AnoNet
anoNet is a decentralized friend-to-friend network built using VPNs and software BGP routers. anoNet works by making it difficult to learn the identities of others on the network, allowing them to anonymously host IPv4 and IPv6 services.
Motivation
Implementing an anonymous network on a service-by-service basis has its drawbacks, and it is debatable whether such work should be built at the application layer. A simpler approach could be to design an IPv4/IPv6 network whose participants enjoy strong anonymity. Doing so allows the use of any number of applications and services already written and available on the internet at large.
IPv4 networks do not preclude anonymity by design; it is only necessary to decouple the identity of the owner of an IP address from the address itself. Commercial internet connectivity and its need for billing records make this impossible, but private IPv4 networks do not share that requirement. Assuming that a router administrator on such a metanet knows only information about the adjacent routers, standard routing protocols can take care of finding the proper path for a packet to take to reach its destination. All destinations further than one hop can, for most people's threat models, be considered anonymous, because only your immediate peers know your IP. Anyone not directly connected to you knows you only by an IP in the 1.0.0.0/8 range, and that IP is not necessarily tied to any identifiable information.
anoNet is pseudonymous
Everyone can build a profile of an anoNet IP address: what kind of documents it publishes or requests, in which language, about which countries or towns, etc. If this IP ever publishes a document that can lead to its owner's identity, then all other documents ever published or requested can be tied to this identity. Unlike some other friend-to-friend (F2F) programs, there is no automatic forwarding in anoNet that hides the IP of a node from all nodes that are not directly connected to it.
However, all existing F2F programs can be used inside anoNet, making it harder to detect that someone uses one of these F2F programs (only a VPN connection can be seen from the outside, but traffic analysis remains possible).
Architecture
Since running fiber to distant hosts is prohibitively costly for the volunteer nature of such a network, the network uses off-the-shelf VPN software for both router-to-router and router-to-user links. This offers other advantages as well, such as invulnerability to external eavesdropping and no need for unusual software that might alert those interested in who is participating.
To avoid addressing conflicts with the internet itself, the range 1.0.0.0/8 is used. This avoids conflicting with internal networks such as 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, as well as assigned Internet ranges. In January 2010 IANA allocated 1.0.0.0/8 to APNIC. If the service does not switch to another IPv4 address range or to IPv6, then Internet hosts using 1.0.0.0/8 will be inaccessible to AnoNet users. Until then AnoNet clients will participate in ~160 Mbit/s pollution of the 1.0.0.0/8 space.
The network itself is not arranged in any regular, repeating pattern of routers, although redundant (>1) links are desired. This makes it more decentralized and reduces choke points, and the use of BGP allows for redundancy.
Suitable VPN choices are available, if not numerous. Any robust IPsec package is acceptable, such as FreeSWAN or Greenbow. Non-IPsec solutions also exist, such as OpenVPN and SSH tunneling. There is no requirement for a homogeneous network; each link could in fact use a different VPN daemon.
Goals
One of the primary goals of anoNet is to protect its participants' rights of speech and expression, especially those that have come under attack of late. Some examples of what might be protected by anoNet include:
- Fan fiction
- DeCSS
- Criticisms of electronic voting machines
- Bnetd and similar software
- Song of the South and other films of historical interest unavailable due to political controversy
How it works
It is impossible on the Internet to communicate with another host without knowing its IP address. Thus anoNet accepts that you will be known to your peer, along with the subnet mask used for communicating with them. The routing protocol, BGP, allows any node to advertise any routes it likes, and this seemingly chaotic method is what provides users with anonymity. Once a node advertises a new route, it is hard for anyone else to determine whether it is a route to another machine in another country via VPN, or just a dummy interface on that user's machine.
It is possible that certain analysis could be used to determine whether the subnet is remote (as in another country) or local (as in either a dummy interface or a machine connected via Ethernet). These include TCP timestamps, ping times, OS identification, user agents, and traffic analysis. Most of these can be mitigated through action on the user's part.
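To make the route-advertisement argument concrete, here is an added toy simulation of BGP-style path-vector propagation (not anoNet's code or any real router's); the nodes A, B and X, their peerings and the 1.0.x.0/24 prefixes are constructed sample values. It shows that a non-adjacent node B receives the identical route for 1.0.77.0/24 whether X is a real VPN peer of A or a dummy interface on A announced behind a made-up ASN.

```python
"""Added toy path-vector (BGP-style) propagation model for the argument
above; not anoNet's code, and all ASNs, links and prefixes are constructed."""
from collections import deque

def propagate(peers, announcements):
    """peers: {asn: set of adjacent asns} (the VPN links). announcements:
    (asn, prefix, as_path) tuples a node injects into its own table: [] for
    a genuine origin, [made_up_asn] for a dummy interface hidden behind it.
    Returns rib[asn][prefix] = AS path seen from that node (shortest wins)."""
    rib = {asn: {} for asn in peers}
    for asn, prefix, path in announcements:
        queue = deque([(asn, path)])
        while queue:
            node, seen_path = queue.popleft()
            if prefix in rib[node]:
                continue  # already holds a path at least as short
            rib[node][prefix] = seen_path
            for neighbour in peers[node]:
                if neighbour not in seen_path:  # BGP loop prevention
                    queue.append((neighbour, [node] + seen_path))
    return rib

def view_from(rib, observer):
    """What a node learns about each prefix: only the AS path, never the
    VPN endpoint addresses of anyone but its own direct peers."""
    return {prefix: tuple(path) for prefix, path in rib[observer].items()}

# Case 1: X is a real remote node reached over A's VPN link.
REMOTE_PEERS = {"B": {"A"}, "A": {"B", "X"}, "X": {"A"}}
REMOTE_ANNOUNCE = [("B", "1.0.1.0/24", []), ("A", "1.0.2.0/24", []),
                   ("X", "1.0.77.0/24", [])]

# Case 2: no node X exists; A binds 1.0.77.0/24 to a dummy interface and
# advertises it behind the made-up ASN "X".
DUMMY_PEERS = {"B": {"A"}, "A": {"B"}}
DUMMY_ANNOUNCE = [("B", "1.0.1.0/24", []), ("A", "1.0.2.0/24", []),
                  ("A", "1.0.77.0/24", ["X"])]

def observer_views():
    """B's view of 1.0.77.0/24 in both cases. Identical paths mean B cannot
    tell a remote VPN peer of A from a dummy interface on A itself."""
    remote = view_from(propagate(REMOTE_PEERS, REMOTE_ANNOUNCE), "B")
    dummy = view_from(propagate(DUMMY_PEERS, DUMMY_ANNOUNCE), "B")
    return remote["1.0.77.0/24"], dummy["1.0.77.0/24"]

if __name__ == "__main__":
    print(observer_views())  # (('A', 'X'), ('A', 'X'))
```

The AS path still carries the originating ASN, which is exactly the pseudonym that the section on anoNet being pseudonymous warns can be profiled over time.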
Scaling
There are 65536 ASNs available in BGP v4. Long before anoNet reaches that number of routers, the network will have to be split into OSPF clouds, switched to a completely different routing protocol, or have its BGP implementation changed to use a 32-bit integer for ASNs, as the rest of the Internet will do now that 32-bit AS numbers are standardised.
There are also only 65536 /24 subnets in the 1.0.0.0/8 subnet. This would be easier to overcome by adding a new unused /8 subnet, if there were any.
Security concerns
Since there is no identifiable information tied to a user of anoNet, one might assume that the network would drop into complete chaos. Unlike other anonymous networks, on anoNet if a particular router or user is causing a problem it is easy to block them with a firewall. In the event that they are affecting the entire network, their peers would drop their tunnel.
With the chaotic nature of random addressing, it is not necessary to hide link IP addresses; these are already known. If, however, a user wants to run services or participate in discussions anonymously, he can advertise a new route and bind his services or clients to the new IP addresses.
See also
- Freenet
- GNUnet
- IIP
- I2P
- Mute-Net
- Crypto-anarchism
- DarkNET Conglomeration
External links
- http://anonet.org/ "Official" homepage of anoNet
- http://wiki.ucis.nl/Anonet Another informative page (including information on connecting)
- http://www.anonet2.org/ AnoNet2, a fork of AnoNet with slightly different rules