Hacker News new | ask | show | jobs
by dstaesse 2346 days ago
I'm one of the developers. Thank you all for your interest in this project. This website is still under construction, and we're well aware that it's severely lacking in information, I'll try to find some time to update everything. Unfortunately marketing is not one of my skills.

The cleaner architecture is the whole point of the exercise.

I'm trying to avoid arguments why this would be "better" than anything else. Just some examples of things that I personally don't like about IP, and that Ouroboros does differently. These points may not matter to you, and that is perfectly fine. I'm not a salesman trying to make a sell.

1) IP (and Ethernet etc) has source addresses in every packet. Ouroboros negotiates them at the start of the communication, and only has the destination address in the packets. This improves end-user privacy a great deal.

2) The Ouroboros end-to-end protocol, (which has the RTT estimator and retransmisison timeout (RTO) timer), runs in the library between the actual server and client programs. It runs at sub-millisecond accuracy. If there is an underestimation of RTT, at worst it retransmits a few extra packets (See 3). But these improve the RTT estimate.

3) Default TCP congestion control doesn't play nice in lossy situations, having severe issues with throughput because of AIMD. Ouroboros completely splits the network and end-to-end protocol. Therefore the architecture only allows congestion control using Forward ECN at the network protocol (and only the network protocol). This is similar to the operation of DCTCP, but DCTCP has the ECN in the network protocol (IP), and the notification in the end-to-end protocol (TCP). I'm not fond of that as a solution (however, if I would run a commercial datacenter, I would run DCTCP, no doubt about that).

4) The Ouroboros end-to-end protocol is based on Delta-t, which doesn't require the 3-way handshake of TCP. It does have a two-way handshake (called flow allocation) to negotiate endpoints and the peer addresses (as to avoid sending src in every packet). But it can also do a ECDHE key exchange at that time. So it can establish an encrypted end-to-end connection in 1 RTT. The implementation still does it in 2 phases, (it's on my to-do list to piggyback the public keys).

5) Ouroboros has 2 types of layers, one for unicast and one for broadcast. This is where I think it really shines. The broadcast layer allows easy implementation of what is known as a "multicast service". A PoC is in the obc program.

Some of this may still seem nebulous, and I apologize. It's an unfunded pet project. But if I find interested people that ask interested questions, it will help me to update the documentation and make things more digestible/palatable.

Thank you again for your interest.
3 comments
grok2 2346 days ago
You should put this up on your site as a link to "Technical Details"! For anyone who knows networking stacks, this really clarifies the features/benefits and also shows there is some substance behind the protocol/stack. Otherwise, like everyone else pointed out, the web-site itself doesn't provide a clue as to why one would use this.
link
beagle3 2346 days ago
> only has the destination address in the packets. This improves end-user privacy a great deal.

Does it? If someone is in a position to see the beginning of the flow, then they know both endpoints, don't they?

link
dstaesse 2346 days ago
Sure. It's an odds game. But, do you have a counter-example where sending the source address in every packet has better privacy than not doing so?

As another fun addition, we investigated an algorithm to distribute the actual data packets along different paths: https://lib.ugent.be/fulltxt/RUG01/002/494/958/RUG01-0024949...

link
beagle3 2346 days ago
> But, do you have a counter-example where sending the source address in every packet has better privacy than not doing so?

No, but I would not describe it as "helping a great deal". I would describe it as "potentially help" or "help somewhat".

link
dstaesse 2345 days ago
Well, fair enough. Let me explain a bit how it would be done. Finding the "first packets" is not as easy as you may think.

The two fields in the network protocol that matter are the destination address (DST) and the endpoint ID (EID). These identify the flow uniquely. I'll write this header as DST:EID.

So you find some packet that has, let's say 1000:100 as the header. Now, that flow was established at some point in the past with two packets, that are sent between components called the flow allocators. Flow allocator packets are all sent to a fixed EID, 1. So there will have been an exchange in the network of a packet with 1000:1, and a packet send back from 1000 to the source, SRC:1 (you don't know the source yet).

The contents of the first packet will be (relevant fields only) 1000:1:SRC:X with SRC the source address, and X an endpoint ID chosen by the source. When the destination receives this, it generates its EID=100 and sends the following information to the source's flow allocator: SRC:1:X:100

The source knows from X that the message is from 1000. This is enough information for both endpoints to know the <ADDR, EID> pair of their peers. An interceptor doesn't know SRC or X. You could look for all packets and find that "100" field, but how do you know it was sent by 1000?

It will take quite some traffic flow analysis to match these two packets. Probably it will be easier to try to match the actual data flows.

Now take into account that networks have multiple layers, and all flows are established this way.

It's definitely not impossible. But it's harder than just reading the first X bytes off a packet.

link
still_grokking 2346 days ago
Fascinating!
link
dstaesse 2346 days ago
thank you :)
link