[liberationtech] CJDNS hype

Michael Rogers michael at briarproject.org
Wed Aug 7 06:44:11 PDT 2013


On 05/08/13 19:55, Caleb James DeLisle wrote:
> This is good from a capabilities standpoint but it doesn't cover 
> motive which is hugely important to threat modeling. If someone
> has significant resources and their motive is "to cause mayhem",
> securing infrastructure against them is not really possible which
> is why traditional antiterrorism efforts seem incoherent.

Ah! I think you've uncovered an unstated assumption of mine that might
explain a lot of our disagreements.

This conversation started with a question about whether cjdns was
suitable for resisting government censorship. So the adversary I've
been imagining is a government: she has lots of resources, and will be
satisfied if she can make cjdns unusable for some or all users. I
should've made that assumption explicit a long time ago!

The attacks I've been describing - running a bunch of nodes,
infiltrating the social network, attacking the protocol from within,
creating Sybil identities to protect the infiltrators from detection -
are clearly very resource-intensive, and I wouldn't expect anyone less
powerful and organised than a government to carry them out.

Having said that, the adversary I've described isn't omnipotent -
she's a realistic adversary that we might realistically hope to oppose.

> Another motive for localized DoS is to force users to an
> unencrypted channel. If every time the police use encrypted radio
> you jam it, they may be tricked into using unencrypted channels.
> The main defense against this is not to have an insecure backup.

I agree with that defense, but unfortunately there's often an insecure
backup that's outside your control: users can switch to an entirely
different method of communicating.

If the adversary can disrupt cjdns without disrupting the legacy
internet, she can encourage users to switch back to the legacy
internet, where they can be censored and surveilled.

> Also note that localized network outages can be caused by wire
> cutters and/or wifi jammers so a protocol attack may never be the
> most effective approach.

True, but protocol attacks are more selective than physical attacks
and may be harder to attribute. (Of course, the adversary may use both
approaches at once.)

>> How would you find a set of known evil nodes?
> 
> cat-and-mouse games which is why I don't like this approach. You
> could send forwarded packets to nodes to whom you know a direct 
> path and then send them a direct packet asking if they got the 
> forwarded packet. You have to try it a few times to be sure the 
> endpoint is not fooling you and there are still more ways to
> detect and work around it.
> 
> It's not something I'm interested in ever implementing so it's not 
> really worth further discussion.

I agree that these cat-and-mouse games are pointless, which is why I'm
skeptical about vague answers like "use heuristics".

The point I was trying to make in my first email is that the Sybil
attack is actually an entire class of attacks. If you solve one
specific instance, the attacker can just use a different instance. The
same applies to Byzantine routing faults.

Faced with a class of attacks like that, it seems to me that you have
three options:

1. Decide that you can't defend against this class of attacks. This is
a perfectly legitimate option - every system has limits beyond which
it doesn't claim to work. Arguably, Tor succeeded where anonymous
remailers failed because Tor tried to defend against a less powerful,
but still realistic, adversary.

2. Demonstrate that you have a general solution to the entire class of
attacks. This is possible, but the resulting solutions may not be
practical to use - see Perlman's work on Byzantine robust routing and
the SybilGuard family of protocols for two examples.

3. Demonstrate that the entire class of attacks is irrelevant to your
system. For example, a system with no routing doesn't have to worry
about Byzantine routing faults.

It's possible that you've already chosen option 1 and I've
misunderstood the kind of adversary you aim to protect against, in
which case I apologise for wasting your time with this long thread
(although it's taught me a lot about cjdns - thanks for that).

From our discussion so far, I don't think you've chosen option 2 or 3,
because I think we've established the following points:

* Sybil attacks can have (at least) a localised effect
* There's currently no detection or prevention of packet-dropping
attacks, as long as the attacker doesn't drop pings
* Even if a randomly chosen source and a randomly chosen destination
are each surrounded by trustworthy nodes, there isn't necessarily a
physical path between them that only passes through trustworthy nodes

It seems to me that those three points add up to a reasonable doubt
about whether cjdns could be disrupted by a combination of Sybil
attacks and packet-dropping attacks.

I don't think it would be fruitful to simulate a specific attack and
design a specific solution, because we'd just be playing the
cat-and-mouse game in simulation. Instead, let's think about whether
these attack classes are applicable to cjdns in general, and whether
they can be prevented in general or should be ruled out of scope.

>> Unfortunately it's not that simple. You're assuming that from the
>> point of view of a given node, all the Sybils are behind a single
>> edge (an attack edge, in SybilGuard terminology). But a given
>> Sybil may be reachable via multiple attack edges. That's why
>> SybilGuard and its descendants are so complex: before sampling
>> the network to look for clusters, they have to ensure that
>> there's only a single way for samples to reach each node.
> 
> With cjdns there are multiple ways to reach a node but only one
> best way so that's mostly a solved problem.
> 
> A non-adversarial way to look at this proposal is it attempts to
> avoid over-reliance on a single network link. Each edge would just
> appear as a link with a disproportionate number of nodes relying on
> it.

That reminds me of a question I meant to raise earlier in the
conversation - imagine there's a physical path Alice - Bob - Carol -
Dave, and another physical path Alice - Ellie - Carol - Frank. Alice
knows that those paths have different next hops (Bob and Ellie,
respectively), and she knows that they terminate at different nodes
(Dave and Frank, respectively). Can she tell (for example by examining
the switching labels) that both paths pass through Carol?

> You should check out the network, I think you'd find some
> interesting discussions in the dark irc network (irc.hypeirc.net)
> #hyperboria and #cjdns you might also find some people interested
> in helping with briar ;)

Hehe, thanks, I'll see what I can find! :-)

Cheers,
Michael
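The third bullet above (trustworthy neighbourhoods at both ends do not guarantee a trustworthy path between them) and the Alice/Bob/Carol question can both be checked on a toy graph. This is an added illustration, not code from the thread or from cjdns; the topology, the trust labels and the extra node "gina" are constructed here, and the path-sharing check only compares explicit node lists, saying nothing about what cjdns switching labels actually reveal.

```python
from collections import deque

# Constructed topology (not cjdns data): undirected physical links.
# It contains the two paths from the email, Alice-Bob-Carol-Dave and
# Alice-Ellie-Carol-Frank, plus a constructed destination "gina" whose
# only neighbours are Dave and Frank.
LINKS = [
    ("alice", "bob"), ("alice", "ellie"), ("bob", "ellie"),
    ("bob", "carol"), ("ellie", "carol"),
    ("carol", "dave"), ("carol", "frank"), ("dave", "frank"),
    ("dave", "gina"), ("frank", "gina"),
]
# Constructed trust labels: every node except Carol is trustworthy.
TRUSTED = {"alice", "bob", "ellie", "dave", "frank", "gina"}


def build_adjacency(links):
    """Turn an undirected edge list into an adjacency dict of sets."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


ADJ = build_adjacency(LINKS)


def neighbourhood_trusted(adj, trusted, node):
    """True if every direct neighbour of `node` is trustworthy."""
    return all(n in trusted for n in adj[node])


def trusted_path_exists(adj, trusted, src, dst):
    """BFS from src to dst that only forwards through trusted nodes.

    The endpoints themselves are not required to be in `trusted`;
    only the intermediate hops are, since those are the nodes that
    could silently drop data packets while still answering pings."""
    seen = {src}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt == dst:
                return True
            if nxt in trusted and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def shared_intermediates(path_a, path_b):
    """Intermediate nodes (endpoints excluded) both paths depend on."""
    return set(path_a[1:-1]) & set(path_b[1:-1])
```

Alice's and Gina's neighbourhoods are entirely trustworthy, yet no path between them avoids Carol, which is exactly the gap the bullet describes; the same function with Carol added to the trusted set finds a path.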