, , , , , , ,

It’s around this time of year that INFOSEC vendors and bloggers post their industry predictions for the year to come. Here I’ll tell of something I’m pretty confident will happen in roughly ten years.

OpenVPN is still working nicely, by the way, but the fact it’s become a necessity for getting decent Internet shows that I’m missing the boat in not following up my dissertation project with something tangible. Currently I haven’t gone much further than designing the communications protocol for this, creating a nice interface in VB.NET and outlining roughly how it should work in theory.
I revisited one of my sources, a research paper, ‘P2P social networking for the rest of US‘, authored back in 2009 by Zoe Antoniou, Sacha Zyto and Dimitris Kalofonus, who outlined a joint project between the Nokia Research Centre and MIT to develop a prototype Peer-to-Peer social network called MyNet. There are also two publicly-available papers (actually PDFs) for this: ‘MyNet: a Platform for Secure P2P Personal and Social Networking Services‘ and ‘A Hybrid P2P/Infrastructure Platform for Personal and Social Internet Services‘.

Whenever ‘Peer-to-Peer’ or P2P networking gets mentioned, the average person would think piracy, illegal file-sharing, BitTorrent and… whatnot. This isn’t really fair, as the term simply refers to a serverless, point-to-point, way of communicating. The Internet should actually now be almost entirely Peer-to-Peer. Except for the need to centrally manage stuff in enterprise networks, the main reason we still have a client-server Internet is because of technological limitations that used to exist – the IPv4 address space was badly assigned and exhausted some time ago, and personal computers didn’t always have the resources to host content for multiple users. The latter point was also made by the authors of the MyNet paper.
P2P is intrinsically a good thing, a more efficient, decentralised and secure way of communicating, and it’s where we need to go in order for the Internet to survive as a free and open communications medium.

At the core of the MyNet idea are the following concepts:
(1) – Users create Personal Networks of their devices, and these Personal Networks interlink to form Social Networks. This seems either a development of the Personal Area Network of the 1990s, or the Microsoft Active Directory feature (the name of which I can’t recall) that ties multiple devices to a given user.
(2) – One-to-many relationship, which I think refers to hosting content on a personal device.
(3) – Routing is based around the Personal and Social networks, but the researchers don’t explain how in the first journal paper.
(4) – Users share content by issuing ‘Passlets’ to each other. This would probably work in a similar way to ACLs and tokens in Microsoft Windows and Active Directory.
(5) – Social networks can be, or are, built offline, by using Near Field Communication to exchange details between users’ Personal Networks.

MyNet (MIT and Nokia Research Center, 2009)

MyNet (MIT and Nokia Research Center, 2009)

So the advantages to this are obvious – users have total control over what they access and share, and they won’t have to give that control to a third-party if the ‘Passlet’ thing works as it should. It also uses out-of-band communications (NFC) for some of its authentication.

This idea looks very promising. In fact, I’m quite certain that something like this will emerge in maybe 10-5 years, and become another phenomenon just like FaceBook did. It might even become popular as the email client. Why? Because it’s the only way peoples’ need to share and openly communicate could be balanced with their need for privacy and security. We also know that encryption, Tor and VPNs – which almost nobody bothered with 15 years ago – are becoming mainstream for a reason. The client-server way of doing things is outdated.
If MyNet could be made to work at the application layer of a typical device, it would only take an initial handful of average Joes to install an ‘app’.

Usability, Convenience and Ubiquity
The paper’s abstract recognises one of the classic problems encountered when developing something like this:
‘The user experience of current P2P Personal and Social networking systems does not meet the usability needs of the technically naïve users. This is the motivation behind MyNet, a P2P platform that enables non-expert users to easily organize their resources and share them in their immediate social neighborhood.’

As the authors pointed out, it’s already possible to configure an average home network to function like a MyNet Personal Network, but it’s unreasonable to expect the average person to do so. Most people are consumers, and this is the underlying reason why numerous privacy and anti-censorship technologies, most of them really innovative, failed to become mainstream.

So there we have ‘business requirements’ – we’re supposed to be developing solutions, not creating new problems. The solution must work with minimal effort, and using the resources on a typical PC, smartphone or laptop. As an example, OpenVPN works because it’s just a matter of installing an application and importing a text file, and it quickly solves a problem most people will encounter as more sites get blocked in the UK. Something like FreedomBox, on the other hand, is still proof-of-concept because most of us aren’t going to spend time and effort buying the hardware. These are requirements that should be central to the design.

Following that comes the design stage: what can developers re-use in creating a solution? This question was central to my dissertation, largely because my own engineering and programming skills are passable at best. We could do quite a lot with IPv6, and there are already various libraries available for IPsec, sockets, encryption and key exchange. Everything can hopefully be bundled and deployed anywhere.
As for MyNet, the developers made use of C++ and Python libraries, and apparently used Remote Procedure Calls for the underlying stuff.

Routing and Infrastructure
The real specifics of how the data would be routed between devices is addressed in ‘MyNet: a Platform for Secure P2P Personal and Social Networking Services‘.

This is where I’ll describe my own alternative for P2P comms, which was actually inspired by The Second Internet (Lawrence Hughes). It goes something like this: Every device could have its own IPv6 address. In fact, as there are something like 10e25 IPv6 addresses to every square centimetre of the Earth’s surface, there’s no technical reason why each device can’t have a considerably large block of IP addresses. We wouldn’t need NAT, so Peer-to-Peer IPsec tunnels should be possible between remote devices, between the endpoints. While that protects the confidentiality of communications, the channels still wouldn’t be secure unless they’re resilient against discovery, filtering and disruption. The solution: the IPv6 Layered Security Protocol that buries the data under several layers of encryption and tunnels it through a channel hidden from third-parties. As far as I’m aware, I’m the first to come up with a fairly solid (but still unrefined) idea for an IPv6 ‘darknet’ or ‘stealth network’, with Lawrence Hughes, Sam Bowne and lecturers at Newport university laying much of the groundwork.

What’s interesting is Arbor Networks cited a study that claimed P2P accounted for roughly 60% of IPv6 traffic in 2009, along with its own measurements that put the figure at 61% in late-2010 across North America and Europe. So it does look like P2P might be the killer application of IPv6, although the current activity could be attributed to a lack of firewall configuration for IPv6. The P2P OS blog has an interesting post describing how this might work during the transition to IPv6, if it’s going to be done in stages between now and 2030.