 | This article has multiple issues. Please help improve it or discuss these issues on the talk page . (Learn how and when to remove these template messages)
|
| Initial release | 2005 |
|---|---|
| Type | Anonymity, Peer-to-peer |
| Website | http://anonet.org |
anoNet is a decentralized friend-to-friend network built using VPNs and software BGP routers. anoNet works by making it difficult to learn the identities of others on the network allowing them to anonymously host IPv4 and IPv6 services.
Implementing an anonymous network on a service by service basis has its drawbacks, and it is debatable if such work should be built at the application level. A simpler approach could be to design an IPv4/IPv6 network where its participants enjoyed strong anonymity. Doing so allows the use of any number of applications and services already written and available on the internet at large.
IPv4 networks do not preclude anonymity by design; it is only necessary to decouple the identity of the owner of an IP address from the address itself. Commercial internet connectivity and its need of billing records makes this impossible, but private IPv4 networks do not share that requirement. Assuming that a router administrator on such a metanet knows only information about the adjacent routers, standard routing protocols can take care of finding the proper path for a packet to take to reach its destination. All destinations further than one hop can for most people's threat models be considered anonymous. This is because only your immediate peers know your IP. Anyone not directly connected to you only knows you by an IP in the 21.0.0.0/8 range, and that IP is not necessarily tied to any identifiable information.
Everyone can build a profile of an anoNet IP address: what kind of documents it publishes or requests, in which language, about which countries or towns, etc. If this IP ever publishes a document that can lead to its owner's identity, then all other documents ever published or requested can be tied to this identity. Unlike some other Friend to Friend (F2F) programs, there is no automatic forwarding in anoNet that hides the IP of a node from all nodes that are not directly connected to it.
However, all existing F2F programs can be used inside anoNet, making it harder to detect that someone uses one of these F2F programs (only a VPN connection can be seen from the outside, but traffic analysis remain possible).
Since running fiber to distant hosts is prohibitively costly for the volunteer nature of such a network, the network uses off-the-shelf VPN software for both router to router, and router to user links. This offers other advantages as well, such as invulnerability to external eavesdropping and the lack of need for unusual software which might give notice to those interested in who is participating.
To avoid addressing conflict with the internet itself, anoNet initially used the IP range 1.0.0.0/8. This was to avoid conflicting with internal networks such as 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, as well as assigned Internet ranges. In January 2010 IANA allocated 1.0.0.0/8 to APNIC. [1] In March 2017 anoNet changed the network to use the 21.0.0.0/8 subnetwork, which is assigned to the United States Department of Defense but is not currently in use on the internet.
The network itself is not arranged in any regular, repeating pattern of routers, although redundant (>1) links are desired. This serves to make it more decentralized, reduces choke points, and the use of BGP allows for redundancy.
Suitable VPN choices are available, if not numerous. Any robust IPsec package is acceptable, such as FreeS/WAN or Greenbow. Non-IPsec solutions also exist, such as OpenVPN and SSH tunneling. There is no requirement for a homogeneous network; each link could in fact use a different VPN daemon.
One of the primary goals of anoNet is to protect its participants' rights of speech and expression, especially those that have come under attack of late. Some examples of what might be protected by anoNet include:
It is impossible on the Internet to communicate with another host without knowing its IP address. Thus, the anoNet realizes that you will be known to your peer, along with the subnet mask used for communicating with them. A routing protocol, BGP, allows any node to advertise any routes they like, and this seemingly chaotic method is what provides users with anonymity. Once a node advertises a new route, it is hard for anyone else to determine if it is a route to another machine in another country via VPN, or just a dummy interface on that users machine.
It is possible that certain analysis could be used to determine if the subnet was remote (as in another country), or local (as in either a dummy interface, or a machine connected via Ethernet.) These include TCP timestamps, ping times, OS identification, user agents, and traffic analysis. Most of these are mitigable through action on the users' part.
There are 65536 ASNs available in BGP v4. Long before anoNet reaches that number of routers the network will have to be split into OSPF clouds, or switched to a completely different routing protocol or alter the BGP protocol to use a 32bit integer for ASNs, like the rest of the Internet will do, since 32-bit AS numbers now are standardised.
There are also only 65536 /24 subnets in the 21.0.0.0/8 subnet. This would be easier to overcome by adding a new unused /8 subnet if there were any.
Below is the list of allocated IPv4 and IPv6 subnets as of 4 March 2020.
21.3.3.0/24 21.3.37.0/24 21.4.9.200/30 21.3.4.0/24 21.0.0.0/24 21.22.1.0/24 21.4.9.153/32 21.3.3.96/30 21.50.0.0/24 21.71.12.0/24 21.41.41.0/24 21.3.3.8/32 21.0.99.11/32 21.63.70.0/24 21.4.9.53/32 21.3.3.1/32 21.78.0.53/32 21.3.3.7/32 21.255.222.0/24 21.3.3.10/32 21.255.112.0/24 21.255.113.0/24 21.79.3.153/32 21.3.3.3/32 21.104.100.0/24 21.255.114.0/24 fd63:1e39:6f73:ff72::/64 fd63:1e39:6f73:ff75::/64 fd63:1e39:6f73:325::/64 fd63:1e39:6f73:1601::/64 fd63:1e39:6f73:304::/64 fd63:1e39:6f73:2929::/64 fd63:1e39:6f73:1c6a::/64 fd63:1e39:6f73:303::/64 fd63:1e39:6f73:3f46::/64 fd63:1e39:6f73:3f45::/64 fd63:1e39:6f73:470c::/64
Since there is no identifiable information tied to a user of anoNet, one might assume that the network would drop into complete chaos. Unlike other anonymous networks, on anoNet if a particular router or user is causing a problem it is easy to block them with a firewall. In the event that they are affecting the entire network, their peers would drop their tunnel.
