i2p.www/pages/how_threatmodel.html

<p>
There are a great many other applications and projects working on anonymous 
communication and I2P has been inspired by much of their efforts.  This is not 
a comprehensive list of anonymity resources - both freehaven's 
<a href="http://freehaven.net/anonbib/topic.html">Anonymity Bibliography</a>
and GNUnet's <a href="http://www.ovmj.org/GNUnet/links.php3">related projects</a> serve
that purpose well.  That said, a few systems stand out for further comparison:</p>

<UL>
<li> Morphmix and Tarzan
<li> TOR / Onion Routing
<li> Mixminion / Mixmaster
<li> Freenet
<li> JAP
</UL>

<H2>Morphmix and Tarzan</H2>

<i><a href="http://www.tik.ee.ethz.ch/~morphmix/">[Morphmix]</a> 
   <a href="http://www.pdos.lcs.mit.edu/tarzan/">[Tarzan]</a></i>

<p>
Morphmix and Tarzan are both fully distributed, peer to peer networks of 
anonymizing proxies, allowing people to tunnel out through the low latency 
mix network.  Morphmix includes some very interesting collusion detection 
algorithms and Sybil defenses, while Tarzan makes use of the scarcity of IP
addresses to accomplishs the same.  The two primary differences between 
these systems and I2P are related to I2P's <a href="/book/view/41?PHPSESSID=42d2b0545f243f2537476db228ce1636">threat model</a> 
and their out-proxy design (as opposed to providing both sender and receiver 
anonymity).  There is source code available to both systems, but we are not aware 
of their use outside of academic environments.</p>
<p>
Stealing quite directly from the Tarzan paper, the following includes a quick
comparison of Tarzan, Crowds, Onion Routing (OR), and I2P:</p>

<img src="http://i2p.net/~jrandom/wiki/comparison.png">

<H2>TOR / Onion Routing</H2>

<i><a href="http://freehaven.net/tor/">[TOR]</a> 
   <a href="http://www.onion-router.net">[Onion Routing]</a></i>
<p>
TOR and Onion Routing are both anonymizing proxy networks, allowing people
to tunnel out through their low latency mix network.  The two primary 
differences between TOR / OnionRouting and I2P are again related to differences
in the threat model and the out-proxy design (though TOR is working to provide 
redevous points within the mix network, which will provide recipient anonymity).
In addition, these networks take the directory based approach - providing a 
centralized point to manage the overall 'view' of the network, as well as gather 
and report statistics, as opposed to I2P's distributed 

<a href="/book/view/44?PHPSESSID=42d2b0545f243f2537476db228ce1636">network database</a> and <a href="/book/view/135?PHPSESSID=42d2b0545f243f2537476db228ce1636">peer selection</a>.</p>

<p>On the technical side, there are 5 main differences between TOR and I2P:</p>
<ul>
 <li>TOR is centrally managed (trusted directories, only some people fully participate
     in the network with cover traffic) while I2P is fully distributed.  This has serious
     anonymity implications for people using TOR that are not one of the TOR nodes,
     since a powerful attacker could determine your identity, or coerce the maintainer 
     of TOR's directory server to include untrustworthy nodes.</li>

 <li>TOR is circuit based (with reliable, ordered, bidirectional tunnels), while I2P
     is packet based (with unreliable, unordered, unidirectional tunnels).  As with the
     TCP/IP separation, I2P optionally adds TCL-like functionality on top of the packet
     based network by means of mihi's ministreaming library.</li>
 <li>TOR is low latency, while I2P is variable latency (both ASAP and stop+go).  This will
     allow I2P to provide a higher level of anonymity by blending the anonymity set of 
     different user bases together - for example, filesharing users and militants look 
     the same, though make use of different techniques to balance their own anonymity 
     and security needs)</li>

 <li>TOR is IP addressed, relying on the security of the IP layer for authenticating
     and securing the message delivery, while I2P is cryptographically addressed.</li>
 <li>TOR is written in C on *nix (windows port w/ cygwin?), while I2P is written in 
     Java and tested on *nix, windows, and macs</li>
</ul>

<H2>Mixminion / Mixmaster</H2>

<i><a href="http://mixminion.net/">[Mixminion]</a> 
   <a href="http://mixmaster.sourceforge.net/">[Mixmaster]</a></i>

<p>
Mixminion and Mixmaster are networks to support anonymous email against a very
powerful adversary.  I2P aims to provide an adequate means to meet their threat
model as we reach I2P 3.0 along side the needs of low latency users, providing
a significantly larger anonymity set.  As with TOR and Onion Routing above, 
both Mixminion and Mixmaster take the directory based approach as well.</p>

