[VIPR] Minutes for 2012/01/27 conference call
Marc Petit-Huguenin <petithug@acm.org> Mon, 30 January 2012 23:50 UTC
Return-Path: <petithug@acm.org>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A57411E80EA for <vipr@ietfa.amsl.com>; Mon, 30 Jan 2012 15:50:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.266
X-Spam-Level:
X-Spam-Status: No, score=-102.266 tagged_above=-999 required=5 tests=[AWL=0.334, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RJuq84yWMbdo for <vipr@ietfa.amsl.com>; Mon, 30 Jan 2012 15:50:07 -0800 (PST)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id 6462C11E80F4 for <vipr@ietf.org>; Mon, 30 Jan 2012 15:50:07 -0800 (PST)
Received: from [IPv6:2001:470:1f05:616:213:d4ff:fe04:3e08] (shalmaneser.org [IPv6:2001:470:1f05:616:213:d4ff:fe04:3e08]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN "petithug", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 0F0C420142 for <vipr@ietf.org>; Mon, 30 Jan 2012 23:35:30 +0000 (UTC)
Message-ID: <4F272CAC.5030905@acm.org>
Date: Mon, 30 Jan 2012 15:50:04 -0800
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20120104 Icedove/8.0
MIME-Version: 1.0
To: "vipr@ietf.org" <vipr@ietf.org>
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: [VIPR] Minutes for 2012/01/27 conference call
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>, <mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>, <mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2012 23:50:09 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 VIPR Design Team conference call on Friday January 27h, from 9:05am to 9:55am PST. o Attendees: Mary Barnes Kurt Bergsbaken Daryl Malas Hakim Mehmood Jon Peterson Marc Petit-Huguenin Michael Procter John Ward Dean Willis o Regrets Muthu Arul Mozhi Perumal o Agenda - - Privacy issue o Action items - - We continue working on VIPR. - - Michael to update his document, please send text. o Minutes Marc: I propose to talk about the privacy problem is 3 steps. First we need to agree that this is really a problem. Option 4, proposed by Richard Barnes, was to not do anything about this. If we agree that this is problem, then the second question is do we agree that this requires modification in RELOAD. Then the 3rd step would be to decide what to do, knowing that doing anything in RELOAD will take a long time. Daryl: If this problem has not shown itself in p2psip, I am curious to know if this problem is unique to VIPR, and then to decide if we want to do any modification to RELOAD. Marc: My original plan was to work on VIPR until December, I extended for 3 months, but after the meeting in Paris I will no longer be able to put as much work on VIPR. So let's be sure that we have some kind of decision at the end of this meeting, so I know if I am going to Paris or not. Marc: So is this privacy issue really a problem? Dean: This is a real problem. You have a 50% chance of being in the first attempt of verifying the connection, and for every registration you increase your odds. Michael: It's right if you stop after the first success. Jon: The reason for doing that relates to things that are still controversial, like SIP intermediaries. From my perspective, it's an interesting problem, but I do not think that it is a showstopper in the sense that I do not think that VIPR is worthless if it has this liability. I would be comfortable with documenting the problem, and measures that mitigates it. And I would also be comfortable with saying is there a way to really do an anonymous DHT, but it's almost a research project. But I certainly do not think that it render useless and that we should go home. Hakim: I agree with everything you said. Marc: Should we put a requirement in the -overview document saying that we must fix this privacy problem, and is it just something that we should work on in the future? Jon: There is specific threat models that we can discuss. There is a difference between someone who register for one number and someone who register for all numbers. For example this is an argument to not go through all registrations. But there is no fix for this, as there is no fix for SIP security issues. Daryl: I agree with that. There is a lot of architectures that VIPR works very well within. Dean: There is potential mitigation that we can build going forward. For example adding a web of trust. Alice calls Bob and successfully validates, then Alice put