Re: [secdir] Secdir review of draft-ietf-p2psip-concepts-08
Dean Willis <dean.willis@softarmor.com> Thu, 10 March 2016 19:28 UTC
Return-Path: <dean.willis@softarmor.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF78E12DBFD for <secdir@ietfa.amsl.com>; Thu, 10 Mar 2016 11:28:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=softarmor.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G4QnqrbMLsX3 for <secdir@ietfa.amsl.com>; Thu, 10 Mar 2016 11:28:26 -0800 (PST)
Received: from mail-ob0-x230.google.com (mail-ob0-x230.google.com [IPv6:2607:f8b0:4003:c01::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89D3712DC22 for <secdir@ietf.org>; Thu, 10 Mar 2016 11:28:25 -0800 (PST)
Received: by mail-ob0-x230.google.com with SMTP id m7so90951128obh.3 for <secdir@ietf.org>; Thu, 10 Mar 2016 11:28:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=softarmor.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=+BWrBzYfWHtjxVswNPQqqEyGRtBL7KPNNWInttbMj+8=; b=COFzAT3vOj2/Nhkgk/e0I6SkPcKaF5oaoPs7mRQFllIxlvJaHgBs2UmVslLTW2Rt35 ruWbJUgv6Y5cr/PA2vVANVDnjzc+gEigEAuk2ZydCYQhpNgeom0wwAmED56zUMiUDikh fGcxKnaDi6HTFGZ1/Xo9SSdr4bsoROGwEbnp8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=+BWrBzYfWHtjxVswNPQqqEyGRtBL7KPNNWInttbMj+8=; b=CIB0cVW/eSBxy6YJ/rcCWeifykbg6PeR4Brx1U/QipcWUzXCC/e0C1KKsWJCgGlPhA SXhMQ1UrHFvBrnUQ8AdG2ABsOQLVy1BAETIILwi4phJb36fHpPjJT1hqlDBeui7MZkOT d1iZM5dI3pmKp3mPOsTRG2FdRBtURmk/SQj89Y9MPj/uvuIIFMgMOyhaPiSNq1QA54oT 3j2hvvs8U1wArAuSqv4PmiZeSrLBLP/FDaJVgYWpV3nFtK9IoCMWfO7kM7c3N+e/ODMs YfOQ670ZOnLCYeDnYzYubWvnLALciy5wQEqA4cKqdgt6yFf8y+OI6Col/Ao7Pe6lT04x 4UDA==
X-Gm-Message-State: AD7BkJILKe3xXmAtfO3I2ERpCsmKrwgKqrVptKIpN9H66tg7770Q0rjy4YhAUb+fjnhsHQ==
X-Received: by 10.182.225.231 with SMTP id rn7mr3423993obc.2.1457638104910; Thu, 10 Mar 2016 11:28:24 -0800 (PST)
Received: from [192.168.2.124] ([104.50.220.72]) by smtp.gmail.com with ESMTPSA id ku6sm2416231obb.25.2016.03.10.11.28.23 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 10 Mar 2016 11:28:23 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_102E1962-4957-4339-AFF8-1ED0920B0BDE"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Dean Willis <dean.willis@softarmor.com>
In-Reply-To: <CAFOuuo7MpSbTfMzAZgV1B1xVi0D4R7bwotbzTe=3RAY-O_vXhw@mail.gmail.com>
Date: Thu, 10 Mar 2016 13:28:22 -0600
Message-Id: <E1D6A68D-D2A9-4854-A28C-FB38D4E14D8F@softarmor.com>
References: <CAFOuuo7MpSbTfMzAZgV1B1xVi0D4R7bwotbzTe=3RAY-O_vXhw@mail.gmail.com>
To: Radia Perlman <radiaperlman@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/KT2bqwkKW36RPi1UVvLmADe2QKY>
Cc: The IESG <iesg@ietf.org>, draft-ietf-p2psip-concepts.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-p2psip-concepts-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2016 19:28:29 -0000
Thanks, Radia. Good catch on “the the typo.” RFC 6940 has most of the security considerations for RELOAD (the protocol that came out of this work), using the terminology from this document. In short, it boils down to the single-cert problem; the typical RELOAD overlay has a simple PKI understructure, using a singular authority (the enrollment server) that has a public key used to sign the credentials for each enrollee. RFC 5765 is, in its entirety, security considerations for P2P. You actually ask a very good question here about motivation, one that we spent a lot of time TALKING about, but apparently didn’t spend much time WRITING about. There were “scenarios” drafts that covered motivations, but they didn’t get conserved into a publication-ready state. An example is https://tools.ietf.org/html/draft-jiang-p2psip-peer-protocol-requirement-01 <https://tools.ietf.org/html/draft-jiang-p2psip-peer-protocol-requirement-01> The short answer to your concern is that the “enrollment” process happens on the order of N times, where N is the number of nodes participating in the overlay (multiplied some relatively low