
[freehaven-cvs] patches throughout



Update of /home/freehaven/cvsroot/doc/routing-zones
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/routing-zones

Modified Files:
	routing-zones.bib routing-zones.tex 
Log Message:
patches throughout


Index: routing-zones.bib
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.bib,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- routing-zones.bib	28 Jan 2004 17:44:53 -0000	1.14
+++ routing-zones.bib	28 Jan 2004 19:10:44 -0000	1.15
@@ -197,7 +197,7 @@
 
 @misc{e2e-traffic,
   author = "Nick Mathewson and Roger Dingledine",
-  title = "",
+  title = "Practical Traffic Analysis: Extending and Resisting Statistical Disclosure",
   howpublished = {Manuscript},
   month = {January},
   year = {2004},
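Review bot: the new title string on the `title =` line has no brace protection, so bibliography styles that recase titles will lowercase most of "Practical Traffic Analysis: Extending and Resisting Statistical Disclosure". If the title case is intended, wrap the value in an extra pair of braces. The entry also mixes quote-delimited (author, title) and brace-delimited (howpublished, month, year) fields; picking one form would keep the file consistent.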

Index: routing-zones.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.tex,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -d -r1.37 -r1.38
--- routing-zones.tex	28 Jan 2004 19:00:31 -0000	1.37
+++ routing-zones.tex	28 Jan 2004 19:10:44 -0000	1.38
@@ -43,14 +43,13 @@
 domain. Further, many paths between nodes, and between nodes and popular
 endpoints, traverse the same domains.
 
-we show that the designs in tarzan and morphmix to ensure node
-independence by examining IP prefix are ineffective
-
 We define a \emph{jurisdictional independence} metric to characterize
-the vulnerability of an anonymity network to this adversary, assess
-the stability of the two networks (how much vulnerability
-changes by adding or removing a few nodes), and suggest ways to improve
-the independence of anonymity networks in general.
+the vulnerability of an anonymity network to this adversary,
+% assess
+%the stability of the two networks (how much vulnerability
+%changes by adding or removing a few nodes),
+and suggest ways to improve
+the diversity of anonymity networks in general.
 
 \end{abstract}
 
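Review bot: the closing clause of the abstract now says "improve the diversity of anonymity networks" while the same sentence defines a \emph{jurisdictional independence} metric, and a later hunk in this commit changes "jurisdictional diversity" back to "jurisdictional independence". Pick one term and use it in both places. The three `%` lines left in the middle of the sentence ("% assess" through "%changes by adding or removing a few nodes),") should be deleted rather than commented out, since CVS keeps the old wording. The removed Tarzan/MorphMix sentence also means the abstract no longer mentions the IP-prefix result that the introduction still claims.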
@@ -63,13 +62,14 @@
 to curious ISPs, % to subpoena-wielding religious fanatics
 can passively observe large pieces of the Internet. Anonymity
 networks aim to provide communications privacy for individuals or
-groups on the Internet, but such networks are still vulnerable to powerful
+groups on the Internet, but these networks are still vulnerable to
+such powerful
 eavesdroppers. Against high-latency \emph{mix networks} such as Mixmaster
 \cite{mixmaster-spec}, an adversary who observes a large volume of
 network traffic can notice over time that certain recipients are more
 likely to receive messages after particular senders have transmitted messages
 \cite{disad-free-routes,statistical-disclosure,e2e-traffic}. Low-latency
-networks like Onion Routing~\cite{tor-design} are more directly
+networks like Onion Routing~\cite{tor-design,or-jsac98} are more directly
 vulnerable: an eavesdropper on both ends of the connection can quickly
 link sender to recipient through packet counting or timing attacks
 \cite{defensive-dropping,SS03}.
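Review bot: `\cite{tor-design,or-jsac98}` introduces the key or-jsac98, but the routing-zones.bib change in this commit only fills in the e2e-traffic title. Confirm that an or-jsac98 entry already exists in routing-zones.bib, otherwise this line produces an undefined citation. The reflowed sentence also leaves "such powerful" alone on a short line; rewrapping the paragraph would keep later diffs smaller.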
@@ -80,11 +80,11 @@
 messages and reorders them before they exit, to hinder the adversary
 from learning which message in the batch originated from a given
 sender~\cite{chaum81,trickle02}.
-\item {\bf{Padding:}} Senders provide decoy traffic, as well as normal
+\item {\bf{Padding:}} Senders provide decoy traffic as well as normal
 traffic, to complicate the adversary's attempts to correlate sender and
 receiver~\cite{langos02,pipenet,defensive-dropping}.
 \item {\bf{Dispersal:}} Reducing the chance that the adversary sees
-both endpoints for a given communication can entirely block some
+both endpoints for a given communication may entirely block some
 attacks on low-latency networks, and slow down intersection attacks on
 high-latency networks.
 \end{tightlist}
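Review bot: in the Padding item, dropping the comma after "decoy traffic" leaves the one after "normal traffic" unpaired, so "decoy traffic as well as normal traffic, to complicate" now reads as a stray pause; remove that comma too. In the Dispersal item, "may entirely block some attacks" hedges twice ("may" and "some"); keep whichever qualifier matches what the measurements support.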
@@ -96,10 +96,11 @@
 topology so messages can enter or exit at more places in the network
 (compared to a cascade topology~\cite{disad-free-routes});
 or by \emph{jurisdictional arbitrage} --- coordinating network behavior
-so each transaction includes multiple administrative domains, or jurisdictions.
+so each transaction is spread over multiple administrative domains,
+or jurisdictions.
 
-In this paper, we investigate a variant of jurisdictional arbitrage by
-taking advantage of the fact that the Internet is divided into thousands
+In this paper, we investigate a variant of jurisdictional arbitrage that
+takes advantage of the fact that the Internet is divided into thousands
 of independently operated networks called {\em autonomous systems}
 (ASes). By considering the topology of the underlying Internet routing,
 we can assess the vulnerability of existing mix networks to certain classes
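Review bot: the rewritten sentence "spread over multiple administrative domains, or jurisdictions" treats the two terms as synonyms, and the next paragraph then maps them onto autonomous systems. An AS is an operational boundary, not necessarily a legal one, so a clause stating that the paper uses ASes as its working definition of a jurisdiction would make the threat model explicit at the point the term is introduced.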
@@ -111,36 +112,35 @@
 traverse the same AS.  We then consider the topologies and node
 selection algorithms of two existing mix
 networks---Tor~\cite{tor-design} and
-Mixmaster~\cite{mixmaster-spec}---and evaluate the independence metric
-for these networks.
+Mixmaster---and evaluate the independence metric for these networks.
 
-This paper presents several interesting results.  
+This paper presents several interesting results.
 First, we find that both Tor and Mixmaster have multiple mix nodes in
 the same autonomous system.  Users of these networks should take care to
 avoid selecting two nodes from the same AS.  In light of this, we argue
-that node selection algorithms used in previous systems, such as
+that node selection algorithms that look only at IP prefixes, such as
+those used in
 Tarzan~\cite{freedman:ccs02} and MorphMix~\cite{morphmix:fc04}, are
 likely to be ineffective at achieving jurisdictional independence.
 
-Next, we measure the jurisdictional independence of intra-mix network
-paths and find that, given existing mix network topologies, the
-Mixmaster and Tor selection algorithms will nearly always create
+Next, we measure the jurisdictional independence of paths inside the
+mix network. We find that given existing mix network topologies, the
+Mixmaster and Tor path selection algorithms will nearly always create
 paths that can be observed by a single AS in multiple locations.  We
-also discover that, because paths between mix nodes often cross the same AS,
+also discover that because paths between mix nodes often cross the same AS,
 a user's vulnerability to eavesdropping does not decrease proportionally
 with the number of mix nodes in the path.
 
 Finally, using a model of typical senders and receivers in anonymity
-networks we measure the likelihood that a single AS can observe both the
-path from the sender to the entry node and from the exit node to the
-receiver; we find that entry and exit paths resulting from random entry
-and exit node selection are often likely to be observed by a single AS
-between 10\% and 30\% of the time, depending on the sender and receiver,
-and that the single AS that can observe these paths is always a backbone
-ISP.  Users of these networks should take care to select mix nodes to
-minimize the likelihood that the entry path and exit path for the mix
-network do not traverse the same AS.
-
+networks, we measure the likelihood that a single AS can observe both
+the path from the initiator to the entry node and the path from the exit
+node to the responder; we find that entry and exit paths resulting from
+random node selection are likely to be observed by a single AS between
+10\% and 30\% of the time, depending on the location of the initiator
+and responder, and that the single AS that can observe these paths is
+always a backbone ISP.  We conclude that with a small change in the node
+selection algorithm, users of these networks can minimize the likelihood
+that their entry path and exit path traverse the same AS.
 
 \section{Background}
 
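Review bot: the last paragraph of this hunk switches to "initiator" and "responder", but its opening context line still reads "a model of typical senders and receivers", so one sentence now uses both vocabularies; update that line or keep sender/receiver throughout. The new closing claim, "with a small change in the node selection algorithm, users of these networks can minimize the likelihood", is stronger than the advice it replaces and should point to the section that describes the change. The Mixmaster mention also loses its `\cite{mixmaster-spec}` while Tor keeps `\cite{tor-design}` in the same sentence.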
@@ -174,7 +174,7 @@
 
 Anonymity networks aim to protect against a wide variety of both passive
 and active attacks~\cite{back01,raymond00}. Such attacks generally
-fall into two categories: attacks inside the network, and endpoint
+fall into two categories: attacks inside the network and endpoint
 attacks. Attacks inside the network aim to partition anonymity sets
 through passive observation~\cite{disad-free-routes,minion-design}
 or active traffic manipulation~\cite{trickle02}, or otherwise reduce
@@ -916,26 +916,31 @@
 
 \subsection{Improving Jurisdictional Independence with Node Placement}
 
-Our analysis of inter-mix network paths suggest that currently deployed
+Our analysis of inter-mix network paths suggests that currently deployed
 mix networks could benefit from increased diversity in node placement,
 to reduce the probability that inter-node paths traverse the same AS.
-An interesting avenue for future work would be to explore the ASes in
-which mix network designers should place nodes as they expand their
-networks. 
+But as mix networks expand, would nodes in certain ASes help to achieve
+better diversity than others?
+%An interesting avenue for future work would be to explore which ASes
+%would have the most impact
+%would be most suitable for new nodes.
+%which mix network designers should place nodes as they expand their
+%networks. 
 
-Our results suggest that that mix nodes that
-are placed in edge networks (e.g., cable modem and DSL providers,
+Our results suggest that mix nodes
+in edge networks (e.g., cable modem and DSL providers,
 universities, etc.) are likely to traverse the same AS on both the
 inbound and outbound paths to those nodes.  Far-flung node locations
-that provide significant geographical diversity are likely to actually
+that provide significant geographical diversity, such as nodes in Asia,
+are likely to actually
 {\em reduce} jurisdictional independence, because such nodes do not
-typically have diverse AS-level connectivity.  Rather, the best places
-to place nodes for mix networks is likely to be in ASes that have {\em
+typically have diverse AS-level connectivity.  Rather, the best place
+for new nodes is likely to be in ASes that have {\em
 high degree}---that is, those that connect to a large number of other
 ASes.  Ironically, the ASes with the highest degree tend to be tier-1
-ISPs; this suggests that placing one node in each tier-1 ISP and
-building mix paths between those nodes may be a reasonable strategy for
-increasing jurisdictional diversity.  Exploring this question is an
+ISPs themselves; thus placing one node in each tier-1 ISP and
+building mix paths between those nodes may be the best strategy for
+increasing jurisdictional independence.  Exploring this question is an
 excellent direction for future work.
 
 
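Review bot: "may be the best strategy" replaces "may be a reasonable strategy", yet the following sentence still says "Exploring this question is an excellent direction for future work"; the stronger wording is not supported by an unexplored question, so keep "a reasonable strategy" or cite the result that justifies "best". The subject of "mix nodes in edge networks ... are likely to traverse the same AS" is still the nodes, although it is the paths to those nodes that traverse ASes. The added "such as nodes in Asia" is a broad generalization with no supporting data in the visible text. The five commented-out draft lines beginning "%An interesting avenue for future work" should be deleted.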
@@ -962,9 +967,11 @@
 
 \section{Conclusion}
 
-In this paper, we have proposed that, when designing with dispersal,
-mix networks should consider the underlying AS-level paths.  Our paper
-brings to light several interesting, important results:
+We propose that mix networks aiming to achieve jurisdictional diversity
+%In this paper, we have proposed that, when designing with dispersal,
+%mix networks 
+should consider the underlying AS-level paths.  Our paper
+brings to light several interesting and important results:
 
 \begin{itemize}
 \item While conventional wisdom and previous systems have proposed
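Review bot: the new opening sentence is split by two commented-out lines between its subject ("mix networks aiming to achieve jurisdictional diversity") and its verb ("should consider"), which makes the source hard to read and easy to break in a later edit; delete the `%` lines. It also uses "jurisdictional diversity" while the bullet below and the node placement section (changed in this same commit) use "jurisdictional independence".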
@@ -972,23 +979,23 @@
   different jurisdictions, we have shown that this technique is not
   sufficient to achieve jurisdictional independence.
 
-\item We have analyzed the AS-level path properties of existing mix
-  networks and have found the likelihood of crossing the same AS more
-  than once along a mix network path to be a near certainty.  The
-  likelihood that a single AS will usually be able to observe more than
-  75\% of the edges along a mix path for paths longer than 3 nodes.
+\item We analyzed the AS-level path properties of existing mix
+  networks and found the likelihood of crossing the same AS more
+  than once along a mix network path to be a near certainty.  Similarly,
+  it is almost always the case
+  that a single AS will be able to observe more than
+  75\% of the links along a mix path with more than 3 hops.
 
 \item We have analyzed common entry and exit paths to existing mix
   network topologies and shown that, in general, given random entry and
   exit node selection, a single AS will be able to observe both the
   entry and exit path to the mix network between 10\% and 30\% of the time.
-  However, achieving jurisdictional independence for entry and exit
-  paths is possible, as long as the sender chooses entry and exit
-  nodes with jurisdictional independence in mind.
+  However, if the initiator chooses entry and exit nodes with
+  jurisdictional independence in mind, she can prevent all such attacks.
 \end{itemize}
 
-This work brings to light an important insight that should guide the design
-and deployment of anonymity networks in the future: to improve mix
+This work brings to light an important insight that should guide the
+future design and deployment of anonymity networks: to improve mix
 networks, designers must have a better understanding of Internet
 topology.  This paper is an important first step in this direction.
 
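Review bot: "she can prevent all such attacks" in the last bullet overstates what the paper claims elsewhere; the introduction in this same commit only says users "can minimize the likelihood" that entry and exit paths traverse the same AS. Suggest wording such as "she can greatly reduce the chance of such observation". In the second bullet, "paths longer than 3 nodes" became "a mix path with more than 3 hops", which is not the same threshold, so check it against the measured data. That bullet now uses "We analyzed" while the third still begins "We have analyzed".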
