking

Broadly speaking, the process of delivering an Internet service involves three different components:

1. Endpoints: The actual content of the service is typically an application-layer protocol between two or more Internet hosts. In many protocols, there are two endpoints, a client and a server.

2. Network services: The endpoints communicate by way of a collection of IP networks that use routing protocols to determine how to deliver packets between the endpoints.

3. Rendezvous services: Service endpoints are typically identified by identifiers that are more "human-friendly" than IP addresses. Rendezvous services allow one endpoint to figure out how to contact another endpoint based on an identifier. An example of a rendezvous service is the domain name system. Distributed Hash Tables (DHTs) have also been used as rendezvous services.

Consider, for example, an HTTP transaction fetching the content of the URI <http://example.com/index.html>. The client endpoint is an end host running a browser. The client uses the DNS as a rendezvous service when it performs an AAAA (or A) query to obtain the IP address for the server name "example.com". The client then establishes a connection to the server, and sends the actual HTTP request. The server endpoint then responds to the HTTP request.

As another example, in the SIP protocol, the two endpoints communicating are IP phones, and the rendezvous service is provided by an application-layer SIP proxy as well as the DNS.

Blocking access to Internet content, services, or endpoints is done by controlling one or more of the components that take part in the communications through which that content, service, or endpoint is reached. In the HTTP example above, the successful completion of the HTTP request could have been prevented in several ways:

o [Endpoint] Preventing the client from making the request

o [Endpoint] Preventing the server from responding to the request

o [Endpoint] Preventing the client from making the DNS request needed to resolve example.com

o [Network] Preventing the request from reaching the server

o [Network] Preventing the response from reaching the client

o [Network] Preventing the client from reaching the DNS servers

o [Network] Preventing the DNS responses from reaching the client

o [Rendezvous] Preventing the DNS servers from providing the client the correct IP address of the server

Those who desire to block communications will typically have access to only one or two components; therefore their choices for how to perform blocking will be limited. End users and application providers can usually only control their own software and hardware, which means that they are limited to endpoint-based filtering. Some network operators offer filtering services that their customers can activate individually, in which case end users might have network-based filtering systems available to them. Network operators can control their own networks and the rendezvous services for which they provide infrastructure support (e.g., DNS resolvers) or to which they may have access (e.g., SIP proxies), but not usually endpoints. Enterprises usually have access to their own networks and endpoints for filtering purposes. Governments might make arrangements with the operators or owners of any of the three components that exist within their jurisdictions to perform filtering.

In the next section, blocking systems designed according to each of the three patterns -- network services, rendezvous services, and endpoints -- are evaluated for their technical and architectural implications. The analysis is as agnostic as possible as to who sets the blocking policy (government, end user, network operator, application provider, or enterprise), but in some cases the way in which a particular blocking design pattern is used might differ, depending on who desires a block. For example, a network-based firewall provided by an ISP that parents can elect to use for parental control purposes will likely function differently from one that all ISPs in a particular jurisdiction are required to use by the local government, even though in both cases the same component (network) forms the basis of the blocking system.

4. Evaluation of Blocking Design Patterns
4.1. Criteria for Evaluation

To evaluate the technical implications of each of the blocking design patterns, we compare them based on four criteria: scope, granularity, efficacy, and security.

4.1.1. Scope: What set of hosts and users are affected?

The Internet is comprised of many distinct autonomous networks and applications, which means that the impact of a blocking system will only be within a defined topological scope. For example, blocking within an access network will only affect a well-defined set of users (namely, those connected to the access network). Blocking performed by an application provider can affect users across the entire Internet.

Blocking systems are generally viewed as less objectionable if the scope of their impact is as narrow as possible while still being effective, and as long as the impact of the blocking is within the administrative realm of the policy-setting entity. As mentioned previously, enterprise blocking systems are commonly deployed, and will generally have impact only on enterprise users. However, design flaws in blocking systems may cause the effects of blocking to be overbroad. For example, at least one service provider blocking content in accordance with a regulation has ended up blocking content for downstream service providers because it filtered routes to particular systems and did not distribute the original information to downstream service providers in other jurisdictions [IN-OM-filtering]. Other service providers have accidentally leaked such black hole routes beyond their jurisdiction [NW08]. A substantial amount of work has gone into BGP security to prevent such leaks and related attacks, but deployment of such systems lags.

4.1.2. Granularity: How specific is the blocking? Will blocking one service also block others?

Internet applications are built out of a collection of loosely coupled components or "layers". Different layers serve different purposes and rely on or offer different functions such as routing, transport, and naming (see [RFC1122], especially Section 1.1.3). The functions at these layers are developed autonomously and almost always operated by different parties. For example, in many networks, physical and link-layer connectivity is provided by an "access provider", IP routing is performed by an "Internet service provider," and application-layer services are provided by completely separate entities (e.g., web servers). Upper-layer protocols and applications rely on combinations of lower-layer functions in order to work. Functionality at higher layers tends to be more specialized, so that many different specialized applications can make use of the same generic underlying network functions.

As a result of this structure, actions taken at one layer can affect functionality or applications at other layers. For example, manipulating routing or naming functions to restrict access to a narrow set of resources via specific applications will likely affect all applications that depend on those functions. As with the scope criteria, blocking systems are generally viewed as less objectionable when they are highly granular and do not cause collateral damage to content or services unrelated to the target of the blocking [RFC4924].

Even within the application layer, the granularity of blocking can vary depending on how targeted the blocking system is designed to be. Blocking all traffic associated with a particular application protocol is less granular than blocking only traffic associated with a subset of application instances that make use of that protocol. Sophisticated heuristics that make use of information about the application protocol, lower-layer protocols, payload signatures, source and destination addresses, inter-packet timing, packet sizes, and other characteristics are sometimes used to narrow the subset of traffic to be blocked.

4.1.3. Efficacy: How easy is it for a resource or service to avoid being blocked?

Although blocking a resource or service might have some immediate effect, efficacy must be evaluated in terms of whether it is easy to circumvent. Applying a policy once is often unlikely to have lasting efficacy (e.g., see [CleanFeed] and [BlackLists14]). Experience has shown that, in general, blacklisting requires continual maintenance of the blacklist itself, both to add new entries for unwanted traffic and to delete entries when offending content is removed. Experience also shows that, depending on the nature of the block, it may be difficult to determine when to unblock. For instance, if a host is blocked because it has been compromised and used as a source of attack, it may not be plainly evident when that host has been cleaned up.

For blacklist-style blocking, the distributed and mobile nature of Internet resources limits the effectiveness of blocking actions. A service that is blocked in one jurisdiction can often be moved or re-instantiated in another jurisdiction (see, for example, [Malicious-Resolution]). Likewise, services that rely on blocked resources can often be rapidly reconfigured to use non-blocked resources. If a web site is prevented from using a domain name or set of IP addresses, the content can simply be moved to another domain name or network, or use alternate syntaxes to express the same resource name (see the discussion of false negatives in [RFC6943]).

In a process known as "snowshoe spamming," a spam originator uses addresses in many different networks as sources for spam. This technique is already widely used to spread spam generation across a variety of resources and jurisdictions to prevent spam blocking from being effective.

In the presence of either blacklist or whitelist systems, there are several ways in which a user or application can try to circumvent the filters.

The users may choose to use different sets of protocols or otherwise alter their traffic characteristics to circumvent the filters. In some cases, applications may shift their traffic to port 80 or 443 when other ports are blocked. Or, services may be tunneled within other services, proxied by a collaborating external host (e.g., an anonymous redirector), or simply run over an alternate port (e.g., port 8080 instead of port 80 for HTTP). Another means of circumvention is alteration of the service behavior to use a dynamic port negotiation phase, in order to avoid use of a fixed port number.

One of the primary motivations for arguing that HTTP/2 should be encrypted by default was that unencrypted HTTP/1.1 traffic was sometimes blocked or improperly processed. Users or applications shifting their traffic to encrypted HTTP has the effect of circumventing filters that depend on the HTTP plaintext payload.

If voice communication based on SIP [RFC3261] is blocked, users are likely to use applications which use proprietary protocols that allow them to talk to each other.

Some filtering systems are only capable of identifying IPv4 traffic and therefore, by shifting to IPv6, users may be able to evade filtering. Using IPv6 with header options, using multiple layers of tunnels, or using encrypted tunnels can also make it more challenging for blocking systems to find transport ports within packets, making port-based blocking more difficult. Thus, distribution and mobility can hamper efforts to block communications in a number of ways.

4.1.4. Security: How does the blocking impact existing trust infrastructures?

Modern security mechanisms rely on trusted hosts communicating via a secure channel without intermediary interference. Protocols such as Transport Layer Security (TLS) [RFC5246] and IPsec [RFC4301] are designed to ensure that each endpoint of the communication knows the identity of the other endpoint(s) and that only the endpoints of the communication can access the secured contents of the communication. For example, when a user connects to a bank's web site, TLS ensures that the user's banking information is securely communicated to the bank and nobody else, ensuring the data remains confidential while in transit.

Some blocking strategies require intermediaries to insert themselves within the end-to-end communications path, potentially breaking security properties of Internet protocols [RFC4924]. In these cases, it can be difficult or impossible for endpoints to distinguish between attackers and "authorized" parties conducting blocking. For example, an enterprise firewall administrator could gain access to users' personal bank accounts when users on the enterprise network connect to bank web sites.

Finally, one needs to evaluate whether a blocking mechanism can be used by an end user to efficiently locate blocked resources that can then be accessed via other mechanisms that circumvent the blocking mechanism. For example, Clayton [CleanFeed] showed how special treatment in one blocking system could be detected by end users in order to efficiently locate illegal web sites, which was thus counterproductive to the policy objective of the blocking mechanism.

4.2. Network-Based Blocking

Being able to block access to resources without the consent or cooperation of either endpoint is viewed as a desirable feature by some that deploy blocking systems. Systems that have this property are often implemented using intermediary devices in the network, such as firewalls or filtering systems. These systems inspect traffic as it passes through the network, decide based on the characteristics or content of a given communication whether it should be blocked, and then block or allow the communication as desired. For example, web filtering devices usually inspect HTTP requests to determine the URI being requested, compare that URI to a list of blacklisted or whitelisted URIs, and allow the request to proceed only if it is permitted by policy. Firewalls perform a similar function for other classes of traffic in addition to HTTP. Some blocking systems focus on specific application-layer traffic, while others, such as router Access Control Lists (ACLs), filter traffic based on lower-layer criteria (transport protocol and source or destination addresses or ports).

Intermediary systems used for blocking are often not far from the edge of the network. For example, many enterprise networks operate firewalls that block certain web sites, as do some residential ISPs. In some cases, this filtering is done with the consent or cooperation of the affected endpoints. PCs within an enterprise, for example, might be configured to trust an enterprise proxy, a residential ISP might offer a "safe browsing" service, or mail clients might authorize mail servers on the local network to filter spam on their behalf. These cases share some of the properties of the "Endpoint-Based Blocking" scenarios discussed in Section 4.4 below, since the endpoint has made an informed decision to authorize the intermediary to block on its behalf and is therefore unlikely to attempt to circumvent the blocking. From an architectural perspective, however, they may create many of the same problems as network-based filtering conducted without consent.

4.2.1. Scope

In the case of government-initiated blocking, network operators subject to a specific jurisdiction may be required to block or filter. Thus, it is possible for laws to be structured to result in blocking by imposing obligations on the operators of networks within a jurisdiction, either via direct government action or by allowing private actors to demand blocking (e.g., through lawsuits).

Regardless of who is responsible for a blocking policy, enforcement can be done using Stateless Packet Filtering, Stateful Packet Filtering, or Deep Packet Inspection as defined in Section 2. While network-based Stateless Packet Filtering has granularity issues discussed in Section 4.2.2, network-based Stateful Packet Filtering and Deep Packet Inspection approaches often run into several technical issues that limit their viability in practice. For example, many issues arise from the fact that an intermediary needs to have access to a sufficient amount of traffic to make its blocking determinations.

For residential or consumer networks with many egress points, the first step to obtaining this traffic is simply gaining access to the constituent packets. The Internet is designed to deliver packets independently from source to destination -- not to any particular point along the way. Thus, the sequence of packets from the sender can only be reliably reconstructed at the intended receiver. In addition, inter-network routing is often asymmetric, and for sufficiently complex local networks, intra-network traffic flows can be asymmetric as well [asymmetry]. Thus, packets in the reverse direction may use a different set of paths than those in the forward direction.

This asymmetry means that an intermediary in a network with many egress points may, depending on topology and configuration, see only one half of a given communication, which may limit the scope of the communications that it can filter. For example, a filter aimed at requests destined for particular URIs cannot make accurate blocking decisions based on the URI if it is only in the data path for HTTP responses and not requests, since the URI is not included in the responses. Asymmetry may be surmountable given a filtering system with enough distributed, interconnected filtering nodes that can coordinate information about flows belonging to the same communication or transaction, but depending on the size of the network this may imply significant complexity in the filtering system. Routing can sometimes be forced to be symmetric within a given network using routing configuration, NAT, or Layer 2 mechanisms (e.g., MPLS), but these mechanisms are frequently brittle, complex, and costly -- and can sometimes result in reduced network performance relative to asymmetric routing. Enterprise networks may also be less susceptible to these problems if they route all traffic through a small number of egress points.

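An added example (written for this page, not part of RFC 7754) of the vantage-point problem just described: a URI filter that sees only the server-to-client half of an HTTP exchange has nothing to match on, and becomes able to decide only when a second node on the forward path reports the request half of the same connection. The node names, addresses, the blocked URI and the HTTP payloads below are all constructed.

```python
"""Added example (not from RFC 7754): a URI filter split across an
asymmetric path.

Two constructed vantage points: node "A" sees only client->server
packets, node "B" sees only server->client packets. Each reports the TCP
payload it observed, keyed by the flow's addresses and ports, to a
correlator that can decide only once the request half (the only half
that carries the URI) has been reported.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]

# Assumed policy: (host, request-target) pairs to block.
BLOCKED_URIS = {("bad.example", "/illegal/page.html")}


def flow_key(src: Endpoint, dst: Endpoint) -> FlowKey:
    """Direction-independent key so both halves of one TCP connection collide."""
    a, b = sorted((src, dst))
    return (a, b)


def extract_request_target(payload: bytes) -> Optional[Tuple[str, str]]:
    """(host, target) from an HTTP/1.x request; None for responses or non-HTTP."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    # A status line such as "HTTP/1.1 200 OK" fails the version check here.
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().rsplit(":", 1)[0].lower()  # drop ":port"
    return (host, parts[1]) if host else None


@dataclass
class FlowState:
    target: Optional[Tuple[str, str]] = None
    nodes: Set[str] = field(default_factory=set)


class Correlator:
    """Collects per-connection observations from one or more filtering nodes."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowState] = {}

    def observe(self, node: str, src: Endpoint, dst: Endpoint, payload: bytes) -> str:
        key = flow_key(src, dst)
        state = self.flows.setdefault(key, FlowState())
        state.nodes.add(node)
        target = extract_request_target(payload)
        if target is not None:
            state.target = target
        return self.decide(key)

    def decide(self, key: FlowKey) -> str:
        state = self.flows[key]
        if state.target is None:
            return "undecidable"  # only the response half has been seen so far
        return "block" if state.target in BLOCKED_URIS else "allow"


# Constructed endpoints and payloads.
CLIENT: Endpoint = ("192.0.2.50", 51515)
CLIENT2: Endpoint = ("192.0.2.51", 40000)
SERVER: Endpoint = ("203.0.113.10", 80)
REQUEST = b"GET /illegal/page.html HTTP/1.1\r\nHost: bad.example\r\n\r\n"
REQUEST_OK = b"GET /about.html HTTP/1.1\r\nHost: bad.example:80\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"


def run_scenario() -> Dict[str, List[str]]:
    """Response-only vantage point versus two coordinated vantage points."""
    lone = Correlator()  # node B alone, on the return path
    lone_decisions = [lone.observe("B", SERVER, CLIENT, RESPONSE)]

    shared = Correlator()  # A and B feeding one correlator; reports may arrive in any order
    shared_decisions = [
        shared.observe("B", SERVER, CLIENT, RESPONSE),   # response half reported first
        shared.observe("A", CLIENT, SERVER, REQUEST),    # request half completes the picture
        shared.observe("A", CLIENT2, SERVER, REQUEST_OK),  # unrelated page on the same name
    ]
    return {"response_only": lone_decisions, "coordinated": shared_decisions}


if __name__ == "__main__":
    print(run_scenario())
```

The response-only node can never move past "undecidable" for this policy, because nothing in the response identifies the URI; the coordinated pair reaches "block" only after the forward-path report arrives, which is the coordination cost the paragraph above refers to.
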
4.2.2. Granularity

Once an intermediary in a network has access to traffic, it must identify which packets must be filtered. This decision is usually based on some combination of information at the network layer (e.g., IP addresses), transport layer (ports), or application layer (URIs or other content). Deep Packet Inspection type blocking based on application-layer attributes can be potentially more granular and less likely to cause collateral damage than blocking all traffic associated with a particular address, which can impact unrelated occupants of the same address. However, more narrowly focused targeting may be more complex, less efficient, or easier to circumvent than filtering that sweeps more broadly, and those who seek to block must balance these attributes against each other when choosing a blocking system.
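
As an added illustration of the granularity trade-off discussed in Sections 4.1.2 and 4.2.2 (example code written for this page, not part of RFC 7754), the Python below applies one intended block at three granularities to constructed flow records. The address 203.0.113.10, the names bad.example, school.example and shop.example, and the target path are assumptions. The second flow expresses the same resource with an alternate path syntax, the false-negative case Section 4.1.3 raises with [RFC6943], so the report also counts the targets a policy misses.

```python
"""Added example (not from RFC 7754): one block policy at three granularities.

Constructed flow records stand in for traffic seen by a filtering
intermediary. Several names share the address 203.0.113.10 (shared
hosting, assumed); only one URI on one of those names is the target.
"""
import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    host: str  # HTTP Host header as seen by DPI; "" when not visible
    path: str  # request-target path; "" when not visible


TARGET_IP = "203.0.113.10"  # assumption: where bad.example resolves
TARGET_HOST = "bad.example"
TARGET_PATH = "/illegal/page.html"


def is_target(f: Flow) -> bool:
    """Ground truth: the resource itself, whatever syntax names it (RFC 6943)."""
    return f.host == TARGET_HOST and posixpath.normpath(f.path) == TARGET_PATH


# Three enforcement policies that each intend to block the same resource.
def block_by_address(f: Flow) -> bool:
    return f.dst_ip == TARGET_IP


def block_by_address_and_port(f: Flow) -> bool:
    return f.dst_ip == TARGET_IP and f.dst_port == 80


def block_by_uri(f: Flow) -> bool:
    # DPI on the plaintext request: exact Host + path match, no normalisation.
    return f.host == TARGET_HOST and f.path == TARGET_PATH


# Constructed sample traffic.
FLOWS: List[Flow] = [
    Flow(TARGET_IP, 80, "bad.example", "/illegal/page.html"),   # the target
    Flow(TARGET_IP, 80, "bad.example", "/illegal//page.html"),  # same resource, alternate syntax
    Flow(TARGET_IP, 80, "bad.example", "/about.html"),          # same name, other page
    Flow(TARGET_IP, 80, "school.example", "/homework"),         # unrelated site on the shared host
    Flow(TARGET_IP, 443, "shop.example", ""),                   # TLS to the same host; no URI visible
    Flow(TARGET_IP, 25, "", ""),                                # mail server on the same address
    Flow("198.51.100.7", 80, "news.example", "/"),              # unrelated address
]


def evaluate(policy: Callable[[Flow], bool], flows: Iterable[Flow]) -> Dict[str, int]:
    """Count what a policy blocks, split into intended hits, collateral and misses."""
    flows = list(flows)
    targets = sum(1 for f in flows if is_target(f))
    blocked = [f for f in flows if policy(f)]
    hits = sum(1 for f in blocked if is_target(f))
    return {
        "blocked": len(blocked),
        "target_hits": hits,
        "collateral": len(blocked) - hits,
        "missed": targets - hits,
    }


def report(flows: Iterable[Flow] = FLOWS) -> Dict[str, Dict[str, int]]:
    flows = list(flows)
    return {
        "address": evaluate(block_by_address, flows),
        "address+port": evaluate(block_by_address_and_port, flows),
        "uri": evaluate(block_by_uri, flows),
    }


if __name__ == "__main__":
    for name, stats in report().items():
        print(f"{name:13s} {stats}")
```

Run stand-alone it prints one line per policy: address-level blocking catches both target flows but also takes down four unrelated services on the shared address; the URI-level DPI policy causes no collateral damage but, without path normalisation, misses the alternate syntax. Narrowing the granularity and keeping the efficacy are separate problems, which is the balance the paragraph above describes.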

4.2.3. Efficacy and Security

Regardless of the layer at which blocking occurs, it may be open to circumvention, particularly in cases where network endpoints have not authorized the blocking. The communicating endpoints can deny the intermediary access to attributes at any layer by using encryption (see below). IP addresses must be visible, even if packets are protected with IPsec, but blocking based on IP addresses can be trivial to circumvent. A filtered site may be able to quickly change its IP address using only a few simple steps: changing a single DNS record and provisioning the new address on its server or moving its services to the new address [BT-TPB].

Indeed, Poort, et al. [Poort] found that "any behavioural change in response to blocking access to The Pirate Bay has had no lasting net impact on the overall number of downloaders from illegal sources, as new consumers have started downloading from illegal sources and people learn to circumvent the blocking while new illegal sources may be launched, causing file sharing to increase again", and that these results "are in line with a tendency found in the literature that any effects of legal action against file sharing often fade out after a period of typically six months."

If application content is encrypted with a security protocol such as IPsec or TLS, then the intermediary will require the ability to decrypt the packets to examine application content, or resort to statistical methods to guess what the content is. Since security protocols are generally designed to provide end-to-end security (i.e., to prevent intermediaries from examining content), the intermediary would need to masquerade as one of the endpoints, breaking the authentication in the security protocol, reducing the security of the users and services affected, and interfering with legitimate private communication. In addition, various techniques that use public databases with whitelisted keys (e.g., DANE [RFC6698]) enable users to detect these sorts of intermediaries. Those users are then likely to act as if the service is blocked.
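
The DANE-based detection mentioned above, as an added example written for this page (not code from RFC 7754 or RFC 6698): a client holding a DNSSEC-validated TLSA record for the bank compares the key presented in the TLS handshake with the record and treats a mismatch as an intermediary. The SPKI byte strings, the name bank.example and the verdict strings are constructed; extracting the SPKI from a real certificate and validating the DNS response are outside the snippet and are noted as assumptions in the code.

```python
"""Added example (not from RFC 7754): spotting a TLS intermediary with a
DANE-EE TLSA record (RFC 6698).

Constructed data: BANK_SPKI and PROXY_SPKI are stand-in byte strings for
the DER SubjectPublicKeyInfo of the bank's key and of an intercepting
proxy's key. In practice the SPKI is taken from the certificate presented
in the TLS handshake, and the TLSA record must come from a
DNSSEC-validated response (an unvalidated record could be rewritten by the
same intermediary); neither step is performed here.
"""
import hashlib
import hmac
from typing import NamedTuple


class TLSA(NamedTuple):
    usage: int          # 3 = DANE-EE: the record describes the end-entity cert itself
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512 of the selected data
    data: bytes


def _digest(matching_type: int, data: bytes) -> bytes:
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_for_spki(spki_der: bytes, matching_type: int = 1) -> TLSA:
    """Build the '3 1 x' record an operator would publish for a given key."""
    return TLSA(3, 1, matching_type, _digest(matching_type, spki_der))


def to_presentation(rr: TLSA) -> str:
    """RFC 6698 presentation format, e.g. '3 1 1 <hex>'."""
    return f"{rr.usage} {rr.selector} {rr.matching_type} {rr.data.hex()}"


def parse_presentation(text: str) -> TLSA:
    usage, selector, mtype, hexdata = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def spki_matches(rr: TLSA, presented_spki_der: bytes) -> bool:
    """True when the presented key is the one the record pins."""
    if rr.usage != 3 or rr.selector != 1:
        raise NotImplementedError("example handles DANE-EE records over the SPKI only")
    # Constant-time comparison; the digest is recomputed from the presented key.
    return hmac.compare_digest(_digest(rr.matching_type, presented_spki_der), rr.data)


# Constructed, loosely DER-shaped stand-ins; not real keys.
_PREFIX = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01"
BANK_SPKI = _PREFIX + b"BANK-KEY".ljust(32, b"\x00")
PROXY_SPKI = _PREFIX + b"PROXY-KEY".ljust(32, b"\x00")

# What the bank would publish at _443._tcp.bank.example (assumed name).
BANK_TLSA_TEXT = to_presentation(tlsa_for_spki(BANK_SPKI))


def check_connection(presented_spki_der: bytes, tlsa_text: str = BANK_TLSA_TEXT) -> str:
    """'ok' for the pinned key; anything else is an intermediary or a stale record."""
    rr = parse_presentation(tlsa_text)
    return "ok" if spki_matches(rr, presented_spki_der) else "intermediary-or-misconfiguration"


if __name__ == "__main__":
    print(BANK_TLSA_TEXT)
    print("genuine:", check_connection(BANK_SPKI))
    print("proxy:  ", check_connection(PROXY_SPKI))
```

A masquerading intermediary must present its own key to be able to decrypt the session, so its SPKI can never hash to the published record; the verdict is deliberately not "attack", because a mismatch is also what an operator sees after rotating the key without updating the TLSA record.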

If the intermediary is unable to decrypt the security protocol, then its blocking determinations for secure sessions can only be based on unprotected attributes, such as IP addresses, protocol IDs, port numbers, packet sizes, and packet timing. Some blocking systems today still attempt to block based on these attributes, for example by blocking TLS traffic to known proxies that could be used to tunnel through the blocking system.

However, as the Telex project [Telex] recently demonstrated, if an endpoint cooperates with a relay in the network (e.g., a Telex station), it can create a TLS tunnel that is indistinguishable from legitimate traffic. For example, if an ISP used by a banking web site were to operate a Telex station at one of its routers, then a blocking system would be unable to distinguish legitimate encrypted banking traffic from Telex-tunneled traffic (potentially carrying content that would have been filtered).

Thus, in principle in a blacklist system it is impossible to block tunneled traffic through an intermediary device without blocking all secure traffic from that system. (The only limitation in practice is the requirement for special software on the client.) Those who require that secure traffic be blocked from such sites risk blocking content that would be valuable to their users, perhaps impeding substantial economic activity. Conversely, those who are hosting a myriad of content have an incentive to see that law abiding content does not end up being blocked.

Governments and network operators should, however, take care not to encourage the use of insecure communications in the name of security, as doing so will invariably expose their users to the various attacks that the security protocols were put in place to prevent.

Some operators may assume that blocking access only to resources available via insecure channels is sufficient for their purposes -- i.e., that the size of the user base that will be willing to use secure tunnels and/or special software to circumvent the blocking is low enough to make blocking via intermediaries worthwhile. Under that assumption, one might decide that there is no need to control secure traffic and thus that network-based blocking is an attractive option.

However, the longer such blocking systems are in place, the more likely it is that efficient and easy-to-use tunneling tools will become available. The proliferation of the Tor network, for example, and its increasingly sophisticated blocking-avoidance techniques demonstrate that there is energy behind this trend [Tor]. Thus, network-based blocking becomes less effective over time.

Network-based blocking is a key contributor to the arms race that has led to the development of such tools, the result of which is to create unnecessary layers of complexity in the Internet. Before content-based blocking became common, the next best option for network operators was port blocking, the widespread use of which has driven more applications and services to use ports (80 and 443 most commonly) that are unlikely to be blocked. In turn, network operators shifted to finer-grained content blocking over port 80, content providers shifted to encrypted channels, and operators began seeking to identify those channels (although doing so can be resource-prohibitive, especially if tunnel endpoints begin to change frequently). Because the premise of network-based blocking is that endpoints have incentives to circumvent it, this cat-and-mouse game is an inevitable by-product of this form of blocking.

One reason above all stands as an enormous challenge to network-based blocking: the Internet was designed with the premise that people will want to connect and communicate. IP will run on anything up to and including carrier pigeons [RFC1149]. It is often tunneled over TLS and has been made to run over other protocols that themselves run atop IP. Because of this fundamental layering approach, nearly any authorized avenue of communication can be used as a transport. This same "problem" permits communications to succeed in the most challenging of environments.

4.2.4. Summary

In sum, network-based blocking is only effective in a fairly constrained set of circumstances. First, the traffic needs to flow through the network in such a way that the intermediary device has access to any communications it intends to block. Second, the blocking system needs an out-of-band mechanism to mitigate the risk of secure protocols being used to avoid blocking (e.g., human analysts identifying IP addresses of tunnel endpoints). If the network is sufficiently complex, or the risk of tunneling too high, then network-based blocking is unlikely to be effective, and in any case this type of blocking drives the development of increasingly complex layers of circumvention. Network-based blocking can be done without the cooperation of either endpoint to a communication, but it has the serious drawback of breaking end-to-end security assurances in some cases. The fact that network-based blocking is premised on this lack of cooperation results in arms races that increase the complexity of both application design and network design.

4.3. Rendezvous-Based Blocking

Internet applications often require or rely on support from common, global rendezvous services, including the DNS, certificate authorities, search engines, WHOIS databases, and Internet Route Registries. These services control or register the structure and availability of Internet applications by providing data elements that are used by application code. Some applications also have their own specialized rendezvous services. For example, to establish an end-to-end SIP call, the end-nodes (terminals) rely on presence and session information supplied by SIP servers.

Global rendezvous services are comprised of generic technical databases intended to record certain facts about the network. The DNS, for example, stores information about which servers provide services for a given name, and the Resource Public Key Infrastructure (RPKI) stores information about which organizations have been allocated IP addresses. To offer specialized Internet services and applications, different people rely on these generic records in different ways. Thus, the effects of changes to the databases can be much more difficult to predict than, for example, the effect of shutting down a web server (which fulfills the specific purpose of serving web content).

Although rendezvous services are discussed as a single category, the precise characteristics and implications of blocking each kind of rendezvous service are slightly different. This section provides examples to highlight these differences.

4.3.1. Scope

In the case of government-initiated blocking, the operators of servers used to provide rendezvous service that are subject to a specific jurisdiction may be required to block or filter. Thus, it is possible for laws to be structured to result in blocking by imposing obligations on the operators of rendezvous services within a jurisdiction, either via direct government action or by allowing private actors to demand blocking (e.g., through lawsuits).

The scope of blocking conducted by others will depend on which servers they can access. For example, network operators and enterprises may be capable of conducting blocking using their own DNS resolvers or application proxies within their networks, but not authoritative servers controlled by others.

However, if a service is hosted and operated within a jurisdiction where it is considered legitimate, then blocking access at a global rendezvous service (e.g., one within a jurisdiction where it is considered illegitimate) might deny services in jurisdictions where they are considered legitimate. This type of collateral damage is lessened when blocking is done at a local rendezvous server that only has local impact, rather than at a global rendezvous server with global impact.

4.3.2. Granularity

Blocking at a global rendezvous service can be overbroad if the resources blocked support multiple services, since blocking service can cause collateral damage to legitimate uses of other services. For example, a given address or domain name might host both legitimate services as well as services that some would desire to block.

4.3.3. Efficacy

The distributed nature of the Internet limits the efficacy of blocking based on rendezvous services. If the Internet community realizes that a blocking decision has been made and wishes to counter it, then local networks can "patch" the authoritative data that a global rendezvous service provides to avoid the blocking (although the development of DNSSEC and the RPKI are causing this to change by requiring updates to be authorized). In the DNS case, registrants whose names get blocked can relocate their resources to different names.

Endpoints can also choose not to use a particular rendezvous service. They might switch to a competitor or use an alternate mechanism (for example, IP literals in URIs to circumvent DNS filtering).

4.3.4. Security and Other Implications

Blocking of global rendezvous services also has a variety of other implications that may reduce the stability, accessibility, and usability of the global Internet. Infrastructure-based blocking may erode the trust in the general Internet and encourage the development of parallel or "underground" infrastructures causing forms of Internet fragmentation, for example. This risk may become more acute as the introduction of security infrastructures and mechanisms such as DNSSEC and RPKI "hardens" the authoritative data -- including blocked names or routes -- that the existing infrastructure services provide. Those seeking to circumvent the blocks may opt to use less-secure but unblocked parallel services. As applied to the DNS, these considerations are further discussed in RFC 2826 [RFC2826], in the advisory [SAC-056] from ICANN's Security and Stability Advisory Committee (SSAC), and in the Internet Society's whitepaper on DNS filtering [ISOCFiltering], but they also apply to other global Internet resources.

4.3.5. Examples

Below we provide a few specific examples for routing, DNS, and WHOIS services. These examples demonstrate that for these types of rendezvous services (services that are often considered a global commons), jurisdiction-specific legal and ethical motivations for blocking can both have collateral effects in other jurisdictions and be circumvented because of the distributed nature of the Internet.

In 2008, Pakistan Telecom attempted to deny access to YouTube within Pakistan by announcing bogus routes for YouTube address space to peers in Pakistan. YouTube was temporarily denied service on a global basis as a result of a route leak beyond the Pakistani ISP's scope, but service was restored in approximately two hours because network operators around the world reconfigured their routers to ignore the bogus routes [RenesysPK]. In the context of SIDR and secure routing, a similar reconfiguration could theoretically be done if a resource certificate were to be revoked in order to block routing to a given network.

In the DNS realm, one of the recent cases of U.S. law enforcement seizing domain names involved RojaDirecta, a Spanish web site. Even though several of the affected domain names belonged to Spanish organizations, they were subject to blocking by the U.S. government because certain servers were operated in the United States.

Government officials required the operators of the parent zones of a target name (e.g., "com" for "example.com") to direct queries for that name to a set of U.S.-government-operated name servers. Users of other services (e.g., email) under a target name would thus be unable to locate the servers providing services for that name, denying them the ability to access these services.

Similar workarounds as those that were used in the Pakistan Telecom case are also available in the DNS case. If a domain name is blocked by changing authoritative records, network operators can restore service simply by extending TTLs on cached pre-blocking records in recursive resolvers, or by statically configuring resolvers to return unblocked results for the affected name. However, depending on the availability of valid signature data, these types of workarounds will not work with DNSSEC-signed data.
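
The DNSSEC limit described in the paragraph above, as an added toy model that is not part of the RFC: a non-validating resolver keeps serving a pre-blocking cached RRset after its TTL has been stretched, while a validating resolver refuses the same cached data once the RRSIG validity window has passed and refuses statically configured unsigned data outright. The RRSIG is stood in for by an HMAC under a constructed zone key (an assumption of this model, not real DNSSEC signing), and the names, times and TTLs are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the zone's signing key (a real zone uses a DNSKEY
# and public-key signatures; an HMAC keeps the model self-contained).
ZONE_KEY = b"constructed-zone-key"


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]


@dataclass(frozen=True)
class RRSIG:
    inception: int      # validity window, seconds since epoch (constructed)
    expiration: int
    signature: bytes


def _signed_bytes(rrset: RRset, inception: int, expiration: int) -> bytes:
    # The signature covers the RRset and its validity window, as an RRSIG does.
    owner = "|".join([rrset.name, rrset.rtype, *sorted(rrset.rdata)])
    return f"{owner}|{inception}|{expiration}".encode()


def sign_rrset(rrset: RRset, inception: int, expiration: int) -> RRSIG:
    mac = hmac.new(ZONE_KEY, _signed_bytes(rrset, inception, expiration), hashlib.sha256)
    return RRSIG(inception, expiration, mac.digest())


def rrsig_valid(rrset: RRset, rrsig: Optional[RRSIG], now: int) -> bool:
    """True only if signature data exists, is inside its window and verifies."""
    if rrsig is None or not rrsig.inception <= now <= rrsig.expiration:
        return False
    expected = hmac.new(ZONE_KEY, _signed_bytes(rrset, rrsig.inception, rrsig.expiration),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, rrsig.signature)


@dataclass
class CacheEntry:
    rrset: RRset
    expires_at: int            # TTL-derived expiry, which an operator may stretch
    rrsig: Optional[RRSIG]     # None for unsigned or statically configured data


class Resolver:
    """Recursive resolver cache; the upstream (authoritative) lookup is not modelled."""

    def __init__(self, validating: bool) -> None:
        self.validating = validating
        self.cache: Dict[Tuple[str, str], CacheEntry] = {}

    def cache_put(self, rrset: RRset, ttl: int, now: int, rrsig: Optional[RRSIG] = None) -> None:
        self.cache[(rrset.name, rrset.rtype)] = CacheEntry(rrset, now + ttl, rrsig)

    def extend_ttl(self, name: str, rtype: str, new_expires_at: int) -> None:
        # The "extend TTLs on cached pre-blocking records" workaround from the text.
        self.cache[(name, rtype)].expires_at = new_expires_at

    def answer(self, name: str, rtype: str, now: int):
        entry = self.cache.get((name, rtype))
        if entry is None or now > entry.expires_at:
            return "MISS"        # would go upstream and receive the post-blocking data
        if self.validating and not rrsig_valid(entry.rrset, entry.rrsig, now):
            return "SERVFAIL"    # a validating resolver never hands bogus data to clients
        return entry.rrset.rdata


def scenario() -> Dict[str, object]:
    t0 = 1_000_000                                   # constructed epoch time
    day = 86400
    ns = RRset("example.com.", "NS", ("ns1.example.net.", "ns2.example.net."))
    rrsig = sign_rrset(ns, inception=t0 - 3600, expiration=t0 + 14 * day)

    plain, secure = Resolver(validating=False), Resolver(validating=True)
    for r in (plain, secure):
        r.cache_put(ns, ttl=day, now=t0, rrsig=rrsig)       # cached before blocking
        r.extend_ttl("example.com.", "NS", t0 + 60 * day)   # operator workaround

    # Static override with unsigned pre-blocking data on a validating resolver.
    static = Resolver(validating=True)
    static.cache_put(ns, ttl=60 * day, now=t0, rrsig=None)

    t_soon, t_late = t0 + 7 * day, t0 + 30 * day     # inside / past the RRSIG window
    return {
        "plain_soon": plain.answer("example.com.", "NS", t_soon),
        "plain_late": plain.answer("example.com.", "NS", t_late),
        "secure_soon": secure.answer("example.com.", "NS", t_soon),
        "secure_late": secure.answer("example.com.", "NS", t_late),
        "static_unsigned": static.answer("example.com.", "NS", t_soon),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:16s} -> {result}")
```

Real validating resolvers do not even let a cache entry outlive its signature: they cap the cached TTL at the RRSIG expiration time (RFC 4035), so the workaround buys at most the remaining signature lifetime.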

The action of the Dutch authorities against the RIPE NCC, where RIPE was ordered to freeze the accounts of Internet resource holders, is of a similar character. By controlling the account holders' WHOIS information, this type of action limited the ability of the ISPs in question to manage their Internet resources. This example is slightly different from the others because it does not immediately impact the ability of ISPs to provide connectivity. While ISPs use (and trust) the WHOIS databases to build route filters or use the databases for troubleshooting information, the use of the WHOIS databases for those purposes is voluntary. Thus, seizure of this sort may not have any immediate effect on network connectivity, but it may impact overall trust in the common infrastructure. It is similar to the other examples in that action in one jurisdiction can have broader effects, and in that the global system may encourage networks to develop their own autonomous solutions.

4.3.6. Summary

In summary, rendezvous-based blocking can sometimes be used to immediately block a target service by removing some of the resources it depends on. However, such blocking actions can have harmful side effects due to the global nature of Internet resources and the fact that many different application-layer services rely on generic, global databases for rendezvous purposes. The fact that Internet resources can quickly shift between network locations, names, and addresses, together with the autonomy of the networks that comprise the Internet, can mean that the effects of rendezvous-based blocking can be negated in short order in some cases. For some applications, rendezvous services are optional to use, not mandatory. Hence, they are only effective when the endpoint or the endpoint's network chooses to use them; they can be routed around by choosing not to use the rendezvous service or migrating to an alternative one. To adapt a quote by John Gilmore, "The Internet treats blocking as damage and routes around it".

4.4. Endpoint-Based Blocking

Internet users and their devices constantly make decisions as to whether to engage in particular Internet communications. Users decide whether to click on links in suspect email messages; browsers advise users on sites that have suspicious characteristics; spam filters evaluate the validity of senders and messages. If the hardware and software making these decisions can be instructed not to engage in certain communications, then the communications are effectively blocked because they never happen.

There are several systems in place today that advise user systems about which communications they should engage in. As discussed above, several modern browsers consult with "Safe Browsing" services before loading a web site in order to determine whether the site could potentially be harmful. Spam filtering is one of the oldest types of filtering in the Internet; modern filtering systems typically make use of one or more "reputation" or "blacklist" databases in order to make decisions about whether a given message or sender should be blocked. These systems typically have the property that many filtering systems (browsers, Mail Transfer Agents (MTAs)) share a single reputation service. Even the absence of provisioned PTR records for an IP address may result in email messages not being accepted.

4.4.1. Scope

In an endpoint-based blocking system, blocking actions are performed autonomously, by individual endpoints or their delegates. The effects of blocking are thus usually local in scope, minimizing the effects on other users or other, legitimate services.

4.4.2. Granularity

Endpoint-based blocking avoids some of the limitations of rendezvous-based blocking: while rendezvous-based blocking can only see and affect the rendezvous service at hand (e.g., DNS name resolution), endpoint-based blocking can potentially see into the entire application, across all layers and transactions. This visibility can provide endpoint-based blocking systems with a much richer set of information for making narrow blocking decisions. Support for narrow granularity depends on how the application protocol client and server are designed, however. A typical endpoint-based firewall application may have less ability to make fine-grained decisions than an application that does its own blocking (see [RFC7288] for further discussion).

4.4.3. Efficacy

Endpoint-based blocking deals well with mobile adversaries. If a blocked service relocates resources or uses different resources, a rendezvous- or network-based blocking approach may not be able to affect the new resources (at least not immediately). A network-based blocking system may not even be able to tell whether the new resources are being used, if the previously blocked service uses secure protocols. By contrast, endpoint-based blocking systems can detect when a blocked service's resources have changed (because of their full visibility into transactions) and adjust blocking as quickly as new blocking data can be sent out through a reputation system.

The primary challenge to endpoint-based blocking is that it requires the cooperation of endpoints. Where this cooperation is willing, this is a fairly low barrier, requiring only reconfiguration or software update. Where cooperation is unwilling, it can be challenging to enforce cooperation for large numbers of endpoints. That challenge is exacerbated when the endpoints are a diverse set of static, mobile, or visiting endpoints. If cooperation can be achieved, endpoint-based blocking can be much more effective than other approaches because it is so coherent with the Internet's architectural principles.

4.4.4. Security

Endpoint-based blocking is performed at one end of an Internet communication, and thus avoids the problems related to end-to-end security mechanisms that network-based blocking runs into and the challenges to global trust infrastructures that rendezvous-based blocking creates.

4.4.5. Server Endpoints

In this discussion of endpoint-based blocking, the focus has been on the consuming side of the end-to-end communication, mostly the client side of a client-server type connection. However, similar considerations apply to the content-producing side of end-to-end communications, regardless of whether that endpoint is a server in a client-server connection or a peer in a peer-to-peer type of connection.

For instance, for blocking of web content, narrow targeting can be achieved through whitelisting methods like password authentication, whereby passwords are available only to authorized clients. For example, a web site might only make adult content available to users who provide credit card information, which is assumed to be a proxy for age.

The fact that content-producing endpoints often do not take it upon themselves to block particular forms of content in response to requests from governments or other parties can sometimes motivate those latter parties to engage in blocking elsewhere within the Internet.

If a service is to be blocked, the best way of doing that is to disable the service at the server endpoint.

4.4.6. Summary

Out of the three design patterns, endpoint-based blocking is the least likely to cause collateral damage to Internet services or the overall Internet architecture. Endpoint-based blocking systems can potentially see into all layers involved in a communication, allowing blocking to be narrowly targeted and minimizing unintended consequences. Adversary mobility can be accounted for as soon as reputation systems are updated with new adversary information. One potential drawback of endpoint-based blocking is that it requires the endpoint's cooperation; implementing blocking at an endpoint when it is not in the endpoint's interest is therefore difficult to accomplish because the endpoint's user can disable the blocking or switch to a different endpoint.

5. Security Considerations

The primary security concern related to Internet service blocking is the effect that it has on the end-to-end security model of many Internet security protocols. When blocking is enforced by an intermediary with respect to a given communication, the blocking system may need to obtain access to confidentiality-protected data to make blocking decisions. Mechanisms for obtaining such access often require the blocking system to defeat the authentication mechanisms built into security protocols.

For example, some enterprise firewalls will dynamically create TLS certificates under a trust anchor recognized by endpoints subject to blocking. These certificates allow the firewall to authenticate as any web site, so that it can act as a man-in-the-middle on TLS connections passing through the firewall. This is not unlike an external attacker using compromised certificates to intercept TLS connections.

Modifications such as these obviously make the firewall itself an attack surface. If an attacker can gain control of the firewall or compromise the key pair used by the firewall to sign certificates, the attacker will have access to the unencrypted data of all current and recorded TLS sessions for all users behind that firewall, in a way that is undetectable to users. Moreover, if the compromised key pairs can be extracted from the firewall, all users that rely on that public key, not only those behind the firewall, are vulnerable.

We must also consider the possibility that a legitimate administrator of such a firewall could gain access to privacy-sensitive information, such as the bank accounts or health records of users who access such secure sites through the firewall. These privacy considerations motivate legitimate use of secure end-to-end protocols that often make it difficult to enforce granular blocking policies.

When blocking systems are unable to inspect and surgically block secure protocols, it is tempting to completely block those protocols. For example, a web blocking system that is unable to inspect HTTPS connections might simply block any attempted HTTPS connection. However, since Internet security protocols are commonly used for critical services such as online commerce and banking, blocking these protocols would block access to these services as well, or worse, force them to be conducted over insecure communication.

Security protocols can, of course, also be used as mechanisms for blocking services. For example, if a blocking system can insert invalid credentials for one party in an authentication protocol, then the other end will typically terminate the connection based on the authentication failure. However, it is typically much simpler to simply block secure protocols than to exploit those protocols for service blocking.

6. Conclusion

Filtering will continue to occur on the Internet. We conclude that, whenever possible, filtering should be done on the endpoint. Cooperative endpoints are most likely to have sufficient contextual knowledge to effectively target blocking; hence, such blocking minimizes unintended consequences. It is realistic to expect that at times filtering will not be done on the endpoints. In these cases, promptly informing the endpoint that blocking has occurred provides necessary transparency to redress any errors, particularly as they relate to any collateral damage introduced by errant filters.

Blacklist approaches are often a game of "cat and mouse", where those with the content move it around to avoid blocking. Or, the content may even be naturally mirrored or cached at other legitimate sites such as the Internet Archive Wayback Machine [Wayback]. At the same time, whitelists provide similar risks because sites that had "acceptable" content may become targets for "unacceptable content", and similarly, access to perfectly inoffensive and perhaps useful or productive content is unnecessarily blocked.

From a technical perspective, there are no perfect or even good solutions -- there is only least bad. On that front, we posit that a hybrid approach that combines endpoint-based filtering with network filtering may prove least damaging. An endpoint may choose to participate in a filtering regime in exchange for the network providing broader unfiltered access.

Finally, we note that where filtering is occurring to address content that is generally agreed to be inappropriate or illegal, strong cooperation among service providers and governments may provide additional means to identify both the victims and the perpetrators through non-filtering mechanisms, such as partnerships with the finance industry to identify and limit illegal transactions.

7. Informative References

[asymmetry] John, W., Dusi, M., and K. Claffy, "Estimating routing symmetry on single links by passive flow measurements", Proceedings of the 6th International Wireless Communications and Mobile Computing Conference, IWCMC '10, DOI 10.1145/1815396.1815506, 2010, <http://www.caida.org/publications/papers/2010/estimating_routing_symmetry/estimating_routing_symmetry.pdf>.

[BlackLists14] Chachra, N., McCoy, D., Savage, S., and G. Voelker, "Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting", Workshop on the Economics of Information Security 2014, <http://www.econinfosec.org/archive/weis2014/papers/Chachra-WEIS2014.pdf>.

[BT-TPB] Meyer, D., "BT blocks The Pirate Bay", June 2012, <http://www.zdnet.com/bt-blocks-the-pirate-bay-4010026434/>.

[CleanFeed] Clayton, R., "Failures in a Hybrid Content Blocking System", Fifth Privacy Enhancing Technologies Workshop, PET 2005, DOI 10.1007/11767831_6, 2005, <http://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf>.

[GhostClickRIPE] RIPE NCC, "RIPE NCC Blocks Registration in RIPE Registry Following Order from Dutch Police", 2012, <http://www.ripe.net/internet-coordination/news/about-ripe-ncc-and-ripe/ripe-ncc-blocks-registration-in-ripe-registry-following-order-from-dutch-police>.

[IN-OM-filtering] Citizen Lab, "Routing Gone Wild: Documenting upstream filtering in Oman via India", July 2012, <https://citizenlab.org/2012/07/routing-gone-wild/>.

[ISOCFiltering] Internet Society, "DNS: Finding Solutions to Illegal On-line Activities", 2012, <http://www.internetsociety.org/what-we-do/issues/dns/finding-solutions-illegal-line-activities>.

[Malicious-Resolution] Dagon, D., Provos, N., Lee, C., and W. Lee, "Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority", 2008, <http://www.citi.umich.edu/u/provos/papers/ndss08_dns.pdf>.

[Morris] Kehoe, B., "The Robert Morris Internet Worm", 1992, <http://groups.csail.mit.edu/mac/classes/6.805/articles/morris-worm.html>.

[NW08] Marsan, C., "YouTube/Pakistan incident: Could something similar whack your site?", Network World, March 2008, <http://www.networkworld.com/article/2284273/software/youtube-pakistan-incident--could-something-similar-whack-your-site-.html>.

[Poort] Poort, J., Leenheer, J., van der Ham, J., and C. Dumitru, "Baywatch: Two approaches to measure the effects of blocking access to The Pirate Bay", Telecommunications Policy 38:383-392, DOI 10.1016/j.telpol.2013.12.008, 2014, <http://staff.science.uva.nl/~vdham/research/publications/1401-Baywatch.pdf>.

[RenesysPK] Brown, M., "Pakistan hijacks YouTube", February 2008, <http://research.dyn.com/2008/02/pakistan-hijacks-youtube-1/>.

[RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, DOI 10.17487/RFC1122, October 1989, <http://www.rfc-editor.org/info/rfc1122>.

[RFC1149] Waitzman, D., "Standard for the transmission of IP datagrams on avian carriers", RFC 1149, DOI 10.17487/RFC1149, April 1990, <http://www.rfc-editor.org/info/rfc1149>.

[RFC2826] Internet Architecture Board, "IAB Technical Comment on the Unique DNS Root", RFC 2826, DOI 10.17487/RFC2826, May 2000, <http://www.rfc-editor.org/info/rfc2826>.

[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May 2000, <http://www.rfc-editor.org/info/rfc2827>.

[RFC2979] Freed, N., "Behavior of and Requirements for Internet Firewalls", RFC 2979, DOI 10.17487/RFC2979, October 2000, <http://www.rfc-editor.org/info/rfc2979>.

[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, <http://www.rfc-editor.org/info/rfc3261>.

[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, DOI 10.17487/RFC3704, March 2004, <http://www.rfc-editor.org/info/rfc3704>.

[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, March 2005, <http://www.rfc-editor.org/info/rfc4033>.

[RFC4084] Klensin, J., "Terminology for Describing Internet Connectivity", BCP 104, RFC 4084, DOI 10.17487/RFC4084, May 2005, <http://www.rfc-editor.org/info/rfc4084>.

[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, <http://www.rfc-editor.org/info/rfc4301>.

[RFC4924] Aboba, B., Ed. and E. Davies, "Reflections on Internet Transparency", RFC 4924, DOI 10.17487/RFC4924, July 2007, <http://www.rfc-editor.org/info/rfc4924>.

[RFC4948] Andersson, L., Davies, E., and L. Zhang, "Report from the IAB workshop on Unwanted Traffic March 9-10, 2006", RFC 4948, DOI 10.17487/RFC4948, August 2007, <http://www.rfc-editor.org/info/rfc4948>.

[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, <http://www.rfc-editor.org/info/rfc4949>.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <http://www.rfc-editor.org/info/rfc5246>.

[RFC5782] Levine, J., "DNS Blacklists and Whitelists", RFC 5782, DOI 10.17487/RFC5782, February 2010, <http://www.rfc-editor.org/info/rfc5782>.

[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, February 2012, <http://www.rfc-editor.org/info/rfc6480>.

[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2012, <http://www.rfc-editor.org/info/rfc6698>.

[RFC6943] Thaler, D., Ed., "Issues in Identifier Comparison for Security Purposes", RFC 6943, DOI 10.17487/RFC6943, May 2013, <http://www.rfc-editor.org/info/rfc6943>.

[RFC7288] Thaler, D., "Reflections on Host Firewalls", RFC 7288, DOI 10.17487/RFC7288, June 2014, <http://www.rfc-editor.org/info/rfc7288>.

[RojaDirecta] Masnick, M., "Homeland Security Seizes Spanish Domain Name That Had Already Been Declared Legal", 2011, <http://www.techdirt.com/articles/20110201/10252412910/homeland-security-seizes-spanish-domain-name-that-had-already-been-declared-legal.shtml>.

[SAC-056] ICANN SSAC, "SSAC Advisory on Impacts of Content Blocking via the Domain Name System", October 2012, <http://www.icann.org/en/groups/ssac/documents/sac-056-en.pdf>.

[SafeBrowsing] Google, "Safe Browsing API", 2012, <https://developers.google.com/safe-browsing/>.

[Takedown08] Moore, T. and R. Clayton, "The Impact of Incentives on Notice and Take-down", Workshop on the Economics of Information Security 2008, <http://www.econinfosec.org/archive/weis2008/papers/MooreImpact.pdf>.

[Telex] Wustrow, E., Wolchok, S., Goldberg, I., and J. Halderman, "Telex: Anticensorship in the Network Infrastructure", <https://telex.cc/>.

[Tor] "Tor Project: Anonymity Online", <https://www.torproject.org/>.

[Wayback] "Internet Archive: Wayback Machine", <http://archive.org/web/>.

IAB Members at the Time of Approval

Jari Arkko
Mary Barnes
Marc Blanchet
Ralph Droms
Ted Hardie
Joe Hildebrand
Russ Housley
Erik Nordmark
Robert Sparks
Andrew Sullivan
Dave Thaler
Brian Trammell
Suzanne Woolf

Acknowledgments

Thanks to the many reviewers who provided helpful comments, especially Bill Herrin, Eliot Lear, Patrik Faltstrom, Pekka Savola, and Russ White. NLnet Labs is also acknowledged as Olaf Kolkman's employer during most of this document's development.

Authors' Addresses

Richard Barnes
Mozilla
Suite 300
650 Castro Street
Mountain View, CA 94041
United States

   Email: rlb@ipv.sx
        

Alissa Cooper
Cisco
707 Tasman Drive
Milpitas, CA 95035
United States

   Email: alcoop@cisco.com
        

Olaf Kolkman
Internet Society

   Email: kolkman@isoc.org
        

Dave Thaler
Microsoft
One Microsoft Way
Redmond, WA 98052
United States

   Email: dthaler@microsoft.com
        

Erik Nordmark
Arista

   Email: nordmark@arista.com
        