NymIP: Anonymity At The IP Layer

Eloquence writes: "NymIP is a new project that aims to set a standard for Internet anonymity at the IP level. It was started by Zero Knowledge Systems, but is now led by Harvard's Scott Bradner, an IETF member. Some of the biggest players in the field participate in the project, which will be introduced at the 49th IETF Meeting that starts today." Comments especially sought from anyone who attends that meeting.

Re:Anonymity sometimes just isn't the right idea

[Nightlight3]

... they know they are doing something they shouldn't be doing. If no one was breaking the rules, then there'd be no problem. By that logic, when you shut your doors when going to toilet, you have something to hide, you must be doing something wrong. Why not let the well meaning authorities have cameras in your bathroom and your bedroom if you have nothing to hide? Why not let whole neighborhood watch you on the monitors as well? You are not breaking any rules, so why not?

Re:No Technical Details To Be Found?

[regen]

I know TCP/IP fairly well, and this doesn't make sense to me. I want to establish a TCP connection to another host (packets are going both ways), so how can I stay anonymous when the remote host needs to send packets back to me? It has to go from router A, to router B, etc and then back to my computer.

You may know TCP/IP fairly well, but you don't know cryptography very well. It is possible for two parties to agree on a common random value without exchanging that value. This is the basic idea put forth in the Diffie-Hellman Key Exchange. Once you have a random number known to the two parties trying to communicate and no one else, you can use that number as an address to route the packets through the network. I don't know if this is what the research group has in mind but it is a possibility. Yes, there are some problems with this system, in particular the initial key exchange is not anonymous, but this makes it much harder to trace the actually data transfer.

The other thing too keep in mind is this: no matter what protocol you're using over the Internet, you can find out where the packets are coming from and going to. This includes ssh (Secure Shell), tunneling, normal TCP/UDP connections and even spoofed packets. This is done by running sniffers on each interface on a router (starting with the target that's being DoSed or whatever) and seeing which interface these packets came in on. You find out what that interface is connected to and start sniffing there. Repeat this process enough times, and you'll find out the source and destination of any packet.

In theory this will work, but once you cross an administrative domain, i.e. from one ISP's network to another ISP's network, you will find that they are so willing to co-operate. Read Cliff Stoll's Cuckoo's Egg for a real world example. It took him over two years to track someone, not because of technical problems, but because of adminstrative problems.

A company I used to work for had three different operating units with three different data centers in one building. To set up sniffers on the networks took two weeks of meeting and getting sign-off from data-center managers, since the managers didn't want their networks touched unless it was to fix a production problem in their network.

W00-H00!

[Johnny+Starrock]

Now no one can trace my mad fr1st postering sk1llz!!

B0mb-0mb hax0ring instructions are as follows:

Oh crap... forgot to czeck "Post Anonymously"

No Technical Details To Be Found?

[n3rd]

This looks like a good cause, but the first thing I noticed is there aren't any technical details to be found, from links on the page referenced, or even in the mailing list archives.

The other thing that makes me wonder is "how can this thing actually work?".

I know TCP/IP fairly well, and this doesn't make sense to me. I want to establish a TCP connection to another host (packets are going both ways), so how can I stay anonymous when the remote host needs to send packets back to me? It has to go from router A, to router B, etc and then back to my computer.

The only way around this issue is if a proxy is used, and I don't think this will work because someone has to provide massive amounts of bandwidth for these anonymous connections, and whoever is in control (or can gain control) of the proxy server would see everything.

The other thing too keep in mind is this: no matter what protocol you're using over the Internet, you can find out where the packets are coming from and going to. This includes ssh (Secure Shell), tunneling, normal TCP/UDP connections and even spoofed packets. This is done by running sniffers on each interface on a router (starting with the target that's being DoSed or whatever) and seeing which interface these packets came in on. You find out what that interface is connected to and start sniffing there. Repeat this process enough times, and you'll find out the source and destination of any packet.