Author: hobx
Date: 2006-03-13 01:18:06 +0000 (Mon, 13 Mar 2006)
New Revision: 8236
Modified:
trunk/docs/fnet.tex
Log:
so tired...
Modified: trunk/docs/fnet.tex
===================================================================
--- trunk/docs/fnet.tex 2006-03-12 01:01:32 UTC (rev 8235)
+++ trunk/docs/fnet.tex 2006-03-13 01:18:06 UTC (rev 8236)
@@ -1,5 +1,5 @@
-\documentclass[11pt,a4paper]{article}
-%\documentclass[leqno,twocolumn]{article}
+%\documentclass[11pt,a4paper]{article}
+\documentclass[11pt, a4paper,twocolumn]{article}
\usepackage[latin1]{inputenc}
\usepackage{amstext}
@@ -10,12 +10,13 @@
\usepackage{amssymb}
%\usepackage{amsthm}
\usepackage{amsmath}
+\usepackage{url}
%\usepackage[swedish]{babel}
-%% \addtolength{\hoffset}{-1cm}
-%% \addtolength{\textwidth}{2cm}
-%% \addtolength{\voffset}{-1cm}
-%% \addtolength{\textheight}{2cm}
+ \addtolength{\hoffset}{-1cm}
+ \addtolength{\textwidth}{2cm}
+ \addtolength{\voffset}{-1cm}
+ \addtolength{\textheight}{2cm}
\title{Private Communication Through a Network of Trusted Connections: The
Dark Freenet}
\author{Ian Clarke \thanks{FreenetProject Inc. ian at freenetproject.org},
Oskar
@@ -49,44 +50,46 @@
unwise. In fact, as has been seen in many cases, it is possible
to control and censor much of the Internet, and users of online
services are considerably less anonymous and more exposed than most
-believe.
+believe (see for instance \cite{tan:china}).
The Freenet Project is an ongoing effort to develop a distributed
peer-to-peer network for publication and distribution of data. The
system, Freenet \cite{clarke:protecting}\cite{clarke:freenet}, is an
-Internet wide distributed hashtable where users can insert intended to
-strengthen the freedom of speech by allowing anyone to publish
-anything in the network at any time. To this end, the system
-integrates many levels of redundancy while dispersing data throughout
-the Internet's topology, which makes it difficult for an adversary to
-remove data from the network. The network strives to be opaque, so
-that it is difficult without global knowledge to see which nodes are
-responsible for storing which data at which time, and flexible, so
-that it can survive both the everyday churn of an uncontrolled
-peer-to-peer environment and malicious attacks.
+Internet wide distributed hashtable (DHT) intended to strengthen the
+freedom of speech by allowing anyone to publish anything in the
+network at any time. To this end, the system integrates many levels
+of redundancy while dispersing data throughout the Internet's
+topology, which makes it difficult for an adversary to remove data
+from the network. The network strives to be opaque, so that it is
+difficult without global knowledge to see which nodes are responsible
+for storing which data at which time, and flexible, so that it can
+survive both the everyday churn of an uncontrolled peer-to-peer
+environment and malicious attacks.
An important element of allowing free communication is that the
privacy of both those who publish and those who access information
should be protected, both from outsiders and from other participants.
-Earlier generations of Freenet anomymized only via a Crowds [] type
-system, which, while offering some disassociation between queries and
-those who initiate them, is vulnerable to many forms of attack. One of
-the outstanding questions of Freenet development has been how the
-network can better anonymize queries in the future, with the option of
-utilizing stronger mixing techniques [].
+Earlier generations of Freenet anomymized only via a Crowds
+\cite{reiter:crowds} type system, which, while offering some
+disassociation between queries and those who initiate them, is
+vulnerable to many forms of attack. One of the outstanding questions
+of Freenet development has been how the network can better anonymize
+queries in the future, with the use of stronger mixing techniques such
+as \cite{chaum:untraceable} and \cite{goldschlag:onion} considered a
+possible, but complicated, option.
