Re: [VIPR] VIPR privacy issue
Marc Petit-Huguenin <petithug@acm.org> Thu, 26 January 2012 16:48 UTC
Return-Path: <petithug@acm.org>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 837F221F8617 for <vipr@ietfa.amsl.com>; Thu, 26 Jan 2012 08:48:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.189
X-Spam-Level:
X-Spam-Status: No, score=-102.189 tagged_above=-999 required=5 tests=[AWL=0.411, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qAEhqlS29GGh for <vipr@ietfa.amsl.com>; Thu, 26 Jan 2012 08:48:19 -0800 (PST)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id 018B021F8616 for <vipr@ietf.org>; Thu, 26 Jan 2012 08:48:19 -0800 (PST)
Received: from [IPv6:2001:470:1f05:616:213:d4ff:fe04:3e08] (shalmaneser.org [IPv6:2001:470:1f05:616:213:d4ff:fe04:3e08]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN "petithug", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 7E638202D2; Thu, 26 Jan 2012 16:33:59 +0000 (UTC)
Message-ID: <4F2183D0.3070809@acm.org>
Date: Thu, 26 Jan 2012 08:48:16 -0800
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20120104 Icedove/8.0
MIME-Version: 1.0
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <4F1F1A42.1030201@acm.org> <9734F726-C0A8-42D6-87A4-65535D5F3E80@bbn.com> <4F217CC9.4080802@acm.org> <50D0BC87-EC6C-401E-A2F9-A05AC60D5EF0@bbn.com>
In-Reply-To: <50D0BC87-EC6C-401E-A2F9-A05AC60D5EF0@bbn.com>
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "vipr@ietf.org" <vipr@ietf.org>
Subject: Re: [VIPR] VIPR privacy issue
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>, <mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>, <mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2012 16:48:20 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 01/26/2012 08:40 AM, Richard L. Barnes wrote: >> On 01/26/2012 08:01 AM, Richard L. Barnes wrote: >>> Let's not get hysterical here. These issues are inherent to any >>> system for resolving identifiers. My local DNS resolver has a very >>> good idea of things like what websites I'm visiting (A google.com) and >>> what services I'm using (SRV _xmpp-server._tcp.jabber.org). >> >> Yes, but this is not the problem here. AFAIK, it is not possible for >> anybody to add its own DNS server as nameserver of google.com and receive >> all the requests sent to this domain and collect the source IP addresses. >> *That* would be the DNS equivalent of the privacy leak of VIPR. > > True. Although in principle anyone could announce the anycast prefixes > used by the root nodes (in the absence of SIDR deployment), which would get > you lots of interesting traffic. > > At the very least, however, your queries get forwarded to the DNS root and > intermediate name servers, which has been a problem before: > <https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005266.html> > > Like I said, the mitigation here is the same as any situation where you > want to hide your IP address: Send packets from a different network. Yes, and (I am not sure you saw the second part of my response below), this would not be a concern if we could fix RELOAD to do exactly that. > > --Richard > > > >>> >>> Analogous mitigations apply, e.g.: >>> >>> * For masking sources of requests, use indirection. In the DNS >>> context, authoritative servers don't see my IP address because I go >>> through a local resolver. In the VIPR context, you could have an >>> outsourced RELOAD agent acquire tickets on behalf of clients who trust >>> it to handle call information. >>> >>> * For masking destinations of requests, use multiple requests. In the >>> DNS context, request names/RRtypes other than the one you're looking >>> for. In the VIPR context, look for numbers you didn't dial, or look >>> for numbers when you haven't dialled anyone. >>> >>> Note that in both cases, the mitigations are about how you use the >>> protocol, not the protocol itself. So while it might be worthwhile to >>> write up a privacy considerations document, it doesn't seem like we >>> need to change the protocol documents to deal with these threats. >> >> The concern is not how to fix the problem, but that half of the problem >> comes from a protocol (RELOAD) that is not under our control, and so will >> take years to bring to a point where we can fix this problem. >> >>> >>> --Richard >>> >>> >>> On Jan 24, 2012, at 3:53 PM, Marc Petit-Huguenin wrote: >>> >>> Michael Procter explained on the last VIPR design team weekly >>> conference call a privacy attack that I think is devastating. The end >>> result is simple to explain: VIPR turns the Internet into a "trap and >>> trace device"[1], allowing anybody to record the phone numbers called >>> by any entities using VIPR, and this for a relatively low cost. >>> >>> Let's say that VIPR is well deployed in US enterprises and that a >>> spying group is willing to spend the money to know about the phone >>> calls made by these enterprises. This