Re: [P2PSIP] Auth/boot is weakest link
"Peter Pan" <huang-ming.pan@comcast.net> Mon, 20 August 2007 20:22 UTC
Return-path: <p2psip-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1INDle-0003uP-C3; Mon, 20 Aug 2007 16:22:30 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1INDld-0003nZ-7S for p2psip@ietf.org; Mon, 20 Aug 2007 16:22:29 -0400
Received: from alnrmhc15.comcast.net ([204.127.225.95]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1INDlb-00006F-UQ for p2psip@ietf.org; Mon, 20 Aug 2007 16:22:29 -0400
Received: from home2000 (c-76-21-99-127.hsd1.ca.comcast.net[76.21.99.127]) by comcast.net (alnrmhc15) with SMTP id <20070820202226b1500bggu0e>; Mon, 20 Aug 2007 20:22:27 +0000
Message-ID: <003c01c7e368$5a9533e0$030aa8c0@comcast.net>
From: Peter Pan <huang-ming.pan@comcast.net>
To: David Barrett <dbarrett@quinthar.com>, 'Hannes Tschofenig' <Hannes.Tschofenig@gmx.net>
References: <E1INDNo-0001wA-KC@megatron.ietf.org>
Subject: Re: [P2PSIP] Auth/boot is weakest link
Date: Mon, 20 Aug 2007 13:26:12 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2741.2600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2742.200
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e472ca43d56132790a46d9eefd95f0a5
Cc: p2psip@ietf.org
X-BeenThere: p2psip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Peer-to-Peer SIP working group discussion list <p2psip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/p2psip>, <mailto:p2psip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/p2psip>
List-Post: <mailto:p2psip@ietf.org>
List-Help: <mailto:p2psip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/p2psip>, <mailto:p2psip-request@ietf.org?subject=subscribe>
Errors-To: p2psip-bounces@ietf.org
do u mean that we should turn our heads away from dht technologies? another question, can existing dns infrastructure carry millions or even billions of individual sip ua's without overhaul? thank u. pp ----- Original Message ----- From: "David Barrett" <dbarrett@quinthar.com> To: "'Hannes Tschofenig'" <Hannes.Tschofenig@gmx.net> Cc: <p2psip@ietf.org> Sent: Monday, August 20, 2007 12:57 PM Subject: RE: [P2PSIP] Auth/boot is weakest link > Well, DNS and mDNS are proven solutions to the problem of resolving names to > IP addresses, and thus were tossed out as candidate solutions for resolving > SIP names to UA IP addresses. In summary it'd work like this: > > 1) Users purchase DNS names from any registrar supporting dynamic DNS > 2) When you install a SIP UA, you plug in your domain name > 3) When your UA starts up, it updates your DNS name to resolve to your IP > 4) Furthermore, it listens on the mDNS port for attempts to resolve your DNS > 5) When you call me, your UA just resolves my DNS name to get my IP > 6) If that fails, it also tries an mDNS broadcast to see if we're on a LAN > > The result is you get authentication (performed by the DNS registrar) and > rendezvous (performed by DNS/mDNS) without depending upon any single > provider: rather than Skype, Inc. being wholly responsible for (and having > complete control over) all P2P calls, every user has the legal and technical > right to switch entirely to a different provider. It's still "centralized" > in the sense that it depends upon centrally hosted servers, but it's > "distributed" between many technical and legal entities. > > To give an example: > 1) I purchase "quinthar.com" from any dynamic-DNS registrar [1] > 2) I install my SIP UA and tell it my name is "dbarrett.quinthar.com" > 3) On startup, it figures out my latest IP address, and uses dynamic DNS to > update the record for "dbarrett.quinthar.com" to resolve to my laptop. > 4) Likewise, it listens on the mDNS port to see if anybody tries to resolve > "dbarrett.quinthar.com" > 5) When you call me, your UA does a totally-standard DNS resolve on > "dbarrett.quinthar.com" and comes up with my laptop's IP address > 6) Alternatively, if we're on an ad-hoc network in the middle of a desert > and for some reason yelling is insufficient, you broadcast an mDNS request > on the WLAN for "dbarrett.quinthar.com" and my UA responds with my WLAN IP > address. > > At any point, you or I can change our DNS registrars and the system > continues to function as normal. Indeed, even if the provider of our SIP > software (eg, Skype) goes out of business or is taken over by a malevolent > force, it has absolutely no knowledge of or control over our calls. > > [1] > http://www.dmoz.org/Computers/Software/Internet/Servers/Address_Management/D > ynamic_DNS_Services/ > > > We had a *long* discussion on this last year, with Adam Fisk first > suggesting the use of dynamic DNS: > > http://www1.ietf.org/mail-archive/web/p2psip/current/msg01632.html > > And then Matthew Kaufman suggesting adding mDNS to the mix: > > http://www1.ietf.org/mail-archive/web/p2psip/current/msg01688.html > > I summarized how the combination of the two (I didn't know about mDNS at the > time, so I was theorizing some "P2P-DNS") effectively cover all the P2PSIP > use cases, without all the hassle of a DHT: > > http://www1.ietf.org/mail-archive/web/p2psip/current/msg01679.html > > > Now, that's all background. As for how this would help Skype, that's not > entirely clear given it's not clear what precise problem Skype suffered. > Indeed, their explanation that it was due to a massive restart surge > triggered by Windows Update seems really unlikely to me. > > But, assuming that's true, the system above would fare much better because > it is geographically distributed over many more servers, managed by a > variety of entirely distinct legal entities, and constructed from a wide > diversity of hardware and software. It uses standard, open protocols, all > of which already exist today and have been proven at scale. It works as > well from your office as it does in a post-Katrina disaster zone. > > Anyway, now you've got me riled up talking about it, but it probably isn't > useful to revisit and rehash the former inconclusive debate. > > Regardless, the reason I brought it up is I'm curious what other options are > on the table for bootstrapping/authentication/rendezvous. I've mentioned > dynamic-DNS/mDNS and provided some summary around that. Can you provide > some summary around alternative solutions? > > Brian Rosen put forward some general guidelines and requirements around a > solution (which, incidentally, I think the above dynDNS/mDNS solution > meets). Brian -- Can you give any more detail on this? > > -david > > PS: I haven't read the drafts you mentioned; I'll take a look but they look > good at first glance! > > > -----Original Message----- > > From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net] > > Sent: Monday, August 20, 2007 2:38 AM > > To: David Barrett > > Cc: p2psip@ietf.org > > Subject: Re: [P2PSIP] Auth/boot is weakest link > > > > Hi David, > > > > could you explain a bit more why you think that mDNS would help to solve > > the problems Skype faced? > > > > When you talk about mDNS then do you have these solutions in mind? > > http://tools.ietf.org/id/draft-lee-sip-dns-sd-uri-01.txt > > http://www.xmpp.org/extensions/xep-0174.html > > > > Ciao > > Hannes > > > > David Barrett wrote: > > > Any thoughts on the latest Skype debacle? > > > > > > Generally Skype is held up as justification of the power of p2p voip. > > > However, as clearly evidenced in the past week, a system is only as > > > decentralized as its most centralized link: in this case, > > > bootstrapping and authentication. > > > > > > What's the latest thinking about how p2psip would fare better? > > > > > > While no official position has been taken on the issue, it's been > > > argued that a combination of DNS/mDNS makes a good candidate. (Though > > > technically centralized, it's highly redundant and distributed, as > > > well as decentralized in a legal sense -- especialy when compared to > > > Skype!) > > > > > > What other options are on the table for providing authentication and > > > bootstrapping in a way that's superior to Skype? > > > > > > -david > > > > > > _______________________________________________ > > > P2PSIP mailing list > > > P2PSIP@ietf.org > > > https://www1.ietf.org/mailman/listinfo/p2psip > > > _______________________________________________ > P2PSIP mailing list > P2PSIP@ietf.org > https://www1.ietf.org/mailman/listinfo/p2psip _______________________________________________ P2PSIP mailing list P2PSIP@ietf.org https://www1.ietf.org/mailman/listinfo/p2psip
- [P2PSIP] Auth/boot is weakest link David Barrett
- Re: [P2PSIP] Auth/boot is weakest link Hannes Tschofenig
- RE: [P2PSIP] Auth/boot is weakest link Brian Rosen
- RE: [P2PSIP] Auth/boot is weakest link David Barrett
- Re: [P2PSIP] Auth/boot is weakest link Peter Pan
- RE: [P2PSIP] Auth/boot is weakest link David Barrett
- Re: [P2PSIP] Auth/boot is weakest link Peter Pan
- RE: [P2PSIP] Auth/boot is weakest link David Barrett
- Re: [P2PSIP] Auth/boot is weakest link Peter Pan
- Re: [P2PSIP] Auth/boot is weakest link Philip Matthews