<H2>Freenet</H2>

<i><a href="http://freenetproject.org/">[Freenet]</a></i>
<p>
Freenet is a fully distributed, peer to peer anonymous publishing network.  
As such, generic anonymous communication over it requires the use of the global
blackboard model - storing data somewhere that the recipient will then check 
for a message.  Freenet also does not support the concept of user defined delays -
it stores and fetches data as quickly as it can, rather than queueing up, pooling,
delaying, and mixing the data, leaving a hole with regards to long term intersection
attacks.  In addition, there seem to be some performance issues that can arguably
be attributed to the global blackboard model which will likely rule out interactive
low latency communication.</p>

<H2>JAP</H2>

<i><a href="http://anon.inf.tu-dresden.de/index_en.html">[JAP]</a></i>

<p>
JAP (Java Anonymous Proxy) is a network of mix cascades for anonymizing web requests,
and as such it has a few centralized nodes (participants in the cascade) that blend
and mix requests from clients through the sequence of nodes (the cascade) before 
proxying out onto the web.  The scope, threat model, and security is substantially 
different from I2P, but for those who don't require significant anonymity but still
are not satisfied with an Anonymizer-like service, JAP is worth reviewing.  One
caution to note is that anyone under the jurisdiction of the German courts may want
to take care, as the German Federal Bureau of Criminal Investigation (FBCI) has has 
successfully mounted an 
<a href="http://www.datenschutzzentrum.de/material/themen/presse/anonip3_e.htm">[attack]</a> 
on the network.  Even though the method of this attack was later found to be illegal 
in the German courts, the fact that the data was successfully collected is the 
concern.  Courts change their minds based upon circumstance, and this is evidence that 
if a government body or intelligence agency wanted to, they could gather the data, even 
if it may be found inadmissible in some courts later)
</p>
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`<p>`
			`There are a great many other applications and projects working on anonymous`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`communication and I2P has been inspired by much of their efforts. This is not`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`a comprehensive list of anonymity resources - both freehaven's`
			`<a href="http://freehaven.net/anonbib/topic.html">Anonymity Bibliography</a>`
			`and GNUnet's <a href="http://www.ovmj.org/GNUnet/links.php3">related projects</a> serve`
			`that purpose well. That said, a few systems stand out for further comparison:</p>`

			`<UL>`
			`<li> Morphmix and Tarzan`
			`<li> TOR / Onion Routing`
			`<li> Mixminion / Mixmaster`
			`<li> Freenet`
			`<li> JAP`
			`</UL>`

			`<H2>Morphmix and Tarzan</H2>`

			`<i><a href="http://www.tik.ee.ethz.ch/~morphmix/">[Morphmix]</a>`
			`<a href="http://www.pdos.lcs.mit.edu/tarzan/">[Tarzan]</a></i>`

			`<p>`
			`Morphmix and Tarzan are both fully distributed, peer to peer networks of`
			`anonymizing proxies, allowing people to tunnel out through the low latency`
			`mix network. Morphmix includes some very interesting collusion detection`
			`algorithms and Sybil defenses, while Tarzan makes use of the scarcity of IP`
			`addresses to accomplishs the same. The two primary differences between`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`these systems and I2P are related to I2P's <a href="/book/view/41?PHPSESSID=42d2b0545f243f2537476db228ce1636">threat model</a>`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`and their out-proxy design (as opposed to providing both sender and receiver`
			`anonymity). There is source code available to both systems, but we are not aware`
			`of their use outside of academic environments.</p>`
			`<p>`
			`Stealing quite directly from the Tarzan paper, the following includes a quick`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`comparison of Tarzan, Crowds, Onion Routing (OR), and I2P:</p>`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00
			`<img src="http://i2p.net/~jrandom/wiki/comparison.png">`

