IETF Logo Mail Archive

Re: [Sip] draft-jennings-sip-hashcash-01

Michael Thomas <mat@cisco.com> Wed, 02 March 2005 18:54 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA13745 for <sip-web-archive@ietf.org>; Wed, 2 Mar 2005 13:54:14 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D6Z0M-0007xS-RQ for sip-web-archive@ietf.org; Wed, 02 Mar 2005 13:55:31 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D6Yxf-0004RU-LM; Wed, 02 Mar 2005 13:52:43 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D6Yxd-0004RP-Ji for sip@megatron.ietf.org; Wed, 02 Mar 2005 13:52:41 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA13661 for <sip@ietf.org>; Wed, 2 Mar 2005 13:52:38 -0500 (EST)
Received: from sj-iport-3-in.cisco.com ([171.71.176.72] helo=sj-iport-3.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D6Yyq-0007v5-Ai for sip@ietf.org; Wed, 02 Mar 2005 13:53:57 -0500
Received: from sj-core-2.cisco.com (171.71.177.254) by sj-iport-3.cisco.com with ESMTP; 02 Mar 2005 12:08:24 +0000
X-BrightmailFiltered: true
X-Brightmail-Tracker: AAAAAA==
X-IronPort-AV: i="3.90,130,1107734400"; d="asc'?scan'208"; a="230802854:sNHT54528136"
Received: from imail.cisco.com (imail.cisco.com [128.107.200.91]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id j22IqQq8007305; Wed, 2 Mar 2005 10:52:26 -0800 (PST)
Received: from thomasm-lnx.cisco.com (thomasm-lnx.cisco.com [171.71.96.50]) by imail.cisco.com (8.12.11/8.12.10) with ESMTP id j22IkSu1007867; Wed, 2 Mar 2005 10:46:28 -0800
Subject: Re: [Sip] draft-jennings-sip-hashcash-01
From: Michael Thomas <mat@cisco.com>
To: Jonathan Rosenberg <jdrosen@cisco.com>
In-Reply-To: <4225924C.6030100@cisco.com>
References: <1ECE0EB50388174790F9694F77522CCF01980E18@zrc2hxm0.corp.nortel.com> <4225924C.6030100@cisco.com>
Organization: Cisco Systems
Message-Id: <1109789547.22395.2.camel@thomasm-lnx.cisco.com>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6
Date: Wed, 02 Mar 2005 10:52:27 -0800
IIM-SIG: v:"1.1"; h:"imail.cisco.com"; d:"cisco.com"; z:"home"; m:"krs"; t:"1109789188.696144"; x:"432200"; a:"rsa-sha1"; b:"nofws:6912"; e:"Iw=="; n:"sQYarK2E51MdcTiUqeif3F7cWdxIfoCiXhdfb9vD5ee/j0jXL15gbFxF2p" "XIweAblu0N6XAgK7k+wrbr7bQDJaCDqOmzqpRUBjIRQAXQ7NzadpmR3pUL6wxaRUtW+c43sl9jC" "50Qg1sXHpPjt8Y+Y16ioyQAQAdSunM4YhevURc="; s:"NJGYe8IcFFUZIKhmaiVVtbtjWEekYBtQRTKVsJmTrSmzWOmC43qg/89bGrSGQHi/9KMe7BLX" "ls7SUCnI6ClQMrq+bPh8eBG/uFlsksc5FVEU+Ot4ejsFPUrf+wkGbjY/2apD3SjVcpZ2gbulXHz" "MAbnGcucwFyLxo5zGVUcsLFc="; c:"Subject: Re: [Sip] draft-jennings-sip-hashcash-01"; c:"From: Michael Thomas <mat@cisco.com>"; c:"Date: Wed, 02 Mar 2005 10:52:27 -0800"
IIM-VERIFY: s:"y"; v:"y"; r:"60"; h:"imail.cisco.com"; c:"message from imail.cisco.com verified; "
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a8041eca2a724d631b098c15e9048ce9
Cc: 'Cullen Jennings' <fluffy@cisco.com>, "'sip@ietf.org'" <sip@ietf.org>, Francois Audet <audet@nortel.com>
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0590242216=="
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a3f7094ccc62748c06b21fcf44c073ee

The big problem I have with hashcash is the advent of 
zombie armies. With them in mind, about them only
thing you do is punish legitimate UA's with itsy-bitsy
CPU's, and leave the spammers essentially unaffected 
with their near limitless CPU resources.

