RemailerNet v0.2 (RN0.2 for short)

1.0 a number N of RN gateways exist
1.1 these communicate using encrypted packets of a fixed length L
1.2 messages may originate from gateways or from outside the network
1.3 messages are passed across the network in packets
1.4 a packet may contain data from 0, 1, or more messages
1.5 routing of the packets is randomized (this does not mean that the probability of a route being chosen is equal for all routes, it means that if N>2, there is no route for which the probability is 1)
1.6 the order of dispatch of packets is randomized
1.7 on average, all gateways are required to send and receive the same number of packets per unit of chronological time
1.8 the dispatch randomization function adjusts the average latency and the distribution of latencies so that the preceding commitment is met, introducing noise packets as required
1.9 mechanisms allow the traffic level to rise quickly but constrain them to fall slowly
1.10 gateways are required to exchange the same number of packets in any session
1.11 inter-gateway connections may be either open at all times (in which case sessions begin only when the connection has gone down by accident) or they may be established periodically

2.0 any message has a source gateway and a destination gateway
2.1 message fragmentation takes place at the source gateway
2.2 message reassembly takes place at the destination gateway
2.3 all packets are acknowledged
2.4 message delivery is reliable, in the sense that the destination gateway will report delivery of incomplete or damaged messages to the gateway
2.5 messages may be sent to a gateway for forwarding to another gateway
2.6 message delivery time can be specified
2.7 message delivery policy can be specified
2.8 delivery policies include (a) hold until picked up, (b) hold for a specified period of time, (c) discard if not received immediately
2.9 gateways should always destroy mail after delivery is acknowledged [unless the mail is to an as-yet-unspecified persistent store]

3.0 gateways frequently exchange routing information
3.1 that routing information has an expiration date
3.2 gateway operators can choose who they announce routing information to and accept routing information from
3.3 gateways can settle accounts with one another periodically

4.0 level 2 gateways will communicate with one another using RN protocols using IP datagrams
4.1 level 1 and 2 gateways will communicate using the same protocols using email (SMTP) datagrams
4.2 where gateways are operated by users, the requirement that gateways should exchange the same number of packets per unit time would be weakened in some as yet unspecified way

5.0 end users may either operate gateways or communicate with a level 1 or 2 gateway using email
5.1 in either case, users may have accounts with gateways and may be charged for usage

6.0 RN gateway software should be available only from trusted sites by FTP
6.1 RN bootstrap software should be available on diskette
6.2 the bootstrap software should allow the secure downloading of system updates over RemailerNet

7.0 an alt.? group could be used to announce new gateways
7.1 established gateways would be encouraged to rate new gateways
7.2 software updates would be announced in the alt.? group
7.3 a FAQ would be published in the alt.? group every ten days or so

8.0 users would be encouraged to use gateways in geographically distant locations

--
Jim Dixon

[adding the notion of a persistent store would allow the creation of electronic safety deposit boxes]

I'm glad to see Jim's description of his RemailerNet v0.2. I still have a few questions, though.

What is the goal of the RN as far as defeating traffic analysis? Is it just to get messages from one "gateway" to another? Or is there also a desire to prevent traffic analysis from one non-gateway end user to another?

What are the allowed capabilities of the opponent? Can he watch all of the links? Can he subvert some gateways?

Does every user expose the source and destination information of his messages to the initial gateway? What other information is sent by the user to the RN?

Are there any limitations on the information which spreads through the RN? E.g. are gateways allowed to send source/dest information along with the messages?

Here are some questions related to Jim's specific points:

> 1.6 the order of dispatch of packets is randomized

For 1.5 you defined what randomized means. What does it mean here?

> 1.7 on average, all gateways are required to send and receive the same number of packets per unit of chronological time

Do you mean that all gateways send the same number of packets per time all the time? E.g. all gateways send 100 packets per hour all the time?

> 1.8 the dispatch randomization function adjusts the average latency and the distribution of latencies so that the preceding commitment is met, introducing noise packets as required

This could be accomplished by adding no latency at all during times when the incoming traffic load happens to equal the desired internal traffic level. But presumably some latency is actually used to provide reordering. What rule would determine how much latency would be used in that case?

> 1.10 gateways are required to exchange the same number of packets in any session

What is a session? Do you mean, during every session exactly (say) 1000 packets will be exchanged, or do you mean, during any session the number of packets exchanged by each gateway will equal the number exchanged by every other gateway (but this number may vary from session to session)?

> 2.4 message delivery is reliable, in the sense that the destination gateway will report delivery of incomplete or damaged messages to the gateway

To which gateway? The source gateway?

> 4.2 where gateways are operated by users, the requirement that gateways should exchange the same number of packets per unit time would be weakened in some as yet unspecified way

Why do this?

> 5.1 in either case, users may have accounts with gateways and may be charged for usage

What gateways would be in a position to charge users? Only the source gateway? The destination gateway? Others in between?

> 6.0 RN gateway software should be available only from trusted sites by FTP

What are you trying to prevent by this, and what would happen if someone wrote his own version of the RN software?

> 7.1 established gateways would be encouraged to rate new gateways

What kind of information would be available to them to create the ratings?
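
The constant-rate link behaviour in points 1.1, 1.6, 1.7 and 1.8, and the latency question raised about 1.8, can be seen in a small simulation. This is an added example, not part of either message and not RemailerNet code; `PACKET_LEN`, `RATE`, the sample load and the one-link model are assumptions made for illustration.

```python
import random

PACKET_LEN = 64  # fixed packet length L from 1.1 (value assumed)
RATE = 4         # packets per tick on one link, per 1.7 (value assumed)

# Constructed sample load: tick -> messages submitted at the source gateway.
ARRIVALS = {0: [b"a" * 200], 1: [b"b" * 300, b"c" * 64], 5: [b"d" * 10]}

def fragment(message):
    """2.1: split at the source gateway and pad every piece to PACKET_LEN."""
    return [message[i:i + PACKET_LEN].ljust(PACKET_LEN, b"\0")
            for i in range(0, len(message), PACKET_LEN)]

def simulate(arrivals, ticks, seed=1):
    """Return (wire, latencies); wire[t] is what the link carries in tick t."""
    rng = random.Random(seed)  # seeded for a repeatable demo, not a CSPRNG
    pool, wire, latencies = [], [], []
    for tick in range(ticks):
        for msg in arrivals.get(tick, []):
            pool.extend((tick, frag) for frag in fragment(msg))
        sent = []
        for _ in range(RATE):
            if pool:  # 1.6: dispatch order is a random draw from the pool
                arrived, frag = pool.pop(rng.randrange(len(pool)))
                latencies.append(tick - arrived)
                sent.append(("real", frag))
            else:     # 1.8: fill the slot with a noise packet
                noise = bytes(rng.getrandbits(8) for _ in range(PACKET_LEN))
                sent.append(("noise", noise))
        wire.append(sent)
    return wire, latencies

def summarize(wire):
    """Per-tick (total, real) counts; a link observer sees only the total."""
    return [(len(s), sum(kind == "real" for kind, _ in s)) for s in wire]

if __name__ == "__main__":
    wire, latencies = simulate(ARRIVALS, ticks=8)
    for tick, (total, real) in enumerate(summarize(wire)):
        print(f"tick {tick}: {total} packets on the wire, {real} real")
    print("latencies in ticks:", sorted(latencies))
```

With this fill-every-slot rule a packet is delayed only when the load exceeds `RATE`, so reordering happens only among packets that share a tick; a deliberate holding rule, which the 1.8 question asks about, would have to be added on top.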

participants (2): Hal, jdd@aiki.demon.co.uk