comp.protocols.tcp-ip (TCP and IP network protocols.) - 14,669 messages

Message 13,560 of 14,669
From: Skybuck Flying to All
Subject: Extending IPv4 with source translation/s
Date: 09 Sep 10 07:25:49
XPost: alt.winsock.programming, comp.arch, comp.dcom.lans.ethernet
XPost: sci.crypt
From: IntoTheFuture@hotmail.com

Hello,

The internet protocol version 4 could be extended with source translation/source privacy.

The idea is as follows:

The ip.source is translated into something else/arbitrary along the path's routers to its destination.

Each router selects a random available ip from a table which is to replace the ip.source of the packet.

A bit is set in the packet indicating the privacy option. This bit could be bit 0 of the ip.flag; alternatively it could also be an add-on option. The flag bit is to be preferred because it would require few changes to simple ip implementations.

If the router does not support this new option then the ip.source is left intact.

Packets with the bit cleared are routed as normal.

Packets with the bit set indicate a special privacy packet and have to be treated in a special way.

if ip.flag.bit0 is set it indicates a privacy packet, then
  if ip.TypeOfService.bit6 is set it indicates the ip.source is translated.
  if ip.TypeOfService.bit7 is set it indicates the ip.dest is translated.

Bit6 of ip.TypeOfService is used to indicate the ip.source is translated.
Bit7 of ip.TypeOfService is used to indicate the ip.destination is translated.

These two bits are used to indicate if it's a regular/normal ip or a translated ip.

Based on this information the router can make a decision if the packet is to be routed freely/normally or if certain restrictions apply.

If the ip.TypeOfService.bit7 is set then a restriction applies. The router can only route the packet towards the router which had the ip.dest as an ip.source during previous transmissions/receptions at the current router.

Therefore each router on reception of a privacy packet must also remember from which router it came. Therefore each ip.source (ip translated source) is unique per router and needs a separate entry in the router's hash table/data structure.

All translated ip's remain valid for a certain period of time which needs to be standardized; for example 5 minutes might be ok.

The goal of the idea is to keep the ip.source secret from end points of the internet and also from other routers. At each stage/hop/router that supports it, translation happens; stages/hops/routers that don't support it should function normally and still work:

A->B->C->D->E

C does not support translation.

A sends to E along path BCD.

Packet at A looks like:
ip.source = A
ip.dest = E
ip.flag.bit0 = 1
ip.tos.bit6 = 0
ip.tos.bit7 = 0

Packet at B looks like:
ip.source = Z
  (Z selected from ip_seen_table, (Z not in ip_seen_table, Z not in translation tables))
  (forward_translation_table[A].replacement = Z)
  (backward_translation_table[Z].replacement = A)
ip.dest = E
ip.flag.bit0 = 1
ip.tos.bit6 = 1
ip.tos.bit7 = 0

Packet at C looks like:
ip.source = Z
ip.dest = E
ip.flag.bit0 = 1
ip.tos.bit6 = 1
ip.tos.bit7 = 0

Packet at D looks like:
ip.source = G
  (G selected from ip_seen_table, (G not in ip_seen_table, G not in translation tables))
  (forward_translation_table[Z].replacement = G)
  (backward_translation_table[G].replacement = Z)
ip.dest = E
ip.flag.bit0 = 1
ip.tos.bit6 = 1
ip.tos.bit7 = 0

Packet at E looks like:
ip.source = G
ip.dest = E
ip.flag.bit0 = 1
ip.tos.bit6 = 1
ip.tos.bit7 = 0

EndPoint E will believe the packet came from G.

EndPoint E wishes to communicate back to G, which is actually A, and proceeds as normal and sends messages back:

EndPoint E does also not support the privacy option, therefore E will send the following:

Packet at E looks like:
ip.source = E
ip.dest = G
ip.flag.bit0 = 0
ip.tos.bit6 = 0
ip.tos.bit7 = 0

Packet at D looks like:

Router at D detects G and knows it was a translated IP; meanwhile it could also have become the real G. This is where it gets a little tricky. If the real G was received by router at D and was also transmitted to E, a conflict has occurred. This could be solved by translating conflicts as well... therefore the real G could get a different IP for the time being... which could further confuse E, which is not desirable... so instead the privacy "connection" is lost and the real G will prevail over the fake G. The fake G can be removed and replaced with something else, resulting in a short loss of a packet, possibly a tcp connection and other udp related connections... future protocols might need to be aware of such drops and take into account that it might happen. If clients start supporting the privacy option as well this might not be a problem anymore since the flags will indicate if it was a translated ip or a real ip.

Anyway let's go on for a moment since these conflicts could be rare in practice and might not really present that big of a problem...

As I was writing... the router at D detects G and translates it back via its backward translation table. G is replaced with Z.

Since the router supports the privacy option, E is also translated.

ip.source = Q
  (Q selected from ip_seen_table, (Q not in ip_seen_table, Q not in translation tables))
  (forward_translation_table[E].replacement = Q)
  (backward_translation_table[Q].replacement = E)
ip.dest = Z
ip.flag.bit0 = 1
ip.tos.bit6 = 1
ip.tos.bit7 = 1

Packet at C looks like:

ip.source = Q
ip.dest = Z
ip.flag.bit0 = 1
ip.tos.bit6 = 1
ip.tos.bit7 = 1

Router at C does not support the privacy option and ignores it and routes the packet forward to Z, which came from the router at B.

Here another potential problem exists... if C does not copy over the tos bits then B could get confused... I am not sure what routers do and if they are allowed to modify tos bits of packets. If they are allowed to modify tos bits then a solution will have to be found, and some other kind of bits might have to be used. If no solution can be found then perhaps this idea could be implemented for ipv6 instead.

Packet at B looks like:

Router at B supports the privacy option and applies it to the source as well... Q is replaced with L

ip.source = L
  (L selected from ip_seen_table, (L not in ip_seen_table, L not in translation tables))
  (forward_translation_table[Q].replacement = L)
  (backward_translation_table[L].replacement = Q)
ip.dest = A
  (Z is found in translation table)
  (Z is replaced with A via backward translation table)
ip.flag.bit0 = 1
ip.tos.bit6 = 1
ip.tos.bit7 = 0

Bit7 could be turned off since it detected/found Z in the table... and thus can translate it back.

ip.tos.bit7 could therefore prevent confusion among routers and make them understand if something is a real ip or a translated ip, so as to be able to properly route real ip's. I am not completely sure if bit7 is really required but I think so...

[continued in next message]

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)
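The per-hop scheme in the post above, as an added simulation that is not the poster's code. It models the forward and backward translation tables, the flag/tos bits, the A->B->C->D->E walk (C not supporting the option), the reply from E, the 5-minute expiry, and the "real G collides with fake G" conflict where the real address prevails. Several details the post leaves open are assumptions here: a non-supporting hop is assumed to pass the tos bits through untouched, ip.tos.bit7 on the return path is derived by remembering whether the address a replacement stood for was itself translated, and replacements are popped from a fixed pool rather than chosen at random so the output is reproducible. Addresses A..E, Z, G, Q, L are the post's own labels; everything else (class and function names, the clock hook) is invented for the example.

```python
"""Simulation of per-hop source translation as proposed in the post.
Added example, not the poster's code; table layout, TTL handling and the
derivation of bit7 are assumptions made to turn the prose into code."""
import copy
import time
from dataclasses import dataclass

TTL_SECONDS = 300  # the post suggests standardising something like 5 minutes


@dataclass
class Packet:
    src: str
    dst: str
    privacy: bool = False      # ip.flag.bit0: this is a privacy packet
    src_xlated: bool = False   # ip.tos.bit6: ip.source has been replaced
    dst_xlated: bool = False   # ip.tos.bit7: ip.dest has been replaced


class Router:
    """One hop. `pool` holds the addresses this router may hand out as
    replacements (the post's ip_seen_table minus anything already in a table)."""

    def __init__(self, name, supports, pool=(), clock=time.monotonic):
        self.name, self.supports, self.clock = name, supports, clock
        self.pool = list(pool)
        self.forward = {}   # original src -> replacement
        self.backward = {}  # replacement -> (original src, timestamp, original was itself translated)

    def _expire(self):
        """Drop mappings older than the TTL and return the address to the pool."""
        now = self.clock()
        for fake, (real, stamp, _) in list(self.backward.items()):
            if now - stamp > TTL_SECONDS:
                del self.backward[fake]
                del self.forward[real]
                self.pool.append(fake)

    def _translate_src(self, pkt):
        if pkt.src in self.forward:
            fake = self.forward[pkt.src]      # keep the mapping stable within the TTL
        else:
            fake = self.pool.pop(0)           # post picks at random; deterministic here (assumption)
            self.forward[pkt.src] = fake
            self.backward[fake] = (pkt.src, self.clock(), pkt.src_xlated)
        pkt.src, pkt.src_xlated = fake, True

    def handle(self, pkt):
        pkt = copy.copy(pkt)
        if not self.supports:
            return pkt                        # non-supporting hop: bits assumed to pass through
        self._expire()
        if pkt.src in self.backward and not pkt.src_xlated:
            # The conflict the post describes: a real host owns an address we handed out.
            # The real address prevails and the fake mapping is discarded.
            real, _, _ = self.backward.pop(pkt.src)
            self.forward.pop(real, None)
        if pkt.dst in self.backward:
            # Return traffic addressed to a replacement: restore what it stood for.
            # bit7 stays set only if the restored address is itself a replacement
            # handed out by an earlier hop (assumption about how bit7 is derived).
            real, _, was_xlated = self.backward[pkt.dst]
            pkt.dst, pkt.dst_xlated, pkt.privacy = real, was_xlated, True
        if pkt.privacy:
            self._translate_src(pkt)
        return pkt


def send(path, pkt):
    """Push pkt through the routers in order; return the packet as seen at each hop."""
    trace = [copy.copy(pkt)]
    for router in path:
        pkt = router.handle(pkt)
        trace.append(pkt)
    return trace


def build_path(clock=time.monotonic):
    """The post's A->B->C->D->E: B and D translate, C does not. Pools are constructed."""
    b = Router("B", True, ["Z", "L"], clock)
    c = Router("C", False, clock=clock)
    d = Router("D", True, ["G", "Q"], clock)
    return b, c, d


def show(origin, path, pkt):
    trace = send(path, pkt)
    print(f"{origin} sends: {trace[0]}")
    for router, p in zip(path, trace[1:]):
        print(f"after {router.name}: {p}")


if __name__ == "__main__":
    b, c, d = build_path()
    show("A", [b, c, d], Packet("A", "E", privacy=True))
    # E does not support the option and replies to what it believes is G.
    show("E", [d, c, b], Packet("E", "G"))
    # A host that really owns G sends through D: the fake G mapping is dropped.
    d.handle(Packet("G", "E"))
    print("D backward table after conflict:", d.backward)
```

Running it prints the same packet states the post walks through by hand: E sees source G, A sees source L with bit6 set and bit7 clear, and after the real G passes through D the mapping G->Z is gone, so E's next reply to G would reach the real G rather than A, which is the drop the post warns about.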
(c) 1994, bbs@darkrealms.ca