Re: [VIPR] VIPR privacy issue
"Richard L. Barnes" <rbarnes@bbn.com> Thu, 26 January 2012 16:52 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C06221F85BD for <vipr@ietfa.amsl.com>; Thu, 26 Jan 2012 08:52:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.179
X-Spam-Level:
X-Spam-Status: No, score=-106.179 tagged_above=-999 required=5 tests=[AWL=0.420, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9sCYfxXQofH9 for <vipr@ietfa.amsl.com>; Thu, 26 Jan 2012 08:52:33 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 1A79721F85B7 for <vipr@ietf.org>; Thu, 26 Jan 2012 08:52:33 -0800 (PST)
Received: from ros-dhcp192-1-51-95.bbn.com ([192.1.51.95]:59793) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1RqSYq-000FcH-FM; Thu, 26 Jan 2012 11:52:32 -0500
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <4F2183D0.3070809@acm.org>
Date: Thu, 26 Jan 2012 11:52:31 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <373FB643-AE7A-473C-A7AB-09F9A9E7093B@bbn.com>
References: <4F1F1A42.1030201@acm.org> <9734F726-C0A8-42D6-87A4-65535D5F3E80@bbn.com> <4F217CC9.4080802@acm.org> <50D0BC87-EC6C-401E-A2F9-A05AC60D5EF0@bbn.com> <4F2183D0.3070809@acm.org>
To: Marc Petit-Huguenin <petithug@acm.org>
X-Mailer: Apple Mail (2.1084)
Cc: "vipr@ietf.org" <vipr@ietf.org>
Subject: Re: [VIPR] VIPR privacy issue
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>, <mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>, <mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2012 16:52:34 -0000
>>>> Let's not get hysterical here. These issues are inherent to any >>>> system for resolving identifiers. My local DNS resolver has a very >>>> good idea of things like what websites I'm visiting (A google.com) and >>>> what services I'm using (SRV _xmpp-server._tcp.jabber.org). >>> >>> Yes, but this is not the problem here. AFAIK, it is not possible for >>> anybody to add its own DNS server as nameserver of google.com and receive >>> all the requests sent to this domain and collect the source IP addresses. >>> *That* would be the DNS equivalent of the privacy leak of VIPR. >> >> True. Although in principle anyone could announce the anycast prefixes >> used by the root nodes (in the absence of SIDR deployment), which would get >> you lots of interesting traffic. >> >> At the very least, however, your queries get forwarded to the DNS root and >> intermediate name servers, which has been a problem before: >> <https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005266.html> >> >> Like I said, the mitigation here is the same as any situation where you >> want to hide your IP address: Send packets from a different network. > > Yes, and (I am not sure you saw the second part of my response below), this > would not be a concern if we could fix RELOAD to do exactly that. Doesn't really seem like a RELOAD issue. Rather, something for higher/lower layers. Pay someone to do RELOAD on your behalf, or use a VPN to somewhere else. Agree with a group of friends that you'll all make the same queries at the same times, so that your individual patterns are indistinguishable. OPSEC, not COMSEC. --Richard > >> >> --Richard >> >> >> >>>> >>>> Analogous mitigations apply, e.g.: >>>> >>>> * For masking sources of requests, use indirection. In the DNS >>>> context, authoritative servers don't see my IP address because I go >>>> through a local resolver. In the VIPR context, you could have an >>>> outsourced RELOAD agent acquire tickets on behalf of clients who trust >>>> it to handle call information. >>>> >>>> * For masking destinations of requests, use multiple requests. In the >>>> DNS context, request names/RRtypes other than the one you're looking >>>> for. In the VIPR context, look for numbers you didn't dial, or look >>>> for numbers when you haven't dialled anyone. >>>> >>>> Note that in both cases, the mitigations are about how you use the >>>> protocol, not the protocol itself. So while it might be worthwhile to >>>> write up a privacy considerations document, it doesn't seem like we >>>> need to change the protocol documents to deal with these threats. >>> >>> The concern is not how to fix the problem, but that half of the problem >>> comes from a protocol (RELOAD) that is not under our control, and so will >>> take years to bring to a point where we can fix this problem. >>> >>>> >>>> --Richard >>>> >>>> >>>> On Jan 24, 2012, at 3:53 PM, Marc Petit-Huguenin wrote: >>>> >>>> Michael Procter explained on the last VIPR design team weekly >>>> conference call a privacy attack that I think is devastating. The end >>>> result is simple to explain: VIPR turns the Internet into a "trap and >>>> trace device"[1], allowing anybody to record the phone numbers called >>>> by any entities using VIPR, and this for a relatively low cost. >>>> >>>> Let's say that VIPR is well deployed in US enterprises and that a >>>> spying group is willing to spend the money to know about the phone >>>> calls made by these enterprises. This spying group