Active Protocols for Agile Censor-Resistant Networks
Robert Ricci, Jay Lepreau
University of Utah
May 22, 2001

Key Ideas
- Censor-resistant (p2p) publishing is a compelling and feasible application of active networking
  …through on-demand, rapid, decentralized diversification of the hop-by-hop protocol
- We prototyped this in Freenet

Active Networking’s Biggest Problem
- Demand: no killer app
- Inherent problem, by definition!
- The space of AN protocols is interesting, not any given protocol
- But… a good match for censor-resistant networks

Censor-Resistant Networks
- Goals
  - Make intentional deletion or denial of access infeasible or difficult
  - Often: Anonymity
- Usually: overlay network
- An example: Freenet
  - Keyed data retrieval system; routing based on a hash of key
  - Message initiation/relaying look the same
  - Copies made along return route for requests: preserves popular data

Some Problems Facing CRNs
- CRN traffic may be identifiable
  - Static set of protocols a weakness
- Mere membership may be incriminating
  - Only identification may be necessary, not eavesdropping
  - Last link vulnerable: mercy of ISP
- Users on restricted networks cannot participate
  - But special techniques can get traffic through firewalls, proxies, etc.

Agile Protocols
- Use active networking techniques for replacement of single-hop protocols
- Completely decentralized
  - Any node can create a new protocol & pass to its peer
  - Rapid response time to censorship
  - Nodes can customize for their environment
- Unbounded set of protocols
  - Attacker cannot even know what percentage of set they have discovered

Protocol Examples
- Disguise and tunnel, e.g. through SMTP, HTTP
- Port-hopping… randomly
- Port-smearing (~spread spectrum)
- Bounce thru 3rd host
- Steganography
- …even better in wireless domain: physical & link level

“Protocol Objects”
- Protocol Objects implement replacement single-hop protocols
- Identified by content hash

What About Malicious Protocol Objects?
Protecting Local Node’s Integrity, Privacy, and Availability
- Threat model like Java applet, but worse for privacy
  - node state: cache contents, neighbor list, IP addr, username, hard drive contents
  - message itself
- Integrity and privacy: std type-safety and namespace isolation
- Resource attacks: resource-managing JVM [OSDI’00, ...]

Publishing-specific DoS Attacks
- Same general issues as malicious nodes
- Failure (total or intermittent)
  - Either malicious or unintentional
  - Heuristic approach: rate Protocol Objects
    - Ratings based on success rates for requests
    - Evaluate via loopback test harness
  - Ratings are node-local
- More attacks/responses in paper

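A sketch of the node-local rating heuristic from this slide, combined with the content-hash identifiers from the “Protocol Objects” slide. This is an added example, not code from the authors' prototype; SHA-256, the smoothed success-rate formula, the 0.5 threshold and all names are assumptions, and the codecs are constructed stand-ins for loaded Protocol Objects.

```python
import hashlib

def po_id(bytecode: bytes) -> str:
    return hashlib.sha256(bytecode).hexdigest()  # SHA-256 is an assumption

class ProtocolObjectRatings:
    """Node-local ratings for Protocol Objects, keyed by content hash."""
    def __init__(self, min_rating=0.5):  # threshold is an assumption
        self.min_rating = min_rating
        self.stats = {}  # po_id -> [successes, attempts]

    def admit(self, advertised_id, bytecode):
        if po_id(bytecode) != advertised_id:  # bytes must match advertised hash
            return False
        self.stats.setdefault(advertised_id, [0, 0])
        return True

    def record(self, pid, ok):
        self.stats[pid][0] += int(ok)
        self.stats[pid][1] += 1

    def rating(self, pid):
        ok, n = self.stats[pid]
        return (ok + 1) / (n + 2)  # smoothed success rate; untested object = 0.5

    def usable(self, pid):
        return pid in self.stats and self.rating(pid) >= self.min_rating

    def loopback_test(self, pid, encode, decode, samples):
        for msg in samples:  # round-trip each message before live use
            try:
                ok = decode(encode(msg)) == msg
            except Exception:  # a crashing object counts as a failed request
                ok = False
            self.record(pid, ok)

# Constructed stand-ins for loaded Protocol Objects: (bytecode, encode, decode).
SAMPLES = [b"request:key1", b"data:hello", b"\x00\xff" * 8]
GOOD = (b"good-po-bytecode", lambda m: m[::-1], lambda w: w[::-1])
LOSSY = (b"lossy-po-bytecode", lambda m: m[:-1], lambda w: w)  # drops a byte

def demo():
    reg, out = ProtocolObjectRatings(), {}
    for name, (code, enc, dec) in (("good", GOOD), ("lossy", LOSSY)):
        pid = po_id(code)
        reg.admit(pid, code)
        reg.loopback_test(pid, enc, dec, SAMPLES)
        out[name] = (reg.rating(pid), reg.usable(pid))
    out["tampered"] = reg.admit(po_id(GOOD[0]), GOOD[0] + b"!")
    return out
```

Because the ratings live only in the local `stats` table, a peer cannot inflate an object's score; it can only hand over bytes, which are rejected if they do not hash to the advertised identifier.
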
What About Bootstrapping?
- Shared by base Freenet system: must acquire initial {IP addr, port} out-of-band
- Now need {IP addr, byte code}
- Quantitative difference ==> qualitative change?
  Memory, piece of paper ==> floppy disk, email attachment, applet
- Conclusion: acceptable

Our Implementation
- Prototype based on Freenet system
- Peers can exchange Java bytecode for new protocols
- Protocol usage can be asymmetric, can change on any message boundary
- Restricted namespace

Four sample Protocol Objects
- ‘Classic’ Freenet protocol
- HTTPProtocol: Looks (vaguely) like HTTP
- TrickyProtocol: Negotiates port change after every message
- SpreadProtocol: Splits message on arbitrary byte boundaries, sends each chunk on a different port

Reprise: AN’s Major Technical Challenges
- Performance: no problem
  - In Java already!
  - Overlay network: IP not my problem
- Security
  - Key: change local, keep global protocol
  - Global network: domain-specific, therefore tractable.
  - Local to node: tractable, based on recent research

Conclusions, Future Work
- AN techniques seem likely to improve the censor-resistance of CR networks
- Feasible to implement in existing systems
- Future work
  - Implement ratings, etc.
  - Evaluate in lab
  - Evaluate “in the wild”

Active Networking’s Major Technical Challenges
- Performance
- Security
  - Local: node
  - Global: network

Attacks (cont’d)
- Selective failure: targeted censorship
  - Solution: encrypt before passing to PO
- Attack on document integrity
  - Reduce system integrity, or ‘tag’ for tracing
  - Solution: secure hash