[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: no circuit loops?
On Sat, Oct 25, 2003 at 06:33:34AM -0400, Paul Syverson wrote:
> all the worse for enclave level protection. The upshot is that I
> think we should probably require loops to be at least ABCA. Comments?
>
I probably should have noted that this means loops will be on at least
five hop routes, which should be rare given the distribution. I'm
realizing that this is reproducing some of the thought that led to a
default of five hops in the original onion routing design. There were
some different assumptions, which I won't spell out now. Note that
enclave level protections really change these assumptions. If most
circuits are just two hops, then just a single link observer will be
able to tell that two enclaves are communicating with high probability.
So, it would seem that enclaves should have a four node minimum circuit
to prevent trivial circuit insider identification of the whole circuit,
and three hop minimum for circuits from an enclave to some nonclave
responder. But then... we would have to make everyone obey these rules
or a node that through timing inferred it was on a four hop circuit
would know that it was probably carrying enclave to enclave traffic.
Which... if there were even a moderate number of bad nodes in the
network would make it advantageous to break the connection to conduct
a reformation intersection attack. Ahhh! I gotta stop thinking
about this and work on the paper some before the family wakes up.
-Paul