just have to add >>>> enough VIPR servers to the RELOAD overlay to register all the phone >>>> numbers in the USA. Because all registrations are considered equally >>>> untrusted, they will all be verified by establishing a TCP connection >>>> between the VIPR server of the source of the call and the VIPR server >>>> that stored the registration for a particular phone number. There is >>>> multiple pieces of information that are leaked but it is easy for >>>> example to find the enterprise that is originating the TCP connection >>>> by looking at the source address and to enter it in whois. >>>> >>>> As Michael pointed out, you have to be on VIPR to protect your privacy, >>>> i.e destination numbers that are *not* using VIPR are especially at >>>> risk. If the destination number is using VIPR, the TCP connection used >>>> to verify the first call from any enterprise has a lower probability to >>>> be directed to the spying group, because the real owner of the number >>>> may be tried first and prevent other registrations to be tried if >>>> successful. And as soon the real owner sends a SIP route and ticket >>>> back, the spying group will no longer receive any information about the >>>> calls between this enterprise and this destination number, excepted for >>>> the periodic renewal of the ticket. >>>> >>>> Note that the information leaked go deeper than just the verification >>>> connection. Here's the various places where privacy information >>>> leakage happens with this attack: >>>> >>>> - If the spying group uses a different VServiceId for each registered >>>> phone number, the called number is always leaked. - The called number >>>> is also leaked for methods A and B. - For method "A", the Caller-ID is >>>> leaked (the bcrypt hash is hard to crack, but it is not impossible). - >>>> For method "B", a random time in the middle of the call is leaked. - >>>> For method "C", the rounded start and stop time of the call are leaked. >>>> - The source IP address of the TCP connection for the PVP transaction >>>> is always leaked. - The addr_port in the AppAttachReq RELOAD message >>>> that was used to establish the TCP connection is leaked. - The >>>> certificate of the signer of the AppAttachReq RELOAD message is leaked. >>>> Even if the certificate does not contain information about the sender >>>> (subject, subjectAltName), it always contains the Node-ID, which can >>>> always be resolved to an IP address by using an Attach request. - The >>>> Node-ID is leaked a second time in the via_list of the AppAttachReq >>>> message, unless an intermediary RELOAD peer replaced it with a >>>> compressed ID. >>>> >>>> There is probably ways to fix all of these leakages, and I found >>>> solutions for most of them, but they make RELOAD and VIPR much, much >>>> more complex, to the point that I am starting to think that RELOAD >>>> itself is not up to the task. Using TURN to anonymize, as I proposed, >>>> does not work because of the multiple places where data is leaked and >>>> fixing RELOAD itself, which will require among other things adding >>>> something like onion routing, will probably take years[2]. >>>> >>>> At a minimum, we will need to add a strong requirement about required >>>> anonymization in -overview, but it is clear to me that the >>>> standardization of VIPR will take a much longer time than expected. >>>> >>>> >>>> [1] http://en.wikipedia.org/wiki/Trap_and_trace_device [2] >>>> http://www.ietf.org/mail-archive/web/p2psip/current/msg06166.html >>>> > > > > - -- > Marc Petit-Huguenin > Personal email: marc@petit-huguenin.org > Professional email: petithug@acm.org > Blog: http://blog.marc.petit-huguenin.org > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > > iQIcBAEBCAAGBQJPIYPOAAoJECnERZXWan7Er+QP/iqC1BvcJkFilL5tJaQpXEMp > Nc6eWH6cEKUpL4Q6gBRhYk7CD0k3CFmNTGEblhjKhZAsLILicdUIUeAsXN8JFFdD > Bxf2D99R2t24qrMwBzmOhRUNoV3JryNDOH0S5qFbCZ564WKPdfLrrPRdYfedTBXo > H7sm7THDrSNuNLUDejLtRmpLG4CENjSOJe4RMnUkgMb2ikG3OfpRPp3VexKE9prN > HO6sJ0IBWtdGt/p0K8CE4xsG2Kg3CYz4v65A7YefQ/6YKy4nk4rfW6fBEchEqApL > xRRsoxvSOzNXDHRZqOZiQbrP1qxupAIU43ladvf7Hx4Y9c22uxkw5818o4EJJ0pZ > XD03Aml4gCVzl5Mg/X8/4D9oR9GFieeKjXvKO/Y/5LHSC7l/hCVkz/f+2jiSqvtd > BfOz9xfxBqIhU3l0x29euur6nO2k0LMYIaulDgp4Rmd1UAY6JqtFoloCjAJrFGFf > 0fYjzoI4Lxa+Qknh7Rt3it2JUKooUO3qjygF6CuQ23aB8x2pRZGbZeUp0pvPbb8O > AoxeIAF5Bk9JwOb0WfA//g7oKBwZCh0dTRXhL1YycxIlk63LTpMbOdO8VHxSB8GA > hbDmMina7oqPBJV/lgJIuolWt3MyYv6EZTaCNXiAJm02HBY+5328P9Lm15KOwlZT > 7MnhkdbhrQYOjijmKJZb > =Kp7M > -----END PGP SIGNATURE-----
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Kevin P. Fleming
- Re: [VIPR] VIPR privacy issue Kurt Bergsbaken
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Dean Willis
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Mary Barnes
- Re: [VIPR] VIPR privacy issue Kurt Bergsbaken
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Kevin P. Fleming
- Re: [VIPR] VIPR privacy issue Dean Willis
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin