On Wed, 2013-11-27 at 09:23 +0100, Anders Jackson wrote: > Sorry, my fault. I was thinking of IPSec, > http://en.m.wikipedia.org/wiki/IPsec > > > I think IPv6 will eventually mean that everyone has static IP > addresses > > at home, but in the meantime not everyone can access IPv6-only > services, > > can they? So do the transition mechanisms make it possible to run > > services accessible by IPv4-only users? > > Do you need IPv4 access in to your machine? We would still have IPv4 > access through IPv4 NAT. If all Freedomboxes have IPv6, they have peer > to peer access through encrypted connection. No need for fighting with > NAT traversal through one or more NAT routers.
Ah, I see where you're going, but I think we may need more than this. Eben Moglen's recent talks have persuaded me that privacy requires both secrecy and anonymity: http://snowdenandthefuture.info/PartII.html Therefore, for the peer-to-peer element, I have come to believe that governments should not able to see which other Freedomboxes you are communicating with. If we used IPSec, it would still be possible to figure out who owned the addresses you were talking to. Tor hidden services are easy to set up, they work even if the Freedombox is behind a firewall, and they have the advantage that you keep the same onion address even if your home IP is dynamic. I envisage this communication as happening mostly between the software on the boxes, rather than directly from any user's browser, so the end user never has to know that this is implemented on top of Tor. (This use of Tor is always encrypted end-to-end, and there are no "exit nodes" which can see your raw traffic. This avoids all the potential issues discussed on this list a few weeks ago with sending the user's unencrypted HTTP traffic over Tor.) Note that a connection from e.g. my own mobile phone to my Freedombox does not have the same anonymity requirement. GCHQ is going to know my phone and my home are linked together, because my identity is already associated with them both, and this is fine. This connection could very well use an IPSec VPN, if we could figure out how to make that work. However, I also believe that in order to be at all useful, Freedomboxes need to interoperate at some level with people who don't yet use Freedomboxes. So I still want to keep my same email address for now, and hopefully my same XMPP address, etc. To start with, I envisage that we do not actually host these on the Freedombox, but intercept and augment them (e.g. adding OpenPGP encryption to my email where possible). We can then start transparently re-routing mail I send to other Freedombox users. Deliver via their Tor hidden service address, rather than over the open internet. Later, if I want to, say, make my Freedombox's pump.io installation available to the internet at large, we need a way for other people with only IPv4 connections to see my site (ideally hosted on my own domain), even though my home only has a dynamic IPv4 address. This is where tools like Pagekite come in, and I can't see how I'd achieve this with IPv6. -- Tim Retout <[email protected]>
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
