As I mentioned, the signer must include an expiration. There is of course a window where they could update (change) a registration, and so there could be a time where a hostile node has two valid, unexpired registrations at his disposal to choose from, and could return a false one. This is a reason why registrations (including the expiration time) must be signed, and why they should be short duration.
If an attacker controls all replicas, you do have a problem, obviously, but forget the replicas, if the attacker can control that much of an overlay, they likely can simply prevent routing. Again, this is a classic attack on P2P systems, and rate-limiting new identities is designed to protect against this. If you are assuming that the attacker can somehow directly compromise and control either a large portion (so that it includes all replicas) or targeted (peer and its replicas), again, at that point the attacker could simply take over the overlay (or just take over A). In such a case, you are out of luck, but with that assumption, so is any client-server architecture (i.e., if I can take over the server, I control the network). This isn't a new attack, it has been considered extensively in the literature and in this group, and while there are some risks (peer-to-peer networks have different attack vectors), such an attack would be difficult to mount in practice with the sort of security safeguards that are being discussed in the WG.

Thanks,
David

On Wed, Jun 3, 2009 at 7:49 AM, Tien Tuan Anh Dinh <[email protected]> wrote:
>
>> In the literature, there are several ways to protect against it,
>> including signed registrations with expirations to prevent spoofed or
>> expired registrations from being returned,
>
> In the scenario I proposed, I assume the authenticity & integrity of these
> registrations, which include expired date as well. So there's no worry of
> spoofing.
>
>> replication to protect against P simply saying there is no
>> registration (I can ask someone else if I get a negative response to
>> get a second opinion if the party really is in the system)
>
> I also assumed that the attacker can control all the replicas that store the
> particular registration. That could be a reasonable assumption given a
> powerful attacker.
>
> The main issue here is not that client B (searching for client A) doesn't
> get the answer from P, but instead it always gets the expired registration
> from P, even A just "renewed" its registration at P. Thus, my question still
> is: are there reasonable incentives for P to do that?
>
> Anh.
>
_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip
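The signed, expiring registration David describes above, worked through as an added example that is not part of the thread or of any P2PSIP draft: the record layout, the 10-minute lifetime and the use of Ed25519 from Go's standard library are assumptions made here. It shows why the expiry has to be inside the signed bytes, and how the window between a renewal and the old record's expiry is exactly the lifetime chosen by the signer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Registration is the record a peer publishes; Expires sits inside the signed data.
type Registration struct {
	PeerID, Address string
	Expires         int64 // Unix seconds (assumed layout, not a P2PSIP wire format)
	Sig             []byte
}
var ErrBadSignature = errors.New("registration: bad signature")
var ErrExpired = errors.New("registration: expired")
// signedBytes is the canonical byte string the signature covers.
func (r Registration) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", r.PeerID, r.Address, r.Expires))
}
// NewRegistration signs a registration valid for ttl from now (the signer's clock).
func NewRegistration(priv ed25519.PrivateKey, peer, addr string, now time.Time, ttl time.Duration) Registration {
	r := Registration{PeerID: peer, Address: addr, Expires: now.Add(ttl).Unix()}
	r.Sig = ed25519.Sign(priv, r.signedBytes())
	return r
}

// Verify: signature first (so an altered Expires is rejected), then freshness on the verifier's clock.
func Verify(pub ed25519.PublicKey, r Registration, now time.Time) error {
	if !ed25519.Verify(pub, r.signedBytes(), r.Sig) {
		return ErrBadSignature
	}
	if !now.Before(time.Unix(r.Expires, 0)) {
		return ErrExpired
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Unix(1244000000, 0) // constructed fixed clock for the demo
	old := NewRegistration(priv, "A", "10.0.0.1:5060", t0, 10*time.Minute)
	renewed := NewRegistration(priv, "A", "10.0.0.2:5060", t0.Add(5*time.Minute), 10*time.Minute)
	// t0+6m: both verify (the window a hostile storing node can exploit); t0+10m: only renewed does.
	for _, now := range []time.Time{t0.Add(6 * time.Minute), t0.Add(10 * time.Minute)} {
		fmt.Println(now.Sub(t0), Verify(pub, old, now), Verify(pub, renewed, now))
	}
}
```

The searching peer checks freshness against its own clock, so the stale-record window Anh asks about is bounded by the lifetime plus any clock skew between A and B; a storing node that tries to stretch an old record by editing Expires only produces a signature failure.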
