rfc5765









Internet Research Task Force (IRTF)                       H. Schulzrinne
Request for Comments: 5765                           Columbia University
Category: Informational                                       E. Marocco
ISSN: 2070-1721                                           Telecom Italia
                                                                 E. Ivov
                                                        SIP Communicator
                                                           February 2010


         Security Issues and Solutions in Peer-to-Peer Systems
                      for Realtime Communications

Abstract

   Peer-to-peer (P2P) networks have become popular for certain
   applications and deployments for a variety of reasons, including
   fault tolerance, economics, and legal issues.  It has therefore
   become reasonable for resource consuming and typically centralized
   applications like Voice over IP (VoIP) and, in general, realtime
   communication to adapt and exploit the benefits of P2P.  Such a
   migration needs to address a new set of P2P-specific security
   problems.  This document describes some of the known issues found in
   common P2P networks, analyzing the relevance of such issues and the
   applicability of existing solutions when using P2P architectures for
   realtime communication.  This document is a product of the P2P
   Research Group.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF).  The IRTF publishes the results of Internet-related research
   and development activities.  These results might not be suitable for
   deployment.  This RFC represents the consensus of the Peer-to-Peer
   Research Group of the Internet Research Task Force (IRTF).  Documents
   approved for publication by the IRSG are not a candidate for any
   level of Internet Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc5765.








Schulzrinne, et al.           Informational                     [Page 1]

RFC 5765         Security in P2P Realtime Communications   February 2010


Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.








































Schulzrinne, et al.           Informational                     [Page 2]

RFC 5765         Security in P2P Realtime Communications   February 2010


Table of Contents

   1. Introduction ....................................................4
      1.1. Purpose of This Document ...................................6
      1.2. Structure of This Document .................................7
   2. The Attackers ...................................................8
      2.1. Incentive of the Attacker ..................................8
      2.2. Resources Available to the Attacker ........................9
      2.3. Victim of the Attack ......................................10
      2.4. Time of Attack ............................................10
   3. Admission Control ..............................................10
   4. Determining the Position in the Overlay ........................11
   5. Resilience against Malicious Peers .............................12
      5.1. Identification of Malicious Peers .........................13
           5.1.1. Proactive Identification ...........................13
           5.1.2. Reactive Identification ............................13
      5.2. Reputation Management Systems .............................14
           5.2.1. Unstructured Reputation Management .................14
           5.2.2. Structured Reputation Management ...................14
   6. Routing and Data Integrity .....................................15
      6.1. Data Integrity ............................................15
      6.2. Routing Integrity .........................................15
   7. Peer-to-Peer in Realtime Communication .........................16
      7.1. Peer Promotion ............................................17
           7.1.1. Active vs. Passive Upgrades ........................17
           7.1.2. When to Upgrade ....................................18
           7.1.3. Which Clients to Upgrade ...........................18
           7.1.4. Incentives for Clients .............................19
      7.2. Security ..................................................19
           7.2.1. Targeted Denial of Service .........................19
           7.2.2. Man-in-the-Middle Attack ...........................20
           7.2.3. Trust between Peers ................................20
           7.2.4. Routing Call Signaling .............................20
           7.2.5. Integrity of Location Bindings .....................21
           7.2.6. Encrypting Content .................................21
           7.2.7. Other Issues .......................................22
   8. Open Issues ....................................................22
   9. Security Considerations ........................................23
   10. Acknowledgments ...............................................23
   11. Informative References ........................................23











Schulzrinne, et al.           Informational                     [Page 3]

RFC 5765         Security in P2P Realtime Communications   February 2010


1.  Introduction

   Peer-to-peer (P2P) overlays have become quite popular with the advent
   of file-sharing applications such as Napster [NAPSTER], KaZaa
   [KAZAA], and BitTorrent [BITTORRENT].  After their success in file-
   sharing and content distribution [Androutsellis-Theotokis], P2P
   networks are now also being used for applications such as Voice over
   IP (VoIP) [SKYPE] [Singh] and television [PPLIVE] [COOLSTREAM].
   However, most of these systems are not purely P2P and have
   centralized components like the login server in Skype [Baset] or
   moderators and trackers in BitTorrent [Pouwelse].  Securing pure P2P
   networks is therefore still a field of very active research
   [Wallach].

   P2P overlays can be broadly classified as structured and unstructured
   [RFC4981], depending on their routing model.  Unstructured overlays
   are often relatively simple, but search operations in them, usually
   based on flooding, tend to be inefficient.  Structured P2P overlays
   use distributed hash tables (DHTs) [Stoica] [Maymounkov] [Rowstron]
   to perform directed searches, which make lookups more efficient in
   locating data.  This document will mostly focus on DHT-based P2P
   overlays.

   When analyzing the various attacks that are possible on P2P systems,
   it is important to first understand the motivation of the attackers
   as well as the resources (e.g., computation power, access to
   different IP subnets) that they would have at their disposal.

   Once the threat has been identified, admission control is a first
   step towards security that can help avoid a substantial number of
   attacks [Kim].  Most solutions rely on the assumption that malicious
   nodes represent a small fraction of all peers.  It is therefore
   important to restrict their number in the overlay.

   Other P2P-specific security problems discussed here include attacks
   on the routing of queries, targeted denial-of-service attacks, and
   attacks on data integrity.

   In the remainder of this document, we outline the main security
   issues and proposed solutions for P2P systems.  Following this, we
   focus on a particular class of P2P applications that provide realtime
   communications.  Realtime communications use the same DHTs used by
   file-sharing applications; however, the data that is saved in these
   DHTs is different.  In realtime communications, the contents stored
   in the DHTs comprises user location, the DHT being the substitute for
   a centralized registration server.





Schulzrinne, et al.           Informational                     [Page 4]

RFC 5765         Security in P2P Realtime Communications   February 2010


   At first glance, it may appear that requirements on peer-to-peer
   systems for realtime communication services are no different than
   those for file-sharing services.  Table 1 demonstrates that there are
   sizeable differences related to privacy, availability, and a marked
   increase in the general security requirements.

   +-----------------+-----------------------+-------------------------+
   |                 | File-sharing          | Realtime communication  |
   +-----------------+-----------------------+-------------------------+
   | Distributed     | Shared file locations | User locations are      |
   | database        | are indexed in a      | indexed in a table      |
   |                 | table distributed     | distributed among       |
   |                 | among peers; often    | peers; rarely more than |
   |                 | hundreds or thousands | one per peer.           |
   |                 | per peer.             |                         |
   | Availability    | Same files are        | Users are unique;       |
   |                 | usually available at  | attacks targeting       |
   |                 | multiple locations    | single users may be     |
   |                 | and failures          | addressed both to the   |
   |                 | involving single      | distributed index and   |
   |                 | instances are         | to the user's device    |
   |                 | overcome by abundancy | directly.               |
   |                 | of resources; attacks |                         |
   |                 | targeting single      |                         |
   |                 | files need to be      |                         |
   |                 | addressed to the      |                         |
   |                 | distributed index.    |                         |
   | Integrity       | Attackers may want to | Attackers may want to   |
   |                 | share corrupted files | impersonate different   |
   |                 | in place of popular   | users in order to       |
   |                 | content, e.g., to     | handle calls directed   |
   |                 | discourage users from | to them; constitute a   |
   |                 | acquiring copyrighted | particular threat for   |
   |                 | material; constitute  | the user as, in case of |
   |                 | a threat for the      | success, the attacker   |
   |                 | service, but not for  | acquires full control   |
   |                 | the users.            | on the victim's         |
   |                 |                       | personal                |
   |                 |                       | communications.         |
   | Confidentiality | Shared files are, by  | Communications are      |
   |                 | definition, readable  | usually meant to be     |
   |                 | by all users; in some | private and need to be  |
   |                 | cases, encryption is  | encrypted;              |
   |                 | used to avoid         | eavesdropping may       |
   |                 | elements not involved | reveal sensitive data   |
   |                 | in the service to     | and is a serious threat |
   |                 | detect traffic.       | for users.              |




