[liberationtech] CJDNS hype

[Michael Rogers]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 15/07/13 01:49, Mitar wrote:
>> BTW, how do you propose to make Sybil nodes "impossible"?
> 
> I don't. I am just making an argument, that maybe there is some way
> we (or I) don't yet know which would allow us to don't have to
> trust other nodes with anything else that they forward the packet.
> And if they don't, we can maybe detect that and remove them from
> the routing path. So at the end maybe it is not even important if
> Sybil nodes are possible or impossible. You just care if they
> forward the packet. If they do, this is it. If they don't (from
> whatever reason, being malicious or just malperforming), you route
> along that, no? But to be able to route around, you have to be able
> to have multiple paths.

Hi Mitar,

If there's no protection against Sybil attacks then in general it's
impossible to route around faulty nodes or links. The problem is that
in order to detect faults, we have to associate some kind of
reliability measurement with some kind of node or link identifier (for
example, "x percent of packets sent via link y were delivered"). If
there's no Sybil protection then whenever we detect a node or link as
being faulty, the adversary can simply create a new identifier for
that node or link. The adversary can create imaginary networks of
arbitrary size and structure, composed entirely of Sybil identities,
to absorb our measurement resources. It's like playing whack-a-mole
with an infinite number of moles. ;-)

If we consider the most limited form of Sybil protection, where we
know that our immediate neighbours in the network aren't Sybils (for
example, maybe they're people we know in real life) but we don't know
anything about the rest of the network, then we can do a very limited
form of fault detection: we can measure the reliability of each
neighbour, without speculating about what the network beyond that
neighbour looks like, and route around unreliable neighbours.

But that's not as easy as it sounds: if the adversary can distinguish
between different types of packet then she can treat them differently.
For example, if the network uses separate measurement packets and data
packets, the adversary can deliver measurement packets but drop data
packets. If the packets carry source or destination addresses, the
adversary can drop packets with certain sources or destinations while
keeping her overall reliability high. The adversary may be able to
manipulate the reliability measurements without dropping packets, for
example by spoofing addresses or forging measurement packets.

This problem is known as Byzantine robust routing. It was first framed
by Radia Perlman in 1988, and so far nobody's come up with a solution
that doesn't require some kind of limit on the creation of identities.
Many have tried and failed. I was one of them. :-) I don't know enough
about CJDNS to know whether it's solved this problem, but I'll be
pleasantly surprised if it has.

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJR5AyxAAoJEBEET9GfxSfM2OwIALyIROECcLGCiJlyM8DX6IKQ
aQdC4JFfcgsh1poTq1MaHjF1nCUA14OBF73bpxp0iRw8b0fcJ4AwqAlzdDbxL1k0
cfxdaytN6dZPSgQng6jot4o4GzCYdVNdWcAxsycNgohjX0MDa64pe6gJmYmZlmBw
S24FB8ismcMl3Ohyu1mg339NsBzo6is3zKa9/TVp5l5iB/FVFM8yjTewkAgdBFVD
BlOLwEr5h+gHUqTpmmswXbJIcqT9/xe14NogKOgUDUUfpZMe7g0ZWeF7z65FJwLn
C2kVc/HxB85TTmwaGoV/Os79lQALLVNmdafgqHhcRRNTTCRUKcqlgDsZt6/SsEE=
=ud7U
-----END PGP SIGNATURE-----