I've changed the subject to be more meaningful. As Brian indicated in his message, the current specs aren't set in stone, so if there's some important security feature to be added, the WG can certainly add it. That said, I'm not sure I understand the security issues you're concerned with.
xianghan.zheng wrote:
> Several internet drafts propose a certificate-based security solution. It
> does solve some problems. However, it is not enough for protecting
> privacy. In the decentralized system, one malicious peer may become
> malicious when it receives the certificate and joins the overlay.

Sure. We anticipate that some fraction of the nodes in the overlay will be malicious.

> That means he can act as an intermediate peer that reads the incoming P2PSIP
> request and records a profile of the source and destination privacy.

Well, it's a little more complicated than this.

1. Because of the structure of the overlay, any given node only has a modest chance of being in the path between two other nodes. Specifically, if source (S) and destination (D) are randomly chosen, then the probability that an arbitrary node A will be on the path between S and D is on the order of (1-log(N)/N)^log(N) [for Chord]. In some overlay algorithms, attackers can affect the topology, thus increasing the number of paths they are on. There are of course countermeasures for this as well.

2. Even if a node is on the path between two other nodes, it learns only a limited amount of information, mostly who is talking to whom and what they are asking for. If nodes wish to hide this information, they can use CONNECT to set up a connection between themselves and then perform transactions over that direct connection. This isn't perfect, since the information that they set up a connection between themselves is still visible, but it's not clear that that information is itself sensitive. Note that we could in principle add an encryption feature to RELOAD to remove the CONNECT overhead, but that's just an optimization.

3. The destination/via list features allow nodes to act as anonymization proxies, though of course that will need the explicit support of that node.

> Later, he can do many malicious things, e.g. send SPAM, DoS attacks, etc.
> So, in the decentralized system, currently, there is no solution to
> protect the privacy.

1. SPAM, DoS, etc. aren't really privacy issues.

2. I'm not convinced that being able to snoop messages in the overlay makes SPAM and DoS much easier. Can you explain why you think this is the case?

3. To a great extent, any open network has SPAM and DoS issues. Because RELOAD provides positive authentication of participants, it arguably is substantially better in this regard.

> And in order to protect privacy, which is the basic service a P2PSIP system
> should do, we may need to consider revising the protocol a little bit,
> ..... and so on. That is why I thought the internet drafts
> are not enough and powerful currently.

I'd certainly be interested in hearing about any new security features you think would be useful here.

> Most of the engineers consider accessibility and availability too
> much, so that sometimes they did not think of the security, privacy, and
> some basic things. I did when I was working in the network application
> field, but now I work more in the system security.

Actually, we did think about security pretty extensively during the design of RELOAD.

-Ekr

_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip
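To put point 1 of the reply on concrete footing, here is an added example (it is not code from the thread, from RELOAD, or from any Chord implementation) that builds a toy Chord ring from constructed random node ids, routes lookups with the standard finger-table greedy algorithm, and estimates empirically how often a uniformly chosen third node sits strictly between a random source and destination on the route. It also evaluates the quoted expression (1-log(N)/N)^log(N); the message does not state the logarithm base, so base 2 is assumed here. For N=256 that expression comes out near 0.78 while the empirical on-path fraction is around one percent, so the block reports both the on-path fraction and its complement for comparison. The ring size, identifier width, trial count and seeds are arbitrary choices for the demonstration.

```python
"""Toy Chord ring: how often does an arbitrary node lie on the route
between two others?  Added example, not RELOAD code; the ring and
its node ids are constructed with a seeded RNG."""
import math
import random
from bisect import bisect_left


def build_ring(n_nodes, id_bits, seed=1):
    """Return sorted node ids for a constructed ring of random ids."""
    rng = random.Random(seed)
    return sorted(rng.sample(range(2 ** id_bits), n_nodes))


def successor(ring, key):
    """First node id >= key on the identifier circle (wraps to ring[0])."""
    i = bisect_left(ring, key)
    return ring[0] if i == len(ring) else ring[i]


def build_fingers(ring, id_bits):
    """finger[i] of node n is successor(n + 2^i); finger[0] is n's successor."""
    space = 2 ** id_bits
    return {n: [successor(ring, (n + 2 ** i) % space) for i in range(id_bits)]
            for n in ring}


def _in_open(a, b, x):
    """x in the circular open interval (a, b)."""
    return a < x < b if a < b else (x > a or x < b)


def _in_open_closed(a, b, x):
    """x in the circular half-open interval (a, b]."""
    return a < x <= b if a < b else (x > a or x <= b)


def route(fingers, src, key):
    """Greedy Chord lookup of key starting at src.

    Returns the node ids visited, ending at successor(key); when key is
    itself a node id the route ends at that node."""
    if src == key:
        return [src]
    path = [src]
    cur = src
    while True:
        succ = fingers[cur][0]
        if _in_open_closed(cur, succ, key):
            path.append(succ)
            return path
        # closest preceding finger: largest finger strictly inside (cur, key)
        nxt = cur
        for f in reversed(fingers[cur]):
            if _in_open(cur, key, f):
                nxt = f
                break
        path.append(nxt)
        cur = nxt


def on_path_probability(ring, fingers, trials=2000, seed=2):
    """Monte-Carlo estimate of P[a uniformly chosen third node A lies
    strictly between random S and D on the route from S to D]."""
    rng = random.Random(seed)
    n = len(ring)
    intermediates = 0
    for _ in range(trials):
        s, d = rng.sample(ring, 2)
        intermediates += len(route(fingers, s, d)) - 2  # drop S and D
    return intermediates / (trials * (n - 2))


def quoted_estimate(n):
    """The expression from the thread, (1 - log N / N)^log N, with base-2
    logarithms (an assumption; the message does not give the base)."""
    lg = math.log2(n)
    return (1 - lg / n) ** lg


if __name__ == "__main__":
    N, BITS = 256, 16
    ring = build_ring(N, BITS)
    fingers = build_fingers(ring, BITS)
    p = on_path_probability(ring, fingers)
    print(f"N={N}: empirical P[A on path] = {p:.4f}, complement = {1 - p:.4f}, "
          f"quoted expression = {quoted_estimate(N):.4f}")
```

The estimate is the expected number of intermediate hops divided by N-2, which is exactly the chance that a uniformly chosen third node is one of them; a defender evaluating exposure to a snooping peer would multiply this per-route figure by the number of routes that peer can observe over time, which is what the reply's remark about attackers shaping the topology is about.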