Schulzrinne, et al.           Informational                     [Page 5]

RFC 5765         Security in P2P Realtime Communications   February 2010


   | Bitrate and     | The file-transfer use | Realtime traffic almost |
   | latency         | case is particularly  | always requires a       |
   |                 | tolerant to unstable  | constant minimum        |
   |                 | bitrates and ability  | bitrate and low latency |
   |                 | to burst on and off   | in order to avoid       |
   |                 | as peers disappear or | problems like jitter.   |
   |                 | new ones become       | While this is not       |
   |                 | available.            | directly related to a   |
   |                 |                       | specific sort of        |
   |                 |                       | attacks, it is a        |
   |                 |                       | significant constraint  |
   |                 |                       | to the design of        |
   |                 |                       | certain design          |
   |                 |                       | solutions, and in       |
   |                 |                       | particular those that   |
   |                 |                       | somehow affect routing. |
   | Peer lifetime   | File-sharing users do | Realtime communication  |
   |                 | not need to stay in   | applications need not   |
   |                 | the overlay more than | leave the overlay for   |
   |                 | the time required for | as long as the user     |
   |                 | downloading the       | wants to stay connected |
   |                 | content they are      | and be reachable.  This |
   |                 | looking for.          | gives the attackers     |
   |                 |                       | longer time for         |
   |                 |                       | conducting successful   |
   |                 |                       | targeted attacks.       |
   +-----------------+-----------------------+-------------------------+

   Table 1: Main differences between P2P applications used for
               file-sharing and for realtime communication.

1.1.  Purpose of This Document

   The goal of this document is to provide authors of P2P protocols for
   realtime communications with background that they may find useful
   while designing security mechanisms for specific cases.  The document
   has been extensively discussed during face-to-face meetings and on
   the P2PRG mailing list; it has been reviewed both substantially and
   editorially by two members of the research group and reflects the
   consensus of the group.

   The content of this document was partially derived from the article
   "Peer-to-peer Overlays for Real-Time Communication: Security Issues
   and Solutions," published in IEEE Surveys & Tutorials, Vol. 11, No.
   1, and originally authored by Dhruv Chopra, Henning Schulzrinne,
   Enrico Marocco, and Emil Ivov.





Schulzrinne, et al.           Informational                     [Page 6]

RFC 5765         Security in P2P Realtime Communications   February 2010


   It is important to note that this document considers "security" from
   the perspective of application developers and protocol architects.
   It is hence entirely agnostic to potential legislation issues that
   may apply when protecting applications against a specific attack, as,
   for example, in the case of lawful interception.

1.2.  Structure of This Document

   The document is organized as follows.  In Section 2, we discuss P2P
   security attackers.  We try to elaborate on their motivation, the
   resources that would generally be available to them, their victims,
   and the timing of their attacks.  In Section 3, we discuss admission
   control problems.  In Section 4, we identify the problem of where a
   node joins in the overlay.  In Section 5, we describe problems
   related to identification of malicious nodes and the dissemination of
   this information.  In Section 6, we describe the issues of routing
   and data integrity in P2P networks.  Finally, in Section 7 we discuss
   how issues and solutions previously presented apply in P2P overlays
   for realtime communication.

   Table 2 and Table 3 provide an index of the attacks and the solutions
   discussed in the rest of this document.

   +---------------------------------------+---------------------------+
   | Attack name                           | Referring sections        |
   +---------------------------------------+---------------------------+
   | botnets (use of)                      | Section 2.1, Section 2.2  |
   | denial of service (DoS)               | Section 2.1,              |
   |                                       | Section 7.2.1             |
   | man in the middle (MITM)              | Section 7.2.2             |
   | poisoning                             | Section 6.1,              |
   |                                       | Section 7.2.2             |
   | pollution                             | Section 2.1, Section 6.1  |
   | sybil                                 | Section 2.2, Section 4    |
   | targeted denial of service            | Section 7.2.1             |
   +---------------------------------------+---------------------------+

   Table 2: Index of some of the more popular attacks and problems
                        discussed in this document.












Schulzrinne, et al.           Informational                     [Page 7]

RFC 5765         Security in P2P Realtime Communications   February 2010


   +---------------------------------------+---------------------------+
   | Solution name                         | Referring sections        |
   +---------------------------------------+---------------------------+
   | admission control                     | Section 3                 |
   | anonymity                             | Section 5.2               |
   | asymmetric key pair                   | Section 7.2.5             |
   | CAPTCHA                               | Section 3                 |
   | certificates                          | Section 7.2.3             |
   | CONNECT (SIP method)                  | Section 7.2.4             |
   | cryptographic puzzles                 | Section 4                 |
   | diametrically opposite IDs            | Section 4                 |
   | end-to-end encryption                 | Section 7.2.4             |
   | group authority                       | Section 3                 |
   | group charter                         | Section 3                 |
   | iterative routing                     | Section 7.2.2             |
   | no profit for newcomers               | Section 5.2               |
   | online phone book                     | Section 7.2.5             |
   | passive upgrades                      | Section 7.1.1             |
   | peer promotion                        | Section 7.1               |
   | proactive identification              | Section 5.1.1             |
   | reactive identification               | Section 5.1.2             |
   | recommendation                        | Section 3                 |
   | reputation management systems         | Section 5.2               |
   | self-policing                         | Section 5.2               |
   | signatures                            | Section 3                 |
   | social networks (using)               | Section 4, Section 6.2,   |
   | SRTP                                  | Section 7.2.6             |
   | structured reputation management      | Section 5.2.2             |
   | SybilGuard (protocol)                 | Section 4                 |
   | transitivity of trust                 | Section 5.2.2             |
   | trust and distrust vectors            | Section 5.2.1             |
   | trust and trusted nodes               | Section 3, Section 6.2,   |
   |                                       | Section 7.2.3             |
   | unstructured reputation management    | Section 5.2.1             |
   | voluntary moderators                  | Section 6.1               |
   +---------------------------------------+---------------------------+

   Table 3: Index of some of the more popular solutions discussed in
                              this document.

2.  The Attackers

2.1.  Incentive of the Attacker

   Attacks on networks happen for a variety of reasons such as monetary
   gain, personal enmity, or even for fame in the hacker community.