something in the overlay saying this, then Charlie, who has an existing relationship with Alice might then be more inclined to trust the validation of Bob. This is things that we can address going forward. We can also came with suggestions for RELOAD, and have the RELOAD design change over time, but they will not change RELOAD in this round. But that does not prevent a first version of the protocol to be released. Daryl: I like that approach. To go back to what Jon said, in the early days of SIP, there was concerns around security issues, workarounds were documented, but still people do not implement them - people still are not doing SIP over TLS. Michael: There is plenty of things we can do to attack the problem, but if we continue with the idea that there will be only one VIPR network, globally, that make it a lot harder for us to solve these problems. If we define things that should work with a group of participants, then I think that we can make something that has all the properties for that group of users. But if we focus on one overlay for the whole planet, then these problems will really bite. Jon: I am sure that the designers of VIPR would be reluctant to give up the property that there something that everyone can join and that it is public. I would prefer that we keep that property. Daryl: Are you suggesting to have multiple VIPR networks, and have some sort of inter-domain communication? Jon: Michael is suggesting that it is the public nature of VIPR that is creating all these problems. If you imagine a closed trusted community of enterprises, that would be one way to prevent rogue party to entering and putting bogus registrations. Cullen alluded to a common CA, so if everybody follow a trust anchor, we can trace who everybody who is participating is. Daryl: So it's a federation that's being established. Jon: That does not change RELOAD. Changing RELOAD will not happen in any reasonable time. Daryl: I totally agree. And I agree with the federation that you described. Jon: Michael, do you think that the only way to combating this is to split the overlay, or do you think there is alternatives? Michael: For some of the attacks we can probably work out mitigation while maintaining a single DHT. But I do not think that we can capture all the problems, and I fear that we will end up with one DHT that cause this huge problem. A lot of these problems seems to go away if you deploy in small groups, so maybe one approach is to finish off a version of VIPR that is suitable for groups that prominently trust each other. Jon: Does the current specification mandates a single overlay? Marc: The specification assumes only one DHT. Dean: Even with one VIPR cloud, one could imagine adding information in the overlay to track the relationship between CAs. Marc: This is not a small modification of VIPR. Jon: A lot of the mitigation solutions would be looking at the registrations deciding why one is preferred over the others. Hakim: You could have one more step where the Fetch comes from your trusted domain, so you do not start PVP. Jon: It's like a whitelist, The original design was really to have an introductory system, to be a way to use the PSTN as a bootstrap. We can argue to a point where it's no longer doing what it's supposed to do. Hakim: It's part of the mitigation. At the end the goal is for everybody to use VIPR with confidence, and not undermine privacy and security, but those measures should be recommended, not mandated. Marc: If we can anonymize the PVP connection and the RELOAD transactions, then we can solve this problem without adding more verifications. Hakim: Agreed. Jon: I am not even sure where to start with that. That's almost a research problem. Marc: Yes and the problem is that RELOAD is not the best place to do that currently. Jon: I agree that anonymyzing RELOAD would be great, but that would require a new working group, a different charter, and would complete in 5/7 years. If we want to continue, our job is to figure how to mitigate with the current system. Hakim: Was your comment about anonymizing the IP address? Jon: Yes, because from the source IP address you can find the enterprise. Hakim: If we use TURN and method B, it would hide the source IP address and the Caller-ID. Jon: The problem with TURN is that you do not necessarily trust the people you are asking. You need several hops, to have a reasonable assurance that