
2009 International Symposium on Autonomous Decentralized Systems (ISADS), Athens, Greece, 23-25 March 2009


ITU-T Recommendations on

Peer-to-Peer (P2P) Network Security

Tatsuaki Hamai

KDDI Corporation

3-10-10 Iidabashi, Chiyoda-ku, TOKYO 102-8460 Japan

Masahiro Fujii, Yu Watanabe

Utsunomiya University

7-1-2 Yoto, Utsunomiya-shi, TOCHIGI 321-8585 Japan

Abstract— Peer-to-peer (P2P) networks use diverse connectivity between participants in networks. P2P networks are useful for many purposes. Sharing content files containing audio, video, data or anything in digital format is very common, and real-time data, such as telephony traffic, is also passed using P2P technology. Because the P2P communication model differs from that of the conventional client-server system, additional security threats emerge that do not apply to the client-server architecture. The Telecommunication Standardization Sector (ITU-T) developed network security Recommendations for P2P telecommunications on behalf of the International Telecommunication Union (ITU). This paper provides a general survey of the Recommendations.

Keywords: ITU-T; Recommendation; P2P; Security

I. INTRODUCTION

Peer-to-peer (P2P) networks do not have the notion of clients or servers but only equal peer nodes that simultaneously function as both clients and servers to the other nodes in the network. In a P2P network, all peers have equivalent authority and responsibility, which differs completely from the client-server system. When data or messages are exchanged in a P2P network, a peer communicates with other peers directly. Because traffic and processing are distributed over the peers, a P2P network does not require the high-performance computing power and high-bandwidth network that a client-server system does.

The P2P communication architecture differs from that of the client-server system, and additional security threats emerge that do not apply to the client-server architecture. With this in mind, P2P applications should be carefully built while taking into consideration the security threats to P2P communications.

Two Recommendations were developed in ITU-T (Telecommunication Standardization Sector, International Telecommunication Union) for secure P2P communications, which describe the security-related framework, architectural model and operations that can be applied to various P2P networks.

II. CONCEPTS OF P2P COMMUNICATIONS

The concepts of P2P communications are explained in the ITU-T Recommendation X.1161, “Framework for secure peer-to-peer communications” [1].

A. Basic P2P service concept

Figure 1 shows a basic P2P service architecture. In communications using the P2P architecture, the information data processed by each peer are exchanged directly among users. There is no central server to store the information data, so each peer must find out which peers have the target information data before retrieving them. Moreover, each peer also needs to permit access from other peers in order to exchange the information data.

B. Unstructured and structured P2P communications

Unstructured P2P networks are formed when the P2P links are established arbitrarily. Such networks are easy to construct: a new peer that wants to join can copy the existing links of another node and then form its own links over time. In an unstructured P2P network, if a peer wants to find a desired piece of data, the query has to be flooded through the network to find as many peers as possible that share the data. The main disadvantage of such networks is that queries may not always be resolved. Popular content is likely to be available at several peers, and any peer searching for it is likely to find it. But if a peer is looking for rare data shared by only a few other peers, the search is unlikely to succeed. Since there is no correlation between a peer and the content it manages, there is no guarantee that flooding will find a peer that has the desired data. Flooding also causes a large amount of signaling traffic in the network, so such networks typically have very poor search efficiency. Most of the popular P2P networks, such as Gnutella and FastTrack, are unstructured.
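As an added illustration of flooded search, not taken from the paper or from X.1161, the following Go program simulates a query flooded through a small overlay with a hop limit (TTL) and a seen-cache for duplicate suppression, and counts the signaling messages the flood generates. The overlay, the peer names and the file placement are constructed for the example; the seen-cache is the same mechanism that bounds how much traffic a peer re-sending one query can cause, which matters for the "unsolicited messages" threat discussed later.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed overlay for the example (adjacency list of an unstructured
// network) and the files each peer shares. Names and placement are assumptions.
var overlay = map[string][]string{
	"A": {"B", "C"},
	"B": {"A", "D"},
	"C": {"A", "D", "E"},
	"D": {"B", "C", "F"},
	"E": {"C"},
	"F": {"D"},
}

var shared = map[string][]string{
	"A": {"popular.mp3"},
	"C": {"popular.mp3"},
	"D": {"popular.mp3"},
	"F": {"rare.dat"},
}

func has(files []string, name string) bool {
	for _, f := range files {
		if f == name {
			return true
		}
	}
	return false
}

// floodSearch floods a query for name from origin with a hop limit ttl.
// It returns the peers that hold the file (sorted) and the number of query
// messages sent on links. Every peer keeps a seen-cache (modelled here by one
// map, since each query ID is unique) and silently drops a query it has already
// handled; that is what makes the flood terminate and what bounds how much
// traffic a peer that re-sends the same query can cause.
func floodSearch(origin, name string, ttl int) (hits []string, messages int) {
	type pending struct {
		peer string
		ttl  int
	}
	seen := map[string]bool{origin: true}
	found := map[string]bool{}
	queue := []pending{{origin, ttl}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if has(shared[cur.peer], name) {
			found[cur.peer] = true
		}
		if cur.ttl == 0 {
			continue // hop limit reached: do not forward further
		}
		for _, n := range overlay[cur.peer] {
			messages++ // the forward costs a message whether or not n drops it
			if seen[n] {
				continue // duplicate suppression at the receiving peer
			}
			seen[n] = true
			queue = append(queue, pending{n, cur.ttl - 1})
		}
	}
	for p := range found {
		hits = append(hits, p)
	}
	sort.Strings(hits)
	return hits, messages
}

func main() {
	for _, ttl := range []int{1, 2, 3} {
		hits, n := floodSearch("A", "popular.mp3", ttl)
		fmt.Printf("popular.mp3 ttl=%d: hits=%v messages=%d\n", ttl, hits, n)
		hits, n = floodSearch("A", "rare.dat", ttl)
		fmt.Printf("rare.dat    ttl=%d: hits=%v messages=%d\n", ttl, hits, n)
	}
}
```

With TTL 2 the popular file is found at three peers for seven messages, while the rare file held only by F is not found at all; reaching F needs TTL 3 and eleven messages on a six-node overlay, which is the cost-versus-reach trade-off the paragraph describes.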

Structured P2P networks employ a globally consistent protocol to ensure that any node can efficiently route a search to some peer that has the desired file, even if the file is extremely rare. Such a guarantee necessitates a more structured pattern of overlay links. By far the most common type of structured P2P network is the distributed hash table (DHT), in which a variant of consistent hashing is used to assign ownership of each file to a particular peer, in a way analogous to a traditional hash table's assignment of each key to a particular array slot. Some well-known DHTs are Chord, Pastry, Tapestry, CAN, and Tulip. HyperCuP is a structured P2P network that does not take the DHT approach.
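The consistent-hashing ownership rule, as an added example in Go that is not part of the paper or of the Recommendations: peer and file positions are derived with SHA-256 on a 32-bit ring (an assumption for the example; Chord uses 160 bits), each key belongs to its successor peer, and a join moves only the keys in the arc the new peer takes over. Deriving a peer's position from a hash rather than letting the peer choose it is also the point of the ID assignment function in Section V.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// ringPos maps a peer identity or a file key onto a 32-bit identifier ring by
// hashing it with SHA-256 (assumption for the example: Chord uses 160 bits).
// Because the position comes from a hash, a peer cannot simply choose where on
// the ring it sits.
func ringPos(s string) uint32 {
	h := sha256.Sum256([]byte(s))
	return binary.BigEndian.Uint32(h[:4])
}

// Ring is a consistent-hashing ring. A key is owned by the first peer whose
// position is >= the key's position, wrapping around to the smallest position.
type Ring struct {
	pos   []uint32          // sorted peer positions
	names map[uint32]string // position -> peer name
}

func NewRing(peers ...string) *Ring {
	r := &Ring{names: map[uint32]string{}}
	for _, p := range peers {
		r.Add(p)
	}
	return r
}

// Add inserts a peer at its hashed position (position collisions are ignored here).
func (r *Ring) Add(peer string) {
	p := ringPos(peer)
	r.names[p] = peer
	r.pos = append(r.pos, p)
	sort.Slice(r.pos, func(i, j int) bool { return r.pos[i] < r.pos[j] })
}

// Owner returns the peer responsible for key: the key's successor on the ring.
func (r *Ring) Owner(key string) string {
	k := ringPos(key)
	i := sort.Search(len(r.pos), func(i int) bool { return r.pos[i] >= k })
	if i == len(r.pos) {
		i = 0 // no peer at or after k: wrap to the smallest position
	}
	return r.names[r.pos[i]]
}

// Moved adds newPeer and reports how many of keys changed owner. With consistent
// hashing only the keys in the arc (predecessor, newPeer] move, and they all move
// to newPeer; a plain modulo-N table would reshuffle almost every key.
func Moved(r *Ring, newPeer string, keys []string) int {
	before := make(map[string]string, len(keys))
	for _, k := range keys {
		before[k] = r.Owner(k)
	}
	r.Add(newPeer)
	moved := 0
	for _, k := range keys {
		if r.Owner(k) != before[k] {
			moved++
		}
	}
	return moved
}

func main() {
	r := NewRing("peer-1", "peer-2", "peer-3", "peer-4")
	keys := make([]string, 0, 1000)
	for i := 0; i < 1000; i++ {
		keys = append(keys, fmt.Sprintf("file-%d", i))
	}
	fmt.Println("file-7 is stored at", r.Owner("file-7"))
	fmt.Printf("peer-5 joins: %d of %d keys change owner\n", Moved(r, "peer-5", keys), len(keys))
}
```

The lookup here is a local sorted search; in a real DHT each peer holds only part of the ring and routes the query in O(log N) hops, but the ownership rule that decides where a query ends is the one shown.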

III. SERVICE SCENARIOS AND CHARACTERISTICS OF P2P COMMUNICATIONS

The service scenarios and characteristics of P2P communications are explained in the ITU-T Recommendation X.1161.

A. Service scenarios of P2P communications

a) Information sharing and contents distribution

A P2P network can be used as a large database. Each peer stores several kinds of data in local storage, and other peers search for the data and download them.

b) Communication platform

A P2P network can be used as a communication platform. If a user would like to contact another user, the calling user starts by searching for the location of the called user. When the calling user finds the called user, the calling user sets up a call with the called user directly. The P2P communication platform can be used for instant messaging, Internet telephony, video conferencing, etc.

c) Groupware

A P2P network can be used for collaborative work with group members. The basic technologies of this service scenario are those of the information sharing and communication platform scenarios.

d) Distributed computing

A P2P network can be used for distributed computing. Each peer joins the P2P network in order to provide its computational power.

B. Characteristics of P2P communications

P2P communications have the following characteristics relevant to security:

- Each peer needs to have the capability of a server: the peer permits access from other peers.

- In client-server communication, the server can monitor the communication situation (traffic, accessing clients, accessed files, etc.) and can control its traffic by changing the access control policy. It is, however, not easy to monitor the communication situation in P2P communications.

- If P2P is used as a network platform, many users join this platform as peers, so it may be easy for malicious users to join the P2P network.

- In P2P communications, a lot of data is exchanged between peers, and such data may be sent by unreliable peers.

IV. SECURITY THREATS TO P2P COMMUNICATIONS

This section describes security threats to P2P communications given in X.1161.

A. Eavesdropping

P2P communications use open networks, and anonymous attackers may eavesdrop on them by capturing traffic. Moreover, if malicious users join the P2P network as peers, those peers may be able to gather various kinds of data exchanged on the P2P network.

B. Communication jamming

In P2P communications, malicious users who join the P2P network as peers may be able to disturb the P2P communications. The following attacks are examples of this threat:

- A peer stores and retrieves data repeatedly.

- A peer joins and leaves the P2P network rapidly.

- A peer sends unsolicited messages to other peers repeatedly.

- A peer disturbs the routing information of the P2P network.

These attacks can result in DoS (Denial of Services) attacks.

C. Injection and modification of data

The peers of a P2P network relay data from one peer to another, and a relaying peer can therefore easily inject or modify data. Furthermore, it may be easy to distribute malicious software, such as viruses, worms, bots, etc., and malicious information, such as false file indexes, false IP addresses or false routing tables.

D. Unauthorized access

Access control is the ability to limit and control the access to data and peers. This threat occurs when a malicious peer gains access to other peers by masquerading as a normal peer. Peers trying to gain unauthorized access must be identified, or authenticated.

E. Repudiation

This threat occurs when a peer denies having transmitted, or having received, data.

Figure 1. P2P service architecture (Figure 1 of the ITU-T Recommendation X.1161)


F. Man in the middle attack

A man in the middle attack is a situation whereby an attacker can read, insert and modify messages between two parties without either party knowing that the link between them has been compromised.

G. Sybil attack

A Sybil attack is a situation whereby an attacker controls a P2P network by generating a large number of pseudonymous entities. The Eclipse attack is a typical attack built on Sybil identities. Each node in the P2P network needs to maintain links to a set of neighboring nodes, with which it communicates by forwarding messages. In an Eclipse attack, an attacker controls a large fraction of the neighbor sets of victim nodes and can then drop or reroute their messages.

V. ITU-T RECOMMENDATION X.1161: FRAMEWORK FOR SECURE PEER-TO-PEER COMMUNICATIONS [1]

ITU-T Recommendation X.1161, “Framework for secure peer-to-peer communications” describes the security requirements and functions for P2P communications.

A. Security requirements for P2P communications

a) User authentication

User authentication is used by one peer's user to prove its identity to the corresponding peer's user.

b) Anonymity

Ensuring anonymity in P2P applications makes it easy for users to join communities on the P2P network. This enables data to be transmitted while the sending user remains anonymous.

Complete anonymity may, however, be used to attack the P2P network. Therefore protection mechanisms against such attacks should be considered when anonymity is provided.

c) Privacy

Privacy provides for the protection of information that might be derived from the observation of network activities or communication. Examples of this information include the communicating peers, the contents of transferred data or messages, a user's geographic location and a user's ID.

d) Data integrity

In P2P communications, data and messages are stored at peers and transferred to other peers. When malicious users receive the data or messages, they may alter them in order to distribute malicious programs or messages. Data integrity ensures the correctness or accuracy of data or messages: the data or messages are protected against unauthorized modification, deletion, creation and replication, and an indication of these unauthorized activities can be provided.

e) Data confidentiality

In certain applications, users might want to disclose sensitive data or messages to specified users only. Data confidentiality protects data from unauthorized disclosure and ensures that unauthorized peers cannot read the data content.

f) Access control

Access control protects against unauthorized access to several kinds of resources and ensures that only authorized peers are allowed access to data or messages, P2P networks and other peer resources.

g) Non-repudiation

- Non-repudiation with proof of origin

This is used to prove that the origin of received data or messages is a particular peer. It protects against any attempt by that peer to falsely deny having sent the data or messages.

- Non-repudiation with proof of delivery

This is used to provide proof of delivery of data or a message to a peer. It protects against any subsequent attempt by that peer to falsely deny having received the data or messages.

h) Usability

P2P networks consist of many peers, each of which communicates with other peers directly. P2P applications should provide a good user interface and security mechanisms that do not let users end up with incorrect settings.

i) Availability

Availability ensures that there is no denial of authorized access to the various kinds of resources due to events impacting the network. Availability also lets users receive an application service from anywhere and at any time, to the extent that the P2P service is able to provide it.

j) Traceability

Traceability ensures that past communication activities can be checked. When a problem occurs, an administrator of a P2P network or a peer may need to trace the activity in question.

k) Traffic control

P2P communications may result in heavy congestion. In such cases, traffic control mitigates the congestion by controlling the timing of data or message transfers, adjusting the communication speed, etc.

B. Security functions for satisfying security requirements of P2P communications

a) Encipherment

The encipherment function can ensure the confidentiality of either communication data or stored data. Encipherment algorithms may be reversible or irreversible.

b) Key exchange

The key exchange function allows for key sharing in encipherment implementations, especially for symmetric encipherment algorithms.

c) Digital signature

The essential characteristic of the signature function is that the signature can only be produced using the signatory's private information. Thus, when the signature is verified, it can subsequently be proven to a third party (e.g. a judge or arbitrator) at any time that only the unique holder of the private information could have produced the signature.
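As an added example (not from the paper or from X.1161) of the digital signature function providing the two non-repudiation services of Section V.A.g: in the following Go program the sender signs (origin, counter, payload) with Ed25519 as proof of origin, the receiver signs (receiver, hash of payload) as proof of delivery, and a third party verifies either with nothing but the relevant public key. Ed25519, the per-sender counter, the peer names and the message layout are assumptions of the example; binding a public key to a real peer is left to PKI or one of the trust models below.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Peer holds an Ed25519 key pair. The private key is the "private information"
// that only the signatory possesses; the public key is what everyone else
// (including a later arbitrator) uses to check a signature.
type Peer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPeer generates a fresh random key pair (constructed for the example).
func NewPeer(name string) *Peer {
	seed := make([]byte, ed25519.SeedSize)
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	return NewPeerFromSeed(name, seed)
}

// NewPeerFromSeed derives the key pair deterministically from a 32-byte seed.
func NewPeerFromSeed(name string, seed []byte) *Peer {
	priv := ed25519.NewKeyFromSeed(seed)
	return &Peer{Name: name, pub: priv.Public().(ed25519.PublicKey), priv: priv}
}

func (p *Peer) Public() ed25519.PublicKey { return p.pub }

// originMsg is the byte string signed for proof of origin: the origin's name,
// a per-sender counter (so one signature cannot be presented as two sends)
// and the payload. Names are assumed not to contain '|'.
func originMsg(origin string, seq uint64, payload []byte) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, seq)
	msg := append([]byte("origin|"+origin+"|"), buf...)
	return append(msg, payload...)
}

// SignOrigin produces the proof of origin for a data unit.
func (p *Peer) SignOrigin(seq uint64, payload []byte) []byte {
	return ed25519.Sign(p.priv, originMsg(p.Name, seq, payload))
}

// VerifyOrigin is what any third party runs, with only the claimed origin's
// public key, to decide whether that peer really sent this data.
func VerifyOrigin(pub ed25519.PublicKey, origin string, seq uint64, payload, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, originMsg(origin, seq, payload), sig)
}

// receiptMsg is signed by the receiver for proof of delivery: it binds the
// receiver's name to the hash of exactly what was received.
func receiptMsg(receiver string, payload []byte) []byte {
	h := sha256.Sum256(payload)
	return append([]byte("received|"+receiver+"|"), h[:]...)
}

// SignReceipt produces the proof of delivery for a received data unit.
func (p *Peer) SignReceipt(payload []byte) []byte {
	return ed25519.Sign(p.priv, receiptMsg(p.Name, payload))
}

// VerifyReceipt checks a proof of delivery against the receiver's public key.
func VerifyReceipt(pub ed25519.PublicKey, receiver string, payload, receipt []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, receiptMsg(receiver, payload), receipt)
}

func main() {
	alice, bob := NewPeer("alice"), NewPeer("bob")
	data := []byte("index update: file-42 is held by bob") // constructed payload
	sig := alice.SignOrigin(1, data)
	fmt.Println("alice's origin proof verifies:", VerifyOrigin(alice.Public(), "alice", 1, data, sig))
	fmt.Println("same proof under bob's key:   ", VerifyOrigin(bob.Public(), "alice", 1, data, sig))
	rcpt := bob.SignReceipt(data)
	fmt.Println("bob's delivery proof verifies:", VerifyReceipt(bob.Public(), "bob", data, rcpt))
}
```

The two message formats start with different labels so a receipt can never be mistaken for an origin proof of the same bytes, and the counter in the origin proof is what lets the verifier distinguish "alice sent this once" from "alice sent this twice".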

d) Trust management

- Local recommendation

The trust value of one user is acquired by inquiring of a finite number of other users.

- Public key infrastructure

A few central nodes supervise the whole network and regularly report errant nodes. The validity and effectiveness of these central nodes is guaranteed by CA-issued certificates.

- Reputation

The trust value of a peer node is calculated from the feedback of transactions between peers. The trust value of a user is calculated after evaluation and statistical analysis of such feedback.

- Role-based

In the role-based P2P trust model, the trust value of a specific peer node determines its user status in the network, and the status of a user can be mapped to its relation with other users.

e) Access control

The access control function may use the authenticated identity of a user, information about the user (such as membership of a known set of users) or the capabilities of the user in order to determine and enforce that user's access rights. If the user attempts to use an unauthorized resource, or an authorized resource with an improper type of access, the access control function rejects the attempt and may additionally report the incident for the purposes of generating an alarm and/or recording it as part of a security audit trail.

f) Data integrity mechanism

Two aspects of data integrity are considered: the integrity of a single data unit or field, and the integrity of a stream of data units or fields. In general, different technologies are used to provide these two types of integrity function, although providing the second without the first is impractical. Protecting the integrity of a sequence of data units (i.e. protecting against disorder, loss, replay and the insertion or modification of data) requires the addition of some form of explicit ordering, such as sequential numbering, time stamping or cryptographic chaining.
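The stream-integrity mechanism above, as an added Go example that is not part of the paper or of the Recommendations: each unit carries a sequence number and an HMAC-SHA256 tag over (sequence number, payload) under a key assumed to have been agreed by the key exchange function. The tag gives single-unit integrity; the receiver's check that the sequence number is exactly the one it expects is what rejects replayed, reordered, dropped and inserted units, which a per-unit tag alone would not. HMAC-SHA256 and the unit layout are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Unit is one data unit of a stream: its sequence number, payload and tag.
type Unit struct {
	Seq     uint64
	Payload []byte
	Tag     []byte
}

// tagInput binds the sequence number to the payload, so a unit cannot be moved
// to another position in the stream without invalidating its tag.
func tagInput(seq uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, payload...)
}

func tag(key []byte, seq uint64, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(tagInput(seq, payload))
	return m.Sum(nil)
}

// Sender numbers each unit and computes HMAC-SHA256 over (seq, payload).
// Assumption: key was agreed beforehand by the key exchange function.
type Sender struct {
	key  []byte
	next uint64
}

func (s *Sender) Send(payload []byte) Unit {
	u := Unit{Seq: s.next, Payload: payload, Tag: tag(s.key, s.next, payload)}
	s.next++
	return u
}

// Receiver accepts a unit only if the tag verifies (single-unit integrity) and
// the sequence number is exactly the one expected (stream integrity). The second
// check is what catches replay, reordering, a deleted unit and an inserted one;
// a tag alone would pass a replayed genuine unit.
type Receiver struct {
	key      []byte
	expected uint64
}

func (r *Receiver) Accept(u Unit) error {
	if !hmac.Equal(tag(r.key, u.Seq, u.Payload), u.Tag) { // constant-time compare
		return fmt.Errorf("seq %d: bad tag (modified or forged unit)", u.Seq)
	}
	if u.Seq != r.expected {
		return fmt.Errorf("seq %d: expected %d (replay, reorder, loss or insertion)", u.Seq, r.expected)
	}
	r.expected++
	return nil
}

func main() {
	key := []byte("constructed shared key") // assumption: from the key exchange function
	s, r := &Sender{key: key}, &Receiver{key: key}
	u0, u1, u2 := s.Send([]byte("hello")), s.Send([]byte("world")), s.Send([]byte("bye"))
	fmt.Println("u0, u1 in order:", r.Accept(u0), r.Accept(u1))
	fmt.Println("u1 replayed:    ", r.Accept(u1))
	tampered := u2
	tampered.Payload = []byte("bye!")
	fmt.Println("u2 modified:    ", r.Accept(tampered))
	fmt.Println("u2 genuine:     ", r.Accept(u2))
}
```

A strict "next expected" rule is the simplest ordering check; a protocol that tolerates loss would instead keep a sliding window of accepted sequence numbers, but must still refuse any number it has already seen.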

g) Authentication exchange

The authentication exchange function may be incorporated in order to authenticate the communicating user. If the function does not succeed in authenticating the user, the connection is rejected or terminated, and the event may be recorded in the security audit trail and/or reported to a security management centre.

h) Notarization

Properties of the data communicated between two or more users, such as its integrity, origin, time and destination, can be assured by a notarization function. The assurance is provided by a third-party notary, which the communicating entities trust and which holds the information needed to provide the required assurance in a verifiable manner.

i) Secure routing

In P2P communications, each peer provides the routing function, so a secure routing function can be applied. This function protects against incorrect routing information that may be generated by malicious peers.

j) Traffic control mechanism

The traffic control function is used to prevent congestion of message or data transfer. It is also used to prevent access from concentrating on one peer.

k) ID assignment

In order to distinguish each peer and each item of information, all peers and items of information are assigned a unique ID. Because there are no centralized servers in pure P2P service models, such IDs are assigned by agreement among peers. A secure ID assignment function is therefore used to protect against the misuse of assigned IDs and the abuse of illegal IDs.
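One way to make ID assignment secure without a central server, as an added Go example that is not from the paper or from X.1161: a peer's ID is derived by hashing its public key, and a joining peer proves possession of the matching private key by signing a nonce issued by the admitting peer. The ID length, the message layout and the challenge-response shape are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PeerID derives a peer's identifier from its public key (assumption for the
// example: 160-bit IDs, SHA-256 truncated). A peer can then only claim an ID
// for which it holds the matching private key; it cannot pick an arbitrary
// position, e.g. one adjacent to a victim's keys on a DHT ring.
func PeerID(pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(pub)
	return h[:20]
}

// KeyPairFromSeed derives a key pair from a 32-byte seed (random in practice).
func KeyPairFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// JoinRequest is the joining peer's reply to a nonce issued by the admitting peer.
type JoinRequest struct {
	ID    []byte
	Pub   ed25519.PublicKey
	Nonce []byte
	Sig   []byte
}

func joinMsg(id, nonce []byte) []byte {
	msg := append([]byte("join|"), id...)
	msg = append(msg, '|')
	return append(msg, nonce...)
}

// MakeJoin builds a request. claimedID is a parameter (rather than always
// PeerID(pub)) so the example can show a peer claiming an ID it does not own.
func MakeJoin(pub ed25519.PublicKey, priv ed25519.PrivateKey, claimedID, nonce []byte) JoinRequest {
	return JoinRequest{ID: claimedID, Pub: pub, Nonce: nonce, Sig: ed25519.Sign(priv, joinMsg(claimedID, nonce))}
}

// CheckJoin is run by the admitting peer, which issued nonce and remembers it.
// The three checks are: freshness (the nonce is ours), binding (the ID really is
// derived from the presented key) and possession (the signature proves the
// joiner holds the private key). An attacker can still mint many keys, so this
// binds IDs to keys; it does not by itself bound the number of identities.
func CheckJoin(req JoinRequest, issuedNonce []byte) error {
	if !bytes.Equal(req.Nonce, issuedNonce) {
		return fmt.Errorf("nonce mismatch: replayed or unsolicited join")
	}
	if len(req.Pub) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed public key")
	}
	if !bytes.Equal(req.ID, PeerID(req.Pub)) {
		return fmt.Errorf("ID %x is not derived from the presented key", req.ID)
	}
	if !ed25519.Verify(req.Pub, joinMsg(req.ID, req.Nonce), req.Sig) {
		return fmt.Errorf("signature does not prove possession of the key")
	}
	return nil
}

func main() {
	seed := make([]byte, ed25519.SeedSize)
	rand.Read(seed)
	pub, priv := KeyPairFromSeed(seed)
	nonce := make([]byte, 16)
	rand.Read(nonce)
	fmt.Println("honest join:        ", CheckJoin(MakeJoin(pub, priv, PeerID(pub), nonce), nonce))
	chosen := bytes.Repeat([]byte{0xAB}, 20) // an ID the attacker would like to sit at
	fmt.Println("self-chosen ID:     ", CheckJoin(MakeJoin(pub, priv, chosen, nonce), nonce))
	fmt.Println("replayed old nonce: ", CheckJoin(MakeJoin(pub, priv, PeerID(pub), []byte("stale-nonce")), nonce))
}
```

Binding the ID to a key stops a peer from claiming a position it wants; it does not stop one attacker from generating many keys, which is the Sybil threat of Section IV and needs a separate cost or admission control.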

VI. ITU-T RECOMMENDATION X.1162: SECURITY ARCHITECTURE AND OPERATIONS FOR PEER-TO-PEER NETWORK [2]

An overlay network is a computer network, which is built on top of another network, and peer-to-peer networks are overlay networks because they run on top of the Internet. ITU-T Recommendation X.1162, “Security architecture and operations for peer-to-peer network” describes a general and common security-related architectural model and operations of an overlay network that can be applied to various peer-to-peer (P2P) networks.

A. Conceptual architecture of overlay network

Overlay networks have the following characteristics:

- Overlay networks allow both networking developers and application users to design and implement their own communication environment and protocols, e.g., data routing and file sharing management.

- Data routing in overlay networks can be very flexible, quickly detecting and avoiding network congestions by adaptively selecting paths based on different metrics such as probed latency.

- The end-nodes in overlay networks are closely connected to each other using flexible routing capabilities. As long as the physical network connections exist, one peer can always communicate to another peer via overlay networks. Scalability and robustness in overlay networks are two attractive features.


[Figure: the P2P overlay stratum, with its operations (Join, Search, Overlay Service, ...), drawn above the transportation stratum; the nodes shown are User, Peer (Device) and Peer (Server), numbered (1) to (3).]

Figure 2. Architectural reference model for the P2P network (Figure 2 of the ITU-T Recommendation X.1162)

- The high connectivity of peers joining overlay networks enables the effective sharing of the huge amount of information and resources available in the Internet.

- Overlay networks are open to all kinds of Internet users, and the security and privacy issues can be quite serious.

- Overlay networks are highly decentralized; hence their ability to coordinate resources may be weak.

As a kind of overlay network, P2P (peer-to-peer) networks are typically used for connecting nodes via ad hoc connections.

B. Security architecture of the Peer-to-Peer network

Figure 2 depicts the physical and logical P2P network architecture [3] specified in the Recommendation X.1162. The figure shows the logical P2P network as a virtual network over the physical transport network. The operation of each peer is assumed not to be limited by the physical network architecture, and a peer can communicate with any other peer regardless of its location. The structure of the peer-to-peer network is divided into two layers: P2P overlay and transport.

The transport layer provides the session service based on TCP and HTTP. To secure the P2P overlay layer, a P2P provider can use traditional security mechanisms such as TLS and HTTPS to establish trust among peers. Note that TLS authenticates a peer only as far as that peer's certificate is verified; with unverified or self-signed peer certificates it protects the channel but says nothing about the identity behind it. The P2P layer provides the primitive operations generally used in P2P networks, i.e. the community services among the peers: join, leave, search, routing, etc. The security domain administrator needs to implement the primitive operations with adequate security functions to meet the security requirements specified in the Recommendation X.1161. The following summarizes the security functions and operations of the peer-to-peer network.

a) Join

A peer user can join a group of P2P services by executing the P2P program. After joining, peer users can communicate and share resources with each other. The security domain administrator may require that every joining peer be authenticated. Therefore, the join operation should implement a mechanism for user authentication.

b) Leave

A peer user can leave a group of P2P services by executing the leave operation. In P2P networks, a peer user may also leave the network accidentally, without notifying the security domain administrator and/or other peer users, in case of unreliable network conditions or a power failure. Normally, the P2P network implements an explicit leave operation to ensure the validity of the other operations. The leave operation should be able to enforce the security domain administrator's policy as to whether or not the leaving peer user's personal or state information is revealed to other peers.

c) Search

A peer user broadcasts a search query to the P2P network. Peers that can meet the request respond to the query; peers that cannot relay the search query to adjacent peers. The security domain administrator may require that only an authenticated peer be able to search the network.

d) Chat

A peer in a group can select another peer to communicate with. After setting up the session between the peers, they send and/or receive text or voice messages to/from each other. The security domain administrator may require that only an authenticated peer be able to chat with other peer(s) in the network.

e) Routing

Routing is an operation on both unstructured and structured P2P networks. It is the role of the security domain administrator to define and implement the routing mechanism. The security domain administrator may require that only an authenticated peer be able to participate in the routing operation.

f) Insertion & Retrieval

Insertion and retrieval operations belong to the structured P2P network. For the insertion and retrieval processes, each peer's routing table is calculated. When a new resource is inserted, the hash value of the resource is computed, and the routing tables of the corresponding peers are retrieved and updated. Finally, the resource is stored on the peer thus located. The security domain administrator may require that only an authenticated peer be able to perform the insert and/or retrieve operation.

g) Update & Delete

Update is an operation that changes the contents of an inserted resource; delete is an operation that deletes an inserted resource. The security domain administrator may require that only an authenticated peer be able to perform the update and/or delete operation.

h) Multicasting

In general, P2P multicasting is realized by application-level retransmission at each peer. Peers on the intermediate paths relay the multicast packets to neighboring peers. The security domain administrator may require that only an authenticated peer be able to participate in the multicasting operation.

VII. CONCLUSIONS

Peer-to-peer (P2P) is an instantiation of network architectures in which all peers have equivalent authority and responsibility, differing completely from the client-server system. In P2P communications, a peer can be both server and client, unlike conventional client-server communications. Therefore ITU-T developed two Recommendations on the security aspects of P2P communications. The object of this paper is to survey those two Recommendations, X.1161 and X.1162. Recommendation X.1161 describes the framework for secure P2P communications, including the security threats and security requirements for P2P communications. Security architectures and operations of P2P communications are defined in Recommendation X.1162. Together they specify a comprehensive framework and mechanisms for the security of P2P services. The telecommunications industry has been experiencing exponential growth in the area of secure application services. Specifically, the security of telecommunication-based application services, including P2P (peer-to-peer) services, Web services and TTP (trusted third party) services, is crucial for the further development of the industry. ITU-T will continue its studies on Secure Application Services.

REFERENCES

[1] ITU-T Recommendation X.1161, Framework for secure peer-to-peer communications, to be published.

[2] ITU-T Recommendation X.1162, Security architecture and operations for peer-to-peer network, to be published.

[3] Jörg Eberspächer and Rüdiger Schollmeier, “First and Second Generation of Peer-to-Peer Systems,” R. Steinmetz and K. Wehrle (Eds.): P2P Systems and Applications, LNCS 3485, pp. 35-56, Springer-Verlag Berlin Heidelberg 2005.