Schulzrinne, et al.           Informational                     [Page 8]

RFC 5765         Security in P2P Realtime Communications   February 2010


   There are quite a few well-known cases of denial-of-service attacks
   for extortion in the client-server model [McCue].  One of the salient
   points of the P2P model is that the services it provides have higher
   robustness against failure.  However, denial-of-service attacks are
   still possible against individuals within the overlay if the
   attackers possess sufficient resources.  For instance, a network of
   worm-infected malicious nodes spread across the Internet and
   controlled by an attacker (often referred to as botnet) could
   simultaneously bombard lookup queries for a particular key in the
   DHT.  The peer responsible for this key would then come under a lot
   of load and could crash [Sit].  However, with replication of key-
   value pairs at multiple locations, such threats can be mitigated.

   Attackers may also have other incentives indirectly related to money.
   With the growth of illegal usage of sharing files with copyrights,
   record companies have been known to pollute content in the overlays
   by putting up nodes with corrupt chunks of data but with correct file
   names to degrade the service [Liang] and in hope that users would get
   frustrated and stop using it.  Similarly, competition between
   different communication service providers, either or both based on
   P2P technologies, and the low level of traceability of attacks
   targeted to single users could be considered as motivation for
   attempting service disruption.

   Attacks can also be launched by novice attackers who are attacking
   the overlay for fun or fame in a community.  These are perhaps less
   likely to be successful or cause damage, since their resources tend
   to be relatively limited.

2.2.  Resources Available to the Attacker

   Resource constraints play an important role in determining the nature
   of the attack.  An attacker who controls a botnet can use an Internet
   relay channel and launch distributed denial-of-service attacks
   against another node.  With respect to attacks where a single node
   impersonates multiple identities, as in the case of the Sybil attack
   [Douceur] described in Section 4, IP addresses are also an important
   resource for the attacker since in DHTs such as Chord [Stoica], the
   position in the overlay is determined by using a base hash function
   such as SHA-1 [SHA1] on the node's IP address.  The cryptographic
   puzzles [Rowaihy] that are sometimes suggested as a way to deter
   Sybil attacks by making the join process harder are futile against an
   attacker with a botnet and virtually unlimited computation power.
   Douceur [Douceur] proves that even with the assumption that attackers
   only have minimum resources at their disposal, it is not possible to
   defend against them in a pure P2P system.





Schulzrinne, et al.           Informational                     [Page 9]

RFC 5765         Security in P2P Realtime Communications   February 2010


2.3.  Victim of the Attack

   The victim of an attack could be an individual node, a particular
   content entry, or the entire overlay service.  If malicious nodes are
   strategically placed in the overlay, they can block a node from using
   its services.  Attacks could also be launched against specific
   content [Sit] or even the entire overlay service.  For example, if
   the malicious nodes are randomly placed in the overlay and drop
   packets or upload malicious content, then the quality of the overlay
   would deteriorate.

2.4.  Time of Attack

   A malicious node could start misbehaving as soon as it enters the
   overlay or it could follow the rules of the overlay for a finite
   amount of time and then attack.  The latter could prove to be more
   harmful if the overlay design suggests accumulating trust in peers
   based on the amount of time they have been present and/or not
   misbehaving.  In Kademlia [Maymounkov], for instance, the routing
   tables are populated with nodes that have been up for a certain
   amount of time.  While this provides some robustness from attacks in
   which the malicious nodes start dropping routing requests from the
   moment they enter, it would take time for the algorithm to adapt to
   nodes that start misbehaving in a later stage (i.e., after they have
   been recorded in routing tables).  Similarly for reputation
   management systems, it is important that they adapt to the current
   behavior of a peer.

3.  Admission Control

   Admission control depends on who decides whether or not to admit a
   node and how this permission is granted.  Kim et al.  [Kim] answer
   these questions independently of any particular environment or
   application.  They define two basic elements for admission in a peer
   group, a group charter, which is an electronic document that
   specifies the procedure of admission into the overlay, and a group
   authority, which is an entity that can certify group admission.  A
   prospective member first gets a copy of the group charter, satisfies
   the requirements, and approaches the group authority.  The group
   authority then verifies the admission request and grants a group
   membership certificate.

   The group charter and authority verification can be provided by a
   centralized certificate authority or a trusted third party, or it
   could be provided by the peers themselves (by voting).  The former is
   more practical and tends to make the certification process simpler
   although it is in violation of the pure P2P model and exposes the
   system to attacks typical for server-based solutions (e.g., denial-



Schulzrinne, et al.           Informational                    [Page 10]

RFC 5765         Security in P2P Realtime Communications   February 2010


   of-service attacks targeted to the central authority).  In the latter
   case, the group authority could either be a fixed number of peers or
   it could be a dynamic number based on the total membership of the
   group.  The authors argue that even if the group charter requires a
   prospective member to get votes from peers, the group membership
   certificate must be issued by a distinct entity.  The reason for this
   is that voters need to accompany their votes with a certificate that
   proves their own membership.  Possible signature schemes that could
   be used in voting such as plain digital signature, threshold
   signature, and accountable subgroup multisignature are also
   described.  Saxena et al.  [Saxena] performed experiments with the
   different signature schemes and suggest the use of plain signatures
   for groups of moderate size and where bandwidth is not a concern.
   For larger groups and where bandwidth is a concern, they suggest
   threshold signature [Kong] and multisignature schemes [Ohta].

   Another way of handling admission would be to use mechanisms based on
   trust and recommendation where each new applicant has to be known and
   vouched for by at least N existing members.  The difficulties that
   such models represent include identity assertion and preventing bot/
   worm attacks.  A compromised node could have a valid certificate
   identifying a trustworthy peer, and it would be difficult to detect
   this.  Possible solutions include sending graphic or logic puzzles
   easily addressed by humans but hard to solve by computers, also known
   as CAPTCHA [Ahn]; however, reliability of such mechanisms is at the
   time of writing a topic of lively debate [Tam] [Chellapilla].

4.  Determining the Position in the Overlay

   For ring-based DHT overlays such as Chord [Stoica], Kademlia
   [Maymounkov], and Pastry [Rowstron], when a node joins the overlay,
   it uses a numeric identifier (ID) to determine its position in the
   ring.  The positioning of a node determines what information it
   stores and which nodes it serves.  To provide a degree of robustness,
   content and services are often replicated across multiple nodes.
   However, it is possible for an adversary with sufficient resources to
   undermine the redundancy deployed in the overlay by representing
   multiple identities.  Such an attack is called a Sybil attack
   [Douceur].  This makes the assignment of IDs very important.  One
   possible scheme to tackle such attacks on the ID mapping is to have a
   temporal mechanism in which nodes need to re-join the network after
   some time [Condie] [Scheideler].  Such temporal solutions, however,
   have the drawback that they increase the maintenance traffic and
   possibly deteriorate the efficiency of caching.  Danezis et al.
   [Danezis] suggest mechanisms to mitigate the effect of Sybil attacks
   by reducing the amount of information received from malicious nodes.
   Their idea is to vary the nodes used for routing with time.  This
   helps avoiding trust bottlenecks that may occur when applications



Schulzrinne, et al.           Informational                    [Page 11]

RFC 5765         Security in P2P Realtime Communications   February 2010


   only route traffic through a limited set of highly trusted nodes.
   Other solutions suggest making the joining process harder by
   introducing cryptographic puzzles as suggested by Rowaihy et al.
   [Rowaihy].  The assumption is that the adversary has limited
   computational resources, which may not be true if the adversary has
   control over a botnet.  Another drawback of such methods is that non-
   malicious nodes would also have to perform the extra computations
   before they can join the overlay.