spying group just have to add >>> enough VIPR servers to the RELOAD overlay to register all the phone >>> numbers in the USA. Because all registrations are considered equally >>> untrusted, they will all be verified by establishing a TCP connection >>> between the VIPR server of the source of the call and the VIPR server >>> that stored the registration for a particular phone number. There is >>> multiple pieces of information that are leaked but it is easy for >>> example to find the enterprise that is originating the TCP connection >>> by looking at the source address and to enter it in whois. >>> >>> As Michael pointed out, you have to be on VIPR to protect your privacy, >>> i.e destination numbers that are *not* using VIPR are especially at >>> risk. If the destination number is using VIPR, the TCP connection used >>> to verify the first call from any enterprise has a lower probability to >>> be directed to the spying group, because the real owner of the number >>> may be tried first and prevent other registrations to be tried if >>> successful. And as soon the real owner sends a SIP route and ticket >>> back, the spying group will no longer receive any information about the >>> calls between this enterprise and this destination number, excepted for >>> the periodic renewal of the ticket. >>> >>> Note that the information leaked go deeper than just the verification >>> connection. Here's the various places where privacy information >>> leakage happens with this attack: >>> >>> - If the spying group uses a different VServiceId for each registered >>> phone number, the called number is always leaked. - The called number >>> is also leaked for methods A and B. - For method "A", the Caller-ID is >>> leaked (the bcrypt hash is hard to crack, but it is not impossible). - >>> For method "B", a random time in the middle of the call is leaked. - >>> For method "C", the rounded start and stop time of the call are leaked. >>> - The source IP address of the TCP connection for the PVP transaction >>> is always leaked. - The addr_port in the AppAttachReq RELOAD message >>> that was used to establish the TCP connection is leaked. - The >>> certificate of the signer of the AppAttachReq RELOAD message is leaked. >>> Even if the certificate does not contain information about the sender >>> (subject, subjectAltName), it always contains the Node-ID, which can >>> always be resolved to an IP address by using an Attach request. - The >>> Node-ID is leaked a second time in the via_list of the AppAttachReq >>> message, unless an intermediary RELOAD peer replaced it with a >>> compressed ID. >>> >>> There is probably ways to fix all of these leakages, and I found >>> solutions for most of them, but they make RELOAD and VIPR much, much >>> more complex, to the point that I am starting to think that RELOAD >>> itself is not up to the task. Using TURN to anonymize, as I proposed, >>> does not work because of the multiple places where data is leaked and >>> fixing RELOAD itself, which will require among other things adding >>> something like onion routing, will probably take years[2]. >>> >>> At a minimum, we will need to add a strong requirement about required >>> anonymization in -overview, but it is clear to me that the >>> standardization of VIPR will take a much longer time than expected. >>> >>> >>> [1] http://en.wikipedia.org/wiki/Trap_and_trace_device [2] >>> http://www.ietf.org/mail-archive/web/p2psip/current/msg06166.html >>> - -- Marc Petit-Huguenin Personal email: marc@petit-huguenin.org Professional email: petithug@acm.org Blog: http://blog.marc.petit-huguenin.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJPIYPOAAoJECnERZXWan7Er+QP/iqC1BvcJkFilL5tJaQpXEMp Nc6eWH6cEKUpL4Q6gBRhYk7CD0k3CFmNTGEblhjKhZAsLILicdUIUeAsXN8JFFdD Bxf2D99R2t24qrMwBzmOhRUNoV3JryNDOH0S5qFbCZ564WKPdfLrrPRdYfedTBXo H7sm7THDrSNuNLUDejLtRmpLG4CENjSOJe4RMnUkgMb2ikG3OfpRPp3VexKE9prN HO6sJ0IBWtdGt/p0K8CE4xsG2Kg3CYz4v65A7YefQ/6YKy4nk4rfW6fBEchEqApL xRRsoxvSOzNXDHRZqOZiQbrP1qxupAIU43ladvf7Hx4Y9c22uxkw5818o4EJJ0pZ XD03Aml4gCVzl5Mg/X8/4D9oR9GFieeKjXvKO/Y/5LHSC7l/hCVkz/f+2jiSqvtd BfOz9xfxBqIhU3l0x29euur6nO2k0LMYIaulDgp4Rmd1UAY6JqtFoloCjAJrFGFf 0fYjzoI4Lxa+Qknh7Rt3it2JUKooUO3qjygF6CuQ23aB8x2pRZGbZeUp0pvPbb8O AoxeIAF5Bk9JwOb0WfA//g7oKBwZCh0dTRXhL1YycxIlk63LTpMbOdO8VHxSB8GA hbDmMina7oqPBJV/lgJIuolWt3MyYv6EZTaCNXiAJm02HBY+5328P9Lm15KOwlZT 7MnhkdbhrQYOjijmKJZb =Kp7M -----END PGP SIGNATURE-----
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Kevin P. Fleming
- Re: [VIPR] VIPR privacy issue Kurt Bergsbaken
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Dean Willis
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Mary Barnes
- Re: [VIPR] VIPR privacy issue Kurt Bergsbaken
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Kevin P. Fleming
- Re: [VIPR] VIPR privacy issue Dean Willis
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin