Matthew Toseland wrote: > The 50% chance of decrementing > at 10 means that 3 resets equals 6 nodes with HTL 10...
It's more complicated than that... if the HTL is 10 and the closest location isn't the previous hop's location, then the attacker knows the previous hop doesn't decrement at 10. Likewise if the HTL is 9 and the closest location isn't the previous hop's location, the previous hop decrements at 10. Either way, the attacker can use that knowledge for the rest of the session. > When an attacker gets a tunneled request, he knows 1) there is a 20% chance > that the node is the originator, and 2) that he is close to the originator, > because he is early on the route: the tunnel is only active at the beginning. Longer tunnels would help in both cases (at a cost, of course). Ideally the tunnels would be long enough to reach any node with equal probability, but maybe that's not realistic... Let's say we need an average of 10 hops. A weighted coin gives an exponential hop count distribution (actually geometric but close enough), so 25% of tunnels will have <= 2.9 hops, 50% will have <= 6.9 hops, 75% will have <= 13.9 hops. Likewise the attacker will know there's a 25% chance the initiator is within 2.9 hops, etc. (Not sure how to handle the rounding here but you get the picture.) > For a regular request, the HTL can be 10 much later on in the request. In > which case the predecessor sample is useless, and the key is likely close to > the location of the attacker. Good point about the distance - can the attacker give less weight to samples where the requested key is close to the attacker, on the assumption that they're more likely to have travelled several hops already? > Somewhere on this thread you said that the probability of two related tunnels > coming from the same node is independant of that node being the originator. I > don't understand that. I didn't mean that exactly - the fact that both tunnels pass through X *does* suggest that X is the initiator, I'm just saying it's irrelevant where they go after leaving X. An attacker doesn't learn any more by linking two tunnels that pass from X to different neighbours than he learns by linking two tunnels that pass from X to the same neighbour, because the paths of the tunnels are independent, so the fact that they did or didn't part company at X doesn't tell the attacker anything about where they originated. It was a minor point really. Cheers, Michael
