Introduction
Modern corporate content-filtering systems from well-known vendors such as Cisco, BlueCoat and FireEye have a great deal in common with their more powerful counterparts, the DPI systems that are being actively deployed at the national level. The essence of both is the same: inspect inbound and outbound Internet traffic and decide, on the basis of black lists and white lists, whether a connection is to be blocked. And because both rely on the same basic principles, the methods of getting around them also have a lot in common.
One technique that bypasses both DPI and corporate filters very effectively is domain fronting. Its essence is to reach a blocked resource while hiding behind a different, reputable public domain that obviously no system blocks (google.com, for example).
Quite a lot has already been written about this technique, with many examples. However, the recently discussed DNS-over-HTTPS and encrypted SNI technologies, together with the new version of the TLS protocol, TLS 1.3, make it possible to consider another variant of domain fronting.
Understanding the technology
First, let's define the basic concepts so that it is clear who is who and why all of this is needed. The eSNI mechanism has already been mentioned; here we describe how it works in more detail. eSNI (Encrypted Server Name Indication) is a protected version of SNI that is available only in TLS 1.3. The main idea is to encrypt the information about which domain a request is being sent to.
So let's see how eSNI actually works in practice.
Suppose there is an Internet resource that is blocked by a modern DPI solution (take, for example, the well-known torrent tracker rutracker.nl). When we try to open the tracker's website, we get the provider's standard stub page saying that the resource is blocked.
On the RKN website this domain is indeed on the block list.
A whois query shows that the domain itself is "hidden" behind the cloud provider Cloudflare.
However, unlike the "specialists" at RKN, the more technically literate Beeline employees (or those taught by bitter experience with the well-known regulator) did not crudely ban the site by IP address but added the domain name to the block list. This is easy to verify: look up which other domains sit behind the same IP address, open one of them and confirm that access to it is not blocked.
How does this happen? All communication goes over HTTPS, and we have not yet noticed Beeline substituting HTTPS certificates, so how does the provider's DPI know which domain my browser is going to? Does it have superpowers, or am I being followed?
Let's try to answer that question by looking at the traffic in Wireshark.
The screenshot shows that the browser first obtains the server's IP address via DNS, then a standard TCP handshake takes place with the destination server, after which the browser tries to establish an SSL connection with it. To do that it sends an SSL Client Hello packet that contains the name of the destination domain in clear text; the Cloudflare front-end servers need this field to route the connection correctly. This is exactly what the provider's DPI catches, and it breaks the connection. At the same time we receive either a stub page from the provider or a standard browser error, as if the site were down or simply not working.
Next, following the instructions, let's enable the eSNI mechanism in the browser.
To do this, open the Firefox about:config page and enable the following settings:
network.trr.mode = 2
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled = true
After that, check on the Cloudflare website that the settings are working correctly.
Voilà: our "favourite" tracker opens without any VPN or proxy server. Let's look at the Wireshark traffic dump to see what happened.
This time the SSL Client Hello packet does not contain the destination domain explicitly. Instead, a new field appears in the packet, encrypted_server_name. It carries the value rutracker.nl in encrypted form, and only the Cloudflare front-end servers can decrypt it. In this situation the provider's DPI has no choice but to throw up its hands and let such traffic through; its only alternative would be to block encrypted traffic altogether.
So we have seen how this technology works in the browser. Now let's apply it to something more concrete and interesting. First we teach plain curl to work over TLS 1.3 with eSNI, and at the same time see how eSNI-based domain fronting itself works.
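The plaintext server_name field described above is exactly what the DPI keys on, and the encrypted_server_name extension is what takes its place. The following Python script is an added illustration, not code from the article or from the openssl and curl ESNI branches: it builds constructed ClientHello records (not captures), parses them the way a DPI would, and reports the only name the filter can act on. The extension type values are taken from the drafts (0xffce for encrypted_server_name in the ESNI drafts, 0xfe0d for its successor encrypted_client_hello); the ESNI payload is an opaque placeholder, and the blocklist is constructed. The third case shows what happens when the cover name itself is on the list, which is why the choice of cover matters.

```python
"""
What a DPI box sees in a TLS 1.3 ClientHello: the plaintext server_name
extension, or (with ESNI) only the cover name plus an opaque
encrypted_server_name extension. Added example; constructed records, not captures.
"""
import struct

EXT_SERVER_NAME = 0x0000             # server_name (RFC 6066)
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE   # encrypted_server_name, draft-ietf-tls-esni
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D  # encrypted_client_hello, the ESNI successor (ECH)


def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(sni=None, esni_payload=None):
    """Constructed minimal TLS 1.3 ClientHello record (zero random, one cipher suite)."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type host_name(0)
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    if esni_payload is not None:
        # Real ESNI carries a ClientEncryptedSNI structure; here it is an opaque placeholder.
        exts += _ext(EXT_ENCRYPTED_SERVER_NAME, esni_payload)
    exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")        # TLS 1.3 only
    body = (
        b"\x03\x03"                       # legacy_version = TLS 1.2
        + bytes(32)                       # random (zeros; constructed sample)
        + b"\x00"                         # legacy_session_id: empty
        + b"\x00\x02\x13\x01"             # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                     # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': str|None, 'extensions': [int]} from one ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # legacy_version + random
    pos += 1 + body[pos]                            # legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                               # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    out = {"sni": None, "extensions": []}
    if pos + 2 > len(body):
        return out                                  # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        out["extensions"].append(etype)
        if etype == EXT_SERVER_NAME:
            p = 2                                   # skip ServerNameList length
            while p + 3 <= len(data):
                ntype = data[p]
                (nlen,) = struct.unpack("!H", data[p + 1:p + 3])
                if ntype == 0:
                    out["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
    return out


def name_is_blocked(name, blocklist):
    """Exact or parent-domain match: the usual block-list semantics, simplified."""
    name = name.lower().rstrip(".")
    return any(name == b or name.endswith("." + b) for b in blocklist)


def dpi_verdict(record, blocklist):
    """(verdict, visible_name, sni_is_encrypted): the DPI can only act on what it sees."""
    info = parse_client_hello(record)
    visible = info["sni"]
    encrypted = any(e in info["extensions"]
                    for e in (EXT_ENCRYPTED_SERVER_NAME, EXT_ENCRYPTED_CLIENT_HELLO))
    if visible is not None and name_is_blocked(visible, blocklist):
        return "block", visible, encrypted
    return "allow", visible, encrypted


if __name__ == "__main__":
    BLOCKLIST = {"rutracker.nl", "rutor.info"}   # constructed list
    cases = {
        "plain SNI": build_client_hello(sni="rutracker.nl"),
        "ESNI, clean cover": build_client_hello(sni="www.hello-rkn.ru", esni_payload=bytes(48)),
        "ESNI, blocked cover": build_client_hello(sni="rutor.info", esni_payload=bytes(48)),
    }
    for label, rec in cases.items():
        print(f"{label:20s} -> {dpi_verdict(rec, BLOCKLIST)}")
```

Run it with plain python3; the three printed verdicts are block, allow, block. The parser deliberately ignores the ESNI payload, because a middlebox without Cloudflare's private key cannot do anything else with it.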
Domain fronting with eSNI
curl uses the standard openssl library to connect over HTTPS, so eSNI support has to be provided there first. The openssl master branch does not have eSNI support yet, so we need to download, compile and install a special openssl branch.
Clone the repository from GitHub and compile it in the usual way:
$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config
$ make
$ cd esnistuff
$ make
Next, clone the curl repository and configure its build to use the openssl library we just compiled:
$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni
$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug
At this point it is important to specify correctly all the directories where openssl is located (in this example /opt/openssl/) and to make sure the configure step completes without errors.
If configure succeeds, the following line appears:
WARNING: ESNI enabled but marked EXPERIMENTAL. Use with caution!
$ make
Once the package has built successfully, we configure and run curl through a special bash script shipped with openssl. For convenience, copy it into the curl directory:
$ cp /opt/openssl/esnistuff/curl-esni .
Then we make a test HTTPS request to the Cloudflare server while capturing the DNS and TLS packets in Wireshark:
$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/
In the server response, alongside a lot of debug output from openssl and curl, we receive an HTTP response from Cloudflare with code 301:
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/
This shows that the request was delivered to the destination server, received and processed.
Now let's look at the traffic dump in Wireshark, i.e. at what the provider's DPI sees in this case.
First we can see that curl contacted the DNS server to obtain the public eSNI key of the Cloudflare server: a DNS TXT request for _esni.cloudflare.com (packet number 13). Then curl, using the openssl library, sent a TLS 1.3 request to the Cloudflare server with the SNI field encrypted under the public key obtained in the previous step (packet #22). Note, however, that besides the eSNI field the Client Hello packet also contains the usual open SNI field, which can be set to anything at all (in this case, the cover name www.hello-rkn.ru).
This open SNI field is not taken into account by the Cloudflare server when it processes the packet and serves purely as a mask for the provider's DPI. The Cloudflare server receives the Client Hello, decrypts the eSNI, extracts the original SNI from it and handles it as if nothing had happened, doing exactly what was planned when eSNI was designed.
The only thing the DPI can catch in this case is the initial DNS request for _esni.cloudflare.com. We left the DNS request in the open only to show how the mechanism works from the inside.
To get out from under the DPI for good, we use the DNS-over-HTTPS mechanism already mentioned. In short, DoH is a protocol that protects against man-in-the-middle interference by sending DNS requests over HTTPS.
Let's run the request again, this time fetching the public eSNI key over HTTPS rather than over plain DNS:
$ ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/
The traffic dump of this request is shown in the screenshot below.
We can see that curl first contacts the mozilla.cloudflare-dns.com server over DoH (an HTTPS connection to 104.16.249.249), obtains the public key used to encrypt the SNI from it, and only then connects to the destination server, hiding behind the cover domain.
Besides the DoH resolver mozilla.cloudflare-dns.com used above, other popular DoH services can be used, for example the one run by a certain well-known evil corporation.
Let's run the following query:
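What curl-esni actually exchanges with the DoH resolver in that first step is an ordinary DNS message wrapped in HTTPS, as defined in RFC 8484. The Python script below is an added example, not code from the article or from the curl and openssl ESNI branches: it builds the wire-format TXT query for _esni.cloudflare.com, shows the GET form of the DoH request against the resolver URL the article uses, and parses a TXT answer. The answer it parses is constructed inline (including the name-compression pointer real resolvers emit); it is not a real Cloudflare reply, and decoding the ESNIKeys structure inside the TXT string is out of scope.

```python
"""
DNS-over-HTTPS (RFC 8484) on the wire: the DNS message curl-esni sends to fetch
the _esni TXT record, the GET form of the request, and parsing of the answer.
Added example; the server response below is constructed, not a real Cloudflare reply.
"""
import base64
import struct

TYPE_TXT = 16
CLASS_IN = 1
DOH_URL = "https://mozilla.cloudflare-dns.com/dns-query"   # resolver used in the article


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_TXT):
    """One-question DNS query. RFC 8484 says the ID SHOULD be 0 so DoH replies cache well."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # flags: RD only
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(base_url, query):
    """GET form: unpadded base64url message in the 'dns' parameter.
    The POST form sends the same bytes with Content-Type application/dns-message."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}{'&' if '?' in base_url else '?'}dns={b64}"


def read_name(msg, pos):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), end if end is not None else pos


def parse_txt_response(msg):
    """Return the TXT strings in the answer section (character-strings of each RR joined)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"DNS error rcode={flags & 0xF}")
    pos = 12
    for _ in range(qd):
        _, pos = read_name(msg, pos)
        pos += 4                                         # QTYPE + QCLASS
    txts = []
    for _ in range(an):
        _, pos = read_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype == TYPE_TXT:
            parts, p = [], 0
            while p < len(rdata):
                n = rdata[p]
                parts.append(rdata[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            txts.append("".join(parts))
    return txts


def build_txt_response(query, txt_value, ttl=60):
    """Constructed sample reply: echo the question and answer with one TXT RR whose
    owner name is a compression pointer to the question name at offset 12."""
    if len(txt_value) > 255:
        raise ValueError("a TXT character-string is limited to 255 bytes")
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    rdata = bytes([len(txt_value)]) + txt_value.encode("ascii")
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("_esni.cloudflare.com")
    print("wire query :", q.hex())
    print("DoH GET    :", doh_get_url(DOH_URL, q))
    reply = build_txt_response(q, "constructed-esni-keys-not-a-real-record")   # constructed
    print("TXT answer :", parse_txt_response(reply))
```

The only part of this exchange a DPI can see is a TLS connection to the resolver's IP address; the query name and the returned key travel inside HTTPS, which is what makes the _esni lookup disappear from the dump.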
ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/
And we get the following answer:
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH
ãã®å ŽåãDoH ãªãŸã«ã㌠dns.google ã䜿çšããŠããããã¯ããã rutracker.nl ãµãŒããŒã«æ³šç®ã (ããã«ã¿ã€ããã¹ã¯ãããŸãããæåãªäŒæ¥ã¯ç¬èªã®ãã¡ãŒã¹ãã¬ãã« ãã¡ã€ã³ãæã£ãŠããŸã)ãå¥ã®ãã¡ã€ã³ã§èªåèªèº«ãã«ããŒããŸããããã¹ãŠã® DPI ãæ»ã®èŠãã¿ã®äžã§ãããã¯ããããšã¯çŠæ¢ãããŠããŸããåãåã£ãå¿çã«åºã¥ããŠããªã¯ãšã¹ããæ£åžžã«åŠçãããããšãããããŸãã
ãããã€ããŒã® DPI ãã«ããŒãšããŠéä¿¡ãããªãŒãã³ SNI ã«å¿çãããã©ããã®è¿œå ãã§ãã¯ãšããŠãä»ã®çŠæ¢ãããŠãããªãœãŒã¹ (ããšãã°ãå¥ã®ãè¯ãããã¬ã³ã ãã©ãã«ãŒ) ãè£ ã£ãŠ rutracker.nl ã«ãªã¯ãšã¹ããéä¿¡ã§ããŸãã
$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/
No response comes back from the server, because our request is blocked by the DPI system.
Brief conclusion of the first part
So, using openssl and curl, we have been able to demonstrate how eSNI works and to test eSNI-based domain fronting. In the same way, your favourite tools that use the openssl library can be adapted to work "under the guise" of other domains. We will describe this in more detail in the next article.
Source: habr.com