NymIP: Anonymity At The IP Layer

Eloquence writes: "NymIP is a new project that aims to set a standard for Internet anonymity at the IP level. It was started by Zero Knowledge Systems, but is now led by Harvard's Scott Bradner, an IETF member. Some of the biggest players in the field participate in the project, which will be introduced at the 49th IETF Meeting that starts today." Comments especially sought from anyone who attends that meeting.

Re:Anonymity sometimes just isn't the right idea

... they know they are doing something they shouldn't be doing. If no one was breaking the rules, then there'd be no problem. By that logic, when you shut your doors when going to toilet, you have something to hide, you must be doing something wrong. Why not let the well meaning authorities have cameras in your bathroom and your bedroom if you have nothing to hide? Why not let whole neighborhood watch you on the monitors as well? You are not breaking any rules, so why not?

Re:No Technical Details To Be Found?

I know TCP/IP fairly well, and this doesn't make sense to me. I want to establish a TCP connection to another host (packets are going both ways), so how can I stay anonymous when the remote host needs to send packets back to me? It has to go from router A, to router B, etc and then back to my computer.

You may know TCP/IP fairly well, but you don't know cryptography very well. It is possible for two parties to agree on a common random value without exchanging that value. This is the basic idea put forth in the Diffie-Hellman Key Exchange. Once you have a random number known to the two parties trying to communicate and no one else, you can use that number as an address to route the packets through the network. I don't know if this is what the research group has in mind but it is a possibility. Yes, there are some problems with this system, in particular the initial key exchange is not anonymous, but this makes it much harder to trace the actually data transfer.

The other thing too keep in mind is this: no matter what protocol you're using over the Internet, you can find out where the packets are coming from and going to. This includes ssh (Secure Shell), tunneling, normal TCP/UDP connections and even spoofed packets. This is done by running sniffers on each interface on a router (starting with the target that's being DoSed or whatever) and seeing which interface these packets came in on. You find out what that interface is connected to and start sniffing there. Repeat this process enough times, and you'll find out the source and destination of any packet.

In theory this will work, but once you cross an administrative domain, i.e. from one ISP's network to another ISP's network, you will find that they are so willing to co-operate. Read Cliff Stoll's Cuckoo's Egg [fatbrain.com] for a real world example. It took him over two years to track someone, not because of technical problems, but because of adminstrative problems.

A company I used to work for had three different operating units with three different data centers in one building. To set up sniffers on the networks took two weeks of meeting and getting sign-off from data-center managers, since the managers didn't want their networks touched unless it was to fix a production problem in their network.

Its up to the admin to secure the site? BS

So I guess its up to the guy I shoot in the head to duck the bullet then?

Toto, we are no longer on the Internet anymore

Over the last years I have given precisely this issue quite some thought. Initially I did not like the answer.

IP addresses allow remote servers and third parties to invade your privacy by linking your actions to that address. Even if you get a different address regularly it still is a way of linking actions within a certain timespan (typically a dailup session or a dhcp timeout). Also handing out your address to everyone makes you a target for hacking and DoS.

So trying to allow the user to control wether this privacy sensitive informartion is given away or obscured is a good thing.

However if you start looking at how you implement this you run into a number of interesting issues.

1. we are talking about some form of address translation here.
2. For certain applications this requires application-level awareness of the translation here. Please note that I am not calling it NAT, you simply rewrite the from address not alter anything in the packet. (Oh yeah, all of this breaks IP sec... So you need a seceure tunneling protocol to get to the translator.)
3. You will need an organisation that will provide this for you. This could be your ISP, it could be someone else.
4. At any rate you need to have a contract with those guys stating that they will keep the mapping between your real IP address and your apparent address very private and change it regularly, sometimes even for each packet you send out. (oops, you'd have to be able to select this behaviour per application, it breaks some of of the applications we have now that assume you stay on the same address during a session...)
5. Yet the authoraties will soon catch up and governments will demand that this information will be made available for legal interception purposes. In some countries the government is already prepared for this because they stated that every telecommunication service shall be interceptable. This is not necessarily a bad thing. It is just something to keep in mind, you are not anonymous to everyone.
6. In order to make yourself not immediately a suspect to legal investigation just by using it once. you'd have to use nymity all the time . It is a common misconception that only crooks require privacy. Everyone has the need for privacy! Wether it is about your bank transactions, religion, illnesses all people have things they'd like others not to know (or at least control to whom they communicate it).

If we would introduce nymity boxes we seem to have lost the transparency of the Internet. I'd not like to see this as unraveling of the Internet. I'd like to see this as a different kind of IP deployment. You could tunnel this over the Internet or have a new kind of network for it.

Is this necessarily a bad thing? No! As long as the applications remain transparent this can work. Yet it requires some thought.

