IPDPS 2007 Making Peer-to-Peer Anonymous Routing Resilient to Failures Yingwu Zhu Seattle University

IPDPS 2007 Overview Background –P2P Anonymous Routing –Research Problem –Current Solutions Our Approach –Erasure Coding –Message and Path Redundancy –Wise Choice of Mixes Evaluation –Experimental Setup –Results Summary

IPDPS 2007 P2P Anonymous Routing Using P2P networks as an anonymizing network to achieve initiator/responder anonymity Using peer nodes as mixes or relay nodes to relay messages, tunneling communication for initiators/responders Many are based on Onion Routing –Layered encryption creates an Onion –Multi-hop routing: an anonymous message represented by an Onion goes through a small number of mixes (strip the Onion)

IPDPS 2007 P2P Anonymous Routing Why appealing? –A potentially large anonymity set offered by the open set of peer nodes –Sidestep political background and local jurisdiction issues due to the distribution of peer nodes –Scalable compared to current static anonymizing networks which operate a small set of fixed mixes –Ideal for hiding anonymous traffics due to communication patterns and heterogeneity of peer nodes’ locations –More?...

IPDPS 2007 P2P Anonymous Routing A big challenge: node churn in P2P networks Problems –Fragile and short-lived paths: node failures disrupts anonymous paths/tunnels –Message loss and communication failures –Complicate path construction which is expensive, i.e., usually incurs expensive asymmetric encryption/decryption

IPDPS 2007 Overview Background –P2P Anonymous Routing –Research Problem –Current Solutions Our Approach –Erasure Coding –Message and Path Redundancy –Wise Choice of Mixes Evaluation –Experimental Setup –Results Summary

IPDPS 2007 Research Problem Can we make P2P anonymous routing resilient to node failures? We are not alone! –Mix-base solutions –Multicast-based solutions

IPDPS 2007 Overview Background –P2P Anonymous Routing –Research Problem –Current Solutions Our Approach –Erasure Coding –Message and Path Redundancy –Wise Choice of Mixes Evaluation –Experimental Setup –Results Summary

IPDPS 2007 Current Solutions Mix-based –Use a group of peer nodes as a mix to mask single mix node failures –The peer nodes in each group share secrecy to encrypt/decrypt messages along the path –E.g., TAP and Cashmere

IPDPS 2007 Current Solutions Multicast-based –Initiators and responders join a group –Messages are multicasted to all group members –Cover/noise traffics are used to gain initiator/responder anonymity –Bandwidth overhead due to message multicasting and cover traffics –E.g., P 5, APFS, Hordes

IPDPS 2007 Overview Background –P2P Anonymous Routing –Research Problem –Current Solutions Our Approach –Erasure Coding –Message and Path Redundancy –Wise Choice of Mixes Evaluation –Experimental Setup –Results Summary

IPDPS 2007 Our Approach Based on a simple yet powerful idea –Resilience can be achieved by redundancy Rely on Onion routing –Layered encryption and multi-hop routing Techniques employed –Message redundancy by erasure coding –Path redundancy (coded messages are sent over multiple disjoint paths) –Wise choice of peer nodes as mixes in each single path

IPDPS 2007 Overview Background –P2P Anonymous Routing –Research Problem –Current Solutions Our Approach –Erasure Coding –Message and Path Redundancy –Wise Choice of Mixes Evaluation –Experimental Setup –Results Summary

IPDPS 2007 Erasure Coding Widely used in file & storage systems –Tradeoff between data availability and storage cost Breaks a message M into n coded segments, each of length |M|/m m of n segments suffice to reconstruct M Redundancy r = n/m

IPDPS 2007 Overview Background –P2P Anonymous Routing –Research Problem –Current Solutions Our Approach –Erasure Coding –Message and Path Redundancy –Wise Choice of Mixes Evaluation –Experimental Setup –Results Summary

IPDPS 2007 Message and Path Redundancy … … M1M1 MkMk MnMn M: original message M i : coded segment with length of |M|/m, 1≤ i ≤ n M1M1 MkMk MnMn M1M1 MkMk MnMn … … M1M1 MkMk MnMn Bob Alice Onion Routing Alice can reconstruct M upon the first m arrived coded segments

IPDPS 2007 Allocation of Coded Segments Message M  n coded segments with length of|M|/m, redundancy r = n/m k disjoint paths from Bob to Alice Idea: equally distribute n segments over k paths (k ≤ n, assume k is a multiple of r for simplicity) P(k) = P success (Alice receives M) = Prob(≥k/r paths succeed in message delivery) Goal: maximize P(k) with respect to k and r p = (p node_availability ) L L: # of nodes in a path

IPDPS 2007 Allocation of Coded Segments Guideline to maximize routing resilience upon different node availabilities and message redundancy degrees

IPDPS 2007 Validation of 3 Observations Impact of different k s on success of routing under different node availabilities of 0.70, 0.86, and 0.95, where L = 3 and r = 2.

IPDPS 2007 Overview Background –P2P Anonymous Routing –Research Problem –Current Solutions Our Approach –Erasure Coding –Message and Path Redundancy –Wise Choice of Mixes Evaluation –Experimental Setup –Results Summary

IPDPS 2007 Wise Choice of Mixes Problem –Current mix-based protocols do NOT consider node lifetime when choosing mixes –Random selection in mixes Our goal –Choose nodes that tend to live longer as mixes –Improve path durability (prolong path lifetime) Challenge –Can we predict node lifetime?

IPDPS 2007 Node Lifetime Distribution Figure 1: Cumulative dist. of the measured Gnutella node lifetime dist. compared with a Pareto dist. with α=0.83 and β = 1560 sec.

IPDPS 2007 Wise Choice of Mixes Based on the Pareto distribution –Prediction: Nodes that have stayed a long time tend to stay longer in the system Each node gossips node liveness information they have learned Each node seeking anonymity makes mix choices to construct anonymous paths based on node liveness prediction

IPDPS 2007 Overview Background –P2P Anonymous Routing –Research Problem –Current Solutions Our Approach –Erasure Coding –Message and Path Redundancy –Wise Choice of Mixes Evaluation –Experimental Setup –Results Summary

IPDPS 2007 Experimental Setup Simulator built from P2psim 3.0 by MIT Augment OneHop –Membership management is essentially a hierarchical gossip protocol –Learn node liveness information Node lifetime dist. to simulate churn –Pareto –Uniform –Exponential

IPDPS 2007 Results Main results are omitted here. Security analysis –Similar to Onion Routing Please see paper for details

IPDPS 2007 Impact of wise choice of mixes on path durability (the duration that a sender can successfully route messages to a destination over 4 disjoint paths with redundancy degree of 4)

IPDPS 2007 Overview Background –P2P Anonymous Routing –Research Problem –Current Solutions Our Approach –Erasure Coding –Message and Path Redundancy –Wise Choice of Mixes Evaluation –Experimental Setup –Results Summary

IPDPS 2007 Summary Strike a balance between routing resilience and bandwidth cost while preserving sender anonymity Message redundancy by erasure coding and path redundancy –Improve path construction and routing resilience –Tolerate up to path failures Choice of mixes based on node lifetime prediction –Based on Pareto dist. –Surprisingly, work very well for other dist. like Uniform and Exponential dist. (significantly better than random selection) Bandwidth cost by erasure coding is modest

IPDPS 2007 Questions ?