summaryrefslogtreecommitdiff
path: root/doc/design-paper/challenges.tex
diff options
context:
space:
mode:
authorRoger Dingledine <arma@torproject.org>2005-01-31 09:09:15 +0000
committerRoger Dingledine <arma@torproject.org>2005-01-31 09:09:15 +0000
commitf80734d590f89599b779cc05f4020a6b47b46c37 (patch)
tree12815a09caf2d32c90be82986daa164288784c11 /doc/design-paper/challenges.tex
parent2fa4b77735a09975a9d252f3904508966142ba9a (diff)
downloadtor-f80734d590f89599b779cc05f4020a6b47b46c37.tar.gz
tor-f80734d590f89599b779cc05f4020a6b47b46c37.zip
clean up our references some more
svn:r3483
Diffstat (limited to 'doc/design-paper/challenges.tex')
-rw-r--r--doc/design-paper/challenges.tex23
1 files changed, 12 insertions, 11 deletions
diff --git a/doc/design-paper/challenges.tex b/doc/design-paper/challenges.tex
index d5e6b9a032..043f684b05 100644
--- a/doc/design-paper/challenges.tex
+++ b/doc/design-paper/challenges.tex
@@ -159,7 +159,7 @@ SOCKS (see section \ref{subsec:tcp-vs-ip}).
Tor differs from other deployed systems for traffic analysis resistance
in its security and flexibility. Mix networks such as
-Mixmaster~\cite{mixmaster} or its successor Mixminion~\cite{minion-design}
+Mixmaster~\cite{mixmaster-spec} or its successor Mixminion~\cite{minion-design}
gain the highest degrees of anonymity at the expense of introducing highly
variable delays, thus making them unsuitable for applications such as web
browsing that require quick response times. Commercial single-hop
@@ -206,7 +206,7 @@ Tor is not the only anonymity system that aims to be practical and useful.
Commercial single-hop proxies~\cite{anonymizer}, as well as unsecured
open proxies around the Internet~\cite{open-proxies}, can provide good
performance and some security against a weaker attacker. Dresden's Java
-Anon Proxy~\cite{jap} provides similar functionality to Tor but only
+Anon Proxy~\cite{web-mix} provides similar functionality to Tor but only
handles web browsing rather than arbitrary TCP. Also, JAP's network
topology uses cascades (fixed routes through the network); since without
end-to-end padding it is just as vulnerable as Tor to end-to-end timing
@@ -219,8 +219,8 @@ that it could transport arbitrary IP packets, and it also supported
pseudonymous access rather than just anonymous access; but it had
a different approach to sustainability (collecting money from users
and paying ISPs to run servers), and has shut down due to financial
-load. Finally, more scalable designs like Tarzan~\cite{tarzan} and
-MorphMix~\cite{morphmix} have been proposed in the literature, but
+load. Finally, more scalable designs like Tarzan~\cite{tarzan:ccs02} and
+MorphMix~\cite{morphmix:fc04} have been proposed in the literature, but
have not yet been fielded. We direct the interested reader to Section
2 of~\cite{tor-design} for a more indepth review of related work.
@@ -531,7 +531,7 @@ approach that can provide security despite
packet loss and out-of-order delivery. Freedom allegedly had one, but it was
never publicly specified, and we believe it's likely vulnerable to tagging
attacks \cite{tor-design}. Also, TLS over UDP is not implemented or even
-specified, though some early work has begun on that \cite{ben-tls-udp}.
+specified, though some early work has begun on that \cite{dtls}.
\item \emph{We'll still need to tune network parameters}. Since the above
encryption system will likely need sequence numbers and maybe more to do
replay detection, handle duplicate frames, etc, we will be reimplementing
@@ -593,11 +593,11 @@ granularity. If servers forward these chunks in roughly synchronous
fashion, it will increase the similarity of data stream timing
signatures. By experimenting with the granularity of data chunks and
of synchronization we can attempt once again to optimize for both
-usability and anonymity. Unlike in \cite{sync-batch}, it may be
+usability and anonymity. Unlike in \cite{sync-batching}, it may be
impractical to synchronize on network batches by dropping chunks from
a batch that arrive late at a given node---unless Tor moves away from
stream processing to a more loss-tolerant processing of traffic (cf.\
-section~\ref{subsec:stream-vs-packet}). In other words, there would
+Section~\ref{subsec:stream-vs-packet}). In other words, there would
probably be no direct attempt to synchronize on batches of data
entering the Tor network at the same time. Rather, it is the link
level batching that will add noise to the traffic patterns exiting the
@@ -918,6 +918,7 @@ style doesn't work because we don't want just *one* path. Point to
Geoff's stuff.
\subsection{Location diversity and ISP-class adversaries}
+\label{subsec:routing-zones}
Anonymity networks have long relied on diversity of node location for
protection against attacks---typically an adversary who can observe a
@@ -930,7 +931,7 @@ distributed trust to spread each transaction over multiple jurisdictions.
But how do we decide whether two nodes are in related locations?
Feamster and Dingledine defined a \emph{location diversity} metric
-in \cite{routing-zones}, and began investigating a variant of location
+in \cite{feamster:wpes2004}, and began investigating a variant of location
diversity based on the fact that the Internet is divided into thousands of
independently operated networks called {\em autonomous systems} (ASes).
The key insight from this paper is that while we typically think of a
@@ -954,8 +955,8 @@ Many open questions remain. First, it will be an immense engineering
challenge to get an entire BGP routing table to each Tor client, or at
least summarize it sufficiently. Without a local copy, clients won't be
able to safely predict what ASes will be traversed on the various paths
-through the Tor network to the final destination. Tarzan~\cite{tarzan}
-and MorphMix~\cite{morphmix} suggest that we compare IP prefixes to
+through the Tor network to the final destination. Tarzan~\cite{tarzan:ccs02}
+and MorphMix~\cite{morphmix:fc04} suggest that we compare IP prefixes to
determine location diversity; but the above paper showed that in practice
many of the Mixmaster nodes that share a single AS have entirely different
IP prefixes. When the network has scaled to thousands of nodes, does IP
@@ -1011,7 +1012,7 @@ addresses (or having them donated), abandoning old addresses as they are
anonymizing networks again have an advantage here, in that we already
have tens of thousands of separate IP addresses whose users might
volunteer to provide this service since they've already installed and use
-the software for their own privacy~\cite{koepsell-wpes2004}. Because
+the software for their own privacy~\cite{koepsell:wpes2004}. Because
the Tor protocol separates routing from network discovery (see Section
\ref{do-we-discuss-this?}), volunteers could configure their Tor clients
to generate server descriptors and send them to a special directory