[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)

On Thu, May 20, 2010 at 07:44:51AM -0400, andrew@xxxxxxxxxxxxxx wrote:
> On Thu, May 20, 2010 at 01:31:47PM +0200, tor@xxxxxxxxxxxxxx wrote 0.9K bytes in 19 lines about:
> : >From what I understand, yes, at the moment both "partners" have to list
> : each other. That's what the fuss is all about, because this becomes hard
> : to manage when you run a lot of nodes.
> Yes, this is how MyFamily works.  Each node in the family must be
> configured to list all other nodes in the family.  If I start up node
> Alice, and list Bob and Mallory in MyFamily, Bob must list Alice and
> Mallory, and Mallory must list Alice and Bob.  If Mallory lists Alice
> and Bob, but neither Alice nor Bob list Mallory, it's not a valid
> Family.  Otherwise, Mallory could list every node in the network and
> screw everyone.  Or list all nodes in the network but 3 and shunt all
> traffic through those 3, etc.

Glad I read this thread through to the end. This was what I was
going to say, only not as well as Andrew.

It is possible however, to have some value to allowing some asymmetry,
viz: if Alice lists Bob_1, ..., Bob_1000 in her family, but no Bob
lists Alice, then a path selection that chooses both Alice and Bob_i
will be rejected, but one that lists Bob_i and Bob_j will be just fine.
This is not how MyFamily works now (or am I wrong ?).
But that could change. The only paths Alice could then
affect would be ones that choose her.
The point is not just that the attacks Andrew mentioned are no
longer possible. It is also true that someone who mananged to set
MyFamily on only some of his nodes would still cause those paths to
be avoided. S/he may or may not have covered the entire family by this
process, but s/he can cover the entire family by setting MyFamily
in half of them, perhaps a little less overhead.

Perhaps this is what various people were alluding to when they said
that there is no attack in letting one node set MyFamily and having it
only affect itself thereby? The above is not an unqualified
recommendation, however. Besides the fifty percent configuration
overhead savings for people with large families. I like that a
partially set family provides some of the intended function rather
than just failing completely, but (a) It's off the top of my head, (b)
There may be other more subtle attacks than the obvious ones Andrew
was mentioning, (c) The added complexity of it being OK to do
something less complete than setting this at all nodes may lead to
more people getting it wrong more often so that the graceful failure
is more than offset. (d) I haven't thought about implications for
complexity of path selection, distribution of directory info, etc.
They may render any benefit too expensive. 
All that said, it is perhaps worth at least considering.

To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/