Re: [VIPR] VIPR privacy issue
Marc Petit-Huguenin <petithug@acm.org> Thu, 26 January 2012 18:53 UTC
Return-Path: <petithug@acm.org>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEEBD21F860F for <vipr@ietfa.amsl.com>; Thu, 26 Jan 2012 10:53:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.202
X-Spam-Level:
X-Spam-Status: No, score=-102.202 tagged_above=-999 required=5 tests=[AWL=0.398, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Him1cabJlD2L for <vipr@ietfa.amsl.com>; Thu, 26 Jan 2012 10:53:24 -0800 (PST)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id 8EE5921F85C0 for <vipr@ietf.org>; Thu, 26 Jan 2012 10:53:24 -0800 (PST)
Received: from [IPv6:2001:470:1f05:616:213:d4ff:fe04:3e08] (shalmaneser.org [IPv6:2001:470:1f05:616:213:d4ff:fe04:3e08]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN "petithug", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 46F722040F; Thu, 26 Jan 2012 18:39:04 +0000 (UTC)
Message-ID: <4F21A121.10403@acm.org>
Date: Thu, 26 Jan 2012 10:53:21 -0800
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20120104 Icedove/8.0
MIME-Version: 1.0
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <4F1F1A42.1030201@acm.org> <9734F726-C0A8-42D6-87A4-65535D5F3E80@bbn.com> <4F217CC9.4080802@acm.org> <50D0BC87-EC6C-401E-A2F9-A05AC60D5EF0@bbn.com> <4F2183D0.3070809@acm.org> <373FB643-AE7A-473C-A7AB-09F9A9E7093B@bbn.com>
In-Reply-To: <373FB643-AE7A-473C-A7AB-09F9A9E7093B@bbn.com>
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "vipr@ietf.org" <vipr@ietf.org>
Subject: Re: [VIPR] VIPR privacy issue
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>, <mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>, <mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2012 18:53:26 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 01/26/2012 08:52 AM, Richard L. Barnes wrote: >>>>> Let's not get hysterical here. These issues are inherent to any >>>>> system for resolving identifiers. My local DNS resolver has a very >>>>> good idea of things like what websites I'm visiting (A >>>>> google.com) and what services I'm using (SRV >>>>> _xmpp-server._tcp.jabber.org). >>>> >>>> Yes, but this is not the problem here. AFAIK, it is not possible >>>> for anybody to add its own DNS server as nameserver of google.com >>>> and receive all the requests sent to this domain and collect the >>>> source IP addresses. *That* would be the DNS equivalent of the >>>> privacy leak of VIPR. >>> >>> True. Although in principle anyone could announce the anycast prefixes >>> used by the root nodes (in the absence of SIDR deployment), which >>> would get you lots of interesting traffic. >>> >>> At the very least, however, your queries get forwarded to the DNS root >>> and intermediate name servers, which has been a problem before: >>> <https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005266.html> >>> >>> >>> >>> Like I said, the mitigation here is the same as any situation where you >>> want to hide your IP address: Send packets from a different network. >> >> Yes, and (I am not sure you saw the second part of my response below), >> this would not be a concern if we could fix RELOAD to do exactly that. > > Doesn't really seem like a RELOAD issue. Rather, something for > higher/lower layers. Pay someone to do RELOAD on your behalf, or use a VPN > to somewhere else. Agree with a group of friends that you'll all make the > same queries at the same times, so that your individual patterns are > indistinguishable. OPSEC, not COMSEC. > Yes, and my original proposal was to use the TURN servers that are already present in the RELOAD overlay to hide the source of the PVP connections. But after last Friday's call I worked on establishing an exhaustive list of the places where data is leaked. Some information are leaked by the SRP-TLS protocol, but we already worked on that in the WG and are making progress. No concern here. The source IP address of the PVP connection can be hidden by TURN or any of the other solutions you proposed. Here also, no concern. Then I started to dig deeper in RELOAD itself, which is used to pass the information to establish the TCP connection used for the SRP-TLS exchange. If we use TURN or a similar mechanism, then the source IP is also hidden. But the message used for this (an AppAttachReq RELOAD message) also leaks data. The RELOAD messages are authenticated end-to-end, so it is really easy to extract the certificate of the