Hi Jing,

>-----Original Message-----
>From: Jing Chen [mailto:[EMAIL PROTECTED]
>Sent: Monday, August 04, 2008 10:34 AM
>To: songhaibin 64081
>Cc: [email protected]; Dan York
>Subject: Re: Re :Re: [P2PSIP] P2PSIP security
>
>Hi all,
> I have a question about the nodeID assignment in P2PSIP. As it said
>that " In order to prevent so-called Sybil or join-leave attacks, the
>attacker SHOULD NOT be able to easily register a unlimited number of
>IDs of his choice in the P2SIP overlay. The P2PSIP system SHOULD be
>able to control ID assignment. " in "draft-matuszewski-p2psip-security
>requirements-03.txt", how to determine the node's real identification
>in nodeID assignment? By its IP addr? By the username used on it? Or
>by its MAC addr? The IP addr may change, the username who uses the
>node may change, and so on. I mean that the attacker may change his
>usernames or his node IP addresses to register new nodeIDs or perhaps
>he can control many nodes to register many new nodeIDs although our
>P2PSIP system can control ID assignment indeed.

When you bind a node ID with its physical equipment or device, e.g. MAC addr, a user who has many equipment or devices can obtain many node IDs if he can afford the cost. When you bind a node ID to a username, then a user who registered many usernames can also obtain many node IDs, however, perhaps there are economic resorts to lessen the problem. I mean, you can not absolutely prevent a "user" to obtain more than one node ID unless you can bind the node ID to the user's unique characteristic, e.g. passport number, etc. Most likely we can only prevent a user to "easily" obtain unlimited number of node IDs.

Regards!
Song Haibin

>
>2008/7/30 songhaibin 64081 <[EMAIL PROTECTED]>:
>> Hi Jing,
>>
>>> I have three questions about the new security requirements draft (-03):
>>> (1) The threats and security requirements on DHT network or overlay are discussed, but what about the threats and security requirements on SIP? Especially that what are the threats on decentralized SIP?
>>>
>>
>> Good question. I have discussed this question with Dan before, but we are so busy. You will see the text about it in the next revision.
>>
>>> (2) Why the layers in "Figure 2 P2PSIP architecture" are different from the architecture layers in RELOAD? The KBR Layer isn't included in the layers of RELOAD, and this layer is not defined in draft-ietf-p2psip-concepts-02.
>>>
>>
>> I think the WG now have not achieved a consensus on the P2P layers. Bruce didn't mention that issue in his presentation. But I think the architecture are similar with Reload. We will surely make the architecture consistent with the WG's consensus.
>>
>> From many papers, you will find KBR layer is often used. Anyway, we will keep it consistent with the WG's consensus item.
>>
>>> (3) As I know, PKI-based certificate is not flexible enough nor bandwidth efficient because of the size of keys and certificates used. Why we don't consider to use Identity-based security framework?
>>>
>>
>> I think Identity-based security framework may be easy to use in the self organized network. But the purpose of this draft mainly is not to provide the concrete solutions. It just tells you what the security issues are in the overlay, and you should consider them when you establish a p2p overlay.
>>
>> Best Regards!
>> -Song Haibin
>>

_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip
