From: root <root@einstein.ssz.com>
Date: Sat, 21 Jan 95 06:51:24 PST
To: usura@replay.com (Alex de Joode)
Subject: Re: Remailers-in-a-box
In-Reply-To: <199501211209.AA07362@xs1.xs4all.nl>
Message-ID: <199501211238.GAA00767@einstein.ssz.com>
MIME-Version: 1.0
Content-Type: text


> 
>  - The entry point of a remailer is entry@remail.org, 
> 
>  - entry@remail.org has a forward file to: batch@remail.org
>
I would state this is a security breach. entry@remail.org should not
know anything about the second level re-mailers other than a method to
identify them as legitimate.
 
>  - batch@remail.org does the actual remailing, since remail.org has
>    installed some sort of MX'ing all messages that leave batch@remail.org
>    will advertise themself as nobody@expendable.org .
>
The 'client' re-mailers should be the ones to initiate the call-up, not the
entry re-mailer. This way if the portal is compromised no information can
be gained such as the list of clients. The entry re-mailer should sit there
waiting for a call. When it gets one it goes through some kind of verification
process (akin to some comments I maid back in the summer relating to making
all the packets encrypted at all times).
 
>  - If you "loose" expendable.org, you simple set up a new account with
>    MX'ing, the remailer-users will only notice the change in exit-header,
>    the enrty-point of that remailer is still entry@remail.org
> 
If you make the entry point anonymous and have at least two of the entry points
slaved (sorta like collision avoidance on ethernet) then the entry point never
has to change. Also if one goes down the other takes up the slack. It might
also be possible to have it route over-flow packets from the main router to the
slave router when traffic maxes out.

The reality is that the main point of attack is going to be the incoming
since if you take that one (if it is a smalll and simple re-mailer network)
will bring the whole system to its knees.

Take care.


Take care.