The Case for Network-Layer,Peer-to-Peer Anonymization

Michael J. Freedman

Emil Sit, Josh Cates, Robert Morris

MIT Lab for Computer Science

IPTPS’02 March 7, 2002

http://pdos.lcs.mit.edu/tarzan/

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 2

• Participant can communicate anonymously with non-participant

• User can talk to CNN.com

User

?

?

• Nobody knows who user is

The Grail of Anonymization

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 3

Our Vision for Anonymization

• Millions of nodes participate• Bounce traffic off one another

• Mechanism to organize nodes: peer-to-peer• All applications can use: IP layer

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 4

Alternative 1: Proxy Approach

• Intermediate node to proxy traffic

• Completely trust the proxy

Anonymizer.com

User Proxy

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 5

Realistic Threat Model

• Corrupt proxy– Adversary runs proxy– Adversary targets proxy and compromises

• Limited, localized network sniffing

• Global passive observer? • Adaptive active adversary?

Use cover network: a different paper

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 6

Failures of Proxy Approach

User ProxyProxy

• Traffic analysis is easy

• Proxy reveals identity

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 7

Failures of Proxy Approach

User Proxy XX

• CNN blocks connections from proxy

• Traffic analysis is easy

• Adversary blocks access to proxy (DoS)

• Proxy reveals identity

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 8

Alternative 2: Centralized Mixnet

User Relay Relay Relay

• MIX encoding creates encrypted tunnel of relays

– Individual malicious relays cannot reveal identity

• Packet forwarding through tunnel

Onion Routing, Freedom

Small-scale, static network, not general-purpose

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 9

Failures of Centralized Mixnet

Relay Relay Relay

• CNN blocks core routers

X

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 10

Relay Relay

Failures of Centralized Mixnet

• CNN blocks core routers

• Adversary targets core routers

RelayRelay

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 11

Relay

Failures of Centralized Mixnet

Relay Relay

• CNN blocks core routers

• Adversary targets core routers

• Allows network-edge analysis

Relay

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 12

Tarzan: Me Relay, You Relay

• Millions of nodes participate

• Build tunnel over random set of nodes

Crowds:

small-scale, not self-organizing, not a mixnet

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 13

Benefits of Peer-to-Peer Design

• No network edge to analyze:

First hop does not know he’s first

?

? ?? ?

• CNN cannot block everybody

• Adversary cannot target everybody

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 14

Managing Peers

• Requires a mechanism that

1. Discovers peers

2. Scalable

3. Robust against adversaries

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 15

• Adversary can join more than once

Due to lack of central authentication

Adversaries Can Join System

• Try to prevent adversary from impersonating

large address space

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 16

Stopping Evil Peers

• Contact peers directly to– Validate IP address

– Learn public key

Adversary can only answer small address space

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 17

Tarzan: Joining the System

1. Contacts known peer in big (Chord) network

2. Learns of a few peers for routing queries

User

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 18

3. Contacts random peers to learn {IP addr, PK}

Performs Chord lookup(random)

Tarzan: Discovering Peers

User

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 19

Tarzan: Building Tunnel

User

4. Iteratively selects peers and builds tunnel

Public-key encrypts tunnel info during setup

Maps flowid session key, next hop IP addr

Tunnel Private AddressPublic Alias

Address

RealIP

Address

PNAT

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 20

IP

Tarzan: Tunneling Data Traffic

5. Reroutes packets over this tunnel

User

APP

Diverts packets to tunnel source router

IP

X

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 21

IP

Tarzan: Tunneling Data Traffic

5. Reroutes packets over this tunnel

User

APP

IPIP

NATs to private address space 192.168.x.x

Layer encrypts packet

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 22

Encapsulates in UDP and forwards packet

Strips off encryption, forwards to next hop

Tarzan: Tunneling Data Traffic

5. Reroutes packets over this tunnel

User

IPIPIP

APP

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 23

IPIP

NATs again to public alias address

Tarzan: Tunneling Data Traffic

5. Reroutes packets over this tunnel

User

APP

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 24

Tarzan: Tunneling Data Traffic

5. Reroutes packets over this tunnel

User

APP

Reads IP headers and sends accordingly

IP

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 25

Response repeats process in reverse

IPIP

Tarzan: Tunneling Data Traffic

5. Reroutes packets over this tunnel

User

IPIPIPIP

APPIPIP

IP

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 26

Tarzan: Tunneling Data Traffic

Transparently supports anonymous servers

Can build double-blinded channels

Server

IPIPIPIP

APP

IPIP

IPIP IPIP

IPIP

IP IP IP IPIP

IP

ObliviousUser

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 27

Tarzan is Fast (Enough)

• Prototype implementation in C++

• Setup time per hop:

~20 ms + transmission time

• Packet forwarding per hop:

< 1 ms + transmission time

• Network latency dominates performance

March 7, 2002 The Case for Network-Layer, Peer-to-Peer Anonymization Page 28

Summary

• Gain anonymity:– Millions of relays

– No centralization

• Transparent IP-layer anonymization– Towards a critical mass of users

Peer-to-Peer design