Transcription
PresenceVishal Kumar Singh and Henning SchulzrinneApril 10, 20061
Outline Presence system overviewPresence data processing Presence data formatsCompositionPrivacy filteringWatcher filteringPartial notificationPresence security Identity, authentication and authorizationPrivacyTrustDoS and SPAM2
Outline System deployment model Cross-domain deploymentInter-domain deploymentWatcher-InfoXCAPEvent Register PackageSIMPLEStone – Presence server benchmarking RequirementsIssues and factors affecting presence performanceArchitectureSIMPLEStone test specificationTransport protocol tradeoffs3
Presence System Overview Presence Ability and willingness tocommunicate.Rules about how and what part ofpresence info can be accessedMore detailed information includeslocation, preferred communicationmode, current mood and activityPresentity Represents a user or a group ofusers or a program Source of presence informationWatcher Requester of presenceinformation about a presentityBob is busyright now. Heis on 42nd,Broadway.U can reachhim after 4.00p.m. on hisoffice line.Bob’sPresentity4
Presentity and atus,locationPresenceServerBob’s Filters(Rules), omewhatavailable,InvisiblewifePUBLISHsonR u there?BUZZCellPhonecolleaguePC-IM ClientBob’s Presence UserAgents (PUA)externalworld5
Presence System Components Subscription Notification Subscribe to entitiesAuthentication of subscribersSubscribers specify subscription rulesUpdating presence state to watchersDelivering presence dataSend notifications to the watcher in a scalable manner inreal time Lots of clients Rate of change of dataPublication Send information to the server for distribution.Multiple sources for a single addressUpdates communications means, and capabilities6
Presence Data Processing7
Agenda : Presence Processing Presence Data formats PIDFRPIDPresence Data processing Composition Union composition policyPrivacy filteringWatcher filteringPartial notification8
PIDF A presence source updatespresence information bysending presence data inPIDF formatPresentity url: specifies the"pres" url of the presentityTuple “id” to uniquely identifypresence information from asourceStatus: open/closedOptional elements Communication Address:communication means andcontact address of this tupleRelative priority: numericalvalue specifying the priorityof this communicationaddressTimestamp: timestamp ofthe change of this tuple ?xml version "1.0"encoding "UTFversion "1.0"encoding "UTF-8"? presencexmlns "urn:ietf:params:xml:ns:pidf“entity "sip:alice@example.com" entity "sip:alice@example.com" tuple id "sg89ae" status basic open /basic /status contact priority "0.8" sms:9845013536 /contact /tuple /presence 9
RPID Extension ofPIDF to includedetailedinformationaboutpresentity like What is hiscurrent activityWhat is hismood presence entity "sip:alice@cs.columbia.edu" entity "sip:alice@cs.columbia.edu" tuple id "492568574609" status basic open basic open /basic open /basic ep:activities ep:activity On ep:activity On-thethe-phone /ep:activity /ep:activities ep:mood normal /ep:mood ep:privacy audio/ video/ text/ /ep:privacy /status /tuple /presence 10
Presence Data ProcessingPresenceSourcesPUBLISHCompositionPSTN Phone,Cell Phone,VOIP ivacyfilteringPresence AuthorizationPresentity specified pecifieswatcher filter11
Presence Composition Resolves conflicting presence informationSources of information conflict Stale data, e.g. latest published information is oldSensor failure, e.g. IM client indicates typing whereas noactivity on keyboardFailure to updateComposition policies Union or overriding tuples: default policyMerging based on pivot elementsRule based Time of day type rules e.g. timestamp basedSource based rules e.g. source priority considerationProgrammatic processing of presence data using compositionpolicy language (work going on in IETF)12
Union Composition PolicySubscription existsPUBLISHentitytuple idOverridetupleNo MatchNo MatchRawPresenceDocumentAddtuple esenceDocument13
Composition Policy Based on timestampBased on device priorityBased on latest activity detected (on adevice)14
Privacy Filtering Presentity specifies rules based on whichpresence server Allows or blocks subscriptionsRemove or transform presence informationEach presentity can have zero to multiplerulesEach rule has A rule idA condition – to be matched with the requestAn action –is a transformation to be done onpresence information if condition is matched.15
Privacy Filtering Condition Attributes of requests matched against theattributes in rules Transformation Identity, Sphere and ValidityA positive permission – Specifies someinformation which is allowed to the watcherThe rules can be based on Time of day, location, current activity etc.Rules specify actions for different parts ofpresence information e.g. provide-activities,16
Presence Watcher Filtering Not for ‘security’, Allows to specify what part of presence informationwatcher is interested and what needs to be filtered: “preferred notification information““triggers that cause that information to be delivered”Watchers specify filters in SUBSCRIBE requests Watchers do not want to be flooded by lots of presenceinformationRequest URI, filter URI and filter id specified in the requestServer’s local policy to honor the filter, server neednot to support watcher filteringXPATH based filters17
Presence Watcher Filtering what element :Results in generatingNOTIFY with stateinformation ofresource only if thestate of resource haschanged trigger element:Results in generatingNOTIFY withcomplete statewhenever there is achange in the state ofelement matching the trigger filterid "123"uri "sip:presentity@example.com“ what include type "xpath" /pidf:presence/pidf:tuple[rpid:class "IM" orrpid:class "MMS"]/pidf:status/pidf:basic /include /what /filter filter id "1233“uri "sip:presentity@example.com" trigger changed from "CLOSED" to "OPEN" /pidf:presence/pidf:tuple/pidf:status/pidf:basic /changed /trigger /filter Watcher Filter format18
Presence Partial Notification For receiving only parts of the presenceinformation that have changed since the lastnotificationWatchers indicate their capability andpreference to accept partial presenceinformation using the “Accept” header.Accept: application/pidf-partial xml andqalue” First NOTIFY has “state” attribute in presence tag in PIDF set to ‘full’Further NOTIFY requests have “state” as partial19
Presence Security20
Agenda Basic Presence Security Security of presence data Presence identity model (Authentication)Privacy Authorization and FilteringTrust Storage and transport securityConfidentiality and IntegrityInter provider trust, among federationsTrust between users and server/service providersDenial of Service SPAM/SPIM, attack on serverAttack on another UA21
Basic Presence Security Authentication Authorization Verifying the identity of userDifferent ways of authentication (SIP Authentication)Inter-domain Vs Intra-domainAccess and capability rights of the entityEncryption Confidentiality, prevent MitMIntegrity using digests, S/MIMETLS , IPSEC Between Servers , Trusted Gateways22
Presence AuthenticationScenariosTLS/IPsecADigestBasic TLSCryptographicallyVerified IdentityAssertedIdentityAAuthenticatorin domain ADomain AUA in domain ABS/MIMEUA in domain B23
Presence Identity Presentity identification using a presence uripres:presentity@domain Identify entity using authentication(password/hash based)Authentication – Are you the one you are claimingto be?Authorize the source to use a given identityusing authentication (user credentials)SIP URI as identity, 1 User many identities,multiple URI’s mapped to single AOR24
Presence Authorization Presentity specifies “block”, ”politeblock” or “allow” for the watchersPublisher authorization (currently basedon authentication) A source can PUBLISH on my behalfA source can PUBLISH only my status, notmy location.25
Privacy Filtering Privacy Filters ”Who can see and “what” Selective notification Presentities specify what presence information can be givento which watchers and whenDifferent views to different watchers, “my wife knows mylocation, not my friends”Providing selective access to presence information provide-devices , provide-services , provide-persons Also includes mood , place , place-type , relationship , statusicon , activities Presence authorization policy itself is very sensitiveand needs to be stored and updated securely26
Privacy Anonymous subscription Hiding Identity Do not reveal who I am?Notification confidentiality Don’t tell him who I am, Let me see him ?Only the correct entity can see me, not a man inmiddle, not even the server ?Presence privacy to prevent use of presenceinformation for illegal purposes, advertising,marketing, potential social harms27
Denial of Service DoS Attack on Server Authentication and Authorization of bogusrequestsAmplification (multiple NOTIFY for genuinePUBLISH)DoS Attack on another watcher or UA “From” header verification required (return routability)Presence SPAM (PSPAM) Authorization SPAM DOS Unsolicited subscriptionsUnsolicited NOTIFY messagesUse of SIP “From” header,Use of SIP “Subject” line28
Presence SPAM Prevention Black ListsWhite ListsOnly authorized user can send presencerequests to meAuthentication at SourceContent filteringReputation system29
