Author: michi1
Date:  
To: Eugen Leitl
CC: netsukuku
Subject: Re: [Netsukuku] DOS/MITM by TP spoofing??
Hi!

On 14:48 Wed 26 Oct, Eugen Leitl wrote:

> On Wed, Oct 26, 2011 at 02:10:16PM +0200, michi1@??? wrote:
>
> > > NAT provides no anonymization whatsoever, if compared to Tor or I2P.
> >
> > If compared to Tor or I2P - not really. If compared to IPv4 without NAT: Yes,
> > it does. You tell me how to find who did something, if the source IP points to
> > a network with 1000 pcs in it.
>
> Again, NAT is a braindamaged solution to the address scarcity problem, hides nothing
> as you can probe and do Layer 7 level analysis and NAT penetration is part of
> NAT reality and P2P applications. NAT might give you plausible deniability
> before the law, but we're talking engineering, and not legalese.

The weak anonymisation "features" in the internet were mostly "accidents".
Layer 7 analysis and NAT penetration do not deanonymise users. That is, unless
you find the PC which had the particular software installed. Even then, you do
not know whether somebody else had the same software, but uninstalled it in
the meantime.

Also plausible deniability is anonymity.

> > > If you want efficient (cut-through at relativistic speed) and no global
> > > routing tables you must follow geography. There is no other way.
> >
> > Correction: your routing tables must be "small". You can do this with the
>
> Yes, they're small enough for hardware lookup even for purely photonic
> implementations as they only store local connectivity/its deviation
> from idealicity. It's obvious that the current router table bloat is rapidly
> heading towards a catastrophe. It will be likely postponed by introducing
> e.g. hyperbolic mapping (which makes it converge towards geography, actually)
> just as CIDR postponed the reckoning with IPv4, but eventually you have
> to change the architecture.
>
> > usual network/prefix addressing or you can present each network as one host
> > and do NAT.
>
> NAT is dead, let's get used to the idea.


No, it is not. Even IPv6 will hopefully get it:
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/39978

> > > > onion encryption or geographically distributed. But overlay mix networks have
> > > > their own problems, like performance, exit node liability/harassment or the
> > >
> > > Exactly, the same network provides both low-overhead high-performance
> > > services and high-overhead slower services for those cases where you
> > > need anonymity. There's no need for mandatory overhead for optional
> > > features.
> >
> > Mix networks are slow, *because* they are overlay networks. Pinging between 2
>
> That's what I said, yes.
>
> > routers takes 100ms instead of 1ms. This will not get any faster.
>
> Of course it can get faster. But it doesn't have to get much faster than
> today in order to be usable.


It does need to get faster.

> > Also, anonymity is *not* an optional feature. It was accidentally present in
>
> It is not an optional feature, in the sense that you *must* have it. However, it is optional
> in the sense that sometimes you must or want to operate closer to the possible
> efficiency, and hiding your physical location/identity is not required.
> In a sane world, >99% of the traffic is not anonymous, on the average.

99% non-anonymous??? I guess in today's internet the average user would rather
need anonymisation "always on" to avoid profiling and lots of other bad stuff.

> > What do you want to tell me?
>
> That the constraints are very different if you're implementing it as a virtual
> layer on top of the existing Internet, or if you're rolling your own infrastructure
> from scratch (=migrating from the virtual implementation using the Internet
> as a transport layer).


Maybe, but I still think it is possible. At least locally in mesh networks.

    -Michi