P2PSIP Working Group J. Zhu Internet Draft M. Qi Intended status: Informational China Mobile Expires: August 2009 February 24, 2009 P2PSIP Security Requirements draft-zhu-p2psip-securityrequirements-00 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on August 24, 2009. Copyright Notice Copyright (C) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Judy Expires August 24, 2009 [Page 1] Internet-Draft P2PSIP Security Requirements February 2009 Abstract This draft discusses the security requirements in Peer-to-Peer (P2P) SIP system. As the P2P SIP is distributed and each peer is equal in it, it should face the extra security threat from traditional system. This draft introduces these security threats at first. After that, the security requirements of P2P SIP system were brought up. Judy Expires August 24, 2009 [Page 2] Internet-Draft P2PSIP Security Requirements February 2009 Table of Contents 1. Introduction................................................4 2. Security Scenarios..........................................5 2.1. VoIP...................................................5 2.2. Content Storage and Delivery............................7 2.3. Streaming..............................................9 3. Security Threats...........................................11 3.1. Lack of trust.........................................11 3.2. Authentication Problems................................11 3.3. Routing Insertion and Modification.....................11 3.4. Sniffer...............................................12 3.5. Insertion and Modification on Signaling and User Data...12 3.6. Flooding Attack........................................12 3.7. Distributed Denial of Service..........................12 3.8. Malicious Code Spreading...............................12 3.9. Free-Riding...........................................13 4. Security Requirements.......................................14 4.1. Trust Incentive System.................................14 4.2. Non-repudiation Mechanism..............................14 4.3. Distributed Authentication Infrastructure..............14 4.4. Fast Locate and Identify the Bad Nodes.................14 4.5. Packets and Data Integrity and Confidentiality..........14 4.6. Protection for Routing.................................15 4.7. Protection against Denial of Service...................15 4.8. Protection against Malicious Code......................15 5. Security Considerations.....................................16 6. IANA Considerations........................................17 7. Conclusions................................................18 8. References.................................................19 8.1. Normative References...................................19 8.2. Informative References.................................19 Judy Expires August 24, 2009 [Page 3] Internet-Draft P2PSIP Security Requirements February 2009 1. Introduction This draft introduce the main security concerns and security requirements in Peer-to-Peer SIP architecture [1]. SIP will be used in a peer-to-peer environment with the network development. The traditional mechanism used in SIP should be replaced by distributed mechanism to fit for the P2P network system. As a result, P2P SIP architecture should face new security threats and new security requirements. The purpose of this draft is to list the security requirements and make references for the future security solution study. Judy Expires August 24, 2009 [Page 4] Internet-Draft P2PSIP Security Requirements February 2009 2. Security Scenarios To study the security concern in P2P SIP system, there should be some application scenarios that used in P2P SIP environment. We will describe these security scenarios first and lead to discussion about security problems and security requirements. 2.1. VoIP There is an important scenario in P2P SIP system. It is how to use VoIP in the P2P SIP system. We list some assumption before discussing the security concerns in VoIP application. The first assumption is that there are some peers in the system. They are connected each other and form the P2P SIP system. Each of them act same behavior for transferring data. In the other hand some clients should be connected with peer. Each client should connect with one peer, but one peer may connect with some clients. The clients make the phone call by using this P2P network. They identify each other through some special peers in the network which named AAA. Under the assumption described above, we can design the security scenario that applying VoIP service as following figure 1. Judy Expires August 24, 2009 [Page 5] Internet-Draft P2PSIP Security Requirements February 2009 +------------------------------------------------+ | | | +-------+ +----------------+ | | |Client | V V | | +-------+ +----+ +-------+ | | ^ +------->|Peer|<--+ |PeerAAA|<+ | | | | +----+ | +-------+ | | | | | ^ | | | | | | | | 3| | | | | | | | | | | + | | | | | V V V | 5 V | | +----+ 3 +----+ 3 | +----+<---+------+ | | |Peer|<=====>|Peer|<====>|Peer| |Client| | | +----+ +----+ | +----+--->+------+ | | | ^ ^ ^ | ^^ 4 | | | | | | V 6|| | | 5| | | | +----+ || | | | 2| | +->|Peer|<-+| | | | | | +----+ | | | V | V ^ | | | +------+ 1 +--------+ | | | | |Client|<-->|Peer AAA|<-+ | | | +------+ +--------+<-------+ | +------------------------------------------------+ Figure 1 VoIP in P2P SIP system When a client (named client A) wants to call another client (named client B) by through the P2P SIP network, it should be identified at first. At the same time, the client A should identify the network too. It is shown as step 1 in the figure 1. This process MUST be done just because it is the basic of security environment. After that, client A should make a secure connection with the peer. And then, it will send a request though the P2P SIP network to set up a call connection as step 2 shown in the figure. This request should contain the information about target client and security parameter for network. When the network received this request, the network tries to find out client B. If the client B is connected with the P2P network, the client B and network should be identified each other as same as client A and network. At the same time, a secure path should be organized with the peers just as step 3. This path should meet the Judy Expires August 24, 2009 [Page 6] Internet-Draft P2PSIP Security Requirements February 2009 secure demand of client A and protect the data confidentiality and integrity. The step 4 is that P2P network is responsible for transferring the request from client A to client B. When client B received this request, it should check itself to satisfy the security demand. The step 5 shows that client B should send response message back if success. It also needs to establish the security tunnel between client B and nearest peer. The network will forward the response to client A so that the virtual voice channel has been established. It is possible that new peers enter this P2P network or old peers drop off during the conversation and the secure channel should be modified or updated as shown in step 6. These changes should be made to ensure that security level of routing will not be reduced. 2.2. Content Storage and Delivery P2P SIP system can afford distributed mass content storage and delivery. In this scenario, we make the same assumption in VoIP as the part of P2P content storage and delivery security. There is an extra assumption that each peer not only forwards the data but also acquires and stores the data if it is interested as following figure 2. Judy Expires August 24, 2009 [Page 7] Internet-Draft P2PSIP Security Requirements February 2009 +------------------------------------------------+ | | | +-------+ +----------------+ | | |Client | V V | | +-------+ +----+ +-------+ | | ^ +------->|Peer|<--+ |PeerAAA|<+ | | | | +----+ | +-------+ | | | | | ^ | | | | | | | | | | | | | | | | | | | + | | | | | V V V | V | | +----+ +----+ | +----+ +------+ | | |Peer|<=====>|Peer|<---->|Peer|<-->|Client| | | +----+ +----+ | +----+ +------+ | | ^ ^ ^ | ^ | | | + + V | | | | + + +----+ | +------+ | | 2| + +=>|Peer|<=======>|Client| | | | + +----+ | +------+ | | | V ^ | | | +------+ 1 +--------+ | | | | |Client|<-->|Peer AAA|<-+ | | | +------+ +--------+<-------+ | +------------------------------------------------+ Figure 2 Content Storage and Delivery in P2PSIP system The first step is also that a client (named client A) MUST be authenticated if it wants to connect with P2P SIP system. The AAA peer should be responsible for client authentication. After that, client A can use the content services of the network and make contribution by affording data that the system needed. When the client needs to get some resource from network, it will send request to P2P system as step 2. The network should find out the location where these resources stored, but it should not use broadcasting to get the exact positions just because broadcasting will lead to query flooding. When some peers who are stored the content receive request, they will send the content to the client. If there are some clients have the content, it should transfer the content to the peer they are connected with, then the peers forward the data to the client A. In the other side, if client A has some information that the network needs, it should transfer the information to the peer it has connected. The peer SHOULD send the information to several peers not Judy Expires August 24, 2009 [Page 8] Internet-Draft P2PSIP Security Requirements February 2009 only the peer that acquires the information but also some peers used for redundant backup. The P2P SIP network MUST protect the content with integrity and availability. As client A receives contents it needs, it should check its integrity and availability as well. P2P SIP system should inspect and control data flow for avoiding denial of service to single peer. 2.3. Streaming P2P Streaming is another application in the P2P SIP system and based on the content storage and delivery. In addition to assumption in scenario 2, we add new assumption that client can make direct communication with other clients. It is shown as figure 3. +------------------------------------------------+ | | | +-------+ +----------------+ | | |Client | V V | | +-------+ +----+ +-------+ | | ^ ^ +------->|Peer|<--+ |PeerAAA|<+ | | | | | +----+ | +-------+ | | | | | ^ | | | | | | | | | | | | | | | | | | | | | + | | | | | V V V | V | | | +----+ +----+ | +----+ +------+ | | |Peer|<=====>|Peer|<---->|Peer|<-->|Client| | | | +----+ +----+ | +----+ +------+ | | ^ ^ ^ | ^ | | | | | | V | | | | | | +----+ | +------+ | | | 2| | +=>|Peer|<------->|Client| | | | | +----+ | +------+ | | V | V ^ | | | +------+ 1 +--------+ | | | | |Client|<-->|Peer AAA|<-+ | | | +------+ +--------+<-------+ | +------------------------------------------------+ Figure 3 P2P SIP Streaming In this scenario, the security concern is very likely with the scenario in content storage and delivery. The client A and the Judy Expires August 24, 2009 [Page 9] Internet-Draft P2PSIP Security Requirements February 2009 network also need to be authenticated each other at first step, and client A can send request to network or receive request from network. In addition, client A should has ability to set up a direct tunnel with some other client. On the other hand, the network should protect streaming data that only legal users can get the right way to recognize data correctly. Judy Expires August 24, 2009 [Page 10] Internet-Draft P2PSIP Security Requirements February 2009 3. Security Threats This section analyzes the security threats about P2P-SIP system. 3.1. Lack of trust It is the basis to make the P2P SIP system secure that there is a mechanism to make peers trust each other. While the P2P SIP system has no centralized authentication node to verify peers identity, and peers should face so many network risks such as malicious attacks, toll fraud and ID impersonation, it is hard to set up a trust model for P2P SIP system. 3.2. Authentication Problems Authentication is the basis for communication. It will be important because the P2P-SIP architecture has no centralized key nodes that can authenticate users and set the right user authorizations. User's certification should be placed on a lot of nodes. This will cause the two problems o Unauthenticated user connects the system successfully o Legal user can't be recognized by system The first problem is that an attacker intrudes some weak peers and inserts fake identification of an illegal user client. As a result, the illegal user client can communicate with other peers/clients by using the fake identity. The second problem is that a legal user can't use P2P-SIP system in some situations. The first situation is the system can't find out which peer stores user client identity. The other situation is the peer stores user identity has lost identification of user client. As mentioned above, unauthenticated user can access the system easily. In another aspect, it means that the attacker can't be located rapidly when he is attacking the system, and it is difficult to find out the attacker's identity after attacking. In addition, the attacker with unauthenticated identity can send all kinds of junk information and advertisements to normal user for benefits. 3.3. Routing Insertion and Modification Routing protocol is the key protocol and core security mechanism for P2P SIP architecture. It provides some mechanisms, such as adding/deleting peers into system, locating specific peer, updating Judy Expires August 24, 2009 [Page 11] Internet-Draft P2PSIP Security Requirements February 2009 network status, searching source and the failure management. This will affect the network robust, reduce efficiency of the network, and even cause the interruption of user communication. 3.4. Sniffer Sniffer is a kind of tools which to view network traffic and analyze information in packet with detecting network communication. An attacker will use sniffer to get the private communication information, such as user's identity, the keys for protecting communication and the private data. Sniffing will be the beginning of a complex attacking action. 3.5. Insertion and Modification on Signaling and User Data An attacker can damage the system by modifying some signaling or inserting bad data. The wrong signaling will cause system unstable or some other severe problems for the network and end users, and users will suffer additional cost or lose business opportunity or any other from receiving the malicious data. 3.6. Flooding Attack Flooding attack is a kind of network attack. A bad node (client or peer) will send many packets or data to a specific peer. So the peer has no enough resource to process the huge information. A typical flooding attack is the INVITE flooding attack. The attacker will send a lot of INVITEs that mostly to fake channels. The peer should cost resource to store and deal the requests so that it can't provide services for the legal user. A proxy peer with authentication function will be more vulnerable to flooding attacks. 3.7. Distributed Denial of Service The P2P SIP architecture is vulnerable to Distributed Denial of Service (DDoS) attack. Because ach peer in the P2P SIP system can make connection with other peers. This means that the peer will be out of service if it is visited by a large number of peers in a short time. 3.8. Malicious Code Spreading In the P2P SIP environment, malicious code such as worm and Trojan horse can spread in the system easily because of the convenient sharing and routing mechanism. As the logical-adjacent peers may be far away in geographical in the p2p sip network, the malicious code Judy Expires August 24, 2009 [Page 12] Internet-Draft P2PSIP Security Requirements February 2009 can affect a large scope, and this will cause great damage for the system. 