commit b1f0569a20fa6dc519a1326e2f7af146d32ac8ea
parent 4886651a86127367f7ed89034e29fc386e25c323
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Mon, 17 Mar 2025 11:47:36 +0100
address locality-sensitive concerns in security considerations
Diffstat:
1 file changed, 43 insertions(+), 1 deletion(-)
diff --git a/draft-schanzen-r5n.xml b/draft-schanzen-r5n.xml
@@ -173,7 +173,7 @@
only to trusted participants.
</t>
</section>
- <section numbered="true" toc="default">
+ <section numbered="true" toc="default" anchor="security_model">
<name>Security Model</name>
<t>
We assume that the network is open and thus a fraction of
@@ -3232,6 +3232,48 @@ ComputeOutDegree(REPL_LVL, HOPCOUNT, L2NSE):
possible security downgrades.
</t>
</section>
+ <section>
+ <name>Availability versus security tradeoffs in routing table evictions</name>
+ <t>
+ R<sup>5</sup>N does not implement locality-sensitive as it does not
+ preferentially evict distant nodes (where distance is a metric based
+ on closeness in the physical network).
+ Locality-sensitive routing table eviction may offer performance improvements
+ especially if the local network and its resources can be leveraged
+ more efficiently.
+ Similarly, if requests (and responses) can be contained to the local
+ network, this can offer better privacy.
+ But, this an important security trade-off when choosing network locality over
+ R<sup>5</sup>N's eviction strategy (<xref target="routing_table"/>):
+ "Flash mob"-style attackers that quickly spin up a large number of nodes
+ a target node's proximity are displacing legitimate, benign neighbours.
+ In case of the R<sup>5</sup>N eviction strategy these will likely not
+ degrade the routing table to the same degree because long-lived connections
+ are preferred.
+ This in turn forces an attacker to run their nodes for a long time to run a
+ successful attack.
+ </t>
+ <t>
+ It is important to highlight that in order to address the R<sup>5</sup>N threat
+ and security model (<xref target="security_model"/>), the routing starts with a
+ random walk.
+ Should all nodes implement a locality sensitive eviction strategy, the theoretical
+ effectiveness of this measure would drastically decrease.
+ R<sup>5</sup>N puts security and availability under its threat model, over performance
+ and privacy.
+ </t>
+ <t>
+ It should be noted that any reasonable locality metric will choose nodes
+ that implicitly provide more stable network connections than distant nodes as
+ the probability for network failures grows with physical distance.
+ As a consequence it can be assumed that a locality-sensitive metric and
+ R<sup>5</sup>N's eviction strategy eventually converge into a similar
+ situation where a node primarily maintains a routing table consisting of
+ long-lived and somewhat local connections.
+ </t>
+ </section>
+
+
</section>
<section anchor="iana" numbered="true" toc="default">
<name>IANA Considerations</name>