A second concern, that has come to the forefront with the actual
deployment of Freenet, is the vulnerability of people operating nodes
-in the network. While the network strived to dissociate users with the
-data they access and nodes with the data they served, it did not hide
-the fact that a particular node was part of the network. In order to
-find Freenet nodes in earlier incarnations of the system, it was
-sufficient to join the network and start operating as a node oneself:
-through the continuous process of routing and optimizing the network,
-one would eventually learn the identities and Internet addresses of
-more and more nodes in the network. This means that somebody wishing
-to attack the Freenet network in its entirety would have had no
-problem finding and identifying participants given sufficient time.
+in the network. While the network strove to dissociate users from the
+data they accessed and nodes from the data they served, it did not
+hide that a particular node was part of the network. In order to find
+Freenet nodes in earlier incarnations of the system, it was sufficient
+to join the network and start operating as a node oneself: through the
+continuous process of routing and optimizing the network, one would
+eventually learn the identities and Internet addresses of more and
+more nodes in the network. This means that somebody wishing to attack
+the Freenet network in its entirety would have had no problem finding
+and identifying participants given sufficient time.
In order to resolve these problems, we have radically shifted the
direction of Freenet development. Instead of direct connections
@@ -98,50 +101,88 @@
issues. Notably, since the we cannot design the overlay graph of
connected nodes ourselves, routing from one point to another becomes
more difficult. There is also a cost to usability, especially with
-regard to barrier of entry into the network (with trusted connections,
-a new node cannot enter the network until it knows other other nodes
-that are present).
+regard to barrier of entry into the network, since with trusted
+connections, a new user must know and be authenticated by at least one
+existing user before they can join.
We believe, however, that the benefits of the trusted connections
-model outweigh the complications. We hold that in many cases trusted
-connections are a better model for protecting the identities of those
-publishing and accessing data then traditional mixing approaches. They
-also dramatically increase the difficulty of identifying and attacking
-participants in the network, which nodes when only talk to trusted
-peers must be done by subjugating one node at a time, and then
-proceeding to attack its neighbors\footnotemark.
+model outweigh the complications it implies. We hold that in many
+cases trusted connections are a better model for protecting the
+identities of those publishing and accessing data than traditional
+mixing approaches. They also dramatically increase the difficulty of
+identifying and attacking participants in the network, which nodes
+when only talk to trusted peers must be done by subjugating one node
+at a time, and then proceeding to attack its neighbors\footnotemark.
\footnotetext{Assuming of course that nodes cannot be identified in
another way, such as monitoring the network for specific traffic
patterns.}
+\subsection{Previous Work}
+
+As mentioned, earlier versions of the Freenet system were previously
+described in \cite{clarke:protecting}, \cite{clarke:freenet}, as well
+as \cite{hong:performance}. The algorithm which we use to route in the
+network was described and simulated in \cite{sandberg:distributed}.
+The algorithm draws off the small-world model of Jon Kleinberg
+\cite{kleinberg:smallworld}, which has also inspired previous attempts
+to route in social networks \cite{adamic:social} \cite{nowell:geographic}.
+
+In some respects and goals, but not in others, Freenet resembles other
+designs for distributed secure data storage such as the Eternity
+service \cite{anderson:eternity} and the Free Haven Project
+\cite{dingledine:freehaven}. In operation, Freenet also shares a lot
+with common distributed hashtable (DHT) designs, such as
+\cite{plaxton:accessing} \cite{stoica:chord} \cite{manku:symphony}.
+Oceanstore \cite{kubiatowicz:oceanstore}, is a fully developed system
+for the distributed storage of information based on a DHT, but it is
+not designed with uncensorability or user privacy in mind.
+
+The term ``Darknet'', which we have used to describe the trusted
+connections model on which the new version of Freenet is based, was
+coined in \cite{biddle:darknet} as a more general term for private,
+concealed overlay networks. This is also described in
+\cite{lassica:darknet}. An alternative name for the same thing,
+``Friend-to-Friend network'' was coined by Dan Bricklin in
+\cite{bricklin:friend}.
+
+Despite the idea having been around for some time, very few
+trusted-connection based networks have actually been deployed. A
+program called \emph{Aimster} (and later \emph{Madster}) was released
+in 2000 allowing file-sharing between people who were on each others
+AOL Instant Messenger ``buddy lists'', but the company that made it is
+no longer in operation. \emph{WASTE} is a program released, and then
+withdrawn, by AOL division Nullsoft in 2003, that is somewhat similar,
+see \cite{nullsoft:waste} for a description. These systems do not
+attempt to allow communication between any two participants.