3.9. Free-Riding Free-Riding is a term that means some peer get the resources from the other peers rather than sharing own resources. The free-riding action will reduce the robustness and availability of P2P-SIP network. Judy Expires August 24, 2009 [Page 13] Internet-Draft P2PSIP Security Requirements February 2009 4. Security Requirements This section analyzes the security requirements of P2P SIP system. 4.1. Trust Incentive System It is necessary to create a trust system in the light of the trust architecture in the real world. This system will distinguish trust extent of each node as it works. It can avoid the problems as lack of confidence, system resources abusing and difficulty to identify attacker. 4.2. Non-repudiation Mechanism There is a need to set up non-repudiation mechanism in P2P SIP network. As the network is a lack-of-trust system, all nodes in this system have ability to deny the things which they made. Non- repudiation mechanism forces each node in the network to be responsible for its behaviour and limit the threat like deny-of- transaction, information-tampering, fraud and any other threaten. 4.3. Distributed Authentication Infrastructure P2P SIP system is a distributed network. This network has no centralized nodes. So P2P SIP system need distributed authentication mechanism. This mechanism should guarantee that identity of every node, either peer or client, can't be forged and no one node can impersonate other nodes. In addition, this mechanism should ensure that a legal user can access the system correctly. The identity for the legal user should be access easily and quickly. 4.4. Fast Locate and Identify the Bad Nodes The range of P2P overlay network under attack will be spread rapidly just because the every nodes is able to send out message to other nodes in P2P system. So the earlier attacker was located, the less lost in the P2P system was suffered. At the same time, it can limit and diminish security threats with identifying attacker's identity fast. 4.5. Packets and Data Integrity and Confidentiality Packets and data in P2P SIP system should be more dangerous than traditional SIP network. So the packets and data should be given more protection. Different kinds of packets need different security levels. This will give more protection for the important data. To promise that peer received exact packet without insertion and modification, Judy Expires August 24, 2009 [Page 14] Internet-Draft P2PSIP Security Requirements February 2009 the integrity protection mechanism for packet should be applied. In addition, SIP message should be protected with confidentiality being routed by peer nodes, when those peer nodes might well be hostile as described in section 8 of document [1]. 4.6. Protection for Routing Routing protocol is the key protocol and core security mechanism for P2P SIP architecture. It is needed to study a new mechanism in P2P overlay network to identify, limit and diminish the damage originated from fake routing to keep routers away from the attacking such as inserting fake record modifying current routing table to guide node visit trap. And the operation of routing table should be recorded with operator identity. 4.7. Protection against Denial of Service Denial of Service (DoS) attack will cause the system out of services and even broken down. So there should be some mechanism to prevent DoS attack. 4.8. Protection against Malicious Code In P2P SIP system every nodes are equal. Each peer has ability to share and spread information it has. So if malicious code infects a weak security peer, it will spread rapidly. For this reason, there should be a mechanism or some technology to prevent and diminish malicious code spreading. Judy Expires August 24, 2009 [Page 15] Internet-Draft P2PSIP Security Requirements February 2009 5. Security Considerations This memo considers the security concerns and security requirements about P2P SIP system. So it would not introduce any additional security problems. Judy Expires August 24, 2009 [Page 16] Internet-Draft P2PSIP Security Requirements February 2009 6. IANA Considerations There are no IANA considerations associated to this memo. Judy Expires August 24, 2009 [Page 17] Internet-Draft P2PSIP Security Requirements February 2009 7. Conclusions This memo describes variety of security threats in P2P SIP system first. According these security threats, P2P SIP security requirements is brought up. Judy Expires August 24, 2009 [Page 18] Internet-Draft P2PSIP Security Requirements February 2009 8. References 8.1. Normative References [1] Bryan, D., Matthews, P., Shim, P., and D. Willis, "Concepts and Terminology for Peer to Peer SIP", draft-ietf-p2psip-concepts- 02.txt (work in progress), July 2008. [2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:Session Initiation Protocol", RFC 3261, June 2002. [3] Matuszewski, M., Ekberg, J-E. and Laitinen, P., "Security requirements in P2PSIP", draft-matuszewski-p2psip-security- requirements-02.txt(work-in-progress), November 2007. 8.2. Informative References Author's Addresses Judy Zhu China Mobile Unit 2, 28 Xuanwumenxi Ave, Xuanwu District, Beijing 100053, China Email: zhuhongru@chinamobile.com Minpeng Qi China Mobile Unit 2, 28 Xuanwumenxi Ave, Xuanwu District, Beijing 100053, China Email: qiminpeng@chinamobile.com Judy Expires August 24, 2009 [Page 19]