[VIPR] Minutes for 2012/01/20 conference call
Marc Petit-Huguenin <petithug@acm.org> Mon, 23 January 2012 17:02 UTC
Return-Path: <petithug@acm.org>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0361421F846C for <vipr@ietfa.amsl.com>; Mon, 23 Jan 2012 09:02:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.341
X-Spam-Level:
X-Spam-Status: No, score=-102.341 tagged_above=-999 required=5 tests=[AWL=0.259, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oQugBLUJAQcZ for <vipr@ietfa.amsl.com>; Mon, 23 Jan 2012 09:01:59 -0800 (PST)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id AC13021F846E for <vipr@ietf.org>; Mon, 23 Jan 2012 09:01:58 -0800 (PST)
Received: from [IPv6:2001:470:1f05:616:213:d4ff:fe04:3e08] (shalmaneser.org [IPv6:2001:470:1f05:616:213:d4ff:fe04:3e08]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN "petithug", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 3F3A020142 for <vipr@ietf.org>; Mon, 23 Jan 2012 16:47:50 +0000 (UTC)
Message-ID: <4F1D9283.4010208@acm.org>
Date: Mon, 23 Jan 2012 09:01:55 -0800
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20120104 Icedove/8.0
MIME-Version: 1.0
To: "vipr@ietf.org" <vipr@ietf.org>
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: [VIPR] Minutes for 2012/01/20 conference call
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>, <mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>, <mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jan 2012 17:02:00 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 VIPR Design Team conference call on Friday January 20h, from 9:05am to 9:55am PST. o Attendees: Hakim Mehmood Marc Petit-Huguenin Michael Procter Dean Willis o Regrets Mary Barnes Daryl Malas Muthu Arul Mozhi Perumal Jon Peterson John Ward o Agenda - - ICE support in VIPR - - Traffic statistics leakage - - Obtaining the PVP credentials in an office environment - - Registering multiple PVP servers to validate based on time tolerance o Action items - - Continue discussion on privacy issue. - - Discuss about anonymizing the Node-ID in the RELOAD record. - - Add ICE as mandatory for the RELOAD overlay. - - Document the statistic issue in the specs. o Minutes Marc: The discussion in this meeting is about the privacy concerns as listed in Michael Procter's draft. The first one was the Caller-ID, and the agreement was to hash the Caller-ID in method A and publish a new method "C" that invert the selector and the secret. The next concern was source IP identification, and one obvious solution to hide it is to use a relay or a series of relays. One of the simplest solution to do this is to use the TURN servers that should be available in the RELOAD overlay. But TURN servers are only mandatory if the RELOAD overlay uses ICE. So the question shifts to "Do we want to support ICE or not?". We can still mandate TURN servers if the overlay does not require ICE, but there is probably other ways in this case to hide the source. There is an assumption in the specs that the VIPR servers are installed either on the Internet or in the DMZ of a firewall, which implied a non-ice solution. But what is the granularity that we want for the VIPR server? For example as a proof of concept, I am development a prototype of what I call a VIPR Fax, where the VIPR server is embedded inside a fax machine and connect directly on the RELOAD overlay on its own, without requiring external servers. Hakim: Why does this problem applies only to source? Anybody can do a Fetch and find the destination. Why is it more important for the caller than for the callee? Marc: This is a valid but different attack and we should talk about it. I will add this concern to the agenda of the next meeting. Hakim: In the enterprise space, the feedback is that all the security things are good to do but should not be mandatory. Michael: I am not sure how compatible that is with the view that there should be one VIPR overlay. I do not know how we can make many things optional and still have a working overlay. Hakim: It's just the feedback I have from my customers. Marc: My concern is that the lack of security will prevent people to join the VIPR network. Hakim: The architecture should be a compromise between security and manageability. Michael: Going back to something Marc said. If Alice wants to call Bob, but Bob thinks that VIPR does not have the proper security and decide to not participate in VIPR, when Alice call Bob, the fact that she calls still leaks. Bob cannot stop the privacy leak even by just not participating. Without even reducing the security, there is already privacy issues, even if you do not