+
\section{Freenet's Design and Operation}
Freenet's goal is to provide a distributed system for the publication
and access of information. Documents are stored, or inserted, into the
network with an associated address, or key, which consists of a binary
string. The key is used both to decide where in the network to store
-the document, and to authenticate the document when it is transfered. A
-person wishing to access the document sends out a retrieve query, or
-request, which performs a best first search with backtracking. When
-the request finds a node containing a copy of the document, the entire
-document is returned through the search path.
+the document, and to authenticate the document when it is transfered.
+A person wishing to access the document sends out a retrieve query, or
+request, which performs a routed depth-first search with backtracking.
+When the request finds a node containing a copy of the document, the
+entire document is returned through the search path.
Freenet nodes do not make guarantees about the persistence of
documents, but keep them using a best-effort algorithm that removes
the least-recently accessed document when a node's storage overflows.
In fact, nodes aggressively cache many if not all the documents that
-they transfer, so a system of removing documents from the cache is
-necessary. The system can be viewed as a large grid of caching proxy
+they transfer, so a system for removing documents from the cache is
+necessary. The network can be viewed as a large grid of caching proxy
hosts, each proxying and caching for one another, but with no source
to return to should the document not be in the cache. In practice, we
have found that the system is relatively good at maintaining data when
-a sufficient amount of storage is available (see for instance [theos
-chapter], and [that other fn paper] for a modification to improve
-this). Furthermore, Freenet does not guarantee that data in the
-network can be found by any particular search in a bounded number of
-steps (or indeed at all) - it only attempts to make it likely that it
-will.
+a sufficient amount of storage is available (see for instance
+\cite{hong:performance}, and \cite{zhang:freenet} for a modification
+to improve this). Furthermore, Freenet does not guarantee that data
+in the network can be found by any particular search in a bounded
+number of steps (or indeed at all) - it only attempts to make it
+likely that it will.
\subsection{Inserting and Requesting data}
@@ -152,19 +193,20 @@
node to node and selecting the most desirable neighbor that is
available and not already in the route as the next step. When this is
not possible, the query backtracks and the route is restarted from the
-previous node. Routes continue until they terminate due to achieving
-their purpose (in practice: finding the sought document) or terminate
-because of some heuristic (which could be as simple as the number of
-steps reaching a limit).
+previous node. The routing process is terminated either due to the
+query achieving its purpose or because of some heuristic based on the
+number of steps taken. In current implementations, the reason for
+terminating is either that the sought document has been found, or that
+nodes have given up looking for it.
-It should be noted that, unlike in other DHT systems, a key has no
+It should be noted that, unlike most other DHT systems, a key has no
canonical home or destination in the network. While there may be a
node that is the most desirable destination for a particular $K$, that
-node will most likely not know it. Because of this, the manner in
-which the routing tables are constructed need only be consistent, in
-that two routes for the same key should be likely to intersect, and
-well distributed, meaning that routes should not all tend toward some
-small subset of the nodes. See Figure \ref{fig:route}.
+node will most likely not know it. The manner in which the routing
+tables are constructed need only be consistent, in that two routes for
+the same key should be likely to intersect, and well distributed,
+meaning that routes should not all tend toward some small subset of
+the nodes. See Figure \ref{fig:route}.
\begin{figure}
\centering
@@ -185,10 +227,11 @@
cache it.
The inverse process, that of originally inserting a document, is
-similar. A route is established, and if a document matching K is not
-found, the document $D$ is proxied up the route, with each node caching
-it. If an existing document matching $K$ is found while routing, it is
-returned down the path just like if $K$ had been requested.
+similar. A route is established, and if it terminates without finding
+a cached document matching K, the document $D$ is proxied up the
+route, with each node caching it. If an existing document matching $K$
+is found while routing, it is returned down the path just like if $K$
+had been requested.
\subsection{Keys and Document Authentication}
@@ -216,7 +259,7 @@
The second type of key, known as a Signed Subspace Key (SSK), allows
several documents to be published by the holder of a single asymmetric
key-pair. As the name implies, the holder of the key-pair has a
-private subspace in which he can publish signed documents, by varrying
+private subspace in which he can publish signed documents, by varying
the name part. This is used to implement updating schemes - either by
including a version in the name, or having the name include a date of
publication.
