why and how to use
onion networking
v3.7 - @alecmuffett 2018
Two things about
the old Internet:
1) in the beginning, all Internet communication was "End-to-End" (E2E)
E2E is a bit like P2P, except that there are only two of you
…if you only have two ends, it's a rope, not a net or mesh
[diagram: A <-> B, A <-> B: direct connections between the two ends]
NO FIREWALLS
NO INTERMEDIARIES
direct connections
no "men in the middle"
no impediments to
communication
it works!
let's not talk about network security in that era…
SECONDLY:
2) …command-names
were embarrassing:
/usr/ucb/finger
$ finger root
PROBABLY VERY BAD TO SAY IN AUSTRALIA
Finger protocol
ran on TCP port 79
(port) 79 + 1 = (port) 80
Coincidence? I don't think so...
create content
content visible to entire network
= personal expression
opportunity
proto-blogging
https://garbagecollected.org/2017/10/24/the-carmack-plan/
proto-flash-animation
glib assertion: E2E networking aids innovation in distributed computing and information sharing, and helped make the internet that we know today
why use onion networking?
• you have a community, or you have an audience

• for some, ability to access content is hampered

• for some, risk of fake websites, credential theft,

or political repercussions for accessing content

• for some, privacy, assurance & trust is paramount
why use onion networking?
• you're building a disintermediated, distributed, E2E tool

• examples: 

• #OnionShare - onionshare.org
• @BriarApp - briarproject.org
• …that IoT home-automation app which you always
wanted to build, but which will suffer from NAT,
firewall, and other security/config issues…
adoption?
https://perfectoid.space
https://blog.cloudflare.com/welcome-hidden-resolver/
Cloudflare
it's not the "dark"
web any more
social value of .onion?
• greater assurance

• facebookcorewwwi.onion => genuine facebook

• greater availability & privacy

• .onion => hard to block/surveil (if sometimes a little flaky)

• fewer digital footprints
• people using onions are perforce using tor browser

• tor browser is generally better at data "hygiene"
tech value of .onion?
<see second half of presentation>
client desktop? mobile?
• Mac / Win / Linux
• tor browser (integrated tor + custom-tuned firefox)

• Android
• orbot (tor) + orfox (browser); orfox has since been superseded by Tor Browser for Android

• iOS
• onion browser (integrated)
My Tor Development Environment
what is .onion?
"the top level domain name for the onion namespace"
what is a namespace?
• namespace is "an address + what it means/looks like"

• ipv4 addresses look like: 192.168.1.1

• ipv6 addresses look like: fe80::226:21ff:fed8:fbc2

• dns addresses look like: www.foo.com

• onion addresses look like: ylzpg2givhwizoep.onion (a 16-character v2 address; v3 addresses are 56 characters)
how do addresses work?
• all these addresses can be typed into a web browser:

• http://192.168.1.1/ - ipv4, supported everywhere

• http://[fe80::226:21ff:fed8:fbc2]/ - ipv6, variable

• http://www.foo.com/ - dns, supported everywhere

• http://ylzpg2givhwizoep.onion/ - needs a Tor browser

• …they all connect you to a remote computer
how is .onion unusual?
• "under the bonnet", an onion is a raw network address

• …just like 192.168.1.1 or fe80::226:21ff:fed8:fbc2

• but: formatted like a traditional dns domain name

• ".onion" looks like ".com" or ".co.uk"

• this means browsers treat the addresses equitably

• including subdomains: www.facebookcorewwwi.onion
"subdomains" on a network address?!?
• yes! this would never work with ipv4 …

• www.192.168.1.1 would not mean anything sensible

• but www.facebookcorewwwi.onion is meaningful to HTTP

• …still means facebookcorewwwi.onion

• …the "www." bit is transported in the Host: header

• thus: standard HTTP/HTML/browser behaviour
how do you choose addresses?
• ipv4 addresses: you take what you are given (eg: DHCP)

• ipv6 addresses: ditto (mostly)
• dns addresses: you choose a name, & register it
• …unless someone beats you to it…

• onion addresses: get a random one, or else "mine" one

• "mining" = generating keypairs until the derived address starts with something memorable (eg: facebookcorewwwi); more mining => "better quality"
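Deriving, checking and "mining" a v3 onion address, as an added example (this is not code from the deck or from Tor). It follows the v3 address format, base32(pubkey || checksum || version) with a two-byte SHA3-256 checksum. Key generation is stubbed with random bytes because the Python standard library has no ed25519, so addresses mined here are format-valid but cannot be served; in real mining you keep the private half of the winning keypair. The checksum is also what makes "if you type the address correctly" meaningful: a typo is rejected before any lookup. One caveat worth carrying away: a memorable prefix is not authentication, since anyone can mine the same prefix, so the whole address must be compared.

```python
"""v3 .onion address derivation, checksum validation and vanity "mining" (added example).

  onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
  CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
  VERSION       = 0x03
Key material is a stand-in: see random_pubkey_stub().
"""
import base64
import hashlib
import os
from typing import Callable, Optional, Tuple

ONION_V3_VERSION = b"\x03"
ONION_V3_ADDRESS_LEN = 56          # base32 of 32 + 2 + 1 bytes; no padding needed
BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that guards the address against typos."""
    h = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION)
    return h.digest()[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the 56-character .onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> Optional[bytes]:
    """Return the embedded public key for a well-formed v3 address, else None.

    A single mistyped character almost always breaks the checksum, so a client
    can reject the name before asking the HSDir ring for a descriptor. Leading
    labels such as "www." are tolerated: they travel in the HTTP Host: header
    and are not part of the network address.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    host = host.rsplit(".", 1)[-1]          # drop any subdomain label(s)
    if len(host) != ONION_V3_ADDRESS_LEN:   # also rejects 16-char v2 names
        return None
    try:
        raw = base64.b32decode(host.upper())
    except ValueError:                      # non-base32 character
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION or checksum != onion_v3_checksum(pubkey):
        return None
    return pubkey


def random_pubkey_stub() -> bytes:
    """Stand-in for ed25519 key generation (the stdlib has none): 32 random bytes.

    Real mining generates a keypair per attempt and keeps the private half of
    the winner; addresses produced from this stub cannot be served.
    """
    return os.urandom(32)


def mine_vanity_address(prefix: str, pubkey_source: Callable[[], bytes] = random_pubkey_stub,
                        max_attempts: int = 1000000) -> Optional[Tuple[bytes, str]]:
    """Generate keys until the address starts with `prefix`; None if the budget runs out.

    Each extra prefix character multiplies the expected work by 32, which is why
    the v2-era facebookcorewwwi cost serious CPU. A prefix is not proof of
    identity: an attacker can mine the same prefix, so compare the whole address.
    """
    prefix = prefix.lower()
    if not prefix or any(c not in BASE32_ALPHABET for c in prefix):
        raise ValueError("prefix must be non-empty base32 (a-z, 2-7)")
    for _ in range(max_attempts):
        pubkey = pubkey_source()
        address = onion_v3_address(pubkey)
        if address.startswith(prefix):
            return pubkey, address
    return None
```

Every v3 address ends in "d" because the final base32 character encodes the version byte 0x03; a name of the right length that ends in anything else is not a v3 onion at all, and parse_onion_v3 rejects it before touching the checksum.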
how does it work?

Server: /etc/tor/torrc

HiddenServiceDir /var/lib/tor/onion-1
# => random onion address in "hostname" file
HiddenServicePort 22 127.0.0.1:22
# HiddenServicePort <software-defined listener port number> <what it forwards to>

Client: ~/.ssh/config

Host my-onion
HostName xxxxxxxxxxxxxxxx.onion
ProxyCommand nc -x localhost:9150 %h %p
# 9150 => builtin SOCKS5 in local TorBrowser
# (-x is the OpenBSD/macOS netcat "connect through this SOCKS proxy" option)
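What the nc -x line in the ssh_config above does on the wire, as an added example (not Tor's code and not from the deck): a SOCKS5 CONNECT (RFC 1928) that carries the .onion hostname inside the request with ATYP = DOMAINNAME, so Tor does the lookup through the HSDir ring and the name never goes near the DNS. Port 9150 and 127.0.0.1 are taken from the slide; the onion hostname is supplied on the command line, since the deck's own is elided.

```python
"""Connecting to an onion service through Tor's local SOCKS5 port (added example).

The .onion name goes to Tor inside the SOCKS request and is never resolved via DNS.
"""
import socket
import struct
import sys
from typing import Tuple

SOCKS5_VERSION = 0x05
SOCKS5_NO_AUTH = 0x00
SOCKS5_CMD_CONNECT = 0x01
SOCKS5_ATYP_IPV4, SOCKS5_ATYP_DOMAIN, SOCKS5_ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def socks5_greeting() -> bytes:
    """VER, NMETHODS, METHODS: offer only 'no authentication'."""
    return bytes([SOCKS5_VERSION, 0x01, SOCKS5_NO_AUTH])


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT with the hostname inside the request, so the *proxy* resolves it.

    Calling getaddrinfo() on a .onion name would fail (the TLD has no DNS
    records) and, worse, leak the name you were about to visit to your
    resolver and anyone watching it.
    """
    name = host.encode("ascii")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (bytes([SOCKS5_VERSION, SOCKS5_CMD_CONNECT, 0x00, SOCKS5_ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_socks5_reply_header(data: bytes) -> Tuple[int, str]:
    """(REP, description) from the first bytes of a reply: VER REP RSV ATYP ..."""
    if len(data) < 4 or data[0] != SOCKS5_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep = data[1]
    return rep, REPLY_TEXT.get(rep, "unknown reply code 0x%02x" % rep)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def connect_via_tor(onion_host: str, port: int, socks_host: str = "127.0.0.1",
                    socks_port: int = 9150, timeout: float = 60.0) -> socket.socket:
    """Return a TCP stream to onion_host:port tunnelled through the local tor.

    9150 is Tor Browser's built-in SOCKS port; a system tor daemon listens on
    9050 by default. Building a rendezvous circuit can take several seconds,
    hence the generous timeout.
    """
    s = socket.create_connection((socks_host, socks_port), timeout=timeout)
    try:
        s.sendall(socks5_greeting())
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS5_VERSION or method != SOCKS5_NO_AUTH:
            raise ConnectionError("proxy rejected unauthenticated SOCKS5")
        s.sendall(socks5_connect_request(onion_host, port))
        head = _recv_exact(s, 4)
        rep, text = parse_socks5_reply_header(head)
        if rep != 0x00:
            raise ConnectionError("CONNECT %s:%d failed: %s" % (onion_host, port, text))
        # drain BND.ADDR/BND.PORT (tor typically answers a zero address for onion targets)
        atyp = head[3]
        if atyp == SOCKS5_ATYP_IPV4:
            _recv_exact(s, 4 + 2)
        elif atyp == SOCKS5_ATYP_IPV6:
            _recv_exact(s, 16 + 2)
        elif atyp == SOCKS5_ATYP_DOMAIN:
            _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        else:
            raise ConnectionError("unexpected ATYP 0x%02x in reply" % atyp)
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    # usage: python this.py <address>.onion [port]   (needs a running Tor Browser or tor)
    target = sys.argv[1]
    tcp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    with connect_via_tor(target, tcp_port) as conn:
        conn.sendall(b"HEAD / HTTP/1.0\r\nHost: " + target.encode("ascii") + b"\r\n\r\n")
        print(conn.recv(4096).decode("latin-1").split("\r\n")[0])
```

The same request builder works for any hostname, which is the "presentation as a SOCKS5 relay" point made later in the deck: the application code is identical whether the target is a .onion or a clearnet name, and only Tor knows the difference.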
how to serve
.onion websites?
3 options…
1. dedicated server
• you have a dedicated web server, and it…

• is configured to know about its onion address

• essentially runs as a standalone service

• perhaps serves duplicate content ?
2. onion-aware CMS
• you have a web server, and it…

• serves content to .com, .co.uk, .in, …

• why not just add yet another domain name?

• tag requests arriving from .onion reverse proxy

• ensure that tagged requests are consistently
responded-to, citing only your onion address(es)
3. onion shim
• you have a web server, and it…

• primarily serves content as (say) nytimes.com

• install a shim between it and the tor reverse proxy…

• shim bidirectionally rewrites requests & responses

• nytimes.com <=> nytimes3xbfgragh.onion
• custom engineering, or EOTK / Enterprise Onion Toolkit

open-source shim for enterprise onions
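A simplified version of the rewriting an onion shim performs, as an added example; this is not EOTK's code. The OnionShim class maps nytimes.com <=> nytimes3xbfgragh.onion (the slide's pair) in both directions, refuses to rewrite hosts that merely contain the name (evilnytimes.com, nytimes.com.evil.example), and audits a response for hosts the map does not cover, which is the "content leakage" the implementation tips warn about. is_onion_request shows the option-2 tagging with a constructed X-Onion-Edge header; that tag is only trustworthy if your clearnet edge strips it from every external request.

```python
"""Hostname rewriting of the kind an onion shim performs (added example, not EOTK).

Option 2: tag requests that arrived via the tor-facing reverse proxy.
Option 3: rewrite hostnames both ways, nytimes.com <=> nytimes3xbfgragh.onion,
and audit responses for hosts the map does not cover (CDNs, trackers, OAuth).
Hostnames other than the slide's pair, and the X-Onion-Edge header, are constructed.
"""
import re
from typing import Dict, Set

ONION_EDGE_HEADER = "X-Onion-Edge"   # constructed name for the tagging header


def is_onion_request(headers: Dict[str, str], marker: str = ONION_EDGE_HEADER) -> bool:
    """Option 2: did this request come in through our onion (tor-facing) proxy?

    The marker is trustworthy only because *our own* onion-side proxy sets it and
    our clearnet edge strips it from every external request. Without that strip a
    clearnet client could forge the header (or send Host: foo.onion) and receive
    onion-tagged responses.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(marker.lower(), "").strip() == "1"


class OnionShim:
    """Option 3: rewrite hostnames between a clearnet site and its onion mirror."""

    def __init__(self, host_map: Dict[str, str]):
        self.clear_to_onion = {c.lower(): o.lower() for c, o in host_map.items()}
        self.onion_to_clear = {o: c for c, o in self.clear_to_onion.items()}
        self._out_re = self._pattern(self.clear_to_onion)
        self._in_re = self._pattern(self.onion_to_clear)

    @staticmethod
    def _pattern(mapping: Dict[str, str]) -> "re.Pattern":
        # A mapped host may carry subdomain labels ("www.", ".") but must be a whole
        # hostname: "evilnytimes.com" and "nytimes.com.evil.example" stay untouched,
        # otherwise an attacker-controlled name could be dressed up to look like ours.
        alts = "|".join(re.escape(h) for h in sorted(mapping, key=len, reverse=True))
        return re.compile(r"(?<![A-Za-z0-9-])((?:[A-Za-z0-9-]+\.)*)(" + alts + r")(?![A-Za-z0-9.-])",
                          re.IGNORECASE)

    @staticmethod
    def _swap(pattern: "re.Pattern", mapping: Dict[str, str], text: str) -> str:
        return pattern.sub(lambda m: m.group(1) + mapping[m.group(2).lower()], text)

    def to_onion(self, text: str) -> str:
        """Response direction: HTML/JSON bodies, Location:, Set-Cookie Domain=, CSP."""
        return self._swap(self._out_re, self.clear_to_onion, text)

    def to_clearnet(self, text: str) -> str:
        """Request direction: Host:, Referer:, Origin: before forwarding upstream."""
        return self._swap(self._in_re, self.onion_to_clear, text)

    def unmapped_hosts(self, body: str) -> Set[str]:
        """Hosts in absolute URLs that would still send the Tor user to the clearnet."""
        known = set(self.clear_to_onion) | set(self.onion_to_clear)
        hosts = {h.lower() for h in re.findall(r"https?://([A-Za-z0-9.-]+)", body)}
        return {h for h in hosts if not any(h == k or h.endswith("." + k) for k in known)}
```

Running unmapped_hosts over a sample of real responses before launch is the cheap way to find the CDN, analytics and OAuth hosts that still need their own onion mapping; anything it lists is a place where a Tor user "wanders off" to the clearnet site.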
examples

(or: implement a blend…)
1. dedicated onion server (eg: various SecureDrop sites)
• use-case dependent, probably involves anonymity

2. onion-aware CMS (eg: Facebook)
• excellent for primarily-dynamically-generated content

• modest engineering, ongoing commitment, can be 100% solution

3. onion shim EOTK (eg: NYT)
• onionifies all content, including static or static/dynamic mix

• minimal/zero engineering, some edge cases, 95..99%+ solution
implementation tips
• don't forget to onionify your CDNs where possible

• try to avoid content-leakage between domains

• accidentally wandering-off to the cleartext/.com site

• e.g. OAuth redirects, tracker embeds…

• use horizontal load-balancing for scale

• free solution: OnionBalance (EOTK supports)

• onions (even via shim) are generally faster for Tor
https nits
• you will probably need to buy a special HTTPS cert

• (CA/Browser Forum rules at the time permitted only EV certificates for .onion names)

• cost: probably from mid $$$ to low $$$$
• plus: associated paperwork & faff

• if you take payments / subscriptions?

• you may want to restrict access to payments over tor?

• payment providers often block tor, this can sometimes
lead to poor user experiences…
TECH?
Onion Networking as a Layer-3 Network
How IP→Ethernet Works
• Server: publishes mapping of IP to MAC address

• Gratuitous ARP → populate ARP tables
• Client: resolves mapping of IP to MAC address

• Checks local ARP table (or makes ARP query)

• Client: issues Ethernet frames to MAC address

• Frames transport packets yielding TCP connections
How Onion→IP Works
• Server: publishes mapping of Onion to IP address (strictly: to its introduction points, i.e. relay IPs; the server's own IP is never published)

• Descriptor Publication → populate HSDir DHT Ring

• Client: resolves mapping of Onion to IP address (again: to the introduction points)

• Checks HSDir DHT Ring (source of truth)

• Client: issues TCP connection to Tor relay

• Connections transport Tor cells yielding Tor circuits
Important Takeaways
1) TCP/IP is the L2
"data-link layer"
of Onionspace
#  OSI Name      Internet             Onion
7  Application   https, ssh, etc…     https, ssh, etc…
6  Presentation  socket*              socks5 proxy
5  Session       tcp/udp socket*      tcp socket via socks5
4  Transport     tcp/udp protocol     tcp circuit
3  Network       packet to IP addr    cell to Onion addr
2  Data Link     frames/MAC/LLC       cells over tcp
1  Physical      bit                  bit
2) Onionspace is E2E
("End-to-End")
Onion-E2E-ness
• NAT/Firewalls are not an issue
• Connections pretend to be direct, local-network TCP.

• Services & Ports are published, not ad-hoc/promiscuous

• Onionspace port-scanning is restricted to services
and ports which are published by the owners:

• HiddenServicePort 44422 localhost:22

• "consent-based networking", cf: NSAPs in X.25 ?
Returning to the disintermediated end-to-end Internet
3) Onionspace is
circuit-switched
Circuit-switchyness
• Long-term circuits between client/server are established

• Traffic tunnels over circuits

• A bit like X.25 Networking
• sometimes circuits break

• but then, so does TCP (i.e.: RST)

• Circuits may carry multiple TCP/IP streams, be reused

• Presentation: as a SOCKS5 relay
4) Rendezvous, not Client-Server
1 server sets up introduction point
2 server publishes descriptor
3 client looks-up descriptor / intro-point
4a client sets up rendez-point
4b client tells server "meet me at rendez-point"
5 data exchanged via circuit via rendez
"Rendezvous", a safer "Client-Server"
[diagram: Server, Client, Introduction Point, Rendezvous Point and the HSDir DHT Ring inside the Tor "Cloud"; arrows 1, 2, 3, 4a, 4b, 5 correspond to the steps above; a firewall sits in front of both client and server]
nb: all connections established "outbound" through the firewall(s); server can live in "enclave"
"Rendezvous" at L7?
• All this is hidden behind SOCKS5 for app presentation

• Your app thinks that it is talking to a TCP/IP stream
• Truth = more complex
5) Introduction points
have redundancy,
transience and
migrate globally,
leading to…
high-availabilityness (H/A)
• DDoS Resistance
• Harder to hit a moving target, key resources "at 1+ remove"

• Built-in "GSLB" (global server load balancing)

• You have little control of where Introduction, or Rendezvous Points
are created, but they are distributed globally
• Servers can be replicated globally, too; flatness = simpler

• "DNSRR" equivalent (DNS Round Robin)

• "OnionBalance" enables recombination of descriptors, shares load
over servers like DSR (direct server return); or full H/A replicas
6) self-authentication
self-authenticatingness
• Onion addresses are literally cryptographically-trustable
layer-3 network addresses

• If you type the address correctly, you are guaranteed to be
communicating with someone who has the private key

• Built-in equivalent of IPsec ESP (encryption) and AH (authentication)

• No PSK hassle

• No CA hassle

• No revocation, no X.509, no OpenSSL, no faff…
7) Internet Separation
BGP-Hijack Resistance
• Tor is an over-the-top meta-network

• It doesn't care what's happening at the IP layer
If you remember one thing:
• Tor "treats censorship as damage, and routes around it"

• literally its raison d'être…

• Tor is actually pretty good at (eventually) routing around
damage of pretty much any kind, nowadays.

• Wasn't the Internet supposed to do this anyway?

• qv: John Gilmore

• Perhaps we got lazy and stopped aiming for that?
The Downsides?
Downside 1: latency, lag, circuit drops
"good enough for the right kinds of workload"
Downside 2: Learning New Stuff
Learning New Stuff
• Tor is not TCP/IP (but feels similar)

• Tor is not an in-kernel network

• userspace daemons with SOCKS5 presentation

• config files, not `ifconfig`

• Tor is evolving

• Just like TCP/IP was in 1992
Example: Wikipedia
[slide image: the entire config file]
experiment works!
Wikipedia Experiment
• Why?

• Short-term test to prove the concept

• Cheap, low resource-usage, borrowed hardware

• Was DoS'd by <some asshole with bots>

• Sustained few-hundreds of hits per second

• Hardly noticeable impact on single quad-core server
summary: why onion?
• build apps, tools, & devices which don't have to fret
about NAT, and which don't need a $$$ central server 

• provide additional access, security & safety opportunities
for your audiences & communities!

• cutting-edge, experimental fun!
and finally: password-protect onion "network interfaces"?
Server: /etc/tor/torrc
[slide image: torrc excerpt; not captured in the text]
…yields: the following hostname file
[slide image: hostname file; not captured in the text]
@alecmuffett

Why and How to use Onion Networking - #EMFCamp2018

  • 1. why and how to use onion networking v3.7 - @alecmuffett 2018
  • 2. Two things about the old Internet:
  • 3. 1) in the beginning, all Internet communication was "End-to-End" (E2E)
  • 4. E2E is a bit like P2P, except that there are only two of you
  • 5. …if you only have two ends, it's a rope, not a net or mesh
  • 7. A B
  • 8. A B
  • 12. no "men in the middle"
  • 15. let's not talk about network security in that era…
  • 19. $ finger root PROBABLY VERY BAD TO SAY IN AUSTRALIA
  • 21. Finger protocol ran on TCP port 79
  • 22. (port) 79 + 1 = (port) 80 Coincidence? I don't think so...
  • 24. content visible to entire network = personal expression opportunity
  • 31. glib assertion: E2E networking aids innovation in distributed computing and information sharing and helped make the internet that we know, today
  • 32. why use onion networking?
    • you have a community, or you have an audience
    • for some, ability to access content is hampered
    • for some, risk of fake websites, credential theft, or political repercussions for accessing content
    • for some, privacy, assurance & trust is paramount
  • 33. why use onion networking?
    • you're building a disintermediated, distributed, E2E tool
    • examples:
      • #OnionShare - onionshare.org
      • @BriarApp - briarproject.org
      • …that IoT home-automation app which you always wanted to build, but which will suffer from NAT, firewall, and other security/config issues…
  • 39. it's not the "dark" web any more
  • 40. social value of .onion?
    • greater assurance
      • facebookcorewwwi.onion => genuine facebook
    • greater availability & privacy
      • .onion => hard to block/surveil (if sometimes a little flaky)
    • fewer digital footprints
      • people using onions are perforce using tor browser
      • tor browser is generally better at data "hygiene"
  • 41. tech value of .onion? <see second half of presentation>
  • 42. client desktop? mobile?
    • Mac / Win / Linux
      • tor browser (integrated tor + custom-tuned firefox)
    • Android
      • orbot (tor) + orfox (browser)
    • iOS
      • onion browser (integrated)
  • 44. My Tor Development Environment
  • 45. what is .onion? "the top level domain name for the onion namespace"
  • 46. what is a namespace?
    • namespace is "an address + what it means/looks like"
    • ipv4 addresses look like: 192.168.1.1
    • ipv6 addresses look like: fe80::226:21ff:fed8:fbc2
    • dns addresses look like: www.foo.com
    • onion addresses look like: ylzpg2givhwizoep.onion
  • 47. how do addresses work?
    • all these addresses can be typed into a web browser:
      • http://192.168.1.1/ - ipv4, supported everywhere
      • http://[fe80::226:21ff:fed8:fbc2]/ - ipv6, variable
      • http://www.foo.com/ - dns, supported everywhere
      • http://ylzpu2givhwizoep.onion/ - needs a Tor browser
    • …they all connect you to a remote computer
  • 48. how is .onion unusual?
    • "under the bonnet", an onion is a raw network address
      • …just like 192.168.1.1 or fe80::226:21ff:fed8:fbc2
    • but: formatted like a traditional dns domain name
      • ".onion" looks like ".com" or ".co.uk"
    • this means browsers treat the addresses equitably
      • including subdomains: www.facebookcorewwwi.onion
  • 49. "subdomains" on a network address?!?
    • yes! this would never work with ipv4 …
      • www.192.168.1.1 would not mean anything sensible
    • but www.facebookcorewwwi.onion is meaningful to HTTP
      • …still means facebookcorewwwi.onion
      • …the "www." bit is transported in the Host: header
      • thus: standard HTTP/HTML/browser behaviour
  • 50. how do you choose addresses?
    • ipv4 addresses: you take what you are given (eg: DHCP)
    • ipv6 addresses: ditto (mostly)
    • dns addresses: you choose a name, & register it
      • …unless someone beats you to it…
    • onion addresses: get a random one, or else "mine" one
      • more mining => "better quality"
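As an added example (it is not from the slides, nor from Tor's own code), here is a small Python helper doing what slides 46 to 49 describe: it strips any subdomain labels from a hostname such as www.facebookcorewwwi.onion, because only the rightmost label before .onion is the network address and the rest travels in the Host: header, and it then classifies the remaining address. It goes beyond the slides' 16-character v2 examples by also checking the v3 format (56 base32 characters encoding a 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte), which is the construction that lets the address itself authenticate the service. make_v3_address builds such an address from an arbitrary 32-byte key so the checksum logic can be exercised offline; the key bytes used for it are constructed for the demonstration, not a real service key.

```python
import base64
import hashlib
import re

# Bare onion labels: v2 is 16 base32 chars (80-bit truncated RSA key hash),
# v3 is 56 base32 chars (ed25519 pubkey || checksum || version).
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}$")
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}$")


def split_onion_host(host):
    """Split 'www.facebookcorewwwi.onion' into (['www'], 'facebookcorewwwi.onion').

    The subdomain prefix is only carried in the HTTP Host: header; the label
    immediately before '.onion' is the actual network address.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        raise ValueError("not a .onion hostname: %r" % host)
    return labels[:-2], labels[-2] + ".onion"


def v3_checksum(pubkey, version=b"\x03"):
    # Tor's v3 checksum: first two bytes of SHA3-256(".onion checksum" || pubkey || version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def make_v3_address(pubkey):
    """Encode a 32-byte ed25519 public key as a v3 onion address.

    Demonstration only: a real address would be derived from a service's key
    pair. The key bytes passed in by the caller are constructed sample data.
    """
    if len(pubkey) != 32:
        raise ValueError("v3 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_version(host):
    """Return 'v2', 'v3' or None for the address part of a .onion hostname.

    A v3 address is only accepted if its embedded checksum verifies against the
    embedded key: the address *is* the public key, so a mistyped address fails
    here rather than silently pointing somewhere else.
    """
    _, onion = split_onion_host(host)
    label = onion[: -len(".onion")]
    if ONION_V2_RE.match(label):
        return "v2"
    if ONION_V3_RE.match(label):
        raw = base64.b32decode(label.upper())        # 56 chars -> exactly 35 bytes
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        if version == b"\x03" and checksum == v3_checksum(pubkey):
            return "v3"
    return None


if __name__ == "__main__":
    sample = make_v3_address(bytes(range(32)))      # constructed key, not a real service
    print(split_onion_host("www.facebookcorewwwi.onion"))
    print(onion_version("www.facebookcorewwwi.onion"), onion_version(sample))
```

The checksum check is the practical difference between a v3 address and a DNS name: there is nothing to register and nothing a third party can substitute, but a single-character typo is detectable locally before any connection is made.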
  • 51. how does it work?
    Server: /etc/tor/torrc
      # => random onion address in "hostname" file
      HiddenServiceDir /var/lib/tor/onion-1
      # software-defined listener port number (22) => what it forwards to (127.0.0.1:22)
      HiddenServicePort 22 127.0.0.1:22
    Client: ~/.ssh/config
      Host my-onion
        HostName xxxxxxxxxxxxxxxx.onion
        # 9150 => builtin SOCKS5 in local TorBrowser
        ProxyCommand nc -x localhost:9150 %h %p
  • 52. how to serve .onion websites? 3 options…
  • 53. 1. dedicated server
    • you have a dedicated web server, and it…
      • is configured to know about its onion address
      • essentially runs as a standalone service
      • perhaps serves duplicate content?
  • 54. 2. onion-aware CMS
    • you have a web server, and it…
      • serves content to .com, .co.uk, .in, …
      • why not just add yet another domain name?
    • tag requests arriving from .onion reverse proxy
    • ensure that tagged requests are consistently responded-to, citing only your onion address(es)
  • 55. 3. onion shim
    • you have a web server, and it…
      • primarily serves content as (say) nytimes.com
    • install a shim between it and the tor reverse proxy…
      • shim bidirectionally rewrites requests & responses
      • nytimes.com <=> nytimes3xbfgragh.onion
    • custom engineering, or EOTK / Enterprise Onion Toolkit, an open-source shim for enterprise onions
  • 56. examples (or: implement a blend…)
    1. dedicated onion server (eg: various SecureDrop sites)
      • use-case dependent, probably involves anonymity
    2. onion-aware CMS (eg: Facebook)
      • excellent for primarily-dynamically-generated content
      • modest engineering, ongoing commitment, can be 100% solution
    3. onion shim EOTK (eg: NYT)
      • onionifies all content, including static or static/dynamic mix
      • minimal/zero engineering, some edge cases, 95..99%+ solution
  • 57. implementation tips
    • don't forget to onionify your CDNs where possible
    • try to avoid content-leakage between domains
      • accidentally wandering-off to the cleartext/.com site
      • e.g. OAuth redirects, tracker embeds…
    • use horizontal load-balancing for scale
      • free solution: OnionBalance (EOTK supports)
    • onions (even via shim) are generally faster for Tor
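The shim of slide 55 and the content-leakage warning of slide 57 can be illustrated together with a small rewriter. The following Python is an added example, not EOTK's code: it maps the slide's example pair nytimes.com <=> nytimes3xbfgragh.onion in both directions (response headers and bodies outbound, request headers such as Host: and Referer: inbound), keeps subdomain prefixes and cookie Domain= attributes intact, and then reports any clearnet hostnames that survived the rewrite, which is exactly where OAuth redirects and tracker embeds walk a Tor Browser user back onto the .com site. The sample HTML and the extra CDN domain used with find_leaks are constructed for the demonstration.

```python
import re

# The slide's example pair; constructed for this demonstration.
CLEAR_DOMAIN = "nytimes.com"
ONION_DOMAIN = "nytimes3xbfgragh.onion"


def _domain_re(domain):
    """Match `domain` or any subdomain of it, at label boundaries only.

    Group 1 captures the subdomain prefix (e.g. 'www.') so it can be carried
    over unchanged. The lookahead rejects 'nytimes.com.evil.net'; the lookbehind
    rejects 'fakenytimes.com' but still allows a leading '.' as used in
    Set-Cookie Domain=.nytimes.com.
    """
    return re.compile(
        r"(?<![\w-])((?:[\w-]+\.)*)" + re.escape(domain) + r"(?![\w-]|\.[\w-])"
    )


CLEAR_RE = _domain_re(CLEAR_DOMAIN)
ONION_RE = _domain_re(ONION_DOMAIN)


def onionify(text):
    """Outbound direction: clearnet references -> onion (www.nytimes.com -> www.nytimes3xbfgragh.onion)."""
    return CLEAR_RE.sub(lambda m: m.group(1) + ONION_DOMAIN, text)


def deonionify(text):
    """Inbound direction: onion references -> clearnet, so the origin server sees its own name."""
    return ONION_RE.sub(lambda m: m.group(1) + CLEAR_DOMAIN, text)


def rewrite_request_headers(headers):
    """Rewrite Host:, Referer:, Origin: and friends on the way to the origin server."""
    return {name: deonionify(value) for name, value in headers.items()}


def rewrite_response(headers, body):
    """Rewrite Location:, Set-Cookie:, CSP and the body on the way back to the Tor user."""
    return {name: onionify(value) for name, value in headers.items()}, onionify(body)


def find_leaks(body, extra_domains=()):
    """Return clearnet hostnames still present after rewriting.

    Anything listed here is a link that leaves the onion: the main clearnet
    domain, plus any CDN / tracker domains the operator chooses to watch.
    """
    leaks = set()
    for domain in (CLEAR_DOMAIN,) + tuple(extra_domains):
        for match in _domain_re(domain).finditer(body):
            leaks.add(match.group(0))
    return sorted(leaks)


if __name__ == "__main__":
    # Constructed sample response: one first-party link, one CDN image.
    sample = ('<a href="https://www.nytimes.com/">home</a>'
              '<img src="https://static01.nyt.com/logo.png">')
    headers, body = rewrite_response({"Location": "https://nytimes.com/login"}, sample)
    print(headers, body)
    print("leaks:", find_leaks(body, extra_domains=("nyt.com",)))
```

A production shim also has to cope with compressed bodies, JavaScript that assembles hostnames at runtime, and split references across chunked responses; the leak report is the check to run on every onionified page before declaring the shim a "99% solution".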
  • 58. https nits
    • you will probably need to buy a special HTTPS cert
      • cost: probably from mid $$$ to low $$$$
      • plus: associated paperwork & faff
    • if you take payments / subscriptions?
      • you may want to restrict access to payments over tor?
      • payment providers often block tor, this can sometimes lead to poor user experiences…
  • 59. TECH?
  • 60. Onion Networking as a Layer-3 Network
  • 61. How IP→Ethernet Works
    • Server: publishes mapping of IP to MAC address
      • Gratuitous ARP → populate ARP tables
    • Client: resolves mapping of IP to MAC address
      • Checks local ARP table (or makes ARP query)
    • Client: issues Ethernet frames to MAC address
      • Frames transport packets yielding TCP connections
  • 62. How Onion→IP Works
    • Server: publishes mapping of Onion to IP address
      • Descriptor Publication → populate HSDir DHT Ring
    • Client: resolves mapping of Onion to IP address
      • Checks HSDir DHT Ring (source of truth)
    • Client: issues TCP connection to Tor relay
      • Connections transport Tor cells yielding Tor circuits
  • 64. 1) TCP/IP is the L2 "data-link layer" of Onionspace
  • 65.
    #  OSI Name      Internet             Onion
    7  Application   https, ssh, etc…     https, ssh, etc…
    6  Presentation  socket*              socks5 proxy
    5  Session       tcp/udp socket*      tcp socket via socks5
    4  Transport     tcp/udp protocol     tcp circuit
    3  Network       packet to IP addr    cell to Onion addr
    2  Data Link     frames/MAC/LLC       cells over tcp
    1  Physical      bit                  bit
  • 66. 2) Onionspace is E2E ("End-to-End")
  • 67. Onion-E2E-ness
    • NAT/Firewalls are not an issue
      • Connections pretend to be direct, local-network TCP.
    • Services & Ports are published, not ad-hoc/promiscuous
      • Onionspace port-scanning is restricted to services and ports which are published by the owners:
      • HiddenServicePort 44422 localhost:22
    • "consent-based networking", cf: NSAPs in X.25?
  • 70. Circuit-switchyness
    • Long-term circuits between client/server are established
      • Traffic tunnels over circuits
      • A bit like X.25 Networking
    • sometimes circuits break
      • but then, so does TCP (i.e.: RST)
    • Circuits may carry multiple TCP/IP streams, be reused
    • Presentation: as a SOCKS5 relay
  • 72. "Rendezvous", a safer "Client-Server"
    1 server sets up introduction point
    2 server publishes descriptor
    3 client looks-up descriptor / intro-point
    4a client sets up rendez-point
    4b client tells server "meet me at rendez-point"
    5 data exchanged via circuit via rendez
    (diagram: Server, Introduction Point, HSDir DHT Ring, Rendezvous Point and Client within the Tor "Cloud"; server and client each sit behind a firewall)
    nb: all connections established "outbound" through the firewall(s); server can live in "enclave"
  • 73. "Rendezvous" at L7?
    • All this is hidden behind SOCKS5 for app presentation
    • Your app thinks that it is talking to a TCP/IP stream
    • Truth = more complex
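To make the five numbered steps of slide 72 concrete, here is an added and deliberately simplified model of the exchange in Python; it is not Tor's implementation. HSDir, Relay, Service and Client are stand-ins with constructed names, multi-hop circuits, descriptor signatures and the encryption of the INTRODUCE1 payload are all left out, and the placeholder onion name is the one from slide 51. What the model does keep is the property the slide's note stresses: every connection the service makes is outbound (first to its introduction point, then to the client's chosen rendezvous point), the descriptor never names the service's own location, and nothing in the introduction payload identifies the client.

```python
import secrets


class HSDir:
    """Stand-in for the HSDir DHT ring: onion address -> descriptor (step 2 / step 3)."""
    def __init__(self):
        self.descriptors = {}

    def publish(self, onion, descriptor):
        self.descriptors[onion] = descriptor

    def lookup(self, onion):
        return self.descriptors[onion]


class Relay:
    """A Tor relay used as an introduction point or a rendezvous point.

    It only ever sees circuits opened *to* it, by either party, so neither the
    service nor the client needs an inbound port.
    """
    def __init__(self, name):
        self.name = name
        self.intro_service = None   # service circuit, when acting as intro point
        self.waiting = {}           # rendezvous cookie -> client circuit
        self.log = []

    def establish_intro(self, service):                 # step 1
        self.intro_service = service
        self.log.append(("ESTABLISH_INTRO", service.onion))

    def introduce1(self, payload):                      # step 4b, client side
        self.log.append(("INTRODUCE1", "from anonymous client circuit"))
        self.intro_service.introduce2(payload)          # relayed as INTRODUCE2

    def establish_rendezvous(self, client, cookie):     # step 4a
        self.waiting[cookie] = client
        self.log.append(("ESTABLISH_RENDEZVOUS", cookie.hex()))

    def rendezvous1(self, service, cookie):             # service arrives with the cookie
        client = self.waiting.pop(cookie)
        self.log.append(("RENDEZVOUS1", cookie.hex()))
        circuit = Circuit(client, service)              # join the two half-circuits
        client.rendezvous2(circuit)
        return circuit


class Circuit:
    """Two half-circuits spliced at the rendezvous point; carries the app data (step 5)."""
    def __init__(self, client, service):
        self.client, self.service = client, service
        self.transcript = []

    def send(self, sender, data):
        receiver = self.service if sender is self.client else self.client
        self.transcript.append((sender.name, receiver.name, data))
        return receiver.receive(data)


class Service:
    def __init__(self, onion):
        self.onion, self.name = onion, "service"
        self.outbound = []          # every connection the service initiates

    def setup(self, hsdir, intro_point):                # steps 1 and 2
        self.outbound.append(intro_point.name)
        intro_point.establish_intro(self)
        hsdir.publish(self.onion, {"intro_point": intro_point})

    def introduce2(self, payload):                      # step 4b lands here
        rendezvous_point, cookie = payload["rendezvous_point"], payload["cookie"]
        self.outbound.append(rendezvous_point.name)     # outbound again, never inbound
        rendezvous_point.rendezvous1(self, cookie)

    def receive(self, data):
        return b"echo:" + data


class Client:
    def __init__(self):
        self.name, self.circuit, self.outbound = "client", None, []

    def connect(self, hsdir, onion, rendezvous_point):
        descriptor = hsdir.lookup(onion)                # step 3
        cookie = secrets.token_bytes(20)
        self.outbound.append(rendezvous_point.name)
        rendezvous_point.establish_rendezvous(self, cookie)     # step 4a
        intro_point = descriptor["intro_point"]
        self.outbound.append(intro_point.name)
        intro_point.introduce1({"rendezvous_point": rendezvous_point, "cookie": cookie})  # 4b
        return self.circuit

    def rendezvous2(self, circuit):
        self.circuit = circuit

    def receive(self, data):
        return data


def run_rendezvous():
    hsdir, intro, rendezvous = HSDir(), Relay("intro-point"), Relay("rendezvous-point")
    service = Service("xxxxxxxxxxxxxxxx.onion")         # placeholder name from slide 51
    service.setup(hsdir, intro)
    client = Client()
    circuit = client.connect(hsdir, service.onion, rendezvous)
    reply = circuit.send(client, b"hello")              # step 5
    return {"reply": reply, "service_outbound": service.outbound,
            "client_outbound": client.outbound, "intro_log": intro.log,
            "rp_log": rendezvous.log}


if __name__ == "__main__":
    print(run_rendezvous())
```

The point to take from the run is in the two outbound lists: the service connected to "intro-point" and then to "rendezvous-point", the client to "rendezvous-point" and then to "intro-point", and nobody connected to anybody's firewall.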
  • 74. 5) Introduction points have redundancy, transience and migrate globally, leading to…
  • 75. high-availabilityness (H/A)
    • DDoS Resistance
      • Harder to hit a moving target, key resources "at 1+ remove"
    • Built-in "GSLB" (global server load balancing)
      • You have little control of where Introduction, or Rendezvous Points are created, but they are distributed globally
      • Servers can be replicated globally, too; flatness = simpler
    • "DNSRR" equivalent (DNS Round Robin)
      • "OnionBalance" enables recombination of descriptors, shares load over servers like DSR (direct server return); or full H/A replicas
  • 77. self-authenticatingness
    • Onion addresses are literally cryptographically-trustable layer-3 network addresses
    • If you type the address correctly, you are guaranteed to be communicating with someone who has the private key
    • Built-in IPsec ESP and AH
      • No PSK hassle
      • No CA hassle
      • No revocation, no X.509, no OpenSSL, no faff…
  • 79. BGP-Hijack Resistance
    • Tor is an over-the-top meta-network
    • It doesn't care what's happening at the IP layer
  • 80. If you remember one thing:
    • Tor "treats censorship as damage, and routes around it"
      • literally its raison d'être…
    • Tor is actually pretty good at (eventually) routing around damage of pretty much any kind, nowadays.
    • Wasn't the Internet supposed to do this anyway?
      • qv: John Gilmore
      • Perhaps we got lazy and stopped aiming for that?
  • 83. "good enough for the right kinds of workload"
  • 85. Learning New Stuff
    • Tor is not TCP/IP (but feels similar)
    • Tor is not an in-kernel network
      • userspace daemons with SOCKS5 presentation
      • config files, not `ifconfig`
    • Tor is evolving
      • Just like TCP/IP was in 1992
  • 89. Wikipedia Experiment
    • Why?
      • Short-term test to prove the concept
      • Cheap, low resource-usage, borrowed hardware
    • Was DoS'd by <some asshole with bots>
      • Sustained few-hundreds of hits per second
      • Hardly noticeable impact on single quad-core server
  • 90. summary: why onion?
    • build apps, tools, & devices which don't have to fret about NAT, and which don't need a $$$ central server
    • provide additional access, security & safety opportunities for your audiences & communities!
    • cutting-edge, experimental fun!
  • 91. and finally: password-protect onion "network interfaces"?
    Server: /etc/tor/torrc
    …yields: the following hostname file