[Freedombox-discuss] Hosting public services (was: Re: Bootstrapping a Freedombox contact list)

Anders Jackson anders.jackson at gmail.com
Mon Dec 23 14:04:35 UTC 2013


2013/11/29 Tim Retout <diocles at debian.org>:
> On Fri, 2013-11-29 at 02:14 +0100, Anders Jackson wrote:
>> Of course it does, but the communication between the devices are
>> encrypted, so Tor, or something like that, on top of IPsec on IPv6
>> will give you both secrecy and anonymity.
>
> Yes; the point being that you need Tor as well as IPSec.

Yes?  Traffic in Tor isn't encrypted, it is anonymized.  So you still
need encryption when using Tor.

> A small nitpick to check my understanding: even if you use Tor on IPSec,
> it is possible to send traffic that will be unencrypted at the exit
> nodes.  So your anonymity is assured, but not your secrecy.

No, it isn't.  IPSec is encryption end to end.

>> > Therefore, for the peer-to-peer element, I have come to believe that
>> > governments should not able to see which other Freedomboxes you are
>> > communicating with.  If we used IPSec, it would still be possible to
>> > figure out who owned the addresses you were talking to.
>>
>> Government, what about ISP and other companies, like MS and Google?
>> It is still possible to figure out which other Tor nodes you talk to.
>
> And my assumption here is that knowing which Tor nodes you talk to is
> uninteresting - they're not people you know personally, so it doesn't
> matter who finds out.
>
> I think we're talking cross-purposes slightly - let me restate what I
> was trying to get at here:
>
> There are two situations I'm trying to solve:
>
> - Communication between Freedomboxes.  Here we can assume the existence
> of any software like Tor, so I'm proposing Tor hidden services.  This
> can be over IPv4 or IPv6, but you still need Tor.

Yes, you need a Tor-like system.  IPv6 or IPv4 doesn't anonymize your
communication.

> - Communication with 3rd parties over various protocols, which needs you
> to advertise a public service (like a mail server with port 25 open).
> Here we want to interoperate with people who aren't using Tor, and may
> be on either IPv4 or IPv6.  This is where we were talking about
> Pagekite, except Pagekite doesn't do SMTP.

But IPv6 does SMTP and all the other protocols, and does it encrypted
with IPsec if you like, which IPv4 doesn't.  It's still possible to
run for example HTTPS on top of IPv6 with IPsec, if you want to.

> I hope that explains some of the statements in my previous mail.
>
>> I can't see why that will be a problem other than the usual mess with
>> NAT, double NAT and other problems you get with IPv4 when trying to
>> put a server on internet.
>> But machines usually need to have dual stack anyway, so you can still
>> do that if you really need IPv4.
>>
>> But this is problems you don't have with IPv6, where you only need to
>> open up the firewall and your server is public.
>>
>> For IPv4 to be able to reach IPv6 there are other solutions for doing
>> that, like NAT64. You are not the first with a need like that. ;-)
>
> Yes, I hope I'm not the first. :)  Can you elaborate on how to offer
> publicly-available services that existing IPv4 mail servers could talk
> to?  Does NAT64 have to be offered by your ISP?

I would hope that nobody would have needed that, because that implies
that there are still IPv4 nodes out there.  ;-)

More and more ISPs start to offer dual stack IPv4 and IPv6.  There
are also rumours that some ISPs offer only IPv6, with extra fees for
IPv4 (no, I don't remember the names, thus it is second hand and I say
rumours).

No, NAT64 doesn't need to be offered by your ISP, but it's more
efficient to set it up in that way.  But you must have at least one
proper IPv4-address to be able to use NAT64.  But there are other
mechanisms to use for IPv4 <-> IPv6 translations.

As the boxes probably have some basic NATed IPv4 you might be able to
set up a server behind NAT, as long as there isn't multi-level NAT from
the ISP.  If you are behind a multi-level NAT, you are lost on trying
to do other stuff than to surf out of your net, as you have to
initiate any connections.  You can't set up your own service behind
your NAT.  In some countries in Asia and Africa it is rumoured (see
previous rumour about second hand information, you are third hand now)
that this is starting to show up from some ISPs.

So, if we are serious about protecting the user, we need to address
this issue with IPv6.  And it would be one of the "killer
application"s of a freedombox. ;-)

> --
> Tim Retout <diocles at debian.org>

Happy Holidays
Anders
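A worked example of the IPv4 <-> IPv6 translation discussed above, added here as editor's example code (it is not from the FreedomBox project or from either author in the thread). It implements the RFC 6052 address synthesis that NAT64 and DNS64 use to embed an IPv4 address inside an IPv6 prefix, for all six prefix lengths the RFC allows (the reserved "u" octet at bits 64-71 is skipped), and it refuses to embed an RFC 1918 address under the well-known prefix 64:ff9b::/96, which RFC 6052 section 3.1 forbids. The prefixes and the address 192.0.2.33 used in the demo are the RFC's own documentation examples; the function names are this example's own.

```python
"""RFC 6052 IPv4-embedded IPv6 address synthesis, as used by NAT64 / DNS64.

Editor's example added to this page; not FreedomBox project code.
"""
import ipaddress

# RFC 6052 section 2.1: the well-known prefix reserved for NAT64.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# RFC 6052 section 2.2 only allows these prefix lengths.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)

# RFC 1918 ranges; the well-known prefix must not carry these (RFC 6052 s3.1).
_RFC1918 = [ipaddress.IPv4Network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ipv4_byte_positions(prefix_len):
    """Byte offsets (0-15) of the 16-byte IPv6 address that hold the four
    IPv4 octets.  Octet 8 (bits 64-71) is the reserved 'u' octet and is
    skipped, which is what makes /40, /48, /56 and /64 prefixes look odd."""
    positions = []
    i = prefix_len // 8
    while len(positions) < 4:
        if i != 8:
            positions.append(i)
        i += 1
    return positions


def _check_prefix(net):
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 prefix length must be one of %s, got /%d"
                         % (VALID_PREFIX_LENGTHS, net.prefixlen))


def embed_ipv4(prefix, ipv4):
    """Synthesise the IPv6 address that represents `ipv4` under `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    ip4 = ipaddress.IPv4Address(ipv4)
    _check_prefix(net)
    if net == WELL_KNOWN_PREFIX and any(ip4 in n for n in _RFC1918):
        # A translator that accepted this would leak private-range traffic
        # into a globally routed prefix, so refuse rather than guess.
        raise ValueError("RFC 6052 s3.1: well-known prefix must not carry "
                         "RFC 1918 address %s" % ip4)
    out = bytearray(net.network_address.packed)
    for pos, octet in zip(_ipv4_byte_positions(net.prefixlen), ip4.packed):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix, ipv6):
    """Inverse of embed_ipv4: recover the IPv4 address from a synthesised
    IPv6 address.  Rejects addresses that are not inside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    ip6 = ipaddress.IPv6Address(ipv6)
    _check_prefix(net)
    if ip6 not in net:
        raise ValueError("%s is not inside NAT64 prefix %s" % (ip6, net))
    raw = ip6.packed
    return ipaddress.IPv4Address(
        bytes(raw[p] for p in _ipv4_byte_positions(net.prefixlen)))


if __name__ == "__main__":
    # Prefixes and address taken from the example table in RFC 6052 s2.4.
    for prefix in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
                   "2001:db8:122:300::/56", "2001:db8:122:344::/64",
                   "2001:db8:122:344::/96", "64:ff9b::/96"):
        v6 = embed_ipv4(prefix, "192.0.2.33")
        print("%-24s -> %-30s -> %s" % (prefix, v6, extract_ipv4(prefix, v6)))
```

The round trip is the property a NAT64 box relies on: the IPv4 side of the translator must recover exactly the address a DNS64 resolver synthesised, so both must agree on the prefix length, not just the prefix bits.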