@@ -228,11 +271,10 @@
PK in some way.\footnotemark No method for direct keyword searching is
provided,
though some methods are possible\footnotemark.
-\footnotetext{A system for expressing keys as URIs have been deviced
- for Freenet. The non-readble sections are expressed as strings in a
+\footnotetext{A system for expressing keys as URIs have been devised
+ for Freenet. The non-readable sections are expressed as strings in a
modified BASE64 encoding, and the readable bytes (such as the
- document name in the SSK) in plaintext. Keys may look like: ADD
- EXAMPLES OF KEYS.}
+ document name in the SSK) in plaintext.}
\footnotetext{One method that has been used is to create the public
key/private key pair for an SSK using a string as a seed to a known
@@ -261,7 +303,7 @@
the key itself is normally derived from the data's original hash.
The client also handles splitting and padding of data. As a basic
-measure againts profiling and traffic analysis, documents in Freenet
+measure against profiling and traffic analysis, documents in Freenet
are a fixed size - 32kB for CHKs, and 1kB for SSKs. Clients ensure
this by padding and by splitting larger documents into many smaller
parts. The latter process is also an enhancement to performance and
@@ -272,42 +314,41 @@
additional layer of redundancy, since the clients can use erasure
codes to make sure that not all the parts are necessary to recreate
the document. Freenet currently makes use of Vandermonde Forward Error
-Correction codes.
+Correction codes \cite{rizzo:erasure}.
\section{Routing in the Network}
-Under the trusted connection model, we have to assume that the graph of
-nodes and links between them is fixed, and cannot be optimized for
-routing purposes. This is a very different model from previous version
-of Freenet, and other DHT systems like [ref][ref][ref] which all
-construct a graph explicitly so as to make efficient routing
-possible.
+Under the trusted connection model, we have to assume that the graph
+of nodes and links between them is fixed, and cannot be optimized for
+routing purposes. This is a very different model from what previous
+version of Freenet, and other DHT systems have operated under: they
+all construct a graph explicitly so as to make efficient routing
+possible.
In fact, the possible efficiency of routing depends on the structure
of the network. If there is no short path between two nodes, it will
not be possible for a document inserted at one to be reachable at
another in a short number of steps, regardless of how well we route.
-Thus the possibility of the system working depends crucially on
-network having certain properties.
-
We must thus rely on certain observations about the network of trusted
connections. In particular, it is a subgraph of the of the world's
social network, the dynamics which has been the subject of much study,
initially by sociologists and experimental psychologists
-[ref][ref][ref], and increasingly by mathematical means [ref][ref].
-In particular, it is generally accepted that the worlds social network
-is a so called ``small world'', meaning that there are short paths
-between every two nodes, and that there is local clustering (people
-who share a common friend are more likely to know each other).
+\cite{milgram:smallworld}, and increasingly by mathematical means
+\cite{pool:contacts} \cite{watts:smallworld}. It is generally
+accepted that the worlds social network is a so called ``small
+world'', meaning that there are short paths between every two nodes,
+and that there is local clustering (people who share a common friend
+are more likely to know each other).
-In fact, studies of routing in the world's social network have already
-been done, starting in the 1960s with Stanley Migram's [ref] famous
-small-world experiments [ref]. These, and subsequent repetitions
-[ref][ref] seem to indicate that it is possible to find routes from
-any person to any other, using only a very small number of steps (the
-idea of ``six degrees of separation'' for the entire world is derived
-from Milgram's data.)
+Studies of routing in the world's social network have already
+been done, starting in the 1960s with Stanley Migram's famous
+small-world experiments \cite{milgram:smallworld}
+\cite{travers:smallworld}. These, and subsequent repetitions
+\cite{dodds:social} seem to indicate that it is possible to find
+routes from any person to any other, using only a very small number of
+steps (the idea of ``six degrees of separation'' for the entire world
+is derived from Milgram's data.)
We assume (perhaps somewhat optimistically) that the network of
trusted connections that we can use is a small world. In order to
@@ -315,8 +356,8 @@
can be routed to. The most direct way of assigning these identities is
to choose them from the same space as the keys, and then try to route
queries for a particular key to those nodes whose identities most
-closely match the key value. This technique is used by all current DHT
-systems. In light of the observation described in Figure
+closely match the key value. This technique is used by almost all
+current DHT systems. In light of the observation described in Figure
\ref{fig:route} the identities of each node can be selected quite
randomly, though their assignment will need to reflect the network in
some respect.