Trust Inter-Federation Trust Mutual authentication : TLS, Based oncertificates by a mutually trusted CAOther policy negotiation among providersClient-Server Trust Digest authenticationBasic authentication with TLS30
Trusting the Provider My presence information must not becompromisedHow much should my provider know?Is my availability information reallyprivate ?Can the Provider target advertisementon me?Are my privacy preferences secure?Does he know that he is polite-blocked?31
Provider Trust This creates arequirement :PA should be Applications Presence status Privacy Preferencesable to doOn laptop/ LocationSIPdesktopdata Calendar/SchedulePresence More Agentaggregation PDA/and filtering Cell Phone/without being Telephoneable to know Trusting the presence service providerthe actualpresenceinformation32
Presence Anonymity from Provider Problem Statement: Presence server must be able toperform basic composition and filtering withoutactually obtaining the presence information. In otherwords, we want to get the services like aggregation,filtering and distribution without actually revealingany presence information.Assumptions: All watchers are authenticated not by presence server itselfbut by third party authenticator (authentication service).Watchers can also be authenticated by presentity itself usingcertificates signed by trusted CA.Participating entities have public key of other entities likewatchers, presentity and presence server which is originallydistributed using some public key distribution mechanism.33
Presence Anonymity fromProvider Proposed Solution: Every presentity has 2 sets of (public, private) key pair.1st set is the public private key pair used by PKI and is installedusing some PKI distribution mechanism, lets call this as (Pu1, Pr1),the second is self generated (public, private) key pair to be usedonly for presence purposes, lets call this as (Pu2, Pr2). The secondset is used to generate a session key (SKEY) for presence.When a SUBSCRIBE is received from a authenticated watcher, thepresentity sends to the watcher (SKEY) encrypted using public keyof watcher. Only watcher can see the (SKEY) and not the presenceserver or any other entity.The data within the XML TAG’s is encrypted using (SKEY). A slightmodification to approach can be to use the second set of (public,private) key pair and distribute the public key (Pu2).Higher layer XML tag names and attributes which are not encryptedare sufficient for composition and basic filtering by presence server.Watchers decrypt using their private key (Pr1) and then decryptagain using the (Pu2) presence public key of presentity or thesession key (SKEY) to get the presence information.34
Protocol TIFY(session keys)Presentity(Encryptsdata withinXML tags)PUBLISH(encrypted pidf)PresenceServer(usesXML presence)Watchers(Decryptsdata insideXML tags)NOTIFY(redistribute session keys)Message Flow Diagram A direct NOTIFY is sent with ‘session key’ to the watchersAny change in ‘session key’ causes a notification containing thekey to be sent to the watchersThis can be integrated with presence architecture basedcertificate distribution as proposed in Certificate ManagementService for SIP draft draft-ietf-sipping-certs.35
Presence Anonymity fromProvider Open issues: To be investigated further Key distribution, How, to distribute the (Pu2) to allwatchers securely. Probably in a direct initialNOTIFY and encrypted using watchers public keyPu1 Key leakage, assume one of the watchers iscompromised. One solution is presentityregenerates the keys and distributes in anotification to all current subscribers periodicallyand whenever an existing subscriber is blocked May be Cyclic keys can solveBasic composition works, But does filtering stillwork ?The approach works if watchers are nonanomalous, hence the only requirement is astrong authentication system for watchers36
Presence Deployment37
Presence System Deployment Cross Domain Model PSTN, Cellular and VoIP worldsInter Federation ModelDifferent Components XCAP Server Buddy ListPresence RulesResource ListsResource List packageWatcher Info PackageEvent Registration Package38
Cross-domain Presence DeploymentPSTNSIP SUBSCRIBEPresence UserAgentsWirelineSCPPresenceDatabaseSIP PUBLISHWireless rBuddiesPresence resenceServerBuddiesServerBroadband IP Network(VoIP, Internet, FiOS)Presence BuddiesServerSIP ProxySIP IP NOTIFYTV39
Cross-domain Presence DeploymentSCPSIP NOTIFYSIP PUBLISHPresence ServerPSTNPresenceDatabasePresence ServerWatchers/Buddiesfor one presentitySIP PUBLISHSIP PUBLISHWireless NetworkPresenceServerPresence ServerPresence ServerWatchers/Buddiesfor one presentitySIP SUBSCRIBEIMTVSIP PhoneBroadband IP Network(VoIP, Internet)40
