[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freehaven-dev] Anonymizing system for IPTPS

To: Andrei.Serjantov@cl.cam.ac.uk
Subject: [freehaven-dev] Anonymizing system for IPTPS
From: Michael J Freedman <mfreed@MIT.EDU>
Date: Wed, 06 Feb 2002 18:35:30 -0500
Cc: freehaven-dev@freehaven.net, waldman@scs.cs.nyu.edu,dm@scs.cs.nyu.edu
Delivered-To: archiver@seul.org
Delivered-To: freehaven-dev-outgoing@seul.org
Delivered-To: freehaven-dev@seul.org
Delivery-Date: Wed, 06 Feb 2002 18:35:32 -0500
Reply-To: freehaven-dev@freehaven.net
Sender: owner-freehaven-dev@freehaven.net

Hi Andrei,

I recently read your paper "Anonymizing Censorship Resistant Systems"

  http://www.cl.cam.ac.uk/~aas23/Anon_p2p2.ps

for the upcoming peer-to-peer workshop at MIT.  It makes several
interesting points.  I had some questions and thought I'd offer some
comments....

My basic read seems to be that you are distributing content via a
mix-net chain, one block at each link.  You further add one layer of
indirection between publisher and storer.

I had these thoughts:

-- Resource Management (Trivial Flooding)

What's to stop:

  X inserts 100 Gig into the system.  
  Storers store it.
  No more space in the system.

You'll note that Free Haven and Tangler both try to make stories for
this: Free Haven talks about trading shares precisely to add some
fungible resource (disk space * time).  Tangler talks about tickets
(allocated via out-of-bounds means.)

-- Accountability

A storer agrees to store a file.  It drops the file.  

Pastry tries to make some assumptions about smart cards, but these
make me quite uncomfortable.  In an open peer-to-peer system, anybody
can join, thus pseudo-spoofing is a problem: a user creates X servers.
Everytime they get a request they just drop it.  This cuts down on the
fault-tolerance of your system.

Now, it seems like you are trying to use PAST to load balance in case
of normal (non-malicious) failure, but I don't really understand that:

-- Use of PAST

You mention that you build on top of something like PAST for efficient
lookup, etc.  I wish we could have had these nice building tools when
thinking about Free Haven  =)

PAST is giving you some nice replication, load-balancing,
fault-tolerance.  At least, normal applications using PAST/Pastry
would.  You allude to this in the 2nd to last paragraph in the
dicussion, but don't describe at all how the use of PAST ties into the
use of mixnet reply blocks.  (These reply-blocks are very brittle --
any break in the chain will cause the block to fail -- but anyway,
that's another issue).  If we publish r_a, who knows r_s: 1. if a goes
away, it's lost (nobody else can decrypt the onion) 2. if s goes away,
it's lost.  I don't see how PAST helps?

-- Minor: if you could give a table or something of variables it would
   be helpful, I found myself looking back over several times to
   figure out what everything meant.

-- Minor: the citation for Free Haven leaves out the third author, David
   Molnar.  For simplicitly, I included several bibtex references
   which may be useful below.

Quite a bit of the complexity (share trading, reputation) with Free
Haven is that we were trying to handle these resource management and
accountability issues, esp. focusing on promising long-term storage.
The real reason we never implemented it was that we weren't convinced
it would actually solve these problems, so we decided to wait until we
believed them more.

One of the arguments for entanglements for Tangler is actually the
following: one reason a legal attacker could be target an mp3 tangled
with the Declaration of Independence is that, in the US under the
DMCA, they would have to swear, under penalty of perjury, that they
own the rights to the object.  Obviously, they don't own the rights to
the Declaration of Independence, so the legality is much trickier...

Anyway, I thought I should also mention that I'll be presenting at the
workshop about Tarzan, which is a low-level anonymizing network for
any IP traffic -- I'm connected via it right now :) I think it's
something that many systems, like Free Haven, Tangler, or your's,
might consider for all anonymous communication requestions.

Thanks,
--mike




@inproceedings{freehaven,
  title = {The {F}ree {H}aven {P}roject: Distributed Anonymous Storage Service},
  author = {Roger Dingledine and Michael J. Freedman and David Molnar},
  crossref =     {dpet},
  pages = {67--95},
  note = {\URL{http://freehaven.net}},
}

@inproceedings{freenet,
  title = "Freenet: A Distributed Anonymous Information Storage and Retrieval System",
  author = {Ian Clarke and Oscar Sandberg and Brandon Wiley and Theodore W. Hong},
  crossref =     {dpet},
  pages = {46--66},
  note = {\URL{http://freenet.sourceforge.net}},
}

@Proceedings{dpet,
  title =        {Designing Privacy Enhancing Technologies: International Workshop on Design Issues
 in Anonymity and Unobservability},
  booktitle =    {Designing Privacy Enhancing Technologies: International Workshop on Design Issues
 in Anonymity and Unobservability},
  year =         2001,
  editor =       {Hannes Federrath},
  volume =       2009,
  series =       {Lecture Notes in Computer Science},
  publisher =    {Springer-Verlag},
  isbn = "3-540-41724-9"
}



-----
"Not all those who wander are lost."                  mfreed@mit.edu

Follow-Ups:
- [freehaven-dev] (FWD) Re: Anonymizing system for IPTPS
  - From: Roger Dingledine <arma@mit.edu>

Next by Date: [freehaven-dev] (FWD) Re: Anonymizing system for IPTPS
Next by thread: [freehaven-dev] (FWD) Re: Anonymizing system for IPTPS
Index(es):
- Date
- Thread