P2PNS: A Secure Distributed Name Service for P2PSIP

Similar documents
Overlay Networks in ScaleNet

S/Kademlia: A Practicable Approach Towards Secure Key Based Routing

OverSim. A Flexible Overlay Network Simulation Framework. Ingmar Baumgart, Bernhard Heep, Stephan Krause

Coordinate-based Routing:

P2PSIP, ICE, and RTCWeb

Security for Structured Peer-to-peer Overlay Networks. Acknowledgement. Outline. By Miguel Castro et al. OSDI 02 Presented by Shiping Chen in IT818

RELOAD P2P Overlay Access Protocol. Younghan Kim Soongsil University

Unit 8 Peer-to-Peer Networking

Latest Peer-to-Peer Technologies II Artjom Lind 1

Peer-to-peer systems and overlay networks

A DHT-based Distributed Location Service for Internet Applications

OverSim. A Scalable and Flexible Overlay Framework for Simulation and Real Network Applications. Ingmar Baumgart, Bernhard Heep, Stephan Krause

Lecture 6: Overlay Networks. CS 598: Advanced Internetworking Matthew Caesar February 15, 2011

A Virtual and Distributed Control Layer with Proximity Awareness for Group Conferencing in P2PSIP

Distributed Hash Table

GNUnet Distributed Data Storage

Peer-to-Peer Internet Applications: A Review

P2PSIP Draft Charter. Dean Willis March 2006

Telecommunication Services Engineering Lab. Roch H. Glitho

Overlay and P2P Networks. Introduction. Prof. Sasu Tarkoma

Overlay and P2P Networks. Introduction. Prof. Sasu Tarkoma

08 Distributed Hash Tables

Content Overlays. Nick Feamster CS 7260 March 12, 2007

Venugopal Ramasubramanian Emin Gün Sirer SIGCOMM 04

The Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Presented By: Kamalakar Kambhatla

From POTS to VoP2P: Step 1. P2P Voice Applications. Renato Lo Cigno

Peer-to-Peer Systems. Network Science: Introduction. P2P History: P2P History: 1999 today

P2P Network Structured Networks (IV) Distributed Hash Tables. Pedro García López Universitat Rovira I Virgili

Kademlia: A P2P Informa2on System Based on the XOR Metric

Implementation and Performance Evaluation of a P2PSIP Distributed Proxy/Registrar

Introduction to Peer-to-Peer Systems

Distributed Hash Tables: Chord

Saarland University Faculty of Natural Sciences and Technology I Department of Computer Science. Masters Thesis

Problems on Voice over IP (VoIP)

Preface Preliminaries. Introduction to VoIP Networks. Public Switched Telephone Network (PSTN) Switching Routing Connection hierarchy Telephone

Cooperative SIP Infrastructure for Highly Reliable. Telecommunication Services

A Multi-constraint Resource Search Algorithm for P2P-SIP Conference Services

A RELOAD Usage for Distributed Conference Control (DisCo)

Making Gnutella-like P2P Systems Scalable

Herbivore: An Anonymous Information Sharing System

Overlay networks. To do. Overlay networks. P2P evolution DHTs in general, Chord and Kademlia. Turtles all the way down. q q q

NodeId Verification Method against Routing Table Poisoning Attack in Chord DHT

Distributed Information Processing

A Scalable Content- Addressable Network

Peer-to-Peer (P2P) Systems

CSE 5306 Distributed Systems

Mobile Peer-to-Peer Business Models T Network Services Business Models. Mikko Heikkinen

Overlay networks. Today. l Overlays networks l P2P evolution l Pastry as a routing overlay example

Overlay and P2P Networks. Introduction. Prof. Sasu Tarkoma

Asynchronous SIP Routing

P2P Network Structured Networks: Distributed Hash Tables. Pedro García López Universitat Rovira I Virgili

Peer-to-peer computing research a fad?

Service Quality Assurance Mechanisms for P2P SIP VoIP

Reminder: Distributed Hash Table (DHT) CS514: Intermediate Course in Operating Systems. Several flavors, each with variants.

Secure Distributed Storage in Peer-to-peer networks

Dissemination of Paths in Path-Aware Networks

CSE 5306 Distributed Systems. Naming

March 10, Distributed Hash-based Lookup. for Peer-to-Peer Systems. Sandeep Shelke Shrirang Shirodkar MTech I CSE

Overlay and P2P Networks. Applications. Prof. Sasu Tarkoma and

CS555: Distributed Systems [Fall 2017] Dept. Of Computer Science, Colorado State University

Veracity: Practical Secure Network Coordinates via Vote-Based Agreements

Detecting and Recovering from Overlay Routing Attacks in Peer-to-Peer Distributed Hash Tables

Problems in Reputation based Methods in P2P Networks

WhanauSIP: A Secure Peer-to-Peer Communications Platform. Raymond Cheng

Goals. EECS 122: Introduction to Computer Networks Overlay Networks and P2P Networks. Solution. Overlay Networks: Motivations.

