On 4/5/06, Matthew Toseland <toad at amphibian.dyndns.org> wrote:
>
> That, unfortunately, is a very interesting question, which we have not
> fully addressed yet. Several options have been proposed. One is to
> expose the topology of the network, or at least a local part of it. This
> is not as radical as it sounds as our current implementation of
> switching does this anyway, admittedly as a side-effect. Further,
> something like this will be necessary for (reasonably well performing)
> premix routing, which is necessary to have good resistance to attacks
> by supposedly trusted peers. Once we have the topology, we can analyse
> it to see what parts of it are likely to be bogus, and we can enforce
> swaps. This is not implemented yet on Freenet :).

Do you mean that the neighbour who delivers the swap message enforces
swaps by also informing all the node's other neighbours?

For my application, exposing local topology is a little testy.  But I
see how it would be impossible to enforce location swaps without doing
so, since someone who didn't like a potential swap location could just
invent a set of neighbour distances that make the swap very unlikely. 
In that case, swapping might as well be completely on the honour
system, which might be OK, but isn't preferable.

Have you thought much about using TPM chips to authenticate "honest"
software instances to each other?  Sure, they're made for evil DRM
applications, but I think there could be ways to use them for the
purposes of good :)

> > * How do you prevent a node from using multiple routing locations,
> > each with different neighbours, to improve its findability?
>
> See above. One thing you can exploit is that it is generally difficult
> to convince somebody to trust you under two completely different
> identities; this *may* help to do some network analysis to establish the
> credibility of a node; I've also thought about some sort of scoring
> system.

Yes, but you might decide to masquerade as a different node entirely
to some of your neighbours.  I guess that wouldn't break routing if
you were doing swaps honestly for each "node" you were operating,
though.

> >
> > * How do you prevent nodes from spoofing other nodes' locations as an 
> > attack?
>
> In a swap request? Only way you can do this is by some sort of
> enforcement, and with only credible nodes permitted to participate in
> swapping.

Not in a swap request, but in general.  For example, suppose the
thought police knew the freedom fighters were operating a node at
location A.  What stops them from attaching thousands of new nodes up
to the network, all claiming that they are location A in order to suck
legitimate messages for A to their nodes and intercept them?

How tolerant is your messaging scheme to multiple nodes with the same
routing location?  I guess any decentralized addressing scheme is
vulnerable to this type of attack, and most probably more so than the
type of trust network we're dealing with here.

> The main advantage of using MH is that it can scale almost indefinitely.
> If you don't need this you're better off with something more well known,
> more well tested and more well studied.

For me, one of the main advantages is the anonymous nature of the
transient routing locations.

>
> We have a plugin API for things which use the basic Freenet
> functionality already (fetching stuff, inserting stuff). I have been
> thinking about an API for apps which deal directly with peers, for
> things like local filesharing or instant messaging. It might be possible
> to run your app on this, or we might want to provide a low level plugin
> interface for stuff that uses routing.

A local messaging API that provided location management would probably
be enough for me.

Ryan
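
The point above about invented neighbour distances, as an added example that is not part of the original message or of Freenet's code. It assumes the Metropolis-Hastings swap rule accepts with probability min(1, D1/D2), where D1 and D2 are the products of node-to-neighbour distances before and after the swap, and that the two nodes are not direct neighbours. All locations are constructed and the function names are hypothetical.

```python
import math

def circ_dist(a, b):
    """Distance between two locations on the circular keyspace [0, 1)."""
    d = abs(a - b) % 1.0
    return min(d, 1.0 - d)

def log_edges(loc, neighbour_locs):
    """Log of the product of distances from loc to each neighbour."""
    return sum(math.log(max(circ_dist(loc, n), 1e-12)) for n in neighbour_locs)

def swap_probability(loc_a, nbrs_a, loc_b, nbrs_b):
    """min(1, D1/D2): D1 = edge-length product now, D2 = after swapping."""
    before = log_edges(loc_a, nbrs_a) + log_edges(loc_b, nbrs_b)
    after = log_edges(loc_b, nbrs_a) + log_edges(loc_a, nbrs_b)
    return 1.0 if after <= before else math.exp(before - after)

def compare_reports(loc_a, nbrs_a, loc_b, claimed_b, observed_b):
    """Swap probability from B's own claim vs. from neighbour locations
    A learned independently (e.g. from exposed local topology)."""
    return (swap_probability(loc_a, nbrs_a, loc_b, claimed_b),
            swap_probability(loc_a, nbrs_a, loc_b, observed_b))

# Constructed sample: A and B each sit far from their own neighbours,
# so an honest swap shortens every edge.
A_LOC, A_NBRS = 0.10, [0.55, 0.60, 0.48]
B_LOC, B_REAL = 0.52, [0.12, 0.08, 0.15]
# B does not want location 0.10 and reports neighbours near 0.52 instead.
B_CLAIMED = [0.51, 0.53, 0.50]

if __name__ == "__main__":
    p_claimed, p_observed = compare_reports(A_LOC, A_NBRS, B_LOC, B_CLAIMED, B_REAL)
    print(f"using B's self-reported neighbours: {p_claimed:.3f}")
    print(f"using independently observed neighbours: {p_observed:.3f}")
```

With only self-reported inputs the requesting node sees a swap that looks legitimately unlikely; the gap between the two results is visible only when neighbour locations can be checked against another source.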
