Summary


Security for structured peer-to-peer overlay networks

Peter Druschel, Miguel Castro, Ayalvadi Ganesh, Antony Rowstron, and Dan S. Wallach.

In Proceedings of the Fifth Symposium on Operating Systems Design and Implementation (OSDI'02), Boston, MA, December 2002.


P2P technology has proven useful in many applications, e.g. file sharing, anonymous communication, group multicast, load balancing and distributed storage. While P2P systems can withstand node and network failures, malicious nodes that misbehave or attack routing information can compromise the entire system. This paper is concerned with securing routing in structured P2P networks. It defines an abstract model for structured P2P systems and illustrates how this model maps to existing structured P2P systems such as Pastry, CAN, Chord, and Tapestry. The authors focus on three issues: assigning node IDs securely, securing routing tables and their maintenance, and securing the routing itself.

Early on, the authors state their assumptions about the fault model and network model they address. The paper discusses potential attacks on node ID assignment and proposes certified node IDs to throttle such attacks. To secure routing tables against attacks, the authors suggest maintaining two routing tables: one containing efficient routes, and one whose entries satisfy stronger, verifiable constraints. The solution also requires a special protocol for bootstrapping and initializing the routing tables. For securing the forwarding of messages, the paper introduces a secure routing primitive: route a message efficiently, then apply a failure test to determine whether the routing succeeded. If the test fails, more expensive redundant and/or iterative routing techniques are used. A routing failure test is presented and analyzed for Pastry; apparently the test had mixed results.
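A toy rendering of that primitive (cheap routing, then a failure test, then redundant routing only when the test fails), added here as an illustration and not code from the paper or its authors. The density comparison is my reading of the paper's Pastry failure test; the ring size, neighbor-set size L, the hop lists that stand in for the efficient routing table, and the threshold gamma are all constructed.

```python
from statistics import mean

RING = 2 ** 16   # toy id space; the paper's overlays use 128-bit ids
L = 8            # neighbor-set size (the constrained routing table)

def dist(a, b):
    d = abs(a - b) % RING
    return min(d, RING - d)

class Overlay:
    """Constructed toy overlay: node ids on a ring, a subset colluding."""
    def __init__(self, ids, bad):
        self.ids, self.bad = sorted(ids), set(bad)

    def closest(self, key, members):
        return min(members, key=lambda x: dist(x, key))

    def neighbor_set(self, nid):
        # Constrained table: the L ids closest to nid. A colluder can only name
        # other colluders; honest nodes would not confirm it as their neighbor.
        pool = self.bad if nid in self.bad else self.ids
        return sorted(pool, key=lambda x: dist(x, nid))[:L]

    def efficient_route(self, key, path):
        # path = hops taken from the efficient (unverified) table; a single
        # colluding hop is enough to divert the lookup to the nearest colluder.
        pool = self.bad if any(h in self.bad for h in path) else self.ids
        return self.closest(key, pool)

    def failure_test(self, sender, root, gamma=2.0):
        """Density check (my reading of the paper's Pastry test): reject a root
        whose neighbor set is much sparser than the honest sender's own."""
        def spacing(s):
            s = sorted(s)
            return mean(dist(a, b) for a, b in zip(s, s[1:]))
        return spacing(self.neighbor_set(root)) > gamma * spacing(self.neighbor_set(sender))

    def redundant_route(self, key, paths):
        # Fallback: one independent lookup per path (e.g. via each verified
        # neighbor); keep the reply closest to key, which the true root is.
        return self.closest(key, [self.efficient_route(key, p) for p in paths])

    def secure_route(self, sender, key, path, fallback_paths):
        root = self.efficient_route(key, path)   # cheap attempt first
        if self.failure_test(sender, root):      # pay for redundancy only on failure
            root = self.redundant_route(key, fallback_paths)
        return root
if __name__ == "__main__":  # 1024-node grid, every fifth id colluding
    ov = Overlay(range(0, RING, 64), range(0, RING, 320))
    print(ov.secure_route(4992, 1000, path=[640], fallback_paths=[[640], [10048]]))
```

The test only detects a diverted lookup when the colluders are a sparse minority; if every fallback path is also diverted, the primitive still returns a colluder, which is the limit the paper's analysis is about.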


Discussion Points

- Can the abstract model be mapped to all types of P2P systems? It is only relevant to P2P systems with a structured address space.

- There isn't a good incentive to deploy such a solution commercially, because users will receive a lot of junk to store locally upon joining.

- The limitation of fixed IPs. Supporting dynamic IPs appears to be a difficult task.

- Group descriptors in section 3 seem to be a promising idea.

- How does certifying nodes offline solve the central point of failure problem? If you have multiple CAs, including many who are offline, how could you actually achieve a "uniform random distribution"? To make matters worse, note that nodes can request node IDs but not use them at all.

- Legal implications for a user who joins the system and ends up storing illegal or unwanted content because of the way the system assigns keys to objects.

- When deploying CAs, they also have to deal with revocation issues.


Pros (by Prasad Naldurg)

The main contribution of the paper is the failure model for structured P2P networks. Along with the abstract model of a structured P2P network also given in the paper, the model:

- Forms a basis for comparing different routing techniques and analyzing their security properties.

- Provides a mechanism to compare different solutions and makes the evaluation of their proposed solutions feasible.

- The authors also clearly specify their assumptions and incorporate a Byzantine or arbitrary failure model that captures both independent attackers and collusions. They also describe different attacks and present implementable solutions along with analysis and simulations to validate their suggestions.


Cons (by David Warden)

- While node identification must be generated securely for the proposed networks to function, the use of a certificate authority is not ideal.

- It is not desirable to expend resources in order to obtain a node certificate, and it may be impractical for the devices associated in a peer-to-peer network as described.

- It also is unclear that the adversary's resources would be less than those required to gather many certificates. For small networks, it is probably better to have more state knowledge about particular nodes and their owners.

- Since the certificate authorities are not peer-to-peer, it is particularly unclear what advantage the services gain by running on a peer-to-peer overlay as described. Individual services could issue certificates, for example.

- The network is subject to attacks against services, such as denial of service attacks.

- They talk about using overlays on the Internet; it seems that in that case security should be provided by other methods. If it is not on the Internet, there is more physical topology information available.

- It seems the failure test is a bit silly: if one is actually communicating with the correct service, then routing is working; otherwise it has failed and it does not really matter why.

- It seems other systems may be better.


Evaluations

    Accept: 1

    Weak Accept: 9

    Weak Reject: 1

    Reject: 0