Optimizing SIP Service Provisioning in Internet Connected MANETs

R/Kademlia: Recursive and Topology-aware Overlay Routing

Peer-To-Peer Techniques

CS 640 Introduction to Computer Networks. Today s lecture. What is P2P? Lecture30. Peer to peer applications

EECS 122: Introduction to Computer Networks Overlay Networks and P2P Networks. Overlay Networks: Motivations

Topics in P2P Networked Systems

Peer to Peer Networks

Peer-to-Peer Systems and Distributed Hash Tables

Tech-invite. RFC 3261's SIP Examples. biloxi.com Registrar. Bob's SIP phone

Internet Indirection Infrastructure (i3) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana. UC Berkeley SIGCOMM 2002

Flooded Queries (Gnutella) Centralized Lookup (Napster) Routed Queries (Freenet, Chord, etc.) Overview N 2 N 1 N 3 N 4 N 8 N 9 N N 7 N 6 N 9

Today. Why might P2P be a win? What is a Peer-to-Peer (P2P) system? Peer-to-Peer Systems and Distributed Hash Tables

PeerfactSim.KOM: A Simulation Framework for Peer-to-Peer Systems

Searching for Shared Resources: DHT in General

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

Searching for Shared Resources: DHT in General

Internet Engineering Task Force (IETF)

Configure Centralized Deployment

Overlay and P2P Networks. Structured Networks and DHTs. Prof. Sasu Tarkoma

Host Identity Protocol

Overlay and P2P Networks. Introduction and unstructured networks. Prof. Sasu Tarkoma

Internet Engineering Task Force (IETF) Request for Comments: Ericsson A. Johnston Avaya January 2011

CPSC 426/526. P2P Lookup Service. Ennan Zhai. Computer Science Department Yale University

Web caches (proxy server) Applications (part 3) Applications (part 3) Caching example (1) More about Web caching

Peer to Peer Networks

Extensions to SIP and P2PSIP

A Common API for Structured Peer-to- Peer Overlays. Frank Dabek, Ben Y. Zhao, Peter Druschel, Ion Stoica

Page 1. How Did it Start?" Model" Main Challenge" CS162 Operating Systems and Systems Programming Lecture 24. Peer-to-Peer Networks"

Cisco VCS Authenticating Devices

EE 122: Peer-to-Peer (P2P) Networks. Ion Stoica November 27, 2002

Naming in Distributed Systems

Badri Nath Rutgers University

Host Identity Indirection Infrastructure Hi 3. Jari Arkko, Pekka Nikander and Börje Ohlman Ericsson Research

Unified Communications Mobile and Remote Access via Cisco Expressway

Peer-to-Peer Computing

Transcription:

P2PNS: A Secure Distributed Name Service for P2PSIP Mobile P2P 2008, Hong Kong, China

Outline Decentralized VoIP (P2PSIP) Peer-to-Peer name service (P2PNS) Architecture Two-stage name resolution P2PNS security Attacks on nodeid generation Attacks on message forwarding Attacks on DHT layer Conclusion 1

Peer-to-Peer SIP What is P2PSIP? Using a peer-to-peer network instead of centralized servers for SIP user registration and location lookup Why P2PSIP? Cost reduction (no servers needed) Scalability Reliability (No single point of failure, self healing) Failover for server-based SIP networks (in emergency cases) NAT traversal Skype (largest VoIP provider in the world) also uses P2P technologies, but no open standard 2

Server-based SIP vs. P2PSIP Call setup with server-based SIP: Alice 1 2 REGISTER alice@tm.uka.de => 141.31.93.13 INVITE alice@tm.uka.de Bob 141.31.93.13 tm.uka.de 3 Contact :141.31.93.13 Call setup with P2PSIP: Alice 141.31.93.13 1 REGISTER alice => 141.31.93.13 P2P- Overlay 3 2 INVITE alice Contact: 141.31.93.13 Bob 3

Decentralized VoIP (P2PSIP) Alice 1 REGISTER alice => 141.31.93.13 P2PNS 2 INVITE alice Bob 141.31.93.13 3 Contact: 141.31.93.13 Main task in P2PSIP: Resolve AoR to current IP address Challenge: Many security issues in a completely decentralized network Our approach: Generic distributed name service P2PNS (IETF draft-baumgart-p2psip-p2pns-00) 4

Peer-to-Peer Name Service (P2PNS) Distributed name resolution for: P2PSIP, decentralized DNS, HIP, decentralized IM (XMPP) Same task in all scenarios: Resolve a name (AoR, domain name, HIT) to the current transport address (IP, port) P2PNS interface: register(name, transport address) resolve(name) Name cache on top of KBR/DHT P2P layer Focus on security in completely decentralized networks: Unique usernames Prevent identity theft 5