   A possible heuristic to hamper Sybil attacks is to employ redundancy
   at nodes with diametrically opposite IDs (in the DHT ID space)
   instead of successive IDs as in Chord.  The idea behind choosing
   diametrically opposite nodes is based on the fact that a malicious
   peer can grant admission to others as its successor without them
   actually possessing the required IP address (whose hash is adjacent
   to the former's), and then they can cooperate to control access to
   that part of the ring.  If, however, admission decisions and
   redundant content (for robustness) also involve nodes that are the
   farthest away (diametrically opposite) from a given position, then
   the adversary would require double resources (IP addresses) to
   attack.  This happens because the adversary would need presence in
   the overlay at two independent positions in the ring.

   Another approach proposed by Yu et al.  [Yu] to limit Sybil attacks
   is based on the usage of the social relations between users.  The
   solution exploits the fact that as a result of Sybil attacks,
   affected P2P overlays end up containing a large set of Sybil nodes
   connected to the rest of the peers through an irregularly small
   number of edges.  The SybilGuard protocol [Yu] defines a method that
   allows to discover such kinds of discontinuities in the topology by
   using a special kind of a verifiable random walk and hence without
   the need of one node having a global vision of the graph.

   It is also worth mentioning that in DHT overlays using different
   geometric concepts (e.g., hypercubes instead of rings), peer
   positions are usually not related to identifiers.  In the content
   addressable network (CAN) [Ratnasamy], for example, the position of
   an entering node may be either selected by the node itself or, with
   little modification to the original algorithm, assigned by peers
   already in the overlay.  However, even when malicious nodes do not
   know their position before joining, the overlay is still vulnerable
   to Sybil attacks.

5.  Resilience against Malicious Peers

   Making overlays robust against even a small percentage of malicious
   nodes is difficult [Castro].  It is therefore important for other
   peers to identify such nodes and keep track of their number.  There



Schulzrinne, et al.           Informational                    [Page 12]

RFC 5765         Security in P2P Realtime Communications   February 2010


   are two aspects to this problem.  One is the identification itself,
   and the second is the dissemination of this information amongst the
   peers.  Different metrics need to be defined depending on the peer
   group for the former, and reputation management systems are needed
   for the latter.

5.1.  Identification of Malicious Peers

   For identifying a node as malicious, malicious activity has to be
   observed first.  This could be done in either a proactive way or a
   reactive way.

5.1.1.  Proactive Identification

   When acting proactively, peers perform periodic operations with the
   purpose of detecting malicious activity.  A malicious node could
   prevent access to content for which it is responsible (e.g., by
   claiming the object doesn't exist), or return references to content
   that does not match the original queries [Sit].  With this approach,
   publishers of content can later perform lookups for it at periodic
   intervals and verify the integrity of whatever is returned.  Any
   inconsistencies could then be interpreted as malicious activity.  The
   problem with proactive identification is the management of the
   overhead it implies: if checks are performed too often, they may
   actually hinder scalability, while, if they are performed too rarely,
   they would probably be useless.

   An additional approach for mitigating routing attacks and identifying
   malicious peers consists in sending multiple copies of the same
   message on different paths.  With such an approach, implemented, for
   example, in Kademlia [Maymounkov], the sending peer can identify
   anomalies comparing responses coming in from different paths.

5.1.2.  Reactive Identification

   In a reactive strategy, the peers perform normal operations and if
   they happen to detect some malicious activity, then they can label
   the responsible node as malicious and avoid sending any further
   message to it.  In a file-sharing application, for example, after
   downloading content from a node, if the peer observes that data does
   not match its original query it can identify the corresponding node
   as malicious.  Poon et al.  [Poon] suggest a strategy based on the
   forwarding of queries.  If routing is done in an iterative way, then
   dropping of packets, forwarding to an incorrect node, and delay in
   forwarding arouse suspicion and the corresponding peer is identified
   as malicious.





Schulzrinne, et al.           Informational                    [Page 13]

RFC 5765         Security in P2P Realtime Communications   February 2010


5.2.  Reputation Management Systems

   Reputation management systems are used to allow peers to share
   information about other peers based on their own experience and thus
   help in making better judgments.  Most reputation management systems
   proposed in the literature for file-sharing applications [Uzun]
   [Damiani] [Lee] [Kamvar] aim at preventing misbehaving peers with low
   reputation to rejoin the network with a different ID and therefore
   start from a clean slate.  To achieve this, Lee et al.  [Lee] store
   not only the reputation of a peer but also the reputation of files
   based on file name and content to avoid spreading of a bad file.
   Another method is to make the reputation of a new peer the minimum
   possible.  Kamvar et al.  [Kamvar] define five design considerations
   for reputation management systems:

   o  The system should be self-policing.

   o  The system should maintain anonymity.

   o  The system should not assign any profit to newcomers.

   o  The system should have minimal overhead in terms of computation,
      infrastructure, storage, and message complexity.

   o  The system should be robust to malicious collectives of peers who
      know one another and attempt to collectively subvert the system.

5.2.1.  Unstructured Reputation Management

   Unstructured reputation management systems have been proposed by Uzun
   et al.  [Uzun] and Damiani et al.  [Damiani].  The basic idea of
   these is that each peer maintains information about its own
   experience with other peers and resources, and shares it with others
   on demand.  In the system proposed by Uzun et al.  [Uzun], each node
   maintains trust and distrust vectors for every other node with which
   it has interacted.  When reputation information about a peer is
   required, a node first checks its local database, and if insufficient
   information is present, it sends a query to its neighbors just as it
   would when looking up content.  However, such an approach requires
   peers to get reputation information from as many sources as possible;
   otherwise, malicious nodes may successfully place targeted attacks
   returning false values for their victims.

5.2.2.  Structured Reputation Management

   One of the problems with unstructured reputation management systems
   is that they either take the feedback from few peers or, if they do
   so from all, then they incur large traffic overhead.  Systems such as



Schulzrinne, et al.           Informational                    [Page 14]

RFC 5765         Security in P2P Realtime Communications   February 2010


   those proposed by [Lee] [Kamvar] try to resolve it in a structured
   manner.  The idea of the eigen trust algorithm [Kamvar], for example,
   is transitivity of trust.  If a node trusts peer X, then it would
   also trust the feedback it gives about other peers.  A node builds
   such information in an iterative way; for maintaining it in a
   structured way, the authors propose to use a content addressable
   network (CAN) DHT [Ratnasamy].  The information about each peer is
   stored and replicated on different peers to provide robustness
   against malicious nodes.  They also suggest favoring peers
   probabilistically with high trust values instead of doing it
   deterministically, to allow new peers to slowly develop a reputation.
   Eventually, they suggest the use of incentives for peers with high
   reputation values.

