> For example, we could make 1) more difficult if, any time we see two peers
> in the same class-B address range, we disconnect from both of them, or at
> least never route anything to either of them.

Restricting the number of connections from an IP subnet is definitely something which should be implemented. However, this might screw up performance because it might lead to people being only connected to peers which are long-distance in terms of the Internet... In the worst case you will only have peers from another country because some countries have quasi-monopolistic ISP structures: For example, in Germany there is a large variety of ISPs but many of them use the backbones of the former federal phone company, which was converted to a private company less than two decades ago and therefore still has the best infrastructure...

Therefore, it should probably only be enabled with the "NORMAL" security level... and it should be investigated how it behaves in practice. One useful measurement for that would be obtaining an "IP => Country" map and displaying a country flag next to each peer; then even non-Freenet-engineers could figure out whether their node is well connected.

Further, I propose an additional and easier-to-implement improvement against this attack: Provide a configuration option "Do not connect to strangers from my country" which prevents Opennet connections to peers from the same country...

- Attackers are very likely to be from the same country, both federal and commercial ones.
_______________________________________________
Devl mailing list
Devl@freenetproject.org
http://freenetproject.org/cgi-bin/mailman/listinfo/devl
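An added example, not code from this thread or from Freenet: a Python sketch of the two per-subnet policies discussed in the message above, a cap on peers per class-B-sized (/16) range and the quoted "disconnect from both" rule. The class and function names, the /32 grouping for IPv6 and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def subnet_key(addr, v4_prefix=16, v6_prefix=32):
    """Network used for grouping peers; a /16 is the old class-B size.
    The IPv6 /32 grouping is an assumption, not something from the thread."""
    ip = ipaddress.ip_address(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

class SubnetPeerPolicy:
    """Tracks connected peers per subnet (hypothetical helper).

    mode="cap":       refuse a peer once max_per_subnet peers share its subnet.
    mode="drop_both": on a collision, refuse the new peer and return the peers
                      already connected from that subnet for disconnection.
    """
    def __init__(self, mode="cap", max_per_subnet=1):
        if mode not in ("cap", "drop_both"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.max_per_subnet = max_per_subnet
        self.peers = defaultdict(set)  # subnet -> set of peer addresses

    def offer(self, addr):
        """Return (accepted, peers_to_disconnect) for a candidate peer."""
        current = self.peers[subnet_key(addr)]
        if addr in current:
            return True, []            # already connected, nothing changes
        if self.mode == "drop_both" and current:
            evicted = sorted(current)  # existing peers in the same range
            current.clear()
            return False, evicted
        if self.mode == "cap" and len(current) >= self.max_per_subnet:
            return False, []
        current.add(addr)
        return True, []

    def subnets_in_use(self):
        """Map of subnet -> peers, the raw data for a connectivity check."""
        return {str(k): sorted(v) for k, v in self.peers.items() if v}

if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges).
    policy = SubnetPeerPolicy(mode="cap", max_per_subnet=1)
    for a in ("198.51.100.7", "198.51.100.200", "203.0.113.5"):
        print(a, policy.offer(a))
    print(policy.subnets_in_use())
```

Counting how many distinct subnets `subnets_in_use()` returns over time is one way to observe the connectivity cost the message warns about.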