Motivation
Implementing an anonymous network on a service by service basis has its drawbacks, and it is debatable if such work should be built at the application level. A simpler approach could be to design an IPv4/IPv6 network where its participants enjoyed strong anonymity. Doing so allows the use of any number of applications and services already written and available on the internet at large.
IPv4 networks do not preclude anonymity by design; it is only necessary to decouple the identity of the owner of an IP address from the address itself. Commercial internet connectivity and its need of billing records makes this impossible, but private IPv4 networks do not share that requirement. Assuming that a router administrator on such a metanet knows only information about the adjacent routers, standard routing protocols can take care of finding the proper path for a packet to take to reach its destination. All destinations further than one hop can for most people's threat models be considered anonymous. This is due to the fact that only your immediate peers know your IP. Anyone not directly connected to you only knows you by an IP in the 1.0.0.0/8 range, and that IP is not tied to any identifiable information.
Architecture
Since running fiber to distant hosts is prohibitively costly for the volunteer nature of such a network, the network uses off-the-shelf VPN software for both router to router, and router to user links. This offers other advantages as well, such as invulnerability to external eavesdropping and the lack of need for unusual software which might give notice to those interested in who is participating.
To avoid addressing conflict with the internet itself, the range 1.0.0.0/8 is used. This is to avoid conflicting with internal networks such as 10/8, 172.16/12 and 192.168/16, as well as assigned Internet ranges. In the event that 1.0.0.0/8 is assigned by IANA, anoNet could move to the next unassigned /8, though such an event is unlikely, as 1.0.0.0/8 has been reserved since September 1981.
The network itself is not arranged in any regular, repeating pattern of routers, although redundant (>1) links are desired. This serves to make it more decentralized, reduces choke points, and the use of BGP allows for redundancy.
Suitable VPN choices are available, if not numerous. Any robust IPsec package is acceptable, such as FreeSWAN or Greenbow. Non-IPsec solutions also exist, such as OpenVPN and SSH tunneling. There is no requirement for a homogeneous network; each link could in fact use a different VPN daemon.
Reply With Quote
Bookmarks