On Sunday 09 November 2003 09:22 am, Martin Stone Davis wrote:
Martin Stone Davis wrote:
<snip>
My solution: ------------ My solution is analogous to a doctor's office: each node (acting as doctor) keeps a schedule of "appointments" for other nodes (patients), letting them know when they can send queries.
Any queries a node sends outside of a scheduled appointment should be answered with a highly reduced priority (many will QR here). Also, any such queries should contribute to the doctor "getting mad" and tightening up when the patient tries to schedule another appointment. The doc has to penalize the patient enough to make the patient's best strategy to stick to the appointments. To a lesser degree, the doctor should also penalize the patient if he fails to show up for an appointment. The patient then has an incentive to keep appointments and to not show up unannounced.
The result would be a much greater proportion of QA:s and a decrease in the number of queries made. Going back to the hypothetical, a requesting node would want to make 1000 queries in a minute, but might only find, say, two nodes in that minute willing to accept up to 5 queries each from him. The requesting node would then route 10 queries to those nodes, and drop the 990 others (doing so *as if* all nodes in the RT had sent QR).
Unfortunately, as Toad has pointed out in IRC, a per-node based punishment system (I believe it's called "negative trust") won't work since "identity is free": an operator can always create new nodes, gaining an unfair advantage over operators who stick to their one node. Unless we can somehow make identity less free (see below), I'll have to say my punishment system is junk.
So can we make identity (at least in regard to punishment) a little less free? Ian had pointed out that when the operator creates new nodes, he still has the same IP address. So, we could punish the entire IP address, rather than the one node. This would be too bad for nodes on dialup accounts and in internet cafes, but seems to solve the problem.
However, Toad has claimed that *even getting new IP addresses is an easy matter* for a greedy operator. How many new IP addresses are we talking about here? If the average per day over, say, a month is very low, then we can probably tolerate it, as he won't be able to create nodes fast enough to give him a great edge.
So, can negative trust work?
Why even bother? Think about it like this. Suppose each node is limited to a certain number of connections or a certain amount of bandwidth or a certain number of queries by each node they connect to. There is ZERO incentive try to modify freenet to make multiple identities to get around this. WHY? Because those nodes that you are connecting to, are still limited in those same resources, so to a limited extent your different identities are compeating with each other. It would be better form a greedy clients perspective to simply connect to more nodes! It is VERY EASY to connect to more nodes, and as far as the network is concerned, that is legitimate. So what are we trying to thwart here? A REALLY crappy denial of service attack?
We're talking about (not) modifying freenet in such a way that a "REALLY crappy denial of service attack" would actually work. Yes, at the moment, we are safe because we're not about to implement my crappy "appointment" scheme which *relied* on negative trust. Negative trust doesn't work when identity is free.
And as it turns out, identity really *is* free (see the talk about DHCP), so any negative-trust-dependant system will fail.
-Martin
_______________________________________________ Devl mailing list [EMAIL PROTECTED] http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/devl
