On Thursday 02 December 2010 19:49:19 xor wrote:
> > For example, we could make 1) more difficult if, any time we see two peers
> > in the same class-B address range, we disconnect from both of them, or at
> > least never route anything to either of them.
>
> Restricting the amount of connections from an IP subnet is definitely
> something which should be implemented.
>
> However this might screw up performance because it might lead to people being
> only connected to peers which are long-distance in terms of the Internet....
> In the worst case you will only have peers from another country because some
> countries have quasi-monopolistic ISP structures: For example in Germany
> there is a large variety of ISPs but many of them use the backbones of the
> former federal phone company which was converted to a private company less
> than two decades ago and therefore still has the best infrastructure....
Well, from a security point of view, connecting mostly to people in other jurisdictions is probably a good thing.

>
> Therefore, it should probably only be enabled with the "NORMAL" security
> level...

Right.

> and it should be investigated how it behaves in practice.

Yeah...

>
> One useful measurement for that would be obtaining a "IP => Country" map

Care to find one?

> and
> displaying a country flag next to each peer, then even non-Freenet-engineers
> could figure out whether their node is well connected.

I don't see what you mean by well-connected here.

>
> Further, I propose an additional and easier to implement improvement against
> this attack: Provide a configuration option "Do not connect to strangers from
> my country" which prevents Opennet connections to peers from the same
> country...
> - Attackers are very likely to be from the same country, both federal and
> commercial ones.
>

Interesting possibility, similar to some other networks. I'd be a bit worried about impact on routing - given the small performance bias in opennet, isn't it possible that the nearby peers location-wise are all in your country?
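
Added example, not part of the original message and not Freenet code: a sketch of the "two peers in the same class-B range" rule discussed in the thread, which also reports how many peers survive it, the performance concern raised in the quoted reply. The peer names, addresses, function names and the IPv6 prefix length are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample peer list (name, address); most peers sit on one backbone.
PEERS = [
    ("peer-a", "10.1.2.3"),
    ("peer-b", "10.1.200.9"),
    ("peer-c", "10.1.77.1"),
    ("peer-d", "10.9.0.5"),
    ("peer-e", "192.168.4.4"),
]

def subnet_key(addr, v4_prefix=16, v6_prefix=32):
    """Return the enclosing network used to group a peer.

    /16 is the old "class B" size from the thread. The IPv6 prefix is an
    assumption; the thread only talks about IPv4 ranges.
    """
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address must be grouped with its IPv4 peers.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def partition_peers(peers, v4_prefix=16):
    """Split peers into (kept, excluded) under the shared-range rule.

    Every peer whose range is shared with another peer is excluded. Whether
    "excluded" means disconnecting or only not routing to the peer is a
    policy decision for the caller; the partition is the same either way.
    """
    groups = defaultdict(list)
    for name, addr in peers:
        groups[subnet_key(addr, v4_prefix)].append(name)
    kept, excluded = [], []
    for names in groups.values():
        (kept if len(names) == 1 else excluded).extend(names)
    return sorted(kept), sorted(excluded)

def kept_fraction(peers, v4_prefix=16):
    """Share of peers still usable after the rule is applied."""
    kept, _ = partition_peers(peers, v4_prefix)
    return len(kept) / len(peers) if peers else 0.0

if __name__ == "__main__":
    kept, excluded = partition_peers(PEERS)
    print("kept:", kept)
    print("excluded:", excluded)
    print("fraction kept:", kept_fraction(PEERS))
```

With the sample list, three of five peers share one /16 and are all excluded, which is the kind of loss a node behind a dominant backbone would see.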