Inter-domain presence: Crossfederation (logical and BENOTIFYLogical and actual flow ofmessages being shown todomains that are logicallyor physically separatedfrom an external domainSIP Proxy ServerPresence Agentpa.columbia.eduPresence Agentpa.cs.columbia.eduPUBLISHPresence Agentpa.campus1.columbia.edu PUBLISHPUBLISHLogical sub-domain:cs.columbia.edu41
Interaction between differentpresence protocolsBuddy List Update,Policy Update,Authorization.PresentityXCAP ServerPUBLISHAuth Policy,Resource sence Agent(resource-list,composition,Filtering llee prefs]SIP Proxy/Registrar42
Presence Message Flow DiagramProxy ServerPresentity AXCAPPresence ServerWatcher BSUBSCRIBE A[presence]NOTIFY B[presence] (closed)SUBSCRIBE A[reg]NOTIFY [reg] ASUBSCRIBE A[winfo.presence]NOTIFY A[winfo.presence]XCAP policyupdate by APUBLISH A[presence]XCAPupdateNOTIFY B (optional)[presence] (open)NOTIFY B[presence] (open)REGISTER ANOTIFY [reg] ANOTIFY B[presence] (open)43
XCAP HTTP based protocol to read, write andmodify XML based application configurationdata Creating and modifying presence authorizationpolicy fileCreating and modifying the buddy list andpresence resource listsXPATH based - XML mapped to HTTP URIXCAP security Presentity can modify only their own data Based on home directory or directory serviceUse of HTTPS44
Watcher-Info Event Package Presentity needs to get the changes in thewatcher information for an event package Presentity subscribes to watcher-info package fora given event packagePresentity gets NOTIFY containing list of watcher’sfor that event packagePresence server sends notification to thepresentity whenever presentity’s watcherinformation changes, i.e., Existing watchers becoming active, pendingChanges in the watcher list (subscribe, unsubscribe)Used by presentity to make authorizationdecisions and create presence privacy policy45
Watcher-Info WinfoAuthorization Presentity isauthorized bydefault to get itsown watcher-listPresentity canauthorize othersto see itswatchers watcherinfoxmlns "urn:ietf:params:xml:ns:watcherinfo"version "0" state "full" watcher watcher-list resource "sip:B@example.com“package "presence" watcher id "7768a77s"event "subscribe“ status "pending" sip:A@example.com /watcher /watcher /watcher-list /watcherinfo Presentity cansee the watchersof his watcher listWinfo-XML Format46
Event Registration P diffNOTIFY [Reg]SIP Proxy/RegistrarBasic block diagram of presence components Presence server (PA) needs to get the user’s registration statusfrom the REGISTRAR or the proxy server PA subscribes to SIP proxy server (registrar) with event registerto get notification of changes in users registration statusUser registration state changes when Registration is a source of user’s presence informationNew Register request arrivesRegistration time-out or expirySIP proxy server sends NOTIFY to PA which updates presencestate and distributes it to the watchers47
Event Registration Package ?xml version "1.0"? reginfo xmlns "urn:ietf:params:xml:ns:reginfo“xmlns:xsi http://www.w3.org/2001/XMLSchemaxmlns:xsi 2001/XMLSchema-instanceversion "0“ state "full" registration aor "sip:user@example.com" id "as9"state "active" contact id "76" state "active" event "registered“durationduration-registered "7322" q "0.8" uri sip:user@pc887.example.com /uri /contact contact id "77" state "terminated" event "expired“durationduration-registered "3600" q "0.5" uri sip:user@university.edu /uri /contact /registration /reginfo Reg-info XML format48
SIMPLEStone – Presence ServerPerformance Benchmarking49
SIMPLEStone – Presence ServerPerformance Benchmarking Presence scalability requirementsNeed for a benchmarking metric andbenchmarking toolIssues with presence serverbenchmarkingSIMPLEStone architecture50
Presence Scalability Requirements To make informed, accurate decisions,presence-based services depend on thetimely delivery of presence informationto watchersLarge number of watchers andpresentities, with each presentity hasmany sources (PUA’s)Every presentity’s status change maygenerate a NOTIFY to all watchers. Load on the network51
SIMPLEStone – PresenceBenchmarking Standard Capacity planning and dimensioning A service provider needs to know how manyservers are good for a given user populationA server software vendor needs to specify thecapacity of his serverNetwork loadDifferent servers and hardware platforms A uniform evaluation and performance testingmethodologyBenchmarking server software and hardwareplatform performance52
SIMPLEStone Benchmarking unit is a function of thesupported user population Can be expressed as the number of messages rate of requests (PUBLISH, NOTIFY and SUBSCRIBE)Number of messages per user depends on Average number of user subscriptions (buddies)Notification rate to the user from buddies. Device mobility User behavior Cellular or wifi phoneTV as source of presenceIM user has his status as the internet radioNumber of sources53
