Suppose that we expose the topology of the network, to at least the range of swap requests in each direction. This has some obvious disadvantages, but it has some major advantages too. Given that there is a good chance that a large amount of unintentional information leakage on the network topology is inevitable, we should seriously consider the advantages of simply giving in and exposing the network topology:
1. Accountability in swapping
-----------------------------

If we know what the topology of the network is, we can hold nodes accountable for their alleged swapping. Successful swaps can be public knowledge and can be enforced; if a node refuses to accept a swap which it committed itself to, adjacent nodes can immediately detect this and take sanctions against it. The only risk is that nodes invent imaginary nodes behind them in order to do bogus swaps. However, this can be mitigated just as it can with premix routing.

2. Premix routing
-----------------

If we know the topology for several hops, we can identify a fixed-size, reasonably stable set of nearby nodes in which to hide ourselves, and then for each request or group of requests pick a start node and premix tunnel to there. This gives a good deal of collective security against correlation attacks.

Intersection attacks are more interesting: We need to ensure that our anonymity set is never seriously diminished due to nodes being offline, but we also need to ensure that it is not so dynamic that our node is the only constant in it! Also the anonymity set needs to be the same for all the nodes in it (otherwise it's not much of an anonymity set!), so we require a cellular structure. Obviously there are also the classic intersection attack issues.

Mitigation of virtual node attacks
----------------------------------

(Not an advantage but an issue which needs to be addressed)

Nodes which are not sufficiently trustworthy can be excluded from swapping and premix routing. Trust can be established from the topology itself; I know that I am trustworthy, and that my immediately adjacent peers are probably trustworthy; I can calculate how much grounds I have to believe that a node a few hops away actually exists.
I can also assume that a node is bogus and try to prove a contradiction (based on a couple of other axioms such as "you cannot get two connections to a user's node, because they will know you are the same person"). I have said more about this before.

--
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
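
The two intersection-attack conditions from the premix routing section, checked over a cell's online history. This is an added example, not part of the original message or of Freenet's code. The cell, the node names, the per-epoch observations and the 0.75 threshold are all constructed assumptions, as is the premise that requests in different epochs can be linked to one originator.

```python
# Constructed cell of eight nodes; "A" stands for our own node.
CELL = frozenset("ABCDEFGH")

# Constructed observations: the cell members online in each epoch in which
# requests assumed to be linkable to one originator were seen.
STABLE = [set("ABCDEFG"), set("ABCDEFH"), set("ABCDEGH"), set("ABCDEFGH")]
ROTATING = [CELL - {n} for n in "BCDEFGH"]  # a different peer absent each epoch
CHURNY = [set("ABCDEF"), set("ACDGH"), set("ABEGH"), set("ADFGH")]


def assess_cell(cell, online_per_epoch, min_fraction=0.75):
    """Evaluate a fixed anonymity set (cell) against its online history.

    diminished    : some epoch had fewer than min_fraction of the cell online,
                    so the set was seriously reduced by offline nodes.
    sole_constant : at most one member was online in every epoch, so that
                    member is the only constant in the set.
    min_fraction is an assumed policy value, not taken from the message.
    """
    cell = frozenset(cell)
    candidates = set(cell)
    smallest = len(cell)
    for online in online_per_epoch:
        online = cell & set(online)       # ignore nodes outside the cell
        smallest = min(smallest, len(online))
        candidates &= online              # keep only always-online members
    return {
        "smallest_epoch_set": smallest,
        "diminished": smallest < min_fraction * len(cell),
        "candidates": candidates,
        "sole_constant": len(candidates) <= 1,
    }


if __name__ == "__main__":
    for name, epochs in (("stable", STABLE), ("rotating", ROTATING),
                         ("churny", CHURNY)):
        print(name, assess_cell(CELL, epochs))
```

The rotating case is the one to note: seven of eight members are online in every epoch, so the set never looks diminished, yet the intersection still collapses to a single node.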
