[liberationtech] RFC: comments on discovery mechanisms

Seth David Schoen schoen at eff.org
Fri Nov 26 18:58:49 PST 2010


Daniel Colascione writes:

> Hello all,
> 
> I've been working sporadically on a paper describing some current
> approaches to the discovery aspect of the circumvention problem, which,
> frankly, is harder than simply moving packets through a firewall. I've
> attached a draft, and I would appreciate any feedback you could provide.

You might be interested in Bram's list at

http://bramcohen.livejournal.com/73933.html

which seemed like a pretty thorough list of relevant tactics within
his taxonomy.

Another point: you mentioned the conventional wisdom that nobody can
scan IPv6 address space.  I think this is clearly true if the address
space owner doesn't want to be scanned (or chooses addresses at random
and is indifferent), but in the scenario you set out it seems that
maybe the address space owner _does_ want to be scanned, and wants to
choose addresses cooperatively in order to be found easily (ideally by
the anticircumvention service users, but not by the censors).

One approach to this would be to agree on a particular address space
assignment algorithm where the lower n bits of the address are chosen
by a cryptographic means so that finding (potentially) valid IP
addresses requires knowing something and/or computing something.  This
suggests several possible address allocation strategies:

- an HMAC of a shared secret with the current date
- an HMAC of a shared secret with the end-user's IP address
- some kind of proof-of-work or proof-of-effort scheme
- hashes of solutions to captchas that are presented in some
  prearranged way or place

I haven't thought about this enough to know whether this approach is
actually good for anything or whether it just adds complexity without
adding security.

Another point is that, if you have enough IP addresses, you could set
up an IP address equivalent to port knocking, where the user has to
connect to IP addresses in a certain sequence in order to get a
service to admit that it's present (or in order to elicit a different
behavior from an existing service).  Here, again, I'm not sure if
there are scenarios where there would be any meaningful security
gain.

If IPv4 address space is exhausted soon, it might become harder or
more expensive for circumvention service operators to get all the
fresh IP addresses they might want.  This is probably a less extreme
concern for services like Tor that directly try to persuade new
populations of end users to start running proxies, as opposed to
services that have to put servers in commercial colocation.

-- 
Seth Schoen
Senior Staff Technologist                         schoen at eff.org
Electronic Frontier Foundation                    https://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     +1 415 436 9333 x107
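The HMAC-based address assignment sketched in the message above, written out as an added example (not code from the post, nor from any deployed circumvention service). It assumes a /64 prefix from the RFC 3849 documentation range, a placeholder shared secret, HMAC-SHA256 as the keyed function, and the ISO date string as the daily context; the "day:" and "client:" domain-separation tags are a choice made here, not something the post specifies.

```python
"""HMAC-derived IPv6 host addresses: an illustrative sketch of the scheme
floated in the message (added example, not code from the post)."""
import hashlib
import hmac
import ipaddress
from datetime import date

# Constructed values: RFC 3849 documentation prefix and a placeholder secret.
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
SHARED_SECRET = b"placeholder-shared-secret"  # hypothetical, not a real key


def derive_address(prefix, secret, context):
    """Fill the host bits of `prefix` with HMAC-SHA256(secret, context).

    The digest is truncated to 128 - prefixlen bits, so for a /64 the
    lower 64 bits of the address are a keyed pseudorandom function of the
    context and cannot be predicted without the secret.
    """
    host_bits = 128 - prefix.prefixlen
    digest = hmac.new(secret, context, hashlib.sha256).digest()
    host_part = int.from_bytes(digest, "big") & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(prefix.network_address) | host_part)


def address_for_day(prefix, secret, day_iso):
    """Variant 1 from the post: HMAC of the secret with the current date."""
    return derive_address(prefix, secret, b"day:" + day_iso.encode())


def address_for_client(prefix, secret, client_ip):
    """Variant 2 from the post: HMAC of the secret with the end-user's IP."""
    packed = ipaddress.ip_address(client_ip).packed
    return derive_address(prefix, secret, b"client:" + packed)


def candidate_addresses(prefix):
    """How many host addresses a party without the secret must probe blindly."""
    return 1 << (128 - prefix.prefixlen)


def server_accepts(prefix, secret, day_iso, dst_address):
    """Server-side check: was the connection made to today's derived address?

    Constant-time comparison so the check itself leaks nothing about the
    expected address.
    """
    expected = address_for_day(prefix, secret, day_iso).packed
    actual = ipaddress.IPv6Address(dst_address).packed
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    today = date.today().isoformat()
    print("today's address:", address_for_day(PREFIX, SHARED_SECRET, today))
    print("address for client 203.0.113.7:",
          address_for_client(PREFIX, SHARED_SECRET, "203.0.113.7"))
    print("blind search space:", candidate_addresses(PREFIX))
```

The example makes the trade-off in the message concrete: the only thing the scheme buys is that a party without the secret faces a 2^64 search of the /64, while anyone holding the secret (a legitimate user, or a censor who has obtained a client) computes every address directly, which is exactly the "complexity without security" question the author leaves open.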