expiry rate). But registration and resolution (aka, rendezvous) operations are vastly more frequent, happening (at the least) every time the IP address of a node changes (or in SIP, every 30 seconds, just in case), and every time one node needs to contact another (which scales with the link-density of the network, typically an exponential). Practically speaking, an enrollment server can run on a typical LAMP stack with one box (or perhaps a redundant pair) supporting millions of users. But the rendezvous problem is more like trying to run the Internet on dynamic DNS servers — it gets gnarly quickly. Further, if enrollment breaks, no new nodes can be added, but existing nodes continue to work. But if rendezvous breaks, the whole system grinds to a halt. Rendezvous, therefore, benefits from a high level of distribution — both from a load scaling and a resilience perspective. Yet another issue is that the traditional SIP proxy/registrar represents a very rich target for interception of communications metadata. If every movement of a user and every communications between any two users is mediated by a single box, that box becomes a very high priority target. The attack surface is narrow, but the payoff is huge. The P2P routing model, on the other hand, stores relatively little information at any given node, producing a broader attack surface, but requiring vastly more nodes to be compromised before overall opsec is diminished. This is particularly significant in the scenario of a nation-state actor, who must penetrate not just the local proxy-registrar but potentially millions of foreign nodes in order to tap the metadata. So, here’s the question: Where should such motivations be documented? Do they belong in the terminology document? I can see making this into a terminology-and-rationale document. Do they belong in the protocol specifications? — Dean > On Mar 10, 2016, at 11:57, Radia Perlman <radiaperlman@gmail.com> wrote: > > (Sorry...I'm resending because I mistyped and sent to draft-ietf-p2psip-concept.all@tools.ietf.org <mailto:draft-ietf-p2psip-concept.all@tools.ietf.org> the first time) > > I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. > > This document is titled "Concepts and Terminology for Peer to Peer SIP", and as such would have no security considerations, as noted in the document. > > However, this document describes how to discover which host a client is at, instead of using a SIP proxy, by using a peer-to-peer network and DHT. > > I'd have liked a motivation for why this would be a preferable mechanism. It seems like it would be less secure, in that more things will need to be trusted. And furthermore, as this document says in section 5.4: > > "The P2PSIP WG does not impose a particular mechanism for how the > peer-ID and the credentials are obtained, but the RELOAD protocol > does specify the format for the configuration information." > > I'd think the hard problems would be things like who to get a credential from for joining the peer-to-peer group of proxies, and how that entity would decide whether you should be trusted to join the peer-to-peer group. And if there is such a trusted entity (a central administration), why wouldn't the whole discovery process be more centralized? > > Also, with a peer-to-peer DHT, it seems like there are more things that need to be trusted. Any of them acting maliciously can cause incorrect answers. > > Admittedly, I didn't read all the background documents. > > There's a minor typo in section 2.2, clearly a cut and paste error: > > "A special peer may be a member of the in the P2PSIP overlay" > > Radia > >
- [secdir] Secdir review of draft-ietf-p2psip-conce… Radia Perlman
- [secdir] Secdir review of draft-ietf-p2psip-conce… Radia Perlman
- Re: [secdir] Secdir review of draft-ietf-p2psip-c… Dean Willis
- Re: [secdir] Secdir review of draft-ietf-p2psip-c… Radia Perlman