[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] edits throughout
Update of /home/freehaven/cvsroot/doc/routing-zones
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/routing-zones
Modified Files:
routing-zones.tex
Log Message:
edits throughout
Index: routing-zones.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.tex,v
retrieving revision 1.57
retrieving revision 1.58
diff -u -d -r1.57 -r1.58
--- routing-zones.tex 29 Jan 2004 05:43:42 -0000 1.57
+++ routing-zones.tex 29 Jan 2004 05:58:58 -0000 1.58
@@ -95,8 +95,8 @@
of independently operated networks called {\em autonomous systems}
(ASes). By considering the topology of the underlying Internet routing,
we can assess the vulnerability of existing mix networks to certain classes
-of adversary. Specifically, we define a {\em jurisdictional
-independence} metric that reflects the probability that the path to the
+of adversary. Specifically, our {\em jurisdictional
+independence} metric reflects the probability that the path to the
entry point of a mix network and the path from the exit point will
traverse the same AS. We then consider the topologies and node
selection algorithms of two existing mix
@@ -112,18 +112,19 @@
Tarzan~\cite{freedman:ccs02} and MorphMix~\cite{morphmix:fc04}, are
likely to be ineffective at achieving jurisdictional independence.
-Next, we measure the jurisdictional independence of paths inside the mix
-network. We find that, given existing mix network topologies, the
-Mixmaster and Tor node selection algorithms will frequently create paths
-that can be observed by a single AS. Fortunately, longer mix paths
-significantly reduce the likelihood that a single AS can observe a
-significant fraction of links in the path.
+Next, we measure the jurisdictional independence of paths inside
+the mix network. We find that for short paths, given existing mix
+network topologies, the Mixmaster and Tor node selection algorithms
+will frequently create paths that can be observed by a single AS.
+Longer mix paths greatly reduce the likelihood that a single AS can
+observe a significant fraction of links in the path.
Finally, using a model of typical senders and receivers in anonymity
networks, we measure the likelihood that a single AS can observe both
the path from the initiator to the entry node and the path from the exit
node to the responder; we find that entry and exit paths resulting from
-random node selection are likely to be observed by a single AS between
+random node selection---even when the initiator never chooses the same node
+for both entry and exit---are likely to be observed by a single AS between
10\% and 30\% of the time, depending on the location of the initiator
and responder, and that the single AS that can observe these paths is
always a backbone ISP. We conclude that a slightly different node
@@ -805,7 +806,7 @@
all of of the links on the mix network path. Second, Tor's node
selection algorithm (i.e., the onion routing scheme) provides
significant protection against observation at multiple links, but this
-node selection scheme helps Mixmaster less. For example, a four-hop
+node selection scheme helps the Mixmaster topology less. For example, a four-hop
path constructed from Tor nodes without node replacement will be
observed by a single AS on all links with probability 0.06, whereas a
four-hop path constructed with node replacement will be observed with
@@ -917,7 +918,8 @@
located in a tier-1 ISP, and thus will not have to cross other tier-1
ISPs en route to the entry point.
-\section{Design Recommendations and Future Work}\label{sec:design}
+\section{Design Recommendations and Future Work}
+\label{sec:design}
In light of our analysis, which has shown that certain ASes have
considerable eavesdropping capabilities on mix networks, we propose two
@@ -928,11 +930,8 @@
\subsection{Explicit Consideration of AS-level Paths}
-Our results suggest that
-%, to reduce the probability of eavesdropping
-%attacks using dispersal,
-designers and users of mix networks should
-take into account the underlying AS-level paths of each path in the mix
+Our results suggest that designers and users of mix networks should
+take into account the underlying AS-level paths of each link in the mix
network. Mix network paths can be made more safe if senders increase
the jurisdictional independence of the paths they use, by explicitly
choosing entry and exit nodes to avoid traversing the same AS upon entry
@@ -955,11 +954,6 @@
to reduce the probability that inter-node paths traverse the same AS.
But as mix networks expand, would nodes in certain ASes help to achieve
diversity better than others?
-%An interesting avenue for future work would be to explore which ASes
-%would have the most impact
-%would be most suitable for new nodes.
-%which mix network designers should place nodes as they expand their
-%networks.
Our results suggest that mix nodes
in edge networks (e.g., cable modem and DSL providers,
@@ -1002,13 +996,11 @@
\section{Conclusion}
We propose that mix networks aiming to achieve jurisdictional diversity
-%In this paper, we have proposed that, when designing with dispersal,
-%mix networks
should consider the underlying AS-level paths. Our paper
brings to light several interesting and important results:
-\begin{itemize}
-\item While conventional wisdom and previous systems have proposed
+\begin{tightlist}
+\item While previous systems have proposed
selecting nodes from disjoint IP address prefixes to select nodes in
different jurisdictions, we have shown that this technique is not
sufficient to achieve jurisdictional independence.
@@ -1021,18 +1013,25 @@
probability is less than 0.05 for both the Tor and Mixmaster
topologies.
-\item We have analyzed common entry and exit paths to existing mix
- network topologies and shown that, in general, given random entry and
- exit node selection, a single AS will be able to observe both the
+\item Figures~\ref{fig:as_observe} and~\ref{fig:as_observe_75} show
+ that the intra-network diversity for the Tor topology is equivalent to
+ that of the Mixmaster topology. That is, at least against observation
+ attacks from a single AS, a newborn network with nodes almost entirely
+ in the US is as robust as a mature network like Mixmaster.
+
+\item We analyzed common entry and exit paths in existing mix
+ network topologies. We show that given random entry and
+ exit node selection, even when the initiator chooses distinct entry and
+ exit nodes, a single AS will be able to observe both the
entry and exit path to the mix network between 10\% and 30\% of the time.
However, if the initiator chooses entry and exit nodes with
- jurisdictional independence in mind, she can prevent all such attacks.
-\end{itemize}
+ jurisdictional independence in mind, she can prevent most such attacks.
+\end{tightlist}
-This work brings to light an important insight that should guide the
-future design and deployment of anonymity networks: to improve mix
-networks, designers must have a better understanding of Internet
-topology. This paper is an important first step in this direction.
+%This work brings to light an important insight that should guide the
+%future design and deployment of anonymity networks: to improve mix
+%networks, designers must have a better understanding of Internet
+%topology. This paper is an important first step in this direction.
%% This area has been overlooked in the past; considering network
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/