[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
From: Mirimir <mirimir@xxxxxxxxxx>
Date: Fri, 25 Jan 2019 17:44:49 -0700
Autocrypt: addr=mirimir@xxxxxxxxxx; prefer-encrypt=mutual; keydata= xsBNBFEN49cBCADWl1VZKYO8L+f/65G2nBWzh41VTAZDcJSxMWXrBSvpJzzLt6sJf0L0Rjmy W4VPxJMCm/32auRAp8Xx1iNmBpvYENSM1YJVWfk43tlSOY8CR3TVODMxWPhUu48Pb9OKSntz WHGwdZmOr14zF9vr4PaS9A6+Hyt9FPKuGcQFw7K8jK1Hpp5XgdY/DMHKeaJykJ8JH1HBTFTT OJdxIWu6cZ+spNaNfKdnNjk98hMPw69isVGzcm7b3lJUsjVnMSqnrtZ8CSIv1njyxJH7NB5n LzrE7EiXR37k+4Poc9/DeLSAKrq5N3ZMpX1EDOoXFa8lLVGWHBTwVN/tl7FLM0NmVuL5ABEB AAHNHG1pcmltaXIgPG1pcmltaXJAcmlzZXVwLm5ldD7CwIEEEwECACsCGyMGCwkIBwMCBhUI AgkKCwQWAgMBAh4BAheAAhkBBQJafNQ7BQkNMVdkAAoJEGINZVEXwuQ+5LoIAKyZQDkNqj+Y E26o1bdEQlmOLhhXev45euNCnaFrnbOyKLivHdF4vvXyWBTzJmCsoRxTJ0A3Zmwa3ZihbKaU FCAdRgspLfA+TGICVYOztB+faWV18k5OTCk7ZiBQ/mOMQA4p3RPOV+UCgdelvZRHrFdUgHro dho/FqZhRoPdsPPB08QBisDO7SfFMMe9U9EZ03n4f2TvMgaTjK/kZCopwgLj2nB11SnCYfWJ jxUFDs+VFObf/jSK8T0SX9O6p430NWZm30vutUVac9lfodMjBcJqTnFxmZrwQomlCYGvSqNw 4Xy5+/gBzv/flXHngQSU053smHRtrMlGK5OU1RSixDfOwE0EUQ3j1wEIAMDcexhcaIO5jpl+ SHM14zuBvF2QG61IpH4Lag6nQmSMTljizuJg2kLaLbfc69AxmjuL5obqYi5ywXn4kQKqiwfa OHvVlKn662/J5YgXuc8tRLyqvgb+hibtAnlhWAuusP0eoQQP6SAASRjtrb8RVapTzJXy2Snf PtkcdtkTLLLcyeGoDOkpPkspnnp8avvI9ayzhGFLg9qNWaIuBMudxT6oHK4rZH+Sv6km9viI /ziV6E8Z+PpvMsGdebeYBLQA7ueuTbyOGbDyProwvocrKynI/UM40VYS8bS1PjWtljUlj7Vx 8C/746hnfdge0m24jnaWfu5UDjwpsHzs/JXqklsAEQEAAcLAZQQYAQIADwIbDAUCWnzURgUJ DTFXbwAKCRBiDWVRF8LkPsCjCACNvnnmpcDwEbtXUFZD/+ewNlPfM9o0mIXgi7DIVR9MVCw/ u14+mJUlQny4jPRV+hv/erjbiqEcVPZ296J3I4kUvO4slI+ZyODsRQSzwMz6ihwC6nN1xove YSBzVKKQrV+FDHVk6dJVLtgPdewOR9ZAar7mEbCLTJZ/e5aVb+NrlC1jWx3V3mMGCKOsEHhu 97cu3AswlxhzqPjczTo3rjtcfxdjeGU6mIEEAlhUlVDdfbGLODIyCXrP39zYxYXFFpVcbGAu +cndl1AQkIXUiMoJuzTMU8TQ+zz8yLof9fB7Y8O8VbmZBPQqN2IiHPeGbfqZjk/uHjJQUayI +beL0kxL
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 25 Jan 2019 19:45:06 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1548463492; bh=3ArQGEgaAZfCP2yP5dgXkSY0dhwP7n/JM2WpgdzhfZ8=; h=Subject:To:References:From:Date:In-Reply-To:From; b=VJDO7OLbw2nO06HOJ2wHP25jeRQe2NooPQ09lJuNpfTQeJCp2WwSWMvjtDxe9GtoD Qg5cQsPitnK+/s8vLLDoF/0o4ggzzhLA1ZxvbiYOlMbX8qwswOwzpMS1XAjgOqu68d BPi4q4kIVMvrIFnqC6GpPFZhlWizjroIdHhcCT+k=
In-reply-to: <CAFWeb9+rNAkYX92excBoFJTseD6Ptr8mFRvvD70yRGuszcojvg@mail.gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Openpgp: preference=signencrypt
References: <HXwpNCWjFk4e2L_6zcYxLDgv-Qb3514OXwnOavdDO8haFbdSW69fDWFZ_fOcnhARa6-B_34aYSKHpplk_Bh0Vn1JjaMzZf9w1UgfhY7AHBE=@protonmail.com> <alpine.LRH.2.21.1901221030320.22674@bofh.nohats.ca> <Fs3dwg5FjE0HpV-F3u72sNT7vcfiDCWpdnrD-N5Jmpu2Kd10kGYcAlEPHrwnkQz8FW691nRdHKGPH7_cdJUzxIlE1wqtnW3I_Bn5GFcdioY=@protonmail.com> <alpine.LRH.2.21.1901241154360.26176@bofh.nohats.ca> <CAD2Ti2-8Gb_-KiNMuJ7N-uViQEJse_nj9NBpNgo+LfZFn+u2Hg@mail.gmail.com> <CAFWeb9J9WjK+Q2BpU6Uwa88jt8NMMG9MoNoQ=mGqYJVyv8MaXQ@mail.gmail.com> <ec43d3b6-3d59-59fb-4e44-64fc099d651f@riseup.net> <CAFWeb9JWaGPfdmvFXQ3U0OuF907htEYp4F1JYjfC+_63go4mCA@mail.gmail.com> <5e462c8c-80f8-2998-522e-75dcef7a7277@riseup.net> <CAFWeb9+rNAkYX92excBoFJTseD6Ptr8mFRvvD70yRGuszcojvg@mail.gmail.com>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On 01/25/2019 04:32 AM, Alec Muffett wrote:
> On Fri, 25 Jan 2019, 10:43 Mirimir <mirimir@xxxxxxxxxx wrote:
> 
>>
>> I don't do audio on this box.
> 
> 
> I'll wait; most questions about "what do [I] mean?" are answered in that
> video.

