Phantom: Decentralized anonymous networking [LWN.net]

By Jake Edge
June 8, 2011

Anonymity on the internet is an interesting problem, for which several different solutions have been implemented (e.g. Tor, Freenet). Creating such a network is an interesting exercise for one thing, but using one is also highly useful to avoid various kinds of internet activity monitoring. While people in relatively free countries may find it useful to avoid their ISP and government's monitoring, activists and others living under more repressive regimes may find it to be much more than that—in some cases, it could make a life-or-death difference. Phantom is another mechanism for providing internet anonymity that has a number of interesting properties.

The Phantom protocol was introduced at DEFCON 16 in 2008 by Magnus Bråding (slides [PPT]) and is designed to provide decentralized anonymity. The idea is that there is no central weak point that can be shut down or attacked to stop the use of Phantom. It also requires end-to-end encryption, unlike Tor and others, so that there is no "exit node" problem, where a compromised or malicious participant can eavesdrop on the communication. In addition, Phantom is designed for higher performance so that large data volumes can be transferred through the network.

One of the most interesting aspects of Phantom is that it requires no changes to existing internet applications. From the perspective of a web browser or other application, it is just using standard-looking IP addresses. In reality, those addresses are Anonymous Protocol (AP) addresses that are handled by the Phantom software. One of the assumptions that Phantom makes is that IP addresses can be mapped to real-life identities (a very sensible assumption), so one of the major goals is to ensure that those cannot leak.

While the internet is used to carry all of the Phantom traffic, that traffic is virtually partitioned from the rest of the internet. Service providers that want to enable anonymous access to their services (e.g. a web server) have to register that service within the Phantom network. Obviously, that registry could be a problem from a decentralization standpoint, but Phantom uses a distributed hash table (DHT) to contain the information. Various large-scale implementations of DHTs, like Kademlia that was used by the eMule peer-to-peer system, are already in existence.

The DHT is known as the "network database" and contains two separate tables. One lists the IP addresses, ports, and properties of the currently connected nodes in the network, while the other has the AP addresses and properties of connected and registered nodes. The two tables are, obviously, not directly correlated as that would defeat the whole purpose. In order to get a "copy" of the DHT, a new node just needs to contact one existing node and join into the distributed database. Lists of valid IP addresses to connect to could come via nearly any mechanism: web sites, email, or even distributed on pieces of paper. If even one of the listed nodes is still valid, a new node can use it to join in.

A client that wants to communicate on the network must set up its own exit node. It does so by choosing a number of other nodes in the network with which to establish a routing path, the last one of which is the exit node. Unlike Tor, there isn't an established set of exit nodes as any system participating in the network can potentially be an exit node. Also unlike Tor, it is the endpoint that chooses its routing path, rather than the network making those decisions. There is a detailed description of the protocol for establishing a routing path in the Phantom design white paper [PDF]. Each step along the path is encrypted using SSL and the paper shows the details of the complicated process of creating the exit node.

Similarly, any services on the network need to create a routing path to an "entry node". In some cases, where the service itself does not require anonymity but wants to provide access for anonymous clients, the entry node may be the server itself. In any case, services register their AP-to-IP address mapping in the DHT using the IP address of the entry node. For services that do wish to remain anonymous, they will still be hidden behind the routing path from that entry node.

Furthermore, nodes create routing tunnels between themselves and their exit or entry node. These tunnels are under the control of the endpoints, not the network or any intermediary (including entry/exit) nodes. Making a connection is then a process of connecting the two routing tunnels together with the exit node of the client connecting to the entry node of the server. These tunnels are bi-directional, and encrypted in such a way that the intermediaries cannot decrypt the traffic, nor can a man-in-the-middle interfere with the communication without detection.

One of the important properties of the system is that nodes do not know whether they are talking to an endpoint or just another node in a routing path. The routing paths themselves can be arbitrarily long, and could even be chained together to provide further isolation as desired.

While the whole scheme seems fiendishly complex, it has been implemented [PDF] by Johannes Schlumberger as part of his Masters Degree work. Performance is, perhaps surprisingly, said to be reasonable: "maxing out a 100 Mb/s network connection for data transfers over multi-hop Phantom routing tunnels, so the crypto overhead does not seem to be significant at all". The code is available under the Hacktivismo Enhanced-Source Software License Agreement (HESSLA), which seems to be a GPL-inspired license with some additional "political" objectives. Based on the README, the implementation uses a tun virtual network device and may be fairly complicated to set up.

Overall, Phantom looks very interesting. Like Tor and others, though, it requires a fairly large number of participating nodes in order to truly be of use. One of the biggest barriers for Tor has been that exit nodes get blamed for the behavior of the traffic that emanates from them. Since that traffic can't be traced further back than the exit nodes (at least hopefully), any criminal or malicious traffic is associated with whoever runs the Tor node. Because services will have to specifically enable anonymous access for Phantom, that may be less of a problem. It may also make Phantom adoption less likely.

