IETF Logo Mail Archive

RE: [P2PSIP] Re: Comments on draft-jennings-p2psip-security-00

<marcin.matuszewski@nokia.com> Mon, 19 March 2007 10:24 UTC

Return-path: <p2psip-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTF2u-0006nO-IV; Mon, 19 Mar 2007 06:24:56 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTF2t-0006nI-Aw for p2psip@ietf.org; Mon, 19 Mar 2007 06:24:55 -0400
Received: from smtp.nokia.com ([131.228.20.170] helo=mgw-ext11.nokia.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HTF2s-0007pi-9y for p2psip@ietf.org; Mon, 19 Mar 2007 06:24:55 -0400
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-ext11.nokia.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id l2JAObGm004550; Mon, 19 Mar 2007 12:24:48 +0200
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 19 Mar 2007 12:24:27 +0200
Received: from esebe102.NOE.Nokia.com ([172.21.138.217]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 19 Mar 2007 12:24:27 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [P2PSIP] Re: Comments on draft-jennings-p2psip-security-00
Date: Mon, 19 Mar 2007 12:24:37 +0200
Message-ID: <3F18E76823C95E4795181D74BAC7664F03E93940@esebe102.NOE.Nokia.com>
In-Reply-To: <DE412EAE-5DB5-46C5-A30C-1396900BD727@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [P2PSIP] Re: Comments on draft-jennings-p2psip-security-00
thread-index: AcdpsReIWujIcpwSRGi0GGDJdrxltQAVxZZQ
References: <F4859B43-15B4-4F44-B2CA-63C88A06EBEE@magma.ca><75E84FB8-70D2-4595-B1A5-E05D65386088@cisco.com><4d4304a00703181157jc2cfde6m5ab5e1a1ac905f9d@mail.gmail.com> <DE412EAE-5DB5-46C5-A30C-1396900BD727@cisco.com>
From: marcin.matuszewski@nokia.com
To: fluffy@cisco.com, dbryan@sipeerior.com
X-OriginalArrivalTime: 19 Mar 2007 10:24:27.0748 (UTC) FILETIME=[C6036240:01C76A10]
X-eXpurgate-Category: 1/0
X-eXpurgate-ID: 149371::070319122449-10196BB0-174FAFCE/0-0/0-1
X-Nokia-AV: Clean
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 32a65c0bf5eb4ec26489239c7cdd0636
Cc: philip_matthews@magma.ca, p2psip@ietf.org
X-BeenThere: p2psip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Peer-to-Peer SIP working group discussion list <p2psip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/p2psip>, <mailto:p2psip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/p2psip>
List-Post: <mailto:p2psip@ietf.org>
List-Help: <mailto:p2psip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/p2psip>, <mailto:p2psip-request@ietf.org?subject=subscribe>
Errors-To: p2psip-bounces@ietf.org

Hi,

I agree with Cullen. Every device has an owner (an individual person or
an organization). A device typically do not behave maliciously. This is
the owner that may try to attack a system using the device. And even if
there are many admins, they typically belong to the same organization
(they represent the organization).

Can a peerID change? If the peerID is based on an IP address then the
peerID changes when the device moves from one subnet to another.

PeerID can also be designed so it includes location information.