OK. Hopefully you point to some resources for learning that stuff.

> Let's say that I have a bunch of VPS, running Tor and OnionCat. Each has
>> the others' OnionCat IPv6 addresses in its /etc/hosts. Now I can use any
>> app that talks TCP/IP, without customization (except re latency).
>>
> 
> How are you going to inhibit leaks and connections to "promiscuous" service
> listener-sockets over the LAN interface? Perhaps firewalls? Yet more /
> additional server misconfiguration opportunities?

Yes, with OnionCat, you're on an open LAN. So I use restrictive iptables
rules for IPv6. Just as I do for IPv4. I drop all packets by default,
and allow only required addresses and ports.

> Safer, instead, for the client to be clear and explicit about what manner
> of network address it wishes to connect to.

I suppose. But way back when, one could have used the same argument
against development of TCP/IP. Perhaps you do. But damn, it'd be a very
different Internet. And perhaps you would have preferred that. Yes?

> I'm sure that one could write code that did all the same stuff, using
>> actual v3 onion hostnames.
> 
> 
> 
> I've done similar hacks using /etc/hosts:
> 
> https://github.com/alecmuffett/the-onion-diaries/blob/master/basic-production-onion-server.md
> 
> ... but that is mostly a server-side convenience, and not strictly
> necessary.

OK, thanks.

> .What do you mean by "services"?
> 
> 
> As above.
> 
> 
> If all you have is SOCKS5, you're pretty
>> limited.
> 
> 
> My experience suggests otherwise, and I am calling for expansion in this
> space.
> 
> 
> you use shims like AF_X25. I never had to use that, but I'm sure that
>> OnionCat is far less hassle.
>>
> 
> How many systems do you have using it?
> 
> -a

My friends and I use OnionCat quite heavily. We're interested in
reliable private networking for mutually anonymous servers. Primarily as
a capability, and not for any particular application. But for example,
say that one must transfer filesystem images or VMs, for backup or
sharing. We've found that bbcp (using the MPTCP kernel, with multiple
OnionCat interfaces) works very well for that.

Stuff that requires UDP transport is especially problematic with Tor.
Private Docker registries, for example. We've tested a few VPNs in TCP
mode, but nothing has proved as reliable as OnionCat. It is necessary to
use custom wrappers, I admit, because the stock systemd service is quite
fragile. Or maybe it's just that OnionCat is no longer maintained.

In recent years, my friends and I have played with various P2P networks
(such as Freenet, BitTorrent and various VoIP apps) and distributed
filesystems (such as LizardFS, QFS and Tahoe-LAFS). The P2P stuff tends
to work well enough with Tor+OnionCat. But high latency tends to be
problematic for distributed filesystems (albeit less so for Tahoe-LAFS).

I appreciate concerns about overloading the Tor network. However, it's
arguable that increased traffic among onions, as chaff, would actually
improve anonymity for other users. And it's my understanding that it's
exit bandwidth that's most limited. But OnionCat puts no explicit load
on exit-only relays.

From https://metrics.torproject.org/bandwidth-flags.html I get that
relays without the exit flag (middle relays and most guards) are
underutilized. Currently, 110 Gbit/s out of 240 Gbit/s is consumed.
That's less than 50%, on average. Also, it's my impression that, given
Tor's relay-selection logic, only the fastest non-exit relays get much
use at all. And based on a recent thread on tor-relays, even some
high-speed non-exit relays see only ~20% utilization.

Anyway, that's why I value OnionCat. If I had to, I could learn to use
v3 onion sockets. But I fear that it would be painful.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
  - From: grarpamp
- Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
  - From: Alec Muffett
- Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
  - From: Mirimir
- Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
  - From: Alec Muffett
- Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
  - From: Mirimir
- Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
  - From: Alec Muffett

Prev by Author: Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
Next by Author: Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
Previous by thread: Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
Next by thread: Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address
Index(es):
- Author
- Thread