How to prevent blocking ALL IPs of safenet?

So it occurred to me the other day that it’s pretty trivial to find out all IP addresses of the network, given enough requests even in Kademlia DHT.

And then some agency can block all of them.

How to prevent something like that? The way I see it, the only three ways are:

  1. Having people host nodes on the same computers as servers people would hate to go offline, e.g. Amazon or Google or Netflix

  2. Having darknets which don’t reveal IP addresses

  3. Having mesh networks which don’t obey blocking rules

If a nation state simply tells ISPs to block IP addresses how will the nodes talk to each other?

How so? That would require at least one node in each section, or to be all the relay nodes.

You do know the IP address is removed on each hop,

If the network is large then blocking all those IP addresses means that people no longer have internet access and they will complain. Clients and nodes exhibit similar network patterns unless the client does little communicating.

This has been discussed before and is a central point of anonymity in the network. The packets also look similar to normal https traffic or other encrypted packets.

1 Like

That doesn’t follow. Even if the network is large then blocking it doesn’t necessarily shut off the whole internet. All your nodes for example are currently hosted in one place. And later they will be hosted on many machines — but even blocking them all won’t affect most services for anyone unless condition #1 above is met.

To block a person running SAFE on their computer then that computer’s IP address has to be blocked.

SAFE uses multiple ports including port 80 & 443 so yes you have to block every user’s IP address if that user uses SAFE.

Both clients and nodes will appear like any other normal encrypted traffic. So it’s unlikely they will know a user is running SAFE; they may suspect but not know for sure. Then to block SAFE they need to block the ports SAFE runs on, on each IP address they suspect is running SAFE. Since SAFE uses any port# including 80 & 443, they have to totally block the IP address.

So now if 20% of the world’s internet connections have at least one client or Node behind the home router, then they have to block that home’s IP address. And in this case that would be 20% of the population complaining they cannot get internet access.

2 Likes

People have been easily bypassing that in Russia (and other countries enforcing censorship, perhaps) using VPNs for quite some time. This is also stated further down that article:

Despite the ban, we haven’t seen a significant drop in user engagement so far, since Russians tend to bypass the ban with VPNs and proxies,

Further, nodes in SAFE have random ports and if they go offline and come up again (because of relocation or just going offline) they will most likely have new ports or even IPs in many cases (DHCP changes or different NICs etc.).

3 Likes

But that’s because it’s only the beginning. Russia is far behind China in their capabilities. In China, running a VPN is illegal, and now it is in Russia, too. I am saying that with so many powers at their disposal, you’re going to need either 1, 2 or 3. It sounds like you have a very robust #1.

1 Like

You also seem to be ignoring that to block SAFE on a home computer (client OR node) they have to block the whole IP address, because SAFE will use whatever port is available, including ports 80 and 443, which are used for http://www and https://www.

This means the governments would be blocking the home users from the internet as well. And they cannot do that without slowly closing down the internet in their country.

So your options 1, 2 and 3 are not addressing the real power of the SAFE protocol. Yes, #1 would also work, but a country like Russia cannot block whole portions of their home users without economic disaster.

If you’re envisioning the SAFE network servers running on home computers, then you run into serious issues due to NAT:

https://www.scuttlebutt.nz/stories/design-challenge-avoid-centralization-and-singletons.html

Even recent demos of IPFS use centralized STUN servers at Mozilla for WebRTC. It’s not an easy problem and you’re going to have servers out on the internet. Blocking those won’t block home users from anything.

And secondly, HTTP and HTTPS traffic etc. look very different than SAFE. You aren’t using steganography and tunneling through HTTPS as far as I know. In any case, fingerprinting and avoiding fingerprinting is an arms race and it’s not so simple to win it. So the SAFE network can’t simply avoid being fingerprinted by being “encrypted”.

1 Like

Have you not heard that SAFE will do NAT traversal? That is a part of the protocol. This is essential for NODEs to run from home. It’s not talked about much since it’s been a design feature for a long time. Yes, there are difficulties, but it’s either done or mostly done.