It's a bit difficult to see widespread adoption of Phantom (or any of the other anonymous network protocols), though the Electronic Frontier Foundation has been pushing Tor adoption recently. Some kind of solution is clearly needed but, so far, the logistical and legal hurdles seem to be too large for many to overcome. Unfortunately, anonymous networks may fall into the category of "things that are not set up until it's too late". But it is good to see that people are still thinking about, and working on, this problem.

(Log in to post comments)

Exit node problem

Posted Jun 10, 2011 21:39 UTC (Fri) by Creideiki (subscriber, #38747) [Link]

Isn't this what exit policies have always done?

Exit node problem

Posted Jun 10, 2011 22:06 UTC (Fri) by rwmj (subscriber, #5474) [Link]

I always understood that exit policies were just to prevent people connecting to port 25 (to send spam) or "private" (to attack your RFC 1918 private network). I've just checked the manual and I'm actually still unclear on whether they can be used for what I suggested ...

Maybe a Tor expert can help here.

Exit node problem

Posted Jun 10, 2011 22:12 UTC (Fri) by Creideiki (subscriber, #38747) [Link]

I'm no expert, but seeing as the manual says

For example, "accept 18.7.22.69:*,reject 18.0.0.0/8:*,accept *:*" would reject any traffic destined for MIT except for web.mit.edu, and accept anything else.

I don't understand what you think is lacking.

Exit node problem

Posted Jun 10, 2011 22:18 UTC (Fri) by rwmj (subscriber, #5474) [Link]

Right, but if I go to the bother of finding out and listing all the BBC's networks (in itself an ever-changing task), and list them in a long series of 'accept' statements, do those get properly propagated out to the directory?

The manual is unclear. It says that (some?) exit policies are propagated out. Long complex lists? It doesn't seem to be the intended use of this feature.

I'd want to hear it from a Tor developer, one way or the other.

Exit node problem

Posted Jun 13, 2011 19:04 UTC (Mon) by adisaacs (subscriber, #53996) [Link]

I'm not a Tor developer, but I follow the mailing lists somewhat.

IIUC, every unique exit policy must be propagated out in the consensus. Adding thousands of unique exit policies (one per "custom" exit node) would make the Tor consensus grow quite large, which would slow down the entire network. I *think* (not entirely certain) that end user nodes have to retrieve the consensus before establishing circuits, so it would slow down Tor startup for all users.

If I understand correctly, then it wouldn't scale for every exit node to pick its own set of allowed IPs.

Besides, how would you decide what networks to exit for? Just BBC? Do you want to allow CNN as well? How about Wikipedia?

Exit node problem

Posted Jun 13, 2011 19:34 UTC (Mon) by rwmj (subscriber, #5474) [Link]

Since the issue is I could well be arrested and have all my computer equipment seized if someone used Tor to access child porn or terrorist material from my network, I'd want to choose sites that wouldn't contain this. And I would like to push the political objectives of Tor without letting people do things that I don't approve off (it's my network access after all). So in my case it'd just be the BBC networks.

Exit node problem

Posted Jul 16, 2011 15:07 UTC (Sat) by fuhchee (guest, #40059) [Link]

"So in my case it'd just be the BBC networks."

OK, but why would someone want to use tor to access the bbc?

Exit node problem

Posted Jul 17, 2011 17:42 UTC (Sun) by anselm (subscriber, #2796) [Link]

AFAIR, the BBC's back content is officially only available to people with a paid-up British television licence. Since you can't get a British television licence unless you're in the UK, the BBC, maybe understandably, restricts access to the relevant servers to clients with an IP address that is located in the UK.

There seems to be a market for UK-based proxy servers especially to allow people from outside the UK to get at the BBC servers. Presumably using a Tor exit node inside the UK would also do the trick.

Personally I'd be happy to pay the Beeb to be allowed to access their programming from here in Germany. For all the griping the Brits do about the BBC, much of what they're broadcasting is still way better than the vile stuff we're stuck with hereabouts.

Exit node problem

Posted Jul 17, 2011 18:41 UTC (Sun) by fuhchee (guest, #40059) [Link]

"AFAIR, the BBC's back content is officially only available to people with a paid-up British television licence."

That's true, but there are two problems with that. I'm pretty sure rwmj is not interested in become a high-bandwidth multimedia proxy. Also, it is somewhat likely that he is not interested in assisting vicarious copyright infringement.

Exit node problem

Posted Jul 17, 2011 23:21 UTC (Sun) by mjg59 (subscriber, #23239) [Link]

The current legal state is that you only need a license to watch the BBC's live streams, not the back content. http://iplayerhelp.external.bbc.co.uk/help/playing_tv_pro... has more on this.

Exit node problem

Posted Jul 18, 2011 7:12 UTC (Mon) by anselm (subscriber, #2796) [Link]

OK, but you can still only get at the BBC's back content from UK-based IP addresses (for the time being, anyway). So there's a certain demand for shady arrangements that let people appear to be in the UK when in reality they aren't.

Exit node problem

Posted Jun 16, 2011 6:23 UTC (Thu) by eduperez (guest, #11232) [Link]

The "exit node problem" in TOR is, AFAIK, not what you describe (node operators facing problems because of the actions of TOR users), but the ability of "rogue" operators to eavesdrop any traffic leaving their node.