Making Peer-to-Peer Anonymous Routing Resilient to Failures

Yingwu Zhu
Seattle University
http://fac-staff.seattleu.edu/zhuy
IPDPS 2007

Overview
• Background
  – P2P Anonymous Routing
  – Research Problem
  – Current Solutions
• Our Approach
  – Erasure Coding
  – Message and Path Redundancy
  – Wise Choice of Mixes
• Evaluation
  – Experimental Setup
  – Results
• Summary

P2P Anonymous Routing
• Using P2P networks as an anonymizing network to achieve initiator/responder anonymity
• Using peer nodes as mixes or relay nodes to relay messages, tunneling communication for initiators/responders
• Many are based on Onion Routing
  – Layered encryption creates an Onion
  – Multi-hop routing: an anonymous message represented by an Onion goes through a small number of mixes (each strips a layer of the Onion)

P2P Anonymous Routing
• Why appealing?
  – A potentially large anonymity set offered by the open set of peer nodes
  – Sidestep political background and local jurisdiction issues due to the distribution of peer nodes
  – Scalable compared to current static anonymizing networks, which operate a small set of fixed mixes
  – Ideal for hiding anonymous traffic, owing to the communication patterns and the heterogeneity of peer nodes' locations
  – More? ...

P2P Anonymous Routing
• A big challenge: node churn in P2P networks
• Problems
  – Fragile and short-lived paths: node failures disrupt anonymous paths/tunnels
  – Message loss and communication failures
  – Complicates path construction, which is expensive, i.e., it usually incurs costly asymmetric encryption/decryption

Research Problem
• Can we make P2P anonymous routing resilient to node failures?
• We are not alone!
  – Mix-based solutions
  – Multicast-based solutions

Current Solutions
• Mix-based
  – Use a group of peer nodes as a mix to mask single mix node failures
  – The peer nodes in each group share a secret to encrypt/decrypt messages along the path
  – E.g., TAP and Cashmere

Current Solutions
• Multicast-based
  – Initiators and responders join a group
  – Messages are multicast to all group members
  – Cover/noise traffic is used to gain initiator/responder anonymity
  – Bandwidth overhead due to message multicasting and cover traffic
  – E.g., P5, APFS, Hordes

Our Approach
• Based on a simple yet powerful idea
  – Resilience can be achieved by redundancy
• Rely on Onion routing
  – Layered encryption and multi-hop routing
• Techniques employed
  – Message redundancy by erasure coding
  – Path redundancy (coded messages are sent over multiple disjoint paths)
  – Wise choice of peer nodes as mixes in each single path

Erasure Coding
• Widely used in file & storage systems
  – Tradeoff between data availability and storage cost
• Breaks a message M into n coded segments, each of length |M|/m
• m of n segments suffice to reconstruct M
• Redundancy r = n/m

Message and Path Redundancy
• M: original message
• M_i: coded segment of length |M|/m, 1 ≤ i ≤ n
• [Diagram: Bob sends the coded segments M_1, …, M_k, …, M_n to Alice over Onion Routing paths]
• Alice can reconstruct M from the first m coded segments that arrive

Allocation of Coded Segments
• Message M: n coded segments of length |M|/m, redundancy r = n/m
• k disjoint paths from Bob to Alice
• Idea: equally distribute the n segments over the k paths (k ≤ n; assume k is a multiple of r for simplicity)
• $P(k) = P_{\text{success}}(\text{Alice receives } M) = \mathrm{Prob}(\geq k/r \text{ paths succeed in message delivery})$
  – $p = (p_{\text{node\_availability}})^{L}$, where L is the number of nodes in a path
• Goal: maximize P(k) with respect to k and r

Allocation of Coded Segments
• [Figure: guideline to maximize routing resilience under different node availabilities and message redundancy degrees]

Validation of 3 Observations
• [Figure: impact of different values of k on the success of routing under node availabilities of 0.70, 0.86, and 0.95, where L = 3 and r = 2]

Wise Choice of Mixes
• Problem
  – Current mix-based protocols do NOT consider node lifetime when choosing mixes
  – Random selection of mixes
• Our goal
  – Choose nodes that tend to live longer as mixes
  – Improve path durability (prolong path lifetime)
• Challenge
  – Can we predict node lifetime?

Node Lifetime Distribution
• Figure 1: Cumulative dist. of the measured Gnutella node lifetimes compared with a Pareto dist. with α = 0.83 and β = 1560 sec.
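
The allocation rule from the "Allocation of Coded Segments" slide can be evaluated directly as a binomial tail. The following Python sketch is an added example, not code from the talk or the paper; it assumes the k disjoint paths fail independently, and the function names are hypothetical. It goes slightly beyond the slide by sweeping every admissible k up to a chosen k_max.

```python
from math import comb

def path_success(node_availability: float, hops: int) -> float:
    """p = (p_node_availability)^L: a path delivers only if all L mixes are up."""
    return node_availability ** hops

def delivery_probability(k: int, r: int, node_availability: float, hops: int) -> float:
    """P(k) = Prob(at least k/r of the k disjoint paths deliver their segments).

    With n segments spread evenly over k paths, each path carries n/k of them,
    so the m = n/r segments needed for decoding arrive once k/r paths succeed.
    Assumption of this example: paths fail independently of each other.
    """
    if k < r or k % r:
        raise ValueError("k must be a positive multiple of r (the slide's simplification)")
    p = path_success(node_availability, hops)
    needed = k // r
    return sum(comb(k, i) * p**i * (1 - p) ** (k - i) for i in range(needed, k + 1))

def best_k(r: int, node_availability: float, hops: int, k_max: int) -> int:
    """Number of paths (a multiple of r, at most k_max) that maximizes P(k)."""
    return max(range(r, k_max + 1, r),
               key=lambda k: delivery_probability(k, r, node_availability, hops))

def sweep(availabilities, r: int, hops: int, k_max: int) -> dict:
    """P(k) for each availability and each admissible k, rounded for display."""
    return {a: {k: round(delivery_probability(k, r, a, hops), 4)
                for k in range(r, k_max + 1, r)}
            for a in availabilities}

if __name__ == "__main__":
    # Parameters quoted on the validation slide: L = 3, r = 2.
    for a, row in sweep([0.70, 0.86, 0.95], r=2, hops=3, k_max=8).items():
        print(a, row, "best k:", best_k(2, a, 3, 8))
```

With L = 3 and r = 2, an availability of 0.70 gives a per-path success below one half and favours k = 2, while 0.95 favours the largest k tried.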
Wise Choice of Mixes
• Based on the Pareto distribution
  – Prediction: nodes that have stayed a long time tend to stay longer in the system
• Each node gossips the node liveness information it has learned
• Each node seeking anonymity chooses mixes for its anonymous paths based on node liveness prediction

Experimental Setup
• Simulator built from P2psim 3.0 by MIT
• Augment OneHop
  – Membership management is essentially a hierarchical gossip protocol
  – Learn node liveness information
• Node lifetime dist. to simulate churn
  – Pareto
  – Uniform
  – Exponential

Results
• Main results are omitted here.
• Security analysis
  – Similar to Onion Routing
• Please see paper for details

Impact of wise choice of mixes on path durability (the duration that a sender can successfully route messages to a destination over 4 disjoint paths with redundancy degree of 4)
• [Bar chart: path durability improvement (y-axis, 0 to 6) by node lifetime dist. (x-axis: Pareto, Uniform, Exponential)]

Summary
• Strike a balance between routing resilience and bandwidth cost while preserving sender anonymity
• Message redundancy by erasure coding and path redundancy
  – Improve path construction and routing resilience
  – Tolerate up to path failures
• Choice of mixes based on node lifetime prediction
  – Based on Pareto dist.
  – Surprisingly, works very well for other dist. like Uniform and Exponential dist. (significantly better than random selection)
• Bandwidth cost by erasure coding is modest

Questions?
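
The lifetime prediction on the "Wise Choice of Mixes" slides can be made concrete with the Pareto parameters quoted for Figure 1. The following Python sketch is an added example, not code from the talk or the paper; it assumes the classical Pareto form P(T > t) = (β/t)^α for t ≥ β and independent node departures, and the function names and the gossip table are constructed for illustration.

```python
from itertools import combinations
from math import prod
from statistics import mean

ALPHA, BETA = 0.83, 1560.0  # Pareto fit quoted on the slide (BETA in seconds)

def residual_survival(age: float, horizon: float) -> float:
    """P(T > age + horizon | T > age) for a Pareto-distributed lifetime T.

    Assumes P(T > t) = (BETA / t) ** ALPHA for t >= BETA. Ages below BETA lie
    outside the fitted range and are clamped to BETA (a choice of this example).
    """
    a = max(age, BETA)
    return (a / (a + horizon)) ** ALPHA

def path_survival(ages, horizon: float) -> float:
    """A path stays usable only while every mix on it stays up."""
    return prod(residual_survival(a, horizon) for a in ages)

def choose_mixes(uptimes: dict, hops: int) -> list:
    """Pick the `hops` longest-lived nodes: residual survival grows with age."""
    return sorted(uptimes, key=uptimes.get, reverse=True)[:hops]

def random_baseline(uptimes: dict, hops: int, horizon: float) -> float:
    """Expected path survival when the mixes are drawn uniformly at random."""
    return mean(path_survival(c, horizon)
                for c in combinations(uptimes.values(), hops))

# Constructed gossip table: node id -> observed uptime in seconds.
GOSSIPED_UPTIME = {"n1": 900, "n2": 1800, "n3": 3600,
                   "n4": 7200, "n5": 36000, "n6": 86400}

def compare(hops: int = 3, horizon: float = 600.0):
    """Return (chosen mixes, their path survival, random-selection baseline)."""
    mixes = choose_mixes(GOSSIPED_UPTIME, hops)
    chosen = path_survival([GOSSIPED_UPTIME[n] for n in mixes], horizon)
    return mixes, chosen, random_baseline(GOSSIPED_UPTIME, hops, horizon)

if __name__ == "__main__":
    mixes, chosen, baseline = compare()
    print(mixes, round(chosen, 4), round(baseline, 4))
```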