While you are breaking the Internet-model anyway you may just as well go all the way and include:

• QoS, the kind where you can reserve a path end-to-end (this implies authentication and billing per second)
• access control, so your wireless 3rd generation terminal does not suffer a DoS attack because someone burns up the bandwidth on its wireless link or your mobile phone gets hacked so someone can access your bank-account.

I know, this sounds like heresey at first, but after a while I could see the appeal of a world in which you can have privacy, QoS and access control . Especially if this not replaces the Internet but offers you more choice.

Now let's see when Scott Bradner is going to have a BoF session on this.

Re:Just impossible

Exactly. This is what we're taught, and what we (collectively speaking) never do. People who sign every message (to provide repudiation for those they didn't send, they have to sign all the ones they did send as standard procedure) are called out as paranoid. Our (collectively again) associates and friends have a hard time understanding encryption, and when they learn to operate the tools, it's inconvenient to do so, so they only use them for, you guessed it, the "good stuff."

I agree completely that we need to make privacy, security, and anonymity standard practices--to do otherwise draws attention to those of us who do use these tools consistently.

I also relish the thought of some three letter agency expending millions of CPU hours on my correspondence, only to find picayune (love that word--thanks) stuff :).

Has Happened: See nym.alias.net.

You're not very up on the times it would seem. Penet went down because its reply blocks were in the clear, and there was no ability to chain your replies thru other anonymous remailers cryptographically. Penet did not use any encryption at all. Thats why it went down. It was a giant risk to its users and as such, a nice big fat juicy target for the cult of scientology to sue (to try and get those reply blocks). The model was hopelessly flawed, but that does not mean that the idea of perfect forward secrecy, digital mixes and anonymous bi-drectional communication is flawed. Its not.

Modern remailers, such as Type I and Type II remailers, as well as nym remailers (which allow for anonymous bi-directional traffic, without reply blocks being in the clear, and with the ability to chain the replies thru N Type I or Type II remailers) which have been in use for years, solve all of the problems that brought penet.

You can have absolute privacy and absolute anonymity now. Just visit http://mixmaster.shinn.net [shinn.net] or any of the other remailers websites for instructions. Heck, if you want ease of use, you can install ZKS' freedom software and abstract away all the work (at a little cost to security). Privacy is not that hard to do, and its really frustrating that people on slashdot have bought into the myth that privacy is not something you can have in this day and age. That is absolute bunk.

Python

Only without logging...

The overview isn't much on gory details, so I'm speaking from a somewhat limited viewpoint here. Hopefully someone else will know more about this and be able to flesh it out a little more into reality.

This can only work if they intend to create what amounts to proxy-based co-operative subnets, which allocate, use, and discard IP addresses for sets of users. With a large enough number of users per group, it would tend to mask out individual users.

The problem as I see it is that you'd still have to have some identifying information, or there's no way to form a socket. Even if the identifying information is one of the sockets within a certain group, the accessed server will still log the connection as coming from a user within that group.

The group can't be infinitely large because that would be too much strain on the proxy routers. But they can't be too small, either, because information could be inferred from the time of the connection, etc.

And it doesn't stop people from tying together a username, biographical information, and the proxy-router pool of users the accesses are coming from. Then again, the article says it's 'controlled nymity', but it's a long way from paying in cash for a pr0n mag.

--sjd;

W00-H00!

Now no one can trace my mad fr1st postering sk1llz!!

B0mb-0mb hax0ring instructions are as follows:

Oh crap... forgot to czeck "Post Anonymously"

Good, but do we want this?

I am fully for First Ammendment rights, but I also know that the first ammendment does not guarentee us _anonymous_ freedom of speech. We are only allowed to say whatever we want until we yell fire into a crowded theater.
While I think there shouldn't be legislation to require constant identification, do we really think that making things more anonymous is a step in the right direction?
I'm sorry if I'm reading the concept wrong, but his is the equivelant of giving everyone a ski mask. Yeah, everyone has the right to wear one all the time, in public, but would our society be much better? While I'm always intrigued by new technology, I wonder if we should do it just for the sake of doing it.

I disagree.

Anonymous political speech is what it's all about. You need to be able to say things without dying for your cause... so much pain comes to those who speak out (ask Ken Sare We-wa (sp)).

Will Never Happen: See anon.penet.fi

Whether your big book of ideals say anonymity is required for you to enjoy complete privacy is irrelevant - the powers that be are never going to allow this to be implemented at the carrier/backbone level, and frankly in the world we live in, this may be a wise choice.

Before you get into a tizzy, for 99% of us, the most intriguing thing we do online is buy things, and this is already tracked through our credit card numbers, so issues of IP tracing are irrelevant.

