[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Router twins are obsolete?



Ok, I'm convinced enough to leave them in for now. If we find a more
compelling reason that leaving in support for them is getting hard,
we'll revisit the question then.

On Sat, Aug 23, 2003 at 07:14:42PM -0400, Paul Syverson wrote:
> > However, we're not planning to do reply onions anymore, because rendezvous
> > points are more flexible and more robust.
> 
> However, rendezvous points have not been completely spec'ed, implemented
> or analyzed. So we only have educated guesses so far about what is preferable.
> Also, reply onions might be used in a complementary or orthogonal way,
> we just haven't examined this area enough to say one way or another.

I should note that last I checked, we don't have any proposal for reply
onions + incremental path building, except for supporting both separately,
which I guess wouldn't necessarily be so bad.

> > B) If Alice chooses a path and a node in it is down, she needs to choose
> > a whole new path (that is, build a whole new onion). This endangers her
> > anonymity, as per the recent papers by Wright et al.
> Don't want to be distracted too much by this. Since it is the
> entry/exit points that matter as far as analysis we've done has shown
> (and possibly those adjacent to them depending on the configuration),
> the attendant assumptions of those attacks does not show them an
> imminent practical threat to OR type systems.

Another reason this may not be a problem is that the user doesn't reveal
his intended destination until the circuit-build is successful. Morphmix
has a similar security argument. (Though remember that choosing nodes
for their exit policies starts to degrade this security argument.)

> On the other hand we've also had some recent looks at doing load balancing
> for anonymity not just performance. Not based on router twins, but we
> haven't even considered how router twins play in there. 

True. More research remains, as always. Anybody want to solve this one
for us?

> > E) Surprising jurisdiction changes. Imagine Alice choosing an exit

> Yeah, but this is easily handled by listing the members of a twin in
> the directory servers.

True.

>  In fact, a moderate amount
> of twinning might make the need to check which nodes are up or down
> almost nonexistent. Hmmm.

That would definitely be a different network design. Reminds me a lot
of reencryption networks. Could be good to pursue.

--Roger