Issues in Presence Benchmarking Number of requests is not very accuratemetricThroughput depends on Protocol used (UDP, TCP or TLS)Size of PUBLISH request bodyComposition policy on serverFiltering support Size of privacy filtersSize of watcher filters54
SIMPLEStone – Factors AffectingServer Performance Impact of composition policy Single composition policy on server or per usercomposition.Type of composition policies Simple Union or OverridingIntelligent Merge – Based on pivot element.Rule based Type of rule will effect the performance of server. Impactof FilteringPrivacy filter and watcher filtering Larger filter more look up, comparison and XMLmanipulation operations on the serverImpact on traffic generated by the presence serverRate at which watcher modifies the filter55
SIMPLEStone ArchitecturePresence loadgenerator. Models auser and generatesPUBLISH at aspecified ratePUBLISHLoader(Presentities) 200 OKDBPAServer UnderTestUser agent server.Models a user andgenerates SUBSCRIBEand receives NOTIFYmessages.SUBSCRIBE200OKNOTIFY200 OKHandler(Watchers)The SUT can be replaced by different configurationsin which the PA operates along with the SIP server.The SUT details and other test details are specifiedusing a configuration file to the test controller.56
SIMPLEStone SUT ConfigurationsDBP1-PAs0DBSIP ProxyP1-PAs0StatelessProxyDBP2- PAConfiguration 1 Configuration 2SIMPLEStone sees different configurations of SUT as black box.The database can be arranged into 2N or N 1 redundancy mode.The Stateless proxy server(s) can act as load balancer distributingrequests based on hashing algorithm.57
SIMPLEStone Test Details SIMPLEStone test specification consists of : Rate at which the loader sends PUBLISH messages to theSUTNumber of presentities and their SIP addresses which theloader uses to generate PUBLISH and handler uses to sendSUBSCRIBENumber of watchers and SIP addresses for the handler’s useTimeout interval between receipt of NOTIFY for eachPUBLISH messageProtocol type for the test (UDP,TCP,TLS)PUBLISH message bodyOther test details The machine details where loader, handler and SUT run arespecified to the test controller58
Results with SIMPLEStone tests(sipd)success rate vs cpu and memory59
Results with SIMPLEStone tests(sipd)Throughput vs Load60
SIMPLEStone test analysis Size of SIP messages 400 -- 500 BytesSize of presence message bodies (350-1000)bytes on an average, depends on sourceBest performance observed with UDP 180 request per second successfully processedTCP: 900 open socket descriptors used up in30 seconds for an input request rate of 30messages per second,TLS: Performance goes down by 60%. Coprocessor for security can be tried.61
SIMPLEStone Test AnalysisTransport ProtocolUDPLow overhead, no statemaintenance, Higher throughput No file descriptor limit No congestion control NO TLS – Security. Fragmentation of UDP packet isdisadvantageous because ofpossibility of loss of fragment,Hence handling larger data sizes(NOTIFY bodies) can be an issue Client failure detection using ICMPerrors, number of retransmissionsdepends on effectiveness of clientfailure detection TCP or TLSTCP state maintenance, higheroverhead, lower throughput File descriptor limit Inbuilt congestion control Security using TLS Handles larger data sizes, allfragments will have guaranteeddelivery, better for large NOTIFYbodies Easy failure detection during sendcall based on no TCP ACK. Effectivefailure detection to doretransmission control 62
Questions?63
References RFC’s (11 ) Drafts (9 ) 3261 : Core SIP Specification2778,2779 : Presence requirements and Overview3863 : PIDF Data Format3265 : SIP Specific Event Notification3856: Presence Event Package3857, 3858 : Watcher Info Event Package and XML format3680 : Event Registration Package3840, 3841 : Indicating user agent preferences andRPID draftCommon-Policy draftPresence authorization rules draftWatcher filtering functional description draftWatcher filter format draftPartial notification draftPresence data model draftXCAP draftResource list draftReports SIPStone, SIMPLEStone : Benchmarking standardsPresence scalability architecture,Presence security report,64
A presence source updates presence information by sending presence data in PIDF format Presentity url: specifies the "pres" url of the presentity Tuple "id" to uniquely identify presence information from a source Status: open/closed Optional elements Communication Address: communication means and contact address of this tuple
