On Tuesday 05 February 2008 21:10, Robert Hailey wrote: > > On Feb 4, 2008, at 7:24 PM, Michael Rogers wrote: > > > Matthew Toseland wrote: > >> Swapping creates this problem. Or does it? Could you perhaps do > >> some simulations of two networks of different sizes weakly linked > >> and show whether they get independant location spaces, or whether > >> swapping tries to put one of them within the global keyspace for > >> the other? > > > > Here's a quick simulation that shows that two weakly-connected > > subnets move into separate regions of the key space. Each subnet has > > an ideal Kleinberg topology and starts out uniformly distributed > > across the whole key space, and there are also a few random links > > between the subnets - this is meant to represent what would happen > > if you created a few links between two mature networks, or between a > > real network and a Sybil network. > > > > I couldn't be bothered to do a nice GUI so the output is just a > > series of histograms: on each line the key space is divided into 20 > > regions, and each column shows the number of nodes from the first > > subnet in that region. Initially there are roughly 50 nodes in each > > region, but swapping causes the subnets to segregate so that > > eventually most regions are almost exclusively occupied by one > > subnet or the other. > > > > It's kind of interesting to compare this with "white flight" in > > sociology... > > > > Cheers, > > Michael > > Ok. I see it Michael's way now. > > I'm not sure to what degree this effects our present network, but when > graphed out, the individual location movements from this swapping > simulator often mirror zothar's previous graph (of location jumping); > and while one network is making a hole in the other, the sliding/ > compression looks just like what I saw previously as network rotation. > > This is quite a problem. In fact, this may be the fundamental problem > with swapping. Because of this, a sybil network could presently even > choose which segment of the keyspace to occupy with very few links. > > The same network coloring/routing logic *might* be applicable to > swapping. That is, to simply confine swaps to the network they came > from. I'm not aware of another way to both secure sybil nets from > invasion and keep major keyspaces separate. Unfortunately it has the > obvious problem of a dependency feedback loop: > > (1) swaps are fundamental to routing, > (2) routing is required for my auth-ping idea, > (3) these auth pings are required for secured network-id coloring, > (4) then... could we use the network id's to modify swapping??? > > It seems like the network-id idea would have to be changed to be a > little more relaxed; either by not effecting swapping until we have > computed the assigned network-ids (fall-open while in transition), or > by simply accepting (for the moment) the most common network id from > our peer set (rather than strictly random id on startup). > > My question is, *if* such an idea is considered valid and in such a > case how could we be assured that us labeling and isolating a subnet > is not what *keeps* it labeled as a subnet because it's routing is > messed up for lack of swapping? I guess that would require all the > bordering nodes to consider that simultaneously, which would be a rare > and unstable condition in a well connected network.
Over short distances we can expose the topology, does that help? The other problem with swapping - which may also be a fatal flaw, and may be another variant of the same bug - is that an attacker can send bogus swap requests, which can be catastrophic. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <https://emu.freenetproject.org/pipermail/devl/attachments/20080205/ad1f5925/attachment.pgp>
