[Freedombox-discuss] Distributed Naming BOF Questions

mirsal mirsal at mirsal.fr
Fri Aug 5 09:17:25 UTC 2011 

Hi !

On Fri, 2011-08-05 at 13:24 +1000, John Walsh wrote:
> > I agree it's a good idea to be able to use the existing DNS 
> > for ease of transition; that doesn't mean that i think the 
> > existing DNS is decentralized :(
> I think now, "decentralised" was a poor choice of words because it can mean
> different things to so many people, but that's the FBX Foundations words not
> mine. My step towards decentralisation meant moving from
> username at facebook.com to username at mydomain.tld, while your step is even
> further ;)
> 
> > If any of these operators can be compromised, they can take 
> > control of the name that you thought you owned.  So it's not 
> > just a single point of failure; for any domain in today's 
> > DNS, there are potentially multiple parties capable of acting 
> > as an SPOF for a powerful adversary to target.
> If, the FBX does issue domain names it could reduce the attack surface by
> picking a single TLD 

> > Note also that DNS (as it is actually used these days) is 
> > even more vulnerable than the description above, due to lack 
> > of cryptographic authentication.  With DNSSEC in use, 
> > problems with network-based attackrs are limited, but the 
> > vulnerabilities to centralized pressure from powerful 
> > adversaries (those outlined above) remain.  But DNSSECC is 
> > not used effectively by the vast majority of all hosts on the 
> > global network (you'd need cryptographic authentication in 
> > your local machine's resolver for that)
> Again if the FBX does issue domain names can't the foundation pick a host
> that uses DNSSEC effectively, or does every host have to use DNSSEC for it
> to be effective?
> I am just trying to see can we minimise the risks within the existing
> system.
> 
> > 
> > > On a related note, there have been a lot of discussions on 
> > this list 
> > > about "darknet". I have read Wikipedia and I am still confused. If, 
> > > FBX were to use darknet, do I lose contact with my friends 
> > on the DNS 
> > > system. My only wish is that whatever FBX naming scheme is 
> > chosen that 
> > > I will always be contactable without having to change my contact 
> > > address
> > 
> > I have yet to hear any concrete proposals for a "darknet" on this list
> > -- and note that wikipedia [0] provides multiple definitions; 
> > reachable/unreachable, private/public, etc.  Perhaps the 
> > folks using the term on this list would like to make it clear 
> > at least what they think the advantages and goals of a 
> > "darknet" would be?  Without some kind of explicit statement 
> > of intent, it's pretty hard to evaluate the proposals.
> Thanks for confirming there are currently no concrete proposals for an FBX
> "darknet".
> 
> > 
> > fwiw, i agree with you that it would be silly to create a 
> > system that requires you to lose contact with your friends.  
> > However, it would also be silly to make a device that just 
> > feeds your personal data and relationship information back 
> > into the same centralized social gatekeepers many of us are 
> > currently subject to.
> 
> IMHO, I don't think we can stop feeding our personal data and relationship
> information back into the existing system, because unfortunately, we will
> not be able to get *all* our family and friends on an FBX. On the upside
> buying an FBX will help me take back my privacy by having my own email
> server as opposed to using my ISP's email server. Baby steps. To me that is
> so much infinitely better than what I have now, and with respect I think I
> would be silly not to buy such a device ;)

I'd like to share some bits of my experience as a darknet router
operator, as it may be useful to those doing freedombox-related research
on that area.

I should have talked about it at debconf during the Distributed Naming
BoF, though I was at the "debian for shy people" bof for a reason :/

Anyway, I know about 3 IP based darknets in operation today (two of
which having implemented a simple way of managing naming in a
decentralized way):

 - dn42, which stands for decentralized network 42 and is essentially 
         about experimenting with advanced routing and having a very
         large VPN, which interconnects hackerspaces mostly.
         Read about it on http://dn42.net

 - anonet2, which is also very (even more?) decentralized and aims to
            create a censorsip resistant pseudonymous alternate 
            internet. see: http://www.anonet2.org

 - VAnet, which is much more centralized than the above two is trading
          off decentralization for performance. More info on
          http://www.vanet.org/wiki/About_VAnet

These networks use somewhat different approaches for managing naming,
though all of them use the DNS with alternate TLDs, so they are in a way
'compatible' with the regular internet's DNS (ie: they don't conflict).

Those TLDs are not accessible from the regular internet.
Anonet2 has a network of web proxies allowing access to HTTP services
from outside the darknet. Tor hidden services are extensively used for
making non-HTTP services visible from the ICANN internet.

anonet2 and dn42 both use a DVCS to store the data needed to generate
DNS root zones in a decentralized way.
Anonet2 uses git to manage the contents of its root zone, with members
manually pulling from each other's repositories and examining changes (a
few members use regular centralized AXFR zone transfers and rely on a
web based resource claim manager instead)
dn42 uses monotone and changesets are propagated automatically, as
monotone allows for cryptographic authentication.
VAnet's approach is plain simple centralized DNS, with alternate root
zones.

As this thread is about naming, I won't go into more details but those
interested in alternate IP networks should definitely read about those
three ones.

Feel free to ask me more about how this approach to naming works in
practice, or about other subjects relative to darknets (governance,
routing, etc.)

Cheers !

-- 
mirsal

Hello,
We are from the future;
We come in peace.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110805/3aa6ef11/attachment-0001.pgp>

More information about the Freedombox-discuss mailing list