110 likes | 131 Views
P2P SIP Names & Security. Cullen Jennings fluffy@cisco.com. Security Trade Offs. Certain other features, or convenience of operation, make users willing to accept reduced security Better than nothing principle
E N D
P2P SIPNames & Security Cullen Jennings fluffy@cisco.com
Security Trade Offs • Certain other features, or convenience of operation, make users willing to accept reduced security • Better than nothing principle • Certain ideas that work in small groups of friends completely fail before they meet any size that would be considered “successful”
Threat Models • No idea what to put here - will need work • Run in my home? • Run on the internet? • Protect from neighbor? from me? wireless to front yard? • Protect what? • Used for playing games and no one cares if works? • Used by emergency workers? • Skype claims to have surprisingly strong security? Is it P2P? • What are the devices? • What is the information they exchange? • Who might be able to intercept/tamper with it? • How much would users or attackers care?
Security Concerns • Who am I talking to • When people want to talk to me, do they reach me • Can other people listen to my call • Can people discover who I call and when • Do I know who is calling me • Can I call someone without revealing who I am • Denial of service • Who can cancel my name • Do I know I am talking to same person as previous call • SPAM SPAM SPAMSPAM SPAMSPAM SPAM SPAM SPAM SPAM SPAM
Names • Some properties a namespace might have: • Names are unique • Can know who is authorized to use a name • Don’t require a central registry • Delegation of portions of namespace • Size of namespace • Free/Cheap in the monetary sense • Pick any few :-)
Names, Routes & Translation • What is a name: • An identifier that some object asserts that it goes by. The name is persistent over some time span. • Ex: email address, telephone number, “number” in DHT • What is a routable address: • An address that is routable in the context of a particular network element. • Ex: IP address • What is a translation: • lookup from name to another name or routable address • Ex: DHT
Example Namespaces • DNS • unique, central, delegated, cheap • authorization via web certs • Email addresses • sub delegation of DNS • IP Addresses • unique (mostly), admin delegate + DHCP • E.164 Telephone numbers • unique, non central, delegated, not cheap • authorization hard • somewhat limited size
P2P Names & Translation • Self assigned identifiers as names • Can “ask” if they are unique • Can’t “guarantee” that they are unique • Translation • all examples here translate to IP • A few approaches • Translation with DHT • Translation with broadcast table • Security Properties • Bad: identity, integrity, privacy, DoS, name stealing, Spam • Good: uh, ah, not much • Other properties • Good: operations and management
P2P as a DNS Replacement (Hint: I suspect this is not a good idea) • There are some use cases when DNS is not reachable • Many of these cases can be solved with local discovery approaches • Ex: (multicast, zeroconf, rendezvous, SrvLoc)
The BAD news • So far, no way to simultaneously achieve both: • no central name authority • stop names from being stolen by other users • This will somewhat constrain the security properties of various solutions
The GOOD newsGot lemons, Make lemonade • Anonymous Communications • Anonymous communications can be anonymous • SIP has not practically solved how to deploy media and signaling Anonymization • Distributed media relay • P2P style distributed media relays do not require names principle