Unfortuntely, you have no privacy, deal with it.

Some words on the matter

Since my wife is one of the persons on the list of people actually working on this, I may add a few words to it. Marit [koehntopp.de] has a publications list [koehntopp.de] online.

How does it work? Well, have a look at project anonymity and unobservability [tu-dresden.de] on the Internet. A MIX network is like a system of remailers, just for IP packets. There are several kinds of attacks against a MIX network ("nix the MIX") and they are categorized and discussed in that paper.

Specifically, the problem of cooperating MIX network node operators is being discussed. Have a look at the properties of ideal MIXes: It is sufficient for the MIX network to have a single trustworthy node in your path in order to protect your anonymity (section 1.2 of that paper).

Marit has a paper on anonymity terminology [koehntopp.de] online, too (txt version of that paper [koehntopp.de]). Have a look at it in order to get your vocabulary. Additionally, there is a web page on identity management [koehntopp.de] on her server. This relates P3P [w3c.org] and anonymity/pseudonymity.


© Copyright 2000 Kristian Köhntopp [koehntopp.de]
All rights reserved.

No Technical Details To Be Found?

This looks like a good cause, but the first thing I noticed is there aren't any technical details to be found, from links on the page referenced, or even in the mailing list archives.

The other thing that makes me wonder is "how can this thing actually work?".

I know TCP/IP fairly well, and this doesn't make sense to me. I want to establish a TCP connection to another host (packets are going both ways), so how can I stay anonymous when the remote host needs to send packets back to me? It has to go from router A, to router B, etc and then back to my computer.

The only way around this issue is if a proxy is used, and I don't think this will work because someone has to provide massive amounts of bandwidth for these anonymous connections, and whoever is in control (or can gain control) of the proxy server would see everything.

The other thing too keep in mind is this: no matter what protocol you're using over the Internet, you can find out where the packets are coming from and going to. This includes ssh (Secure Shell), tunneling, normal TCP/UDP connections and even spoofed packets. This is done by running sniffers on each interface on a router (starting with the target that's being DoSed or whatever) and seeing which interface these packets came in on. You find out what that interface is connected to and start sniffing there. Repeat this process enough times, and you'll find out the source and destination of any packet.

Just impossible

To get IP traffic the sender needs to know what IP you are at, if they can get your IP they can log it. Proxies can disguise this, but you still need to trust the person running the proxy.

Running an anonymiser is a great way to conduct man in the middle attacks, particularly since you know anyone using an anonymiser is doing something they don't want people to find out about.

Re:Anonymity sometimes just isn't the right idea

I'm going to respond to this on the presumption that you aren't a troll -- while you have a valid point, it's also an easy one to use while looking for flames. That said...

You operate on the presumption that that which is wrong and that which is illegal are one and the same. I (A US citizen) have done (and exported) work on crypto software (before the laws were relaxed), which made my actions illegal under munitions export laws. Does that mean I shouldn't have done it? Personally, I don't think so.

Basically, I think that individuals should be able to defy the law. Every revolution, every protest, every major stride in human rights -- all of these involved broken laws. Do you really think humanity would be better served by an unevadable law enforcement?

Personally, I don't.

Re:Anonymity sometimes just isn't the right idea

I see your point, but I think your analogy is flawed.

While pedestrians can't put on a "Generic Pedestrian Mask," neither are all of their actions logged. Some of your actions are logged--video cameras will log that you walked into a store, credit card purchases create a paper trail as well--but you can avoid most of them (pay cash) and the ones that you can't avoid (security cameras) don't tie your action explicitly to your identity. They may have an image on tape of you walking into 7-11 to buy your copy of Juggs Magazine, but they don't know who that image represents without extensive research.

Furthermore, people don't just go for anonymity because they're doing something they shouldn't be doing. If you think you might have HIV, and you're looking at HIV information sites in a panic trying to figure out what to do and whether you're going to die, you have every moral AND LEGAL right to anonymity.

Also, it's not just concern about governmental monitoring that motivates people to go anonymous. I would argue that some cracker who wants to extort money from you is just as big a concern, as is the private investigator hired by your ex-spouse to dig up dirt on you.

And I don't buy the statement that "government organizations have better things to do than worry about what some joe schmoe is reading about." Plenty of non-paranoid types will agree that the government does a hell of a lot of grab-bag signal interception and analysis, i.e. Echelon.

Re:Good, but do we want this?

Anonymous speech has a long and illustrious history, both in writing an in literature. Writing anonymously can be the only way to speak out against oppressive laws and governments without fear of retribution. And freedom often seems to be an all-or-nothing issue on the Internet.