6.  Routing and Data Integrity

   Preserving integrity of routing and data, or, in other words,
   preventing peers from returning corrupt responses to queries and
   routing through malicious peers, is an important security issue in
   P2P networks.  The data stored on a P2P overlay depends on the
   applications that are using it.  For file-sharing, this data would be
   the files themselves, their location, and owner information.  For
   realtime communication, this would include user location bindings and
   other routing information.  We describe such data integrity issues in
   Section 7.

6.1.  Data Integrity

   For file-sharing applications, insertion of wrong content (e.g.,
   files not matching their names or descriptions) and introduction of
   corrupt data chunks (often referred to as poisoning and pollution)
   are a significant problem.  BitTorrent uses voluntary moderators to
   weed out bogus files and the SHA-1 algorithm to determine the hash of
   each piece of a file to allow verification of integrity.  If a peer
   detects a bad chunk, it can download that chunk from another peer.
   With this strategy, different peers download different pieces of a
   file before the original peer disappears from the network.  However,
   if a malicious peer modifies the pieces that are only available on it
   and the original peer disappears, then the object distribution will
   fail [Zhang].  An analysis of BitTorrent in terms of integrity and
   performance can be found in the work of Pouwelse et al.  [Pouwelse].

6.2.  Routing Integrity

   To enhance the integrity of routing, it is important to reduce the
   number of queries forwarded to malicious nodes.  Marti et al.
   [Marti] developed a system that uses social network information to
   route queries over trusted nodes.  Their algorithm uses trusted nodes



Schulzrinne, et al.           Informational                    [Page 15]

RFC 5765         Security in P2P Realtime Communications   February 2010


   to forward queries (if one exists and is closer to the required ID in
   the ID space).  Otherwise, they use the regular Chord [Stoica]
   routing table to forward queries.  While their results indicate good
   average performance, it cannot guarantee log(N) hops for all cases.
   Danezis et al.  [Danezis] suggest a method for routing in the
   presence of a large number of Sybil nodes.  Their method is to ensure
   that a peer queries a diverse set of nodes and does not place too
   much trust in a node.  Both the above works have been described based
   on Chord.  However, unlike Chord, in DHTs like Pastry [Rowstron] and
   Kademlia [Maymounkov] there is flexibility in selecting nodes for any
   row in a peer's routing table.  Potentially many nodes have a common
   ID prefix of a given length and are candidates for routing a given
   query.  To exploit the social network information and still guarantee
   log(N) hops, a peer should select its friends to route a query, but
   only when they are present in the appropriate row selected by the DHT
   algorithm.

7.  Peer-to-Peer in Realtime Communication

   The idea of using P2P in realtime communication essentially implies
   distributing centralized entities from conventional architectures
   over P2P overlays and thus reducing the costs of deployment and
   increasing reliability of the different services.  Initiatives such
   as the P2PSIP working group in IETF [P2PSIP] are currently
   concentrating on achieving this by using a DHT for services such as
   registration, location lookup, and support for NAT traversal, which
   are normally handled by dedicated servers.

   Even if based on the same technology, overlays used for realtime
   communication differ from those used for file-sharing in at least two
   aspects:

   o  Resource consumption.  Contrary to file-sharing systems where the
      DHT is used to store huge amounts of data (even if the distributed
      database is used only for storing file locations, each user
      usually indexes hundreds or thousands of files), realtime
      communication overlays only require a subset of the resources
      available at any given time as users only register a limited
      number of locations (rarely more than one).

   o  Confidentiality.  In file-sharing applications, eavesdropping and
      identity theft do not constitute real threats; after all, files
      are supposed to be made publicly available.  This is not true in
      realtime communications, where the privacy and confidentiality of
      the participants are of paramount importance.  Furthermore, the
      notion of identity plays an important role in realtime





Schulzrinne, et al.           Informational                    [Page 16]

RFC 5765         Security in P2P Realtime Communications   February 2010


      communications since it is the basis for starting a communication
      session.  As such, it is essential to have mechanisms to
      unequivocally assert identities in realtime communication systems.

   In this section we go over the admission issues and security problems
   discussed in previous sections, and discuss solutions that would be
   applicable to realtime communication in P2P.

7.1.  Peer Promotion

   In order to remain compatible with existing user agents, P2P
   communication architectures would have to allow certain nodes to use
   their services without actually using overlay-specific semantics.
   One way to achieve this would be for overlay-agnostic nodes to
   register with an existing peer or a dedicated proxy via a standard
   protocol like SIP [RFC3261].  Through the rest of this document, we
   will refer to nodes that access the service without actually joining
   the overlay as "clients".

   In most cases, users would be able to benefit from the overlay by
   only acting as clients.  However, in order to keep the solution
   scalable, at some point clients would have to be promoted to peers
   (admission to the DHT).  This requires addressing the following
   issues.

7.1.1.  Active vs. Passive Upgrades

   Most existing P2P networks [KAZAA] [BITTORRENT] [PPLIVE] would
   generally leave it to the clients to determine if and when they would
   apply for becoming peers.  A well-known exception to this trend is
   the Skype network [SKYPE], arguably one of the most popular overlay
   networks used for realtime communications today.  Instances of the
   Skype application are supposed to operate as either super-nodes,
   directly contributing to the distributed provision of the service, or
   ordinary-nodes, simply using the service, and the "promotions" are
   decided by the higher levels of the hierarchy [Baset].  Even if there
   is not much difference for a client whether it has to actively ask
   for authorization to join an overlay or passively wait for an
   invitation, the latter approach has some advantages that fit well in
   overlays where only a subset of the peers is required to provide the
   service (as in realtime communication):

   o  An attacker cannot estimate in advance when and if it would be
      invited to join the overlay as a peer.

   o  It allows peers to perform long-lasting measurements on sets of
      candidates, in order to accurately select the most appropriate for
      upgrading and only invite it when they are "ready" to do so.  The



Schulzrinne, et al.           Informational                    [Page 17]

RFC 5765         Security in P2P Realtime Communications   February 2010


      opposite approach, that is, when clients initiate the join
      themselves, adds an extra constraint for the peer that has to act
      upon the request since it doesn't know if and when the peer would
      attempt to join again.

   o  It discourages malicious peers from attempting Sybil and, more
      generally, brute force attacks, as only a small ratio of clients
      has chances to join the overlay (possibly after an accurate
      examination).

7.1.2.  When to Upgrade

   In order to answer this question, one would have to define some
   criteria that would allow determination of the load on a peer and a
   reasonable threshold.  When the load exceeds this threshold, a client
   is invited to become a peer and share the load.  Several mechanisms
   to diagnose the status of P2P systems have recently been proposed
   [P2PSIP-DIAG]; in general, reasonable criteria for determining load
   can be:

   o  Number of clients attached.

   o  Bandwidth usage for DHT maintenance, forwarding requests, and
      responses to and from peers and from the attached clients.

   o  Memory usage for DHT routing table, DHT neighborhood table,
      application-specific data, and information about the attached
      clients.