@@ -324,28 +365,49 @@
Once each node has an identity, one could imagine calculating the all
pairs shortest path for the graph, and keeping a routing table at each
node showing where to reach queries intended to ultimately reach every
-node. This would involve a large amount of work and bandwidth when
-trying to calculate the paths, as well as network sized routing tables
-at each node, neither or which is desirable. More crucially, it would
-require one to recalculate the entire routing able every time a node
-joins or leaves the network, which is an impossibility under the
-intended usage.
+node. This would ensure that the best possible route was always used,
+but involve a large amount of work and bandwidth when trying to
+calculate the paths, and require network sized routing tables at each
+node. More crucially, it would require one to recalculate the entire
+routing able every time a node joins or leaves the network, which is
+an impossibility under the intended usage. Other previously known
+systems schemes for building routing tables with guarantees on the
+stretch\footnotemark{} such as \cite{thorup:compact} suffer from the
+same problems under our application.
+\footnotetext{The stretch of a routing scheme is the amount by which
+ the lengths routes found differs from the optimal possible value.}
+
Instead, we use a method which draws off the small world models of Jon
-Kleinberg [ref]. The routing we perform is purely greedy: at each
-step, the desirability of the neighbors is ordered by the proximity of
-their identities to the route key $K$ (seen as floating point number
-between 0 and 1 with periodic boundary\footnotemark). The question
-then becomes one of trying affect the randomized assignment of
-identities such that this becomes an efficient way of routing. The
-method we have chosen for doing this is described in detail in
-\cite{sandberg:distributed}. In our implementation nodes start with
-randomly selected identities seen as numbers between 0 and 1, and then
-switch with each other using the described method, causing nodes that
-are in some sense close in the network topology to also have nearby
-identities. (It is only when this property holds that greedy routing
-makes sense in anything but the final step.)
+Kleinberg \cite{kleinberg:smallworld}. The routing we perform is
+purely greedy: at each step, the desirability of the neighbors is
+ordered by the proximity of their identities to the route key $K$
+(seen as floating point number between 0 and 1 with periodic
+boundary\footnotemark). The question then becomes one of trying affect
+the randomized assignment of identities such that this becomes an
+efficient way of routing. For routing to be efficient Kleinberg's
+results show that certain relation between the frequency of
+connections of different lengths (with respect to the identities) must
+be present, so our goal is to, as well as can be done for a given
+graph, assign identities so that this holds. The method we have chosen
+for doing this is described in detail in \cite{sandberg:distributed}.
+In our implementation nodes start with randomly selected identities
+seen as numbers between 0 and 1, and then switch with each other using
+the described method, causing nodes that are in some sense close in
+the network topology to also have nearby identities. (It is only when
+this property holds that greedy routing makes sense in anything but
+the final step.) The use of random positions, rather than fixed points
+in a grid, makes our model slightly different than Kleinbergs, but
+similar continuum models have been previously studied in
+\cite{franceschetti:navigation} and \cite{manku:symphony}. Nodes at a
+constant rate initiate random walks, which terminate after a fixed
+number of steps (current six, which simulation indicates is enough
+even in a large network). When the walk terminates, the node at which
+it was started and that at which it ended attempt to switch
+identities, which will happen with a probability specified by the
+algorithm.
+
\footnotetext{That is circular distance, so the distance between 0.9
to 0.0 is 0.1.}
@@ -359,6 +421,31 @@
which is motivated by attempting to balance a thorough search while
limiting resource usage.
+Several enhancements to the basic algorithm described in
+\cite{sandberg:distributed} which could lead to better results have
+been suggested. Knowing the identity of ones neighbors' neighbors is
+known to improve the performance of routing in Kleinberg type networks
+\cite{manku:neighbor} by allowing nodes to route to the neighbor whose
+neighbors identities best match the query. Knowing the identities of
+neighbor's neighbors reveals something about the surrounding network,
+but does not tell one who they are, so the basic principle of only
+revealing oneself to trusted peers remains. Another performance
+enhancement that may be possible is for nodes to aware of which
+documents are present in their neighbor's cache, by for instance
+neighbors passing Bloom filters \cite{bloom:space} summarizing the
+contents of their cache to each other. A combination of both these
+techniques will greatly increase the number of successful searches and
+decrease the query length.
