[mnet-devel] reconsidering fundamental Mnet architecture (fwd)
- A double forward, unusual for this list. On a technical level Friendnets
are interesting because they are a new kind of decentralized topology.
---------- Forwarded message ----------
Date: Sat, 14 Dec 2002 20:40:17 +0100 (CET)
From: Eugen Leitl <eugen@...>
Cc: forkit! <fork@...>
Subject: [mnet-devel] reconsidering fundamental Mnet architecture (fwd)
---------- Forwarded message ----------
Date: Sat, 14 Dec 2002 14:16:02 -0500
From: Zooko <zooko@...>
Subject: [mnet-devel] reconsidering fundamental Mnet architecture
the human context and the future of Mnet dura-link v1.0.1
The state of the art in emergent network design goes something like this:
step 1, treat everyone you talk to over the Internet identically. Whether the
other person is your best friend or the one millionth anonymous stranger from
a university network half-way around the world, you offer your resources to
them and request services from them just the same. step 2, design a wonderful,
infinitely scalable, efficient, elegant emergent network on top of this
substrate. step 3, observe that if all of the players aren't perfectly
well-behaved and altruistic, your wonderful design doesn't work, and start
trying to figure out how to salvage your beautiful design from being destroyed
by the ugly fact of malicious and/or selfish agents.
Now, solutions proposed by people in step 3 include very clever game-theoretic
tricks and cryptography, the addition of ubiquitous micropayments (as
pioneered by Mojo Nation), the addition of sophisticated redundancy so that as
long as the malicious/selfish nodes are not a sufficiently large subset their
misbehavior is drowned out by the majority, the addition of reputations so
that only people who have already given something of value are allowed to
take something of value, and more.
But it seems to me that the first thing we should do is go back and reconsider
step 1: the part where you forget everything you know about your friends and
family and treat messages received over the Internet from strangers half-way
around the world the same as messages received over the Internet from your
best friend. I think that the emergent network designer should focus on the
human context, both because the human context is where our ultimate goals and
values are defined, and also because the human context is the best source of a
uniquely valuable network resource: trust.
(Raph Levien and Mark Miller are both thinking along these lines, although
they're thinking of dramatically different designs.)
This is the core consideration of what Lucas Gonze calls "friendnet".
"Friendnet" is similar to what business people use under the name "VPN" --
Virtual Private Network. A VPN is an "overlay network", in that it runs on top
of the Internet, but it acts like a private local network, in that all of the
computers and all of the human users on a VPN belong to the same company, obey
the same rules, and are loyal and altruistic toward one another. (Ahem.)
Now obviously there are some things we would like to do differently with
friendnet. For starters, I strongly prefer the emergent and human topology of
"I have some friends, and they have some friends, and some but not all of
their friends are also my friends.", over the centralized and, well, inhuman
topology of "Every user on this network is an employee/member of X
organization, and they are not allowed to have any network connections to
other people who are not also employees/members of X organization.".
For seconders, we could investigate the intriguing possibility of automated
transitive operations. This could be automated transitive proxying, where I
request something of my friend, and since he can't give it to me, but his
friend can, his computer automatically requests it of his friend and then
gives it over to me. It could also be automated transitive introduction, where
my friend's computer automatically introduces his friend to me (so that I can
then make direct requests of my friend's friend).
Raph's research is all about doing this automated transitive stuff in a
systemically constrained way. That is to say doing it safely -- without
letting it run out of control such that our computers offer all of our
resources and all of our privacy to a friend of a friend of a friend of a
friend, who turns out to be an enemy. I think that his research is promising
and will probably lead to very important techniques someday.
But when doing pragmatic design on the Mnet network, I would rather try the
variant without any automated transitive operations. This is simpler to
design, and almost certainly safer.
My current big issue in the design and evolution of Mnet is that this notion
of friendnet (with or without systemically constrained transitive operations)
is at odds with a fundamental architectural feature that it inherited from
Mojo Nation, as originally designed by Jim McCoy and Doug Barnes. This
architecture has it that the storage and transfer of bulk data is a global,
automatically transitively managed resource, while the encryption keys
necessary to download and decrypt the data can be private and can be shared by
actual human friends via telephone or e-mail. I always liked that idea, and
when I initially launched the Mnet project and named it a "universal
filestore", my goal was to focus the project on implementing that simple
abstraction (universal public data store, private keys).
Nowadays I'm less keen on that abstraction, since the global part of it will
eventually require some "step 3" answer, and I'm doubting that layering step 3
on top of step 2 is the right approach, compared to the approach of revisiting
step 1 and building a unified and elegant emergent network from step 1 up.
There are also technical problems with the abstraction which I'll save for a
Now, a lot (all?) of my fellow Mnet Hackers are very keen on micropayments,
and even if I were to actively oppose the micropayment notion, they would go
ahead and implement it and give it another go. So that's one future of Mnet
(or a branch of Mnet): another try at Mojo Nation's architecture wherein step
3 (integrated automatic ubiquitous micropayments) is layered on top and
provides attack resistance and resource management for step 2 (universal data
store and transport). Another future of Mnet, which is almost certainly going
to happen in the near future, is just deploying a good implementation of step
2 without any step 3. This would be more or less on par with other emergent
networks in current theory and practice, and will form an excellent base for
more experiments. A third future of Mnet (or a branch thereof), is to break
the universal filestore abstraction and return to step 1, building a
friendnet-Mnet in which any two computers are allowed to have a relationship
if and only if their human users already have a similar human relationship.
Intriguingly, all three of these possible future Mnets can in principle
interoperate with one another...
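Added example (not part of the original message and not Mnet code): a Python sketch of the friendnet variants discussed above, direct-only relationships, bounded transitive proxying, and transitive introduction, run over a constructed friend graph. The graph, the peer names, and the functions `friend_path`, `serve_request`, `introduce` and `exposure` are all hypothetical.

```python
from collections import deque

# Constructed friend graph (symmetric edges); every name is hypothetical.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob", "erin"},
    "erin": {"dave", "mallory"},
    "mallory": {"erin"},   # four friendship hops away from alice
}

def friend_path(graph, src, dst, max_hops):
    """Shortest friendship chain src -> dst using at most max_hops edges, else None."""
    seen, queue = {src}, deque([[src]])
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:      # hop budget spent, do not extend
            continue
        for nxt in sorted(graph[path[-1]]):
            if nxt in seen:
                continue
            if nxt == dst:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def serve_request(graph, server, requester, max_hops=1):
    """max_hops=1: direct friends only. max_hops>1: bounded transitive proxying."""
    chain = friend_path(graph, requester, server, max_hops)
    return {"allowed": chain is not None, "proxy_chain": chain}

def introduce(graph, introducer, a, b):
    """Transitive introduction: a mutual friend creates a direct a-b relationship."""
    if a in graph[introducer] and b in graph[introducer]:
        graph[a].add(b)
        graph[b].add(a)
        return True
    return False

def exposure(graph, node, max_hops):
    """Everyone whose requests `node` would end up serving under a hop limit."""
    return {p for p in graph if p != node and friend_path(graph, p, node, max_hops)}

if __name__ == "__main__":
    for hops in (1, 2, 4):
        print(hops, sorted(exposure(FRIENDS, "alice", hops)))
```

With a hop limit of 1, alice serves only bob and carol; at 4 hops the constructed peer mallory falls inside the set, which is the uncontrolled case the message describes.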
- There is a lot of interesting stuff in Zooko's post, but I think this is
the most important:
> Intriguingly, all three of these possible future Mnets can in principle
> interoperate with one another...
I think the fundamental question is: What are the fundamental building
blocks that a given system needs in order to interop with a friendnet
For interop reasons, is it sufficient to treat a given friendnet as a
virtual supernode, thus allowing individual members to remain anonymous,
or is it necessary to interact with individuals directly?
This is definitely a taste of what's to come.
Justin Chapweske, Onion Networks
- Lucas wrote:
| A double forward, unusual for this list. On a technical level Friendnets
| are interesting because they are a new kind of decentralized topology.
Assuming membership overlap in all three lists, is a double-forward (in lieu of crosspost):
- implied endorsement (reputation metric)
- disclosed collusion (buzz metric)
- emergent network (taste discovery)
The double-forward / crosspost distinction arises from a specific topology.
| substrate. step 3, observe that if all of the players aren't perfectly
| well-behaved and altruistic, your wonderful design doesn't work, and start
| trying to figure out how to salvage your beautiful design from being destroyed
| by the ugly fact of malicious and/or selfish agents.
Prevent destruction, yes. Prevent damage, no. It's useful to allow malicious agents to self-identify through malicious behavior. Suppression of all opportunity for malice would make it impossible to identify agents that decline such opportunities. It would also delay immune system response to malice.
| best friend. I think that the emergent network designer should focus on the
| human context, both because the human context is where our ultimate goals and
| values are defined, and also because the human context is the best source of a
| uniquely valuable network resource: trust.
There's a useful analogy between trust and information theory, from http://www.sandelman.ottawa.on.ca/spki/html/1998/winter/msg00058.html :
'... Trust being "that which is essential to a communication channel but which cannot be transferred from a source to a destination using that channel" ...'
| the universal filestore abstraction and return to step 1, building a
| friendnet-Mnet in which any two computers are allowed to have a relationship
| if and only if their human users already have a similar human relationship.
Humans have relationships in contexts.
Any pair of humans is tied by multiple relationships. Case in point, the crosspost / double-forward distinction.
- Lucas Gonze <lgonze@...> wrote:
William Gibson's "Walled City" in the Idoru series. This was a subset of
the net which was complete of itself but whose members chose not to
interact with the rest of it. Whenever I've raised this in conversation,
people have always thought of it in terms of firewalls (viz the great
firewall of China) but it actually makes more sense as a logical
overlay. Some of the private discussion groups behave like this such as
Howard Rheingold's Brainstorms (or The Well?). There's no need for a
moderation or trust metric system because everyone is there by
invitation and hence has a vested interest in playing cooperatively.
The second concept came from Consume.net and was a protocol for deciding
if a "Guest" should have access to a WiFi community. It's known as the
"cup of tea" protocol. You can't join and use the service until you've
sat down and had a cup of tea with a member or node owner. We seem to be
moving towards similar whitelist approaches in several areas, notably
One last point. I like the feel of trust and relationship algorithms
that are only positive and have no concept of enemy. Where you can mark
someone up as a friend but there's no facility to mark people down.
These also have the advantage that they are easier to implement as side
effects of other behaviour rather than a specific action.
Julian Bond Email&MSM: julian.bond@...
Personal WebLog: http://www.voidstar.com/
M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433