security and hidden networks (was On the LAM--Local Area Mixes)
summary: this post suggests that technically, routing through a sub-network does not necessarily increase complexity or hinder traffic analysis, as it can be treated as a virtual node. given that, LAM-type networks may not provide much protection in a politically unkind environment. i also suggest a way of rating (or classifying) secure networks based on how well they hide suspect data and routes in other traffic.

as this is in response to tim may's LAM post, i'll respond quoting that. Tim May <tcmay@got.net> writes:
> A message would enter the physical site, bounce around to N machines, and exit, perhaps going to other machines and sites, and back again, etc. (The image was of perhaps 20 or 30 cheap PCs linked with Ethernet in a set of apartments in Berkeley--obtaining search warrants or court orders to allow monitoring of all 20 or 30 machines, scattered across several physical addresses, would be "problematic.")
i won't repeat my objections to a reliance on "problematic" court orders, which i've made in another post. let us simply assume, for example, that i am the NSA, and i don't need court orders, but i'm a sneaky sort so i don't want to go in with guns blazing just yet.

Alice has a network, alice.net, 10.1.1.0. she has many machines on this network, some hers, some belonging to Bob. when Alice and Bob plan stink-bomb attacks on the IRS (sorry, when they, or Li-Xia and Bu-pang, write articles on human rights violations in xinjiang) to Carol and David, outside their network, they first bounce their packets around their 30 machines. i sniff all packets going into and out of the network 10.1.1.0, from the upstream provider (Alice has her whole building in a faraday cage, which is ok because she never tries to use her mobile phone indoors).

so. does it matter in the least, to me, whether alice wrote her last rant from kitchen.alice.net (10.1.1.1) or garage.alice.net (10.1.1.2) or whether it was actually Bob - Bob Inc, to be safe - from 10.1.1.33? it could matter politically/legally (if i wanted to prosecute) or technically (if i want to trace traffic down, to, from or through alice's net).

technically first: it doesn't really matter. i treat alice's net as a hermetically sealed virtual "node"...
> -- the routing topology of the site may be an interesting area to look at. Ideally, a "Linda"-like broadcast topology (all machines see all packets, like messages in a bottle thrown into the "sea") could have certain
... which is all the more correct topologically if broadcast addresses (10.1.1.255) are used. so i treat alice's net as a single node, and monitor traffic as it enters and leaves that "node", just as i would monitor traffic entering and leaving a single machine, without caring much which disk drive or memory bank it passed through. with a single physical entry and exit point to the network it can be treated exactly as if it were a single node for the purposes of any traffic analysis (security/traceability). multiple physical connections might complicate it slightly, but if i'm sniffing them all, and they connect to the same set of machines (i.e. the same network), not much (if it's IP the address spaces may differ but that's a minor matter).

depending on what remailer math tells us - and we really do need remailer math, as tim pointed out! - bouncing traffic around sub-nets may have little impact on security. it could remain the same; i don't see how it could become much better; it could plausibly get worse, if multiple nodes in a single subnet can eat into your random route hops, resulting in concentration of traffic through fewer virtual "nodes". the only situation in which this isn't true is if the source and destination of traffic are both within the sealed network - presumably what would happen most of the time with tim's suggestion of voice/high-bandwidth stuff.

now for the political/legal bit. given that i'd like to see cypherpunk technology as daring enough to be of use outside western democracies, let's look at a slightly challenging situation. you're a bunch of people, each with your own firm for added safety, in this building. now i'm not a decent american cop, worried about court orders etc. ok, i don't exactly want to shoot all of you at once. but if i am satisfied (which i could be, using technical methods) that lots of "suspicious" stuff is coming from your network, then i'll certainly come in and reeducate you all on your "errors and distortions."
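The virtual-node argument above, as an added example that is not part of the original post: a small model of what a sniffer on the single upstream link of alice.net records. The hosts, the outside correspondent Carol and the packet lists are constructed for illustration; the point it makes computable is that an internally bounced route and a direct one produce the same upstream view, and that same-subnet hops collapse into one virtual node.

```python
"""Model of the 'virtual node' argument: an observer tapping the single
upstream link of alice.net (10.1.1.0/24) only sees packets that cross
that link, so bouncing among machines inside the subnet is invisible.
Constructed example; the addresses and packets are illustrative."""
import ipaddress

ALICE_NET = ipaddress.ip_network("10.1.1.0/24")   # the LAM's address space


def upstream_view(packets, site=ALICE_NET):
    """Flows recorded by an upstream sniffer, as sorted (src, dst) pairs
    with every site address collapsed to the site itself.  Packets with
    both endpoints inside the site never reach the upstream link; packets
    with both endpoints outside don't belong to this link at all."""
    def collapse(addr, inside):
        return str(site) if inside else addr

    seen = []
    for src, dst in packets:
        s_in = ipaddress.ip_address(src) in site
        d_in = ipaddress.ip_address(dst) in site
        if s_in == d_in:              # purely internal or purely external
            continue
        seen.append((collapse(src, s_in), collapse(dst, d_in)))
    return sorted(seen)


def virtual_hops(route, site=ALICE_NET):
    """Distinct virtual nodes in a remailer route: every hop inside the
    site counts as the same node, which is how same-subnet hops eat into
    the effective length of a random route."""
    return len({str(site) if ipaddress.ip_address(h) in site else h
                for h in route})


# Constructed scenarios.  Carol is a correspondent outside alice.net.
CAROL = "192.0.2.10"
DIRECT = [("10.1.1.1", CAROL)]                      # kitchen -> carol
BOUNCED = [("10.1.1.1", "10.1.1.2"),                # kitchen -> garage
           ("10.1.1.2", "10.1.1.33"),               # garage -> bob inc
           ("10.1.1.33", CAROL)]                    # bob inc -> carol

if __name__ == "__main__":
    # The sniffer cannot tell the two scenarios apart.
    print(upstream_view(DIRECT) == upstream_view(BOUNCED))          # True
    # A 4-hop route with 3 hops inside alice.net is 2 virtual nodes.
    print(virtual_hops(["10.1.1.1", "10.1.1.2", "10.1.1.33", CAROL]))  # 2
```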
(sorry, just finished a week of watching andrzej wajda films at a retrospective.)

oho. it's a BIG building. and i don't really suspect all of you. ok, i go have a chat with the network admin - Alice - and hold her responsible. she has great respect for the government and police and would never write such a nasty thing as "the state tortures political prisoners"? uh oh. so i tell her that for the good of the country she must let someone listen in at her machine ("you didn't keep logs? ah, that was a mistake, no?") - i'm now inside, and the sealed network shrinks. of course if i'm impatient and don't believe her innocent approach, i just use the rubber hose. the same goes for multiple physical links into the same network.

can _technology_ - rather than relying on law-abiding cops, and rights-abiding laws - provide a solution? the key is the BIG building. the more non-suspicious routes there are - i.e. routes through normal, unsuspected people, typically but not necessarily outside the physically well-protected area - the harder it is to usefully treat a network as a virtual node. looking at 10.1.1.0 as a node may help, just 256 people there; but 10.1.0.0 is a bit big to make a coherent "node". so although a LAM may be a great way to _test_ new tech and protocols out, i'd think it a big mistake to actually deploy it, as it were, on a large scale. it wouldn't help at all in the tough spots, and it would only serve to make the easier spots tougher, strengthening the immune system of would-be tyrannical states (i.e. the nicer western democracies). in general "WAMs" would be much more helpful and secure.

the other thing that helps is of course the degree of non-suspicious traffic on suspected routes. putting them together, i think you can get some measure of the utility of a protocol and topology.
the ideal would a) make it technically impossible to trace the route of suspicious traffic; and b) make it politically/legally difficult to prosecute originators/destinations of suspicious traffic. it would do this by a) blurring the distinction between suspicious and "regular" routes; b) making it difficult to distinguish suspicious from harmless traffic on those routes; and c) making it difficult or impossible to block suspicious routes or intercept/monitor suspicious traffic without causing unacceptable deterioration of service for "ordinary" traffic.

two ratios seem useful to me as a way of organising cryptoanarchic network protocols: suspicious routes/ordinary routes, and suspicious/ordinary traffic on any route. an ideal universal DC-Net with padding to keep constant throughput would have both ratios tending towards 1 - there is only one route - broadcast - for everyone; and traffic is constant so the degree of really suspicious stuff is unknown. pure Blacknet-type systems tend towards [1,0] - there is only one route, assuming everyone uses it, but without padding you could suspect all traffic. Pipenet tends towards [0,1] - there are many routes, and they're all pretty suspicious as it's possible for the monitor to discriminate among them; but traffic is constant, so you don't know when to suspect.

regards,
rishab

First Monday - The Peer-Reviewed Journal on the Internet http://www.firstmonday.dk/
Munksgaard International Publishers, Copenhagen
Intl & Managing Editor - Rishab Aiyer Ghosh (ghosh@firstmonday.dk)
Mobile +91 98110 14574; Fax +91 11 2209608; Tel +91 11 2454717
A4/204 Ekta Apts., 9 Indraprastha Extn, New Delhi 110092 INDIA