Post on 11-Jan-2016
P2P Taxonomy and Security Concerns
Ryan Lackey
CTO, HavenCo, Ltd.
ryan@havenco.com
RSA Conference 2002, San Jose
0900 20-02-2002
Introduction
• Variety of P2P systems
• P2P is not a new thing
Types of Systems
• “Traditional” P2P file sharing
• Email
• Proxies
• Chat systems
• Infrastructure systems
Major File Systems
Napster
Gnutella
KaZaA/Fasttrack/Morpheus
Freenet
Mojonation
Traditional Email
• SMTP is peer to peer
• Deployed with “supernodes” with SMTP/POP3 and inter-realm communication via supernodes
Cypherpunks-style remailers
• 35 or so nodes
• “Onion routing”
Chat Systems
• IRC isn’t really P2P
• AIM/ICQ with centralized presence
• Gale, Jabber, IMPP proposals
Infrastructure Protocols
• DNS
• NTP
• PKI Certification Authorities
Design Comparison
• Target applications
• Transport
• Interactivity
• Degree of centralization
• Design/compile-time organization or install/configuration or runtime/evolving
• Security: traffic encryption, DoS protection,
• Replication for reliability
Implementation Comparison
• “Official” vs. covert adoption
• Importance of “network effects” for minimal utility
• Legal issues (content, copyright controls)
• Administrative control – what functionality is possible, who exercises it?
Security Issues
• Users provided an incentive to violate security model
• System not designed to be compatible with non-P2P restrictions
• Modifies underlying assumptions about connectivity
Observations
• “Old” p2p systems (email, etc.) seem to be designed into security models, so newer systems can emulate
• Power ultimately wins over security
• Systems can be re-deployed internally for security
Summary
Since P2P applications have been popular, and continue to be popular, security practices must take them into account
Deployment choices are as important as implementation choices; even unsafe technologies can be wrapped in a security model
Q&A