		Mike

On Wed, 2005-03-02 at 02:15,

 Jonathan Rosenberg wrote:
> Even with whitelists, I think its a fair problem to ask as to whether 
> one can come up with an amount of hashcash that is sufficiently 
> expensive to stop the rate of spam, yet cheap enough not to totally 
> disrupt legitimate new calls, given the disparity of endpoints. Keep in 
> mind we also have low end UA that run in cell phones and other things, 
> and these may prove even more problematic than a gateway. Unclear which 
> one has the least amount of CPU density, that is, the amount of CPU 
> power available per call.
> 
> The most recent spam draft is kind of lukewarm on hashcash for these 
> reasons.
> 
> There are some other issues that one needs to consider, ignoring the big 
> elephant in the corner above:
> 
> 1. The mechanism interacts badly with forking at the moment. One problem 
> is HERFP. If I have a mix of endpoints, some of which support this (and 
> thus send a 419), and others that don't (and thus ring the phone), then 
> you'll end up always completing the call on the endpoints that don't 
> support the extension.
> 
> 2. THe mechanism doesn't provide a way for a proxy to aggregate multiple 
> Puzzle headers from forked branches. It needs to do something like 
> WWW-Authenticate where a proxy collects these from the various 419 and 
> places all of them in the 419 forwarded upstream. That will also require 
> something akin to realm, that allows a UA/proxy to pull out its own puzzle.
> 
> 
> Thanks,
> Jonathan R.
> 
> Francois Audet wrote:
> 
> > Yeah, a white list approach might work.
> >  
> > The practical scenario that I am thinking about is with a typical VoIP 
> > service provider.
> >  
> > Today, the vast majority of calls from subscribers terminate on gateways 
> > (owned by the operator of the service).  These calls are not to a 
> > specific "user" but really to a gateway, using presumably something like 
> > the tel-URI-in-SIP-URI approach. In this case then, the white list is 
> > not to a whole URI but to "something" that is related to the gateway 
> > itself. This is different from the IM-scenario you quote.
> >  
> > Now, if we only have to worry about one set of gateways (like the ones 
> > owned by the service provider), I guess you could base the white list on 
> > the domain name or find some other solution. It may be more difficult 
> > when gateways are scattered all over the place (like in an enterprise 
> > for example, or a federation of enterprise, or when it terminates to 
> > another service provider).
> >  
> > I believe we should make sure that we describe white list properly 
> > before we publish the puzzle mechanism. I have a fear that we could 
> > define something where the people who make the SIP end-devices have an 
> > incentive to do something that is good for them (i.e., limit 
> > vulnerability to spam) but could be very problematic for the Gateways 
> > (or Proxies). Somehow we have to be able to mandate a white list 
> > capabily (or some other mechanism). Otherwise software upgrades could 
> > kill the operator of the service.
> >  
> > PS: Note that this is a recurring problem with gateways (I think certs 
> > has the same issue).
> > 
> >     -----Original Message-----
> >     *From:* Cullen Jennings [mailto:fluffy@cisco.com]
> >     *Sent:* Friday, February 25, 2005 08:03
> >     *To:* Audet, Francois [SC100:9T51:EXCH]; sip@ietf.org
> >     *Subject:* Re: [Sip] draft-jennings-sip-hashcash-01
> > 
> > 
> >     The idea would be to have a very skewed amount of computation to
> >     help rate limit attacks. Whatever amount of computation is
> >     "reasonable" for a valid client to do, an attacker is going to be
> >     able to apply a lot more computation to the problem. However, this
> >     still limits the number of messages the attacker can do and thus
> >     raises the cost. I discuss this some what in the SPAM draft.
> > 
> >     This could all happen in different ways. Imagine a case where my
> >     enterprise proxy compute the puzzles on behalf of my phone when I
> >     call another domain. Say in a large enterprise, it has 10,000 people
> >     and during a busy hour makes 10 calls per second that are to an
> >     address external to the domain. Of these only 2 are not whitelists.
> >     If the enterprise proxy was willing to spend say 3GHz worth of CPU
> >     at computing challenges for these 2cps, well that is a pretty hefty
> >     amount of hash that could be required.
> > 
> >     Another ways is perhaps all the UAC are willing to do about the
> >     amount of hashing that 1 second of G.729 compression would take.
> >     It's hard to imagine that most UAs (even large GWs) could not do
> >     this. This would limit the rate of attack of a single computer to in
> >     the 100s of messages per second. This is a lot less hashing that the
> >     example above but contrast this to what is possible today. Today I
> >     can send in the order of 100,000 message per second. Increasing the
> >     cost of an attack by 1000 is good. It slows it down and give you
> >     time to trace the source and cut it off before it is everywhere. It
> >     makes is less worth while to advertise products that a very very
> >     small percentage of the receivers would buy.
> > 
> >     As discussed in the SPAM draft, you would always want to use white
> >     lists first then if the person was not on the white list fallback to
> >     something else like this.
> > 
> >     Cullen
> > 
> > 
> >     On 2/24/05 11:30 AM, "Francois Audet" <audet@nortel.com> wrote:
> > 
> >         We may need to explain some of the limitations of this. It seems
> >         to me that this mechanism would not be terribly appropriate for
> >         applications that aggregate a large number of clients onto a
> >         single platform. For example, this may be too computationally
> >         intensive for a large PSTN Gateway, or even a large Proxy.
> > 
> >         Any ideas of how a UAS would make the decision to send the 419
> >         without burdening the UAC? Should there be a supported/require
> >         header for this functionality, so that a UAC could "opt out"?
> > 
> > 
> >              
> >             -----Original Message-----
> >             *From:*  sip-bounces@ietf.org [mailto:sip-bounces@ietf.org]
> >             *On Behalf Of *Cullen  Jennings
> >             *Sent:* Tuesday, February 22, 2005 16:46
> >             *To:*  sip@ietf.org
> >             *Subject:* [Sip]  draft-jennings-sip-hashcash-01
> > 
> > 
> >             I updated  this draft on "SIP Computational Puzzles" so it
> >             has enough detail to implement  it. (Previous version did
> >             not). It is in the drafts directory and also in HTML  form at:
> > 
> >             http://scm.sipfoundry.org/rep/ietf-drafts/fluffy/draft-jennings-sip-hashcash-01.html
> > 
> >             Cullen
> > 
> > 
> >         ------------------------------------------------------------------------
> >         _______________________________________________
> >         Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
> >         This list is for NEW development of the core SIP Protocol
> >         Use sip-implementors@cs.columbia.edu for questions on current sip
> >         Use sipping@ietf.org for new developments on the application of sip
> > 
> > 
> > 
> > ------------------------------------------------------------------------
> > 
> > _______________________________________________
> > Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
> > This list is for NEW development of the core SIP Protocol
> > Use sip-implementors@cs.columbia.edu for questions on current sip
> > Use sipping@ietf.org for new developments on the application of sip

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

v2.23.0 | Report a Bug | By Email