With the chaotic nature of random addressing, it is not necessary to hide link IP addresses. These are already known. If however, a user wants to run services, or participate in discussions anonymously, he can advertise a new route, and bind his services or clients to the new IP addresses.
Similar software:
An Internet Protocol address is a numerical label such as 192.0.2.1 that is connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions: network interface identification and location addressing.
Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January 1983. It is still used to route most Internet traffic today, even with the ongoing deployment of Internet Protocol version 6 (IPv6), its successor.
Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion, and is intended to replace IPv4. In December 1998, IPv6 became a Draft Standard for the IETF, which subsequently ratified it as an Internet Standard on 14 July 2017.
A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions between networks and on the global Internet. Data sent through a network, such as a web page or email, is in the form of data packets. A packet is typically forwarded from one router to another router through the networks that constitute an internetwork until it reaches its destination node.
Classless Inter-Domain Routing is a method for allocating IP addresses and for IP routing. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous classful network addressing architecture on the Internet. Its goal was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.
Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. BGP is classified as a path-vector routing protocol, and it makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator.
Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS).
A virtual private network (VPN) is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.
A subnetwork or subnet is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting.
Anycast is a network addressing and routing methodology in which a single destination IP address is shared by devices in multiple locations. Routers direct packets addressed to this destination to the location nearest the sender, using their normal decision-making algorithms, typically the lowest number of BGP network hops. Anycast routing is widely used by content delivery networks such as web and DNS hosts, to bring their content closer to end users.
Multihoming is the practice of connecting a host or a computer network to more than one network. This can be done in order to increase reliability or performance.
In Internet networking, a private network is a computer network that uses a private address space of IP addresses. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments. Both the IPv4 and the IPv6 specifications define private IP address ranges.
A route distinguisher is an address qualifier used only within a single internet service provider's Multiprotocol Label Switching (MPLS) network. It is used to distinguish the distinct virtual private network (VPN) routes of separate customers who connect to the provider.
Mobile IP is an Internet Engineering Task Force (IETF) standard communications protocol that is designed to allow mobile device users to move from one network to another while maintaining a permanent IP address. Mobile IP for IPv4 is described in IETF RFC 5944, and extensions are defined in IETF RFC 4721. Mobile IPv6, the IP mobility implementation for the next generation of the Internet Protocol, IPv6, is described in RFC 6275.
A routing protocol specifies how routers communicate with each other to distribute information that enables them to select routes between nodes on a computer network. Routers perform the traffic directing functions on the Internet; data packets are forwarded through the networks of the internet from router to router until they reach their destination computer. Routing algorithms determine the specific choice of route. Each router has a prior knowledge only of networks attached to it directly. A routing protocol shares this information first among immediate neighbors, and then throughout the network. This way, routers gain knowledge of the topology of the network. The ability of routing protocols to dynamically adjust to changing conditions such as disabled connections and components and route data around obstructions is what gives the Internet its fault tolerance and high availability.
A unique local address (ULA) is an Internet Protocol version 6 (IPv6) address in the address range fc00::/7. These addresses are non-globally reachable. For this reason, ULAs are somewhat analogous to IPv4 private network addressing, but with significant differences. Unique local addresses may be used freely, without centralized registration, inside a single site or organization or spanning a limited number of sites or organizations.
Locator/ID Separation Protocol (LISP) is a "map-and-encapsulate" protocol which is developed by the Internet Engineering Task Force LISP Working Group. The basic idea behind the separation is that the Internet architecture combines two functions, routing locators and identifiers in one number space: the IP address. LISP supports the separation of the IPv4 and IPv6 address space following a network-based map-and-encapsulate scheme. In LISP, both identifiers and locators can be IP addresses or arbitrary elements like a set of GPS coordinates or a MAC address.
An Internet Protocol Version 6 address is a numeric label that is used to identify and locate a network interface of a computer or a network node participating in a computer network using IPv6. IP addresses are included in the packet header to indicate the source and the destination of each packet. The IP address of the destination is used to make decisions about routing IP packets to other networks.
dn42 is a decentralized peer-to-peer network built using VPNs and software/hardware BGP routers.
A network extrusion is a kind of VPN tunnel where a subnet is moved to another location, without any router advertisement changes. Such a subnet is routed to normally, but then send via a VPN tunnel to appear anywhere else on the internet. This type of VPN connection is often used for:
Consideration of User Preference on Internet-based Overlay Network, T Gu, JB Yoo, CY Park - ..., Networking, and Parallel/Distributed Computing, 2008 ..., 2008 - ieeexplore.ieee.org
