[ppsp] One more ticket for Peer protocol security requirement issues
zhangyunfei <zhangyunfei@chinamobile.com> Fri, 04 May 2012 09:00 UTC
Return-Path: <zhangyunfei@chinamobile.com>
X-Original-To: ppsp@ietfa.amsl.com
Delivered-To: ppsp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73F5121F8649 for <ppsp@ietfa.amsl.com>; Fri, 4 May 2012 02:00:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.301
X-Spam-Level:
X-Spam-Status: No, score=-96.301 tagged_above=-999 required=5 tests=[AWL=4.075, BAYES_00=-2.599, HTML_MESSAGE=0.001, RELAY_IS_221=2.222, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VLW7zI2XPZLl for <ppsp@ietfa.amsl.com>; Fri, 4 May 2012 02:00:02 -0700 (PDT)
Received: from imss.chinamobile.com (imss.chinamobile.com [221.130.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 2087421F85F2 for <ppsp@ietf.org>; Fri, 4 May 2012 01:59:58 -0700 (PDT)
Received: from imss.chinamobile.com (localhost [127.0.0.1]) by localhost.chinamobile.com (Postfix) with ESMTP id 24297E5DE; Fri, 4 May 2012 16:59:56 +0800 (CST)
Received: from mail.chinamobile.com (unknown [10.1.28.22]) by imss.chinamobile.com (Postfix) with ESMTP id 0C14DE40A; Fri, 4 May 2012 16:59:56 +0800 (CST)
Received: from zyf-PC ([10.2.43.220]) by mail.chinamobile.com (Lotus Domino Release 6.5.6) with ESMTP id 2012050416595386-22741 ; Fri, 4 May 2012 16:59:53 +0800
Date: Fri, 04 May 2012 16:59:49 +0800
From: zhangyunfei <zhangyunfei@chinamobile.com>
To: ppsp <ppsp@ietf.org>
X-Priority: 3 (Normal)
X-Mailer: Foxmail 7.0.1.85[cn]
Mime-Version: 1.0
Message-ID: <20120504165949894797116@chinamobile.com>
X-MIMETrack: Itemize by SMTP Server on jtgsml01/servers/cmcc(Release 6.5.6|March 06, 2007) at 2012-05-04 16:59:53, Serialize by Router on jtgsml01/servers/cmcc(Release 6.5.6|March 06, 2007) at 2012-05-04 16:59:55, Serialize complete at 2012-05-04 16:59:55
Content-Type: multipart/alternative; boundary="----=_001_NextPart826730411584_=----"
X-TM-AS-Product-Ver: IMSS-7.0.0.8231-6.8.0.1017-18884.006
X-TM-AS-Result: No--5.852-7.0-31-10
X-imss-scan-details: No--5.852-7.0-31-10;No--5.852-7.0-31-10
X-TM-AS-User-Approved-Sender: No;No
X-TM-AS-User-Blocked-Sender: No;No
Subject: [ppsp] One more ticket for Peer protocol security requirement issues
X-BeenThere: ppsp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: zhangyunfei <zhangyunfei@chinamobile.com>
List-Id: discussing to draw up peer to peer streaming protocol <ppsp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppsp>, <mailto:ppsp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ppsp>
List-Post: <mailto:ppsp@ietf.org>
List-Help: <mailto:ppsp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppsp>, <mailto:ppsp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 09:00:04 -0000
Hi all, Arno proposed some new issues derived from PPSP requirements as below. It would be great that some experts would look at the mail and say if you agree with the changes Arno wants to make to the peer protocol text. Ticket #4:Review the following proposals and say if you agree with the changes. If nobody expressed any concern or alternative proposal regarding security issues (with the same deadline as ticket #1, May 26th), we propose to move on and would ask Arno to proceeds with the changes in the peer protocol draft. BR Yunfei zhangyunfei From: Arno Bakker Date: 2012-02-14 21:24 To: ppsp Subject: [ppsp] New issues derived from PPSP requirements... Hi I've gone over the requirements list in draft-ietf-ppsp-reqs-05 and identified some issues (mostly security related) that need to be discussed in the WG: > * "PPSP.REQ-8: The tracker and peer protocol together MUST facilitate > acceptable QoS (e.g. low startup delay, low channel/content switching > time and minimal end-to-end delay) for both on-demand and live > streaming, even for very popular content. The tracker and peer > protocol do not include the algorithm required for scalable > streaming. However, the tracker and peer protocol SHALL NOT restrict > or place limits on any such algorithm. > > There are basic QoS requirements for streaming system. Setup time to > receive a new streaming channel or to switch between channels should > be reasonable small. End to end delay (time between content > generation, e.g. camera and content consumption, e.g. user side > monitor) will become critical in case of live streaming. Especially > in provisioning of sports events, end to end delay of 1 minute and > more are not acceptable. > > For instance, the tracker and peer protocols can support carrying QoS > related parameters (e.g. video quality, delay requirements) together > with the priorities of these parameters, and QoS situation (e.g. > performance, available uplink bandwidth) of content providing peers. > > There are also some other possible mechanisms, e.g. addition of super > peers, in-network storage, request of alternative peer addresses, and > the usage of QoS information for an advanced peer selection." The current protocol has been designed for