IETF Logo Mail Archive

Re: [VIPR] VIPR privacy issue

"Kevin P. Fleming" <kpfleming@digium.com> Tue, 24 January 2012 22:20 UTC

Return-Path: <kpfleming@digium.com>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3237911E8085 for <vipr@ietfa.amsl.com>; Tue, 24 Jan 2012 14:20:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.507
X-Spam-Level:
X-Spam-Status: No, score=-106.507 tagged_above=-999 required=5 tests=[AWL=0.092, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i1UfjdbtzLr9 for <vipr@ietfa.amsl.com>; Tue, 24 Jan 2012 14:20:19 -0800 (PST)
Received: from mail.digium.com (mail.digium.com [216.207.245.2]) by ietfa.amsl.com (Postfix) with ESMTP id EC54A11E8079 for <vipr@ietf.org>; Tue, 24 Jan 2012 14:20:18 -0800 (PST)
Received: from [10.24.55.203] (helo=zimbra.hsv.digium.com) by mail.digium.com with esmtp (Exim 4.69) (envelope-from <kpfleming@digium.com>) id 1Rpoiw-0003c9-Lz for vipr@ietf.org; Tue, 24 Jan 2012 16:20:18 -0600
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbra.hsv.digium.com (Postfix) with ESMTP id A8606D8004 for <vipr@ietf.org>; Tue, 24 Jan 2012 16:20:18 -0600 (CST)
Received: from zimbra.hsv.digium.com ([127.0.0.1]) by localhost (zimbra.hsv.digium.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NZl0W6n-Bb5b for <vipr@ietf.org>; Tue, 24 Jan 2012 16:20:18 -0600 (CST)
Received: from [10.24.250.46] (unknown [10.24.250.46]) by zimbra.hsv.digium.com (Postfix) with ESMTPSA id 3040AD8002 for <vipr@ietf.org>; Tue, 24 Jan 2012 16:20:18 -0600 (CST)
Message-ID: <4F1F2EA1.5070209@digium.com>
Date: Tue, 24 Jan 2012 16:20:17 -0600
From: "Kevin P. Fleming" <kpfleming@digium.com>
Organization: Digium, Inc.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: vipr@ietf.org
References: <4F1F1A42.1030201@acm.org>
In-Reply-To: <4F1F1A42.1030201@acm.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [VIPR] VIPR privacy issue
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>, <mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>, <mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2012 22:20:20 -0000

On 01/24/2012 02:53 PM, Marc Petit-Huguenin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Michael Procter explained on the last VIPR design team weekly conference call
> a privacy attack that I think is devastating.  The end result is simple to
> explain:  VIPR turns the Internet into a "trap and trace device"[1], allowing
> anybody to record the phone numbers called by any entities using VIPR, and
> this for a relatively low cost.
>
> Let's say that VIPR is well deployed in US enterprises and that a spying group
> is willing to spend the money to know about the phone calls made by these
> enterprises.  This spying group just have to add enough VIPR servers to the
> RELOAD overlay to register all the phone numbers in the USA.  Because all
> registrations are considered equally untrusted, they will all be verified by
> establishing a TCP connection between the VIPR server of the source of the
> call and the VIPR server that stored the registration for a particular phone
> number.  There is multiple pieces of information that are leaked but it is
> easy for example to find the enterprise that is originating the TCP connection
> by looking at the source address and to enter it in whois.
>
> As Michael pointed out, you have to be on VIPR to protect your privacy, i.e
> destination numbers that are *not* using VIPR are especially at risk.  If the
> destination number is using VIPR, the TCP connection used to verify the first
> call from any enterprise has a lower probability to be directed to the spying
> group, because the real owner of the number may be tried first and prevent
> other registrations to be tried if successful.  And as soon the real owner
> sends a SIP route and ticket back, the spying group will no longer receive any
> information about the calls between this enterprise and this destination
> number, excepted for the periodic renewal of the ticket.
>
> Note that the information leaked go deeper than just the verification
> connection.  Here's the various places where privacy information leakage
> happens with this attack:
>
> - - If the spying group uses a different VServiceId for each registered phone
> number, the called number is always leaked.
> - - The called number is also leaked for methods A and B.
> - - For method "A", the Caller-ID is leaked (the bcrypt hash is hard to crack,
> but it is not impossible).
> - - For method "B", a random time in the middle of the call is leaked.
> - - For method "C", the rounded start and stop time of the call are leaked.
> - - The source IP address of the TCP connection for the PVP transaction is
> always leaked.
> - - The addr_port in the AppAttachReq RELOAD message that was used to establish
> the TCP connection is leaked.
> - - The certificate of the signer of the AppAttachReq RELOAD message is leaked.
> Even if the certificate does not contain information about the sender
> (subject, subjectAltName), it always contains the Node-ID, which can always be
> resolved to an IP address by using an Attach request.
> - - The Node-ID is leaked a second time in the via_list of the AppAttachReq
> message, unless an intermediary RELOAD peer replaced it with a compressed ID.
>
> There is probably ways to fix all of these leakages, and I found solutions for
> most of them, but they make RELOAD and VIPR much, much more complex, to the
> point that I am starting to think that RELOAD itself is not up to the task.
> Using TURN to anonymize, as I proposed, does not work because of the multiple
> places where data is leaked and fixing RELOAD itself, which will require among
> other things adding something like onion routing, will probably take years[2].
>
> At a minimum, we will need to add a strong requirement about required
> anonymization in -overview, but it is clear to me that the standardization of
> VIPR will take a much longer time than expected.

A very similar point was raised during the last in-person VIPR meeting 
that I attended (two IETFs ago, I think). I commented that we had 
personal experience with this problem in the Asterisk world, years ago 
when we had a public DUNDi cloud for routing E.164-numbered traffic. It 
is one of the primary reasons that many of us (I was not with Digium at 
the time) stopped using that cloud.

I'm certain that as you say, these problems are not intractable, but 
providing solutions for them may very well make VIPR (and similar 
mechanisms) so complex to implement and deploy that nobody will choose 
to do so.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming@digium.com | SIP: kpfleming@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

v2.23.0 | Report a Bug | By Email