making peer-to-peer anonymous routing resilient to failures
DESCRIPTION
Making Peer-to-Peer Anonymous Routing Resilient to Failures. Yingwu Zhu Seattle University http://fac-staff.seattleu.edu/zhuy. Overview. Background P2P Anonymous Routing Research Problem Current Solutions Our Approach Erasure Coding Message and Path Redundancy Wise Choice of Mixes. - PowerPoint PPT PresentationTRANSCRIPT
IPDPS 2007
Making Peer-to-Peer Anonymous Routing Resilient to Failures
Yingwu Zhu
Seattle University
http://fac-staff.seattleu.edu/zhuy
IPDPS 2007
Overview
• Background– P2P Anonymous
Routing– Research Problem– Current Solutions
• Our Approach– Erasure Coding– Message and Path
Redundancy– Wise Choice of Mixes
• Evaluation– Experimental Setup– Results
• Summary
IPDPS 2007
P2P Anonymous Routing
• Using P2P networks as an anonymizing network to achieve initiator/responder anonymity
• Using peer nodes as mixes or relay nodes to relay messages, tunneling communication for initiators/responders
• Many are based on Onion Routing – Layered encryption creates an Onion– Multi-hop routing: an anonymous message
represented by an Onion goes through a small number of mixes (strip the Onion)
IPDPS 2007
P2P Anonymous Routing
• Why appealing?– A potentially large anonymity set offered by the
open set of peer nodes– Sidestep political background and local
jurisdiction issues due to the distribution of peer nodes
– Scalable compared to current static anonymizing networks which operate a small set of fixed mixes
– Ideal for hiding anonymous traffics due to communication patterns and heterogeneity of peer nodes’ locations
– More?...
IPDPS 2007
P2P Anonymous Routing
• A big challenge: node churn in P2P networks
• Problems– Fragile and short-lived paths: node
failures disrupts anonymous paths/tunnels– Message loss and communication failures– Complicate path construction which is
expensive, i.e., usually incurs expensive asymmetric encryption/decryption
IPDPS 2007
Overview
• Background– P2P Anonymous
Routing– Research Problem– Current Solutions
• Our Approach– Erasure Coding– Message and Path
Redundancy– Wise Choice of Mixes
• Evaluation– Experimental Setup– Results
• Summary
IPDPS 2007
Research Problem
• Can we make P2P anonymous routing resilient to node failures?
• We are not alone!– Mix-base solutions– Multicast-based solutions
IPDPS 2007
Overview
• Background– P2P Anonymous
Routing– Research Problem– Current Solutions
• Our Approach– Erasure Coding– Message and Path
Redundancy– Wise Choice of Mixes
• Evaluation– Experimental Setup– Results
• Summary
IPDPS 2007
Current Solutions
• Mix-based– Use a group of peer nodes as a mix to
mask single mix node failures– The peer nodes in each group share
secrecy to encrypt/decrypt messages along the path
– E.g., TAP and Cashmere
IPDPS 2007
Current Solutions
• Multicast-based– Initiators and responders join a group– Messages are multicasted to all group
members– Cover/noise traffics are used to gain
initiator/responder anonymity– Bandwidth overhead due to message
multicasting and cover traffics– E.g., P5, APFS, Hordes
IPDPS 2007
Overview
• Background– P2P Anonymous
Routing– Research Problem– Current Solutions
• Our Approach– Erasure Coding– Message and Path
Redundancy– Wise Choice of Mixes
• Evaluation– Experimental Setup– Results
• Summary
IPDPS 2007
Our Approach
• Based on a simple yet powerful idea– Resilience can be achieved by redundancy
• Rely on Onion routing– Layered encryption and multi-hop routing
• Techniques employed– Message redundancy by erasure coding– Path redundancy (coded messages are sent
over multiple disjoint paths)– Wise choice of peer nodes as mixes in each
single path
IPDPS 2007
Overview
• Background– P2P Anonymous
Routing– Research Problem– Current Solutions
• Our Approach– Erasure Coding– Message and Path
Redundancy– Wise Choice of Mixes
• Evaluation– Experimental Setup– Results
• Summary
IPDPS 2007
Erasure Coding
• Widely used in file & storage systems– Tradeoff between data availability and
storage cost