short-time-till-playback, unless limited by security considerations (cf. Issue #26 security of handshakes). Otherwise it operates in a best effort mode. But perhaps more is needed, as indicated in the description. Also relevant is issue 12 (=Support for UNHINT), as that helps in making requesting chunks from multiple peers at the same time efficient, as you can cancel the duplicates when you receive an answer. You may need double requests when some peers are slow and strong QoS is needed. I'd like to raise this as Issue #35. > * PPSP.PP.REQ-3: The streaming content availability request message > SHOULD allow the peer to solicit an additional list of peers to that > received from the tracker - with the same swarm ID. The reply > message MUST contain swarm-membership information of the peers that > have explicitly indicated they are part of the swarm, verifiable by > the receiver. This additional list of peers MUST only contain peers > which have been checked to be valid and online recently (e.g. prevent > hearsay and DoS). > > It is possible that a peer may need additional peers for certain > streaming content. Therefore, it is allowed that the peer > communicates with the peers in the current peer list to obtain an > additional list of peers in the same swarm. The draft uses PEX_* messages for this, hence I propose to rephrase this requirement, or declare PEX as sufficient to satisfy this requirement. > * PPSP.PP.REQ-6: The peer status report/update SHOULD be advertised > among the peers to reflect the status of the peer. > > Peer status information should be advertised among the peers via the > peer status report/update message. For example, peer status can be > online time, physical link status including DSL/WIFI/etc, battery > status, processing capability, and other capabilities of the peer. > With this information, a peer can select more appropriate peers for > streaming. I'd like to raise this as Issue #36. > * PPSP.SEC.REQ-1: PPSP MUST support closed swarms, where the peers are > authenticated. > > This ensures that only the authenticated users can access the > original media in the P2P streaming system. This can be achieved by > security mechanisms such as user authentication and/or key management > scheme. I'd like to raise this as Issue #37. In addition, I propose the following solution: The Closed Swarms [CLOSED] and Enchanced Closed Swarms [ENHCLOSED] mechanisms developed in the P2P-Next project provide swarm-level access control. The basic idea is that a peer cannot download from another peer unless it shows a Proof-of-Access. Enhanced Closed Swarms improve on the original Closed Swarms by adding on-the-wire encryption against man-in-the-middle attacks and more flexible access control rules. I propose to describe Enhanced Closed Swarms as one of the mechanisms (please put forward others if you know about them) to satisfy the requirement and include it as a Section in the WG draft. > * PPSP.SEC.REQ-2: Confidentiality of the streaming content in PPSP > SHOULD be supported and the corresponding key management scheme > SHOULD scale well in P2P streaming system. > No extra mechanism is needed in to support confidentiality in PPSPP. A content publisher wishing confidentiality should just distribute content in cyphertext / DRM-ed format. I assume a higher layer handles key management out-of-band. Alternatively, the swarm access control will point-to-point encrypt content. I'd like to raise this as Issue #38, and propose to add a paragraph to Section 7 of the draft with the explanation I just gave. > * PPSP.SEC.REQ-3: PPSP MUST provide an option to encrypt the data > exchange among the PPSP entities. > If this requirement means that all PPSPP messages should be encrypted (as opposed to just content in SEC.REQ-2), IPsec or DTLS is the obvious solution. I'd like to raise this as Issue #39, and propose to add a paragraph to Section 7 of the draft with the explanation I just gave. Furthermore, a key distribution scheme would have to be added. > * PPSP.SEC.REQ-4: PPSP MUST have mechanisms to limit potential damage > caused by malfunctioning and badly behaving peers in the P2P > streaming system. > > Such an attack will degrade the quality of the rendered media at the > receiver. For example, in a P2P live video streaming system a > polluter can introduce corrupted chunks. Each receiver integrates > into its playback stream the polluted chunks it receives from its > other neighbors. Since the peers forwards chunks to other peers, the > polluted content can potentially spread through much of the P2P > streaming network. Content integrity protection helps here. I'd like to raise this as Issue #40 and will provide a per-message analysis of issues later. > * PPSP.SEC.REQ-5: PPSP SHOULD support identifying badly behaving peers, > and exclude or reject them from the P2P streaming system. Quoting WG draft 6.3.2.3: "The Merkle tree hashing scheme allows a receiving peer to detect a malicious or faulty sender, which it can subsequently