Internet Research Task Force (IRTF)                       H. Schulzrinne
Request for Comments: 5765                           Columbia University
Category: Informational                                       E. Marocco
ISSN: 2070-1721                                           Telecom Italia
                                                                 E. Ivov
                                                        SIP Communicator
                                                           February 2010

Security Issues and Solutions in Peer-to-Peer Systems for Realtime Communications

Abstract

Peer-to-peer (P2P) networks have become popular for certain applications and deployments for a variety of reasons, including fault tolerance, economics, and legal issues. It has therefore become reasonable for resource consuming and typically centralized applications like Voice over IP (VoIP) and, in general, realtime communication to adapt and exploit the benefits of P2P. Such a migration needs to address a new set of P2P-specific security problems. This document describes some of the known issues found in common P2P networks, analyzing the relevance of such issues and the applicability of existing solutions when using P2P architectures for realtime communication. This document is a product of the P2P Research Group.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the consensus of the Peer-to-Peer Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5765.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

   1. Introduction
      1.1. Purpose of This Document
      1.2. Structure of This Document
   2. The Attackers
      2.1. Incentive of the Attacker
      2.2. Resources Available to the Attacker
      2.3. Victim of the Attack
      2.4. Time of Attack
   3. Admission Control
   4. Determining the Position in the Overlay
   5. Resilience against Malicious Peers
      5.1. Identification of Malicious Peers
           5.1.1. Proactive Identification
           5.1.2. Reactive Identification
      5.2. Reputation Management Systems
           5.2.1. Unstructured Reputation Management
           5.2.2. Structured Reputation Management
   6. Routing and Data Integrity
      6.1. Data Integrity
      6.2. Routing Integrity
   7. Peer-to-Peer in Realtime Communication
      7.1. Peer Promotion
           7.1.1. Active vs. Passive Upgrades
           7.1.2. When to Upgrade
           7.1.3. Which Clients to Upgrade
           7.1.4. Incentives for Clients
      7.2. Security
           7.2.1. Targeted Denial of Service
           7.2.2. Man-in-the-Middle Attack
           7.2.3. Trust between Peers
           7.2.4. Routing Call Signaling
           7.2.5. Integrity of Location Bindings
           7.2.6. Encrypting Content
           7.2.7. Other Issues
   8. Open Issues
   9. Security Considerations
   10. Acknowledgments
   11. Informative References
        
1. Introduction

Peer-to-peer (P2P) overlays have become quite popular with the advent of file-sharing applications such as Napster [NAPSTER], KaZaa [KAZAA], and BitTorrent [BITTORRENT]. After their success in file-sharing and content distribution [Androutsellis-Theotokis], P2P networks are now also being used for applications such as Voice over IP (VoIP) [SKYPE] [Singh] and television [PPLIVE] [COOLSTREAM]. However, most of these systems are not purely P2P and have centralized components like the login server in Skype [Baset] or moderators and trackers in BitTorrent [Pouwelse]. Securing pure P2P networks is therefore still a field of very active research [Wallach].

P2P overlays can be broadly classified as structured and unstructured [RFC4981], depending on their routing model. Unstructured overlays are often relatively simple, but search operations in them, usually based on flooding, tend to be inefficient. Structured P2P overlays use distributed hash tables (DHTs) [Stoica] [Maymounkov] [Rowstron] to perform directed searches, which make lookups more efficient in locating data. This document will mostly focus on DHT-based P2P overlays.

When analyzing the various attacks that are possible on P2P systems, it is important to first understand the motivation of the attackers as well as the resources (e.g., computation power, access to different IP subnets) that they would have at their disposal.

Once the threat has been identified, admission control is a first step towards security that can help avoid a substantial number of attacks [Kim]. Most solutions rely on the assumption that malicious nodes represent a small fraction of all peers. It is therefore important to restrict their number in the overlay.

Other P2P-specific security problems discussed here include attacks on the routing of queries, targeted denial-of-service attacks, and attacks on data integrity.

In the remainder of this document, we outline the main security issues and proposed solutions for P2P systems. Following this, we focus on a particular class of P2P applications that provide realtime communications. Realtime communications use the same DHTs used by file-sharing applications; however, the data that is saved in these DHTs is different. In realtime communications, the contents stored in the DHTs comprise user locations, the DHT being the substitute for a centralized registration server.

At first glance, it may appear that requirements on peer-to-peer systems for realtime communication services are no different from those for file-sharing services. Table 1 shows that there are sizeable differences related to privacy and availability, and a marked increase in the general security requirements.

   +-----------------+-----------------------+-------------------------+
   |                 | File-sharing          | Realtime communication  |
   +-----------------+-----------------------+-------------------------+
   | Distributed     | Shared file locations | User locations are      |
   | database        | are indexed in a      | indexed in a table      |
   |                 | table distributed     | distributed among       |
   |                 | among peers; often    | peers; rarely more than |
   |                 | hundreds or thousands | one per peer.           |
   |                 | per peer.             |                         |
   | Availability    | Same files are        | Users are unique;       |
   |                 | usually available at  | attacks targeting       |
   |                 | multiple locations    | single users may be     |
   |                 | and failures          | addressed both to the   |
   |                 | involving single      | distributed index and   |
   |                 | instances are         | to the user's device    |
   |                 | overcome by abundance | directly.               |
   |                 | of resources; attacks |                         |
   |                 | targeting single      |                         |
   |                 | files need to be      |                         |
   |                 | addressed to the      |                         |
   |                 | distributed index.    |                         |
   | Integrity       | Attackers may want to | Attackers may want to   |
   |                 | share corrupted files | impersonate different   |
   |                 | in place of popular   | users in order to       |
   |                 | content, e.g., to     | handle calls directed   |
   |                 | discourage users from | to them; constitute a   |
   |                 | acquiring copyrighted | particular threat for   |
   |                 | material; constitute  | the user as, in case of |
   |                 | a threat for the      | success, the attacker   |
   |                 | service, but not for  | acquires full control   |
   |                 | the users.            | on the victim's         |
   |                 |                       | personal                |
   |                 |                       | communications.         |
   | Confidentiality | Shared files are, by  | Communications are      |
   |                 | definition, readable  | usually meant to be     |
   |                 | by all users; in some | private and need to be  |
   |                 | cases, encryption is  | encrypted;              |
   |                 | used to avoid         | eavesdropping may       |
   |                 | elements not involved | reveal sensitive data   |
   |                 | in the service to     | and is a serious threat |
   |                 | detect traffic.       | for users.              |
   | Bitrate and     | The file-transfer use | Realtime traffic almost |
   | latency         | case is particularly  | always requires a       |
   |                 | tolerant of unstable  | constant minimum        |
   |                 | bitrates and able to  | bitrate and low latency |
   |                 | burst on and off as   | in order to avoid       |
   |                 | peers disappear or    | problems like jitter.   |
   |                 | new ones become       | While this is not       |
   |                 | available.            | directly related to a   |
   |                 |                       | specific sort of        |
   |                 |                       | attack, it is a         |
   |                 |                       | significant constraint  |
   |                 |                       | on the design of        |
   |                 |                       | certain solutions, in   |
   |                 |                       | particular those that   |
   |                 |                       | somehow affect routing. |
   | Peer lifetime   | File-sharing users do | Realtime communication  |
   |                 | not need to stay in   | applications need to    |
   |                 | the overlay longer    | stay in the overlay for |
   |                 | than the time needed  | as long as the user     |
   |                 | to download the       | wants to stay connected |
   |                 | content they are      | and be reachable. This  |
   |                 | looking for.          | gives attackers more    |
   |                 |                       | time to conduct         |
   |                 |                       | successful targeted     |
   |                 |                       | attacks.                |
   +-----------------+-----------------------+-------------------------+

Table 1: Main differences between P2P applications used for file-sharing and for realtime communication.

1.1. Purpose of This Document

The goal of this document is to provide authors of P2P protocols for realtime communications with background that they may find useful while designing security mechanisms for specific cases. The document has been extensively discussed during face-to-face meetings and on the P2PRG mailing list; it has been reviewed both substantially and editorially by two members of the research group and reflects the consensus of the group.

The content of this document was partially derived from the article "Peer-to-peer Overlays for Real-Time Communication: Security Issues and Solutions," published in IEEE Surveys & Tutorials, Vol. 11, No. 1, and originally authored by Dhruv Chopra, Henning Schulzrinne, Enrico Marocco, and Emil Ivov.

It is important to note that this document considers "security" from the perspective of application developers and protocol architects. It is hence entirely agnostic to potential legislation issues that may apply when protecting applications against a specific attack, as, for example, in the case of lawful interception.

1.2. Structure of This Document

The document is organized as follows. In Section 2, we discuss P2P security attackers. We try to elaborate on their motivation, the resources that would generally be available to them, their victims, and the timing of their attacks. In Section 3, we discuss admission control problems. In Section 4, we identify the problem of where a node joins in the overlay. In Section 5, we describe problems related to identification of malicious nodes and the dissemination of this information. In Section 6, we describe the issues of routing and data integrity in P2P networks. Finally, in Section 7 we discuss how issues and solutions previously presented apply in P2P overlays for realtime communication.

Table 2 and Table 3 provide an index of the attacks and the solutions discussed in the rest of this document.

   +---------------------------------------+---------------------------+
   | Attack name                           | Referring sections        |
   +---------------------------------------+---------------------------+
   | botnets (use of)                      | Section 2.1, Section 2.2  |
   | denial of service (DoS)               | Section 2.1,              |
   |                                       | Section 7.2.1             |
   | man in the middle (MITM)              | Section 7.2.2             |
   | poisoning                             | Section 6.1,              |
   |                                       | Section 7.2.2             |
   | pollution                             | Section 2.1, Section 6.1  |
   | sybil                                 | Section 2.2, Section 4    |
   | targeted denial of service            | Section 7.2.1             |
   +---------------------------------------+---------------------------+

Table 2: Index of some of the more popular attacks and problems discussed in this document.

   +---------------------------------------+---------------------------+
   | Solution name                         | Referring sections        |
   +---------------------------------------+---------------------------+
   | admission control                     | Section 3                 |
   | anonymity                             | Section 5.2               |
   | asymmetric key pair                   | Section 7.2.5             |
   | CAPTCHA                               | Section 3                 |
   | certificates                          | Section 7.2.3             |
   | CONNECT (SIP method)                  | Section 7.2.4             |
   | cryptographic puzzles                 | Section 4                 |
   | diametrically opposite IDs            | Section 4                 |
   | end-to-end encryption                 | Section 7.2.4             |
   | group authority                       | Section 3                 |
   | group charter                         | Section 3                 |
   | iterative routing                     | Section 7.2.2             |
   | no profit for newcomers               | Section 5.2               |
   | online phone book                     | Section 7.2.5             |
   | passive upgrades                      | Section 7.1.1             |
   | peer promotion                        | Section 7.1               |
   | proactive identification              | Section 5.1.1             |
   | reactive identification               | Section 5.1.2             |
   | recommendation                        | Section 3                 |
   | reputation management systems         | Section 5.2               |
   | self-policing                         | Section 5.2               |
   | signatures                            | Section 3                 |
   | social networks (using)               | Section 4, Section 6.2,   |
   | SRTP                                  | Section 7.2.6             |
   | structured reputation management      | Section 5.2.2             |
   | SybilGuard (protocol)                 | Section 4                 |
   | transitivity of trust                 | Section 5.2.2             |
   | trust and distrust vectors            | Section 5.2.1             |
   | trust and trusted nodes               | Section 3, Section 6.2,   |
   |                                       | Section 7.2.3             |
   | unstructured reputation management    | Section 5.2.1             |
   | voluntary moderators                  | Section 6.1               |
   +---------------------------------------+---------------------------+

Table 3: Index of some of the more popular solutions discussed in this document.

2. The Attackers
2.1. Incentive of the Attacker

Attacks on networks happen for a variety of reasons such as monetary gain, personal enmity, or even for fame in the hacker community.

There are quite a few well-known cases of denial-of-service attacks for extortion in the client-server model [McCue]. One of the salient points of the P2P model is that the services it provides have higher robustness against failure. However, denial-of-service attacks are still possible against individuals within the overlay if the attackers possess sufficient resources. For instance, a network of worm-infected malicious nodes spread across the Internet and controlled by an attacker (often referred to as a botnet) could simultaneously flood the DHT with lookup queries for a particular key. The peer responsible for this key would then come under a lot of load and could crash [Sit]. However, with replication of key-value pairs at multiple locations, such threats can be mitigated.

Attackers may also have other incentives indirectly related to money. With the growth of illegal sharing of copyrighted files, record companies have been known to pollute content in the overlays by putting up nodes that serve corrupt chunks of data under correct file names, so as to degrade the service [Liang] in the hope that users would get frustrated and stop using it. Similarly, competition between different communication service providers, either or both based on P2P technologies, together with the low level of traceability of attacks targeted at single users, could be considered a motivation for attempting service disruption.

Attacks can also be launched by novice attackers who are attacking the overlay for fun or fame in a community. These are perhaps less likely to be successful or cause damage, since their resources tend to be relatively limited.

2.2. Resources Available to the Attacker

Resource constraints play an important role in determining the nature of the attack. An attacker who controls a botnet can use an Internet relay channel and launch distributed denial-of-service attacks against another node. With respect to attacks where a single node impersonates multiple identities, as in the case of the Sybil attack [Douceur] described in Section 4, IP addresses are also an important resource for the attacker since in DHTs such as Chord [Stoica], the position in the overlay is determined by using a base hash function such as SHA-1 [SHA1] on the node's IP address. The cryptographic puzzles [Rowaihy] that are sometimes suggested as a way to deter Sybil attacks by making the join process harder are futile against an attacker with a botnet and virtually unlimited computation power. Douceur [Douceur] proves that even with the assumption that attackers only have minimum resources at their disposal, it is not possible to defend against them in a pure P2P system.

2.3. Victim of the Attack

The victim of an attack could be an individual node, a particular content entry, or the entire overlay service. If malicious nodes are strategically placed in the overlay, they can block a node from using its services. Attacks could also be launched against specific content [Sit] or even the entire overlay service. For example, if the malicious nodes are randomly placed in the overlay and drop packets or upload malicious content, then the quality of the overlay would deteriorate.

2.4. Time of Attack

A malicious node could start misbehaving as soon as it enters the overlay, or it could follow the rules of the overlay for a finite amount of time and then attack. The latter could prove to be more harmful if the overlay design suggests accumulating trust in peers based on the amount of time they have been present and/or not misbehaving. In Kademlia [Maymounkov], for instance, the routing tables are populated with nodes that have been up for a certain amount of time. While this provides some robustness against attacks in which the malicious nodes start dropping routing requests from the moment they enter, it would take time for the algorithm to adapt to nodes that start misbehaving in a later stage (i.e., after they have been recorded in routing tables). Similarly, for reputation management systems it is important that they adapt to the current behavior of a peer.

3. Admission Control

Admission control depends on who decides whether or not to admit a node and how this permission is granted. Kim et al. [Kim] answer these questions independently of any particular environment or application. They define two basic elements for admission in a peer group, a group charter, which is an electronic document that specifies the procedure of admission into the overlay, and a group authority, which is an entity that can certify group admission. A prospective member first gets a copy of the group charter, satisfies the requirements, and approaches the group authority. The group authority then verifies the admission request and grants a group membership certificate.

The group charter and authority verification can be provided by a centralized certificate authority or a trusted third party, or it could be provided by the peers themselves (by voting). The former is more practical and tends to make the certification process simpler although it is in violation of the pure P2P model and exposes the system to attacks typical for server-based solutions (e.g., denial-of-service attacks targeted to the central authority). In the latter case, the group authority could either be a fixed number of peers or it could be a dynamic number based on the total membership of the group. The authors argue that even if the group charter requires a prospective member to get votes from peers, the group membership certificate must be issued by a distinct entity. The reason for this is that voters need to accompany their votes with a certificate that proves their own membership. Possible signature schemes that could be used in voting such as plain digital signature, threshold signature, and accountable subgroup multisignature are also described. Saxena et al. [Saxena] performed experiments with the different signature schemes and suggest the use of plain signatures for groups of moderate size and where bandwidth is not a concern. For larger groups and where bandwidth is a concern, they suggest threshold signature [Kong] and multisignature schemes [Ohta].

Another way of handling admission would be to use mechanisms based on trust and recommendation where each new applicant has to be known and vouched for by at least N existing members. The difficulties that such models present include identity assertion and preventing bot/worm attacks. A compromised node could have a valid certificate identifying a trustworthy peer, and it would be difficult to detect this. Possible solutions include sending graphic or logic puzzles easily addressed by humans but hard to solve by computers, also known as CAPTCHA [Ahn]; however, the reliability of such mechanisms is, at the time of writing, a topic of lively debate [Tam] [Chellapilla].

4. Determining the Position in the Overlay

For ring-based DHT overlays such as Chord [Stoica], Kademlia [Maymounkov], and Pastry [Rowstron], when a node joins the overlay, it uses a numeric identifier (ID) to determine its position in the ring. The positioning of a node determines what information it stores and which nodes it serves. To provide a degree of robustness, content and services are often replicated across multiple nodes. However, it is possible for an adversary with sufficient resources to undermine the redundancy deployed in the overlay by representing multiple identities. Such an attack is called a Sybil attack [Douceur]. This makes the assignment of IDs very important. One possible scheme to tackle such attacks on the ID mapping is to have a temporal mechanism in which nodes need to re-join the network after some time [Condie] [Scheideler]. Such temporal solutions, however, have the drawback that they increase the maintenance traffic and possibly deteriorate the efficiency of caching. Danezis et al. [Danezis] suggest mechanisms to mitigate the effect of Sybil attacks by reducing the amount of information received from malicious nodes. Their idea is to vary the nodes used for routing with time. This helps avoid trust bottlenecks that may occur when applications only route traffic through a limited set of highly trusted nodes. Other solutions suggest making the joining process harder by introducing cryptographic puzzles, as suggested by Rowaihy et al. [Rowaihy]. The assumption is that the adversary has limited computational resources, which may not be true if the adversary has control over a botnet. Another drawback of such methods is that non-malicious nodes would also have to perform the extra computations before they can join the overlay.

A possible heuristic to hamper Sybil attacks is to employ redundancy at nodes with diametrically opposite IDs (in the DHT ID space) instead of successive IDs as in Chord. The idea behind choosing diametrically opposite nodes is based on the fact that a malicious peer can grant admission to others as its successors without them actually possessing the required IP address (whose hash is adjacent to the former's), and then they can cooperate to control access to that part of the ring. If, however, admission decisions and redundant content (for robustness) also involve nodes that are the farthest away (diametrically opposite) from a given position, then the adversary would require twice the resources (IP addresses) to attack, because it would need to be present in the overlay at two independent positions in the ring.
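
To make the ring-geometry argument concrete, the following Python is an added example (not part of RFC 5765 or of any of the cited systems). It maps keys and nodes into a 160-bit Chord-style ring with SHA-1, as Section 2.2 describes for node positions, and compares the Chord default of replicating a key on successive IDs with the diametrically opposite placement described above. The honest node IDs, the attacker address pool, the key name and the two-replica assumption are constructed for the example.

```python
"""Added example (not from RFC 5765): Chord-style ID assignment (Section 2.2)
and the diametrically-opposite replication heuristic of Section 4.

The functions show, for a given key and a set of honest node IDs, the
regions of the ring an attacker would have to occupy to become responsible
for *every* replica of the key.  All addresses and names are constructed.
"""
import hashlib

ID_BITS = 160                  # SHA-1 identifier space, as in Chord
RING = 1 << ID_BITS
HALF = RING >> 1


def sha1_id(text: str) -> int:
    """Chord maps keys and nodes into the ring with SHA-1; for nodes the
    input is the IP address (Section 2.2)."""
    return int.from_bytes(hashlib.sha1(text.encode()).digest(), "big")


def ring_distance(a: int, b: int) -> int:
    """Clockwise distance from a to b on the identifier ring."""
    return (b - a) % RING


def successor(point: int, ids) -> int:
    """First node ID at or clockwise after `point`."""
    return min(ids, key=lambda n: ring_distance(point, n))


def responsible(key: int, ids, scheme: str) -> list:
    """The two node IDs holding the replicas of `key` under either scheme."""
    first = successor(key, ids)
    if scheme == "successive":            # Chord default: successor and its successor
        return [first, successor((first + 1) % RING, ids)]
    if scheme == "opposite":              # Section 4 heuristic
        return [first, successor((key + HALF) % RING, ids)]
    raise ValueError(scheme)


def capture_arcs(key: int, honest_ids, scheme: str) -> list:
    """Arcs (start, end) in which an attacker must land node IDs to own every
    replica of `key` when only the honest nodes `honest_ids` are present.

    A node placed in the open arc (x, successor(x)) becomes the new successor
    of point x, so each arc returned stands for one ID the attacker needs.
    """
    if scheme == "successive":
        # both replicas live right after the key: two IDs, but in ONE region
        return [(key, successor(key, honest_ids))] * 2
    if scheme == "opposite":
        # one ID right after the key and one half a ring away: TWO regions
        return [(p, successor(p, honest_ids)) for p in (key, (key + HALF) % RING)]
    raise ValueError(scheme)


def in_arc(x: int, arc) -> bool:
    start, end = arc
    return 0 < ring_distance(start, x) < ring_distance(start, end)


def captured(key: int, honest_ids, attacker_ids, scheme: str) -> bool:
    """True if the attacker ends up holding every replica of `key`."""
    owners = responsible(key, list(honest_ids) + list(attacker_ids), scheme)
    return all(o in set(attacker_ids) for o in owners)


def regions_needed(key: int, honest_ids, scheme: str) -> int:
    """Number of distinct ring regions the attacker must be present in."""
    return len(set(capture_arcs(key, honest_ids, scheme)))


if __name__ == "__main__":
    # constructed honest overlay (documentation address range) and one key
    honest = [sha1_id(f"192.0.2.{i}") for i in range(1, 17)]
    key = sha1_id("sip:bob@example.net")
    pool = [f"203.0.113.{i}" for i in range(256)]      # constructed attacker pool
    for scheme in ("successive", "opposite"):
        arcs = capture_arcs(key, honest, scheme)
        hits = [sum(in_arc(sha1_id(ip), arc) for ip in pool) for arc in arcs]
        print(scheme, "regions:", regions_needed(key, honest, scheme),
              "pool addresses landing in each region:", hits)
```

Running the module prints, for each scheme, how many distinct ring regions an attacker must occupy and how many addresses of the constructed pool would land in each; `capture_arcs` deliberately returns the same arc twice for the successive scheme, which is the point of the heuristic: two IDs, but a single region.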

Another approach proposed by Yu et al. [Yu] to limit Sybil attacks is based on the usage of the social relations between users. The solution exploits the fact that, as a result of Sybil attacks, affected P2P overlays end up containing a large set of Sybil nodes connected to the rest of the peers through an abnormally small number of edges. The SybilGuard protocol [Yu] defines a method that allows such discontinuities in the topology to be discovered by using a special kind of verifiable random walk, and hence without requiring any node to have a global view of the graph.

It is also worth mentioning that in DHT overlays using different geometric concepts (e.g., hypercubes instead of rings), peer positions are usually not related to identifiers. In the content addressable network (CAN) [Ratnasamy], for example, the position of an entering node may be either selected by the node itself or, with little modification to the original algorithm, assigned by peers already in the overlay. However, even when malicious nodes do not know their position before joining, the overlay is still vulnerable to Sybil attacks.

5. Resilience against Malicious Peers

Making overlays robust against even a small percentage of malicious nodes is difficult [Castro]. It is therefore important for other peers to identify such nodes and keep track of their number. There are two aspects to this problem. One is the identification itself, and the second is the dissemination of this information amongst the peers. Different metrics need to be defined depending on the peer group for the former, and reputation management systems are needed for the latter.

5.1. Identification of Malicious Peers

For identifying a node as malicious, malicious activity has to be observed first. This could be done in either a proactive way or a reactive way.

5.1.1. Proactive Identification

When acting proactively, peers perform periodic operations with the purpose of detecting malicious activity. A malicious node could prevent access to content for which it is responsible (e.g., by claiming the object doesn't exist), or return references to content that does not match the original queries [Sit]. With this approach, publishers of content can later perform lookups for it at periodic intervals and verify the integrity of whatever is returned. Any inconsistencies could then be interpreted as malicious activity. The problem with proactive identification is the management of the overhead it implies: if checks are performed too often, they may actually hinder scalability, while, if they are performed too rarely, they would probably be useless.

An additional approach for mitigating routing attacks and identifying malicious peers consists of sending multiple copies of the same message on different paths. With such an approach, implemented, for example, in Kademlia [Maymounkov], the sending peer can identify anomalies by comparing the responses coming in from different paths.

5.1.2. Reactive Identification

In a reactive strategy, the peers perform normal operations and, if they happen to detect some malicious activity, they can label the responsible node as malicious and avoid sending any further message to it. In a file-sharing application, for example, after downloading content from a node, if the peer observes that the data does not match its original query, it can identify the corresponding node as malicious. Poon et al. [Poon] suggest a strategy based on the forwarding of queries. If routing is done in an iterative way, then dropping of packets, forwarding to an incorrect node, and delay in forwarding arouse suspicion, and the corresponding peer is identified as malicious.
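
The following Python is an added example, not code from the RFC or from Kademlia or Poon et al. It implements the two observations above for a Kademlia-style (XOR-metric) lookup: the majority comparison of answers that came back over different paths (Section 5.1.1) and an audit of each referral during iterative routing for the three symptoms Poon et al. list (dropping, forwarding to a node that is not closer to the target, and delay). The node IDs, SIP location bindings, latencies and the 500 ms delay budget are constructed assumptions.

```python
"""Added example (not from RFC 5765): two detection checks a peer can run
while looking up a key in a Kademlia-style (XOR metric) DHT.

  * multi-path consistency (Section 5.1.1): the same query is sent over
    several disjoint paths and the answers are compared;
  * iterative-routing audit (Section 5.1.2, after Poon et al.): each
    referral is checked for dropping, lack of progress toward the target
    and excessive delay.

All node IDs, responses and latencies below are constructed sample data.
"""
from collections import Counter

MAX_LATENCY_MS = 500      # assumed delay budget for one routing step


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance metric."""
    return a ^ b


def majority_response(responses: dict) -> tuple:
    """Compare answers received over several paths for the same key.

    Returns (agreed_value, suspicious_paths).  The agreed value is the one
    returned by a strict majority of paths; paths that returned anything
    else are suspicious.  With no strict majority every path is suspect
    and agreed_value is None.
    """
    counts = Counter(responses.values())
    value, n = counts.most_common(1)[0]
    if n * 2 <= len(responses):
        return None, sorted(responses)
    return value, sorted(p for p, v in responses.items() if v != value)


def audit_referral(from_node: int, target: int, referral, latency_ms: int) -> list:
    """Reasons to suspect `from_node` after it answered a routing request.

    `referral` is the next hop it returned (None if it never answered).
    """
    if referral is None:
        return ["dropped"]
    reasons = []
    # an honest node refers the querier to a node strictly closer to the target
    if xor_distance(referral, target) >= xor_distance(from_node, target):
        reasons.append("no progress")
    if latency_ms > MAX_LATENCY_MS:
        reasons.append("slow")
    return reasons


def suspects(trace: list, target: int) -> dict:
    """Aggregate audit results over a whole iterative lookup.

    `trace` is a list of (node_id, referral, latency_ms) tuples, one per node
    the querying peer contacted directly.
    """
    report = {}
    for node, referral, latency in trace:
        reasons = audit_referral(node, target, referral, latency)
        if reasons:
            report[node] = reasons
    return report


# --- constructed lookup for target 0x0000 -----------------------------------
TARGET = 0x0000
SAMPLE_TRACE = [
    (0xF0F0, 0x0F00, 40),     # honest: 0x0F00 is closer to the target
    (0x0F00, 0x0F0F, 35),     # malicious: refers to a node farther away
    (0x00F0, None, 0),        # malicious: silently drops the request
    (0x000F, 0x0001, 900),    # honest but overloaded: answers too slowly
]
# the same location lookup answered over three paths; one path diverges
SAMPLE_RESPONSES = {"path-1": b"sip:alice@198.51.100.7",
                    "path-2": b"sip:alice@198.51.100.7",
                    "path-3": b"sip:alice@203.0.113.99"}

if __name__ == "__main__":
    print(majority_response(SAMPLE_RESPONSES))
    print(suspects(SAMPLE_TRACE, TARGET))
```

A single divergent or slow answer is not proof of malice (the node may simply be overloaded, as the last trace entry shows), so a deployment would feed these reasons into a reputation store such as those in Section 5.2 rather than act on one observation.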

5.2. Reputation Management Systems

Reputation management systems are used to allow peers to share information about other peers based on their own experience and thus help in making better judgments. Most reputation management systems proposed in the literature for file-sharing applications [Uzun] [Damiani] [Lee] [Kamvar] aim at preventing misbehaving peers with low reputation from rejoining the network with a different ID and thereby starting from a clean slate. To achieve this, Lee et al. [Lee] store not only the reputation of a peer but also the reputation of files based on file name and content, to avoid the spreading of a bad file. Another method is to make the reputation of a new peer the minimum possible. Kamvar et al. [Kamvar] define five design considerations for reputation management systems:

o The system should be self-policing.

o The system should maintain anonymity.

o The system should not assign any profit to newcomers.

o The system should have minimal overhead in terms of computation, infrastructure, storage, and message complexity.

o The system should be robust to malicious collectives of peers who know one another and attempt to collectively subvert the system.

5.2.1. Unstructured Reputation Management

Unstructured reputation management systems have been proposed by Uzun et al. [Uzun] and Damiani et al. [Damiani]. The basic idea of these is that each peer maintains information about its own experience with other peers and resources, and shares it with others on demand. In the system proposed by Uzun et al. [Uzun], each node maintains trust and distrust vectors for every other node with which it has interacted. When reputation information about a peer is required, a node first checks its local database and, if insufficient information is present, it sends a query to its neighbors just as it would when looking up content. However, such an approach requires peers to get reputation information from as many sources as possible; otherwise, malicious nodes may successfully mount targeted attacks by returning false values about their victims.

5.2.2. Structured Reputation Management

One of the problems with unstructured reputation management systems is that they either take the feedback from only a few peers or, if they do so from all, they incur large traffic overhead. Systems such as those proposed by [Lee] [Kamvar] try to resolve it in a structured manner. The idea of the EigenTrust algorithm [Kamvar], for example, is transitivity of trust. If a node trusts peer X, then it would also trust the feedback X gives about other peers. A node builds such information in an iterative way; for maintaining it in a structured way, the authors propose to use a content addressable network (CAN) DHT [Ratnasamy]. The information about each peer is stored and replicated on different peers to provide robustness against malicious nodes. They also suggest favoring peers with high trust values probabilistically instead of deterministically, to allow new peers to slowly develop a reputation. Eventually, they suggest the use of incentives for peers with high reputation values.
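
As an added example (not part of the RFC, and a simplification of the EigenTrust paper), the Python below carries the transitivity idea through: each peer's local scores (satisfactory minus unsatisfactory interactions, playing the role of the trust and distrust vectors of Section 5.2.1) are normalised into a matrix C, and global trust is computed as the fixed point of t = (1 - a) C^T t + a p with a pre-trusted distribution p. The peer names, scores, the pre-trusted set and the value a = 0.2 are constructed. The scenario shows that a colluding clique that no honest peer vouches for, and a newcomer, both end with zero global trust ("no profit for newcomers"), and that provider selection can still favour high-trust peers probabilistically rather than deterministically.

```python
"""Added example (not from RFC 5765): a minimal EigenTrust-style computation
(Kamvar et al., Section 5.2.2) on per-peer local trust scores that play the
role of the trust/distrust vectors of Section 5.2.1.

s[i][j] is the number of satisfactory minus unsatisfactory interactions
peer i had with j.  Global trust is the fixed point of
    t = (1 - a) * C^T t + a * p
with C the row-normalised local trust matrix and p the pre-trusted vector.
All peers and scores below are constructed sample data.
"""
import random


def normalize(scores: dict, p: dict) -> dict:
    """c[i][j] = max(s_ij, 0) / sum_j max(s_ij, 0).

    A peer with no positive experience distributes its trust like the
    pre-trusted vector p (EigenTrust's rule for empty rows)."""
    c = {}
    for i, row in scores.items():
        positive = {j: v for j, v in row.items() if j != i and v > 0}
        total = sum(positive.values())
        c[i] = {j: v / total for j, v in positive.items()} if total else dict(p)
    return c


def eigentrust(scores: dict, pretrusted: set, a: float = 0.2,
               eps: float = 1e-12, max_iter: int = 1000) -> dict:
    """Global trust for every peer named in `scores` or `pretrusted`."""
    peers = set(scores) | set(pretrusted)
    for row in scores.values():
        peers |= set(row)
    peers = sorted(peers)
    p = {j: (1.0 / len(pretrusted) if j in pretrusted else 0.0) for j in peers}
    c = normalize({i: scores.get(i, {}) for i in peers}, p)
    t = dict(p)                                   # start from the pre-trusted vector
    for _ in range(max_iter):
        nxt = {}
        for j in peers:
            incoming = sum(c[i].get(j, 0.0) * t[i] for i in peers)   # (C^T t)_j
            nxt[j] = (1 - a) * incoming + a * p[j]
        delta = max(abs(nxt[j] - t[j]) for j in peers)
        t = nxt
        if delta < eps:
            break
    return t


def choose_provider(trust: dict, rng: random.Random, newcomer_share: float = 0.1) -> str:
    """Pick a peer to interact with, favouring high trust probabilistically
    while reserving a small share of choices for zero-trust peers so that
    newcomers get a chance to build a reputation."""
    newcomers = [j for j, v in trust.items() if v == 0.0]
    if newcomers and rng.random() < newcomer_share:
        return rng.choice(newcomers)
    peers = list(trust)
    return rng.choices(peers, weights=[trust[j] for j in peers])[0]


# --- constructed overlay -----------------------------------------------------
LOCAL_SCORES = {
    "A": {"B": 3, "C": 2},
    "B": {"A": 2, "C": 1},
    "C": {"A": 1, "B": 1},
    # colluding clique: vouches only for itself, no honest peer vouches for it
    "X": {"Y": 5, "Z": 5},
    "Y": {"X": 5, "Z": 5},
    "Z": {"X": 5, "Y": 5},
    "N": {},              # newcomer: no experience yet, nobody trusts it
}
PRETRUSTED = {"A"}


def sample_trust() -> dict:
    """Global trust values for the constructed overlay above."""
    return eigentrust(LOCAL_SCORES, PRETRUSTED)


if __name__ == "__main__":
    t = sample_trust()
    for peer, value in sorted(t.items(), key=lambda kv: -kv[1]):
        print(f"{peer}: {value:.3f}")
    rng = random.Random(1)
    print("providers chosen:", [choose_provider(t, rng) for _ in range(5)])
```

Because each row of C sums to one, the global vector stays a probability distribution across iterations; the clique's mutual 5-point scores are worthless because trust only flows in along edges from peers that already hold trust, which is the transitivity property the paragraph describes.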

6. Routing and Data Integrity

Preserving integrity of routing and data, or, in other words, preventing peers from returning corrupt responses to queries and routing through malicious peers, is an important security issue in P2P networks. The data stored on a P2P overlay depends on the applications that are using it. For file-sharing, this data would be the files themselves, their location, and owner information. For realtime communication, this would include user location bindings and other routing information. We describe such data integrity issues in Section 7.

6.1. Data Integrity

For file-sharing applications, insertion of wrong content (e.g., files not matching their names or descriptions) and introduction of corrupt data chunks (often referred to as poisoning and pollution) are a significant problem. BitTorrent uses voluntary moderators to weed out bogus files and the SHA-1 algorithm to determine the hash of each piece of a file to allow verification of integrity. If a peer detects a bad chunk, it can download that chunk from another peer. With this strategy, different peers download different pieces of a file before the original peer disappears from the network. However, if a malicious peer modifies the pieces that are only available on it and the original peer disappears, then the object distribution will fail [Zhang]. An analysis of BitTorrent in terms of integrity and performance can be found in the work of Pouwelse et al. [Pouwelse].
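
The following Python is an added example (not BitTorrent's code and not part of the RFC) of the per-piece SHA-1 check described above. The publisher's hash list stands in for the .torrent metadata; peers are modelled as functions returning a piece or None. The constructed scenario reproduces the failure mode cited from [Zhang]: the original seed leaves before serving one piece, a poisoning peer is the only other source for it, and verification rejects the altered chunk, so the download cannot complete until a second honest copy appears. Content, peer names and the 16-byte piece size are constructed.

```python
"""Added example (not from RFC 5765): per-piece SHA-1 verification as used by
BitTorrent (Section 6.1).  The hash list plays the role of the .torrent
metadata; peers are modelled as functions returning the bytes of a piece
(or None when they do not have it).  Content, peers and names are constructed.
"""
import hashlib

PIECE_SIZE = 16        # tiny pieces so the example stays readable


def piece_hashes(data: bytes, piece_size: int = PIECE_SIZE) -> list:
    """SHA-1 digest of every piece, computed once by the original publisher."""
    return [hashlib.sha1(data[i:i + piece_size]).digest()
            for i in range(0, len(data), piece_size)]


def verify_piece(index: int, piece: bytes, hashes: list) -> bool:
    """A downloaded chunk is accepted only if it matches the published digest."""
    return hashlib.sha1(piece).digest() == hashes[index]


def download(hashes: list, peers: list) -> tuple:
    """Fetch every piece, trying peers in order and discarding bad chunks.

    `peers` is a list of (name, fetch) where fetch(index) -> bytes | None.
    Returns (content or None, report); report maps a peer name to the
    indices of the pieces it served that failed verification.
    """
    pieces = [None] * len(hashes)
    report = {}
    for index in range(len(hashes)):
        for name, fetch in peers:
            chunk = fetch(index)
            if chunk is None:
                continue                                # peer lacks this piece
            if verify_piece(index, chunk, hashes):
                pieces[index] = chunk
                break
            report.setdefault(name, []).append(index)   # poisoned: try another peer
    if any(p is None for p in pieces):
        return None, report                             # distribution fails [Zhang]
    return b"".join(pieces), report


# --- constructed scenario ----------------------------------------------------
CONTENT = b"The quick brown fox jumps over the lazy dog, again and again!!!!"
HASHES = piece_hashes(CONTENT)
GOOD = [CONTENT[i:i + PIECE_SIZE] for i in range(0, len(CONTENT), PIECE_SIZE)]


def original_seed(index):
    """The publisher, which left the network before anyone fetched piece 2."""
    return None if index == 2 else GOOD[index]


def poisoner(index):
    """Serves correct data except for piece 2, which it has silently altered."""
    return GOOD[index] if index != 2 else b"X" * PIECE_SIZE


def mirror(index):
    """A second honest peer holding a full, correct copy."""
    return GOOD[index]


if __name__ == "__main__":
    print(download(HASHES, [("seed", original_seed), ("poisoner", poisoner)]))
    print(download(HASHES, [("seed", original_seed), ("poisoner", poisoner),
                            ("mirror", mirror)]))
```

The hash check protects integrity but not availability: in the first run the poisoned piece is detected and never written, yet the object still cannot be reconstructed, which is exactly the gap between detecting pollution and surviving it that the paragraph points out.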

6.2. Routing Integrity

To enhance the integrity of routing, it is important to reduce the number of queries forwarded to malicious nodes. Marti et al. [Marti] developed a system that uses social network information to route queries over trusted nodes. Their algorithm uses trusted nodes to forward queries (if one exists and is closer to the required ID in the ID space). Otherwise, they use the regular Chord [Stoica] routing table to forward queries. While their results indicate good average performance, the algorithm cannot guarantee log(N) hops for all cases. Danezis et al. [Danezis] suggest a method for routing in the presence of a large number of Sybil nodes. Their method is to ensure that a peer queries a diverse set of nodes and does not place too much trust in a node. Both the above works have been described based on Chord. However, unlike Chord, in DHTs like Pastry [Rowstron] and Kademlia [Maymounkov] there is flexibility in selecting nodes for any row in a peer's routing table. Potentially many nodes have a common ID prefix of a given length and are candidates for routing a given query. To exploit the social network information and still guarantee log(N) hops, a peer should select its friends to route a query, but only when they are present in the appropriate row selected by the DHT algorithm.
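
The row-constrained friend selection described in the last sentence, as an added Python example that is not from the RFC or from Marti et al.: IDs are equal-length hexadecimal strings, the routing-table row for a query is the set of known nodes that share one more prefix digit with the key than the local node does, and a friend is preferred only inside that set. The alternative that always routes through a nearer friend is included to show how it can spend a hop without gaining any prefix digit. All IDs and friend lists are constructed.

```python
"""Added example (not from RFC 5765): next-hop selection in a prefix-based
routing table (Pastry/Kademlia style) that prefers socially trusted peers
("friends"), as Section 6.2 suggests, but only among the nodes the DHT
algorithm would accept for the current hop.  Every hop therefore still
gains at least one digit of shared prefix, which is what keeps the
O(log N) hop bound.  IDs and friend lists below are constructed.
"""


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading hex digits two IDs have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def numeric_distance(a: str, b: str) -> int:
    return abs(int(a, 16) - int(b, 16))


def row_candidates(local: str, key: str, known: list) -> list:
    """Entries of routing-table row r (r = digits `local` shares with `key`)
    whose next digit matches the key: exactly the nodes Pastry would consider."""
    r = shared_prefix_len(local, key)
    return [n for n in known if shared_prefix_len(n, key) > r]


def next_hop(local: str, key: str, known: list, friends: set):
    """Row-constrained selection (the approach the paragraph recommends).

    Returns None when `local` already matches the key.  Among the candidates
    the DHT algorithm permits, a friend is preferred; otherwise the candidate
    numerically closest to the key is used.  Without any candidate, fall back
    to the closest known node that is numerically nearer to the key than the
    local node (leaf-set style), or None if there is none.
    """
    if local == key:
        return None
    candidates = row_candidates(local, key, known)
    pool = [n for n in candidates if n in friends] or candidates
    if pool:
        return min(pool, key=lambda n: numeric_distance(n, key))
    nearer = [n for n in known
              if numeric_distance(n, key) < numeric_distance(local, key)]
    return min(nearer, key=lambda n: numeric_distance(n, key)) if nearer else None


def friend_first_next_hop(local: str, key: str, known: list, friends: set):
    """The naive alternative: route via any friend numerically nearer to the
    key, regardless of routing-table row.  It can lose prefix progress."""
    if local == key:
        return None
    nearer_friends = [n for n in known if n in friends
                      and numeric_distance(n, key) < numeric_distance(local, key)]
    if nearer_friends:
        return min(nearer_friends, key=lambda n: numeric_distance(n, key))
    return next_hop(local, key, known, friends)


def progress(local: str, key: str, hop: str) -> int:
    """Prefix digits gained by moving from `local` to `hop` toward `key`."""
    return shared_prefix_len(hop, key) - shared_prefix_len(local, key)


if __name__ == "__main__":
    known = ["a123", "a9f0", "ab00", "0f00", "b000", "9fff"]     # constructed
    friends = {"a9f0", "0f00", "9fff"}
    print("row-constrained:", next_hop("0000", "abcd", known, friends))
    print("friend-first:   ", friend_first_next_hop("0000", "abcd", ["a123", "9fff"], {"9fff"}))
```

In the second printed case the friend `9fff` is numerically closer to `abcd` than the local node but shares no prefix digit with it, so the friend-first rule forwards to it and gains nothing, while the row-constrained rule forwards to the non-friend `a123` and gains a digit.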

7. Peer-to-Peer in Realtime Communication

The idea of using P2P in realtime communication essentially implies distributing centralized entities from conventional architectures over P2P overlays and thus reducing the costs of deployment and increasing reliability of the different services. Initiatives such as the P2PSIP working group in IETF [P2PSIP] are currently concentrating on achieving this by using a DHT for services such as registration, location lookup, and support for NAT traversal, which are normally handled by dedicated servers.

Even if based on the same technology, overlays used for realtime communication differ from those used for file-sharing in at least two aspects:

o Resource consumption. Contrary to file-sharing systems where the DHT is used to store huge amounts of data (even if the distributed database is used only for storing file locations, each user usually indexes hundreds or thousands of files), realtime communication overlays only require a subset of the resources available at any given time as users only register a limited number of locations (rarely more than one).

o Confidentiality. In file-sharing applications, eavesdropping and identity theft do not constitute real threats; after all, files are supposed to be made publicly available. This is not true in realtime communications, where the privacy and confidentiality of the participants are of paramount importance. Furthermore, the notion of identity plays an important role in realtime communications since it is the basis for starting a communication session. As such, it is essential to have mechanisms to unequivocally assert identities in realtime communication systems.

In this section we go over the admission issues and security problems discussed in previous sections, and discuss solutions that would be applicable to realtime communication in P2P.

7.1. Peer Promotion

In order to remain compatible with existing user agents, P2P communication architectures would have to allow certain nodes to use their services without actually using overlay-specific semantics. One way to achieve this would be for overlay-agnostic nodes to register with an existing peer or a dedicated proxy via a standard protocol like SIP [RFC3261]. Through the rest of this document, we will refer to nodes that access the service without actually joining the overlay as "clients".

In most cases, users would be able to benefit from the overlay by only acting as clients. However, in order to keep the solution scalable, at some point clients would have to be promoted to peers (admission to the DHT). This requires addressing the following issues.

7.1.1. Active vs. Passive Upgrades

Most existing P2P networks [KAZAA] [BITTORRENT] [PPLIVE] would generally leave it to the clients to determine if and when they would apply for becoming peers. A well-known exception to this trend is the Skype network [SKYPE], arguably one of the most popular overlay networks used for realtime communications today. Instances of the Skype application are supposed to operate as either super-nodes, directly contributing to the distributed provision of the service, or ordinary-nodes, simply using the service, and the "promotions" are decided by the higher levels of the hierarchy [Baset]. Even if there is not much difference for a client whether it has to actively ask for authorization to join an overlay or passively wait for an invitation, the latter approach has some advantages that fit well in overlays where only a subset of the peers is required to provide the service (as in realtime communication):

o An attacker cannot estimate in advance when and if it would be invited to join the overlay as a peer.

o It allows peers to perform long-lasting measurements on sets of candidates, in order to accurately select the most appropriate for upgrading and only invite it when they are "ready" to do so. The opposite approach, that is, when clients initiate the join themselves, adds an extra constraint for the peer that has to act upon the request since it doesn't know if and when the peer would attempt to join again.

相反的方法,即当客户机自己发起加入时,会为对等方添加一个额外的约束,该约束必须根据请求进行操作,因为它不知道对等方是否以及何时会再次尝试加入。

o It discourages malicious peers from attempting Sybil and, more generally, brute force attacks, as only a small ratio of clients has chances to join the overlay (possibly after an accurate examination).

7.1.2. When to Upgrade

In order to answer this question, one would have to define some criteria that would allow determination of the load on a peer and a reasonable threshold. When the load exceeds this threshold, a client is invited to become a peer and share the load. Several mechanisms to diagnose the status of P2P systems have recently been proposed [P2PSIP-DIAG]; in general, reasonable criteria for determining load can be:

o Number of clients attached.

o Bandwidth usage for DHT maintenance, forwarding requests, and responses to and from peers and from the attached clients.

o Memory usage for DHT routing table, DHT neighborhood table, application-specific data, and information about the attached clients.

7.1.3. Which Clients to Upgrade

Selecting which clients to upgrade would require defining and keeping track of new metrics. The exact set of metrics and how they influence decisions should be the subject of serious analysis and experimentation. These could be based on the following observations:

o Uptime. A peer could easily record the amount of time that it has been maintaining a connection with a client and take it into account when trying to determine whether or not to upgrade it.

o Level of activity. It is reasonable to assume that the more a client uses the service (e.g., making phone calls), the less they would be willing to degrade it.

o Keeping track of history. Peers could record history of the clients they invite and the way they contribute to the overlay.

Other metrics such as public vs. private IP addresses, computation power, and bandwidth should also be taken into account even though they do not necessarily have a direct impact on security.

Note, however, that a set of colluding malicious peers can manufacture essentially any of the criteria considered for the upgrade. Furthermore, sophisticated peers can overload the system or run denial-of-service attacks against existing super-nodes in order to improve their chances of being upgraded.

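The following Go program is added here as an illustration and is not part of the original document. It puts the load criteria of Section 7.1.2 and the selection metrics of Section 7.1.3 together the way a peer would run them under the passive model of Section 7.1.1: the peer alone decides, it consults only measurements it took itself (nothing self-reported by the client), and it ignores clients attached for less than a minimum period, so that a burst of manufactured activity from a freshly attached client does not earn an invitation. The thresholds, weights, minimum uptime and the sample clients are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Added example, not part of RFC 5765: peer-side promotion logic for
// Sections 7.1.2 and 7.1.3. Thresholds, weights, the minimum uptime and the
// sample clients are assumptions made for the illustration.

// Load is what a peer measures about itself (Section 7.1.2).
type Load struct {
	Clients       int
	BandwidthKbps float64 // DHT maintenance, forwarded requests/responses, client traffic
	MemoryMB      float64 // routing table, neighborhood table, application data, client state
}

// Thresholds: exceeding any one of them means the peer should share its load.
type Thresholds struct {
	MaxClients       int
	MaxBandwidthKbps float64
	MaxMemoryMB      float64
}

// Exceeds reports whether the peer is overloaded by any of the criteria.
func (l Load) Exceeds(t Thresholds) bool {
	return l.Clients > t.MaxClients ||
		l.BandwidthKbps > t.MaxBandwidthKbps ||
		l.MemoryMB > t.MaxMemoryMB
}

// ClientRecord holds only what this peer observed about an attached client.
// Nothing is self-reported, which is the first defence against a client
// manufacturing the upgrade criteria (Section 7.1.3).
type ClientRecord struct {
	Addr         string
	Attached     time.Time // when the client's connection was established
	CallsRelayed int       // activity the peer relayed for the client
	Invited      int       // past invitations this peer issued to the client
	Honoured     int       // of those, how many it accepted and served well
	PublicIP     bool
	UplinkKbps   float64
}

// Score ranks candidates: uptime and activity count in favour, a history of
// declined or abandoned invitations scales the score down, and clients that
// cannot serve (private address, tiny uplink) are demoted or excluded.
func Score(c ClientRecord, now time.Time) float64 {
	if c.UplinkKbps < 256 {
		return 0
	}
	s := now.Sub(c.Attached).Hours() + 0.5*float64(c.CallsRelayed)
	if c.Invited > 0 {
		s *= float64(c.Honoured) / float64(c.Invited)
	}
	if !c.PublicIP {
		s *= 0.5
	}
	return s
}

// ChooseInvitee returns the client to invite, or false if the peer is not
// overloaded or no client qualifies. minUptime keeps freshly attached
// clients (the cheap part of a Sybil attack) out of the running even if
// they generate a burst of activity.
func ChooseInvitee(l Load, t Thresholds, clients []ClientRecord,
	now time.Time, minUptime time.Duration) (ClientRecord, bool) {
	if !l.Exceeds(t) {
		return ClientRecord{}, false
	}
	var eligible []ClientRecord
	for _, c := range clients {
		if now.Sub(c.Attached) >= minUptime && Score(c, now) > 0 {
			eligible = append(eligible, c)
		}
	}
	if len(eligible) == 0 {
		return ClientRecord{}, false
	}
	sort.SliceStable(eligible, func(i, j int) bool {
		return Score(eligible[i], now) > Score(eligible[j], now)
	})
	return eligible[0], true
}

// Constructed sample data: a fixed clock and four attached clients.
var sampleNow = time.Date(2010, 2, 1, 12, 0, 0, 0, time.UTC)

var sampleThresholds = Thresholds{MaxClients: 100, MaxBandwidthKbps: 2000, MaxMemoryMB: 256}

func SampleClients() []ClientRecord {
	return []ClientRecord{
		{Addr: "198.51.100.7", Attached: sampleNow.Add(-30 * time.Hour), CallsRelayed: 12, Invited: 1, Honoured: 1, PublicIP: true, UplinkKbps: 1000},
		{Addr: "198.51.100.8", Attached: sampleNow.Add(-200 * time.Hour), Invited: 2, Honoured: 0, PublicIP: true, UplinkKbps: 1000},   // declined twice
		{Addr: "198.51.100.9", Attached: sampleNow.Add(-30 * time.Minute), CallsRelayed: 40, PublicIP: true, UplinkKbps: 1000},       // burst, just arrived
		{Addr: "198.51.100.10", Attached: sampleNow.Add(-40 * time.Hour), CallsRelayed: 4, PublicIP: false, UplinkKbps: 1000},
	}
}

func main() {
	load := Load{Clients: 120, BandwidthKbps: 900, MemoryMB: 180}
	c, ok := ChooseInvitee(load, sampleThresholds, SampleClients(), sampleNow, 24*time.Hour)
	fmt.Println(ok, c.Addr) // true 198.51.100.7
}
```

With the sample data the long-attached client that declined twice scores zero, the newcomer with a burst of calls is filtered out by the uptime requirement, and the client behind a private address ranks below the one that honoured an earlier invitation.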

7.1.4. Incentives for Clients

Clients need to have incentives for accepting upgrades in order to prevent excessive burden on existing peers. One way to handle this would be to maintain separate incentive management through the use of currency or credits. Another option would involve embedding these incentives inside the protocol itself:

o Peers share with clients only a fraction of their bandwidth (uplink and downlink). This would result in higher latency when using the services of the overlay as a client and better service quality for peers.

o Peers could restrict the number or types of calls that they allow clients to make.

Introducing such incentives, however, may turn out to be somewhat risky. Differences in quality would probably be perceptible for end users who would not always be able to understand the difference between the roles that their user agent is playing in the overlay. Such behavior may therefore be interpreted as arbitrary and make the service look unreliable.

7.2. Security
7.2.1. Targeted Denial of Service

In addition to bombardment with queries as described in Section 2, the denial-of-service attack against an individual node can be conducted in DHTs if the peers that surround a particular ID are compromised. These peers that act as proxy servers for the victim can fake the responses from the victim by sending fictitious error messages back to peers trying to establish a session. Danezis et al.'s solution [Danezis] can also provide protection against such attacks, as in their solution peers vary the nodes used in queries.

7.2.2. Man-in-the-Middle Attack

The man-in-the-middle attack is well described by Seedorf [Seedorf1] in the particular case of P2PSIP [P2PSIP] and consists of an attack that exploits the lack of integrity when routing information. A malicious node could return IP addresses of other malicious nodes when queried for a particular ID. The requesting peer would then establish a session with a second malicious node, which would again return a "poisoned" reply. This could go on until the Time to Live (TTL) expires and the requester gives up the "wild goose chase" [Danezis]. A simple way for entities to verify the correctness of the routing lookup is to employ iterative routing and to check the node-ID of every routing hop that is returned, and it should get closer to the desired ID with every hop. However, this is not a strong check and can be defeated [Seedorf1].

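The following Go program is added here as an illustration and is not part of the original document. It simulates the hop-by-hop check described above on a constructed overlay: the requester accepts a referral only if the returned node ID is strictly closer to the target than the node that returned it, and gives up when its hop budget (TTL) is exhausted. The 16-bit ID space and the XOR distance of Kademlia [Maymounkov] are assumptions. Three runs show the check working against a naive poisoner and failing against colluding nodes whose IDs form a chain of decreasing distance, which is why the check is weak.

```go
package main

import "fmt"

// Added example, not part of RFC 5765: an iterative DHT lookup that applies
// the check of Section 7.2.2 (every returned hop must be strictly closer to
// the target) on a constructed toy overlay. 16-bit IDs and the XOR distance
// of Kademlia are assumptions made for the illustration.

type NodeID uint16

// Overlay: honest nodes reply with the honest node closest to the target
// (global knowledge is assumed to keep the model small). A malicious node
// always replies with the referral recorded for it, whatever the target.
type Overlay struct {
	honest   []NodeID
	referral map[NodeID]NodeID // malicious node -> next hop it always returns
}

func xorDist(a, b NodeID) uint16 { return uint16(a ^ b) }

// respond models the reply node `from` gives when asked for `target`. An
// honest node that is itself the closest returns its own ID, which the
// requester reads as "this node is responsible for the target".
func (o *Overlay) respond(from, target NodeID) NodeID {
	if next, malicious := o.referral[from]; malicious {
		return next
	}
	best := from
	for _, id := range o.honest {
		if xorDist(id, target) < xorDist(best, target) {
			best = id
		}
	}
	return best
}

// LookupResult records the hops taken and why the lookup stopped.
type LookupResult struct {
	Path   []NodeID
	Found  bool
	Reason string
}

// Lookup runs the iterative lookup from `start` with the distance check and
// a hop budget (the TTL of Section 7.2.2).
func (o *Overlay) Lookup(start, target NodeID, ttl int) LookupResult {
	cur := start
	path := []NodeID{start}
	for hop := 0; hop < ttl; hop++ {
		next := o.respond(cur, target)
		if next == cur {
			return LookupResult{path, true, "responsible node reached"}
		}
		// The check: a referral that does not bring us closer is rejected.
		if xorDist(next, target) >= xorDist(cur, target) {
			return LookupResult{path, false, fmt.Sprintf(
				"hop %d: %#04x referred %#04x, not closer to %#04x; rejected",
				hop, cur, next, target)}
		}
		path = append(path, next)
		cur = next
	}
	return LookupResult{path, false, "TTL expired"}
}

const lookupTarget NodeID = 0x1000

var honestNodes = []NodeID{0x0100, 0x1F00, 0x2000}

// HonestScenario: no attacker; the lookup converges in two hops.
func HonestScenario() LookupResult {
	o := &Overlay{honest: honestNodes, referral: map[NodeID]NodeID{}}
	return o.Lookup(0x2000, lookupTarget, 8)
}

// NaivePoisonScenario: the first contact is malicious and refers the
// requester to an accomplice farther from the target; the check catches it.
func NaivePoisonScenario() LookupResult {
	o := &Overlay{honest: honestNodes, referral: map[NodeID]NodeID{0x1800: 0x3F00}}
	return o.Lookup(0x1800, lookupTarget, 8)
}

// CollusionScenario: colluding nodes hold IDs forming a chain of strictly
// decreasing distance to the target. Every reply passes the check and the
// requester follows the "wild goose chase" until the TTL expires.
func CollusionScenario() LookupResult {
	o := &Overlay{honest: honestNodes, referral: map[NodeID]NodeID{
		0x1800: 0x1400, 0x1400: 0x1200, 0x1200: 0x1100, 0x1100: 0x1080,
		0x1080: 0x1040, 0x1040: 0x1020, 0x1020: 0x1010,
	}}
	return o.Lookup(0x1800, lookupTarget, 5)
}

func main() {
	for _, s := range []struct {
		name string
		r    LookupResult
	}{{"honest", HonestScenario()}, {"naive poison", NaivePoisonScenario()}, {"collusion", CollusionScenario()}} {
		fmt.Printf("%-13s found=%-5v hops=%d  %s\n", s.name, s.r.Found, len(s.r.Path)-1, s.r.Reason)
	}
}
```

The check costs the attacker nothing more than holding node IDs at suitable distances from the victim's ID, which is exactly what a Sybil attacker with free choice of IDs can do; without secure ID assignment the requester cannot distinguish the colluding chain from honest progress until the TTL runs out.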

7.2.3. Trust between Peers

The effect of malicious peers could be mitigated by introducing the concept of trust within an overlay. This can be done in different ways:

o Using certificates assigned by an external authority. The drawback with this approach is that it requires a centralized element.

o Using certificates reciprocally signed by peers. This mechanism is quite similar to PGP [Zimmermann]; every peer signs certificates of "friend" peers and trusts any other peer with a certificate signed by one of its friends. However, even though it might be theoretically possible, in reality it is extremely difficult to obtain long enough trust chains.

7.2.4. Routing Call Signaling

One way for implementing realtime communication overlays (as we have mentioned in earlier sections) would be to simply replace centralized entities in signaling protocols like SIP [RFC3261] with distributed services. In some cases, this might imply reusing existing protocol mechanisms for routing signaling messages. In the case of SIP, this would imply regarding peers as SIP proxies. However, the design of SIP supposes that such proxies are trusted, and makes it possible for them to fork requests or change their destination, add or remove header fields, act as the remote party, and generally manipulate message content and semantics.

However, in a P2P environment where messages may be routed through numerous successive peers, some of which might be compromised, it is important not to treat them as trusted proxies. One way to limit what peers can do is by protecting signaling with some kind of end-to-end encryption.

Another option would be to extend existing signaling protocols and modify the way they route messages in order to guarantee secure end-to-end transmission. Gurbani et al. [Gurbani] define a similar mechanism for SIP that allows nodes to establish a secure channel by sending a CONNECT SIP request, and then tunnel all SIP messages through it, adopting a similar mechanism to the one used for upgrading from HTTP to HTTPS [RFC2818].

7.2.5. Integrity of Location Bindings

It is important to ensure that the location that a user registers, usually a (URI, IP) pair, is what is returned to the requesting party, or at least that the entities issuing the lookup request are able to verify the integrity of this pair. A pure P2P approach to allow verification of the integrity of location binding information is presented in [Seedorf2]. The idea is for an entity to choose an asymmetric key pair and hash its public key to generate its URI. The entity then signs its present location with its private key and registers the quadruple (URI, IP, signature, public key). Any entity that looks up the URI and receives such a quadruple can then verify its integrity by checking that the public key hashes to the URI and that the signature over the location verifies under that public key. Another possible merit of such an approach is that it becomes possible to identify malicious nodes and maintain a black list. However, the resulting URIs are not easy to remember and associate with entities. Discovering these URIs and associating them with entities would therefore require some sort of directory service. The authors suggest using existing authentication infrastructure for this, such as a certified web service using SSL that publishes an "online phone book" mapping users to URIs.

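The following Go program is added here as an illustration and is not part of the original document or of [Seedorf2]. It implements the registration and verification steps just described: the URI is derived from a hash of the owner's public key, the location is signed with the matching private key, and a peer that receives the quadruple checks both the hash and the signature. Ed25519 for the signature, SHA-256 for deriving the URI, the length-prefixed encoding of the signed data and the domain p2p.example are choices made for this example, not prescribed by the original scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Added example, not part of RFC 5765: location bindings whose URI is
// derived from the owner's public key, in the style of [Seedorf2]. Ed25519,
// SHA-256 and the p2p.example domain are assumptions for the illustration.

// Binding is the quadruple (URI, IP, signature, public key) that a peer
// stores in the overlay.
type Binding struct {
	URI       string
	IP        string
	Signature []byte
	PublicKey ed25519.PublicKey
}

// uriFor derives the URI from the public key: the user part is a truncated
// hex SHA-256 of the key, so only the holder of the matching private key
// can produce a signature that verifies for this URI.
func uriFor(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "sip:" + hex.EncodeToString(sum[:16]) + "@p2p.example"
}

// signedData fixes what the signature covers. URI and IP are length
// prefixed so that moving the boundary between them cannot yield the
// same byte string.
func signedData(uri, ip string) []byte {
	var b bytes.Buffer
	for _, s := range []string{uri, ip} {
		fmt.Fprintf(&b, "%d:%s", len(s), s)
	}
	return b.Bytes()
}

// Register builds the binding that the owner of priv publishes for ip.
func Register(priv ed25519.PrivateKey, ip string) Binding {
	pub := priv.Public().(ed25519.PublicKey)
	uri := uriFor(pub)
	return Binding{URI: uri, IP: ip, Signature: ed25519.Sign(priv, signedData(uri, ip)), PublicKey: pub}
}

// Verify is what a looking-up peer runs on a quadruple it receives. Both
// checks are needed: the hash check ties the key to the URI, the signature
// check ties the IP to the key. Either one alone can be satisfied by an
// attacker with a key of their own.
func Verify(b Binding) error {
	if len(b.PublicKey) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed public key")
	}
	if uriFor(b.PublicKey) != b.URI {
		return fmt.Errorf("public key does not hash to URI %s", b.URI)
	}
	if !ed25519.Verify(b.PublicKey, signedData(b.URI, b.IP), b.Signature) {
		return fmt.Errorf("signature over (URI, IP) does not verify")
	}
	return nil
}

// Demo returns the verification result for a genuine binding, for the same
// binding with its IP rewritten by a peer on the lookup path, and for an
// attacker who re-signs the rewritten IP with a key of their own while
// claiming the victim's URI.
func Demo() (genuine, tamperedIP, substitutedKey error) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	b := Register(priv, "192.0.2.10")
	genuine = Verify(b)

	t := b
	t.IP = "203.0.113.5"
	tamperedIP = Verify(t)

	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	s := Register(attacker, "203.0.113.5")
	s.URI = b.URI
	s.Signature = ed25519.Sign(attacker, signedData(s.URI, s.IP))
	substitutedKey = Verify(s)
	return
}

func main() {
	g, t, s := Demo()
	fmt.Println("genuine:", g)
	fmt.Println("rewritten IP:", t)
	fmt.Println("substituted key:", s)
}
```

The URI printed for the genuine binding is a hex string, which is the usability cost the text mentions: a user still needs a directory to learn which hash belongs to whom, and the scheme protects the binding between key and location, not the binding between a person and a key.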

7.2.6. Encrypting Content

Using P2P overlays for realtime communication implies that content is likely to traverse numerous intermediate peers before reaching its destination. A typical example could be the use of peers as media relays as a way of traversing NATs in VoIP calls.

Contrary to publicly shared files, communication sessions are in most cases expected to be private. It is therefore very important to make sure that no media leaves the client application without being encrypted and securely transported through a protocol like SRTP [RFC3711]. However, the processing required by the encryption algorithms and the extra resources necessary for managing the keying material (e.g., for retrieving public keys when interacting with unknown peers) may be expensive, especially for mobile devices.

7.2.7. Other Issues

Details on cost and payment regimes could help identify further threats. Such details could also be important when determining the impact of a potential attack in the context of the specific business models associated with particular overlays. In many cases, answers to the following simple questions significantly aid the design of protection mechanisms:

o Whom do the users pay?

o Do the users only pay when accessing the public telephone network?

o Is the billing done per call or is it fixed?

For instance, the implications of an attack such as taking control over another's user agent or its identity and using it for outbound calls would depend on whether or not this would be economically advantageous for the attacker. Baumann et al. [Baumann] suggest that to prevent unwanted communication costs, gateways for the public telephone network should only be accessible via authenticated servers and dialing authorizations should be enforced. Also, it seems that it would be difficult to do billing in a pure P2P manner as it would mean keeping the billing details with untrusted peers.

8. Open Issues

Existing systems used for file-sharing, media streaming, and realtime communications all achieve a reasonable level of security relying on centralized components (e.g., login servers in Skype [Baset], moderators and trackers in BitTorrent [Pouwelse]). Securing pure P2P networks is therefore still a very active research field; at the time of writing the main open issues fall in five areas:

o Secure assignment of node IDs.

o Entity-identity association.

o Distributed trust among peers.

o Resistance against malicious peer collusion.

o Robustness and damage recovery.

In general, P2P overlays are designed to work when the vast majority of their peers are interested in the service provided by the system and act benevolently. Understanding how operations in different overlays are perturbed as the number of malicious or compromised peers grows is another interesting area of research. Also, a widely adopted methodology for the evaluation and classification of security solutions would be likely to help research in the field of P2P security progress more efficiently.

9. Security Considerations

This document, tutorial in nature, discusses some of the security issues of P2P systems used for realtime communications. It does not aim at identifying all possible threats and the corresponding solutions; instead, starting from an analysis of the attackers, it delves into some important aspects of P2P security, referencing the most relevant works published at the time of writing and discussing how they apply (or could apply) to the case of realtime communications.

10. Acknowledgments

The authors are particularly grateful to Dhruv Chopra, who contributed to the writing of the article "Peer-to-peer Overlays for Real-Time Communication: Security Issues and Solutions" (IEEE Surveys & Tutorials, Vol. 11, No. 1) from which this work is partially derived.

The authors would also like to thank Vijay Gurbani and Song Haibin for reviewing the document and the many others who provided useful comments.

11. Informative References

[Ahn] Ahn, L., Blum, M., and J. Langford, "Telling humans and computers apart automatically", Communications of the ACM, vol. 47, no. 2, February 2004.

[Androutsellis-Theotokis] Androutsellis-Theotokis, S. and D. Spinellis, "A survey of peer-to-peer content distribution technologies", ACM CSUR, vol. 36, no. 4, December 2004.

[BITTORRENT] "BitTorrent", <http://www.bittorrent.com/>.

[Baset] Baset, S. and H. Schulzrinne, "An analysis of the skype peer-to-peer internet telephony protocol", Proceedings of IEEE INFOCOM 2006, April 2006.

[Baumann] Baumann, R., Cavin, S., and S. Schmid, "Voice Over IP - Security and SPIT", Technical Report, University of Berne, September 2006.

[COOLSTREAM] "COOLSTREAMING", <http://www.coolstreaming.us>.

[Castro] Castro, M., Druschel, P., Ganesh, A., Rowstron, A., and D. Wallach, "Secure routing for structured peer-to-peer overlay networks", Proceedings of 5th symposium on Operating systems design and implementation, December 2002.

[Chellapilla] Chellapilla, K. and P. Simard, "Using Machine Learning to Break Visual Human Interaction Proofs (HIPs)", Proceedings of Advances in Neural Information Processing Systems, December 2004.

[Condie] Condie, T., Kacholia, V., Sankararaman, S., Hellerstein, J., and P. Maniatis, "Maelstorm: Churn as Shelter", Proceedings of 13th Annual Network and Distributed System Security Symposium, November 2005.

[Damiani] Damiani, E., Vimercati, D., Paraboschi, S., Samarati, P., and F. Violante, "A Reputation-Based Approach for Choosing Reliable Resources in Peer-to-Peer Networks", Proceedings of Conference on Computer and Communications Security, November 2002.

[Danezis] Danezis, G., Lesniewski-Laas, C., Kaashoek, M., and R. Anderson, "Sybil-resistant DHT routing", Proceedings of 10th European Symposium on Research in Computer Security, September 2005.

[Douceur] Douceur, J., "The Sybil Attack", Revised Papers from First International Workshop on Peer-to-Peer Systems, March 2002.

[Gurbani] Gurbani, V., Willis, D., and F. Audet, "Cryptographically Transparent Session Initiation Protocol (SIP) Proxies", Proceedings of IEEE ICC '07, June 2007.

[KAZAA] "KaZaa", <http://www.kazaa.com/>.

[Kamvar] Kamvar, S., Garcia-Molina, H., and M. Schlosser, "The EigenTrust Algorithm for Reputation Management in P2P Networks", Proceedings of 12th international conference on World Wide Web, May 2003.

[Kim] Kim, Y., Mazzocchi, D., and G. Tsudik, "Admission Control in Peer Groups", Proceedings of Second IEEE International Symposium on Network Computing and Applications, April 2003.

[Kong] Kong, J., Zerfos, P., Luo, H., Lu, S., and L. Zhang, "Providing robust and ubiquitous security support for MANET", Proceedings of 9th International Conference on Network Protocols, November 2001.

[Lee] Lee, S., Kwon, O., Kim, J., and S. Hong, "A Reputation Management System in Structured Peer-to-Peer Networks", Proceedings of 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise, June 2005.

[Liang] Liang, J., Kumar, R., Xi, Y., and K. Ross, "Pollution in p2p file sharing systems", Proceedings of IEEE INFOCOM 2005, March 2005.

[Marti] Marti, S., Ganesan, P., and H. Garcia-Molina, "SPROUT: P2P Routing with Social Networks", Proceedings of First International Workshop on Peer-to-Peer and Databases, March 2004.

[Maymounkov] Maymounkov, P. and D. Mazières, "Kademlia: A Peer-to-peer Information System Based on the XOR Metric", Proceedings of First International Workshop on Peer-to-peer Systems, March 2002.

[McCue] McCue, A., "Bookie reveals £100,000 cost of denial-of-service extortion attacks", available from http://www.silicon.com, June 2004.

[NAPSTER] "Napster", <http://www.napster.com/>.

[Ohta] Ohta, K., Micali, S., and L. Reyzin, "Accountable Subgroup Multisignatures", Proceedings of 8th ACM conference on Computer and Communications Security, November 2001.

[P2PSIP] "Peer-to-Peer Session Initiation Protocol (P2PSIP) IETF Working Group", <http://www.ietf.org/html.charters/p2psip-charter.html>.

[P2PSIP-DIAG] Yongchao, S., Jiang, X., Even, R., and D. Bryan, "P2PSIP Overlay Diagnostics", Work in Progress, December 2009.

[PPLIVE] "PPLive", <http://www.pplive.com>.

[Poon] Poon, W. and R. Chang, "Robust Forwarding in Structured Peer-to-Peer Overlay Networks", Proceedings of ACM SIGCOMM 2004, August 2004.

[Pouwelse] Pouwelse, J., Garbacki, P., Epema, D., and H. Sips, "The BitTorrent P2P File-Sharing System: Measurements and Analysis", Proceedings of 4th International Workshop of Peer-to-peer Systems, February 2005.

[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.

[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, March 2004.

[RFC4981] Risson, J. and T. Moors, "Survey of Research towards Robust Peer-to-Peer Networks: Search Methods", RFC 4981, September 2007.

[Ratnasamy] Ratnasamy, S., Francis, P., Handley, M., Karp, R., and S. Shenker, "A Scalable Content-Addressable Network", Proceedings of ACM SIGCOMM 2001, January 2001.

[Rowaihy] Rowaihy, H., Enck, W., McDaniel, P., and T. Porta, "Limiting Sybil attacks in structured peer-to-peer networks", Proceedings of IEEE INFOCOM 2007, May 2007.

[Rowstron] Rowstron, A. and P. Druschel, "Pastry: Scalable, distributed object location and routing for large-scale peer-to-peer systems", Proceedings of 18th IFIP/ACM International Conference on Distributed Systems Platforms (Middleware 2001), November 2001.

[SHA1] FIPS PUB 180-1, "Secure Hash Standard", April 1995.

[SKYPE] "Skype", <http://www.skype.com/>.

[Saxena] Saxena, N., Tsudik, G., and J. Yi, "Admission Control in Peer-to-Peer: Design and Performance Evaluation", Proceedings of 1st ACM workshop on Security of ad hoc and sensor networks, October 2003.

[Scheideler] Scheideler, C., "How to Spread Adversarial Nodes?: Rotate!", Proceedings of 37th Annual ACM Symposium on Theory of Computing, May 2005.

[Seedorf1] Seedorf, J., "Security Challenges for Peer-to-Peer SIP", IEEE Network, vol. 20, no. 5, September 2006.

[Seedorf2] Seedorf, J., "Using Cryptographically Generated SIP-URIs to Protect the Integrity of Content in P2P-SIP", Proceedings of 3rd Annual VoIP Security Workshop, June 2006.

[Singh] Singh, K. and H. Schulzrinne, "Peer-to-Peer Internet Telephony using SIP", Proceedings of International Workshop on Network and Operating System Support for Digital Audio and Video, June 2005.

[Sit] Sit, E. and R. Morris, "Security considerations for peer- to-peer distributed hash tables", Revised Papers from First International Workshop on Peer-to-Peer Systems, March 2002.

[Stoica] Stoica, I., Morris, R., Karger, D., Kaashoek, M., and H. Balakrishnan, "Chord: A Scalable Peer-to-peer Lookup Service for Internet Applications", Proceedings of Applications, Technologies, Architectures, and Protocols for Computer Communication 2001, May 2001.

[Tam] Tam, J., Simsa, J., Hyde, S., and L. Ahn, "Breaking Audio CAPTCHAs with Machine Learning Techniques", Proceedings of Advances in Neural Information Processing Systems, December 2009.

[Uzun] Uzun, E., Pariente, M., and A. Selçuk, "A Reputation-Based Trust Management System for P2P Networks", Proceedings of International Symposium on Cluster Computing and the Grids, April 2004.

[Wallach] Wallach, D., "A Survey of Peer-to-Peer Security Issues", Proceedings of International Symposium of Software Security 2002, November 2002, <http://www.cs.rice.edu/~dwallach/pub/tokyo-p2p2002.pdf>.

[Yu] Yu, H., Kaminsky, M., Gibbons, P., and A. Flaxman, "SybilGuard: Defending Against Sybil Attacks via Social Networks", Proceedings of ACM SIGCOMM 2006, September 2006.

[Zhang] Zhang, X., Chen, S., and R. Sandhu, "Enhancing Data Authenticity and Integrity in P2P Systems", IEEE Internet Computing, vol. 9, no. 6, September 2005.

[Zimmermann] Zimmermann, Philip., "Pretty good privacy: public key encryption for the masses", Building in big brother: the cryptographic policy debate pag. 103-107, 1995.

Authors' Addresses

Henning Schulzrinne Columbia University 1214 Amsterdam Avenue New York, NY 10027 USA

EMail: hgs@cs.columbia.edu

Enrico Marocco Telecom Italia Via G. Reiss Romoli, 274 Turin 10148 Italy

EMail: enrico.marocco@telecomitalia.it

Emil Ivov SIP Communicator / University of Strasbourg 4 rue Blaise Pascal Strasbourg Cedex F-67070 France

EMail: emcho@sip-communicator.org