+
+One artifact of the fact that nodes are constantly (though, when the
+network is steady, not very frequently) changing identities is that
+such a switch invalidates much of their cache. A node that has just
+gained a new identity will not have a cache full of documents closely
+matching this, since it has seen few if any queries for that identity
+before. Some method from migrating data between nodes after an
+identity switch may be necessary, but in the current implementation we
+rely only redundancy and the re-caching of data to ensure this.
+
\section{Joining and Leaving the Network}
The procedure for nodes when joining and leaving the network is very
@@ -371,7 +458,7 @@
cryptographic identifiers for the nodes.
When a user imports a certificate his node will adds the certificate's
-node as a trusted peer, and attempt to contact it. The other node will
+node as a trusted peer, and attempts to contact it. The other node will
only respond if it has previously the certificate of the node
attempting to contact it. On failure to connect, nodes try again,
letting the time between subsequent attempts increase exponentially.
@@ -398,6 +485,12 @@
software to be used as an instant messaging client and/or file-sharing
client with those one has authenticated).
+Leaving the network requires no special action. Nodes operate under
+the assumption that neighbors may seize operating at any time, and
+simply send routes to the next most desirable neighbor when the most
+desirable one is no longer responding. Attempts to contact a node that
+is not responding tailor off exponentially in frequency.
+
\section{Implementation}
@@ -405,56 +498,90 @@
\centering
\resizebox{3.0in}{!}{\includegraphics{freenet_real.eps}}
\caption{A (small) realization of the actual Freenet network.}
- \label{fig:route}
+ \label{fig:real}
\end{figure}
-We have an early implementation of this new algorithm. So far it appears
-to function, but the network is far too small, and the load on it is
-far too low, to draw any certain conclusions. Also so far this has not
-been a true darknet; users have not connected to those whom they have
-a pre-existing trust connection to, in general, rather to whomever
-happened to be around.
+As part of the Freenet Project\footnotemark{} we have an early
+implementation of the new version of the Freenet. The current
+implementation is in Java, using a UDP/IP messaging layer originally
+used for the \emph{Dijjer}\footnotemark{} download accelerator. Other
+code has been carried over from the previous versions of Freenet.
+This includes the higher level code for processing data, as well as
+some of the security and authentication code.
-This represents the biggest problem with the new algorithm: it relies on
-users creating "friend-to-friend" connections. This is not likely to
-happen except in specialized fragments of the real world, until the code
-reaches a certain level of usability, and the network reaches a certain
-size. So we have a chicken and egg problem: no darknet connections until
-the network is big, no big network until we have lots of darknet
-connections. The solution is to provide an alternative, interoperable
-"opennet".
+\footnotetext{\url{http://www.freenetproject.org/}}
-Nodes will either participate in the opennet or the darknet, or both. On
-the darknet, as we have discussed, connections are formed manually in a
-"friend to friend" fashion, based on pre-existing trust (however marginal).
-On the opennet, connections are dynamically formed and broken by the
-network, based on a Least Recently Used algorithm; when an opennet node
-successfully fetches a datum, it returns the node reference (identity plus
-IP address, essentially) of the original data source. This will
-occasionally be reset along the route. The node receiving the datum may
-then open a connection to the referred-to node; if it does it will probably
-have to throw out an existing connection as routing tables are of limited
-size, so it disconnects from the node which least recently provided data.
-Actual routing will still be done via the location swapping and greedy
-routing algorithm described above, and care needs to be taken to ensure the
-network is not so dynamic that routing can never settle. But this mechanism
-is known to work; it is very close to the original Freenet routing algorithm
-[1], and it will produce a small world network [2], which the algorithm we
-describe above should be able to route on.
+\footnotetext{\url{http://dijjer.org/}}
-Thus, we have a hybrid network which can get large quickly, on the basis of an
-open network, and which can then expand at the edges and internally in darknet
-form. If many users have even the opennet freenet, then somebody looking to
join
-in darknet mode should be able to find people he knows who are already running
-it, knowing that his node will not be exposed, because he connects as a pure
-darknet node. The hope is that once a certain critical density is reached, the
-majority of new nodes will have at least some darknet connections.
