[108286] in Cypherpunks

TCQ/Dial-up Mix Net, comments requested

daemon@ATHENA.MIT.EDU (Frank O'Dwyer)
Thu Feb 11 07:09:26 1999

Date: Thu, 11 Feb 1999 11:46:55 +0000
From: "Frank O'Dwyer" <fod@brd.ie>
To: cypherpunks@cyberpass.net
Reply-To: "Frank O'Dwyer" <fod@brd.ie>

I am looking for a way to establish mixes between dial-up participants.
I've looked at PipeNet and Mixmaster, and am thinking of doing something
along those lines. I've also seen the NRL stuff. Can anyone provide
pointers to other stuff I might look at for ideas and pitfalls? (I'm
aware that this type of thing has been discussed extensively on the list
of course, but I can't locate a searchable archive.)

The basic requirement I have is for dial-up users to dynamically form
lightweight mix networks and forward email-like packets for one another,
without depending on some central service. Initially I will be happy to
get a basic sender-anonymous channel for datagrams (no delivery
guarantee, no ordering guarantee), but a stream interface would be nice.
(How dial-up users discover willing mix participants is out of scope for
the moment, but for example it could be done using IRC or by posting
notices on web pages.)

Comments on the following issues/ideas would also be welcome:

- Guarding against traffic analysis seems to require sending at a fixed
rate, and including padding traffic (cf. PipeNet). This is OK if a slow
user data rate is acceptable (e.g. a small datagram on the order of
every few seconds), but it's onerous for dial-up connections since nodes
must commit a large proportion of their bandwidth to forwarding. Could a
solution which transmitted padding traffic at random intervals work
instead?

- Would DC-nets be a practical alternative to something like
PipeNet/remailer-style nets? (Emphasis on practical...I have only
skimmed the theory of DC nets, it looks like the business, I'd be
interested in comments from someone who's looked at it in more detail.
How hard to implement and how useful in practice? Any patents?)

- If I want to build a fully anonymous connection between A and B, is it
sufficient for A and B to build sender-anonymous connections to C, and
splice those connections together (by requesting C to do forwarding)?
This leaves C in an MITM position, but if A and B are anonymous I'm not
sure that's a problem. If it is a problem, the application can add its
own encryption/authentication on top. (Another method for receiver
anonymity that occurs to me is for the exit node to copy a packet to all
nodes in the mix, sending random data to all but the real receiver. This
too would be a bandwidth hog--if IP multicast were available it might be
workable, but unfortunately it isn't.)

- The anonymity that this can provide seems to be constrained by the
transient nature of the participants. For example, if two parties
regularly participate in such a mix, and use nothing else to enhance
their anonymity, then the fact that they are communicating may become
clear by analysing the endpoints of the mix over time. Nonetheless such
mixes might be useful components of stronger systems (for example a
remailer network could in principle use one as a hop for routing mail). 

- http://www.obscura.com/~loki/remailer-essay.html mentions spam attacks
on remailers that look like replay attacks. I am thinking of using
kerberos-style loose clock synchronisation, sequence numbering, and
replay cache to defend against them, since this makes the storage
requirements a bit more manageable. Is there another approach that
doesn't need the clock synch.?

- How can disrupters be detected? I was thinking of having nodes attempt
to route datagrams back to themselves, and if the message doesn't return
in an acceptable time, mark that route as suspect and lower its priority
when selecting routes. If routes were selected carefully this approach
could eventually weed out nodes that attempted to disrupt (by delaying
or not forwarding).

- (Application-level) spamming is a big problem with a system like this.
I've read some stuff about ecash postage to deal with this, but is
there something more lightweight that could be done to complicate
spamming? For example is it feasible to rate-limit mix links on an
individual basis, or would that introduce traffic patterns that reduce
anonymity?

Cheers,
Frank O'Dwyer.
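
Added example, not part of the original post: a sketch of the loose-clock-synchronisation plus replay-cache defence the post proposes, showing why the freshness window keeps the cache's storage bounded. The class name, the 300-second skew, the SHA-256 digest and the sample packet are assumptions; the timestamp is assumed to arrive integrity-protected inside the packet, and sequence numbering is left out.

```python
import hashlib
import heapq
import struct


class ReplayGuard:
    """Accept a packet once, and only while its timestamp is fresh (hypothetical design)."""

    def __init__(self, max_skew=300.0):
        self.max_skew = max_skew   # tolerated clock difference in seconds (assumed value)
        self._seen = set()         # digests of packets accepted inside the window
        self._expiry = []          # min-heap of (expiry_time, digest)

    def _purge(self, now):
        # A digest can be forgotten once its timestamp would fail the freshness
        # check anyway; this is what bounds the cache's storage.
        while self._expiry and self._expiry[0][0] < now:
            _, digest = heapq.heappop(self._expiry)
            self._seen.discard(digest)

    def check(self, packet, timestamp, now):
        """Return 'accept', 'replay' or 'stale' for one received packet."""
        self._purge(now)
        if abs(now - timestamp) > self.max_skew:
            return "stale"         # too old, or dated too far in the future
        digest = hashlib.sha256(struct.pack(">d", timestamp) + packet).digest()
        if digest in self._seen:
            return "replay"        # identical packet already accepted in this window
        self._seen.add(digest)
        heapq.heappush(self._expiry, (timestamp + self.max_skew, digest))
        return "accept"

    def cache_size(self):
        return len(self._seen)


def demo():
    guard = ReplayGuard(max_skew=300.0)
    pkt = b"constructed sample datagram"   # constructed input, not real traffic
    results = [
        guard.check(pkt, timestamp=1000.0, now=1010.0),  # first sighting
        guard.check(pkt, timestamp=1000.0, now=1020.0),  # same packet resent
        guard.check(pkt, timestamp=1000.0, now=1400.0),  # resent after the window
    ]
    return results, guard.cache_size()


if __name__ == "__main__":
    print(demo())
```

A replay sent after the window has closed is rejected by the timestamp check rather than the cache, which is why the entry can be dropped by then.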
