IETF Logo Mail Archive

[P2PSIP] Re: Comments on draft-jennings-p2psip-security-00

Cullen Jennings <fluffy@cisco.com> Fri, 09 March 2007 20:36 UTC

Return-path: <p2psip-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HPlpU-000319-A8; Fri, 09 Mar 2007 15:36:44 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HPlpT-000313-CS for p2psip@ietf.org; Fri, 09 Mar 2007 15:36:43 -0500
Received: from sj-iport-4.cisco.com ([171.68.10.86]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HPlpR-000566-OW for p2psip@ietf.org; Fri, 09 Mar 2007 15:36:43 -0500
Received: from sj-dkim-6.cisco.com ([171.68.10.81]) by sj-iport-4.cisco.com with ESMTP; 09 Mar 2007 12:36:40 -0800
X-IronPort-AV: i="4.14,268,1170662400"; d="scan'208"; a="47076977:sNHT82881792"
Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-6.cisco.com (8.12.11/8.12.11) with ESMTP id l29Kae6V006892; Fri, 9 Mar 2007 12:36:40 -0800
Received: from [192.168.4.177] (sjc-fluffy-vpn1.cisco.com [10.25.236.82]) by sj-core-4.cisco.com (8.12.10/8.12.6) with SMTP id l29KadxS003772; Fri, 9 Mar 2007 20:36:39 GMT
In-Reply-To: <F4859B43-15B4-4F44-B2CA-63C88A06EBEE@magma.ca>
References: <F4859B43-15B4-4F44-B2CA-63C88A06EBEE@magma.ca>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <75E84FB8-70D2-4595-B1A5-E05D65386088@cisco.com>
Content-Transfer-Encoding: 7bit
From: Cullen Jennings <fluffy@cisco.com>
Date: Fri, 09 Mar 2007 12:36:18 -0800
To: Philip Matthews <philip_matthews@magma.ca>
X-Mailer: Apple Mail (2.752.3)
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=8449; t=1173472600; x=1174336600; c=relaxed/simple; s=sjdkim6002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fluffy@cisco.com; z=From:=20Cullen=20Jennings=20<fluffy@cisco.com> |Subject:=20Re=3A=20Comments=20on=20draft-jennings-p2psip-security-00 |Sender:=20; bh=foH90lqcGujf1K0ijFVA5HtM7pK5WXhtGCXY8PYVGhs=; b=gbKdV2piVH6yRhzHJ/RHgJpga2m8oIDIdoO02IVHeg6nQ3+kwoRysHHtX9r2jLhjKMT/9Oy9 qbRDV3jwshR9pjVuiAhyXnJWxXngrw09OCJcy86n9nxjjeYAe2B/lEss;
Authentication-Results: sj-dkim-6; header.From=fluffy@cisco.com; dkim=pass ( sig from cisco.com/sjdkim6002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 31b28e25e9d13a22020d8b7aedc9832c
Cc: P2PSIP Mailing List <p2psip@ietf.org>
Subject: [P2PSIP] Re: Comments on draft-jennings-p2psip-security-00
X-BeenThere: p2psip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Peer-to-Peer SIP working group discussion list <p2psip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/p2psip>, <mailto:p2psip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/p2psip>
List-Post: <mailto:p2psip@ietf.org>
List-Help: <mailto:p2psip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/p2psip>, <mailto:p2psip-request@ietf.org?subject=subscribe>
Errors-To: p2psip-bounces@ietf.org

On Mar 8, 2007, at 4:37 PM, Philip Matthews wrote:

> Hi Cullen:
>
> I read your draft on security draft-jennings-p2psip-security-00.
> and thought it had some interesting ideas.
> Here are some comments and questions that I have.
> I have adopted Spencer's style of mixing paragraphs from the document
> with embedded comments prefixed by "Philip:"
>
> - Philip
>
> ------------
> [snip]
>    When a client wants to store some information in a record, they  
> sent
>    a request that has:  their AOR, the record type name, the time, the
>    data to store in the record, and MUST include a signature over all
>    that information.  When a peer goes to store the information, it  
> MUST
>
> Philip: When you say "client" and "peer", are you using these terms as
> defined in the P2PSIP Concepts document? My guess is that you
> are using the word "client" in the SIP meaning, not in the P2PSIP  
> meaning.

I was trying to stay consistent with the Concepts document but I'm  
sure I messed up in places. Any help fixing up my terminology would  
be much appreciated.

>
>    check that the signature is correct.  It SHOULD also check that the
>    data looks appropriate for this type of record given by checking
>    things like the size of the data is in an appropriate range.   
> When a
>    client retrieves data out of the DHT, it retrieves all the
>    information that was signed and SHOULD verify the signature on the
>    data.
>
> Philip: This seems similar to the proposal in draft-singh-p2p-sip-01.
> Can you comment on this?
Uh, no comment :-) seriously - I have not read latest version of  
singh yet but I will read it  before the meeting - I'm not at all  
surprised that they would have same thing - we talked about this at  
some of the prior meetings

>
>    Open Issue:  how do we want to deal with checking time and also  
> does
>    the data have a Time To Live (TTL).
>
>    Open Issue:  do we pass the certificate with the signature or do we
>    provide some alternative scheme to get the certificates.  I am
>    leaning towards pass the certificate along with the signature.  A
>    problem with this is the message size.  A possible problem with not
>
> Philip: Are your worried about size in sending the message or in  
> storing
> the data?  That is, if we used for example TCP transport (i.e., not  
> UDP),
> then would your concerns go away?