sender, then the Node-ID of the sender and use an Attach (a transaction that is part of the basic set of transactions required for RELOAD) to find the IP address of the sender. The same data is leaked a second time in the via_list. So that's two additional layers that require some work to be made anonymous. And this is where I have concerns. I (and others) have seen our RELOAD extension proposals delayed for the last two years in P2PSIP, so even there is no doubt that we can fix the privacy issues, the problem is more in the time required to fix them. Cullen's email in P2PSIP was unambiguous in saying that doing this will push VIPR to 2015/2020. Let's see a concrete example. I want to know all the calls made by VIPR users to all the phone numbers (VIPR or not) in the USA. For each of these numbers, I register my VIPR server with a different VService-ID: Rogue RELOAD | Store(+14085550001=rogue-Node-ID) | |----------------------------------->| | | Someone with a VIPR enabled phone make a call to *any* of the US phone numbers. In this case, because +1408-555-0001 is not VIPR enabled, the caller cannot already have a SIP route, so the RELOAD distributed database is queried: Rogue RELOAD VIPR Phone | | Fetch(+14085550001)=Node-ID | | |<-------------------------------| | | The next step is for the VIPR phone to execute an AppAttach transaction: Rogue RELOAD VIPR Phone | | | | | AppAttach(phone-IP)=rogue-IP | |<--------------------------------------------------------------------| | | | The AppAttach request contains the IP address of the PVP client - that's the first leak. The AppAttach request is signed by the certificate of VIPR phone. That's the second leak. The AppAttach request also contains the Node-ID of the VIPR phone in the via_list, so RELOAD can route back the response. That the third leak. Then the VIPR phone starts a TCP connection to the PVP server, using the IP address returned in the AppAttach response: Rogue RELOAD VIPR Phone | | | | | TCP establishment | |<--------------------------------------------------------------------| | | | That's the fourth leak. Next step is to establish the SRP-TLS session: Rogue RELOAD VIPR Phone | | | | Client Hello | | |-------------------------------------------------------------------->| | ServerHello/ServerKeyExchange/ServerHelloDone | |<--------------------------------------------------------------------| | Alert | | |-------------------------------------------------------------------->| We know that the 3 PVP methods leaks some data but first as the rogue VIPR server used different VServiceID for each registered phone number, and as the VServiceId is sent in clear in the SRP-TLS exchange, the rogue server knows the called number. Then for method A the hash of the Caller-ID is also sent in clear. For method B a random time chosen in the middle of the call is sent in clear. For method C the start/end time of the call are sent in clear. Again, we can fix all of these. The problem is that we cannot fix the RELOAD issues in a timely manner. - -- Marc Petit-Huguenin Personal email: marc@petit-huguenin.org Professional email: petithug@acm.org Blog: http://blog.marc.petit-huguenin.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJPIaEfAAoJECnERZXWan7EHjYQALwGDeCdRFLOzinFviR8WTfw z86vZFWhL2+Bzxnc50cFZY8uav9CBgN9xpLBRIklXvlhwyWxwossUAASE/b7BCQr SaspiMW3oijv3jjPdPyqUuFNMYJFxf+mS+MOwwd+TnUUVLMQZBi7vI9lsbOegWLm 30jaY1NfBscgqzJPDY3hgbp56R31cGTYl7scE4WndudNA0wr7QeratzvQa3rm9OI XzGXJGaFtuXEG9KTC/cDJiXM23CtDCq9rFmA+6P5FkaVIsG/YDQi4gPYIiUT7vvv YXdHhVaOa7GZVUbOYjoi73J898iRtzyBoZtEvE50CbHs91PYw7PuXaqF0KYF6zfU 82pXh+Wvlw+O5l+X/6EfWj3cjTMY5bBueP2VBtIsmz+iqEKY63PCNGWUaOiyOCbv 5lRjFVLlqjxvL/jJoCOf7Hrvw67NpOcx/ZZyXfF883enb+E2z1f+qvK26VKkOLG4 2gSThVi+SypDyw5MId0tNGp4DXVD4x9oepc5kqYooiNAjFkY4Q3HBAqCHmcbgYvn qa/lUEelPryQ3ojbhgXfww8H8axHsmh0o0np/8JlpDQmQJ5CBBavMY00gZdgyF1z syesITpMgkpIhj5qQjsMd6gSRGu8RLPClg1fK/BPDLHwBUF2tMkJmCvAHwQK9etv 1eYCUlXRb9AUBhshZMrY =XNF7 -----END PGP SIGNATURE-----
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Kevin P. Fleming
- Re: [VIPR] VIPR privacy issue Kurt Bergsbaken
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Dean Willis
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Mary Barnes
- Re: [VIPR] VIPR privacy issue Kurt Bergsbaken
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Kevin P. Fleming
- Re: [VIPR] VIPR privacy issue Dean Willis
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin