[Freedombox-discuss] Freedombox Mesh Network Simulator
-----BEGIN PGP SIGNED MESSAGE-----
I am one of the developers of Project Byzantium and heard about this
discussion from The Doctor. Freedombox is not our project so we have no
authority to direct which way the project goes, but we have done some
significant research and development in this space. Our knowledge and
experience might be relevant to the discussion.
On Fri, 22 Jun 2012, Sam Hartman wrote:
> I'm having a hard time wrapping my head around the security implications
> of this discussion.
> I think that's in part because goals like
> censorship-resistant-connectivity and privacy seem in conflict.
> To the best of my understanding these routing protocols have not been
> designed with the goal of preventing a malicious party from capturing
> (that is observing and possibly modifying) traffic that party is
> interested in.
You are correct. These routing protocols are designed to efficiently
solve the OSI Layer 3 concern of routing packets from a source address
to a destination address. Whether the packet is sniffed and observed in
transit is outside the scope of a layer-3 routing protocol, and so they
provide no protection against that. Of course, once you have a
functioning layer-3 network you can do encryption and obfuscation of the
traffic at layer-4 or higher, but that's not a concern of layer-3.
As for packets being modified or not being delivered, these are both
cases that can be partially handled at layer-3, or handled at layer-4
and above. Some routing protocols may recognize that a particular node
is not routing traffic correctly and lower the metric for routes to that
node, so subsequent traffic will automatically avoid the bad node. It
also seems that recently the Quagga developers have been working on
implementing packet authentication in their implementation of Babel to
prevent corrupted routes from being propagated.
> Encryption and integrity protection can defend against modification
> assuming that is supported by the protocol in question. Services like
> VPN tunnels or TOR can be used to get enthcryption/integrity protection
> across the mesh when accessing services that support Internet but do not
> themselves support integrity/confidentiality.
> However, finding out what services someone is accessing is also a
> concern as well as monitoring access patterns and the like.
> These mesh technologies seem to present huge issues in that direction.
> Combining mesh technologies with things like TOR doesn't make these
> issues go away; it does make them harder to analyze.
Correct, anyone who is operating a node will be able to monitor traffic
across their node and analyze it for patterns of usage. This is because
mesh nodes are effectively network infrastructure. That is, each node is
like a mini-version of the the routers that form the Internet.
Look at it this way, what you're talking about is already possible. Your
ISP can already see all your traffic and they can analayze everything
you're doing. If the government comes knocking they will have to turn
over their logs or tap your line. With mesh networking, you are
mitigating that risk by spreading your traffic among a large number of
peer nodes. Sure, some of those nodes might be malicious, or some of
them could be coercable, but it's less likely that any one of them will
be the exclusive transport for all your traffic, so they are only seeing
a part of your traffic. How much do you trust your ISP? Do you trust
your ISP more than you trust your neighbors? How easy is it for an
adversary to coerce your ISP into giving up your traffic? How easy would
it be for the adversary to coerce ALL of your neighbors into giving up
In my opinion, we're safer when our neighbors, private citizens, own the
infrastructuer than when it's controlled and operated by some central
authority (even if it's a private business). The adversary would have to
coerce a larger number of private individuals to get at your traffic
then they do now.
> As I see all these conflicting requirements I become increasingly
> concerned that it will be difficult for technical folks to understand
> what security and privacy properties a Freedom Box actually provides. I
> think conveying that to an end-user may be beyond our capability.
I agree, these are tough problems to analyze and explain to people who
think of the Internet as a black box (in the shape of a fluffy white
cloud) that connects people together. Without a solid understanding of
how networking works at the lower levels of the OSI model, and the
realistic threats the network faces at those levels, it's a tough
converstaion to have. But it is still a fairly important one. Securing
layer-3 by removing the traditional hierarchical routing infrastructure
is a key step to improving privacy for everyone, but only if used
appropriatly in conjunction with encryptions and other tools at layers 4
> One thing that might be valuable to do at least for designers of the
> system to understand it is to focus on making available the best in
> privacy-defeating technology we can. That is, make it easy to find all
> you can about people using your mesh node, to combine that with others
> who are willing to share privacy-defeating information with you,
> etc. The goal would be to understand what the practical attacks and
> exposures are with various technologies we're using as we are combining them.
My guess is that this is going to take a lot of experimentation and
testing. We've done a bit alread with Byzantium, but there is still a
lot of work left to do. Help is always welcomed.
Ben the Pyrate
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----