the case for network-layer, peer-to-peer anonymization michael j. freedman emil sit, josh cates,...
Post on 20-Dec-2015
212 views
TRANSCRIPT
![Page 1: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/1.jpg)
The Case for Network-Layer,Peer-to-Peer Anonymization
Michael J. Freedman
Emil Sit, Josh Cates, Robert Morris
MIT Lab for Computer Science
IPTPS’02 March 7, 2002
http://pdos.lcs.mit.edu/tarzan/
![Page 2: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/2.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 2
• Participant can communicate anonymously with non-participant
• User can talk to CNN.com
User
?
?
• Nobody knows who user is
The Grail of Anonymization
![Page 3: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/3.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 3
Our Vision for Anonymization
• Millions of nodes participate• Bounce traffic off one another
• Mechanism to organize nodes: peer-to-peer• All applications can use: IP layer
![Page 4: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/4.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 4
Alternative 1: Proxy Approach
• Intermediate node to proxy traffic
• Completely trust the proxy
Anonymizer.com
User Proxy
![Page 5: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/5.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 5
Realistic Threat Model
• Corrupt proxy– Adversary runs proxy– Adversary targets proxy and compromises
• Limited, localized network sniffing
• Global passive observer? • Adaptive active adversary?
Use cover network: a different paper
![Page 6: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/6.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 6
Failures of Proxy Approach
User ProxyProxy
• Traffic analysis is easy
• Proxy reveals identity
![Page 7: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/7.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 7
Failures of Proxy Approach
User Proxy XX
• CNN blocks connections from proxy
• Traffic analysis is easy
• Adversary blocks access to proxy (DoS)
• Proxy reveals identity
![Page 8: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/8.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 8
Alternative 2: Centralized Mixnet
User Relay Relay Relay
• MIX encoding creates encrypted tunnel of relays
– Individual malicious relays cannot reveal identity
• Packet forwarding through tunnel
Onion Routing, Freedom
Small-scale, static network, not general-purpose
![Page 9: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/9.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 9
Failures of Centralized Mixnet
Relay Relay Relay
• CNN blocks core routers
X
![Page 10: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/10.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 10
Relay Relay
Failures of Centralized Mixnet
• CNN blocks core routers
• Adversary targets core routers
RelayRelay
![Page 11: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/11.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 11
Relay
Failures of Centralized Mixnet
Relay Relay
• CNN blocks core routers
• Adversary targets core routers
• Allows network-edge analysis
Relay
![Page 12: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/12.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 12
Tarzan: Me Relay, You Relay
• Millions of nodes participate
• Build tunnel over random set of nodes
Crowds:
small-scale, not self-organizing, not a mixnet
![Page 13: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/13.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 13
Benefits of Peer-to-Peer Design
• No network edge to analyze:
First hop does not know he’s first
?
? ?? ?
• CNN cannot block everybody
• Adversary cannot target everybody
![Page 14: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/14.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 14
Managing Peers
• Requires a mechanism that
1. Discovers peers
2. Scalable
3. Robust against adversaries
![Page 15: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/15.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 15
• Adversary can join more than once
Due to lack of central authentication
Adversaries Can Join System
• Try to prevent adversary from impersonating
large address space
![Page 16: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/16.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 16
Stopping Evil Peers
• Contact peers directly to– Validate IP address
– Learn public key
Adversary can only answer small address space
![Page 17: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/17.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 17
Tarzan: Joining the System
1. Contacts known peer in big (Chord) network
2. Learns of a few peers for routing queries
User
![Page 18: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/18.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 18
3. Contacts random peers to learn {IP addr, PK}
Performs Chord lookup(random)
Tarzan: Discovering Peers
User
![Page 19: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/19.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 19
Tarzan: Building Tunnel
User
4. Iteratively selects peers and builds tunnel
Public-key encrypts tunnel info during setup
Maps flowid session key, next hop IP addr
Tunnel Private AddressPublic Alias
Address
RealIP
Address
PNAT
![Page 20: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/20.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 20
IP
Tarzan: Tunneling Data Traffic
5. Reroutes packets over this tunnel
User
APP
Diverts packets to tunnel source router
IP
X
![Page 21: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/21.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 21
IP
Tarzan: Tunneling Data Traffic
5. Reroutes packets over this tunnel
User
APP
IPIP
NATs to private address space 192.168.x.x
Layer encrypts packet
![Page 22: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/22.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 22
Encapsulates in UDP and forwards packet
Strips off encryption, forwards to next hop
Tarzan: Tunneling Data Traffic
5. Reroutes packets over this tunnel
User
IPIPIP
APP
![Page 23: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/23.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 23
IPIP
NATs again to public alias address
Tarzan: Tunneling Data Traffic
5. Reroutes packets over this tunnel
User
APP
![Page 24: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/24.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 24
Tarzan: Tunneling Data Traffic
5. Reroutes packets over this tunnel
User
APP
Reads IP headers and sends accordingly
IP
![Page 25: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/25.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 25
Response repeats process in reverse
IPIP
Tarzan: Tunneling Data Traffic
5. Reroutes packets over this tunnel
User
IPIPIPIP
APPIPIP
IP
![Page 26: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/26.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 26
Tarzan: Tunneling Data Traffic
Transparently supports anonymous servers
Can build double-blinded channels
Server
IPIPIPIP
APP
IPIP
IPIP IPIP
IPIP
IP IP IP IPIP
IP
ObliviousUser
![Page 27: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/27.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 27
Tarzan is Fast (Enough)
• Prototype implementation in C++
• Setup time per hop:
~20 ms + transmission time
• Packet forwarding per hop:
< 1 ms + transmission time
• Network latency dominates performance
![Page 28: The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d4c5503460f94a29b45/html5/thumbnails/28.jpg)
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 28
Summary
• Gain anonymity:– Millions of relays
– No centralization
• Transparent IP-layer anonymization– Towards a critical mass of users
Peer-to-Peer design