Marcin

>-----Original Message-----
>From: ext Cullen Jennings [mailto:fluffy@cisco.com] 
>Sent: 19 March, 2007 00:57
>To: David Bryan
>Cc: Philip Matthews; P2PSIP Mailing List
>Subject: Re: [P2PSIP] Re: Comments on draft-jennings-p2psip-security-00
>
>
>I think one of the key consideration here has to do with what 
>you are using the peer certificate for. In the end it has to 
>do with assigning some trust and traceability about the 
>operator of the device. A device ID is sort of lousy for this 
>- what you actually want to know is something more about the 
>user that is operating the device. Think about, what do you 
>think might end up being more useful, "the MAC address of the 
>machine that is hijacking your calls is 123456" or "the 
>operator of the machine that is hijacking your calls is 
>fluffy@example.com". What I am suggesting here is that all 
>peer software is operated and run by some users. And that user 
>has to has to be enrolled on the DHT and the uses that users 
>credentials for describing what user that devices is operating 
>the device. I understand that you could have a device with no 
>users, but why? It greatly complicates making assertion about 
>the device if you have to be able to do that independent of 
>any user. Even a bootstrap node is run by some user.
>
>Let me flip the questions around, what security feature can 
>you provide by having two types of certificates?
>
>Cullen <with my individual hat on>
>
>
>
>On Mar 18, 2007, at 7:57 PM, David A. Bryan wrote:
>
>> Forgot to reply this...also possibly the wrong thread for 
>this, should 
>> maybe have posted in the other thread about certificates.
>>
>> There may be cases where we need a separate peerID in the sense that 
>> the device has no associated user. I'm thinking things like 
>gateways, 
>> or even a bootstrap if you have a persistent box somewhere 
>to help you 
>> bootstrap on.
>>
>> May only be corner cases, however. Maybe a user "bootstrap" or 
>> something...
>>
>> David
>>
>> On 3/9/07, Cullen Jennings <fluffy@cisco.com> wrote:
>> >
>> > On Mar 8, 2007, at 4:37 PM, Philip Matthews wrote:
>> >
>> > > Hi Cullen:
>> > >
>> > > I read your draft on security draft-jennings-p2psip-security-00.
>> > > and thought it had some interesting ideas.
>> > > Here are some comments and questions that I have.
>> > > I have adopted Spencer's style of mixing paragraphs from the
>> document
>> > > with embedded comments prefixed by "Philip:"
>> > >
>> > > - Philip
>> > >
>> > > ------------
>> > > [snip]
>> > >    When a client wants to store some information in a 
>record, they 
>> > > sent
>> > >    a request that has:  their AOR, the record type name, the
>> time, the
>> > >    data to store in the record, and MUST include a signature
>> over all
>> > >    that information.  When a peer goes to store the
>> information, it
>> > > MUST
>> > >
>> > > Philip: When you say "client" and "peer", are you using these
>> terms as
>> > > defined in the P2PSIP Concepts document? My guess is 
>that you are 
>> > > using the word "client" in the SIP meaning, not in the P2PSIP 
>> > > meaning.
>> >
>> > I was trying to stay consistent with the Concepts document but I'm 
>> > sure I messed up in places. Any help fixing up my 
>terminology would 
>> > be much appreciated.
>> >
>> > >
>> > >    check that the signature is correct.  It SHOULD also check
>> that the
>> > >    data looks appropriate for this type of record given by
>> checking
>> > >    things like the size of the data is in an appropriate range.
>> > > When a
>> > >    client retrieves data out of the DHT, it retrieves all the
>> > >    information that was signed and SHOULD verify the signature
>> on the
>> > >    data.
>> > >
>> > > Philip: This seems similar to the proposal in draft-singh-p2p-
>> sip-01.
>> > > Can you comment on this?
>> > Uh, no comment :-) seriously - I have not read latest version of 
>> > singh yet but I will read it  before the meeting - I'm not at all 
>> > surprised that they would have same thing - we talked 
>about this at 
>> > some of the prior meetings
>> >
>> > >
>> > >    Open Issue:  how do we want to deal with checking 
>time and also 
>> > > does
>> > >    the data have a Time To Live (TTL).
>> > >
>> > >    Open Issue:  do we pass the certificate with the signature
>> or do we
>> > >    provide some alternative scheme to get the certificates.  I am
>> > >    leaning towards pass the certificate along with the
>> signature.  A
>> > >    problem with this is the message size.  A possible problem
>> with not
>> > >
>> > > Philip: Are your worried about size in sending the message or in 
>> > > storing the data?  That is, if we used for example TCP transport 
>> > > (i.e.,
>> not
>> > > UDP),
>> > > then would your concerns go away?
>> >
>> > Well there are many ways we could skin this cat - in the end I 
>> > suspect that the what works best for NAT traversal will be the 
>> > dominating factor for choosing the design.
>> >
>> > >
>> > >    doing it is that the signature are used to verify the
>> constructions
>> > >    of the routing architecture and assuming that the routing
>> > >    architecture is in place before a signature can be checked
>> may lead
>> > >    to problems.
>> > >
>> > >
>> > > 4.  Routing Protection Architecture
>> > >
>> > >    The goal of protecting the routing is stopping attacker from
>> > >    performing a DOS attack on they system by misrouting
>> requests in
>> > > the
>> > >    DHT.  The data is already protected by the data protection
>> scheme
>> > >    above so an attacker can't tamper with the data in a way the
>> user
>> > >    can't detect but an attacker can make it look like no data is
>> > >    available.  There are a few obvious observation to make
>> about this.
>> > >    First, it is easy to ensure that attacker at least has to
>> have an
>> > >    valid enrollment with this particular DHT.  Second, this is
>> a DOS
>> > >    attack and the value of successfully executing it is fairly
