From toad at amphibian.dyndns.org Mon Mar 5 16:38:54 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Mon, 5 Mar 2007 16:38:54 +0000
Subject: [Tech] FYI: Anonymous networks vulnerable to attacks with fake routing data
Message-ID: <20070305163854.GG29425@amphibian.dyndns.org>

We have been aware of this style of attack for a while, but it shouldn't
be possible on darknet. On opennet, of course, very similar attacks are
possible.

On Wed, Feb 28, 2007 at 08:22:36AM +0100, bbackde at googlemail.com wrote:
> I don't know if this is old news.
>
> See http://www.heise-security.co.uk/news/85965
>
> (German: http://www.heise.de/newsticker/meldung/85944 )

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://emu.freenetproject.org/pipermail/tech/attachments/20070305/adf79043/attachment.pgp

From freenet-tech at david.sowder.com Mon Mar 5 20:08:10 2007
From: freenet-tech at david.sowder.com (David Sowder (Zothar))
Date: Mon, 05 Mar 2007 14:08:10 -0600
Subject: [Tech] Small World
Message-ID: <45EC78AA.3010008@david.sowder.com>

I'm trying to resolve something in my mind about the small world model
and how it relates to Freenet. My understanding has been that the
relation was in Freenet node location distances, and my assumption was
that the swapping algorithm was intended to optimize the "small world
model" of an arbitrary set of connections such that, in my mind, it
would theoretically settle on all nodes having a small world
distribution of peers: increasing numbers of peers at shorter distances
from a given node.

Toad has informed me on IRC a bit ago that the swapping algorithm does
not make arbitrary interconnections achieve "small world", which leaves
me with these questions:

Is there more than one metric for which we are trying to achieve "small
world"?
If so, could that be confusing things for others as well?

Can a given node and a list of potential peers be used to create a small
world model, at least from the perspective of the given node? I assume
this is somehow possible, as I understand it that opennet will be doing
this.

Some of you may already know where I'm likely going with this. What can
opennet built into fred do that a program like refbot.py couldn't do?
Could refbot.py potentially, say, add 50 peers and then remove (in an
orderly fashion) all but 15 based on a small world location/distance
distribution to achieve a small world model if, say, all/most nodes were
using this same algorithm?

From Colin at sq7.org Mon Mar 5 20:37:22 2007
From: Colin at sq7.org (Colin Davis)
Date: Mon, 05 Mar 2007 15:37:22 -0500
Subject: [Tech] Small World
In-Reply-To: <45EC78AA.3010008@david.sowder.com>
References: <45EC78AA.3010008@david.sowder.com>
Message-ID: <45EC7F82.6070108@sq7.org>

I've thought about this before, but it's difficult to do that in a way
that's both difficult to harvest lists of opennet users from, and not
having external requirements.

You could arrange and find partners through IRC, but then it's trivial
for someone to /join that IRC channel and watch who's connecting, and it
could be blocked by blocking IRC..

The best answer that I could come up with was to post noderefs to
Freenet, NIM-style.. That would be in-band, so it wouldn't be any more
blockable than the rest of freenet.. It would still be harvestable,
though, and it would require you to connect with at least one darknet
user before Open-net could start..

Personally, I think that's a good requirement ;)

-Colin

David Sowder (Zothar) wrote:
> I'm trying to resolve something in my mind about the small world model
> and how it relates to Freenet. My understanding has been that the
> relation was in Freenet node location distances, and my assumption was
> that the swapping algorithm was intended to optimize the "small world
> model" of an arbitrary set of connections such that, in my mind, it
> would theoretically settle on all nodes having a small world
> distribution of peers: increasing numbers of peers at shorter distances
> from a given node.
>
> Toad has informed me on IRC a bit ago that the swapping algorithm does
> not make arbitrary interconnections achieve "small world", which leaves
> me with these questions:
>
> Is there more than one metric for which we are trying to achieve "small
> world"? If so, could that be confusing things for others as well?
>
> Can a given node and a list of potential peers be used to create a small
> world model, at least from the perspective of the given node? I assume
> this is somehow possible, as I understand it that opennet will be doing
> this.
>
> Some of you may already know where I'm likely going with this. What can
> opennet built into fred do that a program like refbot.py couldn't do?
> Could refbot.py potentially, say, add 50 peers and then remove (in an
> orderly fashion) all but 15 based on a small world location/distance
> distribution to achieve a small world model if, say, all/most nodes were
> using this same algorithm?
> _______________________________________________
> Tech mailing list
> Tech at freenetproject.org
> http://emu.freenetproject.org/cgi-bin/mailman/listinfo/tech

From Colin at sq7.org Mon Mar 5 20:49:17 2007
From: Colin at sq7.org (Colin Davis)
Date: Mon, 05 Mar 2007 15:49:17 -0500
Subject: [Tech] [freenet-dev] Easier reference swapping
In-Reply-To: <20070305203131.GF937@freenetproject.org>
References: <20070305174545.GA29567@amphibian.dyndns.org> <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <45EC784B.3020908@sq7.org> <20070305203131.GF937@freenetproject.org>
Message-ID: <45EC824D.5040609@sq7.org>

I'm sorry that I'm being dim-
Could you please explain how the network topography is exposed? I'm sure
you're right, I'm just missing it.

If we have two clients, A and B, who want to talk to one another.. Both
are behind Firewalls..

* A calls up B, and tells him "Connect to me, at 11.22.33.44, password
'Bob is a super cool password'"

* B says sure, and clicks the "Connect to a new client" icon in Fred,
enters the IP and password.

* B's machine starts sending Freenet packets to A, thus opening up a NAT
hole to his machine through the UDP trick.

* B then tells A "It's running! Add my computer back. Mine is
22.33.44.55, and the password is 'Donkeys are really cool, and I like
the way they look'"

* A adds B's IP and password, and starts sending Freenet packets to B.
* A's machine is now exposed, through the UDP trick.

* B's packets, which he is still sending, get through.
* A's packets get through to B.

* Now that they're talking, they exchange signed keys (real noderefs),
so next time they don't need to do the passwords.

* Fred disables the passwords.

Nothing has required the use of a third party, other than the telephone
call between the two of them to share the passwords.
-Colin

>> When Side-A added the noderef of B, it would start sending out packets
>> to B, knowing that they won't get returned.. But the sending of these
>> packets would open a NAT-hole..
>> Then, Side-B would get around to adding the noderef of A, and start
>> sending packets to A, opening a NAT-hole on their own side.. Side A's
>> packets then get in through this hole, just as B's now arrive at A.
>>
>> What am I missing?
>>
>> -Colin

From nextgens at freenetproject.org Mon Mar 5 21:07:08 2007
From: nextgens at freenetproject.org (NextGen$)
Date: Mon, 5 Mar 2007 21:07:08 +0000
Subject: [Tech] [freenet-dev] Easier reference swapping
In-Reply-To: <45EC824D.5040609@sq7.org>
References: <20070305174545.GA29567@amphibian.dyndns.org> <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <45EC784B.3020908@sq7.org> <20070305203131.GF937@freenetproject.org> <45EC824D.5040609@sq7.org>
Message-ID: <20070305210705.GG937@freenetproject.org>

* Colin Davis [2007-03-05 15:49:17]:
> I'm sorry that I'm being dim-
> Could you please explain how the network topography is exposed? I'm sure
> you're right, I'm just missing it.

Well, your solution is about shortening the reference. I thought you were
trying to address the node installation/deployment problem without emu/the
mirroring system.

NextGen$

> If we have two clients, A and B, who want to talk to one another.. Both
> are behind Firewalls..
>
> * A calls up B, and tells him "Connect to me, at 11.22.33.44, password
> 'Bob is a super cool password'"
>
> * B says sure, and clicks the "Connect to a new client" icon in Fred,
> enters the IP and password.
>
> * B's machine starts sending Freenet packets to A, thus opening up a NAT
> hole to his machine through the UDP trick.
>
> * B then tells A "It's running! Add my computer back. Mine is
> 22.33.44.55, and the password is 'Donkeys are really cool, and I like
> the way they look'"
>
> * A adds B's IP and password, and starts sending Freenet packets to B.
> * A's machine is now exposed, through the UDP trick.
>
> * B's packets, which he is still sending, get through.
> * A's packets get through to B.
>
> * Now that they're talking, they exchange signed keys (real noderefs),
> so next time they don't need to do the passwords.
>
> * Fred disables the passwords.
>
> Nothing has required the use of a third party, other than the telephone
> call between the two of them to share the passwords.
>
> -Colin

From Colin at sq7.org Mon Mar 5 21:15:43 2007
From: Colin at sq7.org (Colin Davis)
Date: Mon, 05 Mar 2007 16:15:43 -0500
Subject: [Tech] [freenet-dev] Easier reference swapping
In-Reply-To: <20070305210705.GG937@freenetproject.org>
References: <20070305174545.GA29567@amphibian.dyndns.org> <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <45EC784B.3020908@sq7.org> <20070305203131.GF937@freenetproject.org> <45EC824D.5040609@sq7.org> <20070305210705.GG937@freenetproject.org>
Message-ID: <45EC887F.9080000@sq7.org>

Fair enough-

I (mis)understood the problem as wanting to make it possible to add the
connections without requiring file-transfers..
I didn't realize that you
were trying to avoid having to download the binary from a central source.

For that, I agree, burnable .zips, and .5-style distribution servlet
pages are likely the best that can be done.

-Colin

NextGen$ wrote:
> * Colin Davis [2007-03-05 15:49:17]:
>
>> I'm sorry that I'm being dim-
>> Could you please explain how the network topography is exposed? I'm sure
>> you're right, I'm just missing it.
>
> Well, your solution is about shortening the reference. I thought you were
> trying to address the node installation/deployment problem without emu/the
> mirroring system.
>
> NextGen$

From Colin at sq7.org Mon Mar 5 21:19:33 2007
From: Colin at sq7.org (Colin Davis)
Date: Mon, 05 Mar 2007 16:19:33 -0500
Subject: [Tech] [freenet-dev] Easier reference swapping
In-Reply-To: <45EC887F.9080000@sq7.org>
References: <20070305174545.GA29567@amphibian.dyndns.org> <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <45EC784B.3020908@sq7.org> <20070305203131.GF937@freenetproject.org> <45EC824D.5040609@sq7.org> <20070305210705.GG937@freenetproject.org> <45EC887F.9080000@sq7.org>
Message-ID: <45EC8965.1030409@sq7.org>

For the record- I still think that reducing the initial connection to
"IP:Port and Password", rather than having to exchange a noderef, will
make signing your friends up much easier, and make people more likely to
use the darknet ;)

-Colin

Colin Davis wrote:
> Fair enough-
>
> I (mis)understood the problem as wanting to make it possible to add the
> connections without requiring file-transfers.. I didn't realize that you
> were trying to avoid having to download the binary from a central source.
>
> For that, I agree, burnable .zips, and .5-style distribution servlet
> pages are likely the best that can be done.
> -Colin

From dbkr at freenetproject.org Mon Mar 5 21:39:37 2007
From: dbkr at freenetproject.org (Dave Baker)
Date: Mon, 5 Mar 2007 21:39:37 +0000
Subject: [Tech] Small World
In-Reply-To: <45EC7F82.6070108@sq7.org>
References: <45EC78AA.3010008@david.sowder.com> <45EC7F82.6070108@sq7.org>
Message-ID: <200703052139.37766.dbkr@freenetproject.org>

> David Sowder (Zothar) wrote:
> > Is there more than one metric for which we are trying to achieve "small
> > world"? If so, could that be confusing things for others as well?

I don't claim to be an authority on this, so I will leave any kind of
detailed explanation to the people who really know about it, but I may be
able to help on a couple of points:

Swapping can't achieve the triangles, i.e. if A knows B and B knows C,
it's likely that A knows C. This is really the definition of a small-world
network (looked at from one perspective), and the swapping algorithm will
find its job much more difficult if this property doesn't hold. Arguably
this property does emerge with #freenet-refs, since people who join at
similar times will end up peered with each other.

The other property is geographical closeness. If all my friends suddenly
started using Freenet, nearly all my peers would be in the UK, and thus
have reasonably good ping times to my node.
To some extent, people in the same time zone will be on #freenet-refs at
the same time, and so it will have this property too. Much less so when
you factor in ref exchange bots, of course.

I believe this is what's already been said, but I'll add it if only for
the sake of archive completeness: the swapping algorithm is merely a
mechanism of assigning values to nodes so that we have a concept of
location for routing in the network. It doesn't set out to achieve any
kind of topology, merely represent the topology that it's given. The only
way we can change the topology is by changing the connections.

As for Colin's reply:
> I've thought about this before, but it's difficult to do that in a way
> that's both difficult to harvest lists of opennet users from

Fundamentally, if a new Freenet user can automatically find new peers, so
can the FBI. I'm sorry, but there's no getting around this, full-stop,
simply because we cannot distinguish the two. Yes, you can have things
like refbot.py that collect 10 refs and disappear, meaning that you have
to watch #freenet-refs constantly, but it's still possible. Granted, doing
it over freenet keys means that it's less blockable (you can still spam
the key, which is a minor annoyance), but that's really equivalent to
opennet via requests, so we're just getting down into implementation
details, which is not what this discussion is about.

Slightly long post, I know, but I hope it's helpful.

On Monday 05 March 2007 20:37:22 Colin Davis wrote:
> I've thought about this before, but it's difficult to do that in a way
> that's both difficult to harvest lists of opennet users from, and not
> having external requirements.
>
> You could arrange and find partners through IRC, but then it's trivial
> for someone to /join that IRC channel and watch who's connecting, and it
> could be blocked by blocking IRC..
>
> The best answer that I could come up with was to post noderefs to
> Freenet, NIM-style.. That would be in-band, so it wouldn't be any more
> blockable than the rest of freenet.. It would still be harvestable,
> though, and it would require you to connect with at least one darknet
> user before Open-net could start..
>
> Personally, I think that's a good requirement ;)
>
> -Colin
From ian at locut.us Mon Mar 5 21:55:23 2007
From: ian at locut.us (Ian Clarke)
Date: Mon, 5 Mar 2007 15:55:23 -0600
Subject: [Tech] [freenet-dev] Easier reference swapping
In-Reply-To: <45EC8965.1030409@sq7.org>
References: <20070305174545.GA29567@amphibian.dyndns.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <45EC784B.3020908@sq7.org> <20070305203131.GF937@freenetproject.org> <45EC824D.5040609@sq7.org> <20070305210705.GG937@freenetproject.org> <45EC887F.9080000@sq7.org> <45EC8965.1030409@sq7.org>
Message-ID: <823242bd0703051355i16c698bfn49f7cfd800841498@mail.gmail.com>

Not a bad idea, anyone see any problems with it?

Ian.

On 3/5/07, Colin Davis wrote:
> For the record- I still think that reducing the initial connection to
> "IP:Port and Password", rather than having to exchange a noderef, will
> make signing your friends up much easier, and make people more likely to
> use the darknet ;)
>
> -Colin

--
Founder and CEO, Thoof Inc
Email: ian at thoof.com
Office: +1 512 485 1970
Cell: +1 310 593 3724
AIM: ian.clarke at mac.com
Skype: sanity

From toad at amphibian.dyndns.org Mon Mar 5 22:58:02 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Mon, 5 Mar 2007 22:58:02 +0000
Subject: [Tech] Small World
In-Reply-To: <45EC78AA.3010008@david.sowder.com>
References: <45EC78AA.3010008@david.sowder.com>
Message-ID: <20070305225802.GA29396@amphibian.dyndns.org>

"Small world" is primarily a property of the connection topology - the
network, stripped of all location information. Swapping takes the network
and assigns locations so that it is routable.

On Mon, Mar 05, 2007 at 02:08:10PM -0600, David Sowder (Zothar) wrote:
> I'm trying to resolve something in my mind about the small world model
> and how it relates to Freenet. My understanding has been that the
> relation was in Freenet node location distances, and my assumption was
> that the swapping algorithm was intended to optimize the "small world
> model" of an arbitrary set of connections such that, in my mind, it
> would theoretically settle on all nodes having a small world
> distribution of peers: increasing numbers of peers at shorter distances
> from a given node.
>
> Toad has informed me on IRC a bit ago that the swapping algorithm does
> not make arbitrary interconnections achieve "small world", which leaves
> me with these questions:
>
> Is there more than one metric for which we are trying to achieve "small
> world"? If so, could that be confusing things for others as well?
>
> Can a given node and a list of potential peers be used to create a small
> world model, at least from the perspective of the given node? I assume
> this is somehow possible, as I understand it that opennet will be doing
> this.
>
> Some of you may already know where I'm likely going with this. What can
> opennet built into fred do that a program like refbot.py couldn't do?
> Could refbot.py potentially, say, add 50 peers and then remove (in an
> orderly fashion) all but 15 based on a small world location/distance
> distribution to achieve a small world model if, say, all/most nodes were
> using this same algorithm?
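A worked illustration of the distinction Toad and Dave draw above (small world is a property of the edges; swapping only hands out locations), added here as an example and not code from Freenet or from anyone in the thread. It builds a small-world topology (a ring lattice, which supplies the triangles, plus Kleinberg-style shortcuts drawn with probability proportional to 1/distance along the ring), gives every node a random location, runs a Sandberg-style swap (two nodes trade locations and keep the trade with probability min(1, before/after) of the product of their distances to their neighbours, the partner being found by a short random walk as Freenet's swap requests do), and measures greedy routing before and after. The edge set is never touched, so anything that depends on it alone, such as the clustering coefficient, is the same before and after; only the routing improves. Network size, number of shortcuts, walk length, number of swap rounds, HTL and the seed are assumptions chosen for a run of a few seconds, not Freenet's values.

```python
import math
import random

# Constructed parameters: assumptions for this example, not Freenet's settings.
N, LONG_LINKS, SWAP_ROUNDS, TRIALS, HTL, SEED = 200, 3, 100_000, 300, 100, 7


def circ_dist(a, b):
    """Distance between two locations on the unit circle."""
    d = abs(a - b)
    return min(d, 1.0 - d)


def build_small_world(n, rng):
    """Topology only: ring lattice (neighbours +-1, +-2) plus LONG_LINKS shortcuts
    per node drawn with probability ~ 1/ring-distance (Kleinberg's recipe).
    No node has a location yet; this is the 'small world' the thread means."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for k in (1, 2):
            adj[i].add((i + k) % n)
            adj[(i + k) % n].add(i)
    for i in range(n):
        others = [j for j in range(n) if j != i]
        weights = [1.0 / min(abs(i - j), n - abs(i - j)) for j in others]
        for j in rng.choices(others, weights=weights, k=LONG_LINKS):
            adj[i].add(j)
            adj[j].add(i)
    return adj


def clustering(adj):
    """Average clustering coefficient, Dave's 'triangles' (A-B and B-C, so A-C).
    Every node here has at least 4 neighbours, so k*(k-1) is never zero."""
    total = 0.0
    for i, nbrs in adj.items():
        k = len(nbrs)
        links = sum(1 for a in nbrs for b in nbrs if a < b and b in adj[a])
        total += 2.0 * links / (k * (k - 1))
    return total / len(adj)


def neighbour_product(adj, loc, i):
    """Product of distances from i's location to its neighbours' locations."""
    p = 1.0
    for j in adj[i]:
        p *= max(circ_dist(loc[i], loc[j]), 1e-9)
    return p


def swap_step(adj, loc, i, j, rng):
    """One Sandberg swap: i and j trade locations and keep the trade with
    probability min(1, before/after), so trades that pull both nodes closer to
    their neighbours always stick and worsening trades rarely do."""
    before = neighbour_product(adj, loc, i) * neighbour_product(adj, loc, j)
    loc[i], loc[j] = loc[j], loc[i]
    after = neighbour_product(adj, loc, i) * neighbour_product(adj, loc, j)
    if rng.random() < min(1.0, before / after):
        return True
    loc[i], loc[j] = loc[j], loc[i]
    return False


def pick_partner(adj, i, rng):
    """Swap partner reached by a short random walk from i, as Freenet's swap
    requests do; the 0-6 hop length is an assumption."""
    j = i
    for _ in range(rng.randint(0, 6)):
        j = rng.choice(sorted(adj[j]))
    return j


def energy(adj, loc):
    """Sum of log neighbour-distance products: the quantity swapping drives down."""
    return sum(math.log(neighbour_product(adj, loc, i)) for i in adj)


def greedy_route(adj, loc, src, dst, htl):
    """Greedy routing on locations: step to the neighbour whose location is
    closest to the target, but only if it is strictly closer than we are. A node
    with no closer neighbour is a local minimum and the request fails there.
    Returns the hop count or None."""
    target, cur, hops = loc[dst], src, 0
    while cur != dst and hops < htl:
        nxt = min(adj[cur], key=lambda j: circ_dist(loc[j], target))
        if circ_dist(loc[nxt], target) >= circ_dist(loc[cur], target):
            return None
        cur, hops = nxt, hops + 1
    return hops if cur == dst else None


def success_rate(adj, loc, seed):
    """Fraction of random (source, target) requests that greedy routing completes;
    the same seed replays the same request set before and after swapping."""
    rng, ok, n = random.Random(seed), 0, len(loc)
    for _ in range(TRIALS):
        if greedy_route(adj, loc, rng.randrange(n), rng.randrange(n), HTL) is not None:
            ok += 1
    return ok / TRIALS


def experiment():
    """Random locations first, then swapping; the edge set is never modified."""
    rng = random.Random(SEED)
    adj = build_small_world(N, rng)
    loc = [rng.random() for _ in range(N)]
    edges_before = {i: frozenset(adj[i]) for i in adj}
    result = {"clustering": clustering(adj), "energy_before": energy(adj, loc),
              "success_before": success_rate(adj, loc, SEED + 1)}
    for _ in range(SWAP_ROUNDS):
        i = rng.randrange(N)
        swap_step(adj, loc, i, pick_partner(adj, i, rng), rng)
    result.update(energy_after=energy(adj, loc),
                  success_after=success_rate(adj, loc, SEED + 1),
                  topology_unchanged=edges_before == {i: frozenset(adj[i]) for i in adj})
    return result


if __name__ == "__main__":
    for key, value in experiment().items():
        print(f"{key}: {value}")
```

With random locations, greedy routing gets stuck in a local minimum within a few hops and most requests fail; after swapping the same requests mostly complete, the energy is much lower, and topology_unchanged stays True because nothing in the swap touches adj. Strip the shortcuts out of build_small_world, or hand the same code an Erdős-Rényi random graph with no triangles, and swapping will still drive the energy down but routing will improve far less, which is Dave's point that swapping can only represent the topology it is given.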
From toad at amphibian.dyndns.org Mon Mar 5 23:01:36 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Mon, 5 Mar 2007 23:01:36 +0000
Subject: [Tech] [freenet-dev] Easier reference swapping
In-Reply-To: <45EC824D.5040609@sq7.org>
References: <20070305174545.GA29567@amphibian.dyndns.org> <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <45EC784B.3020908@sq7.org> <20070305203131.GF937@freenetproject.org> <45EC824D.5040609@sq7.org>
Message-ID: <20070305230136.GB29396@amphibian.dyndns.org>

Okay, the below could work (you have to include the port number though).
However in an ideal world we would like to be able to eliminate the
callback stage (B telling A his password) altogether; then A could simply
give B a CD-ROM containing the node plus a one-time reference; B runs
this, and it Just Works.

On Mon, Mar 05, 2007 at 03:49:17PM -0500, Colin Davis wrote:
> I'm sorry that I'm being dim-
> Could you please explain how the network topography is exposed? I'm sure
> you're right, I'm just missing it.
>
> If we have two clients, A and B, who want to talk to one another.. Both
> are behind Firewalls..
>
> * A calls up B, and tells him "Connect to me, at 11.22.33.44, password
> 'Bob is a super cool password'"
>
> * B says sure, and clicks the "Connect to a new client" icon in Fred,
> enters the IP and password.
>
> * B's machine starts sending Freenet packets to A, thus opening up a NAT
> hole to his machine through the UDP trick.
>
> * B then tells A "It's running! Add my computer back. Mine is
> 22.33.44.55, and the password is 'Donkeys are really cool, and I like
> the way they look'"
>
> * A adds B's IP and password, and starts sending Freenet packets to B.
> * A's machine is now exposed, through the UDP trick.
>
> * B's packets, which he is still sending, get through.
> * A's packets get through to B.
>
> * Now that they're talking, they exchange signed keys (real noderefs),
> so next time they don't need to do the passwords.
>
> * Fred disables the passwords.
>
> Nothing has required the use of a third party, other than the telephone
> call between the two of them to share the passwords.
>
> -Colin
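The exchange Colin lays out, with the port number Toad asks for, run end to end between two nodes in one process; this is an added example, not Fred code, and the thread proposes no packet format, so everything below the phone calls is an assumption. A toy NAT rule stands in for the "UDP trick": a packet from a remote address is passed inbound only after the inside node has itself sent to that address. Each packet carries an HMAC-SHA256 over all its fields keyed with the recipient's bootstrap password, a random hex string stands in for the signed noderef, the "ref" packets stand in for the real reference exchange, and the port numbers are invented. The trace also includes two things the bullet list does not: what happens to someone who knows both IP:port pairs (which are not secret) but not the password, and what happens to the genuine password once Fred has disabled it.

```python
import hashlib
import hmac
import os

FIELDS = ("src", "dst", "type", "nonce", "ref")


def mac(password, pkt):
    """HMAC-SHA256 over every packet field, keyed with the bootstrap password:
    knowing a node's IP:port alone is not enough to be accepted by it."""
    h = hmac.new(password.encode(), digestmod=hashlib.sha256)
    for name in FIELDS:
        h.update(repr(pkt[name]).encode() + b"\0")
    return h.hexdigest()


def packet(src,
           dst, ptype, password, ref=""):
    pkt = {"src": src, "dst": dst, "type": ptype, "ref": ref,
           "nonce": os.urandom(8).hex()}
    pkt["mac"] = mac(password, pkt)
    return pkt


class Network:
    """Delivers packets, applying the destination's toy NAT rule: inbound UDP
    from an address passes only if the inside host has already sent to it."""
    def __init__(self):
        self.nodes, self.log = {}, []

    def deliver(self, pkt):
        dst = self.nodes[pkt["dst"]]
        if pkt["src"] not in dst.holes:
            self.log.append(f"{dst.name}'s NAT dropped {pkt['type']} from {pkt['src']}")
            return
        dst.receive(pkt)


class Node:
    def __init__(self, name, ip, port, net):
        self.name, self.addr, self.net = name, (ip, port), net
        self.holes = set()        # remote addrs our NAT will now pass inbound
        self.password = None      # the one-time secret we told our friend by phone
        self.identity = os.urandom(16).hex()   # stands in for the signed noderef
        self.dial = {}            # addr -> the password that node gave us
        self.peers = {}           # addr -> identity we received from it
        self.sent_ref, self.seen = set(), set()
        net.nodes[self.addr] = self

    def connect(self, addr, password):
        """'Connect to a new client': start sending to the friend. The packets may
        die at their NAT, but sending them opens a hole in ours (the UDP trick)."""
        self.dial[addr] = password
        self.send(addr, "hello")

    def send(self, addr, ptype):
        ref = self.identity if ptype == "ref" else ""
        self.holes.add(addr)                   # our outbound packet punches our NAT
        if ptype == "ref":
            self.sent_ref.add(addr)
        self.net.deliver(packet(self.addr, addr, ptype, self.dial[addr], ref))

    def receive(self, pkt):
        src = pkt["src"]
        if self.password is None:
            self.net.log.append(f"{self.name}: password stage is over, ignoring {src}")
            return
        if not hmac.compare_digest(mac(self.password, pkt), pkt["mac"]) or pkt["nonce"] in self.seen:
            self.net.log.append(f"{self.name}: rejected {pkt['type']} from {src}")
            return
        self.seen.add(pkt["nonce"])            # no replays within the window
        self.net.log.append(f"{self.name}: accepted {pkt['type']} from {src}")
        if pkt["type"] == "ref":
            self.peers[src] = pkt["ref"]
        if src in self.dial and src not in self.sent_ref:
            self.send(src, "ref")              # a packet got in, so the path is open
        if src in self.peers and src in self.sent_ref:
            self.password = None               # references swapped: disable the password


def run_bootstrap():
    """Colin's steps in order; the two phone calls are the out-of-band parts."""
    net = Network()
    a = Node("A", "11.22.33.44", 12345, net)
    b = Node("B", "22.33.44.55", 23456, net)
    a.password = "Bob is a super cool password"        # A phones B: address + password
    b.connect(a.addr, a.password)                      # dropped at A's NAT, but opens B's
    b.password = "Donkeys are really cool, and I like the way they look"  # B phones back
    # Someone who knows both addresses but not B's password, spoofing A's source:
    net.deliver(packet(a.addr, b.addr, "hello", "guess"))   # passes B's NAT, fails MAC
    a.connect(b.addr, b.password)                      # reaches B; the rest cascades
    # After the references are swapped even the genuine password is refused:
    net.deliver(packet(b.addr, a.addr, "hello", "Bob is a super cool password"))
    return net, a, b


if __name__ == "__main__":
    for line in run_bootstrap()[0].log:
        print(line)
```

The log shows the ordering that matters: B's first packet dies at A's NAT but opens B's, so A's first packet gets through, B answers with its reference through the hole A just opened, and A's reference follows. The spoofed packet passes B's NAT (it claims A's source address) and is rejected only by the MAC, which is the whole job the password does; the IP:port is public knowledge. What the model does not fix, and what a practitioner should weigh before adopting this: the password is low-entropy and spoken over the phone, so anyone who captures a single authenticated packet can test guesses offline at leisure, which is why the window has to be short and the real noderefs have to take over at once (the last step above); and the NAT rule here is the friendly case. A symmetric NAT that allocates a fresh external port per destination defeats the trick, because the port B reads off his own node is not the one his NAT uses towards A.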
From toad at amphibian.dyndns.org Mon Mar 5 23:02:49 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Mon, 5 Mar 2007 23:02:49 +0000
Subject: [Tech] [freenet-dev] Easier reference swapping
In-Reply-To: <45EC8965.1030409@sq7.org>
References: <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <45EC784B.3020908@sq7.org> <20070305203131.GF937@freenetproject.org> <45EC824D.5040609@sq7.org> <20070305210705.GG937@freenetproject.org> <45EC887F.9080000@sq7.org> <45EC8965.1030409@sq7.org>
Message-ID: <20070305230249.GC29396@amphibian.dyndns.org>

On Mon, Mar 05, 2007 at 04:19:33PM -0500, Colin Davis wrote:
> For the record- I still think that reducing the initial connection to
> "IP:Port and Password", rather than having to exchange a noderef will
> make signing your friends up much easier, and make people more likely to use
> the darknet ;)

Is it so hard to transfer a file? Don't most IM clients (unlike IRC) manage to get through firewalls somehow? Admittedly they have no security...

> -Colin
>
> Colin Davis wrote:
> > Fair enough-
> >
> > I (mis)understood the problem as wanting to make it possible to add the
> > connections without requiring file-transfers.. I didn't realize that you
> > were trying to avoid having to download the binary from a central source.
> >
> > For that, I agree, burnable .zips, and .5-style distribution servlet
> > pages are likely the best that can be done.
> >
> > -Colin
> >
> > NextGen$ wrote:
> >> * Colin Davis [2007-03-05 15:49:17]:
> >>
> >>> I'm sorry that I'm being dim-
> >>> Could you please explain how the network topography is exposed? I'm sure
> >>> you're right, I'm just missing it.
> >> Well, your solution is about shortening the reference. I thought you were > >> trying to address the node installation/deployment problem without emu/the > >> mirroring system. > >> > >> NextGen$ > >> > >>> > >>> > >>> > >>> If we have two clients, A and B, who want to talk to one another.. Both > >>> are behind Firewalls.. > >>> > >>> * A calls up B, and tells him "Connect to me, at 11.22.33.44, password > >>> 'Bob is a super cool password'" > >>> > >>> * B Says sure, and clicks the "Connect to a new client" icon in Fred, > >>> enters the IP and Password. > >>> > >>> * B's machine starts sending Freenet packets to A, thus opening up a NAT > >>> hole to his machine through the UDP trick. > >>> > >>> * B then tells A "It's running! Add my computer back. Mine is > >>> 22.33.44.55, and the password is 'Donkeys are really cool, and I like > >>> the way they look' " > >>> > >>> * A adds B's IP and password, and starts sending freenet packets to B. > >>> * A's machine is now exposed, through the UDP trick. > >>> > >>> * B's packets, which he is still sending, get through. > >>> * A's packets get through to B. > >>> > >>> * Now that they're talking, they exchange signed keys (real noderefs), > >>> so next time, they don't need to do the passwords. > >>> > >>> * Fred disables the passwords. > >>> > >>> Nothing has required the use of a third party, other than the telephone > >>> call between the two of them to share the passwords. > >>> > >>> -Colin > >>> > >>> > >>> > >>> > >>>>> When Side-A added the noderef of B, it would start sending out packets > >>>>> to B, knowing that they won't get returned.. But the Sending of these > >>>>> packets would open a NAT-hole.. > >>>>> Then, Side-B would get around to adding the noderef of A, and start > >>>>> sending packets to A, opening a NAT-hole on their own side.. Side A's > >>>>> packets then get in through this hole, just as B's now arrive at A. > >>>>> > >>>>> What am I missing? 
> >>>>> > >>>>> -Colin > >>> _______________________________________________ > >>> Tech mailing list > >>> Tech at freenetproject.org > >>> http://emu.freenetproject.org/cgi-bin/mailman/listinfo/tech > >> _______________________________________________ > >> Tech mailing list > >> Tech at freenetproject.org > >> http://emu.freenetproject.org/cgi-bin/mailman/listinfo/tech > > > > _______________________________________________ > > Tech mailing list > > Tech at freenetproject.org > > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/tech > > _______________________________________________ > Tech mailing list > Tech at freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/tech > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://emu.freenetproject.org/pipermail/tech/attachments/20070305/d72a6c57/attachment.pgp From freenet-tech at david.sowder.com Mon Mar 5 23:02:22 2007 From: freenet-tech at david.sowder.com (David Sowder (Zothar)) Date: Mon, 05 Mar 2007 17:02:22 -0600 Subject: [Tech] Easier reference swapping In-Reply-To: <20070305224137.GB12373@amphibian.dyndns.org> References: <20070305174545.GA29567@amphibian.dyndns.org> <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <20070305224137.GB12373@amphibian.dyndns.org> Message-ID: <45ECA17E.3050901@david.sowder.com> Matthew Toseland wrote: > On Mon, Mar 05, 2007 at 01:52:33PM -0600, David Sowder (Zothar) wrote: > >> Colin Davis wrote: >> >>> It solves #2- Don't run things you get in e-mail.. >>> >>> Instead of requiring a Noderef, allow someone to connect with just a >>> password, and the IP address. This is something you can TELL someone, or >>> say in an IM, no file transfer required. 
>>> >>> >> I don't think we should necessarily categorically discount a fred-based >> installer distribution servlet because of NAT problems. What if we >> allow decoupling the installer from the noderef? Then those that can >> overcome or don't have the NAT problem can host the installer. >> > > They are a sufficiently small fraction of the overall target audience as > to be uninteresting. UP&P would make them a large enough group to be > interesting, although still only something like 50% because UP&P is > extremely unreliable from what I have heard. > > >> If I, >> for some reason, cannot host the installer, perhaps one of my peers is >> willing to share their installer hosting such that I could get "access >> keys" from his node to pass out to my friends and include my noderef >> from the distribution area of FProxy in the email I send to my friend >> with the "access key". My friend saves the attached noderef (which was >> attached as a file with a .fref extension) to a file, connects to the my >> peer's installer host, uses the "access key", which will probably be >> part of the URL, and downloads and installs the node. Then my friend >> can double click on the .fref file he downloaded, which includes a >> one-time code generated by the distribution area of my FProxy (or FCP >> server) that my node uses to authenticate the addition of a node I >> didn't already have the noderef of. Node installed in a decentralized >> way. Peer connection created. >> > > This is not very clear. Please divide into what friend A does and what > friend B does. 
>

Friend A (wanting to connect with Friend B) does:
1) Gets an installer URI (containing an "access key") from his node's direct (or maybe even indirect mutual friend's) peer (C's)
2) Generates a one-time sharable noderef by asking his own node (A's) via FProxy or FCP
3) Emails the installer URI from step 1 to Friend B (the to-be-peered-with friend), attaching the .fref file generated in step 2

Friend B does:
1) Receives the email from Friend A
2) Saves the email attached .fref to disk
3) Points a web browser at the installer URI from the email
4) Installs a Freenet node using the installer located at the installer URI
5) Double-clicks or otherwise uses the .fref file as configured for Friend B's operating system by the installer to add Friend A's one-time sharable noderef (it contains a code Friend A's node uses to authenticate connection to a peer it didn't previously have a ref for)
6) Trades "normal" noderefs with others to add more peers to his node

Friend C does:
1) Gives Friend A permission and access to distribution area of their node to generate installer URIs to be used by Friend B (and Friend A's other friends)
2) Leaves the node up and running enough for Friend B to use the installer URI to install a Freenet node

The roles of Friend A and Friend C could be combined in the case where Friend A doesn't have NAT or has proper port forwarding and dyndns, in which case an installer and noderef URI could be used instead. (Provides the installer and connects to the node created by the installer it provided.)
From freenet-tech at david.sowder.com Mon Mar 5 23:11:41 2007
From: freenet-tech at david.sowder.com (David Sowder (Zothar))
Date: Mon, 05 Mar 2007 17:11:41 -0600
Subject: [Tech] Small World
In-Reply-To: <45EC7F82.6070108@sq7.org>
References: <45EC78AA.3010008@david.sowder.com> <45EC7F82.6070108@sq7.org>
Message-ID: <45ECA3AD.6030806@david.sowder.com>

Colin Davis wrote:
> I've thought about this before, but it's difficult to do that in a way
> that's both difficult to harvest lists of opennet users from, and not
> having external requirements.
>
> You could arrange and find partners through IRC, but then it's trivial
> for someone to /join that IRC channel and watch who's connecting, and
> could be blocked by blocking IRC..
>
> The best answer that I could come up with, was to post noderefs to
> Freenet, NIM-style.. That would be in-band, so it wouldn't be any more
> blockable than the rest of freenet.. It would still be harvestable,
> though, and it would require you to connect with at least one darknet user,
> before Open-net could start..
>
> Personally, I think that's a good requirement ;)
>

I'm leaving the how to get the 50 references out of the equation as it's a separate issue. As you mention, there are several possibilities there. I'm just looking for an approach that can work with a set of a few dozen nodes and don't want global knowledge. My understanding is that the proposed opennet won't have global knowledge, but IIRC, how the small world stuff is done is not covered in detail on the Wiki page.

I'm also not worried about whether the result is darknet or opennet. I figure if it can be done, then it'd help make the darknet style ref trading we try to have now, that's mostly hacked into a bad opennet by #freenet-refs, etc., to possibly have some of the properties that make it closer to the darknet topologically than it is now, even if it's really more like an opennet (it'd be somewhere in between in my thinking).
To my mind, no automatic ref trading scheme can be a true darknet. Sorry if that last bit is confusing or hard to parse. Probably cramming too many ideas into one space. > David Sowder (Zothar) wrote: > >> I'm trying to resolve something in my mind about the small world model >> and how it relates to Freenet. My understanding has been that the >> relation was in Freenet node location distances and my assumption was >> that the swapping algorithm was intended to optimized the "small world >> model" of an arbitrary set of connections such that, in my mind, it >> would theoretically settle on all nodes having a small world >> distribution of peers: increasing numbers of peers as shorter distances >> from a given node. >> >> Toad has informed me on IRC a bit ago that the swapping algorithm does >> not make arbitrary interconnections achieve "small world", which leaves >> me with these questions: >> >> Is there more than one metric for which we are trying to achieve "small >> world"? If so, could that be confusing things for others as well? >> >> Can a given node and a list of potential peers be used to create a small >> world model, at least from the perspective of the given node? I assume >> this is somehow possible as I understand it that opennet will be doing this, >> >> Some of you may already know where I'm likely going with this. What can >> opennet built into fred do that a program like refbot.py couldn't do? >> Could refbot.py potentially say, add 50 peers and then remove (in an >> orderly fashion) all but 15 based on a small world location/distance >> distribution to achieve a small world model if say, all/most nodes were >> using this same algorithm? 
>>

From freenet-tech at david.sowder.com Mon Mar 5 23:17:49 2007
From: freenet-tech at david.sowder.com (David Sowder (Zothar))
Date: Mon, 05 Mar 2007 17:17:49 -0600
Subject: [Tech] Small World
In-Reply-To: <20070305225802.GA29396@amphibian.dyndns.org>
References: <45EC78AA.3010008@david.sowder.com> <20070305225802.GA29396@amphibian.dyndns.org>
Message-ID: <45ECA51D.2090707@david.sowder.com>

Matthew Toseland wrote:
> "Small world" is primarily a property of the connection topology - the
> network, stripped of all location information. Swapping takes the network
> and assigns locations so that it is routable.
>

I was kinda getting there before and dbkr's post pretty much got me there. I do like how well it's put here though. I guess this leads me to the question of if Freenet-driven opennet will be "small world" and if so, can refbot.py borrow some/all of the same algorithm to get us to some closer approximation than refbot.py has been giving us so far? Unfortunately, I've gotten the impression that hobx isn't always lurking on these lists in "real-time" to answer such questions. :)

> On Mon, Mar 05, 2007 at 02:08:10PM -0600, David Sowder (Zothar) wrote:
>
>> I'm trying to resolve something in my mind about the small world model
>> and how it relates to Freenet. My understanding has been that the
>> relation was in Freenet node location distances and my assumption was
>> that the swapping algorithm was intended to optimized the "small world
>> model" of an arbitrary set of connections such that, in my mind, it
>> would theoretically settle on all nodes having a small world
>> distribution of peers: increasing numbers of peers as shorter distances
>> from a given node.
>>
>> Toad has informed me on IRC a bit ago that the swapping algorithm does
>> not make arbitrary interconnections achieve "small world", which leaves
>> me with these questions:
>>
>> Is there more than one metric for which we are trying to achieve "small
>> world"?
If so, could that be confusing things for others as well? >> >> Can a given node and a list of potential peers be used to create a small >> world model, at least from the perspective of the given node? I assume >> this is somehow possible as I understand it that opennet will be doing this, >> >> Some of you may already know where I'm likely going with this. What can >> opennet built into fred do that a program like refbot.py couldn't do? >> Could refbot.py potentially say, add 50 peers and then remove (in an >> orderly fashion) all but 15 based on a small world location/distance >> distribution to achieve a small world model if say, all/most nodes were >> using this same algorithm? >> From m.rogers at cs.ucl.ac.uk Tue Mar 6 00:15:19 2007 From: m.rogers at cs.ucl.ac.uk (Michael Rogers) Date: Tue, 06 Mar 2007 00:15:19 +0000 Subject: [Tech] [freenet-dev] Easier reference swapping In-Reply-To: <823242bd0703051355i16c698bfn49f7cfd800841498@mail.gmail.com> References: <20070305174545.GA29567@amphibian.dyndns.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <45EC784B.3020908@sq7.org> <20070305203131.GF937@freenetproject.org> <45EC824D.5040609@sq7.org> <20070305210705.GG937@freenetproject.org> <45EC887F.9080000@sq7.org> <45EC8965.1030409@sq7.org> <823242bd0703051355i16c698bfn49f7cfd800841498@mail.gmail.com> Message-ID: <45ECB297.7010809@cs.ucl.ac.uk> Ian Clarke wrote: > Not a bad idea, anyone see any problems with it? It would be more secure to use a public key fingerprint instead of a password - that way we only need to worry about active MITM, not eavesdropping, and the ref can still be reasonably short (you could trade off security against convenience by using a shorter fingerprint - even 32 bits would be more secure than most passwords). FWIW, Alliance refs are short base64 strings that seem to include the IP address, port number and some kind of authentication token. 
Pretty convenient for cutting and pasting. Cheers, Michael From toad at amphibian.dyndns.org Tue Mar 6 00:42:35 2007 From: toad at amphibian.dyndns.org (Matthew Toseland) Date: Tue, 6 Mar 2007 00:42:35 +0000 Subject: [Tech] Easier reference swapping In-Reply-To: <45ECA17E.3050901@david.sowder.com> References: <20070305174545.GA29567@amphibian.dyndns.org> <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <20070305224137.GB12373@amphibian.dyndns.org> <45ECA17E.3050901@david.sowder.com> Message-ID: <20070306004235.GA12481@amphibian.dyndns.org> So it's some sort of micro-trusted-third-parties thing. Hmm. Isn't the big worry that people will tend to just re-use their friends' install URIs? On Mon, Mar 05, 2007 at 05:02:22PM -0600, David Sowder (Zothar) wrote: > Friend A (wanting to connect with Friend B) does: > 1) Gets an installer URI (containing an "access key") from his node's > direct (or maybe even indirect mutual friend's) peer (C's) > 2) Generates a one-time sharable noderef by asking his own node (A's) > via FProxy or FCP > 3) Emails the installer URI from step 1 to Friend B (the > to-be-peered-with friend), attaching the .fref file generated in step 2 > > Friend B does: > 1) Receives the email from Friend A > 2) Saves the email attached .fref to disk' > 3) Points a web browser at the installer URI from the email > 4) Installs a Freenet node using the installer located at the installer URI > 5) Double-clicks or otherwise uses the .fref file as configured for > Friend B's operating system by the installer to add Friend A's one-time > sharable noderef (it contains a code Friend A's node uses to > authenticate connection to a peer it didn't previously have a ref for) > 6) Trades "normal" noderefs with others to add more peers to his node > > Friend C does: > 1) Gives Friend A permission and access to distribution area of their > node to generate installer URIs to be used by Friend B 
(and Friend A's > other friends) > 2) Leaves the node up and running enough for Friend B to use the > installer URI to install a Freenet node > > The roles of Friend A and Friend C could be combined in the case where > Friend A doesn't have NAT or has proper port forwarding and dyndns, in > which case a installer and noderef URI could be used instead. (Provides > the installer and connects to the node created by the installer it > provided.) > _______________________________________________ > Tech mailing list > Tech at freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/tech > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://emu.freenetproject.org/pipermail/tech/attachments/20070306/8b515015/attachment.pgp From freenet-tech at david.sowder.com Tue Mar 6 00:52:15 2007 From: freenet-tech at david.sowder.com (David Sowder (Zothar)) Date: Mon, 05 Mar 2007 18:52:15 -0600 Subject: [Tech] Easier reference swapping In-Reply-To: <20070306004235.GA12481@amphibian.dyndns.org> References: <20070305174545.GA29567@amphibian.dyndns.org> <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <20070305224137.GB12373@amphibian.dyndns.org> <45ECA17E.3050901@david.sowder.com> <20070306004235.GA12481@amphibian.dyndns.org> Message-ID: <45ECBB3F.1010102@david.sowder.com> Matthew Toseland wrote: > So it's some sort of micro-trusted-third-parties thing. Hmm. Isn't the > big worry that people will tend to just re-use their friends' install > URIs? > Installer URIs would be one time use. Friend A could limit Friend B's use of installer URIs. There is trust that the installer includes the correct code for Freenet, yes, but it's a mechanism that allows decentralized distribution even "by" NATted nodes that don't know how or can't port forward, etc. 
> On Mon, Mar 05, 2007 at 05:02:22PM -0600, David Sowder (Zothar) wrote: > >> Friend A (wanting to connect with Friend B) does: >> 1) Gets an installer URI (containing an "access key") from his node's >> direct (or maybe even indirect mutual friend's) peer (C's) >> 2) Generates a one-time sharable noderef by asking his own node (A's) >> via FProxy or FCP >> 3) Emails the installer URI from step 1 to Friend B (the >> to-be-peered-with friend), attaching the .fref file generated in step 2 >> >> Friend B does: >> 1) Receives the email from Friend A >> 2) Saves the email attached .fref to disk' >> 3) Points a web browser at the installer URI from the email >> 4) Installs a Freenet node using the installer located at the installer URI >> 5) Double-clicks or otherwise uses the .fref file as configured for >> Friend B's operating system by the installer to add Friend A's one-time >> sharable noderef (it contains a code Friend A's node uses to >> authenticate connection to a peer it didn't previously have a ref for) >> 6) Trades "normal" noderefs with others to add more peers to his node >> >> Friend C does: >> 1) Gives Friend A permission and access to distribution area of their >> node to generate installer URIs to be used by Friend B (and Friend A's >> other friends) >> 2) Leaves the node up and running enough for Friend B to use the >> installer URI to install a Freenet node >> >> The roles of Friend A and Friend C could be combined in the case where >> Friend A doesn't have NAT or has proper port forwarding and dyndns, in >> which case a installer and noderef URI could be used instead. (Provides >> the installer and connects to the node created by the installer it >> provided.) 
>>

From the_bishop at web.de Tue Mar 6 00:58:01 2007
From: the_bishop at web.de (Martin Scheffler)
Date: Tue, 6 Mar 2007 01:58:01 +0100
Subject: [Tech] [freenet-dev] Easier reference swapping
In-Reply-To: <20070305230249.GC29396@amphibian.dyndns.org>
References: <45EC5B42.1010701@sq7.org> <45EC8965.1030409@sq7.org> <20070305230249.GC29396@amphibian.dyndns.org>
Message-ID: <200703060158.07022.the_bishop@web.de>

On Tuesday, 6 March 2007 00:02, Matthew Toseland wrote:
> On Mon, Mar 05, 2007 at 04:19:33PM -0500, Colin Davis wrote:
> > For the record- I still think that reducing the initial connection to
> > "IP:Port and Password", rather than having to exchange a noderef will
> > make signing your friends up much easier, and make people more likely to
> > use the darknet ;)
>
> Is it so hard to transfer a file? Don't most IM clients (unlike IRC)
> manage to get through firewalls somehow? Admittedly they have no
> security...

I have a problem with that. If big brother reads the email or IM, you disclose more by exchanging full references.

The initial connection should be easy to establish (small amount of data), by phone, snail mail or smoke clouds. The point here is that more people feel invited to try it out. Where is the threat when you don't push "initiate connection"?

If the peers agree on that, the IP:port and one-time-password are exchanged. And on initial connection the noderefs are exchanged.

good byte
Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : http://emu.freenetproject.org/pipermail/tech/attachments/20070306/db86fc82/attachment.pgp From toad at amphibian.dyndns.org Tue Mar 6 01:05:50 2007 From: toad at amphibian.dyndns.org (Matthew Toseland) Date: Tue, 6 Mar 2007 01:05:50 +0000 Subject: [Tech] [freenet-dev] Easier reference swapping In-Reply-To: <200703060158.07022.the_bishop@web.de> References: <45EC5B42.1010701@sq7.org> <45EC8965.1030409@sq7.org> <20070305230249.GC29396@amphibian.dyndns.org> <200703060158.07022.the_bishop@web.de> Message-ID: <20070306010550.GA24907@amphibian.dyndns.org> On Tue, Mar 06, 2007 at 01:58:01AM +0100, Martin Scheffler wrote: > Am Dienstag, 6. M?rz 2007 00:02 schrieb Matthew Toseland: > > On Mon, Mar 05, 2007 at 04:19:33PM -0500, Colin Davis wrote: > > > For the record- I still think that reducing the initial connection to > > > "IP:Port and Password", rather than having to exchange a noderef will > > > signing your friends up much easier, and make people more likely to > > > use the darknet ;) > > > > Is it so hard to transfer a file? Don't most IM clients (unlike IRC) > > manage to get through firewalls somehow? Admittedly they have no > > security... > > I have a problem with that. if big brother reads the email or IM, you > disclose more by exchanging full references. Which info in particular? If we have a full implementation of STS, then all they will really get is the ARK - and they can track you anyway, can't they? > > The initial connection should be easy to establish (small amount of data), > by phone, snail mail or smoke clouds. the point here is that more people > feel invited to try it out. where is the threat when you dont > push "initiate connection"? > > If the peers agree on that, the IP:port and one-time-password are > exchanged. And on inital connecten the noderefs are exchanged. 
> > good byte -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://emu.freenetproject.org/pipermail/tech/attachments/20070306/df6fdbe2/attachment.pgp From toad at amphibian.dyndns.org Tue Mar 6 01:06:46 2007 From: toad at amphibian.dyndns.org (Matthew Toseland) Date: Tue, 6 Mar 2007 01:06:46 +0000 Subject: [Tech] Easier reference swapping In-Reply-To: <45ECBB3F.1010102@david.sowder.com> References: <20070305174545.GA29567@amphibian.dyndns.org> <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <20070305224137.GB12373@amphibian.dyndns.org> <45ECA17E.3050901@david.sowder.com> <20070306004235.GA12481@amphibian.dyndns.org> <45ECBB3F.1010102@david.sowder.com> Message-ID: <20070306010646.GB24907@amphibian.dyndns.org> On Mon, Mar 05, 2007 at 06:52:15PM -0600, David Sowder (Zothar) wrote: > Matthew Toseland wrote: > > So it's some sort of micro-trusted-third-parties thing. Hmm. Isn't the > > big worry that people will tend to just re-use their friends' install > > URIs? > > > Installer URIs would be one time use. Friend A could limit Friend B's > use of installer URIs. There is trust that the installer includes the > correct code for Freenet, yes, but it's a mechanism that allows > decentralized distribution even "by" NATted nodes that don't know how or > can't port forward, etc. No it doesn't. Distribution is strictly by non-NATed nodes, but you can get your non-NATed friend to make a distribution page for you, right? -------------- next part -------------- A non-text attachment was scrubbed... 
From toad at amphibian.dyndns.org Tue Mar 6 01:30:45 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 01:30:45 +0000
Subject: [Tech] Proposal: one-time references
Message-ID: <20070306013045.GB12481@amphibian.dyndns.org>

I am trying to disentangle the whole "easier reference swapping" discussion. So let's have one thread per proposal, shall we?

One-time references
===================

Fproxy provides an interface to produce one-time references. These consist of a file, including:
- The node's current IP addresses (all of them)
- A deadline after which the reference is no longer valid
- A blob of data which is recorded by the node in permanent storage for that period
- Symmetric encryption keys for the setup process (these are unique to this one-time reference)

When a one-time reference is double-clicked or otherwise fed to a node, it will connect to the node by the given IP, verify that it has the blob of data via a challenge/response protocol, and full noderefs will be exchanged. The blob will be removed from persistent storage; they are not re-usable.

Dependencies
------------

The node issuing one-time references must be able to receive packets from anywhere on the internet. So we need UP&P.

Easy extension
--------------

This can easily be extended to the ability for fproxy to produce a binary installer which includes a one-time noderef.

Attacks
-------

The one-time reference MUST be delivered securely. If it is sent through a cleartext channel it may be intercepted (which gives away that you are running a node) or replaced via a Man-In-The-Middle attack (resulting in the attacker being connected to both the issuer and the recipient).
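The one-time reference exchange above, carried through in Python as an added example (not fred's code): the issuer writes out a reference containing its addresses, a deadline, the blob and the setup key; the recipient proves it holds the blob by answering an HMAC challenge; the blob is burned on first use so the file cannot be replayed; expired references are refused on both sides; and the noderefs are swapped under the setup key. The `Node` class, the message layout and the HMAC-based `seal`/`unseal` (a stand-in for a real AEAD such as AES-GCM) are assumptions of the example, and the two `Node` objects stand in for the two ends of the UDP connection.

```python
"""One-time references: issue a file once, redeem it once. Added illustration,
not Freenet's code."""
import hashlib
import hmac
import json
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(key + label).digest()


def seal(key: bytes, obj) -> bytes:
    """Encrypt and authenticate a JSON-able object under the setup key.
    Stand-in for a real AEAD: HMAC-SHA256 in counter mode as keystream,
    a second HMAC over nonce + ciphertext as the tag."""
    nonce = secrets.token_bytes(16)
    data = json.dumps(obj, sort_keys=True).encode()
    stream = b"".join(
        hmac.new(_subkey(key, b"enc"), nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, msg: bytes):
    """Inverse of seal(); None if the tag does not verify."""
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    stream = b"".join(
        hmac.new(_subkey(key, b"enc"), nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))


class Node:
    """A noderef, a peer table, and the store of outstanding one-time
    references (a dict here; persistent storage in a real node)."""

    def __init__(self, name: str, addresses, port: int):
        self.noderef = {"name": name, "addresses": list(addresses), "port": port,
                        "pubkey": secrets.token_hex(32)}   # placeholder identity key
        self.pending = {}   # ref_id -> {blob, setup_key, deadline, challenge}
        self.peers = {}     # name -> noderef

    def issue_one_time_reference(self, ttl_seconds: float, now: float) -> dict:
        """Fproxy side: the file handed to the friend."""
        ref_id = secrets.token_hex(8)
        rec = {"blob": secrets.token_bytes(32), "setup_key": secrets.token_bytes(32),
               "deadline": now + ttl_seconds}
        self.pending[ref_id] = rec
        return {"ref_id": ref_id, "addresses": self.noderef["addresses"],
                "port": self.noderef["port"], "deadline": rec["deadline"],
                "blob": rec["blob"].hex(), "setup_key": rec["setup_key"].hex()}

    def challenge(self, ref_id: str, now: float):
        """Issuer, on an incoming hello: unknown or expired refs get nothing."""
        rec = self.pending.get(ref_id)
        if rec is None:
            return None
        if now >= rec["deadline"]:
            del self.pending[ref_id]
            return None
        rec["challenge"] = secrets.token_bytes(16)
        return rec["challenge"]

    def finish(self, ref_id: str, response: bytes, sealed_ref: bytes):
        """Issuer: check the response, burn the blob, swap noderefs."""
        rec = self.pending.get(ref_id)
        if rec is None or "challenge" not in rec:
            return None
        want = hmac.new(rec["blob"], rec["challenge"], hashlib.sha256).digest()
        if not hmac.compare_digest(want, response):
            return None
        del self.pending[ref_id]              # single use, whatever happens next
        their_ref = unseal(rec["setup_key"], sealed_ref)
        if their_ref is None:
            return None
        self.peers[their_ref["name"]] = their_ref
        return seal(rec["setup_key"], self.noderef)


def redeem(recipient: Node, issuer: Node, ref: dict, now: float) -> bool:
    """Recipient side: connect to ref['addresses'][0]:ref['port'], answer the
    challenge with HMAC(blob, challenge), exchange sealed noderefs."""
    if now >= ref["deadline"]:
        return False
    chal = issuer.challenge(ref["ref_id"], now)
    if chal is None:
        return False
    response = hmac.new(bytes.fromhex(ref["blob"]), chal, hashlib.sha256).digest()
    setup_key = bytes.fromhex(ref["setup_key"])
    reply = issuer.finish(ref["ref_id"], response, seal(setup_key, recipient.noderef))
    their_ref = None if reply is None else unseal(setup_key, reply)
    if their_ref is None:
        return False
    recipient.peers[their_ref["name"]] = their_ref
    return True


if __name__ == "__main__":
    a, b = Node("A", ["11.22.33.44"], 12345), Node("B", ["22.33.44.55"], 12345)
    ref = a.issue_one_time_reference(ttl_seconds=3600, now=1000.0)
    print("first use:", redeem(b, a, ref, now=1500.0))
    print("replay:   ", redeem(Node("M", ["6.6.6.6"], 1), a, ref, now=1600.0))
```

Two points worth noticing in the run: the blob is deleted before the issuer even looks at the recipient's noderef, so a reference that reaches the issuer once is dead even if the rest of the exchange fails; and nothing here protects the file in transit, which is exactly the "MUST be delivered securely" line in the Attacks section, since whoever holds the file holds the blob and the setup key.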
From toad at amphibian.dyndns.org Tue Mar 6 01:37:52 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 01:37:52 +0000
Subject: [Tech] Proposal: UP&P
Message-ID: <20070306013752.GC12481@amphibian.dyndns.org>

Universal Plug and Play support
===============================

I suggest that we need UP&P support. The main caveats are that it is not usable on an untrusted LAN, so we need to ask the user, and that we may not easily be able to distinguish between a local trusted LAN and an ISP's LAN. It is also reported that UP&P works only around 50% of the time when it is detected. However:

- It would significantly improve connection reliability. If for example all your peers are German and in Germany all domestic IPs change every 24 hours, if you are down for 24 hours you are lost for good.
- Right now good connectivity relies on getting a few geek nodes - nodes that are directly connected or port forwarded. UP&P would increase the proportion of such nodes dramatically.
- It would allow for all sorts of bootstrapping protocols. One-time references are the tip of the iceberg: Anything that involves giving your details well in advance of the actual connection attempt will be greatly helped by UP&P support.
- It would (mostly) eliminate the need to rely on centralised STUN servers.
From toad at amphibian.dyndns.org Tue Mar 6 01:49:54 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 01:49:54 +0000
Subject: [Tech] Proposal: one-time passwords
Message-ID: <20070306014954.GD12481@amphibian.dyndns.org>

One-time passwords
==================

Note that this was not my idea! Colin Davis is probably the most directly responsible person.

Fproxy provides an interface to create, or set, one-time passwords. These are time-limited, single-use, human-readable keys which enable a bootstrap connection to your node. You give a friend your IP address, port number, and a one-time password. This can be used precisely once. It can however be used by a newbie.

The recipient sets up a node, or already has one. He types in the IP address, port number and the one-time password. The node connects to that IP address and sends a hash of the password and the current time (and some random data etc to start to set up encryption for the rest of the exchange, encrypted using another hash of the password). If the node recognises the password, a reference exchange ensues and the nodes get connected.

Dependencies
------------

The node issuing one-time passwords must be able to receive packets from anywhere on the internet. So we need UP&P.

Attacks
-------

A brute-force/dictionary attack may be mounted by an attacker. We can either hope that he doesn't hit the right password (reasonable if it is computer generated and long, or is very short lived; not so reasonable otherwise), or we can shut down the introduction mechanism if we see too many attempts (this is turning it into a DoS).

A dictionary attack on captured traffic may reveal this protocol, hence allow the attacker to find nodes passively.
An active man-in-the-middle attack should not be feasible unless the attacker can guess the password, assuming the protocol is well-designed (it isn't really designed at all right now).

From toad at amphibian.dyndns.org Tue Mar 6 02:05:49 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 02:05:49 +0000
Subject: [Tech] Proposal: connect password + out of band verification
Message-ID: <20070306020549.GE12481@amphibian.dyndns.org>

Connect password + out of band verification
===========================================

Another variant on other people's ideas.

We have a connection password, which may be (relatively) public. This enables a user to send a message to the node asking for a connection. This includes the name of the user, and a random string of bytes.

We construct an authorisation key:

  Key = encrypt MY_RANDOM with HIS_RANDOM

We keep MY_RANDOM.

The node receiving the message relays the connection attempt to the user:

  A node called wants to connect, if you know this person please contact them and verify the connection by sending them the following string: [ Key above turned into words a la PGP ]

When the sending node receives the string, it sends that, and when the receiving node decrypts it and finds its random, the nodes exchange references.

Dependencies
------------

Again, UP&P would be very helpful.

Variants
--------

We could have a full blown noderef instead of a simple connection password, and keep the verification stage. This would eliminate dictionary attacks.

Attacks
-------

A dictionary attack against the connection password (which will generally be reasonably human readable) is possible, and would be a DoS.
It is probably possible to find such connection attempts from passive traffic analysis. MITM should not be possible even if we have the connection key (which is mostly used to keep out port scanners etc.) because we cannot obtain MY_RANDOM. If the attacker can spy on the out of band verification mechanism, he may be able to MITM. So this isn't safe against Echelon, but what is? :)

From toad at amphibian.dyndns.org Tue Mar 6 02:11:33 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 02:11:33 +0000
Subject: [Tech] Proposal: permanent passwords
Message-ID: <20070306021133.GF12481@amphibian.dyndns.org>

Permanent passwords
===================

We could make IP + password play the same role as noderefs do now. They must be exchanged in both directions, but if you have both passwords you can initiate a connection and noderefs will be exchanged. This should be a reasonably simple protocol: just send a packet which includes proof that you have both passwords (a hash), and a random nonce for crypto setup. This is no more work than out of band verification. However, you cannot broadcast your IP + password and wait for people to contact you, which is a distinct advantage in out of band verification: all contacts must be arranged strictly in advance. And it's not very newbie friendly either.

Dependencies
------------

UP&P isn't necessary if the exchange is conducted in real time. If it is almost-real-time then UP&P may be helpful.

Attacks
-------

If the attacker can guess both passwords he can MITM, identify traffic, etc.
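The three handshakes proposed in the messages above (one-time passwords, connect password with out-of-band verification, permanent passwords), simulated end to end in one process with both sides' messages. This is an added example written for this page, not code from fred or from the proposals' authors. The proposals leave the primitives open, so the following are assumptions of this example: SHA-256 over length-prefixed fields as the hash, XOR with a hash-derived pad as the "encrypt", four-character base32 groups standing in for the PGP word list, proofs bound to the current minute with one minute of clock skew allowed, and a failure counter that shuts the one-time-password mechanism down after too many misses. The names OtpIssuer, OobNode, otp_join, perm_hello, perm_accept and the b"otp"/b"oob"/b"perm" labels are this example's, not the project's.

```python
# Constructed example of the three handshakes proposed above; not fred code.
# Stand-ins (assumptions): SHA-256 as the hash, XOR with a hash-derived pad
# as the "encrypt", base32 groups instead of the PGP word list.
import base64
import hashlib
import hmac
import os
import time

STEP = 60   # one-time password proofs are bound to the current minute (+/- 1)

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def words(b: bytes) -> str:
    """Human-readable form: lower-case base32 in groups of four."""
    s = base64.b32encode(b).decode().rstrip("=").lower()
    return " ".join(s[i:i + 4] for i in range(0, len(s), 4))

def unwords(s: str) -> bytes:
    s = s.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

# ---- one-time passwords ----------------------------------------------------
class OtpIssuer:
    """Issuing node: passwords are time-limited and single-use; too many
    failures shut the mechanism down (the brute-force-to-DoS trade above)."""

    def __init__(self, lifetime=600, max_failures=10, clock=time.time):
        self.clock, self.lifetime, self.max_failures = clock, lifetime, max_failures
        self.failures = 0
        self.active = {}            # password -> expiry time

    def issue(self) -> str:
        pw = words(os.urandom(10))  # 80 random bits, 16 base32 characters
        self.active[pw] = self.clock() + self.lifetime
        return pw

    def accept(self, t: int, proof: bytes, enc_nonce: bytes):
        """Session key if the proof matches a live password, else None."""
        if self.failures >= self.max_failures:
            return None             # introduction mechanism shut down
        now = int(self.clock() // STEP)
        for pw, expiry in list(self.active.items()):
            if self.clock() > expiry:
                del self.active[pw]
                continue
            k = pw.encode()
            if abs(now - t) <= 1 and hmac.compare_digest(proof, h(b"otp", k, str(t).encode())):
                del self.active[pw]                          # precisely once
                nonce = xor(enc_nonce, h(b"enc", k)[:16])    # "another hash of the password"
                return h(b"session", k, nonce)
        self.failures += 1
        return None

def otp_join(pw: str, clock=time.time):
    """Joining node: (what goes on the wire, the session key it expects to share)."""
    k, t, nonce = pw.encode(), int(clock() // STEP), os.urandom(16)
    wire = (t, h(b"otp", k, str(t).encode()), xor(nonce, h(b"enc", k)[:16]))
    return wire, h(b"session", k, nonce)

# ---- connect password + out-of-band verification --------------------------
class OobNode:
    """Contacted node. The connect password only keeps scanners out; MY_RANDOM
    never leaves this node (the property the MITM argument above rests on)."""

    def __init__(self, connect_password: str):
        self.cp = connect_password.encode()
        self.pending = {}           # requester name -> (MY_RANDOM, HIS_RANDOM)

    def request(self, name: str, connect_password: str, his_random: bytes):
        """Returns the words the local user must pass to `name` out of band."""
        if not hmac.compare_digest(connect_password.encode(), self.cp):
            return None
        my_random = os.urandom(16)
        self.pending[name] = (my_random, his_random)
        return words(xor(my_random, h(b"oob", his_random)[:16]))  # Key = MY_RANDOM enc. with HIS_RANDOM

    def confirm(self, name: str, word_string: str) -> bool:
        """The requester's node echoes the words; decrypt and look for MY_RANDOM."""
        entry = self.pending.pop(name, None)
        if entry is None:
            return False
        my_random, his_random = entry
        return hmac.compare_digest(xor(unwords(word_string), h(b"oob", his_random)[:16]), my_random)

# ---- permanent passwords ---------------------------------------------------
def perm_hello(my_pw: str, his_pw: str):
    """Initiator: nonce plus a hash proving it holds both passwords."""
    nonce = os.urandom(16)
    return nonce, h(b"perm", my_pw.encode(), his_pw.encode(), nonce)

def perm_accept(my_pw: str, his_pw: str, nonce: bytes, proof: bytes) -> bool:
    """Responder: its 'his' is the initiator's 'my', so the order flips."""
    return hmac.compare_digest(proof, h(b"perm", his_pw.encode(), my_pw.encode(), nonce))
```

Run the three exchanges by calling issue()/otp_join()/accept(), request()/confirm(), and perm_hello()/perm_accept() in turn. accept() returns None for a replayed, expired or guessed password and keeps returning None once max_failures is reached, which is exactly the DoS the one-time-password proposal accepts in return for stopping a brute-force search; confirm() consumes the pending entry whether or not the words match, so a wrong guess costs the requester a fresh request.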
From toad at amphibian.dyndns.org Tue Mar 6 02:13:07 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 02:13:07 +0000
Subject: [Tech] Small World
In-Reply-To: <45ECA51D.2090707@david.sowder.com>
References: <45EC78AA.3010008@david.sowder.com> <20070305225802.GA29396@amphibian.dyndns.org> <45ECA51D.2090707@david.sowder.com>
Message-ID: <20070306021307.GG12481@amphibian.dyndns.org>

On Mon, Mar 05, 2007 at 05:17:49PM -0600, David Sowder (Zothar) wrote:
> Matthew Toseland wrote:
> > "Small world" is primarily a property of the connection topology - the
> > network, stripped of all location information. Swapping takes the network
> > and assigns locations so that it is routable.
> >
> I was kinda getting there before and dbkr's post pretty much got me
> there. I do like how well it's put here though. I guess this leads me
> to the question of if Freenet-driven opennet will be "small world" and
> if so, can refbot.py borrow some/all of the same algorithm to get us to
> some closer approximation than refbot.py has been giving us so far?
> Unfortunately, I've gotten the impression that hobx isn't always lurking
> on these lists in "real-time" to answer such questions. :)

Yes it will be small world. But I don't see how you could borrow it as it relies on path-folding on successful requests.

> > On Mon, Mar 05, 2007 at 02:08:10PM -0600, David Sowder (Zothar) wrote:
> >
> >> I'm trying to resolve something in my mind about the small world model
> >> and how it relates to Freenet.
> >> My understanding has been that the
> >> relation was in Freenet node location distances and my assumption was
> >> that the swapping algorithm was intended to optimize the "small world
> >> model" of an arbitrary set of connections such that, in my mind, it
> >> would theoretically settle on all nodes having a small world
> >> distribution of peers: increasing numbers of peers as shorter distances
> >> from a given node.
> >>
> >> Toad has informed me on IRC a bit ago that the swapping algorithm does
> >> not make arbitrary interconnections achieve "small world", which leaves
> >> me with these questions:
> >>
> >> Is there more than one metric for which we are trying to achieve "small
> >> world"? If so, could that be confusing things for others as well?
> >>
> >> Can a given node and a list of potential peers be used to create a small
> >> world model, at least from the perspective of the given node? I assume
> >> this is somehow possible as I understand it that opennet will be doing this,
> >>
> >> Some of you may already know where I'm likely going with this. What can
> >> opennet built into fred do that a program like refbot.py couldn't do?
> >> Could refbot.py potentially say, add 50 peers and then remove (in an
> >> orderly fashion) all but 15 based on a small world location/distance
> >> distribution to achieve a small world model if say, all/most nodes were
> >> using this same algorithm?
> >>
From toad at amphibian.dyndns.org Tue Mar 6 02:15:37 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 02:15:37 +0000
Subject: [Tech] [freenet-dev] Easier reference swapping
In-Reply-To: <200703060158.07022.the_bishop@web.de>
References: <45EC5B42.1010701@sq7.org> <45EC8965.1030409@sq7.org> <20070305230249.GC29396@amphibian.dyndns.org> <200703060158.07022.the_bishop@web.de>
Message-ID: <20070306021537.GH12481@amphibian.dyndns.org>

On Tue, Mar 06, 2007 at 01:58:01AM +0100, Martin Scheffler wrote:
> On Tuesday, 6 March 2007 00:02, Matthew Toseland wrote:
> > On Mon, Mar 05, 2007 at 04:19:33PM -0500, Colin Davis wrote:
> > > For the record- I still think that reducing the initial connection to
> > > "IP:Port and Password", rather than having to exchange a noderef will
> > > make signing your friends up much easier, and make people more likely to
> > > use the darknet ;)
> >
> > Is it so hard to transfer a file? Don't most IM clients (unlike IRC)
> > manage to get through firewalls somehow? Admittedly they have no
> > security...
>
> I have a problem with that. If big brother reads the email or IM, you
> disclose more by exchanging full references.

Hence PGP. Or giving somebody a physical CD-ROM.

> The initial connection should be easy to establish (small amount of data),
> by phone, snail mail or smoke clouds. The point here is that more people
> feel invited to try it out. Where is the threat when you don't
> push "initiate connection"?

Well, how?

> If the peers agree on that, the IP:port and one-time-password are
> exchanged. And on initial connection the noderefs are exchanged.

So you need real-time exchange (presumably by phone) of IP:port in both directions. That sucks; is it acceptable? Is it close to one of the proposal mails I sent?
>
> good byte

From nextgens at freenetproject.org Tue Mar 6 11:09:10 2007
From: nextgens at freenetproject.org (Florent Daignière (NextGen$))
Date: Tue, 6 Mar 2007 12:09:10 +0100
Subject: [Tech] Proposal: UP&P
In-Reply-To: <20070306013752.GC12481@amphibian.dyndns.org>
References: <20070306013752.GC12481@amphibian.dyndns.org>
Message-ID: <20070306110910.GF4145@freenetproject.org>

* Matthew Toseland [2007-03-06 01:37:52]:
> Universal Plug and Play support
> ===============================
>
> I suggest that we need UP&P support. The main caveats are that it is not
> usable on an untrusted LAN, so we need to ask the user, and that we may
> not easily be able to distinguish between a local trusted LAN and an
> ISP's LAN. It is also reported that UP&P works only around 50% of the
> time when it is detected.

Ok, let's feed the troll.

> However:
> - It would significantly improve connection reliability. If for example
> all your peers are german and in germany all domestic IPs change every
> 24 hours, if you are down for 24 hours you are lost for good.

Do we have any stats regarding how many of our users are double-NATted? I know that in France most people had DSL connectivity before the wireless craze; meaning that most users are likely to have two different NATting appliances (the routing modem and the wireless AP).

> - Right now good connectivity relies on getting a few geek nodes - nodes
> that are directly connected or port forwarded. UP&P would increase the
> proportion of such nodes dramatically.

I am not sure it's an issue.
I am idling on #freenet-refs on a regular basis to see how the installer performs and to see where users get stuck: most of them don't have connectivity problems.

> - It would allow for all sorts of bootstrapping protocols. One-time
> references are the tip of the iceberg: Anything that involves giving
> your details well in advance of the actual connection attempt will be
> greatly helped by UP&P support.

Will be greatly helped if UP&P works: indeed.

> - It would (mostly) eliminate the need to rely on centralised STUN servers.

It's assuming there is no double NAT: again ;)

I won't debate on it too much as it has proven to be a useless waste of my time; I'll just give some references:

[1] http://archives.freenetproject.org/message/20060620.021959.c1c37934.en.html
[2] http://archives.freenetproject.org/message/20060421.194006.53dfbd93.en.html
[3] http://emu.freenetproject.org/pipermail/tech/2006-April/001010.html (from toad ;) )
[4] http://wiki.openwrt.org/OpenWrtDocs/upnp?highlight=%28upnp%29

I won't object to someone implementing UP&P support as a plugin for fred as long as it remains optional and isn't done by toad. But still, I do think it's a useless waste of time/money/effort for the project.

NextGen$

From nextgens at freenetproject.org Tue Mar 6 11:25:48 2007
From: nextgens at freenetproject.org (Florent Daignière (NextGen$))
Date: Tue, 6 Mar 2007 12:25:48 +0100
Subject: [Tech] Proposal: one-time references
In-Reply-To: <20070306013045.GB12481@amphibian.dyndns.org>
References: <20070306013045.GB12481@amphibian.dyndns.org>
Message-ID: <20070306112547.GH4145@freenetproject.org>

* Matthew Toseland [2007-03-06 01:30:45]:
> I am trying to disentangle the whole "easier reference swapping"
> discussion. So let's have one thread per proposal, shall we?
>
> One-time references
> ===================
>
> Fproxy provides an interface to produce one-time references.
> These
> consist of a file, including:
> - The node's current IP addresses (all of them)
> - A deadline after which the reference is no longer valid
> - A blob of data which is recorded by the node in permanent storage for
> that period
> - Symmetric encryption keys for the setup process (these are unique to
> this one-time reference)
>
> When a one-time reference is double-clicked or otherwise fed to a node,
> it will connect to the node by the given IP, verify that it has the blob
> of data via a challenge/response protocol, and full noderefs will be
> exchanged. The blob will be removed from persistent storage; they are
> not re-usable.
>
> Dependencies
> ------------
>
> The node issuing one-time references must be able to receive packets
> from anywhere on the internet. So we need UP&P.
>
> Easy extension
> --------------
>
> This can easily be extended to the ability for fproxy to produce a
> binary installer which includes a one-time noderef.
>
> Attacks
> -------
>
> The one-time reference MUST be delivered securely. If it is sent through
> a cleartext channel it may be intercepted (which gives away that you are
> running a node) or replaced via a Man-In-The-Middle attack (resulting in
> the attacker being connected to both the issuer and the recipient).

As far as I understand they are security risks and no real gain: it doesn't allow "on the phone" exchange because of the binary blob ...

I am going to write up a proposal too :).

NextGen$

From m.rogers at cs.ucl.ac.uk Tue Mar 6 13:01:59 2007
From: m.rogers at cs.ucl.ac.uk (Michael Rogers)
Date: Tue, 06 Mar 2007 13:01:59 +0000
Subject: [Tech] Small World
In-Reply-To: <45EC78AA.3010008@david.sowder.com>
References: <45EC78AA.3010008@david.sowder.com>
Message-ID: <45ED6647.6020907@cs.ucl.ac.uk>

David Sowder (Zothar) wrote:
> Is there more than one metric for which we are trying to achieve "small
> world"? If so, could that be confusing things for others as well?
Yup, there are two ways to define a small world:

1) The average number of hops between any two nodes is low and the probability that two neighbours of a given node are neighbours is high.

2) Every node has a location, and the probability that any two nodes are neighbours is proportional to 1/(r^d), where r is the distance between the nodes and d is the number of dimensions.

Graphs that fit the second definition generally fit the first definition, but not necessarily vice versa. Freenet uses the second definition, with d=1.

> Can a given node and a list of potential peers be used to create a small
> world model, at least from the perspective of the given node?

Yes, this is what swapping does: given an arbitrary graph, it changes the locations of the nodes to fit the second definition above, without making or breaking any connections.

> Could refbot.py potentially say, add 50 peers and then remove (in an
> orderly fashion) all but 15 based on a small world location/distance
> distribution to achieve a small world model if say, all/most nodes were
> using this same algorithm?

It's possible, but I'm not sure it's necessary - the locations are arbitrary, so rather than adding and removing connections you could just change the locations.

Cheers,
Michael

From m.rogers at cs.ucl.ac.uk Tue Mar 6 14:46:36 2007
From: m.rogers at cs.ucl.ac.uk (Michael Rogers)
Date: Tue, 06 Mar 2007 14:46:36 +0000
Subject: [Tech] Proposal: one-time passwords
In-Reply-To: <20070306014954.GD12481@amphibian.dyndns.org>
References: <20070306014954.GD12481@amphibian.dyndns.org>
Message-ID: <45ED7ECC.6000205@cs.ucl.ac.uk>

Matthew Toseland wrote:
> You give a friend your IP address, port number, and a one-time password.
> This can be used precisely once. It can however be used by a newbie.

Sounds reasonable, but a public key fingerprint - even a short one - would be more secure against eavesdroppers than a password.
Regardless of whether passwords or fingerprints are used, we have to exchange references in both directions if we want mutual authentication.

How short can we make the references? Ideally they should be short enough to read out over the phone or paste into IRC without getting kicked off the server. The IP address and port are 48 bits, and the fingerprint should be at least 32 bits (128 if we want decent security, but that would make the reference quite long).

The whole reference could be encoded in base32, which is nearly as compact as base64 and easier to read out over the phone. That means a reference with a 32 bit fingerprint would be 16 characters including address and port - "ghw5 q63y aklt 24t3". A more secure reference with a 128 bit fingerprint would be 36 characters - "ghw5 q63y aklt 24t3 67ip 32yt sgqi 24od 5fan". That seems a bit unwieldy to me - what does everyone else think? Where should we draw the line between brevity and security?

Cheers,
Michael

From nextgens at freenetproject.org Tue Mar 6 15:00:55 2007
From: nextgens at freenetproject.org (Florent Daignière (NextGen$))
Date: Tue, 6 Mar 2007 16:00:55 +0100
Subject: [Tech] Proposal: one-time passwords
In-Reply-To: <45ED7ECC.6000205@cs.ucl.ac.uk>
References: <20070306014954.GD12481@amphibian.dyndns.org> <45ED7ECC.6000205@cs.ucl.ac.uk>
Message-ID: <20070306150055.GJ4145@freenetproject.org>

* Michael Rogers [2007-03-06 14:46:36]:
> Matthew Toseland wrote:
> > You give a friend your IP address, port number, and a one-time password.
> > This can be used precisely once. It can however be used by a newbie.
>
> Sounds reasonable, but a public key fingerprint - even a short one -
> would be more secure against eavesdroppers than a password. Regardless
> of whether passwords or fingerprints are used, we have to exchange
> references in both directions if we want mutual authentication.
>
> How short can we make the references?
> Ideally they should be short
> enough to read out over the phone or paste into IRC without getting
> kicked off the server. The IP address and port are 48 bits, and the
> fingerprint should be at least 32 bits (128 if we want decent security,
> but that would make the reference quite long).
>
> The whole reference could be encoded in base32, which is nearly as
> compact as base64 and easier to read out over the phone. That means a
> reference with a 32 bit fingerprint would be 16 characters including
> address and port - "ghw5 q63y aklt 24t3". A more secure reference with a
> 128 bit fingerprint would be 36 characters - "ghw5 q63y aklt 24t3 67ip
> 32yt sgqi 24od 5fan". That seems a bit unwieldy to me - what does
> everyone else think? Where should we draw the line between brevity and
> security?
>
> Cheers,
> Michael

As far as I know, many people are using the phone as a means to exchange serial keys of software ... Some are over 30 characters long! And anyway, the size doesn't matter that much, does it? ;)

NextGen$

PS: and yes I'm proud of my gibe :p

From toad at amphibian.dyndns.org Tue Mar 6 16:52:18 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 16:52:18 +0000
Subject: [Tech] Small World
In-Reply-To: <45ED6647.6020907@cs.ucl.ac.uk>
References: <45EC78AA.3010008@david.sowder.com> <45ED6647.6020907@cs.ucl.ac.uk>
Message-ID: <20070306165218.GA25048@amphibian.dyndns.org>

On Tue, Mar 06, 2007 at 01:01:59PM +0000, Michael Rogers wrote:
> David Sowder (Zothar) wrote:
> > Is there more than one metric for which we are trying to achieve "small
> > world"? If so, could that be confusing things for others as well?
>
> Yup, there are two ways to define a small world:
>
> 1) The average number of hops between any two nodes is low and the
> probability that two neighbours of a given node are neighbours is high.
>
> 2) Every node has a location, and the probability that any two nodes are
> neighbours is proportional to 1/(r^d), where r is the distance between
> the nodes and d is the number of dimensions.

2a) Any network with no inherent locations for nodes which can be transformed into a type 2 network by assigning locations. *This* is what we require. It's not too far away from type 1. The algorithm we use will break if it isn't possible to transform the network to a type 2 - i.e. if it is not a type 2a.

>
> Graphs that fit the second definition generally fit the first
> definition, but not necessarily vice versa. Freenet uses the second
> definition, with d=1.
>
> > Can a given node and a list of potential peers be used to create a small
> > world model, at least from the perspective of the given node?
>
> Yes, this is what swapping does: given an arbitrary graph, it changes
> the locations of the nodes to fit the second definition above, without
> making or breaking any connections.

No. Small-world is a property of the graph. It exists without location information.

>
> > Could refbot.py potentially say, add 50 peers and then remove (in an
> > orderly fashion) all but 15 based on a small world location/distance
> > distribution to achieve a small world model if say, all/most nodes were
> > using this same algorithm?
>
> It's possible, but I'm not sure it's necessary - the locations are
> arbitrary, so rather than adding and removing connections you could just
> change the locations.

Many networks are not sufficiently close to small-world to be compatible with our swapping algorithm. In particular, most things created by refbots are very unlikely to be small-world. Swapping cannot create the small-world property out of nothing; it must already be small world, swapping makes it navigable.

>
> Cheers,
> Michael
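To put Michael's two definitions and the navigability point in the reply above side by side, here is an added example (constructed for this page; not Freenet's swapping or routing code, and not from either author) that builds two rings of equal degree: one whose long-range links follow definition 2 with d = 1 (link probability proportional to 1/r, Kleinberg's construction), one whose long-range links are uniformly random. Greedy routing to the peer whose location is closest to the target, which is what the locations exist for, is cheap on the first ring and far more expensive on the second, while breadth-first search shows that both have short paths in the definition 1 sense. Assumptions of this example: each node's ring position is its location, so no swapping takes place; n = 32768, k = 4 long-range links per node, 200 sampled pairs and the seeds are arbitrary choices; links are made undirected because Freenet connections are symmetric.

```python
# Constructed example: definition 2 (d = 1) versus a merely random ring under
# greedy routing. Not Freenet's swapping or routing code.
import random
from bisect import bisect_left
from collections import deque

def build_ring(n: int, k: int, harmonic: bool, seed: int = 1):
    """Ring of n nodes, each linked to both ring neighbours plus k long-range
    links (made undirected, as Freenet connections are).
    harmonic=True:  P(link to a node at ring distance r) is proportional to 1/r,
                    i.e. definition 2 with d = 1 (Kleinberg's construction).
    harmonic=False: the long-range endpoint is uniform over the ring."""
    rng = random.Random(seed)
    adj = [set() for _ in range(n)]
    half = n // 2
    cum, total = [], 0.0            # cumulative 1/r weights for r = 1..half
    for r in range(1, half + 1):
        total += 1.0 / r
        cum.append(total)
    for u in range(n):
        adj[u].add((u + 1) % n)
        adj[u].add((u - 1) % n)
        for _ in range(k):
            if harmonic:
                r = bisect_left(cum, rng.random() * total) + 1
                v = (u + rng.choice((-1, 1)) * r) % n
            else:
                v = rng.randrange(n)
            if v != u:
                adj[u].add(v)
                adj[v].add(u)
    return adj

def ring_dist(a: int, b: int, n: int) -> int:
    d = abs(a - b)
    return min(d, n - d)

def greedy_hops(adj, src: int, dst: int) -> int:
    """Location-based routing: always forward to the peer closest to the target.
    The ring links guarantee progress on every hop, so this always terminates."""
    n, cur, hops = len(adj), src, 0
    while cur != dst:
        cur = min(adj[cur], key=lambda v: ring_dist(v, dst, n))
        hops += 1
    return hops

def shortest_hops(adj, src: int, dst: int) -> int:
    """BFS: the path length definition 1 talks about, which greedy routing
    does not necessarily find."""
    seen, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            return seen[u]
        for v in adj[u]:
            if v not in seen:
                seen[v] = seen[u] + 1
                queue.append(v)
    raise ValueError("disconnected")   # cannot happen: the ring links connect everything

def compare(n: int = 1 << 15, k: int = 4, pairs: int = 200, seed: int = 7):
    """Average greedy and shortest-path hops for both link distributions."""
    rng = random.Random(seed)
    samples = [(rng.randrange(n), rng.randrange(n)) for _ in range(pairs)]
    out = {}
    for name, harmonic in (("harmonic", True), ("uniform", False)):
        adj = build_ring(n, k, harmonic, seed)
        out[name] = {
            "greedy": sum(greedy_hops(adj, s, t) for s, t in samples) / pairs,
            "shortest": sum(shortest_hops(adj, s, t) for s, t in samples[:3]) / 3,
        }
    return out

if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:9s} greedy {stats['greedy']:6.1f}  shortest {stats['shortest']:4.1f}")
```

compare() returns the averages for both graphs; with the defaults, greedy routing needs far fewer hops on the harmonic ring than on the uniform one, although BFS finds paths of well under twenty hops on either. That gap is the difference between "has short paths" and "can be routed with locations", which is what the 1/r link distribution provides and what assigning locations to a graph with the wrong distribution cannot conjure up.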
From toad at amphibian.dyndns.org Tue Mar 6 16:54:20 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 16:54:20 +0000
Subject: [Tech] Proposal: one-time references
In-Reply-To: <20070306112547.GH4145@freenetproject.org>
References: <20070306013045.GB12481@amphibian.dyndns.org> <20070306112547.GH4145@freenetproject.org>
Message-ID: <20070306165420.GB25048@amphibian.dyndns.org>

On Tue, Mar 06, 2007 at 12:25:48PM +0100, Florent Daignière (NextGen$) wrote:
> * Matthew Toseland [2007-03-06 01:30:45]:
>
> As far as I understand they are security risks and no real gain :

How are they a security risk?

>
> It doesn't allow "on the phone" exchange because of the binary blob ...

True. But it would be good to be able to do reference exchange at the convenience of the recipient. E.g. I give somebody a CD-R at a conference and when he gets back home he tries it out.

>
> I am going to write up a proposal too :).

:)

>
> NextGen$
From toad at amphibian.dyndns.org Tue Mar 6 16:56:37 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 16:56:37 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <20070306110910.GF4145@freenetproject.org>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306110910.GF4145@freenetproject.org>
Message-ID: <20070306165637.GC25048@amphibian.dyndns.org>

On Tue, Mar 06, 2007 at 12:09:10PM +0100, Florent Daignière (NextGen$) wrote:
> * Matthew Toseland [2007-03-06 01:37:52]:
>
> > However:
> > - It would significantly improve connection reliability. If for example
> > all your peers are german and in germany all domestic IPs change every
> > 24 hours, if you are down for 24 hours you are lost for good.
>
> Do we have any stats regarding how many of our users are double-natted?
> I know that in france most people had DSL connectivity before the
> Wireless craze ; meaning that most users are likely to have two
> different natting appliances (the routing modem and the wireless AP).

You are quite sure that it isn't possible to break out of a double-NAT?

>
> > - Right now good connectivity relies on getting a few geek nodes - nodes
> > that are directly connected or port forwarded. UP&P would increase the
> > proportion of such nodes dramatically.
>
> I am not sure it's an issue. I am idling on #freenet-refs on a regular
> basis to see how the installer performs and to see where users get
> stuck : most of them don't have connectivity problems.

Not initially. The problem here is that somebody gets a few references, they're all in Germany so their addresses are recycled every 24 hours. They take their node offline for a couple of days for whatever reason. They bring it back online and they have no connectible peers.
>
> > - It would allow for all sorts of bootstrapping protocols. One-time
> > references are the tip of the iceberg: Anything that involves giving
> > your details well in advance of the actual connection attempt will be
> > greatly helped by UP&P support.
>
> Will be greatly helped if UP&P works : indeed.

Right.

>
> > - It would (mostly) eliminate the need to rely on centralised STUN servers.
>
> it's assuming there is no double nat : again ;)

From nextgens at freenetproject.org Tue Mar 6 17:30:59 2007
From: nextgens at freenetproject.org (Florent Daignière (NextGen$))
Date: Tue, 6 Mar 2007 18:30:59 +0100
Subject: [Tech] Proposal: UP&P
In-Reply-To: <20070306165637.GC25048@amphibian.dyndns.org>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306110910.GF4145@freenetproject.org> <20070306165637.GC25048@amphibian.dyndns.org>
Message-ID: <20070306173056.GM4145@freenetproject.org>

* Matthew Toseland [2007-03-06 16:56:37]:
> On Tue, Mar 06, 2007 at 12:09:10PM +0100, Florent Daignière (NextGen$) wrote:
> > * Matthew Toseland [2007-03-06 01:37:52]:
> >
> > > However:
> > > - It would significantly improve connection reliability. If for example
> > > all your peers are german and in germany all domestic IPs change every
> > > 24 hours, if you are down for 24 hours you are lost for good.
> >
> > Do we have any stats regarding how many of our users are double-natted?
> > I know that in france most people had DSL connectivity before the
> > Wireless craze ; meaning that most users are likely to have two
> > different natting appliances (the routing modem and the wireless AP).
>
> You are quite sure that it isn't possible to break out of a double-NAT?
UP&P is a mess involving multicast and HTTP/XML streams over UDP: no, the multicast won't pass the NAT.

>
> > > - Right now good connectivity relies on getting a few geek nodes - nodes
> > > that are directly connected or port forwarded. UP&P would increase the
> > > proportion of such nodes dramatically.
> >
> > I am not sure it's an issue. I am idling on #freenet-refs on a regular
> > basis to see how the installer performs and to see where users get
> > stuck : most of them don't have connectivity problems.
>
> Not initially. The problem here is that somebody gets a few references,
> they're all in Germany so their addresses are recycled every 24 hours.
> They take their node offline for a couple of days for whatever reason.
> They bring it back online and they have no connectible peers.

I don't think that's why people leave... but yes, it's an issue.

>
> > > - It would allow for all sorts of bootstrapping protocols. One-time
> > > references are the tip of the iceberg: Anything that involves giving
> > > your details well in advance of the actual connection attempt will be
> > > greatly helped by UP&P support.
> >
> > Will be greatly helped if UP&P works : indeed.
>
> Right.
>
> > > - It would (mostly) eliminate the need to rely on centralised STUN servers.
> >
> > it's assuming there is no double nat : again ;)

From freenet-tech at david.sowder.com Tue Mar 6 18:38:03 2007
From: freenet-tech at david.sowder.com (David Sowder (Zothar))
Date: Tue, 06 Mar 2007 12:38:03 -0600
Subject: [Tech] Easier reference swapping
In-Reply-To: <20070306010646.GB24907@amphibian.dyndns.org>
References: <20070305174545.GA29567@amphibian.dyndns.org> <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <20070305224137.GB12373@amphibian.dyndns.org> <45ECA17E.3050901@david.sowder.com> <20070306004235.GA12481@amphibian.dyndns.org> <45ECBB3F.1010102@david.sowder.com> <20070306010646.GB24907@amphibian.dyndns.org>
Message-ID: <45EDB50B.1030701@david.sowder.com>

Matthew Toseland wrote:
> On Mon, Mar 05, 2007 at 06:52:15PM -0600, David Sowder (Zothar) wrote:
>
>> Matthew Toseland wrote:
>>
>>> So it's some sort of micro-trusted-third-parties thing. Hmm. Isn't the
>>> big worry that people will tend to just re-use their friends' install
>>> URIs?
>>>
>>>
>> Installer URIs would be one time use. Friend A could limit Friend B's
>> use of installer URIs. There is trust that the installer includes the
>> correct code for Freenet, yes, but it's a mechanism that allows
>> decentralized distribution even "by" NATted nodes that don't know how or
>> can't port forward, etc.
>>
>
> No it doesn't. Distribution is strictly by non-NATed nodes, but you can
> get your non-NATed friend to make a distribution page for you, right?
>

Yes, distribution is by your non-NATted friend's node. That's why the "by" was in quotes.
From toad at amphibian.dyndns.org Tue Mar 6 18:40:04 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 18:40:04 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <20070306013752.GC12481@amphibian.dyndns.org>
References: <20070306013752.GC12481@amphibian.dyndns.org>
Message-ID: <20070306184003.GA32039@amphibian.dyndns.org>

Some feedback from #azureus:

  nat traversal + UPnP + NAT-PMP can solve about 80% of the NATed problems
  you have any quantitative numbers btw?
  nope it's 2nd-hand info i got from the devs

Anyone got anything more concrete?

On Tue, Mar 06, 2007 at 01:37:52AM +0000, Matthew Toseland wrote:
> Universal Plug and Play support
> ===============================
>
> I suggest that we need UP&P support. The main caveats are that it is not
> usable on an untrusted LAN, so we need to ask the user, and that we may
> not easily be able to distinguish between a local trusted LAN and an
> ISP's LAN. It is also reported that UP&P works only around 50% of the
> time when it is detected.
>
> However:
> - It would significantly improve connection reliability. If for example
> all your peers are german and in germany all domestic IPs change every
> 24 hours, if you are down for 24 hours you are lost for good.
> - Right now good connectivity relies on getting a few geek nodes - nodes
> that are directly connected or port forwarded. UP&P would increase the
> proportion of such nodes dramatically.
> - It would allow for all sorts of bootstrapping protocols. One-time
> references are the tip of the iceberg: Anything that involves giving
> your details well in advance of the actual connection attempt will be
> greatly helped by UP&P support.
> - It would (mostly) eliminate the need to rely on centralised STUN servers.
From toad at amphibian.dyndns.org Tue Mar 6 18:40:45 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 18:40:45 +0000
Subject: [Tech] Easier reference swapping
In-Reply-To: <45EDB50B.1030701@david.sowder.com>
References: <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <20070305224137.GB12373@amphibian.dyndns.org> <45ECA17E.3050901@david.sowder.com> <20070306004235.GA12481@amphibian.dyndns.org> <45ECBB3F.1010102@david.sowder.com> <20070306010646.GB24907@amphibian.dyndns.org> <45EDB50B.1030701@david.sowder.com>
Message-ID: <20070306184045.GB32039@amphibian.dyndns.org>

On Tue, Mar 06, 2007 at 12:38:03PM -0600, David Sowder (Zothar) wrote:
> Yes, distribution is by your non-NATted friend's node. That's why the
> "by" was in quotes.

Most people don't have non-NATed friends.
From freenet-tech at david.sowder.com Tue Mar 6 18:50:38 2007
From: freenet-tech at david.sowder.com (David Sowder (Zothar))
Date: Tue, 06 Mar 2007 12:50:38 -0600
Subject: [Tech] Easier reference swapping
In-Reply-To: <20070306184045.GB32039@amphibian.dyndns.org>
References: <45EC5B42.1010701@sq7.org> <200703051809.41642.dbkr@freenetproject.org> <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <20070305224137.GB12373@amphibian.dyndns.org> <45ECA17E.3050901@david.sowder.com> <20070306004235.GA12481@amphibian.dyndns.org> <45ECBB3F.1010102@david.sowder.com> <20070306010646.GB24907@amphibian.dyndns.org> <45EDB50B.1030701@david.sowder.com> <20070306184045.GB32039@amphibian.dyndns.org>
Message-ID: <45EDB7FE.8020108@david.sowder.com>

Matthew Toseland wrote:
> On Tue, Mar 06, 2007 at 12:38:03PM -0600, David Sowder (Zothar) wrote:
>
>> Yes, distribution is by your non-NATted friend's node. That's why the
>> "by" was in quotes.
>>
>
> Most people don't have non-NATed friends.
>
I don't think that should stop us from providing this functionality. Those that can get it to work (perhaps because they need to get it to work) can use it and it'll be there when we implement one or more automated port forwarding solutions.
From toad at amphibian.dyndns.org Tue Mar 6 19:07:44 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 19:07:44 +0000
Subject: [Tech] Easier reference swapping
In-Reply-To: <45EDB7FE.8020108@david.sowder.com>
References: <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <20070305224137.GB12373@amphibian.dyndns.org> <45ECA17E.3050901@david.sowder.com> <20070306004235.GA12481@amphibian.dyndns.org> <45ECBB3F.1010102@david.sowder.com> <20070306010646.GB24907@amphibian.dyndns.org> <45EDB50B.1030701@david.sowder.com> <20070306184045.GB32039@amphibian.dyndns.org> <45EDB7FE.8020108@david.sowder.com>
Message-ID: <20070306190744.GA13908@amphibian.dyndns.org>

On Tue, Mar 06, 2007 at 12:50:38PM -0600, David Sowder (Zothar) wrote:
> Matthew Toseland wrote:
> > On Tue, Mar 06, 2007 at 12:38:03PM -0600, David Sowder (Zothar) wrote:
> >
> >> Yes, distribution is by your non-NATted friend's node. That's why the
> >> "by" was in quotes.
> >
> > Most people don't have non-NATed friends.
> >
> I don't think that should stop us from providing this functionality.
> Those that can get it to work (perhaps because they need to get it to
> work) can use it and it'll be there when we implement one or more
> automated port forwarding solutions.

File a bug for it if you like. Certainly the first part of implementing this - being able to create a tarball which will connect automatically to you (possibly with a verification stage) - is useful.
From freenet-tech at david.sowder.com Tue Mar 6 19:29:11 2007
From: freenet-tech at david.sowder.com (David Sowder (Zothar))
Date: Tue, 06 Mar 2007 13:29:11 -0600
Subject: [Tech] Small World
In-Reply-To: <20070306021307.GG12481@amphibian.dyndns.org>
References: <45EC78AA.3010008@david.sowder.com> <20070305225802.GA29396@amphibian.dyndns.org> <45ECA51D.2090707@david.sowder.com> <20070306021307.GG12481@amphibian.dyndns.org>
Message-ID: <45EDC107.7010509@david.sowder.com>

Matthew Toseland wrote:
> On Mon, Mar 05, 2007 at 05:17:49PM -0600, David Sowder (Zothar) wrote:
>
>> Matthew Toseland wrote:
>>
>>> "Small world" is primarily a property of the connection topology - the
>>> network, stripped of all location information. Swapping takes the network
>>> and assigns locations so that it is routable.
>>>
>> I was kinda getting there before and dbkr's post pretty much got me
>> there. I do like how well it's put here though. I guess this leads me
>> to the question of if Freenet-driven opennet will be "small world" and
>> if so, can refbot.py borrow some/all of the same algorithm to get us to
>> some closer approximation than refbot.py has been giving us so far?
>> Unfortunately, I've gotten the impression that hobx isn't always lurking
>> on these lists in "real-time" to answer such questions. :)
>>
>
> Yes it will be small world. But I don't see how you could borrow it as
> it relies on path-folding on successful requests.
>
Then I need to understand what this path-folding is and how it works. Any pointers to info on this would be appreciated.

>>> On Mon, Mar 05, 2007 at 02:08:10PM -0600, David Sowder (Zothar) wrote:
>>>
>>>> I'm trying to resolve something in my mind about the small world model
>>>> and how it relates to Freenet.
>>>> My understanding has been that the
>>>> relation was in Freenet node location distances and my assumption was
>>>> that the swapping algorithm was intended to optimize the "small world
>>>> model" of an arbitrary set of connections such that, in my mind, it
>>>> would theoretically settle on all nodes having a small world
>>>> distribution of peers: increasing numbers of peers as shorter distances
>>>> from a given node.
>>>>
>>>> Toad has informed me on IRC a bit ago that the swapping algorithm does
>>>> not make arbitrary interconnections achieve "small world", which leaves
>>>> me with these questions:
>>>>
>>>> Is there more than one metric for which we are trying to achieve "small
>>>> world"? If so, could that be confusing things for others as well?
>>>>
>>>> Can a given node and a list of potential peers be used to create a small
>>>> world model, at least from the perspective of the given node? I assume
>>>> this is somehow possible as I understand it that opennet will be doing this,
>>>>
>>>> Some of you may already know where I'm likely going with this. What can
>>>> opennet built into fred do that a program like refbot.py couldn't do?
>>>> Could refbot.py potentially say, add 50 peers and then remove (in an
>>>> orderly fashion) all but 15 based on a small world location/distance
>>>> distribution to achieve a small world model if say, all/most nodes were
>>>> using this same algorithm?
From freenet-tech at david.sowder.com Tue Mar 6 19:44:56 2007
From: freenet-tech at david.sowder.com (David Sowder (Zothar))
Date: Tue, 06 Mar 2007 13:44:56 -0600
Subject: [Tech] Easier reference swapping
In-Reply-To: <20070306190744.GA13908@amphibian.dyndns.org>
References: <45EC5DD7.6080302@sq7.org> <45EC7501.80509@david.sowder.com> <20070305224137.GB12373@amphibian.dyndns.org> <45ECA17E.3050901@david.sowder.com> <20070306004235.GA12481@amphibian.dyndns.org> <45ECBB3F.1010102@david.sowder.com> <20070306010646.GB24907@amphibian.dyndns.org> <45EDB50B.1030701@david.sowder.com> <20070306184045.GB32039@amphibian.dyndns.org> <45EDB7FE.8020108@david.sowder.com> <20070306190744.GA13908@amphibian.dyndns.org>
Message-ID: <45EDC4B8.8030400@david.sowder.com>

Matthew Toseland wrote:
> On Tue, Mar 06, 2007 at 12:50:38PM -0600, David Sowder (Zothar) wrote:
>
>> Matthew Toseland wrote:
>>
>>> On Tue, Mar 06, 2007 at 12:38:03PM -0600, David Sowder (Zothar) wrote:
>>>
>>>> Yes, distribution is by your non-NATted friend's node. That's why the
>>>> "by" was in quotes.
>>>>
>>> Most people don't have non-NATed friends.
>>>
>> I don't think that should stop us from providing this functionality.
>> Those that can get it to work (perhaps because they need to get it to
>> work) can use it and it'll be there when we implement one or more
>> automated port forwarding solutions.
>>
>
> File a bug for it if you like. Certainly the first part of implementing
> this - being able to create a tarball which will connect automatically
> to you (possibly with a verification stage) - is useful.
>
Inserting the installer on Freenet would go a long way toward this. I'm pretty sure I could make an easy jump from there to the auto-connect ability, at least on the installer side. Need to file a bug (note to self).
From toad at amphibian.dyndns.org Tue Mar 6 20:11:31 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 20:11:31 +0000
Subject: [Tech] Small World
In-Reply-To: <45EDC107.7010509@david.sowder.com>
References: <45EC78AA.3010008@david.sowder.com> <20070305225802.GA29396@amphibian.dyndns.org> <45ECA51D.2090707@david.sowder.com> <20070306021307.GG12481@amphibian.dyndns.org> <45EDC107.7010509@david.sowder.com>
Message-ID: <20070306201131.GA4976@amphibian.dyndns.org>

On Tue, Mar 06, 2007 at 01:29:11PM -0600, David Sowder (Zothar) wrote:
> > Yes it will be small world. But I don't see how you could borrow it as
> > it relies on path-folding on successful requests.
> >
> Then I need to understand this path-folding is and how it works. Any
> pointers to info on this would be appreciated.

Path folding = When a request completes successfully, there is a chance of connecting to the source of the data. (This is reset occasionally to preserve anonymity and manage load).

See the older pre-0.7 freenet papers (probably still on the papers section on the website)

http://wiki.freenetproject.org/OpennetDesign
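To make the path-folding definition above concrete, here is an added toy simulation (it is not fred's code and not Freenet's real opennet algorithm). Nodes sit at evenly spaced locations on a ring and route greedily by location over an arbitrary, refbot-style topology (ring neighbours plus random long links). On a successful request the data source's reference travels back along the path; each intermediate node may "reset" it to its own reference, which is our simplified reading of the occasional reset that hides the true source, and the requester then connects to whichever node was offered, evicting its most distant peer to keep its degree bounded. All names, parameters and the probability values are our own assumptions.

```python
import random


def ring_dist(a, b):
    """Distance between two locations on the unit ring [0, 1)."""
    d = abs(a - b)
    return min(d, 1.0 - d)


class ToyNetwork:
    """Constructed toy topology: ring links plus a few random long-range links."""

    def __init__(self, n=64, long_links=2, max_peers=8, seed=0):
        self.n, self.max_peers = n, max_peers
        self.rng = random.Random(seed)
        self.loc = [i / n for i in range(n)]          # evenly spaced locations
        self.peers = [set() for _ in range(n)]
        for i in range(n):                             # ring links keep greedy routing from dead-ending
            self._link(i, (i + 1) % n)
        for i in range(n):                             # arbitrary long links, as a refbot might create
            for _ in range(long_links):
                j = self.rng.randrange(n)
                if j != i and self._has_room(i) and self._has_room(j):
                    self._link(i, j)

    def _has_room(self, i):
        return len(self.peers[i]) < self.max_peers

    def _link(self, a, b):
        self.peers[a].add(b)
        self.peers[b].add(a)

    def _unlink(self, a, b):
        self.peers[a].discard(b)
        self.peers[b].discard(a)

    def _evict_farthest(self, i):
        """Drop the peer whose location is farthest from i's own; ring neighbours are
        always the nearest, so they survive and routing keeps making progress."""
        victim = max(self.peers[i], key=lambda p: ring_dist(self.loc[p], self.loc[i]))
        self._unlink(i, victim)

    def route(self, src, target):
        """Greedy routing: each hop picks the peer closest to the target's location.
        Returns the path [src, ..., target]."""
        path = [src]
        while path[-1] != target:
            cur = path[-1]
            path.append(min(self.peers[cur],
                            key=lambda p: ring_dist(self.loc[p], self.loc[target])))
        return path

    def request(self, requester, target, p_fold=1.0, p_reset=0.0):
        """Route a request; on success apply path folding.
        The source's reference is passed back along the path; every intermediate node
        replaces it with its own with probability p_reset (the anonymity reset), and the
        requester folds, i.e. connects to the offered node, with probability p_fold.
        Returns (hops, folded_peer_or_None)."""
        path = self.route(requester, target)
        hops = len(path) - 1
        offered = path[-1]
        for mid in reversed(path[1:-1]):
            if self.rng.random() < p_reset:
                offered = mid
        folded = None
        if (offered != requester and offered not in self.peers[requester]
                and self.rng.random() < p_fold):
            if not self._has_room(requester):
                self._evict_farthest(requester)
            if not self._has_room(offered):
                self._evict_farthest(offered)
            self._link(requester, offered)
            folded = offered
        return hops, folded


def mean_hops(net, probes):
    """Average greedy path length over a fixed set of (src, target) pairs."""
    return sum(len(net.route(a, b)) - 1 for a, b in probes) / len(probes)


def demo(n=64, requests=300, seed=1):
    """Run random requests with folding enabled and report hop counts before and after."""
    net = ToyNetwork(n, seed=seed)
    rng = random.Random(seed + 1)
    probes = [(rng.randrange(n), rng.randrange(n)) for _ in range(200)]
    before = mean_hops(net, probes)
    folds = 0
    for _ in range(requests):
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b:
            _, folded = net.request(a, b, p_fold=0.5, p_reset=0.2)
            folds += folded is not None
    after = mean_hops(net, probes)
    assert all(len(p) <= net.max_peers for p in net.peers)   # degree cap held throughout
    return {"mean_hops_before": before, "mean_hops_after": after, "folds": folds}


if __name__ == "__main__":
    print(demo())
```

The aggregate numbers that `demo()` prints are only a sanity check on this toy; the point it shows is mechanical: a successful request can turn a multi-hop route into a direct peer link, the reset step means the requester sometimes connects to an intermediate node rather than the real source, and the degree cap forces an eviction for every fold. It says nothing about why real path folding converges on a small-world topology, which is what the pre-0.7 papers cited above analyse.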
From freenet-tech at david.sowder.com Tue Mar 6 20:27:28 2007
From: freenet-tech at david.sowder.com (David Sowder (Zothar))
Date: Tue, 06 Mar 2007 14:27:28 -0600
Subject: [Tech] Small World
In-Reply-To: <20070306201131.GA4976@amphibian.dyndns.org>
References: <45EC78AA.3010008@david.sowder.com> <20070305225802.GA29396@amphibian.dyndns.org> <45ECA51D.2090707@david.sowder.com> <20070306021307.GG12481@amphibian.dyndns.org> <45EDC107.7010509@david.sowder.com> <20070306201131.GA4976@amphibian.dyndns.org>
Message-ID: <45EDCEB0.4090008@david.sowder.com>

Matthew Toseland wrote:
> On Tue, Mar 06, 2007 at 01:29:11PM -0600, David Sowder (Zothar) wrote:
>
>>> Yes it will be small world. But I don't see how you could borrow it as
>>> it relies on path-folding on successful requests.
>>>
>> Then I need to understand this path-folding is and how it works. Any
>> pointers to info on this would be appreciated.
>>
>
> Path folding = When a request completes successfully, there is a chance
> of connecting to the source of the data. (This is reset occasionally to
> preserve anonymity and manage load).
>
Haven't looked for the papers, but it sounds like that means opennet implemented in fred will be integrated with other node functions and thus things outside fred can't use path-folding without that same integration. Unless I've not thought of something, it sounds to me like "opennet" can't be implemented anywhere but fred as everything else, including refbot.py, will generate a physical connection topology that is very likely to be incompatible with "small world".
> See the older pre-0.7 freenet papers (probably still on the papers
> section on the website)
> http://wiki.freenetproject.org/OpennetDesign
>

From toad at amphibian.dyndns.org Tue Mar 6 21:11:00 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Tue, 6 Mar 2007 21:11:00 +0000
Subject: [Tech] Small World
In-Reply-To: <45EDCEB0.4090008@david.sowder.com>
References: <45EC78AA.3010008@david.sowder.com> <20070305225802.GA29396@amphibian.dyndns.org> <45ECA51D.2090707@david.sowder.com> <20070306021307.GG12481@amphibian.dyndns.org> <45EDC107.7010509@david.sowder.com> <20070306201131.GA4976@amphibian.dyndns.org> <45EDCEB0.4090008@david.sowder.com>
Message-ID: <20070306211100.GA22548@amphibian.dyndns.org>

On Tue, Mar 06, 2007 at 02:27:28PM -0600, David Sowder (Zothar) wrote:
> Matthew Toseland wrote:
> >
> > Path folding = When a request completes successfully, there is a chance
> > of connecting to the source of the data. (This is reset occasionally to
> > preserve anonymity and manage load).
> >
> Haven't looked for the papers, but it sounds like that means opennet
> implemented in fred will be integrated with other node functions and
> thus things outside fred can't use path-folding without that same
> integration. Unless I've not thought of something, it sounds to me like
> "opennet" can't be implemented anywhere but fred as everything else,
> including refbot.py, will generate a physical connection topology that
> is very likely to be incompatible with "small world".

True opennet yes. However there are lots of not-so-good opennets (e.g. #freenet-refs ) and there are algorithms to create small world networks.
From juiceman69 at gmail.com Tue Mar 6 21:35:03 2007
From: juiceman69 at gmail.com (Juiceman)
Date: Tue, 6 Mar 2007 16:35:03 -0500
Subject: [Tech] Proposal: UP&P
In-Reply-To: <20070306110910.GF4145@freenetproject.org>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306110910.GF4145@freenetproject.org>
Message-ID: <8b525dee0703061335q706a12bcxbff47fd18e1920d2@mail.gmail.com>

On 3/6/07, Florent Daignière (NextGen$) wrote:
>
> * Matthew Toseland [2007-03-06 01:37:52]:
>
> > Universal Plug and Play support
> > ===============================
> >
> > I suggest that we need UP&P support. The main caveats are that it is not
> > usable on an untrusted LAN, so we need to ask the user, and that we may
> > not easily be able to distinguish between a local trusted LAN and an
> > ISP's LAN. It is also reported that UP&P works only around 50% of the
> > time when it is detected.
>
> Ok, let's feed the troll.
>
> > However:
> > - It would significantly improve connection reliability. If for example
> > all your peers are german and in germany all domestic IPs change every
> > 24 hours, if you are down for 24 hours you are lost for good.
>
> Do we have any stats regarding how many of our users are double-natted?
> I know that in france most people had DSL connectivity before the
> Wireless craze ; meaning that most users are likely to have two
> different natting appliances (the routing modem and the wireless AP).
>
> > - Right now good connectivity relies on getting a few geek nodes - nodes
> > that are directly connected or port forwarded. UP&P would increase the
> > proportion of such nodes dramatically.
>
> I am not sure it's an issue.
> I am idling on #freenet-refs on a regular
> basis to see how the installer performs and to see where users get
> stuck : most of them don't have connectivity problems.
>

That would be because if the user is tech savvy enough to get on IRC, they can forward a port at their router... DUH

I'm not saying people do or do not have connectivity problems, just that this is a really bad way to judge. ;-)

-- 
I may disagree with what you have to say, but I shall defend, to the death, your right to say it. - Voltaire
Those who would give up Liberty, to purchase temporary Safety, deserve neither Liberty nor Safety. - Ben Franklin

From m.rogers at cs.ucl.ac.uk Wed Mar 7 09:22:02 2007
From: m.rogers at cs.ucl.ac.uk (Michael Rogers)
Date: Wed, 07 Mar 2007 09:22:02 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <20070306184003.GA32039@amphibian.dyndns.org>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org>
Message-ID: <45EE843A.4060008@cs.ucl.ac.uk>

Matthew Toseland wrote:
> Some feedback from #azureus :
>
> nat traversal + UPnP + NAT-PMP can solve about 80% of the
> NATed problems
> you have any quantitative numbers btw?
> nope
> it's 2nd-hand info i got from the devs
>
> Anyone got anything more concrete?

There are some useful stats in this paper:
http://nutss.gforge.cis.cornell.edu/pub/imc05-tcpnat.pdf

Here's the raw data:
http://www.guha.cc/saikat/stunt-results.php

It looks like about 70% of deployed NATs are full cone, so 81% of NAT-to-NAT connections should work without UPnP, NAT-PMP or manual port forwarding.
Cheers,
Michael

From m.rogers at cs.ucl.ac.uk Wed Mar 7 13:24:22 2007
From: m.rogers at cs.ucl.ac.uk (Michael Rogers)
Date: Wed, 07 Mar 2007 13:24:22 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <45EE843A.4060008@cs.ucl.ac.uk>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk>
Message-ID: <45EEBD06.9030508@cs.ucl.ac.uk>

Matthew Toseland wrote:
> Some feedback from #azureus :
>
> nat traversal + UPnP + NAT-PMP can solve about 80% of the
> NATed problems
> you have any quantitative numbers btw?
> nope
> it's 2nd-hand info i got from the devs
>
> Anyone got anything more concrete?

More links:

http://www.brynosaurus.com/pub/net/p2pnat/
http://tools.ietf.org/id/draft-jennings-midcom-stun-results-02.txt

Cheers,
Michael

From toad at amphibian.dyndns.org Thu Mar 8 01:29:45 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Thu, 8 Mar 2007 01:29:45 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <45EE843A.4060008@cs.ucl.ac.uk>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk>
Message-ID: <20070308012945.GA11782@amphibian.dyndns.org>

On Wed, Mar 07, 2007 at 09:22:02AM +0000, Michael Rogers wrote:
> Matthew Toseland wrote:
> > Some feedback from #azureus :
> >
> > nat traversal + UPnP + NAT-PMP can solve about 80% of the
> > NATed problems
> > you have any quantitative numbers btw?
> > nope
> > it's 2nd-hand info i got from the devs
> >
> > Anyone got anything more concrete?
>
> There are some useful stats in this paper:
> http://nutss.gforge.cis.cornell.edu/pub/imc05-tcpnat.pdf
>
> Here's the raw data:
> http://www.guha.cc/saikat/stunt-results.php
>
> It looks like about 70% of deployed NATs are full cone, so 81% of

If that is true, then things are a lot easier than I had thought. Linux for example doesn't normally do full cone. Is it the same with UDP as with TCP?
> NAT-to-NAT connections should work without UPnP, NAT-PMP or manual port
> forwarding.
>
> Cheers,
> Michael

From toad at amphibian.dyndns.org Thu Mar 8 01:31:35 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Thu, 8 Mar 2007 01:31:35 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <45EE843A.4060008@cs.ucl.ac.uk>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk>
Message-ID: <20070308013135.GB11782@amphibian.dyndns.org>

On Wed, Mar 07, 2007 at 09:22:02AM +0000, Michael Rogers wrote:
>
> There are some useful stats in this paper:
> http://nutss.gforge.cis.cornell.edu/pub/imc05-tcpnat.pdf
>
> Here's the raw data:
> http://www.guha.cc/saikat/stunt-results.php
>
> It looks like about 70% of deployed NATs are full cone, so 81% of
> NAT-to-NAT connections should work without UPnP, NAT-PMP or manual port
> forwarding.

If that is the case then we can even use TCP - provided that we identify the rewritten port number if any, and that we open a connection to another node...
From m.rogers at cs.ucl.ac.uk Thu Mar 8 12:57:01 2007
From: m.rogers at cs.ucl.ac.uk (Michael Rogers)
Date: Thu, 08 Mar 2007 12:57:01 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <20070308012945.GA11782@amphibian.dyndns.org>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk> <20070308012945.GA11782@amphibian.dyndns.org>
Message-ID: <45F0081D.8000200@cs.ucl.ac.uk>

Matthew Toseland wrote:
>> It looks like about 70% of deployed NATs are full cone, so 81% of
>
> If that is true, then things are a lot easier than I had thought. Linux
> for example doesn't normally do full cone. Is it the same with UDP as
> with TCP?

It seems to be slightly worse for TCP - see the brynosaurus link in my other email. Linux and BSD software NATs are some of the worst to be behind, but hopefully we can rely on Linux and BSD users to know how to forward a port.

Cheers,
Michael

From toad at amphibian.dyndns.org Thu Mar 8 13:01:06 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Thu, 8 Mar 2007 13:01:06 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <45F0081D.8000200@cs.ucl.ac.uk>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk> <20070308012945.GA11782@amphibian.dyndns.org> <45F0081D.8000200@cs.ucl.ac.uk>
Message-ID: <20070308130106.GA5953@amphibian.dyndns.org>

On Thu, Mar 08, 2007 at 12:57:01PM +0000, Michael Rogers wrote:
> Matthew Toseland wrote:
> >> It looks like about 70% of deployed NATs are full cone, so 81% of
> >
> > If that is true, then things are a lot easier than I had thought. Linux
> > for example doesn't normally do full cone. Is it the same with UDP as
> > with TCP?
>
> It seems to be slightly worse for TCP - see the brynosaurus link in my
> other email. Linux and BSD software NATs are some of the worst to be
> behind, but hopefully we can rely on Linux and BSD users to know how to
> forward a port.

Well some routers use Linux/BSD. But most don't because cheaper hardware usually trumps cheaper software.

>
> Cheers,
> Michael

From m.rogers at cs.ucl.ac.uk Fri Mar 9 10:51:16 2007
From: m.rogers at cs.ucl.ac.uk (Michael Rogers)
Date: Fri, 09 Mar 2007 10:51:16 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <20070308013135.GB11782@amphibian.dyndns.org>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk> <20070308013135.GB11782@amphibian.dyndns.org>
Message-ID: <45F13C24.8040407@cs.ucl.ac.uk>

Matthew Toseland wrote:
> If that is the case then we can even use TCP - provided that we identify
> the rewritten port number if any, and that we open a connection to
> another node...

Sounds like a good idea. In some cases it's even possible to do hole punching with TCP, but you need to contact a public server to discover your external port and I don't think there are many STUNT servers deployed yet.
Cheers,
Michael

From toad at amphibian.dyndns.org Fri Mar 9 17:52:34 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Fri, 9 Mar 2007 17:52:34 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <45F13C24.8040407@cs.ucl.ac.uk>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk> <20070308013135.GB11782@amphibian.dyndns.org> <45F13C24.8040407@cs.ucl.ac.uk>
Message-ID: <20070309175234.GA5377@amphibian.dyndns.org>

On Fri, Mar 09, 2007 at 10:51:16AM +0000, Michael Rogers wrote:
> Matthew Toseland wrote:
> > If that is the case then we can even use TCP - provided that we identify
> > the rewritten port number if any, and that we open a connection to
> > another node...
>
> Sounds like a good idea. In some cases it's even possible to do hole
> punching with TCP, but you need to contact a public server to discover
> your external port and I don't think there are many STUNT servers
> deployed yet.

That's another interesting point: port rewriting. Right now we don't take any steps to identify our external port number, apart from using it as well as our real port number if we hear it from successful connectees.

>
> Cheers,
> Michael
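The port-rewriting problem raised here, and the STUNT prediction trick that Michael Rogers spells out in his reply in this thread (learn external ports p1 and p2 from two reflectors, then guess p2 + (p2 - p1)), as an added example in Python. This is not Freenet's code; it simulates a NAT with three allocation behaviours and checks the guess against the port a real peer would see. A reflector here reports the same thing a "successful connectee" reports: the source port it observed. The `SimNat` model, the placeholder host names and the port numbers are constructed for the example.

```python
import random

# Constructed placeholder names; any two reflectors that echo back the observed port will do.
STUNT_SERVERS = ("stunt-a.example", "stunt-b.example")


def predict_next_port(p1, p2):
    """STUNT guess: assume the NAT keeps using the same increment as between p1 and p2."""
    return p2 + (p2 - p1)


def classify_nat(p1, p2, p3):
    """Classify a NAT from three consecutive external ports seen for one internal endpoint."""
    d1, d2 = p2 - p1, p3 - p2
    if d1 == 0 and d2 == 0:
        return "port-preserving (full cone): prediction is exact and stays fresh"
    if d1 == d2 and 0 < d1 <= 2:
        return "sequential, delta %d: predictable only while no other flow intervenes" % d1
    return "unpredictable: randomized or irregular allocation"


class SimNat:
    """Toy NAT: maps an internal (addr, port) endpoint, and for non-cone modes also the
    destination, to an external port. Modes: full_cone, sequential (fixed delta), random."""

    def __init__(self, mode, delta=1, first_port=40000, seed=0):
        assert mode in ("full_cone", "sequential", "random")
        self.mode, self.delta, self.next_port = mode, delta, first_port
        self.rng = random.Random(seed)      # only used by the randomized allocator
        self.mappings = {}

    def _alloc(self):
        if self.mode == "random":           # source-port randomization: no structure to exploit
            return self.rng.randrange(1024, 65536)
        port, self.next_port = self.next_port, self.next_port + self.delta
        return port

    def external_port(self, internal, dst):
        """External port used for a packet from `internal` to destination `dst`."""
        # full cone: one mapping per internal endpoint, reused for every destination
        key = internal if self.mode == "full_cone" else (internal, dst)
        if key not in self.mappings:
            self.mappings[key] = self._alloc()
        return self.mappings[key]


def probe_and_predict(nat, internal, interfering_flows=0):
    """Probe two reflectors, predict the port the next peer will see, then verify it.
    `interfering_flows` models other connections from the same host that grab mappings
    between the probe and the real connection attempt (why the guess goes stale)."""
    p1 = nat.external_port(internal, STUNT_SERVERS[0])
    p2 = nat.external_port(internal, STUNT_SERVERS[1])
    predicted = predict_next_port(p1, p2)
    for i in range(interfering_flows):
        nat.external_port(("10.0.0.2", 50000 + i), "somewhere.example")
    actual = nat.external_port(internal, "peer.example")
    return {"p1": p1, "p2": p2, "predicted": predicted, "actual": actual,
            "ok": predicted == actual}


if __name__ == "__main__":
    me = ("192.168.1.10", 12345)
    for label, nat, noise in (("full cone", SimNat("full_cone"), 3),
                              ("sequential +1", SimNat("sequential", delta=1), 0),
                              ("sequential +1, busy host", SimNat("sequential", delta=1), 1),
                              ("sequential +2", SimNat("sequential", delta=2), 0),
                              ("randomized", SimNat("random", seed=7), 0)):
        r = probe_and_predict(nat, me, interfering_flows=noise)
        print("%-26s p1=%d p2=%d predicted=%d actual=%d ok=%s" %
              (label, r["p1"], r["p2"], r["predicted"], r["actual"], r["ok"]))
```

Running it shows the two caveats from the thread in numbers: the full-cone NAT keeps the prediction valid even while other flows allocate ports, the sequential NAT is right only if the peer connection is the very next mapping, and the randomized allocator gives the guess nothing to work with.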
From m.rogers at cs.ucl.ac.uk Sat Mar 10 01:37:01 2007
From: m.rogers at cs.ucl.ac.uk (Michael Rogers)
Date: Sat, 10 Mar 2007 01:37:01 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <20070309175234.GA5377@amphibian.dyndns.org>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk> <20070308013135.GB11782@amphibian.dyndns.org> <45F13C24.8040407@cs.ucl.ac.uk> <20070309175234.GA5377@amphibian.dyndns.org>
Message-ID: <45F20BBD.5070001@cs.ucl.ac.uk>

Matthew Toseland wrote:
> That's another interesting point: port rewriting. Right now we don't
> take any steps to identify our external port number, apart from using it
> as well as our real port number if we hear it from successful connectees.

STUNT uses the following trick, based on the fact that most NATs increase the external port number by 0, 1 or 2 for successive mappings with the same internal address and port number:

* Contact first STUNT server, learn external port p1
* Contact second STUNT server, learn external port p2
* Predicted port for next connection = p2 + (p2 - p1)
* Peers exchange their predicted ports out of band, then try to connect

This might also work with STUN - I'm not sure whether UDP mappings are allocated in the same way but I don't see why they wouldn't be. However, the predicted port doesn't stay fresh for very long unless p1 = p2 (full cone), so it might not be very useful unless the peers have a low-latency channel to exchange predicted ports (eg a mutual friend's node).
Cheers,
Michael

From nextgens at freenetproject.org Sat Mar 10 09:53:53 2007
From: nextgens at freenetproject.org (NextGen$)
Date: Sat, 10 Mar 2007 09:53:53 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <45F20BBD.5070001@cs.ucl.ac.uk>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk> <20070308013135.GB11782@amphibian.dyndns.org> <45F13C24.8040407@cs.ucl.ac.uk> <20070309175234.GA5377@amphibian.dyndns.org> <45F20BBD.5070001@cs.ucl.ac.uk>
Message-ID: <20070310095353.GD9107@freenetproject.org>

* Michael Rogers [2007-03-10 01:37:01]:
> Matthew Toseland wrote:
> > That's another interesting point: port rewriting. Right now we don't
> > take any steps to identify our external port number, apart from using it
> > as well as our real port number if we hear it from successful connectees.
>
> STUNT uses the following trick, based on the fact that most NATs
> increase the external port number by 0, 1 or 2 for successive mappings
> with the same internal address and port number:
>
> * Contact first STUNT server, learn external port p1
> * Contact second STUNT server, learn external port p2
> * Predicted port for next connection = p2 + (p2 - p1)
> * Peers exchange their predicted ports out of band, then try to connect
>
> This might also work with STUN - I'm not sure whether UDP mappings are
> allocated in the same way but I don't see why they wouldn't be. However,
> the predicted port doesn't stay fresh for very long unless p1 = p2 (full
> cone), so it might not be very useful unless the peers have a
> low-latency channel to exchange predicted ports (eg a mutual friend's node).
>
> Cheers,
> Michael

Moreover such things -source port randomization- (http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=90) will prevent it from working ;)

NextGen$

From m.rogers at cs.ucl.ac.uk Sat Mar 10 10:09:00 2007
From: m.rogers at cs.ucl.ac.uk (Michael Rogers)
Date: Sat, 10 Mar 2007 10:09:00 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <20070310095353.GD9107@freenetproject.org>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk> <20070308013135.GB11782@amphibian.dyndns.org> <45F13C24.8040407@cs.ucl.ac.uk> <20070309175234.GA5377@amphibian.dyndns.org> <45F20BBD.5070001@cs.ucl.ac.uk> <20070310095353.GD9107@freenetproject.org>
Message-ID: <45F283BC.2020204@cs.ucl.ac.uk>

NextGen$ wrote:
> Moreover such things -source port randomization-
> (http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=90) will prevent
> it from working ;)

Yeah, unfortunately some people seem to enjoy breaking their own connectivity. But luckily they're in the minority. ;-)

Cheers,
Michael

From toad at amphibian.dyndns.org Sat Mar 10 20:57:46 2007
From: toad at amphibian.dyndns.org (Matthew Toseland)
Date: Sat, 10 Mar 2007 20:57:46 +0000
Subject: [Tech] Proposal: UP&P
In-Reply-To: <45F20BBD.5070001@cs.ucl.ac.uk>
References: <20070306013752.GC12481@amphibian.dyndns.org> <20070306184003.GA32039@amphibian.dyndns.org> <45EE843A.4060008@cs.ucl.ac.uk> <20070308013135.GB11782@amphibian.dyndns.org> <45F13C24.8040407@cs.ucl.ac.uk> <20070309175234.GA5377@amphibian.dyndns.org> <45F20BBD.5070001@cs.ucl.ac.uk>
Message-ID: <20070310205746.GA58