[Freedombox-discuss] Hosting public services (was: Re: Bootstrapping a Freedombox contact list)

Anders Jackson anders.jackson at gmail.com
Fri Nov 29 01:14:14 UTC 2013


Den 27 nov 2013 23:51 skrev "Tim Retout" <diocles at debian.org>:
>
> On Wed, 2013-11-27 at 09:23 +0100, Anders Jackson wrote:
> > Sorry, my fault. I was thinking of IPSec,
> > http://en.m.wikipedia.org/wiki/IPsec
> >
> > > I think IPv6 will eventually mean that everyone has static IP
> > addresses
> > > at home, but in the meantime not everyone can access IPv6-only
> > services,
> > > can they?  So do the transition mechanisms make it possible to run
> > > services accessible by IPv4-only users?
> >
> > Do you need IPv4 access in to your machine? We would still have IPv4
> > access through IPv4 NAT. If all Freedomboxes have IPv6, they have peer
> > to peer access through encrypted connection. No need for fighting with
> > NAT traversal through one or more NAT routers.
>
> Ah, I see where you're going, but I think we may need more than this.

Like what more?

> Eben Moglen's recent talks have persuaded me that privacy requires both
> secrecy and anonymity:
> http://snowdenandthefuture.info/PartII.html

Of course it does, but the communication between the devices are encrypted,
so Tor, or something like that, on top of IPsec on IPv6 will give you both
secrecy and anonymity.

> Therefore, for the peer-to-peer element, I have come to believe that
> governments should not able to see which other Freedomboxes you are
> communicating with.  If we used IPSec, it would still be possible to
> figure out who owned the addresses you were talking to.

Government, what about ISP and other companies, like MS and Google?
It is still possible to figure out which other Tor nodes you talk to.

> Tor hidden services are easy to set up, they work even if the Freedombox
> is behind a firewall, and they have the advantage that you keep the same
> onion address even if your home IP is dynamic.  I envisage this
> communication as happening mostly between the software on the boxes,
> rather than directly from any user's browser, so the end user never has
> to know that this is implemented on top of Tor.

And you seems to miss that you are talking about different levels in the
communication stack.

> (This use of Tor is always encrypted end-to-end, and there are no "exit
> nodes" which can see your raw traffic.  This avoids all the potential
> issues discussed on this list a few weeks ago with sending the user's
> unencrypted HTTP traffic over Tor.)

And with IPsec all traffic can be encrypted, not just HTTP traffic between
Tor nodes.

> Note that a connection from e.g. my own mobile phone to my Freedombox
> does not have the same anonymity requirement.  GCHQ is going to know my
> phone and my home are linked together, because my identity is already
> associated with them both, and this is fine.  This connection could very
> well use an IPsec VPN, if we could figure out how to make that work.

IPsec isn't like TLS, SSL or SSH, it is in network layer the encryption is
done.

> However, I also believe that in order to be at all useful, Freedomboxes
> need to interoperate at some level with people who don't yet use
> Freedomboxes.  So I still want to keep my same email address for now,
> and hopefully my same XMPP address, etc.  To start with, I envisage that
> we do not actually host these on the Freedombox, but intercept and
> augment them (e.g. adding OpenPGP encryption to my email where
> possible).

What does XMPP or Email addresses have anything to do with IPv4 or IPv6
adresses?
I do run both my SMTP and XMPP traffic on IPv6 as we speak. I use IPv6 with
Google and other big web sites daily.
The only common protocol that I know of that actually uses IP-adresses in
them that I know of is SIP. And that is worked on to solve.

> We can then start transparently re-routing mail I send to other
> Freedombox users.  Deliver via their Tor hidden service address, rather
> than over the open internet.

I can't see why that can't be done with IPv6? It is done already

> Later, if I want to, say, make my Freedombox's pump.io installation
> available to the internet at large, we need a way for other people with
> only IPv4 connections to see my site (ideally hosted on my own domain),
> even though my home only has a dynamic IPv4 address.  This is where
> tools like Pagekite come in, and I can't see how I'd achieve this with
> IPv6.

I can't see why that will be a problem other than the usual mess with NAT,
double NAT and other problems you get with IPv4 when trying to put a server
on internet.
But machines usually need to have dual stack anyway, so you can still do
that if you really need IPv4.

But this is problems you don't have with IPv6, where you only need to open
up the firewall and your server is public.

For IPv4 to be able to reach IPv6 there are other solutions for doing that,
like NAT64. You are not the first with a need like that. ;-)

> --
> Tim Retout <diocles at debian.org>

/Anders J.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20131129/5ea6a838/attachment.html>


More information about the Freedombox-discuss mailing list