>> low.
>> > >    Third, if a larger percentage of the peers on the DHT are 
>> > > controlled
>> > >    by the attacker, it is probably impossible to 
>perfectly secure 
>> > > this.
>> > >
>> > >    When a peer sends a request that modifies the routing in the 
>> > > DHT, it
>> > >    MUST sign the request on behalf of a user that is currently
>> > >    responsible for the peer using that users certificate.  A
>> peer that
>> > >    is changing the routing state based on this request to check
>> the
>> > >    signature before performing the request.
>> > >
>> > > Philip: There are a number of things I don't understand here.
>> > yah - it is poorly written
>> >
>> > > Can you give some examples of what you mean by "a request that 
>> > > modified the routing"?  For example, do you mean 
>"setting up a new 
>> > > Peer Protocol connection"?
>> > I mean a peer protocol messages that changes the finger table (or 
>> > whatever that's DHTs equivalent is for the things the DHT uses to 
>> > decide how to route requests and DHT update messages)
>> >
>> > > And how does signing such requests help prevent DOS attacks?
>> > > I can see how it might help us catch the peer that did 
>the attack, 
>> > > but this is very much after the fact.
>> > I think the after the fact sill has significant value - 
>particularly 
>> > if you have a way of slowly revoking the account. You can also do 
>> > things where nodes can detect one user trying to be many things at 
>> > once when it actually should only be one things and this makes it 
>> > harder to hijack large portions of the DHT search space.
>> >
>> > > Finally, why sign this with a user's certificate? Why not sign
>> this
>> > > with the certificate of the peer? (As documented in Concepts-04, 
>> > > we have already agreed that peers must have certificates to join 
>> > > the overlay.)
>> >
>> > Uh agree and disagree here. I have not heard anyone explain why we 
>> > need both peer and users certificates so I am assuming that where
>> you
>> > need a peer certificate, you just use the user certificate 
>for some 
>> > users that is authorizing the peer to use it. The problem 
>with peer 
>> > certificates has to do do with what their names are.  If we don't 
>> > need to introduce a whole new security namespace for peers, it is 
>> > easier to just have users certificates.
>> >
>> > >
>> > >
>> > >    To reduce attacks on routing, the design tries to limit the
>> ability
>> > >    of an attacker to place peers at arbitrary locations in the
>> DHT.
>> > >    Some possible ways to do this are:
>> > >
>> > >    L1:  Limiting IP addresses:  Other systems have done this by 
>> > > forcing
>> > >         the peer id to be a hash of a combination of the peers
>> IP and
>> > >         port however this approach does not work with IPv6
>> where the
>> > >         users have an arbitrary number of IP addresses and the 
>> > > scheme is
>> > >         also difficult to make work with IPv4 and NATs.
>> > >    L2:  Limiting by AOR:  The first step to doing this is
>> limiting the
>> > >         number of AORs an attacker can enroll in the 
>system.  How 
>> > > to do
>> > >         this is out of scope.  The next step would be forcing a 
>> > > peer ID
>> > >         to have the high order bits formed from an hash of the
>> AOR and
>> > >         some low order bits chosen randomly or hashed from the IP
>> > >         address and port.  Peers would check the Peer ID was 
>> > > appropriate
>> > >         for the given users that signed the request.
>> > >
>> > > Philip: What do you see as the AOR of a peer?
>> > I have no idea which is exactly one of the reason I would 
>rather not 
>> > have peer certificates if we don't need them.
>> >
>> > > Are you thinking of
>> > > the scheme you, Bruce, and David are using in the dSIP draft?
>> > no - I don't see that as consistent with this draft (it 
>could easily 
>> > be changed to be consistent with this but I don't think it is yet).
>> >
>> > > If so, I don't quite see how this would work.
>> > (uh, yah, I don't see how having the peers have AOR will work
>> either :-)
>> >
>> > > It seems that your peer-id
>> > > would depend on itself.
>> > > [For other readers of this message, those URIs look like:
>> > >           peer@<hostport>; peer-id=<peerid> where 
><hostport> is an 
>> > > IP address and port and <peerid> is a
>> peer-id].
>> > > Moreover, the other unique part is the <hostport>, so this falls 
>> > > back to option L1.
>> > >
>> > >    L3:  Limited by assignment at enrollment:  When enrolling,
>> the user
>> > >         would be given a small set of peer IDs for their use.   
>> This is
>> > >         effectively equivalent to Limited by AOR but has the
>> addition
>> > >         complexity of the certificates become more complex as a
>> peer
>> > >         would need to sign with the appropriate peer id as well
>> as the
>> > >         AOR.
>> > >
>> > >
>> > >
>> > > 5.  Mapping to SIP
>> > >
>> > >    There are several ways this could be mapped to SIP.
>> > >
>> > > Philip: Is this section making the assumption that the Peer
>> Protocol
>> > > is SIP? Otherwise, I don't understand what this has to do with
>> SIP.
>> >
>> > I should have made this clearer - the whole document before this 
>> > section apples to any peer protocol. This section only applies if
>> the
>> > peer protocol is SIP.
>> >
>> > _______________________________________________
>> > P2PSIP mailing list
>> > P2PSIP@ietf.org
>> > https://www1.ietf.org/mailman/listinfo/p2psip
>> >
>>
>>
>> --
>> David A. Bryan
>> dbryan@SIPeerior.com
>> +1.757.565.0101 x101
>> +1.757.565.0088 (fax)
>> www.SIPeerior.com
>>
>
>_______________________________________________
>P2PSIP mailing list
>P2PSIP@ietf.org
>https://www1.ietf.org/mailman/listinfo/p2psip
>

_______________________________________________
P2PSIP mailing list
P2PSIP@ietf.org
https://www1.ietf.org/mailman/listinfo/p2psip

v2.23.0 | Report a Bug | By Email