7.1.3.  Which Clients to Upgrade

   Selecting which clients to upgrade would require defining and keeping
   track of new metrics.  The exact set of metrics and how they
   influence decisions should be the subject of serious analysis and
   experimentation.  These could be based on the following observations:

   o  Uptime.  A peer could easily record the amount of time that it has
      been maintaining a connection with a client and take it into
      account when trying to determine whether or not to upgrade it.

   o  Level of activity.  It is reasonable to assume that the more a
      client uses the service (e.g., making phone calls), the less they
      would be willing to degrade it.

   o  Keeping track of history.  Peers could record history of the
      clients they invite and the way they contribute to the overlay.





Schulzrinne, et al.           Informational                    [Page 18]

RFC 5765         Security in P2P Realtime Communications   February 2010


   Other metrics such as public vs. private IP addresses, computation
   power, and bandwidth should also be taken into account even though
   they do not necessarily have a direct impact on security.

   Note however that a set of colluded malicious peers can manufacture
   basically any criteria considered for the upgrade.  Furthermore,
   sophisticated peers can overload the system or run denial-of-service
   attacks against existing super-nodes in order to improve their
   chances of being upgraded.

7.1.4.  Incentives for Clients

   Clients need to have incentives for accepting upgrades in order to
   prevent excessive burden on existing peers.  One way to handle this
   would be to maintain separate incentive management through the use of
   currency or credits.  Another option would involve embedding these
   incentives inside the protocol itself:

   o  Peers share with clients only a fraction of their bandwidth
      (uplink and downlink).  This would result in higher latency when
      using the services of the overlay as a client and better service
      quality for peers.

   o  Peers could restrict the number or types of calls that they allow
      clients to make.

   Introducing such incentives, however, may turn out to be somewhat
   risky.  Differences in quality would probably be perceptible for end
   users who would not always be able to understand the difference
   between the roles that their user agent is playing in the overlay.
   Such behavior may therefore be interpreted as arbitrary and make the
   service look unreliable.

7.2.  Security

7.2.1.  Targeted Denial of Service

   In addition to bombardment with queries as described in Section 2,
   the denial-of-service attack against an individual node can be
   conducted in DHTs if the peers that surround a particular ID are
   compromised.  These peers that act as proxy servers for the victim
   can fake the responses from the victim by sending fictitious error
   messages back to peers trying to establish a session.  Danezis et
   al.'s solution [Danezis] can also provide protection against such
   attacks, as in their solution peers vary the nodes used in queries.






Schulzrinne, et al.           Informational                    [Page 19]

RFC 5765         Security in P2P Realtime Communications   February 2010


7.2.2.  Man-in-the-Middle Attack

   The man-in-the-middle attack is well described by Seedorf [Seedorf1]
   in the particular case of P2PSIP [P2PSIP] and consists of an attack
   that exploits the lack of integrity when routing information.  A
   malicious node could return IP addresses of other malicious nodes
   when queried for a particular ID.  The requesting peer would then
   establish a session with a second malicious node, which would again
   return a "poisoned" reply.  This could go on until the Time to Live
   (TTL) expires and the requester gives up the "wild goose chase"
   [Danezis].  A simple way for entities to verify the correctness of
   the routing lookup is to employ iterative routing and to check the
   node-ID of every routing hop that is returned, and it should get
   closer to the desired ID with every hop.  However, this is not a
   strong check and can be defeated [Seedorf1].

7.2.3.  Trust between Peers

   The effect of malicious peers could be mitigated by introducing the
   concept of trust within an overlay.  This can be done in different
   ways:

   o  Using certificates assigned by an external authority.  The
      drawback with this approach is that it requires a centralized
      element.

   o  Using certificates reciprocally signed by peers.  This mechanism
      is quite similar to PGP [Zimmermann]; every peer signs
      certificates of "friend" peers and trusts any other peer with a
      certificate signed by one of its friends.  However, even though it
      might be theoretically possible, in reality it is extremely
      difficult to obtain long enough trust chains.

7.2.4.  Routing Call Signaling

   One way for implementing realtime communication overlays (as we have
   mentioned in earlier sections) would be to simply replace centralized
   entities in signaling protocols like SIP [RFC3261] with distributed
   services.  In some cases, this might imply reusing existing protocol
   mechanisms for routing signaling messages.  In the case of SIP, this
   would imply regarding peers as SIP proxies.  However, the design of
   SIP supposes that such proxies are trusted, and makes it possible for
   them to fork requests or change their destination, add or remove
   header fields, act as the remote party, and generally manipulate
   message content and semantics.






Schulzrinne, et al.           Informational                    [Page 20]

RFC 5765         Security in P2P Realtime Communications   February 2010


   However, in a P2P environment where messages may be routed through
   numerous successive peers, some of which might be compromised, it is
   important not to treat them as trusted proxies.  One way to limit
   what peers can do is by protecting signaling with some kind of end-
   to-end encryption.

   Another option would be to extend existing signaling protocols and
   modify the way they route messages in order to guarantee secure end-
   to-end transmission.  Gurbani et al.  [Gurbani] define a similar
   mechanism for SIP that allows nodes to establish a secure channel by
   sending a CONNECT SIP request, and then tunnel all SIP messages
   through it, adopting a similar mechanism to the one used for
   upgrading from HTTP to HTTPS [RFC2818].

7.2.5.  Integrity of Location Bindings

   It is important to ensure that the location that a user registers,
   usually a (URI, IP) pair, is what is returned to the requesting
   party.  Or the entities that issue the lookup request must be able to
   verify the integrity of this pair.  A pure P2P approach to allow
   verification of the integrity of location binding information is
   presented in [Seedorf2].  The idea is for an entity to choose an
   asymmetric key pair and hash its public key to generate its URI.  The
   entity then signs its present location with its private key and
   registers with the quadruple (URI, IP, signature, public key).  Any
   entity that looks up the URI and receives such a quadruple can then
   verify its integrity by using the public key and the certificate.
   Another possible merit of such an approach could be that it is
   possible to identify the malicious nodes and maintain a black list.
   However, the resulting URIs are not easy to remember and associate
   with entities.  Discovering these URIs and associating them with
   entities would therefore require some sort of a directory service.
   The authors suggest using existing authentication infrastructure for
   this such as a certified web service using SSL that can publish an
   "online phone book" mapping users to URIs.

7.2.6.  Encrypting Content

   Using P2P overlays for realtime communication implies that content is
   likely to traverse numerous intermediate peers before reaching its
   destination.  A typical example could be the use of peers as media
   relays as a way of traversing NATs in VoIP calls.

   Contrary to publicly shared files, communication sessions are in most
   cases expected to be private.  It is therefore very important to make
   sure that no media leaves the client application without being
   encrypted and securely transported through a protocol like SRTP
   [RFC3711].  However, the processing required by the encryption



Schulzrinne, et al.           Informational                    [Page 21]

RFC 5765         Security in P2P Realtime Communications   February 2010


   algorithms and the extra resources necessary for managing the keying
   material (e.g., for retrieving public keys when interacting with
   unknown peers) may be expensive, especially for mobile devices.

7.2.7.  Other Issues

   Details on cost and payment regimes could help identify further
   threats.  Such details could also be important when determining the
   impact of a potential attack in the context of the specific business
   models associated with particular overlays.  In many cases, answers
   to the following simple questions significantly aid the design of
   protection mechanisms:

   o  Whom do the users pay?

   o  Do the users only pay when accessing the public telephone network?

   o  Is the billing done per call or is it fixed?

   For instance, the implications of an attack such as taking control
   over another's user agent or its identity and using it for outbound
   calls would depend on whether or not this would be economically
   advantageous for the attacker.  Baumann et al.  [Baumann] suggest
   that to prevent unwanted communication costs, gateways for the public
   telephone network should only be accessible via authenticated servers
   and dialing authorizations should be enforced.  Also, it seems that
   it would be difficult to do billing in a pure P2P manner as it would
   mean keeping the billing details with untrusted peers.

8.  Open Issues

   Existing systems used for file-sharing, media streaming, and realtime
   communications all achieve a reasonable level of security relying on
   centralized components (e.g., login servers in Skype [Baset],
   moderators and trackers in BitTorrent [Pouwelse]).  Securing pure P2P
   networks is therefore still a very active research field; at the time
   of writing the main open issues fall in five areas:

   o  Secure assignment of node IDs.

   o  Entity-identity association.

   o  Distributed trust among peers.

   o  Resistance against malicious peer collusion.

   o  Robustness and damage recovery.




Schulzrinne, et al.           Informational                    [Page 22]

RFC 5765         Security in P2P Realtime Communications   February 2010


   In general, P2P overlays are designed to work when the vast majority
   of their peers are interested in the service provided by the system
   and act benevolently.  Understanding how operations in different
   overlays are perturbed as the number of malicious or compromised
   peers grows is another interesting area of research.  Also, a widely
   adopted methodology for the evaluation and classification of security
   solutions would be likely to help research in the field of P2P
   security progress more efficiently.

9.  Security Considerations

   This document, tutorial in nature, discusses some of the security
   issues of P2P systems used for realtime communications.  It does not
   aim at identifying all possible threats and the corresponding
   solutions; instead, starting from an analysis of the attackers, it
   delves into some important aspects of P2P security, referencing the
   most relevant works published at the time of writing and discussing
   how they apply (or could apply) to the case of realtime
   communications.

10.  Acknowledgments

   The authors are particularly grateful to Dhruv Chopra, who
   contributed to the writing of the article "Peer-to-peer Overlays for
   Real-Time Communication: Security Issues and Solutions" (IEEE Surveys
   & Tutorials, Vol. 11, No. 1) from which this work is partially
   derived.

   The authors would also like to thank Vijay Gurbani and Song Haibin
   for reviewing the document and the many others who provided useful
   comments.

11.  Informative References

   [Ahn]          Ahn, L., Blum, M., and J. Langford, "Telling humans
                  and computers apart automatically", Communications of
                  the ACM, vol. 47, no. 2, February 2004.

   [Androutsellis-Theotokis]
                  Androutsellis-Theotokis, S. and D. Spinellis, "A
                  survey of peer-to-peer content distribution
                  technologies", ACM CSUR, vol. 36, no. 4,
                  December 2004.

   [BITTORRENT]   "BitTorrent", <http://www.bittorrent.com/>.






Schulzrinne, et al.           Informational                    [Page 23]

RFC 5765         Security in P2P Realtime Communications   February 2010


   [Baset]        Baset, S. and H. Schulzrinne, "An analysis of the
                  skype peer-to-peer internet telephony protocol",
                  Proceedings of IEEE INFOCOM 2006, April 2006.

   [Baumann]      Baumann, R., Cavin, S., and S. Schmid, "Voice Over IP
                  - Security and SPIT", Technical Report, University of
                  Berne, September 2006.

   [COOLSTREAM]   "COOLSTREAMING", <http://www.coolstreaming.us>.

   [Castro]       Castro, M., Druschel, P., Ganesh, A., Rowstron, A.,
                  and D.  Wallach, "Secure routing for structured
                  peer-to-peer overlay networks", Proceedings of 5th
                  symposium on Operating systems design and
                  implementation, December 2002.

   [Chellapilla]  Chellapilla, K. and P. Simard, "Using Machine Learning
                  to Break Visual Human Interaction Proofs (HIPs)",
                  Proceedings of Advances in Neural Information
                  Processing Systems, December 2004.

   [Condie]       Condie, T., Kacholia, V., Sankararaman, S.,
                  Hellerstein, J., and P. Maniatis, "Maelstorm: Churn as
                  Shelter", Proceedings of 13th Annual Network and
                  Distributed System Security Symposium, November 2005.

   [Damiani]      Damiani, E., Vimercati, D., Paraboschi, S., Samarati,
                  P., and F. Violante, "A Reputation-Based Approach for
                  Choosing Reliable Resources in Peer-to-Peer Networks",
                  Proceedings of Conference on Computer and
                  Communications Security, November 2002.

   [Danezis]      Danezis, G., Lesniewski-Laas, C., Kaashoek, M., and R.
                  Anderson, "Sybil-resistant DHT routing", Proceedings
                  of 10th European Symposium on Research in Computer
                  Security, September 2005.

   [Douceur]      Douceur, J., "The Sybil Attack", Revised Papers
                  from First International Workshop on Peer-to-Peer
                  Systems, March 2002.

   [Gurbani]      Gurbani, V., Willis, D., and F. Audet,
                  "Cryptographically Transparent Session Initiation
                  Protocol (SIP) Proxies", Proceedings of IEEE ICC '07,
                  June 2007.

   [KAZAA]        "KaZaa", <http://www.kazaa.com/>.




Schulzrinne, et al.           Informational                    [Page 24]

RFC 5765         Security in P2P Realtime Communications   February 2010


   [Kamvar]       Kamvar, S., Garcia-Molina, H., and M. Schlosser, "The
                  EigenTrust Algorithm for Reputation Management in P2P
                  Networks", Proceedings of 12th international
                  conference on World Wide Web, May 2003.

   [Kim]          Kim, Y., Mazzocchi, D., and G. Tsudik, "Admission
                  Control in Peer Groups", Proceedings of Second IEEE
                  International Symposium on Network Computing and
                  Applications, April 2003.

   [Kong]         Kong, J., Zerfos, P., Luo, H., Lu, S., and L. Zhang,
                  "Providing robust and ubiquitous security support for
                  MANET", Proceedings of 9th International Conference on
                  Network Protocols, November 2001.

   [Lee]          Lee, S., Kwon, O., Kim, J., and S. Hong, "A Reputation
                  Management System in Structured Peer-to-Peer
                  Networks", Proceedings of 14th IEEE International
                  Workshops on Enabling Technologies: Infrastructure for
                  Collaborative Enterprise, June 2005.

   [Liang]        Liang, J., Kumar, R., Xi, Y., and K. Ross, "Pollution
                  in p2p file sharing systems", Proceedings of IEEE
                  INFOCOM 2005, March 2005.

   [Marti]        Marti, S., Ganesan, P., and H. Garcia-Molina, "SPROUT:
                  P2P Routing with Social Networks", Proceedings
                  of First International Workshop on Peer-to-Peer and
                  Databases, March 2004.

   [Maymounkov]   Maymounkov, P. and D. Mazi, "Kademlia: A Peer-to-peer
                  Information System Based on the XOR Metric",
                  Proceedings of First International Workshop on
                  Peer-to-peer Systems, March 2002.

