On Thursday 03 January 2008 01:49, Michael Rogers wrote: > Matthew Toseland wrote: > > "Local" = direct peer. If we use one tunnel per local pseudo-identity, it > > might work, but there is still a very high chance that the node sending the > > request is the originator. > > Right, but that's also the case at the moment: if requests travel n hops > on average then there's a 1/n chance that the previous hop is the > initiator. I don't see how you can get away from that without onion routing.
Indeed. Which is why afaics we need onion routing. Would tunneling without onion routing increase our vulnerability? It looks like it might to me. > > > OTOH if we use more than one tunnel, either local > > collusion or rerouting may make life *much* easier for the attacker. > > Yes, we should keep the number of linkable tunnels to a minimum. > > > Makes it easier to track down the origin node for a swarm of requests once it > > reaches the request stage. Maybe that's not such a big deal. > > If tunnels do their job then it doesn't matter if an attacker can find > the last node in the tunnel. It's still good to avoid it if possible. Consider it a minor issue. > > > For performance most users would likely want the node to use multiple tunnels > > for a single splitfile, and arguably this is a security issue: if the > > attacker receives the tunnel, and doesn't like its contents, he can > > trickle-feed it as an effective DoS. > > Users who value performance over anonymity could use multiple tunnels > per splitfile and/or shorter tunnels. I'm just saying that for maximum > anonymity, the tunnels should be long enough that any node could be the > initiator, and the number of linkable tunnels should be minimised (eg > one tunnel per Frost ID per session rather than one per message). Sure, and from time to time they will be DoSed and they will have to reroute. Or they will route through a series of overloaded nodes and have to reroute. Even here we end up with multiple tunnels. > > > For > > premix routing, any effective attack requires that the tunnel exit node is > > owned by the attacker, and usually at least one node prior to that also. > > True, I'm not suggesting that tunnels are as strong as premix routing, > but on the other hand they don't require revealing the topology or > distributing (and agreeing on) public keys for every node in the cell. Yes but swapping already requires we reveal a lot of the topology, that's not a big deal IMHO. It partly depends on what you think about local attackers - without premix routing, local attackers are extremely powerful. > > Cheers, > Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <https://emu.freenetproject.org/pipermail/devl/attachments/20080104/9f5d4692/attachment.pgp>