• Breaks a message M into n coded segments, each of length |M|/m
• m of n segments suffice to reconstruct M
• Redundancy r = n/m
IPDPS 2007
Overview
• Background– P2P Anonymous
Routing– Research Problem– Current Solutions
• Our Approach– Erasure Coding– Message and Path
Redundancy– Wise Choice of Mixes
• Evaluation– Experimental Setup– Results
• Summary
IPDPS 2007
Message and Path Redundancy
……
M1
Mk
Mn
M: original message Mi: coded segment with length of |M|/m, 1≤ i ≤ n
M1
Mk
Mn
M1
Mk
Mn
……
M1
Mk
Mn
Bob Alice
Onion Routing
Alice can reconstruct M upon the first m arrived coded segments
IPDPS 2007
Allocation of Coded Segments
• Message M n coded segments with length of|M|/m, redundancy r = n/m
• k disjoint paths from Bob to Alice• Idea: equally distribute n segments over k paths (k ≤
n, assume k is a multiple of r for simplicity)• P(k) = Psuccess (Alice receives M)
= Prob(≥k/r paths succeed in message delivery)
Goal: maximize P(k) with respect to k and r
p = (pnode_availability)L
L: # of nodes in a path
IPDPS 2007
Allocation of Coded Segments
Guideline to maximize routing resilience upon different node availabilities and message redundancy degrees
IPDPS 2007
Validation of 3 Observations
Impact of different ks on success of routing under different node availabilities of 0.70, 0.86, and 0.95, where L = 3 and r = 2.
IPDPS 2007
Overview
• Background– P2P Anonymous
Routing– Research Problem– Current Solutions
• Our Approach– Erasure Coding– Message and Path
Redundancy– Wise Choice of Mixes
• Evaluation– Experimental Setup– Results
• Summary
IPDPS 2007
Wise Choice of Mixes• Problem
– Current mix-based protocols do NOT consider node lifetime when choosing mixes
– Random selection in mixes• Our goal
– Choose nodes that tend to live longer as mixes
– Improve path durability (prolong path lifetime)
• Challenge– Can we predict node lifetime?
IPDPS 2007
Node Lifetime Distribution
Figure 1: Cumulative dist. of the measured Gnutella node lifetime dist. comparedwith a Pareto dist. with α=0.83 and β = 1560 sec.
IPDPS 2007
Wise Choice of Mixes
• Based on the Pareto distribution– Prediction: Nodes that have stayed a long time
tend to stay longer in the system
• Each node gossips node liveness information they have learned
• Each node seeking anonymity makes mix choices to construct anonymous paths based on node liveness prediction
IPDPS 2007
Overview
• Background– P2P Anonymous
Routing– Research Problem– Current Solutions
• Our Approach– Erasure Coding– Message and Path
Redundancy– Wise Choice of Mixes
• Evaluation– Experimental Setup– Results
• Summary
IPDPS 2007
Experimental Setup
• Simulator built from P2psim 3.0 by MIT• Augment OneHop
– Membership management is essentially a hierarchical gossip protocol
– Learn node liveness information • Node lifetime dist. to simulate churn
– Pareto– Uniform– Exponential
IPDPS 2007
Results
• Main results are omitted here. • Security analysis
– Similar to Onion Routing
• Please see paper for details
IPDPS 2007
Impact of wise choice of mixes on path durability (the duration that a sender can successfully route messages to a destination
over 4 disjoint paths with redundancy degree of 4)
0
1
2
3
4
5
6
Pareto Uniform Exponential
Node lifetime dist.
Pat
h du
rabi
lity
impr
ovem
ent
IPDPS 2007
Overview
• Background– P2P Anonymous
Routing– Research Problem– Current Solutions
• Our Approach– Erasure Coding– Message and Path
Redundancy– Wise Choice of Mixes
• Evaluation– Experimental Setup– Results
• Summary
IPDPS 2007
Summary• Strike a balance between routing resilience
and bandwidth cost while preserving sender anonymity
• Message redundancy by erasure coding and path redundancy– Improve path construction and routing resilience– Tolerate up to path failures
• Choice of mixes based on node lifetime prediction– Based on Pareto dist.– Surprisingly, work very well for other dist. like
Uniform and Exponential dist. (significantly better than random selection)
• Bandwidth cost by erasure coding is modest
IPDPS 2007
Questions ?