Active Protocols for Agile
Censor-Resistant Networks
Robert Ricci
Jay Lepreau
University of Utah
May 22, 2001
Key Ideas
Censor-resistant (p2p) publishing is a
compelling and feasible application of
active networking
…through on-demand, rapid,
decentralized, diversification of the
hop-by-hop protocol
We prototyped this in Freenet
Active Networking’s Biggest
Problem
Demand: no killer app
Inherent problem, by definition!
The space of AN protocols is interesting,
not any given protocol
But… a good match for censor-resistant
networks
Censor-Resistant Networks
Goals
– Make intentional deletion or denial of access
infeasible or difficult
– Often: Anonymity
Usually: overlay network
An example: Freenet
– Keyed data retrieval system; routing based on a hash
of key
– Message initiation/relaying look the same
– Copies made along return route for requests:
preserves popular data
Some Problems Facing CRNs
CRN traffic may be identifiable
– Static set of protocols a weakness
Mere membership may be incriminating
– Only identification may be necessary, not
eavesdropping
– Last link vulnerable: mercy of ISP
Users on restricted networks cannot
participate
– But special techniques can get traffic through
firewalls, proxies, etc.
Agile Protocols
Use active networking techniques for
replacement of single-hop protocols
Completely decentralized
– Any node can create a new protocol & pass to its peer
– Rapid response time to censorship
– Nodes can customize for their environment
Unbounded set of protocols
– Attacker cannot even know what percentage of set
they have discovered
Protocol Examples
Disguise and tunnel, e.g. through SMTP,
HTTP
Port-hopping… randomly
Port-smearing (~spread spectrum)
Bounce thru 3rd host
Steganography
…even better in wireless domain:
physical & link level
“Protocol Objects”
Protocol Objects implement replacement
single-hop protocols
Identified by content hash
What About Malicious
Protocol Objects?
Protecting Local Node’s Integrity,
Privacy, and Availability
Threat model like Java applet, but
worse for privacy
– node state: cache contents, neighbor list, IP
addr, username, hard drive contents
– message itself
Integrity and privacy: std type-safety
and namespace isolation
Resource attacks: resource-managing
JVM [OSDI’00, ...]
Publishing-specific DoS
Attacks
Same general issues as malicious nodes
Failure (total or intermittent)
– Either malicious or unintentional
– Heuristic approach: rate Protocol Objects
• Ratings based on success rates for requests
• Evaluate via loopback test harness
– Ratings are node-local
More attacks/responses in paper
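Added example, not from the slides or the Freenet prototype: a Python sketch of how a node could identify Protocol Objects by content hash and keep node-local ratings seeded from loopback results. SHA-256, the 0.5 cut-off and every class and method name here are assumptions; the prototype itself exchanges Java bytecode.

```python
import hashlib


class ProtocolObjectRegistry:
    """Node-local registry: objects keyed by content hash, rated by request success."""

    def __init__(self, min_rating=0.5):
        self.min_rating = min_rating  # hypothetical cut-off, not from the slides
        self._code = {}               # object id -> bytecode
        self._stats = {}              # object id -> [successes, attempts]

    @staticmethod
    def object_id(bytecode):
        # SHA-256 is an assumption; the slides only say "content hash".
        return hashlib.sha256(bytecode).hexdigest()

    def admit(self, advertised_id, bytecode, loopback_outcomes):
        """Store a peer-supplied object if its bytes hash to the advertised id.

        loopback_outcomes: booleans from running the object in a local
        loopback harness; they seed its rating before it carries real traffic.
        """
        oid = self.object_id(bytecode)
        if oid != advertised_id or not loopback_outcomes:
            return False  # substituted code, or never exercised locally
        self._code[oid] = bytecode
        self._stats.setdefault(oid, [0, 0])
        for ok in loopback_outcomes:
            self.record(oid, ok)
        return self.usable(oid)

    def record(self, oid, success):
        """Count one request outcome; ratings never leave this node."""
        stats = self._stats[oid]
        stats[0] += 1 if success else 0
        stats[1] += 1

    def rating(self, oid):
        successes, attempts = self._stats.get(oid, (0, 0))
        return successes / attempts if attempts else 0.0

    def usable(self, oid):
        return oid in self._code and self.rating(oid) >= self.min_rating


if __name__ == "__main__":
    sample = b"\xca\xfe\xba\xbe constructed stand-in for Protocol Object bytecode"
    reg = ProtocolObjectRegistry()
    oid = reg.object_id(sample)
    print(reg.admit(oid, sample, [True, True, True, True]))  # hash matches
    print(reg.admit(oid, sample + b"!", [True]))             # bytes altered
```

An object whose live success rate falls below the cut-off stays stored but is no longer reported as usable, which is the intermittent-failure case the slide describes.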
What About Bootstrapping?
Shared by base Freenet system: must
acquire initial {IP addr, port} out-of-band
Now need {IP addr, byte code}
Quantitative difference ==> qualitative
change?
Memory, piece of paper ==> floppy
disk, email attachment, applet
Conclusion: acceptable
Our Implementation
Prototype based on Freenet system
Peers can exchange Java bytecode for
new protocols
Protocol usage can be asymmetric, can
change on any message boundary
Restricted namespace
Four sample Protocol Objects
‘Classic’ Freenet protocol
HTTPProtocol: Looks (vaguely) like
HTTP
TrickyProtocol: Negotiates port change
after every message
SpreadProtocol: Splits message on
arbitrary byte boundaries, sends each
chunk on a different port
Reprise: AN’s Major Technical
Challenges
Performance: no problem
– In Java already!
– Overlay network: IP not my problem
Security
– Key: change local, keep global protocol
– Global network: domain-specific, therefore tractable.
– Local to node: tractable, based on recent research
Conclusions, Future Work
AN techniques seem likely to improve
the censor-resistance of CR networks
Feasible to implement in existing
systems
Future work
– Implement ratings, etc.
– Evaluate in lab
– Evaluate “in the wild”
Active Networking’s Major
Technical Challenges
Performance
Security
– Local: node
– Global: network
Attacks (cont’d)
Selective failure: targeted censorship
– Solution: encrypt before passing to PO
Attack on document integrity
– Reduce system integrity, or ‘tag’ for tracing
– Solution: secure hash