It is interesting to note the tradition anonymity has in American Politics. Tracts like Paine's Common Sense [constitution.org] were originally published anonymously. And after the revolution, highly influential papers like those in the Anti-Federalist Papers [constitution.org] were penned under names like "Centinel" and "Federal Farmer".

Anonymity can serve as a check on the power of government (not to mention the wraith of the masses). There is a compromise, of course. If one can speak anonymously, one is safe to publish lies and slander. And it's rapidly coming to mean that you can publish hard-core kiddy porn and nuclear weapon schematics too.

Oh, well. Nobody said freedom was perfect. The alternative is to place your trust in your government, and hope no utterance you make ever comes to be regarded as seditious.

Me? Well, I guess it's enough to note that my real name isn't "Skald" :-)

Re:Will Never Happen: See anon.penet.fi

Quite saddly, Ars-Fartsica shortsightedly speaks:
"for 99% of us, the most intriguing thing we do online is buy things"

People actually do many other interesting things on-line, and here's some of them:

• Many folks read and contribute opinions to public or semi-public discussion forums, as you and I have done here. Perhaps it is less than in the glory days of usenet, but it's certainly a healthy percentage. Public discussing boards are common at many websites, and they tend to be filled with comments. That's no tiny fraction of users.
• Most users exchange private messages with a limited set of other users. E-mail is used, at least somewhat, by nearly ALL internet users. Many many users, at some point, exchange email with another person whom they would not have met and communicated with in the absence of the internet.
• A good number of people participate in real-time chat or instant messaging. AOL and MS wouldn't have a big IM war if there weren't an aweful lot of "eyeballs" at stake.
• A significant number of people exchange files with one-another. Napster's claimed 40e6 userbase, and actual 500k to 1e6 active-at-any-given-time numbers are very significant. Copyright issues aside, digital data copying creates an exchange of commodities based on abundance instead of scarcity. I personally find this environment of abundance very intriguing.
• A smaller, but meaningful number of users publish their ideas or creative efforts. Personal websites are often lacking content, but there are a good many that are among the most informative sites on the web, at least for their particular topic. Even though this number is small, the benefit is quite substantial, and when you consider the number of readers, the total number of users involved grows quickly.
• A good number of programmers write Free or Open-Source software, which would otherwise not come about with the net. While the number of programmers is small compared to the entire group of users, the combined group of programmers and users of their wares (the full set involved in the communication) is rather large.

I suppose the meaning in your comment revolves around the word "intriguing". It is a sad state of affairs when on-line shopping is more intriguing than these examples of people communicating with other in ways generally not possible with the net, and with people whom they would likely never have known, exchanging ideas that they would not have expressed, or publishing or consuming data they would not have had, had it not been for the internet.

It is a topic of much debate if anonymous access is a benefit. For people who can't see much value in the internet beyond on-line shopping, anonymous access must seem like a worthless persuit. In all of these examples listed above, anonymous access can add intriguing possibilities. Some possibilities are for abuse (spam email comes easily to mind), some allow users to exchange copyrighted or contraband material, and others allow people to express themselves and share ideas that they would have been afraid to share otherwise.

The in the subject line, anon.penet.fi was an anonymous remailer. (this paragraph is for the benefit of anyone who wasn't using the net back then.... back with on-line shopping more or less didn't exist) You sent an email, and it would resend it to someone else or to a newsgroup, without any identifying info about you. When someone replied, it would receive the reply and send it to you, in a similarily anonymous way. It was used heavily in the old days of the usenet (before being overrun with spam). It was commononly used by people in various alt.sex... groups, who obviously wanted to talk about their (often kinky) sex interests, without fear of neighbors and workmates learning their identity. There were many other legit uses, sexual abuse recovery discussions come to mind, though open sex related conversations seemed to be one of the largest legit uses. Unfortunately there were many abuses, such as posting hate speach, death threats, etc. I remember when it was shut down, but I've since forgotten the details. Perhaps someone else will post them. For a long time, it was believed that anon.penet.fi would never compromise. The guy running it (wasn't it something like "Julf") claimed he'd delete everything if a court order ever was served. Unfortunately, the court order did happen and enough pressure was applied that the authorities made him comply and they obtained all the data. Many people who had depended on the anonyminity were scared that they would be exposed. The whole anon.penet.fi case certainly is a lesson that in the long run, a central server won't work.

For better or worse, I'm quite interested in the technical aspects of how such an anonymous protocol could be designed. I was unaware of these other projects, fling [sourceforge.net] and the work at zer0knowledge [zeroknowledge.com]. Had it not been for this slashdot discussion, I probably would not have learned of their existance. Now I have some interesting reading to go do.... but I'll say just one more time: anyone who thinks the most intriguing aspect of the internet is on-line shopping really needs to open their eyes. I know it's less than 99%, and I hope it's a lot less.