Hi Michael,
So, do I understand correctly then that if my Freenet node sends out a packet 
to my ISP (to be forwarded on to your Freenet node) that packet will feature:
- Encrypted content about which my ISP can know virtually nothing (unless it 
has the relevant private key);
- A UDP protocol header
That is, until the packet content is decrypted, there is nothing in the header 
to indicate that the packet is a "Freenet packet". So it's like having a 
Freenet packet hidden behind encryption within the content part of the packet? 
(Although I guess the encrypted Freenet packet would have to be broken up 
across a number of packets). Or am I completely off the mark?

And where is the initial handshake done? I would have thought that a handshake 
only becomes possible once the packet content is decrypted. That is, my ISP and 
your ISP look at the header of the packet I send and then send it through to 
the Freenet port on your machine, believing it to be something other than it 
is. I mean, isn't it only when your Freenet node decrypts the packet content 
that it is able to see the Freenet protocol? 

Your comment about malicious opennet nodes finding darknet friends to use as 
entry points into darknets is interesting. I would assume that once one darknet 
node is found in such a manner, the IP addresses of all nodes on the relevant 
darknet could then be discovered. That is, if my opennet node has a darknet 
friend, doesn't this mean that I have effectively amalgamated the relevant 
darknet into the opennet? If so, this "darknet friend" business seems like a 
dangerous idea. Or am I missing something here?

Oh, and finally, do I understand correctly that a denial of service attack on 
Freenet would actually cause the Freenet webpage being attacked to become more 
- rather than less - available?! That is, a barrage of requests for the webpage 
would in fact proliferate it across the network?

Sorry to throw all these questions at you. I'm mulling over a hypothesis that 
networks such as Freenet and TOR are vulnerable to being entirely shut down in 
autocratic states unless they can attract large groups of mainstream users. 

Thank you very much for your comments.

Peter

----------------------------------------
> Date: Mon, 7 Apr 2008 00:17:15 +0100
> From: m.rogers at cs.ucl.ac.uk
> To: tech at freenetproject.org
> Subject: Re: [Tech] Would it be possible to effectively shutdown Freenet 
> within the PRC?
> 
> Peter Rosenmai wrote:
>> Chinese ISPs could simply look
>> for and block the Freenet protocol, couldn't they?
> 
> Hi Peter,
> 
> It's certainly possible in theory, but I'm not sure whether it can be 
> done with the technology they're currently using.
> 
> First, it might be difficult to detect the Freenet protocol reliably: as 
> far as I know all parts of the protocol are encrypted or obfuscated, 
> even the initial handshake.
> 
> Second, I don't think internet traffic within China passes through the 
> same filters as international traffic.
> 
> Third, the international routers don't perform the filtering themselves, 
> they send a copy of every packet to a separate piece of equipment that 
> kills connections that match certain rules by sending forged TCP RST 
> packets to both ends of the connection. Freenet uses UDP rather than 
> TCP, so sending TCP RSTs wouldn't work, but perhaps they have another 
> way of filtering UDP.
> 
>> 2. Would it be possible for the PRC to run Freenet nodes in order to
>> determine the IP addresses of other nodes within China?
> 
> Yes. Freenet users can choose between 'darknet' mode, in which they only 
> connect to their trusted friends, and 'opennet' mode, in which the node 
> automatically finds other nodes to connect to. Opennet users can also 
> have darknet friends. By running an opennet node the Chinese government 
> could discover opennet users in China very easily. With additional 
> effort it might be possible to follow the darknet connections of the 
> opennet users to discover some or all of the darknet users too.
> 
>> 3. Is it true that the PRC has previously blocked Freenet? If so, how
>> was this achieved?
> 
> The protocol was previously based on TCP and there were some plaintext 
> bytes in the initial handshake that could be used to identify a Freenet 
> connection. Nowadays the protocol's based on UDP and as far as I know 
> there are no plaintext fields any more.
> 
> Cheers,
> Michael
> _______________________________________________
> Tech mailing list
> Tech at freenetproject.org
> http://emu.freenetproject.org/cgi-bin/mailman/listinfo/tech