+The software is functional, but not yet ready for mainstream
+deployment. The user interface is still primitive, especially when it
+comes to the creation and authentication of the trusted connections,
+which, as noted above, are crucial to the network becoming something
+we can hope to route in. Test networks have been deployed and seem to
+function - an example of such a network is shown in Figure
+\ref{fig:real} - but they are too small and used by too limited a
+class of people to provide any real data on what the network will look
+like once truly deployed.
-Also the network is a "testnet", meaning that nodes report their status to a
-central point, and that developers can remotely log into nodes to browse logs;
-this makes debugging significantly easier and it is hoped that we can run a
-testnet in parallel with the production network for some time.
+The fact that the technical functionality of the new Freenet depends
+essentially on the usage patterns and the dynamics of social networks
+that we can do little to control is an almost unique challenge for
+software development. Nobody can know for sure that the implementation
+will function until we have reached a large number of users and
+continue to see positive results.
+Likewise, the goal of building a dark network, which by design is to
+be opaque, makes a deployed system very difficult to analyze. Indeed,
+if the system works as well as we have hoped, it will be difficult to
+even estimate the size of a deployed network, let alone say anything
+about its graph topology. The current early code provides data to
+developers about the network, but we cannot expect to continue doing
+that when Freenet is being used for real purposes (it would be counter
+to our goals even if just a portion of our users revealed their
+neighborhoods publicly).
+
+\section{Privacy and Anonymity}
+
+It is perhaps a matter of definition how much privacy the trusted
+connections model provides compared to layered or telescopic
+encryption schemes such as those used in Mixnets
+\cite{chaum:untraceable} and in Onion Routing \cite{goldschlag:onion}
+\cite{dingledine:tor}. While these schemes generally attempt to ensure
+that no party in the network can alone determine what the user is
+accessing, we allow our neighbors in the network to see what we are
+accessing, but assume that they are trusted friends. In this sense the
+anonymity provided is simply the classical method of going through a
+trusted third party, but with the difference that trust is distributed
+throughout the network, and so single party needs to be trusted by
+everyone.
+
+The type of privacy required also depends on the application. A user
+who wants to access information about, for example, a venereal
+disease, might prefer simply hiding among the masses on the current
+plaintext World Wide Web than routing his query through people who
+know him. On the other hand, people wishing to share political
+information that is being repressed by their government may have much
+to gain from the trusted-connection model, especially when even
+accessing open anonymity networks may be blocked and illegal.
+
+The perhaps largest advantage that the trusted-connection model offers
+over traditional anonymity networks is protection against the Sybil
+attack \cite{douceur:sybil}, where a single attacker infiltrates the
+network by pretending to have many identities. Since the network
+depends on out of band trust relationships, an attacker gains strength
+only through the number of people he can fool into trusting him, and
+gains nothing by presenting multiple identities online.
+
+Our current implementation does not perform any mixing of queries
+inside the nodes, and thus cannot, in spite of the fixed size of
+documents, defend against an adversary with global access. The threat
+model considered is more along the lines of that used by TOR
+\cite{dingledine:tor}, in that we assume that the adversary cannot
+perform advanced traffic analysis on the inter-node communication. It
+is possible to implement mixing within the nodes, at least to some
+extent, but currently our emphasis is on getting a efficient, usable,
+functioning system rather than strengthening the threat model.
+
\section{Conclusion}
We have described a new version of Freenet based on constructing an
@@ -467,10 +594,10 @@
Many questions remain as to the viability of operating software like
Freenet in the real world. Other open question regard the security and
-anonynity provided by the model. The difficulty of performing denial
+anonymity provided by the model. The difficulty of performing denial
of service attacks by attempting to affect the routing in various ways
needs to be studied, and similarly attacks by flooding and spamming in
-order to decrease the avilability of legitimate data.
+order to decrease the availability of legitimate data.
However, we see our design as a proof of concept
of an entirely new form of peer-to-peer overlay, which ensures privacy
@@ -478,7 +605,7 @@
free communication networks even where they are not desired by all.
-\bibliographystyle{unsrt}
+\bibliographystyle{plain}
\bibliography{../tex/ossa}
\end{document}
