[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[freehaven-cvs] finish first draft of wpes04 slides

To: freehaven-cvs@freehaven.net
Subject: [freehaven-cvs] finish first draft of wpes04 slides
From: arma@seul.org (Roger Dingledine)
Date: Sat, 16 Oct 2004 02:59:23 -0400 (EDT)
Delivered-to: archiver@seul.org
Delivered-to: freehaven-cvs-outgoing@seul.org
Delivered-to: freehaven-cvs@seul.org
Delivery-date: Sat, 16 Oct 2004 02:59:48 -0400
Reply-to: freehaven-dev@freehaven.net
Sender: owner-freehaven-cvs@freehaven.net

Update of /home/freehaven/cvsroot/doc/routing-zones
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/routing-zones

Modified Files:
	slides-notes 
Log Message:
finish first draft of wpes04 slides


Index: slides-notes
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/slides-notes,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- slides-notes	15 Oct 2004 08:47:23 -0000	1.1
+++ slides-notes	16 Oct 2004 06:59:21 -0000	1.2
@@ -81,59 +81,140 @@
 
 Many different families of locations
 
-Areas controlled by a single country, state, company, ...
+E.g. Areas controlled by a single country, state, company, ...
+
+E.g. Nodes running the same operating system or class of software.
 
 We focus here on the family of locations that are ISPs. More
 correctly, \emph{autonomous systems} (ASes).
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+AS-level paths
+
+The key insight is that while we typically think of a connection as going
+from Alice to Node1, actually it traverses many different ASes for that
+single hop.
+
+Paths based on policies, not just shortest-path
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+Need to passively estimate paths
+
+Can't pull down all routing tables; can't traceroute.
+
+Used Oregon RouteViews Project data to learn adjacencies.
+
+Mao et al's [24] estimation technique is >80\% right.
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+Location independence metric
+
+What is the chance that some AS is on both the path from Alice to the
+mix-net, and also the path from the mix-net to Bob?
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+Question one
+
+Is considering IP prefix good enough?
+
+Tarzan, Morphmix, etc recommend this.
+
+Not the same. In practice, we see several cases of same-AS nodes
+with different prefixes
+
+Of the 5 pairs in Mixmaster in the same AS, three have different class
+A prefixes!
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
-The key insight is that while we typically think of a connection as going
-from Alice to Node1, actually it traverses many different ASes for that
-single hop.
+Question two (1)
 
-This is how BGP works in a slide.
+How much can one AS attack inside the network?
 
-Used Oregon RouteViews Project data -- Mao says our passive AS-level
-path estimation technique will probably be >80% right.
+This lets him follow a transaction (easier than doing stats).
 
-Location independence metric: what is the chance that some AS is on both
-the path from Alice to the mix-net, and also the path from the mix-net
-to Bob?
+Also means we're not getting the full protection of n hops
+that we thought we were.
 
-Looking at IP prefix is not the same. In practice, we see several cases
-of same-AS nodes with different prefixes -- many of those are even in
-different class A prefixes.
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
-Attacks inside the network.
- - to follow a transaction
- - to weaken the defenses tor gets from using 3 hops.
+Question two (2)
+
+Top two AS-level between-node observers in the US, to both Tor and
+Mixmaster: Level 3 and Abovenet
+
+Together they watch over half the links in the Tor network.
+
+Choosing paths without replacement helps: a 4-hop Tor path can be observed
+by a single AS with prob .10, compared to .16 if replacement is allowed.
+
+Don't forget that forward paths may be different from reverse paths.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+Question three
+
+How much can one AS attack the endpoints?
+
+Remember that it's sufficient to look at endpoints of the network,
+both for low-latency or high-latency networks.
 
-Sufficient to look at endpoints of the network.
 Endpoints can be first and last node, but they can also be Alice and Bob.
 
 We picked some reasonable sounding Alices and Bobs, mostly in the US.
 
-Top two AS-level between-node observers in the US, to both Tor and
-Mixmaster: Level 3 and Abovenet
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+Endpoint attacks are an issue
+
+Given random entry and exit points, a single AS will often be
+able to win 10\% to 30\% of the time.
+
+It's possible to reduce this to almost 0.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+Node placement
+
+With US-based Alices and Bobs, adding a far-flung node (e.g. in Asia)
+*hurts* us, not helps.
 
 Best node placement for protection against the AS-level adversary is in
 ASes that have the most links to other ASes: tier-1 ISPs.
 
-Future work:
-- Do this analysis for different location metrics, such as countries.
-- Consider Alices and Bobs outside the country.
-- Caching at exit nodes (when feasible) changes the equation.
-- Do we *hurt* anonymity by restricting path choices, against larger
-  adversaries who can take advantage of knowing our algorithm?
-- How to get routing info to Alice in a practical way?
-- Akamai? Different routing; also dangerous observer.
-- How sensitive is this metric to adding or subtracting a few nodes?
-- What about repeated web fetches, using different entry and exit points
-  each time -- how quickly does Alice's location independence degrade?
-- Others?
+A given transaction is safest when Alice, Bob, or both are in tier-1 ISPs.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+Future work (1)
+
+Consider a more diverse set of Alices and Bobs.
+
+How to get routing table to Alice? Are there practical approximations
+that still work ok?
+
+How sensitive is this metric to adding or subtracting a few nodes?
+
+What about repeated web fetches, using different entry and exit points
+each time -- how quickly does Alice's location independence degrade?
+
+Correlation between speed/reliability of network and its location
+independence?
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+Future work (2)
+
+Do this analysis for different location metrics, such as countries.
+
+Caching at exit nodes (when feasible) changes the equation.
+
+Akamai? Different routing; also dangerous observer.
+
+Do we *hurt* anonymity by restricting path choices, against larger
+adversaries who can take advantage of knowing our algorithm?
 

***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs       in the body. http://freehaven.net/

Prev by Author: [freehaven-cvs] partial draft of notes for wpes04 talk
Next by Author: [freehaven-cvs] typos, minor fixes, and fill-ins
Previous by thread: [freehaven-cvs] partial draft of notes for wpes04 talk
Next by thread: [freehaven-cvs] First version of random grafs of usability chapter
Index(es):
- Author
- Thread