   [McCue]        McCue, Andy., "Bookie reveals 100,000 cost of
                  denial-of-service extortion attacks", available from
                  http://www.silicon.com, June 2004.

   [NAPSTER]      "Napster", <http://www.napster.com/>.

   [Ohta]         Ohta, K., Micali, S., and L. Reyzin, "Accountable
                  Subgroup Multisignatures", Proceedings of 8th ACM
                  conference on Computer and Communications Security,
                  November 2001.






Schulzrinne, et al.           Informational                    [Page 25]

RFC 5765         Security in P2P Realtime Communications   February 2010


   [P2PSIP]       "Peer-to-Peer Session Initiation Protocol (P2PSIP)
                  IETF Working Group",
                  <http://www.ietf.org/html.charters/
                  p2psip-charter.html>.

   [P2PSIP-DIAG] Yongchao, S., Jiang, X., Even, R., and D. Bryan,
                  "P2PSIP Overlay Diagnostics", Work in Progress,
                  December 2009.

   [PPLIVE]       "PPLive", <http://www.pplive.com>.

   [Poon]         Poon, W. and R. Chang, "Robust Forwarding in
                  Structured Peer-to-Peer Overlay Networks", Proceedings
                  of ACM SIGCOMM 2004, August 2004.

   [Pouwelse]     Pouwelse, J., Garbacki, P., Epema, D., and H. Sips,
                  "The Bittorent P2P File-Sharing System: Measurements
                  and Analysis", Proceedings of 4th International
                  Workshop of Peer-to-peer Systems, February 2005.

   [RFC2818]      Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC3261]      Rosenberg, J., Schulzrinne, H., Camarillo, G.,
                  Johnston, A., Peterson, J., Sparks, R., Handley, M.,
                  and E.  Schooler, "SIP: Session Initiation Protocol",
                  RFC 3261, June 2002.

   [RFC3711]      Baugher, M., McGrew, D., Naslund, M., Carrara, E., and
                  K.  Norrman, "The Secure Real-time Transport Protocol
                  (SRTP)", RFC 3711, March 2004.

   [RFC4981]      Risson, J. and T. Moors, "Survey of Research towards
                  Robust Peer-to-Peer Networks: Search Methods",
                  RFC 4981, September 2007.

   [Ratnasamy]    Ratnasamy, S., Francis, P., Handley, M., Karp, R., and
                  S.  Shenker, "A Scalable Content-Addressable Network",
                  Proceedings of ACM SIGCOMM 2001, January 2001.

   [Rowaihy]      Rowaihy, H., Enck, W., McDaniel, P., and T. Porta,
                  "Limiting Sybil attacks in structured peer-to-peer
                  networks", Proceedings of IEEE INFOCOM 2007, May 2007.

   [Rowstron]     Rowstron, A. and P. Druschel, "Pastry: Scalable,
                  distributed object location and routing for
                  large-scale peer-to-peer systems", Proceedings of 18th
                  IFIP/ACM International Conference on Distributed
                  Systems Platforms (Middleware 2001), November 2001.



Schulzrinne, et al.           Informational                    [Page 26]

RFC 5765         Security in P2P Realtime Communications   February 2010


   [SHA1]         180-1, FIPS., "Secure Hash Standard", April 2005.

   [SKYPE]        "Skype", <http://www.skype.com/>.

   [Saxena]       Saxena, N., Tsudik, G., and J. Yi, "Admission Control
                  in Peer-to-Peer: Design and Performance Evaluation",
                  Proceedings of 1st ACM workshop on Security of ad hoc
                  and sensor networks, October 2003.

   [Scheideler]   Scheideler, C., "How to Spread Adversarial Nodes?:
                  Rotate!", Proceedings of 37th Annual ACM Symposium on
                  Theory of Computing, May 2005.

   [Seedorf1]     Seedorf, J., "Security Challenges for Peer-to-Peer
                  SIP", IEEE Network, vol. 20, no. 5, September 2006.

   [Seedorf2]     Seedorf, J., "Using Cryptographically Generated
                  SIP-URIs to Protect the Integrity of Content in
                  P2P-SIP", Proceedings of 3rd Annual VoIP Security
                  Workshop, June 2006.

   [Singh]        Singh, K. and H. Schulzrinne, "Peer-to-Peer Internet
                  Telephony using SIP", Proceedings of International
                  Workshop on Network and Operating System Support for
                  Digital Audio and Video, June 2005.

   [Sit]          Sit, E. and R. Morris, "Security considerations for
                  peer- to-peer distributed hash tables", Revised Papers
                  from First International Workshop on Peer-to-Peer
                  Systems, March 2002.

   [Stoica]       Stoica, I., Morris, R., Karger, D., Kaashoek, M., and
                  H.  Balakrishnan, "Chord: A Scalable Peer-to-peer
                  Lookup Service for Internet Applications", Proceedings
                  of Applications, Technologies, Architectures, and
                  Protocols for Computer Communication 2001, May 2001.

   [Tam]          Tam, J., Simsa, J., Hyde, S., and L. Ahn, "Breaking
                  Audio CAPTCHAs with Machine Learning Techniques",
                  Proceedings of Advances in Neural Information
                  Processing Systems, December 2009.

   [Uzun]         Uzun, E., Pariente, M., and A. Selpk, "A
                  Reputation-Based Trust Management System for P2P
                  Networks", Proceedings of International Symposium on
                  Cluster Computing and the Grids, April 2004.





Schulzrinne, et al.           Informational                    [Page 27]

RFC 5765         Security in P2P Realtime Communications   February 2010


   [Wallach]      Wallach, D., "A Survey of Peer-to-Peer Security
                  Issues", Proceedings of International Symposium of
                  Software Security 2002, November 2002,
                  <http://www.cs.rice.edu/~dwallach/pub/
                  tokyo-p2p2002.pdf>.

   [Yu]           Yu, H., Kaminsky, M., Gibbons, P., and A. Flaxman,
                  "SybilGuard: Defending Against Sybil Attacks via
                  Social Networks", Proceedings of ACM SIGCOMM 2006,
                  September 2006.

   [Zhang]        Zhang, X., Chen, S., and R. Sandhu, "Enhancing Data
                  Authenticity and Integrity in P2P Systems", IEEE
                  Internet Computing, vol. 9, no. 6, September 2005.

   [Zimmermann]   Zimmermann, Philip., "Pretty good privacy: public key
                  encryption for the masses", Building in big brother:
                  the cryptographic policy debate pag. 103-107, 1995.

Authors' Addresses

   Henning Schulzrinne
   Columbia University
   1214 Amsterdam Avenue
   New York, NY  10027
   USA

   EMail: hgs@cs.columbia.edu


   Enrico Marocco
   Telecom Italia
   Via G. Reiss Romoli, 274
   Turin  10148
   Italy

   EMail: enrico.marocco@telecomitalia.it


   Emil Ivov
   SIP Communicator / University of Strasbourg
   4 rue Blaise Pascal
   Strasbourg Cedex  F-67070
   France

   EMail: emcho@sip-communicator.org





Schulzrinne, et al.           Informational                    [Page 28]



ERRATA