The Case for Network-Layer, Peer-to-Peer Anonymization
Michael J. Freedman
Emil Sit, Josh Cates, Robert Morris
MIT Lab for Computer Science
IPTPS’02 March 7, 2002
http://pdos.lcs.mit.edu/tarzan/
March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 2
The Grail of Anonymization
• Participant can communicate anonymously with non-participant
• User can talk to CNN.com
• Nobody knows who user is
Our Vision for Anonymization
• Millions of nodes participate
• Bounce traffic off one another
• Mechanism to organize nodes: peer-to-peer
• All applications can use: IP layer
Alternative 1: Proxy Approach
• Intermediate node to proxy traffic
• Completely trust the proxy
Anonymizer.com
Realistic Threat Model
• Corrupt proxy
– Adversary runs proxy
– Adversary targets proxy and compromises
• Limited, localized network sniffing
• Global passive observer?
• Adaptive active adversary?
Use cover network: a different paper
Failures of Proxy Approach
• CNN blocks connections from proxy
• Traffic analysis is easy
• Adversary blocks access to proxy (DoS)
• Proxy reveals identity
Alternative 2: Centralized Mixnet
• MIX encoding creates encrypted tunnel of relays
– Individual malicious relays cannot reveal identity
• Packet forwarding through tunnel
Onion Routing, Freedom
Small-scale, static network, not general-purpose
Failures of Centralized Mixnet
• CNN blocks core routers
• Adversary targets core routers
• Allows network-edge analysis
Tarzan: Me Relay, You Relay
• Millions of nodes participate
• Build tunnel over random set of nodes
Crowds: small-scale, not self-organizing, not a mixnet
Benefits of Peer-to-Peer Design
• No network edge to analyze: first hop does not know he’s first
• CNN cannot block everybody
• Adversary cannot target everybody
Managing Peers
• Requires a mechanism that
1. Discovers peers
2. Is scalable
3. Is robust against adversaries
Adversaries Can Join System
• Adversary can join more than once
– Due to lack of central authentication
• Try to prevent adversary from impersonating large address space
Stopping Evil Peers
• Contact peers directly to
– Validate IP address
– Learn public key
Adversary can only answer small address space
Tarzan: Joining the System
1. Contacts known peer in big (Chord) network
2. Learns of a few peers for routing queries
Tarzan: Discovering Peers
3. Contacts random peers to learn {IP addr, PK}
– Performs Chord lookup(random)
Tarzan: Building Tunnel
4. Iteratively selects peers and builds tunnel
– Public-key encrypts tunnel info during setup
– Maps flowid to session key, next hop IP addr
[Diagram labels: Real IP Address, Tunnel Private Address, Public Alias Address, PNAT]
Tarzan: Tunneling Data Traffic
5. Reroutes packets over this tunnel
– Diverts packets to tunnel source router
– NATs to private address space 192.168.x.x
– Layer encrypts packet
– Encapsulates in UDP and forwards packet
– Strips off encryption, forwards to next hop
– NATs again to public alias address
– Reads IP headers and sends accordingly
– Response repeats process in reverse
Tarzan: Tunneling Data Traffic
Transparently supports anonymous servers
Can build double-blinded channels
[Diagram labels: Server, Oblivious User]
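Added example, not part of the original slides or the Tarzan prototype: a sketch of the tunnel data path described above, where each relay keeps a flowid to (session key, next hop) table and strips exactly one encryption layer. Assumptions: the SHA-256 keystream is a toy stand-in for a real cipher, the 4-byte flowid prefix, relay addresses and "EXIT" marker are constructed, and flow state is installed directly instead of through public-key-encrypted setup messages.

```python
import hashlib
import os

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream): a stand-in, no nonce or MAC."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class Relay:
    def __init__(self):
        self.flows = {}  # flowid -> (session key, next hop IP addr)

    def forward(self, datagram: bytes):
        """Strip one encryption layer and hand the rest to the next hop."""
        flowid, body = datagram[:4], datagram[4:]
        key, next_hop = self.flows[flowid]  # unknown flowid raises KeyError: drop
        return next_hop, stream_xor(key, body)

def wrap(hops, ip_packet: bytes) -> bytes:
    """Tunnel source: add the last hop's layer first, the first hop's layer last."""
    data = ip_packet
    for flowid, key in reversed(hops):
        data = flowid + stream_xor(key, data)
    return data

def run_tunnel(ip_packet: bytes, path=("10.0.0.1", "10.0.0.2", "10.0.0.3")):
    """Build a tunnel over constructed relay addresses and push one packet through."""
    relays, hops = {ip: Relay() for ip in path}, []
    for i, ip in enumerate(path):
        flowid, key = os.urandom(4), os.urandom(16)
        next_hop = path[i + 1] if i + 1 < len(path) else "EXIT"
        # Assumption: in a real setup this state arrives public-key encrypted.
        relays[ip].flows[flowid] = (key, next_hop)
        hops.append((flowid, key))
    data, at, on_wire = wrap(hops, ip_packet), path[0], []
    while at != "EXIT":
        on_wire.append((at, data))  # what an observer of this link sees
        at, data = relays[at].forward(data)
    return data, on_wire

if __name__ == "__main__":
    out, wire = run_tunnel(b"GET / HTTP/1.0 (constructed packet)")
    print(out, [(ip, len(d)) for ip, d in wire])
```

Each relay learns only its own session key and next hop, so the original packet is readable only after the last layer is removed.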
Tarzan is Fast (Enough)
• Prototype implementation in C++
• Setup time per hop: ~20 ms + transmission time
• Packet forwarding per hop: < 1 ms + transmission time
• Network latency dominates performance
Summary
• Gain anonymity:
– Millions of relays
– No centralization
• Transparent IP-layer anonymization
– Towards a critical mass of users
Peer-to-Peer design