Matthew Toseland wrote:
>> Right, but that's also the case at the moment: if requests travel n hops
>> on average then there's a 1/n chance that the previous hop is the
>> initiator. I don't see how you can get away from that without onion routing.
> 
> Indeed. Which is why afaics we need onion routing. Would tunneling without 
> onion routing increase our vulnerability? It looks like it might to me.

How would it increase our vulnerability? The attacker already knows
there's a high probability that the previous hop is the initiator. But
currently, the attacker gets one sample per request. With tunneling, the
attacker would get one sample per tunnel.

> Sure, and from time to time they will be DoSed and they will have to reroute. 
> Or they will route through a series of overloaded nodes and have to reroute. 
> Even here we end up with multiple tunnels.

Yup, we can't avoid rebuilding failed tunnels, but as long as each
tunnel carries more than one request on average it's still an
improvement over the current situation (at least in terms of anonymity -
obviously there's a cost in terms of hop count).

> Yes but swapping already requires we reveal a lot of the topology, that's not 
> a big deal IMHO.

The information in swap requests can be more or less anonymised, can't
it? (Locations but no long-term node IDs, maybe a weighted coin instead
of a hop counter?)

> It partly depends on what you think about local attackers - 
> without premix routing, local attackers are extremely powerful.

Tunnels should slow down local statistical attacks.

Cheers,
Michael
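
A toy model of the sampling argument in this message, added as an example and not taken from the thread or from the project's code. It assumes an observer with 10 neighbours, one of which is the initiator, n = 5 hops, non-initiator predecessors spread uniformly over the other neighbours, and a stream of requests the observer can link together; all names and parameters are hypothetical.

```python
import math
import random
from collections import Counter

def samples_seen(requests, per_tunnel):
    """Observations the attacker gets: one per tunnel.
    per_tunnel=1 models the current one-sample-per-request situation."""
    return math.ceil(requests / per_tunnel)

def identify_rate(samples, hops=5, neighbours=10, trials=1000, seed=1):
    """Fraction of trials in which the initiator (node 0) is the unique
    most frequent predecessor after `samples` observations.
    Assumed model: predecessor is the initiator with probability 1/hops,
    otherwise a uniformly chosen other neighbour (nodes 1..neighbours-1)."""
    rng = random.Random(seed)  # fixed seed so results are repeatable
    hits = 0
    for _ in range(trials):
        seen = Counter()
        for _ in range(samples):
            if rng.random() < 1.0 / hops:
                seen[0] += 1
            else:
                seen[rng.randrange(1, neighbours)] += 1
        top = seen.most_common(2)
        if not top:
            continue  # no observations, nothing to guess from
        unique = len(top) == 1 or top[0][1] > top[1][1]
        if unique and top[0][0] == 0:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    requests = 400  # constructed workload: 400 linkable requests
    for per_tunnel in (1, 5, 20):
        s = samples_seen(requests, per_tunnel)
        print(f"{per_tunnel:>2} requests/tunnel -> {s:>3} samples, "
              f"initiator singled out in {identify_rate(s):.0%} of trials")
```

Tunnels that fail and are rebuilt lower the average number of requests per tunnel, but any average above 1 still reduces the number of samples compared with per_tunnel=1.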