The protocol being used for sending packets across the internet is designed to make the packets look like other encrypted packets. Also, if you are sending to port 443 then yes, it will look like an https encrypted packet. And it’s been stated that if needed, other methods like tunnelling or masquerading as other protocols can and will be incorporated. This module can be changed without affecting the layers above it.

Do a search on NAT traversal and you should find some interesting discussions.

Maybe @ustulation can comment on the state of NAT traversal

The goal is to go through the GFW without being detected.

Of course NAT traversal can be bypassed by using UPnP in the router. So home nodes are always possible.

Oh, and also by trying to block SAFE they also have to block the clients, since the authorities could not be sure if they are also a NODE or not. Remember the NODES are not servers. They are simply sending and receiving packets, just like clients are. You might have a confidence level that a client is not a node, but they cannot be sure. So they would have to block clients too, and that means blocking every port on the home IP address. Then you get the issue of slowly shutting down the internet as the home users’ DHCP changes IP addresses every so often.

1 Like

They don’t need to make the great firewall watertight to cause disruption and prevent mass adoption, so we should look into this. If they can prevent mass adoption by making the service unreliable, or so people learn that if they access SAFE they will lose access to the net for a few days (i.e. temporary blocks), that could have a dramatic impact on most people’s interest in and willingness to use SAFE.

I don’t think we should take threats which are easy to circumvent by a few as insignificant, because we aren’t trying to be Tor (a lifeline for a few) but a new Internet for everyone that is all but immune to blocking by governments.

The best defence against this IMO is to become too useful to block - i.e. vital to the security of not just individuals but business, civic entities and governments themselves. That won’t happen overnight, so we may have to accept that parts of the world will wall themselves off from SAFE, but at a cost to their society. A bit like North Korea and the Internet.

China is an example to watch - does it serve them to wall themselves off from the rest of the world’s information, ideas and decentralised social innovations? So in time it may be the positive innovations of SAFE that will undermine those strategies, and those walls would eventually crumble from the inside.

Perhaps we won’t need to solve this problem, so long as enough of the world is not blocked in this way, which is not a given of course. So we do need to think about it and try to avoid this as best we can, while also growing the positives which add to the cost of cutting a country off from the benefits. Which is a similar argument to that which I quoted from @neo at the top!

3 Likes

It might be announced as illegal, but everyone I know of from China (and I know a lot, as many of my folks live around the Indo-China border, also Tibetans who suffer far more serious promulgation of censorship laws) uses a VPN, and I don’t think they took permission from the Govt to do so. IMO (or rather in my experience) nothing depends on the law, but on the degree of enforcement of it. Anyway, it’s a subjective debate at that point and, as pointed out by others, if the country (Govt) absolutely does not want you to do something, well then… you can’t. What if it changes blacklisting to white-listing (would N Korea fall into this category)? That’ll probably be game-over in that country, IDK.

It’s done and published - minor improvements are on-going but that’s just perennial; it’s integrated into crust and only cross-crate testing remains. That lib underwent a major refactor switching to tokio, but it was in fully working condition even before that as far as functionality was concerned.

2 Likes

Newbie here. I’ve not studied the SAFE routing methods yet, but if most files are broken into 1 MB chunks, might that regularized chunk-size (once packetized) become a recognizable-to-NSA-etc feature of SAFE traffic, after which ISPs could then attempt to selectively block it using DPI/filters, whenever the traffic passes through a repressive jurisdiction? I hope that’s been thought of. Another (of many) fascinating project, principles of which might be a contribution here, is the Phantom Protocol (see https://lwn.net/Articles/446623/ “Phantom: Decentralized anonymous networking” and http://www.magnusbrading.com/phantom/phantom-design-paper.pdf “Generic, Decentralized, Unstoppable Anonymity: The Phantom Protocol”), etc.

SAFE may have already studied such and covered these bases, but if not, there’s an idea.