P2PNS Architecture Modular architecture based on Common API: Key Based Routing (KBR) Task: Message routing to nodeids Distributed Hash Table (DHT) Task: Distributed data storage Name Cache Task: Caching of AoRs P2PSIP proxy: Connects legacy SIP UAs to the P2PNS service register() resolve() Name Cache put() get() route() lookup() DHT KBR 6

Key-based Routing (KBR) Message routing to nodeids Provided by structured overlay networks Kademlia, Chord, Koorde, Broose, Pastry Main idea: Each node has a nodeid Overlay routing table with nodeids of overlay neighbours Efficient lookup of keys and nodeids in O(log N) 7

Distributed Hash Table (DHT) Distributed storage of (key, value) tuples Uses the KBR layer to determine responsible nodes for data storage Locate a node with a nodeid close to H(key) 21.001-40.000 40.001-65.536 7001-10.000 0-1000 4001-7000 10.001-21.000 1001-2000 2001-4000 H( sip:baumgart )=2313 Node stores the mapping (sip:baumgart, NodeID) 8

DHT security is expensive Malicious nodes can modify or delete locally stored data items Countermeasure: Replicate data items on k nodes and use majority votes Modifying data items in a DHT is expensive DHT usage for P2PSIP Usual approach: DHT stores AoR IP mapping P2PNS approach: Two-stage name resolution based on KBR and DHT services 9

Two-Stage Name Resolution 1.) Resolve AoR NodeID (DHT layer) 2.) Resolve NodeID IP (KBR layer) Motivation: Modification of data records on DHT is expensive (due to security mechanisms) (AoR, NodeID) binding is static: No modification needed if IP address changes (ID/Loc split) IP address changes are efficiently handled on KBR layer 10

Example: P2PNS user registration 2. REGISTER(U) 1. REGISTER(To:U) SIP register() resolve() 3. JOIN(NodeID_X) Name Cache put() get() route() lookup() DHT 4. PUT(U, NodeID_X) User U KBR Peer X 11

Example: P2PNS user lookup 5. INVITE(To:U) 2. RESOLVE(U) 1. INVITE(To:U) User V SIP register() resolve() 4. LOOKUP(NodeID_X) Name Cache put() get() route() lookup() KBR DHT 3. GET(U) 6. INVITE(To:U) User U SIP Peer Y 12

P2PNS security threats Attacks on routing (KBR) NodeID generation By carefully choosing a node ID an attacker can control access to target objects Message forwarding Malicious nodes along the route between sender and target node can modify or drop messages to a key Routing table maintenance DoS attack by distribution of faulty routing table updates Attacks on data storage (DHT) Malicious nodes can modify or delete locally stored data items 13

Attacks on nodeid generation Eclipse attack: By carefully choosing a nodeid an attacker can control access to target objects Sybil attack: A single node can join the network with several nodeids Countermeasure: Make nodeid generation expensive Limit free nodeid selection 14

Secure NodeID generation Common approach: NodeID = SHA1(IP+port) Problems: Sybil attack still possible if an attacker controls several IP addresses Constantly changing nodeids on dial-up connections Better: NodeID = SHA1(public key) Public key can be used to authenticate node messages Sybil attack and choose of a specific nodeid still feasible Use in combination with crypto puzzles to make creation of new nodeids expensive Use a offline CA to generate nodeids (if available) 15

Attacks on message forwarding Malicious nodes along the path between sender and target node can modify or drop messages to a key Countermeasure: Parallel lookup over disjoint paths increases the lookup success ratio: P(lookup success) = 1 (1 (1 m) h ) d Most important security properties of KBR protocols Average path length h Number of disjoint paths d 16

Effect of disjoint paths on lookup success Fraction of successful node lookups 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0 d=8 d=4 d=2 d=1 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 Fraction of adversarial nodes (N=10000, k=16, s=16) Even with 25% adversarial nodes 99% lookups succeed in a Kademlia network with 10000 nodes 17

Secure DHT layer Data records must only be modified by the owner of a record Modification requests are signed with k priv Only store a single record for each key Unique usernames Data records are replicated on k nodes Query all replica in parallel and use majority votes Joining nodes pull all replica in their key range 18

P2PNS implementation Unmodified SIP UAs Added P2PNS support to OpenSER SIP proxy Overlay Framework OverSim (http://www.oversim.org/) Provides P2PNS service to the P2PSIP proxy 19

Future work KBR protocol selection Several promising candidates: Kademlia, Broose, Pastry Focus on low latency and security Evaluation of DHT replication strategies Standardization Generic P2P protocol Common interface for KBR/DHT service Bootstrapping NAT traversal 20

Conclusion P2PNS provides generic name resolution for P2PSIP, DNS, Jabber, HIP Modular architecture based on Common API Focus on security in completely decentralized environments Two-stage name resolution reduces communication costs in dynamic networks 21

Thank you for your attention! Any questions? 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback