Peer Network Security Using Gnutella

Analysis of Peer-to-Peer Network Security using Gnutella

Dimitri DeFigueiredo±, Antonio Garcia+, and Bill Kramer*

±Department of Computer Science, University of California at Davis
+Department of Physics, University of California at Berkeley
*Department of Computing Sciences, University of California at Berkeley and the National Energy Research Scientific Computing Center, Lawrence Berkeley National Laboratory

Abstract

Peer-to-peer (P2P) networks have emerged over the past several years as new and effective ways for distributed resources to communicate and cooperate. "Peer-to-peer computing is the sharing of computer resources and services by direct exchange between systems. These resources and services include the exchange of information, processing cycles, cache storage, and disk storage for files." P2P networking has the potential to greatly expand the usefulness of the network - be it for sharing music and video, privately contracting for services or for coordinating the use of expensive scientific instruments and computers. Some of the networks, such as Napster and Gnutella, are created in an ad hoc manner with little or no centralized control. Other P2P networks such as computational and data grids are being designed and implemented in a very structured manner. P2P networks are presenting new challenges to computer security and privacy in a number of ways.

This project will explore the security issues raised by P2P networks by studying an example on an extreme point on the design spectrum: Gnutella [Gnu]. Our primary focus will be the Gnutella network, which is the de facto standard for large, loosely structured P2P networks. The Grid is a very large-scale, heterogeneous, formally structured P2P network that spans many organizations to make "virtual systems" of resources [OGSA]. It is quickly becoming the standard for distributed resource allocation for high-end computer and instrumentation systems. This paper demonstrates that for P2P networks with ad hoc structure, significant security concerns persist.

What are Peer-to-peer Networks

"Peer-to-peer computing is the sharing of computer resources and services by direct exchange between systems. These resources and services include the exchange of information, processing cycles, cache storage, and disk storage for files." [P2PWG] A broad definition of P2P includes the client-server mode of computing, as well as exchange directly amongst clients or amongst servers. However, P2P now also is used to describe some new uses of computers and networking. In particular, it is becoming more common for systems to play both the server and client roles simultaneously. P2P networking now is being used to present new services and functions. P2P is more than just the universal file-sharing model popularized by Napster. According to the Peer-to-peer working group, business applications for P2P computing fall into a handful of scenarios.

· Collaboration: Geographically distributed individuals and teams create and manage real-time and off-line collaboration areas in a variety of ways. The goals are typically increased productivity and decreased costs.
· Edge services. Edge services move data closer to the point at which it is actually consumed, acting as a network caching mechanism. This helps deliver services and capabilities more efficiently across diverse geographic boundaries. A current example is Akamai for an enterprise.
· Distributed computing and resources. Using networks and computers, P2P technology can use idle CPU power and disk space, allowing businesses to distribute large computational tasks and data across multiple computers. Results can be shared directly between participating peers. Prioritized use of the resources, even if they are not idle, is possible. Examples here range from seti@home to the Distributed Teragrid.
· Intelligent agents. Provides ways for computing networks to dynamically work together using intelligent agents. Agents reside on peer computers and communicate various kinds of information back and forth. Agents may also initiate tasks on behalf of other peer systems.

Formally and Loosely Structured Peer-to-peer Networks

The most commonly known P2P networks are those associated with music sharing. First made popular by Napster, a centrally managed P2P network, and now represented by Gnutella and Kazaa, these P2P networks are designed to be loose structures and highly dynamic. Gnutella, Kazaa and others are designed intentionally to have no central control or authority so they are entirely self-organizing. The loose federation and continuing dynamic organization of these networks present very challenging security issues, especially as the network expands.

The focus on decentralization represents a current trend in P2P systems and many see it as the stepping-stone to the extended functionality these systems may provide in the future. This is one of the main reasons this work focuses on the Gnutella network: Gnutella's distributed non-homogeneous architecture makes it a suitable test bed to observe how new ideas may affect future P2P networks. However, to put Gnutella's architecture into perspective we must be aware of what other approaches have been taken.

The Grid

There are many networks emerging for e-commerce and scientific efforts that have a more formal structure. One excellent example of this type of P2P network is what is commonly called "the Grid". Grid technology is a collection of tools and services that facilitate the building and managing of "virtual" systems that integrate distributed, heterogeneous, multi-organizational resources on demand [Grid]. These resources might include the different computing and data systems operated by a supercomputer center like NERSC, as well as a diverse collection of user-controlled computing and data systems and scientific instruments. The "Grid" is a research effort (~10 years in all) whose principal initiators are Ian Foster (ANL) and Carl Kesselman (Cal Tech). The initial implementations centered on Globus and did demonstrations (1995-96) of single applications running on geographically distributed, large parallel machines, essentially co-scheduling CPUs by human agreement and management. The concepts and software have evolved dramatically since and have expanded to support large-scale data movement, collaborative work tools, and much more. There are several "Grids" moving from experimental to "production" status as other projects now use grid tools as reliable infrastructure for their science and engineering. Examples of production or near production grids are the NSF Teragrid, NASA Information Power Grid, DOE Science Grid, Grids for Physics and the EuroGrid. There is an organization that is like the IETF for setting grid standards called the Global Grid Forum. GGF has brought corporate and research communities together to work on Grid implementations. This effort was given a major critical mass when IBM, ANL and CalTech jointly proposed the Open Grid Service Architecture (OGSA) about 8 months ago. The joint effort (with about 50 developers) is aimed at integrating the best features of Globus (and associated tools) with IBM's Websphere technology and is turning the grid effort from one of creating virtual organizations with resources to one of creating a distributed service system that is for "modern enterprise and interorganizational computing environments" [OGSA]. The end goal for industry is to move to providing "on-demand computing" services rather than computing hardware. Sam Palmisano, CEO of IBM, is quoted as saying grid computing "is the most important initiative IBM has undertaken since the Internet" [BW].

Current Grids are mostly based on services from the Globus and Condor software packages, and emerging data Grid and Web based portals. Globus services provide a standard way to define and submit jobs, manage the code and data associated with those jobs, and locate and monitor the available resources across geographically and organizationally dispersed sites. They also provide a consistent set of security services based on X.509, PKI, or Kerberos

[...] that might run on remote resources execute once and only once. Both Globus and Condor services provide for communicating with remote jobs, etc.

A sophisticated set of Grid data services is being developed by the NSF GriPhyN and EU DataGrid projects for managing massive data sets in support of the global high energy physics community. Over the next few years these will provide for cataloging, querying, accessing, and managing replication, location, and movement of very large data sets from a worldwide collection of data sources. Grid portal work at half a dozen institutions is defining and building the Web services and primitives that will provide all Grid services through the user's Web browser. Advanced services that will provide for brokering, co-scheduling, advance reservation of CPU capacity, network bandwidth, and tertiary stored data availability are currently being developed. Collaboration services are also being developed that provide for secure distributed collaboration group management, messaging, versioning and authoring, and the definition and management of "virtual organizations." These services are being integrated with the basic Grid services, frequently through Web Grid services.

Gnutella

Overview of the protocol and architecture

The Gnutella protocol is a peer-to-peer (P2P) overlay network designed for resource sharing across the global Internet. The
