Re: [Sip] draft-jennings-sip-hashcash-01
Cullen Jennings <fluffy@cisco.com> Fri, 25 February 2005 16:04 UTC
Date: Fri, 25 Feb 2005 08:03:28 -0800
Subject: Re: [Sip] draft-jennings-sip-hashcash-01
From: Cullen Jennings <fluffy@cisco.com>
To: Francois Audet <audet@nortel.com>, "sip@ietf.org" <sip@ietf.org>
The idea would be to have a very skewed amount of computation to help rate limit attacks. Whatever amount of computation is "reasonable" for a valid client to do, an attacker is going to be able to apply a lot more computation to the problem. However, this still limits the number of messages the attacker can do and thus raises the cost. I discuss this somewhat in the SPAM draft.

This could all happen in different ways. Imagine a case where my enterprise proxy computes the puzzles on behalf of my phone when I call another domain. Say in a large enterprise, it has 10,000 people and during a busy hour makes 10 calls per second that are to an address external to the domain. Of these only 2 are not whitelisted. If the enterprise proxy was willing to spend say 3GHz worth of CPU at computing challenges for these 2cps, well that is a pretty hefty amount of hash that could be required.

Another way is perhaps all the UACs are willing to do about the amount of hashing that 1 second of G.729 compression would take. It's hard to imagine that most UAs (even large GWs) could not do this. This would limit the rate of attack of a single computer to in the 100s of messages per second. This is a lot less hashing than the example above but contrast this to what is possible today. Today I can send in the order of 100,000 messages per second. Increasing the cost of an attack by 1000 is good. It slows it down and gives you time to trace the source and cut it off before it is everywhere. It makes it less worthwhile to advertise products that a very very small percentage of the receivers would buy.

As discussed in the SPAM draft, you would always want to use white lists first then if the person was not on the white list fall back to something else like this.

Cullen

On 2/24/05 11:30 AM, "Francois Audet" <audet@nortel.com> wrote:

> We may need to explain some of the limitations of this. It seems to me that
> this mechanism would not be terribly appropriate for applications that
> aggregate a large number of clients onto a single platform. For example, this
> may be too computationally intensive for a large PSTN Gateway, or even a large
> Proxy.
>
> Any ideas of how a UAS would make the decision to send the 419 without
> burdening the UAC? Should there be a supported/require header for this
> functionality, so that a UAC could "opt out"?
>>
>> -----Original Message-----
>> From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On Behalf Of Cullen Jennings
>> Sent: Tuesday, February 22, 2005 16:46
>> To: sip@ietf.org
>> Subject: [Sip] draft-jennings-sip-hashcash-01
>>
>> I updated this draft on "SIP Computational Puzzles" so it has enough detail
>> to implement it. (Previous version did not). It is in the drafts directory
>> and also in HTML form at:
>>
>> http://scm.sipfoundry.org/rep/ietf-drafts/fluffy/draft-jennings-sip-hashcash-01.html
>>
>> Cullen
>
> _______________________________________________
> Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors@cs.columbia.edu for questions on current sip
> Use sipping@ietf.org for new developments on the application of sip
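The cost asymmetry discussed in this message, as an added example that is not part of the original post and does not reproduce the puzzle format of draft-jennings-sip-hashcash: a generic hashcash-style partial-preimage puzzle in which the sender searches for a counter, the receiver checks it with one hash, and the difficulty caps the sender's message rate. The SHA-256 construction, the field layout, the sample values and every function name are assumptions made for illustration.

```python
import hashlib
from itertools import count

CHALLENGE_LEN = 16  # assumed fixed-size server nonce, so the hashed fields cannot be confused


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_digest(challenge: bytes, request_id: bytes, counter: int) -> bytes:
    # Hashing the request identifier binds a solution to one request, so paid
    # work cannot be replayed on other messages.
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError("challenge must be CHALLENGE_LEN bytes")
    return hashlib.sha256(challenge + request_id + counter.to_bytes(8, "big")).digest()


def solve(challenge: bytes, request_id: bytes, bits: int):
    """Sender side: brute-force search, about 2**bits hashes on average.

    Returns (counter, hashes_tried)."""
    for counter in count():
        if leading_zero_bits(puzzle_digest(challenge, request_id, counter)) >= bits:
            return counter, counter + 1


def verify(challenge: bytes, request_id: bytes, bits: int, counter: int) -> bool:
    """Receiver side: a single hash, whatever the difficulty."""
    return leading_zero_bits(puzzle_digest(challenge, request_id, counter)) >= bits


def max_send_rate(hashes_per_second: float, bits: int) -> float:
    """Expected ceiling on puzzle-gated messages per second for one sender."""
    return hashes_per_second / 2 ** bits


if __name__ == "__main__":
    challenge = bytes(range(CHALLENGE_LEN))   # constructed sample nonce
    request = b"INVITE sip:bob@example.net"   # constructed sample request id
    counter, tried = solve(challenge, request, 16)
    print("hashes spent by sender:", tried)
    print("receiver accepts:", verify(challenge, request, 16, counter))
    print("replay on another request accepted:",
          verify(challenge, b"INVITE sip:carol@example.net", 16, counter))
    # Constructed throughput figure, not a measurement.
    print("messages/s at 1e7 hashes/s, 16 bits:", max_send_rate(1e7, 16))
```

Raising `bits` by one doubles the sender's expected work and halves the rate ceiling, while the receiver's verification cost stays at one hash.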