On Thursday 17 January 2008 23:06, Michael Tänzer wrote:
> Michael Tänzer wrote:
> > Matthew Toseland wrote:
> >> On Thursday 17 January 2008 03:23, Michael Tänzer (vid,smtp2) wrote:
> >>> Matthew Toseland wrote:
> >>> As we probably don't want to run a node on our server itself (we could,
> >>> but would it have enough resources to serve the important things like
> >>> web pages, SVN and stuff even if we are /.ed?) the Seedserver has to
> >>> have a connection to a node somewhere and as we have some Nodes which
> >>> should be available anyway, why not use them? This also balances the
> >>> load between the Seednodes, avoids another single point of failure and
> >>> makes sure they're online so we don't have to recheck apart from that.
> >>> We don't have to be connected to all of our Seednodes all the time. Just
> >>> if we want to verify a new Seednode we establish a new connection to one
> >>> of our Seednodes on the Port on which the Seedservice runs and
> >>> verify that it's us.
> >> You mean for the seed server to connect to the seednodes (easily spoofed), or
> >> for the seednodes to connect to each other (somewhat less easily spoofed)?
> >
> > For the Seedserver connecting to the Seednodes.
> > How is it supposed to be spoofed?
> > - Each packet that doesn't come from our Seedserver's IP is dropped
> > - To accept the package it has to be encrypted with our public key
> > (which _should_ only be known to us)
> 
> Doh, of course the public key is known by someone else (otherwise it
> wouldn't be public) it should be only known by the _SeedServer_ because
> he's the only one we gave it to. But it also shouldn't be a problem if
> it gets known in public, then the second part of the identification
> process comes into play:

That's not what I mean. I mean an attacker's bogus seednodes know the IP of 
the seed server and can easily only respond to that IP address, thus saving 
lots of bandwidth and not providing any useful service to any other node. 
Also, if it's only verified shortly after adding, they can use this info too.
> 
> > - The SeedServer has to verify itself, by sending back a random number
> > encrypted with its public key (only the SeedServer knows the private
> > key to decrypt it and send it back)

I accept that you can't MITM the SeedServer ... but you can watch its traffic 
and identify seednodes. That's probably unavoidable.
> 
> regards
> Neo at NHNG
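
The objection raised in this message, as an added example that is not part of the original thread or of Freenet's code: a small model comparing a single check from the fixed seed server IP with checks made from randomly chosen existing seednodes at random times. All names, addresses and parameters are assumptions made for illustration, and only reachability is modelled, not the cryptographic handshake.

```python
import random

SEED_SERVER_IP = "192.0.2.10"                          # constructed address
PEER_IPS = [f"198.51.100.{i}" for i in range(1, 21)]   # constructed: existing seednodes


class Seednode:
    """Candidate seednode (hypothetical model)."""

    def __init__(self, served_ips=None, honest_until=0):
        self.served_ips = served_ips      # None: serves every source address
        self.honest_until = honest_until  # serves everyone before this day

    def answers(self, src_ip, day):
        if self.served_ips is None or day < self.honest_until:
            return True
        return src_ip in self.served_ips


def verify_once_from_server(node):
    """One probe from the fixed seed server address, at the time of adding."""
    return node.answers(SEED_SERVER_IP, day=0)


def verify_from_peers(node, rng, probes=10, days=30):
    """Probes from randomly chosen existing seednodes on randomly chosen days.

    The candidate cannot tell a check apart from an ordinary client, so it
    only passes if it serves arbitrary sources throughout the period.
    """
    return all(
        node.answers(rng.choice(PEER_IPS), rng.randrange(days))
        for _ in range(probes)
    )


if __name__ == "__main__":
    rng = random.Random(7)
    candidates = {
        "honest": Seednode(),
        "serves only the seed server": Seednode(served_ips={SEED_SERVER_IP}),
        "honest for two days only": Seednode(served_ips={SEED_SERVER_IP},
                                             honest_until=2),
    }
    for name, node in candidates.items():
        print(f"{name}: server check={verify_once_from_server(node)}, "
              f"peer checks={verify_from_peers(node, rng, probes=20)}")
```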