On Mon, Apr 01, 2019 at 10:45:59PM -0400, grarpamp wrote:
I am personally convinced that a flat traffic shape will only dare attackers to cut links between parts of the network, effectively making an even larger traffic shape to corrilate with.
Today if play the cut links game, eventually a toggled link will expose the traffic you seek, because there's no fill between nodes that automatically takes its place. Your global monitor sees a respective signal slump among the nodes making up the subject path, each node distinguishable by time deltas. Such signal the adversary was probably clocking into it themselves for easier recognition anyway... fetch 1MB, fetch 1MB, fetch 1MB, fetch 1MB... oh noes.
Tor's hidden services are total sitting ducks because of this. Same for likely all current overlay networks in production regardless of whatever service they provide... from traffic, messaging, storage, cryptocurrency, and so on.
There are surely better links from the bib space, yet here are some concepts on generated buckets, retiming, how they can contain full time "empty" fill that yields to wheat demand on the line, traffic contracts, etc therein...
https://en.wikipedia.org/wiki/Generic_cell_rate_algorithm
If all the nodes are independantly maintaining independant traffic contracts between their physical and/or logical peers, cut links won't do hardly as much impact if anything at all...
A \ B + -----> M -----> { U V W X Y Z } C + D /
If nodes ABCD on the left are trafficing through M cloud fanning out to the right mesh towards UVWXYZ, then adversary cutout of D is not visible beyond M if M makes up for D's packet slack on its left contract by continuing to emit the same amount as fill to fulfill its right contract.
M could variously blackball A for non contractual suspect misbehaviour... weird rates, timing anomalies, uptimes, etc.
M could signal BC that they can now renegotiate upwards with M since M now has more rate free on its left.
If M is cut out, the left renegotiates with some L or N nodes via new northern or southern arc routes.
The "shape" or "bitrate" of the contracts could be negotiated as need be, "flat" might not be necessary, so long as the contract is upheld and policed by all participants to it.
Contracts could be one to one, one to many, many to many, physical next IP hop to hop, logical overlay address to address, multiplex, simplex, tunneled, shared, etc. And pertain to bitrates, timing, uptime, any sort of constraints, metadata, etc.
This also makes Sybil's life more difficult... it must now own the full path or it will lose sight due to contracts with non Sybil nodes in the path who are also meshed and contracted out to other non Sybils around ot. Sybil must also uphold all its own contracts or get dropped by other nodes.
I am not convinced low latency systems can be immune to traffic shape corrilation and hence that being said
Copper, Fiber, Radio, etc.. so long as it's quality line rate hardware that can keep up with its advertised rate, their time to transfer data is dependant only on distance, not on how full the line is. Such network hardware is agnostic... fill, wheat... it all gets there in the same time.
When people say "X latency network overlay", they're really referring to the cost of software processing their overlay design on their crappy stack of PC / Phone CPU hardware. And in their transport protocols running on the same... TCP, UDP, etc... all the way down the stack until it hits the real network hardware, which will either happily accept and ship the packet, or drop it.
When people cry about "bandwidth", all they need to do in a fill model is allocate whatever bitrate to it they like and forget it. They're not going to get more bitrate from their ISP than they paid for, and they'll probably contract to the overlay under that so they can do other things with their line. And they're not going to get more wheat bytes across the overlay than a 100% wheat ratio (fill yields to wheat demand) within their contract to the overlay, even if they do disconnect from their byte transfer based ISP / Phone afterwards.
Research would need done into routing models needed to transit traffic across the overlay. ie: TCP can readily jam more yet slower circuits through a full pipe, UDP mix gets dropped routed or reserved for. Raw IP becomes interesting.
As a network HW project for defense in depth...
If hardware makers would add line rate encryption and fill silicon to every physical port on every switch, router, and NIC... mandatory on by default per physical link... that would kill off a lot of vampires.
An open IETF RFC spec for that would cost under $1 per port to integrate into existing silicon port fab worldwide, plus electricity to drive the port which would be estimated as part of the RFC process. Modular agility would not cost much more at scale.
Assuming line rate hardware, there's no latency impact here either.
I think state actors are out of scope of the current threat model of llarp.
If any network application involves free speech, politics, money aka cryptocurrency, business, journalism, industry, messaging, personal affairs, data storage and transfer, basically anything at all... you can be absolutely certain that many State and Other Actors have a serious continuum of interest in it.
Is it the responsibility of each application to develop their own solutions to the threat?
If the state is out to get you I'd just assume that everything arround you is rooted and a wire tap and act accordingly.
No... probably not when many such apps ride on, aggregate muddily over, and depend on networks. All apps can contribute to the development of a diversity sound number of strongly resistant networks that they can then utilize and endorse as they would their own.
Be they overlays on top of the internet, enhancements to the internet, or new guerrilla physical plant...
That process of people contributing to original and ongoing development of new strong networks that are not susceptible to such Basic Bitch Adversaries as Global Vampires, is something more should consider.
Indeed, we'll get there eventually. I am just a guy that made a thing because I thought it was cool.
Same for likely figuring out how to get the deployment Social aspects right so you can circle the network wagons against Sybil.
This may or may not change.
Pity the fool who changes even one satoshi based on the worthless drivel herein :)
Let the record show that I am not the one making the sybil resistance claims it's the coin team that is. I doubt them as well but I am open to being surprised. I orignally had another model in mind for mitigating bad actors on the network that I still plan on implementing (eventually) Effectively it's a f2f mesh connectivity layer to help hide traffic shape. I am not arrogant enough to claim to be able to repell state actors from sqaure one.