participate. Hakim: I was more talking about source IP disclosure. Michael: What I said applies to that too. Hakim: But how does that compromise my security in this use case? Michael: It all goes back to asymmetric expectations. Alice in this case could have her fully itemized phone bill posted on the Internet. Hakim: But I was talking about a particular use case. Alice probably does not care, but Bob cares and he can anonymize. So as long Bob has the security he wants it's fine. Michael: It is not. Marc: What about putting a flag inside RELOAD asking for privacy? This has the advantage that each registration can choose the level and privacy and will not put as much pressure on the overlay. Michael: It is essentially a bid-down attack. The problem is that you have to be on VIPR to protect your privacy. This is a fundamental problem and expecting everyone to opt-in to protect their privacy is a bit of a challenge. Marc: Let's put on the agenda for next week. We can still talk about the requiring ICE in the overlay. Michael: I like the the VIPR fax use case. I think that it will keep us honest in other areas, because it does not mean that we automatically assume that only companies over 200 employees will be in VIPR. And because of this we'll need ICE. Marc: The only concern with ICE is the complexity. But it's not like RELOAD is simple without ICE. RELOAD is complex, and is even more complex with ICE. Anyway the main case for RELOAD was SIP, and you need ICE for SIP, so any standard RELOAD server will probably also support ICE. Marc: Let's move to statistics leakage. Even if we manage to fully anonymize the PVP transactions, the simple fact that PVP transactions are made discloses information. Michael: As an example we have a taxi company as customer, and simply by looking at the Internet traffic pattern, we can predict the weather in the city in which this company operates. Even adding noise would not help and I think that this attack is real. Marc: This is true for a lot of other things in the Internet. This is something that we need to document, even if we cannot fix it. Michael: And here also the problem exists either people participate or not in the VIPR overlay. Marc: Moving to the office pranks attacks. These attacks exists from the facts that in some environments, you have access to more information, for example inside an enterprise. These attacks can be carried by a virus inside an enterprise. First attack was to obtain the PVP validation. One of the way to mitigate this is to do validation per user, instead of per enterprise. Interestingly it parallel the VIPR fax use case, where each device also has its own VServiceID. Marc: The last attack is similar but was using the rounding. Note that this attack and the previous one come from the low security of methods A and B. If we mandate a validation based on e.g. fingerprinting, then we no longer have these issues, but these methods are the minimum common denominator. Michael: If ICE is not adopted because of its complexity, then we will have a problem adopting fingerprinting, which is even more complex. Marc: Yes, and this also creates a problem for SIP intermediaries who do not have access to the media. Hakim: Two mains themes with our customers has been: Why does it take so long to validate, and what rounding should I use to have my validations succeeding. Marc: We can solve a lot of problems by simply forgetting about these methods, but we are restricting the use of this technology, But these methods looks so bad, between reliability, privacy and time to succeed, that it is perhaps not worth the effort. - -- Marc Petit-Huguenin Personal email: marc@petit-huguenin.org Professional email: petithug@acm.org Blog: http://blog.marc.petit-huguenin.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJPHZJ/AAoJECnERZXWan7EbKsP/RjkAh6cf7AFngJ7a22OfOxK Q2KilGCjpIcfL8Z6MHf8Qp9JVUg7zTwZXy6UEZabUWWjEs6l3IqPCXL1mF+YFjCX Wpv0bofkZzW+95x2ZmTVd47W1rVT5H/zcZoU6c8RASd8Xhorout1VXZDDW4NxfEi vTdSU58DmOBJTCFcrFJYBeGWiK6RHLI9Ufxp7QMZu/oWfIDepN2FPBfQNKgbEiWR XTamwFuXt1m9gzW0ACePVElA29/fSeoL6WjjLZ4A5f1ahfVPbCuMdso5bxQ8RW6y cYIWFacLNAMvr1+vaOKp03cPF2EBkc8ZZvljB1kF5DrTIedaNxaIx8uRVv3qb7vy 3bAfy95o7H80HmRn0YWCIDxn2YgFTm3fJgRMk7EKP+qIP5BDpXT2XQ26i+/UxVY2 xW9dIYXgJQ1OyjaxM/y6QVLboBjNNYvGtm1w+BhCEHsSs0oEzpjkQeQjF6Zxb1fe 26m8eBLYn82VHkxQwJK5rVl+rLOqNSwZikLCng6TleohnGKEzEuL7lIv0/CQKB+g pZZxzrjEmAwwxu3qR5p3ZScOoS+qbA4e6mJ1QqLZ1Os4U2n2hqVDmxnUfs+HfoN3 iBT34BDkL99qwKXAptwXMOuwGKSuMrWk6uafYQANfjqr6TDTnF5GifNaipbB+wtx Y47/BGUEO1YYPYUZoxPk =13ni -----END PGP SIGNATURE-----
- [VIPR] Minutes for 2012/01/20 conference call Marc Petit-Huguenin