Well there are many ways we could skin this cat - in the end I  
suspect that the what works best for NAT traversal will be the  
dominating factor for choosing the design.

>
>    doing it is that the signature are used to verify the constructions
>    of the routing architecture and assuming that the routing
>    architecture is in place before a signature can be checked may lead
>    to problems.
>
>
> 4.  Routing Protection Architecture
>
>    The goal of protecting the routing is stopping attacker from
>    performing a DOS attack on they system by misrouting requests in  
> the
>    DHT.  The data is already protected by the data protection scheme
>    above so an attacker can't tamper with the data in a way the user
>    can't detect but an attacker can make it look like no data is
>    available.  There are a few obvious observation to make about this.
>    First, it is easy to ensure that attacker at least has to have an
>    valid enrollment with this particular DHT.  Second, this is a DOS
>    attack and the value of successfully executing it is fairly low.
>    Third, if a larger percentage of the peers on the DHT are  
> controlled
>    by the attacker, it is probably impossible to perfectly secure  
> this.
>
>    When a peer sends a request that modifies the routing in the  
> DHT, it
>    MUST sign the request on behalf of a user that is currently
>    responsible for the peer using that users certificate.  A peer that
>    is changing the routing state based on this request to check the
>    signature before performing the request.
>
> Philip: There are a number of things I don't understand here.
yah - it is poorly written

> Can you give some examples of what you mean by
> "a request that modified the routing"?  For example, do you mean
> "setting up a new Peer Protocol connection"?
I mean a peer protocol messages that changes the finger table (or  
whatever that's DHTs equivalent is for the things the DHT uses to  
decide how to route requests and DHT update messages)

> And how does signing such requests help prevent DOS attacks?
> I can see how it might help us catch the peer that did the attack,
> but this is very much after the fact.
I think the after the fact sill has significant value - particularly  
if you have a way of slowly revoking the account. You can also do  
things where nodes can detect one user trying to be many things at  
once when it actually should only be one things and this makes it  
harder to hijack large portions of the DHT search space.

> Finally, why sign this with a user's certificate? Why not sign this
> with the certificate of the peer? (As documented in Concepts-04,
> we have already agreed that peers must have certificates to
> join the overlay.)

Uh agree and disagree here. I have not heard anyone explain why we  
need both peer and users certificates so I am assuming that where you  
need a peer certificate, you just use the user certificate for some  
users that is authorizing the peer to use it. The problem with peer  
certificates has to do do with what their names are.  If we don't  
need to introduce a whole new security namespace for peers, it is  
easier to just have users certificates.

>
>
>    To reduce attacks on routing, the design tries to limit the ability
>    of an attacker to place peers at arbitrary locations in the DHT.
>    Some possible ways to do this are:
>
>    L1:  Limiting IP addresses:  Other systems have done this by  
> forcing
>         the peer id to be a hash of a combination of the peers IP and
>         port however this approach does not work with IPv6 where the
>         users have an arbitrary number of IP addresses and the  
> scheme is
>         also difficult to make work with IPv4 and NATs.
>    L2:  Limiting by AOR:  The first step to doing this is limiting the
>         number of AORs an attacker can enroll in the system.  How  
> to do
>         this is out of scope.  The next step would be forcing a  
> peer ID
>         to have the high order bits formed from an hash of the AOR and
>         some low order bits chosen randomly or hashed from the IP
>         address and port.  Peers would check the Peer ID was  
> appropriate
>         for the given users that signed the request.
>
> Philip: What do you see as the AOR of a peer?
I have no idea which is exactly one of the reason I would rather not  
have peer certificates if we don't need them.

> Are you thinking of
> the scheme you, Bruce, and David are using in the dSIP draft?
no - I don't see that as consistent with this draft (it could easily  
be changed to be consistent with this but I don't think it is yet).

> If so, I don't quite see how this would work.
(uh, yah, I don't see how having the peers have AOR will work either :-)

> It seems that your peer-id
> would depend on itself.
> [For other readers of this message, those URIs look like:
>           peer@<hostport>; peer-id=<peerid>
> where <hostport> is an IP address and port and <peerid> is a peer-id].
> Moreover, the other unique part is the <hostport>, so this falls  
> back to
> option L1.
>
>    L3:  Limited by assignment at enrollment:  When enrolling, the user
>         would be given a small set of peer IDs for their use.  This is
>         effectively equivalent to Limited by AOR but has the addition
>         complexity of the certificates become more complex as a peer
>         would need to sign with the appropriate peer id as well as the
>         AOR.
>
>
>
> 5.  Mapping to SIP
>
>    There are several ways this could be mapped to SIP.
>
> Philip: Is this section making the assumption that the Peer Protocol
> is SIP? Otherwise, I don't understand what this has to do with SIP.

I should have made this clearer - the whole document before this  
section apples to any peer protocol. This section only applies if the  
peer protocol is SIP.

_______________________________________________
P2PSIP mailing list
P2PSIP@ietf.org
https://www1.ietf.org/mailman/listinfo/p2psip

v2.23.0 | Report a Bug | By Email