Matthew Toseland wrote:
>> It's more complicated than that... if the HTL is 10 and the closest
>> location isn't the previous hop's location, then the attacker knows the
>> previous hop doesn't decrement at 10.
>
> It's a function of the input node, not the output node.

So each node makes a separate decision about whether to decrement max HTL requests arriving from each peer (and presumably a separate decision for local requests)? That seems to reduce the anonymity set in a different way: if I receive an HTL=10 request and an HTL=9 request from a peer, I know that only one of them can be local, and I know that if they're not local they came from different upstream peers.

> The problem is that a weighted coin would increase the
> variance in path length *significantly*,

Do we have any idea what the variance currently is?

> cause more no-fault timeouts,

True.

> cause more no-fault failures (too short a path),

DNF after a short search isn't a big deal, we can always try again.

> make request coalescing extremely difficult,

On the contrary, coalescing would be simplified: all requests can be expected to travel the same distance on average, so they can be coalesced in the same way requests with equal HTL are currently coalesced.

> and likewise with ULPRs.

I don't know enough about ULPRs to comment.

> Is there an alternative?

A weighted coin is the only possibility that reveals /nothing/ about how far the request has travelled so far, because it carries no state. I'm not saying that makes it an ideal choice, but perhaps that makes it a good starting point for designing an alternative to the current mechanism - an alternative that reveals a quantifiable amount of information.

> 10 hops is quite
> expensive... do we want to have it customisable-per-request? Paranoid
> requestors would then stick out... OTOH this might be best, 99% of people
> will use the default setting.

IMO it shouldn't be customisable. If some of the traffic flowing through my node belongs to unusually paranoid or unusually confident people who modify the weight of the coin, my anonymity is reduced even though I stuck with the default.

> How much information does an attacker gain from linking two
> tunnels from the same X ? A fairly high confidence that X is the originator,
> surely? Higher than the 10% or 20% we're talking about above...?

For each possible initiator, the attacker would have to work out the probability of two random walks from that initiator reaching X - or maybe the conditional probability of the second random walk reaching X, given that the first random walk reached X? For X, the conditional probability is 1. For each n-hop neighbour of X it's roughly 1/degree^n. So yeah, if two linked tunnels emerge from X, X is far more likely than any other node to be the initiator.

Cheers,
Michael
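
Added example, not part of the original message: a simulation of the stateless weighted coin discussed in this thread, assuming each node stops the request with probability 0.1 (a weight chosen here to give a mean of 10 hops; the thread does not fix one). It measures the path-length variance and the share of very short paths, and shows that the expected remaining distance is the same however far a request has already travelled, which is the sense in which the coin carries no state.

```python
import random
import statistics

STOP_P = 0.1  # assumed coin weight: mean path length 1/0.1 = 10 hops


def walk_length(stop_p, rng):
    """Hops travelled when every node independently stops with prob stop_p."""
    hops = 1
    while rng.random() >= stop_p:
        hops += 1
    return hops


def simulate(stop_p=STOP_P, trials=200_000, seed=1):
    rng = random.Random(seed)
    return [walk_length(stop_p, rng) for _ in range(trials)]


def analytic(stop_p=STOP_P):
    """Mean and variance of a geometric path length on {1, 2, ...}."""
    return 1 / stop_p, (1 - stop_p) / stop_p ** 2


def short_path_fraction(lengths, max_hops=2):
    """Share of requests that end within max_hops ('too short a path')."""
    return sum(1 for n in lengths if n <= max_hops) / len(lengths)


def percentile(lengths, q):
    ordered = sorted(lengths)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def mean_remaining(lengths, already):
    """Mean hops still to go for requests that survived `already` hops."""
    return statistics.fmean(n - already for n in lengths if n > already)


if __name__ == "__main__":
    lengths = simulate()
    mean, var = analytic()
    print(f"analytic  mean={mean:.1f} var={var:.1f} sd={var ** 0.5:.2f}")
    print(f"simulated mean={statistics.fmean(lengths):.2f} "
          f"var={statistics.pvariance(lengths):.1f}")
    print(f"ended within 2 hops: {short_path_fraction(lengths):.3f}")
    print(f"95th percentile: {percentile(lengths, 0.95)} hops")
    for k in (0, 3, 8):
        print(f"after {k} hops, mean remaining={mean_remaining(lengths, k):.2f}")
```

With this weight the standard deviation is close to the mean itself, and roughly one request in five ends within two hops, while an observer at any hop sees the same expected remaining distance.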