ignore. Spreading this knowledge to other peers such that they know about this bad behavior is hearsay." So we can provide protection, but to actually oust bad peers permanently from the system, access control and a reliable accusation system is needed that is itself protected against malicious peers reporting about good peers. Such a system is complex. I'd like to raise this as Issue #41, and propose to add a paragraph to Section 7 of the draft with the explanation I just gave. > * PPSP.SEC.REQ-6: PPSP MUST prevent peers from DoS attacks which will > exhaust the P2P streaming system's available resource. > > Given the prevalence of DoS attacks in the Internet, it is important > to realize that a similar threat could exist in a large-scale > streaming system where attackers are capable of consuming a lot of > resources with just a small amount of effort. Quoting WG draft 6.3.2.3: "A risk in peer-to-peer streaming systems is that malicious peers launch an Eclipse [ECLIPSE] attack on the initial injectors of the content (in particular in live streaming). The attack tries to let the injector upload to just malicious peers which then do not forward the content to others, thus stopping the distribution. An Eclipse attack could also be launched on an individual peer. Letting these injectors only use trusted trackers that provide true random samples of the population or using a secure peer sampling service [PUPPETCAST] can help negate such an attack." So we need PEX protection as discussed in the mail "Proposal to resolve Issue 17+20..." of Feb 14th. In addition, a peer A must not let other peers T1..TN fill all its available connection slots, i.e., A must initiate connections itself too, to prevent isolation. Furthermore, to prevent malicious peers consuming all upload bandwidth of a peer, there should be a limit on the upload capacity a single peer can consume, e.g. via a limit on the number of requests as in SecureStream [SECSTREAM]. A natural upper limit of this upload quotum is the bitrate of the content. Protection against amplifcation attacks such as mentioned in the mail "Proposal to solve Issue #26" of Jan 25th also help to satisfy this requirement. If you know any other resource exhaustion attacks possible, please submit them with proposals on how to solve them. I'd like to raise this as Issue #42, and propose to add paragraphs to Section 7 of the draft with the explanation I just gave. > * PPSP.SEC.REQ-7: PPSP SHOULD be robust, i.e., when centralized tracker > fails the P2P streaming system SHOULD still work by supporting > distributed trackers. We need PEX protection as discussed in the mail "Proposal to resolve Issue 17+20..." of Feb 14th. I propose to update Issue 20 to indicate that this requirement is related. > * PPSP.SEC.REQ-9: Integrity of the streaming content in PPSP MUST be > supported to provide a peer with the possibility to identify > inauthentic media content (undesirable modified by other entities > rather than its genuine source). The corresponding checksum > distribution and verification scheme SHOULD scale well in P2P > streaming system and be robust against distrustful trackers/peers. The Merkle hash trees mechanism provides content integrity protection and is already explained in the draft. Merkle hash trees can also be used for live streaming. In that context we should quote [DIGSIGFLOW], the signature amortization scheme that also uses Merkle trees. I'd like to raise adding the reference as Issue #43. Support for multiple content integrity schemes will be added when we reach concensus on Issue #10+13 (see my mail dd. Jan 18th). What do you think? CU, Arno References ---------- [CLOSED] N. Borch, K. Michell, I. Arntzen, and D. Gabrijelcic: "Access control to BitTorrent swarms using closed swarms". In Proceedings of the 2010 ACM workshop on Advanced video streaming techniques for peer-to-peer networks and social networking (AVSTP2P '10). ACM, New York, NY, USA, 25-30. http://doi.acm.org/10.1145/1877891.1877898 [ENHCLOSED] V. Jovanovikj, D. Gabrijelčič and T. Klobučar. "Access Control in BitTorrent P2P Networks Using the Enhanced Closed Swarms Protocol". In Proceedings of the Fifth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2011), pp. 97-102, Nice, France, August 2011. [SECSTREAM] Maya Haridasan and Robbert van Renesse. "SecureStream: An Intrusion-Tolerant Protocol for Live-Streaming Dissemination". The Journal of Computer Communication's Special issue on Foundation of Peer-to-Peer Computing. Volume 31 Number 2, Elsevier, 2008. [DIGSIGFLOW] Chung Kei Wong and Simon S. Lam. "Digital Signatures for Flows and Multicasts". IEEE/ACM Transactions on Networking, Volume 7, Issue 4, pp. 502-513, Aug 1999. http://dx.doi.org/10.1109/90.793005 _______________________________________________ ppsp mailing list ppsp@ietf.org https://www.ietf.org/mailman/listinfo/ppsp
- [ppsp] One more ticket for Peer protocol security… zhangyunfei
- Re: [ppsp] One more ticket for Peer protocol secu… stefano previdi