			`<H2>TOR / Onion Routing</H2>`

			`<i><a href="http://freehaven.net/tor/">[TOR]</a>`
			`<a href="http://www.onion-router.net">[Onion Routing]</a></i>`
			`<p>`
			`TOR and Onion Routing are both anonymizing proxy networks, allowing people`
			`to tunnel out through their low latency mix network. The two primary`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`differences between TOR / OnionRouting and I2P are again related to differences`
			`in the threat model and the out-proxy design (though TOR is working to provide`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`redevous points within the mix network, which will provide recipient anonymity).`
			`In addition, these networks take the directory based approach - providing a`
			`centralized point to manage the overall 'view' of the network, as well as gather`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`and report statistics, as opposed to I2P's distributed`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00
			`<a href="/book/view/44?PHPSESSID=42d2b0545f243f2537476db228ce1636">network database</a> and <a href="/book/view/135?PHPSESSID=42d2b0545f243f2537476db228ce1636">peer selection</a>.</p>`

ungooglify (duck) 2004-07-06 21:38:20 +00:00			`<p>On the technical side, there are 5 main differences between TOR and I2P:</p>`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`<ul>`
			`<li>TOR is centrally managed (trusted directories, only some people fully participate`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`in the network with cover traffic) while I2P is fully distributed. This has serious`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`anonymity implications for people using TOR that are not one of the TOR nodes,`
			`since a powerful attacker could determine your identity, or coerce the maintainer`
			`of TOR's directory server to include untrustworthy nodes.</li>`

ungooglify (duck) 2004-07-06 21:38:20 +00:00			`<li>TOR is circuit based (with reliable, ordered, bidirectional tunnels), while I2P`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`is packet based (with unreliable, unordered, unidirectional tunnels). As with the`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`TCP/IP separation, I2P optionally adds TCL-like functionality on top of the packet`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`based network by means of mihi's ministreaming library.</li>`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`<li>TOR is low latency, while I2P is variable latency (both ASAP and stop+go). This will`
			`allow I2P to provide a higher level of anonymity by blending the anonymity set of`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`different user bases together - for example, filesharing users and militants look`
			`the same, though make use of different techniques to balance their own anonymity`
			`and security needs)</li>`

			`<li>TOR is IP addressed, relying on the security of the IP layer for authenticating`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`and securing the message delivery, while I2P is cryptographically addressed.</li>`
			`<li>TOR is written in C on *nix (windows port w/ cygwin?), while I2P is written in`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`Java and tested on *nix, windows, and macs</li>`
			`</ul>`

			`<H2>Mixminion / Mixmaster</H2>`

			`<i><a href="http://mixminion.net/">[Mixminion]</a>`
			`<a href="http://mixmaster.sourceforge.net/">[Mixmaster]</a></i>`

			`<p>`
			`Mixminion and Mixmaster are networks to support anonymous email against a very`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`powerful adversary. I2P aims to provide an adequate means to meet their threat`
			`model as we reach I2P 3.0 along side the needs of low latency users, providing`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`a significantly larger anonymity set. As with TOR and Onion Routing above,`
			`both Mixminion and Mixmaster take the directory based approach as well.</p>`

			`<H2>Freenet</H2>`

			`<i><a href="http://freenetproject.org/">[Freenet]</a></i>`
			`<p>`
			`Freenet is a fully distributed, peer to peer anonymous publishing network.`
			`As such, generic anonymous communication over it requires the use of the global`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`blackboard model - storing data somewhere that the recipient will then check`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`for a message. Freenet also does not support the concept of user defined delays -`
			`it stores and fetches data as quickly as it can, rather than queueing up, pooling,`
			`delaying, and mixing the data, leaving a hole with regards to long term intersection`
			`attacks. In addition, there seem to be some performance issues that can arguably`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`be attributed to the global blackboard model which will likely rule out interactive`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`low latency communication.</p>`

			`<H2>JAP</H2>`

			`<i><a href="http://anon.inf.tu-dresden.de/index_en.html">[JAP]</a></i>`

			`<p>`
			`JAP (Java Anonymous Proxy) is a network of mix cascades for anonymizing web requests,`
			`and as such it has a few centralized nodes (participants in the cascade) that blend`
			`and mix requests from clients through the sequence of nodes (the cascade) before`
ungooglify (duck) 2004-07-06 21:38:20 +00:00			`proxying out onto the web. The scope, threat model, and security is substantially`
			`different from I2P, but for those who don't require significant anonymity but still`
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`are not satisfied with an Anonymizer-like service, JAP is worth reviewing. One`
			`caution to note is that anyone under the jurisdiction of the German courts may want`
			`to take care, as the German Federal Bureau of Criminal Investigation (FBCI) has has`
			`successfully mounted an`
			`<a href="http://www.datenschutzzentrum.de/material/themen/presse/anonip3_e.htm">[attack]</a>`
			`on the network. Even though the method of this attack was later found to be illegal`
			`in the German courts, the fact that the data was successfully collected is the`
			`concern. Courts change their minds based upon circumstance, and this is evidence that`
			`if a government body or intelligence agency wanted to, they could gather the data, even`
			`if it may be found inadmissible in some courts later)`
			`</p>`