Hi Michael,

I don’t quite follow the case you described. Shouldn’t a well-behaved rejoining peer be using the still valid certificate in the first place? Otherwise, it is easy to exploit this to launch a DoS attack against ES, which must be protected.

BR
Lingli

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Chen
Sent: July 5, 2013 1:56
To: [email protected]
Subject: [P2PSIP] An overlay resource leak scenario

Hi,

Background
==========
In a SIP usage of RELOAD, a peer can store its AoR and certificate in a single RELOAD Store Request with a SIP Registration kind and a Certificate By User kind. The data model for the SIP Registration is a dictionary with its Node-ID as key, and Certificate By User is an array.

P2PSIP Draft
===========
In p2psip-base-26, section 11.3, bullet #5 says:

   o One or more Node-IDs ...
   ...
   The enrollment server SHOULD maintain a mapping of users to Node-IDs and if the same user returns (e.g., to have their certificate re-issued) return the same Node-IDs, thus avoiding the need for implementations to re-store all their data when their certificates expire.

Implementation
=============
The enrollment server always returns a new Node-ID or keeps the above mapping for a short period compared to the expiration time of the certificate.

Usage Scenario
=============
A device goes in and out of the range of WiFi as it moves or sleeps then awakes. Each time it loses the WiFi, RELOAD does not get the chance to properly Leave the overlay. Each time it gets the WiFi back, it rejoins the overlay and receives a new Node-ID and thus a new certificate.

Resource Leak
=============
Due to the data model (dictionary keyed off Node-ID) and array (Store by appending), the overlay holds on to more and more useless SIP Registration and Certificate By User at the Resource-ID (hash of the device's AoR).

Possible Remedy 1
================
(p2psip-base) The enrollment server MUST maintain the same AoR to Node-ID mapping as long as the corresponding certificate is still valid.

Con: expensive enrollment server storage.

Possible Remedy 2
================
(p2psip-sip and p2psip-base?) The joining peer MUST fetch and remove existing SIP Registration and Certificate By User at the Resource-ID before storing its current one.

Con: peer-join complexity.

Do I have a case?

Thanks
--Michael
_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip
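
The growth described in the thread and the effect of the two proposed remedies, as a small model added here for illustration; it is not part of either message and is not RELOAD code. The class and function names, the policy labels, the sample AoR, the use of SHA-1 for the Resource-ID, the absence of stored-data expiry within the simulated window, and the rule that an unchanged certificate is not appended twice are all assumptions of the model.

```python
import hashlib
from itertools import count

class Overlay:
    """Toy storage for one overlay; models only the two kinds named in the thread."""
    def __init__(self):
        self.sip_registration = {}  # Resource-ID -> {Node-ID: contact}, dictionary model
        self.cert_by_user = {}      # Resource-ID -> [certificate, ...], array model

    @staticmethod
    def resource_id(aor):
        return hashlib.sha1(aor.encode()).hexdigest()  # hash of the AoR (hash choice assumed)

    def store(self, aor, node_id, cert):
        rid = self.resource_id(aor)
        self.sip_registration.setdefault(rid, {})[node_id] = "contact@" + node_id
        certs = self.cert_by_user.setdefault(rid, [])
        if cert not in certs:       # assumption: an unchanged certificate is not re-appended
            certs.append(cert)

    def remove_all(self, aor):
        rid = self.resource_id(aor)
        self.sip_registration.pop(rid, None)
        self.cert_by_user.pop(rid, None)

    def usage(self, aor):
        rid = self.resource_id(aor)
        return len(self.sip_registration.get(rid, {})), len(self.cert_by_user.get(rid, []))

def simulate(policy, rejoins, aor="sip:alice@example.org"):  # constructed sample AoR
    """Return (registrations, certificates) held at the AoR's Resource-ID after `rejoins` joins."""
    overlay, serial, mapping = Overlay(), count(1), {}
    for _ in range(rejoins):
        if policy == "stable_mapping" and aor in mapping:   # Remedy 1: mapping kept by ES
            node_id, cert = mapping[aor]
        else:                                               # enrollment issues a fresh identity
            n = next(serial)
            node_id, cert = f"node-{n}", f"cert-{n}"
            mapping[aor] = (node_id, cert)
        if policy == "fetch_and_remove":                    # Remedy 2: clean up before storing
            overlay.remove_all(aor)
        overlay.store(aor, node_id, cert)  # the device never sent Leave, so nothing else is removed
    return overlay.usage(aor)

if __name__ == "__main__":
    for policy in ("new_node_id", "stable_mapping", "fetch_and_remove"):
        print(policy, simulate(policy, 20))
```

With a new Node-ID on every rejoin, both counts grow linearly with the number of rejoins; under either remedy they stay at one entry each.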
