The Peer-to-Peer (P2P) Session Initiation Protocol (SIP) Working Group (P2PSIP WG) of the Internet Engineering Task Force (IETF) is specifying the RELOAD base protocol for building distributed systems based on peer-to-peer (P2P) technologies. In particular, a large proportion of the work undertaken by the working group is focused on Distributed Hash Tables (DHTs). A DHT provides a distributed storage service, where resources are stored at a peer that, along with other peers, forms an overlay network.
A resource is stored based on a Resource-ID, which is commonly a hashed user name of a node owning the resource. A Kind-ID specifies the kind of data that may be stored at a resource.
In RELOAD, resources can be read (e.g. using a Fetch Request) by any node that knows the Resource-ID of the resource. However, for security and in order to limit the volume of information a node can store into the network, RELOAD defines a number of Access Control Policies to control which entities can create a resource and write data to a resource.
The standard access control policies defined in RELOAD are based on the User-ID (e.g. USER-MATCH) or the Node-ID (e.g. NODE-MATCH). The User-ID and the Node-ID of a node are included in the node's certificate. Typically, the node is assigned one or more Node-IDs by a central enrolment authority, although other approaches, such as a Web of Trust type model, could be used. Both the User-ID and the Node-ID are placed in a node certificate, along with the node's public key.
With RELOAD access control policies, usually a resource can only be created, written or rewritten by a single node, called the “owner” of the resource, typically the node that created the resource.
An access control policy that enables multiple nodes to write to the same resource is USER-NODE-MATCH, which allows any node to write a single entry to a Dictionary resource, the Resource-ID of which must correspond to the Node-ID. USER-NODE-MATCH may only be used with Dictionary resources.
In RELOAD-ACL, a new access control policy, called USER-CHAIN-ACL, is defined, which allows the resource's owner to share write permissions with other nodes. This is done by associating an Access Control List (ACL) to a shared resource, and explicitly listing all users and/or nodes that have write permission for the resource.
The two policies mentioned above have some drawbacks. USER-NODE-MATCH can only be applied to Dictionary resources and allows any node of the RELOAD network with a valid certificate to write one entry in any Dictionary resource. Therefore, in order to protect their own resources, peers will commonly limit the size of such Dictionary resources. This opens the possibility of Denial of Service (DoS) attacks, as an attacker node with one or more valid certificates is able to store a high volume of data to a Dictionary resource, thereby exceeding its size limit and preventing legitimate users from storing data. In USER-CHAIN-ACL, only users explicitly allowed by the owner of the resource (via the ACL) are able to write data. However, this requires the owner node to know the list of legitimate users beforehand. Moreover, a resource cannot be shared by an arbitrary number of users, because of the burden placed on the peer responsible for the resource in managing the ACL, as well as all the associated certificates. Therefore, the size of the ACL will be limited by the peers storing it, particularly since the ACL resource is shared by all the USER-CHAIN-ACL resources within the same address space.
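To make the policy checks above concrete, here is an added example (not part of the original text, nor code from any RELOAD implementation) of a responsible peer evaluating USER-MATCH, NODE-MATCH and USER-CHAIN-ACL for a Store request, including the ACL size cap that the drawbacks paragraph discusses. It assumes SHA-1 as the overlay hash, an ACL modelled as a flat set of user names or Node-IDs under the shared resource's Resource-ID, and a constructed entry limit; delegation chains and certificate validation are left out.

```python
import hashlib

def resource_id(identity) -> bytes:
    """Resource-ID of a user name (str) or Node-ID (bytes).
    Assumption: the overlay's configured hash is SHA-1."""
    if isinstance(identity, str):
        identity = identity.encode()
    return hashlib.sha1(identity).digest()

class ResponsiblePeer:
    """Toy peer that stores shared resources and the ACLs attached to them."""
    def __init__(self, max_acl_entries: int = 3):
        self.max_acl_entries = max_acl_entries   # constructed per-peer limit
        self.acls: dict[bytes, set] = {}         # Resource-ID -> allowed identities
        self.data: dict[bytes, object] = {}

    def allowed(self, policy: str, res_id: bytes, user: str, node: bytes) -> bool:
        """Decide whether a request signed by (user, node) may write res_id."""
        if policy == "USER-MATCH":
            return res_id == resource_id(user)
        if policy == "NODE-MATCH":
            return res_id == resource_id(node)
        if policy == "USER-CHAIN-ACL":
            if res_id == resource_id(user):      # the owner may always write
                return True
            acl = self.acls.get(res_id, set())   # otherwise must be listed in the ACL
            return user in acl or node in acl
        raise ValueError(f"unknown policy {policy}")

    def add_acl_entry(self, owner_user: str, res_id: bytes, grantee) -> bool:
        """Owner extends the ACL of its resource; refused beyond the size cap."""
        if res_id != resource_id(owner_user):
            return False                         # only the owner manages the ACL
        acl = self.acls.setdefault(res_id, set())
        if grantee not in acl and len(acl) >= self.max_acl_entries:
            return False                         # peer protects itself from unbounded ACLs
        acl.add(grantee)
        return True

    def store(self, policy: str, res_id: bytes, user: str, node: bytes, value) -> bool:
        if not self.allowed(policy, res_id, user, node):
            return False
        self.data[res_id] = value
        return True
```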