At Tue, 04 Mar 2008 11:23:17 -0500,
jiangxingfeng 36340 wrote:
> 
> 
> > At Mon, 03 Mar 2008 16:59:05 -0500,
> > jiangxingfeng 36340 wrote:
> > > 
> > > > I don't in principle have a problem with a separate non-normative
> > > > document containing security analysis of P2PSIP systems.
> > > > 
> > > > However, I believe all of the security features need to be
> > > > part of the core protocol and the core document, which is why we built them
> > > > into RELOAD.
> > > > 
> > > 
> > > 
> > > With regard to security, IMHO, the most difficult part is how the
> > > system deals with malicious behavior. Some papers show that if a
> > > large number of peers are malicious, the system cannot be a safe
> > > one. But does that mean malicious behavior need not be taken into
> > > account while designing the core protocol? I don't think so.
> > 
> > Nor do I. That's why RELOAD goes to quite a bit of effort to provide
> > correct functioning to the extent possible in the face of malicious
> > peers (at least in certificate mode). 
> > 
> 
> Thanks for your effort. To protect the system from malicious
> behavior, we may get new ideas if we change the perspective from which
> we look at the P2PSIP system. Now I write what I'm thinking, and
> hopefully it will be helpful to the P2PSIP WG.
> 
> 1. It's hard to detect malicious behavior online. But the P2PSIP system, IMHO,
> should have a mechanism to check who has performed the malicious behavior, so that a
> peer, or at least the administrator of the overlay, is able to use the mechanism
> when it suspects that malicious behavior exists.
> 
> 2. On the other hand, the P2PSIP external functions, such as routing and
> storage, are realized by peers serving each other. As compared to the C/S
> service model, the server's processing logic is no longer trusted in a P2P
> system. So the client in the service model should do something to
> facilitate the above audit mechanism, or do some check of whether the server in
> the service model has served it according to the agreement between them.
> In this regard, IMHO, the hop-by-hop reliability model is more easily used
> in this work. Let's get back to the specific services. There are two
> specific services in the P2PSIP system: one is the routing service and the other
> the storage service. The routing service happens both hop-by-hop and end-to-end.
> In the end-to-end case, the client requesting the routing service wants to know
> whether the real responsible peer gives the response; this is also called an
> identity attack. As for the storage service, it is end-to-end.
> 
> 
> any comments? 

Yes.

RELOAD provides most of this functionality already:

1. There is hop-by-hop security via DTLS.
2. End-to-end security can be provided via digital signatures on
   messages. It's in general not clear exactly how useful this 
   is in any system as far as responses go because if you're
   referencing a specific resource ID then you don't know what
   peer will be responding. Obviously, the situation is different
   for requests.
3. Data values are signed by the storing peer, thus providing security
   for stored data, regardless of who is storing this.

There has been some discussion of distributed (decentralized)
auditing systems for P2P networks, but AFAIK it's an open
research problem.[0] So, I'm reluctant to try to build in
too many features explicitly for this. However, we already
provide (and are open to more) diagnostic and discovery features
that would be useful if you had a more clear idea of how to
actually do auditing.

-Ekr

[0] Actually, just the question of determining whether a specific
server is storing your data turns out to be quite difficult and
was only recently solved satisfactorily by Shacham and Waters.
(http://eprint.iacr.org/2008/073).
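The following is an added illustration of point 3 in the reply above (data values signed by the storing peer) and of the caveat in point 2 (the client cannot know which peer will answer). It is example code written for this page, not RELOAD's own data-value format or any WG implementation: the record layout, the kind number, the SHA-256 derivation of resource IDs, the sample names and addresses, and the expectation that the client already knows which key owns a resource are all assumptions made here. It plays a fetch through an untrusted responding peer three ways and shows which substitutions the client's own signature check catches without identifying the responder at all.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KindSIPRegistration is a constructed kind number for this example only.
const KindSIPRegistration uint32 = 1

// StoredValue is a simplified, constructed stand-in for a signed data value:
// the resource ID it is stored under, its kind, the payload, the public key of
// the peer that wrote it, and a signature covering all of those fields.
type StoredValue struct {
	ResourceID []byte
	Kind       uint32
	Value      []byte
	Signer     ed25519.PublicKey
	Sig        []byte
}

// ResourceID derives an overlay resource ID from a name. Using SHA-256 of the
// user name is an assumption made for this example.
func ResourceID(name string) []byte {
	sum := sha256.Sum256([]byte(name))
	return sum[:]
}

// signedBytes fixes the exact byte string the signature covers, so that the
// resource ID and kind are bound to the value and cannot be swapped later.
func signedBytes(resID []byte, kind uint32, value []byte) []byte {
	var buf bytes.Buffer
	buf.Write(resID)
	_ = binary.Write(&buf, binary.BigEndian, kind)
	buf.Write(value)
	return buf.Bytes()
}

// Store is what the writing peer does before handing the value to the overlay.
func Store(priv ed25519.PrivateKey, resID []byte, kind uint32, value []byte) StoredValue {
	return StoredValue{
		ResourceID: resID,
		Kind:       kind,
		Value:      value,
		Signer:     priv.Public().(ed25519.PublicKey),
		Sig:        ed25519.Sign(priv, signedBytes(resID, kind, value)),
	}
}

// Verify is the fetching client's end-to-end check on a value returned by
// whichever peer happened to answer. It checks that the value belongs to the
// requested resource and kind, that it was signed by the key the client expects
// to own that resource, and that the signature is valid. Nothing here
// identifies the responding peer; the value has to stand on its own.
func Verify(v StoredValue, wantResID []byte, wantKind uint32, wantSigner ed25519.PublicKey) error {
	if !bytes.Equal(v.ResourceID, wantResID) || v.Kind != wantKind {
		return errors.New("value is stored under a different resource ID or kind")
	}
	if len(v.Signer) != ed25519.PublicKeySize || !bytes.Equal(v.Signer, wantSigner) {
		return errors.New("value was not signed by the expected owner")
	}
	if len(v.Sig) != ed25519.SignatureSize ||
		!ed25519.Verify(v.Signer, signedBytes(v.ResourceID, v.Kind, v.Value), v.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// RunScenario fetches Alice's record through an untrusted responding peer and
// returns the verification result for three cases: the genuine value, the same
// record with a substituted payload, and a correctly signed record that belongs
// to a different resource. Keys, names and addresses are constructed sample data.
func RunScenario() (genuine, substituted, relocated error) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	aliceRes := ResourceID("alice@example.com")
	stored := Store(alicePriv, aliceRes, KindSIPRegistration, []byte("sip:alice@192.0.2.1"))

	// Case 1: the responder returns the value unchanged; any peer may serve it.
	genuine = Verify(stored, aliceRes, KindSIPRegistration, alicePub)

	// Case 2: the responder returns Alice's record with a different payload.
	forged := stored
	forged.Value = []byte("sip:alice@198.51.100.7")
	substituted = Verify(forged, aliceRes, KindSIPRegistration, alicePub)

	// Case 3: the responder returns Bob's genuine record in place of Alice's.
	// The signature is valid, but not for the requested resource or owner.
	bobRes := ResourceID("bob@example.com")
	bob := Store(bobPriv, bobRes, KindSIPRegistration, []byte("sip:bob@192.0.2.2"))
	relocated = Verify(bob, aliceRes, KindSIPRegistration, alicePub)
	return genuine, substituted, relocated
}

func main() {
	g, s, r := RunScenario()
	fmt.Println("genuine value:    ", g)
	fmt.Println("substituted value:", s)
	fmt.Println("relocated value:  ", r)
}
```

The design point is the one the reply makes: because the signature is bound to the resource ID, kind and owner key rather than to the responding peer, the client gets integrity for stored data no matter who served it, while still learning nothing about which peer answered. Which key is entitled to write under a given resource is a separate access-control decision; this example simply assumes the client already knows it.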

_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip