Currently, an attacker can run a malicious seednode, send it to us, and then get connected to a large proportion of new nodes, use bogus identities to keep connections to the node, and observe their traffic. He is limited mainly by resources - does he have the ability to connect to all those nodes for long enough to identify whether they are interesting? For hit-and-run, an important use case that Freenet has never been any good at but which is very interesting in practice, he wouldn't necessarily have to keep connections open long term either...
We can of course increase costs by requiring nodes to be on different /8's or /16's etc, but this only slightly increases costs. Some sort of onion routing involving peers found via different seednodes would be possible, but clunky as later on seednodes don't really matter, and extremely expensive. Taking Tor's approach and having a large list of automatically gathered seeds, and only giving a subset to each announcee, doesn't really solve the problem either: the attacker can simply run loads of slow seeds.

What we really want is a way to discover peers which is dependent on multiple seednodes, i.e. a new announcement protocol. Hence I propose the following:

1. We connect to 3 seednodes. (The seed list should ensure that they are run by different organisations if possible.)
2. We send an announcement via each of them, all to the same location.
3. Each seednode returns a list of nodes, with connect offers that can be reliably taken up for a short period, and the node identities. (Not necessarily the full node reference at this stage.)
4. We select a bunch of nodes based on closeness to the random target location.
5. We attempt to connect to each of the chosen nodes *via all three paths*.
6. Any node we cannot connect to via at least two of the three paths is discarded.
7. We connect to the remaining nodes.

Clearly if we are connected to two collaborating malicious seednodes, we are busted. But if there is only one malicious node, he can only force us to connect to his favoured nodes (short of DoS attacks) by having an expensive dominant position on the network whereby our routes reach his territory quickly regardless of what key we are searching for. So on a large network this should be very expensive. It should be possible to ensure that an attacker cannot bootstrap new nodes to the exact required location while seeding, via e.g. having an uptime requirement. In any case it would be a rather tricky attack.

We may be able to increase security by tuning the parameters e.g. requiring 3 of 5 instead of 2 of 3. The Tor approach may help, but obviously there are attacks such as selectively blocking seednodes that you don't own ...

The question is, would this mechanism improve security for opennet? I am fairly sure it would.
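The k-of-n path check proposed in the message above, as an added example that is not part of the original message and is not Freenet code. All function names, the seed and node identities, and the reachability model (a set of identities per seednode path for which the connect attempt succeeded) are assumptions made for illustration; the sample data is constructed.

```python
# Added illustration of the proposed k-of-n announcement filter (hypothetical names).

def circ_dist(a, b):
    """Distance between two locations on the circular [0, 1) keyspace."""
    d = abs(a - b) % 1.0
    return min(d, 1.0 - d)

def pick_candidates(offers, target, count):
    """Merge the node lists returned by every seednode and keep the
    `count` identities closest to the announcement target location."""
    merged = {}
    for nodes in offers.values():
        merged.update(nodes)                      # identity -> location
    return sorted(merged, key=lambda n: circ_dist(merged[n], target))[:count]

def filter_by_paths(candidates, reachable, k):
    """Discard any node that could not be connected to via at least k paths.
    reachable[seed] = identities whose connect attempt succeeded via that seed."""
    kept = []
    for node in candidates:
        paths = sum(1 for seed in reachable if node in reachable[seed])
        if paths >= k:
            kept.append(node)
    return kept

def announce(offers, reachable, target, count=4, k=2):
    """Select candidates near the target, then apply the k-of-n path check."""
    return filter_by_paths(pick_candidates(offers, target, count), reachable, k)

# Constructed sample data: honest nodes near the target, and attacker-run
# nodes placed even closer so they win the closeness selection.
TARGET = 0.50
HONEST = {"h1": 0.48, "h2": 0.53, "h3": 0.45}
SYBIL = {"s1": 0.50, "s2": 0.51}

# One malicious seed out of three: its nodes are reachable via one path only.
ONE_BAD_OFFERS = {"seedA": HONEST, "seedB": HONEST, "seedM": SYBIL}
ONE_BAD_REACH = {s: set(n) for s, n in ONE_BAD_OFFERS.items()}

# Two colluding seeds out of three: their nodes pass 2-of-3, honest ones do not.
TWO_BAD_OFFERS = {"seedA": HONEST, "seedM1": SYBIL, "seedM2": SYBIL}
TWO_BAD_REACH = {s: set(n) for s, n in TWO_BAD_OFFERS.items()}

if __name__ == "__main__":
    print("one malicious seed :", announce(ONE_BAD_OFFERS, ONE_BAD_REACH, TARGET))
    print("two colluding seeds:", announce(TWO_BAD_OFFERS, TWO_BAD_REACH, TARGET))
```

With the same two colluding seeds placed among five seednodes and `k=3`, the attacker's nodes are discarded again, which is the parameter tuning the message mentions.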