the nodes you are using are not bad actors. And I suspect that would be a very different model for RELOAD. Michael: You still leak the fact that someone has requested the record for that phone number. Jon: That's why it's important to articulate the whole set of threats. But if your could solve the problem of hiding analytics, the bittorrent community would be so thrilled. Michael: But the point is that with bittorrent, who have the choice to not participate, but with VIPR, you do not. Jon: When I was first reading about this problem, I though about fixing it the other way: is there anyway we can get as many registrations done as possible. There is the interesting property that says that as soon the validation is done, you are no longer vulnerable, until you need a revalidation. But the result for an attacker will be very unpredictable. Michael: I agree. John: We are talking for the point of view of an attacker, but there is all kind of usages for intermediaries. For example I can query the DHT and determine the network topology of my competitors. Jon: The network topology under VIPR is pretty flat. John: We will not get away from the point where there will not be intermediaries. Jon: It's another approach to privacy. Dean : Yes, if there is 3 aggregators in the world, there is not much information leak. Jon: We need to document thoroughly that the threat is first. One is where someone is curious about a particular phone number. Another is to collect information on any number. For each of these threats we need to understand what they can accomplish, do we have any way to detecting it, and finally what change to the design we can make to mitigate that. Daryl: Would this potentially cause a situation where these become just proprietary VIPR. I do not want to say at the end to go to one vendor. Dean: How would we block aggregator choice of delivery? Daryl: The goal is to encourage various vendors to participate, not to create these proprietary aggregations that never talk to each other. Jon: We can add compromising RELOAD to the list of threats. Dean: Do we have something like the voice hammer attack? Marc: There is a quota mechanism in RELOAD, so the more registrations you put on the network, the more hardware you need to contribute. Jon: Yes, these are active attacks. But we should separate the from the passive attacks. The privacy attacks are discoverable, because you can look after the fact. Dean: You can also do self verification of validation, i.e. audit your phone number and if there is strange registrations, make inquiries. Jon: Yes, each time there is a failed validation you can record it, and we can flag the source. Marc: Yes and remember that in RELOAD there is a blacklist mechanism, so the people responsible for the overlay configuration document can prevent specific nodes to join. But note that it is not because a registration fails that the guy at the other side is a bad guy. There is a lot of reasons why a registration can fail and still be a legitimate node. We do not want to go overboard, and create a new attack that prevent the right owner to participate. Jon: Yes, but if every node reports that there is a problem with a particular entity, then there is a consensus that there is a problem. Marc: OK, we have a consensus that we should continue to work on this, and we agree to document the use cases. Michael: Please send text. - -- Marc Petit-Huguenin Personal email: marc@petit-huguenin.org Professional email: petithug@acm.org Blog: http://blog.marc.petit-huguenin.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJPJyymAAoJECnERZXWan7EbaEQAIa+zCMXY3LW+t2SyX5iwXqG DVSIbYWpVFM06Z+yWj+Z7pOaWal2GrfIsqHyhHTj2r2HCakW7Q/fA5LRqg+58K/c nJwJEuioyLyh25OWbQ1xd0bdcxySIKyXD4EXYLHbOAxwEG3OfT1kieva9+ja0RNt qMQZnNOjRr70gomhDPjLUejTiVc1zeUSNyDLNG3WbhfYjAvoM2/YEVfyej5f93/N lzfncI0u+mQ3QrqEFWysUumUe5DPR0OoJoMHFEPWJzXfWpWl3INmAxAq+p96FlvX MBpPqqF6XbHni3q3tY0s/0rwEI/ouY9jSUJ0rJ+1limJI3eUNzjl8uKDF4qrHYaH yiu7VVTPhJ7faeeJ1JRcnS9tp4mvwI3+lPWWglFkdXgAmMSbGvQTaPkq5Pdyo7Rr sE17t5ZDuXFj8bgA4AQbgthTy5EugBMAYMJ4YfYoUcRoeLl6Q3RXeSR+9QnYBEsg XVH5o5OP92zR+vP0C+xqmCnLDfEnj2eB7fIlsWIE0QbIPX11LMltsV/1wkCwfIY9 4oYVSvbSswbMlhPNRDKmCnzouwDVeV+NfdVn84ybBEQz1Sg/0KgPF1WnWEV1TA/n 3hUmJZCigM23QedwhuX+ooNy5Le5UNX8d09WcMV92xBlIx6kBG0jhlJdoYAcqB9y 4xM8EEX903UWEexiCNia =/1U3 -----END PGP SIGNATURE-----
- [VIPR] Minutes for 2012/01/27 conference call Marc Petit-Huguenin