Refraction Networking

Internet freedom in the network’s core

What is refraction networking?

Note: For a colorful, visual explanation of one way that refraction can work, see the overview of Telex provided by the Telex team.

Most of today’s censorship circumvention tools use the same fundamental approach to help users in censored network environments: They encrypt the user’s traffic to make it look innocuous, and channel it to a proxy server located outside the censored network. This leads to a fundamental problem: Once authorities in an Internet-censoring regime detect a proxy server, the proxy itself becomes just another site to block. Circumvention tool providers are forced to play a game of cat and mouse, because they must somehow let censored individuals find and use their proxy servers, without letting the censoring government find and block those same servers.  

In this race to find and use — or find and block — proxy servers, censoring governments enjoy natural, growing advantages over censored users. For example, they can examine all data flowing across their borders in search of telltale signatures or traffic patterns of disfavored activity, and they can react in real time using a range of increasingly sophisticated commercial products. Indicators of censors’ growing capabilities are everywhere: In Iran, the regime created VPN outages ahead of the 2013 presidential election. In China, new Tor bridges last less than 48 hours before being blocked. Strategies that rely on friendly servers are failing against increasingly sophisticated state-level censors who can see and control a country’s entire network.

Refraction networking* takes a different approach. Rather than trying to hide individual proxies from censors, refraction locates proxy functionality in the core of the network. This makes censorship much more costly, because it is no longer possible to selectively block only those servers used to provide Internet freedom. Instead, whole networks outside the censored country provide Internet freedom to users—and any data exchange between a censored nation’s Internet and a participating friendly network can become a conduit for the free flow of information.

What work is happening now?

Refraction networking was independently invented in 2011 by three separate engineering teams — at the University of Michigan, the University of Illinois, and BBN — who each built running code to show that the approach really works.

Five laboratory prototypes exist: Cirripede at the University of Illinois, Curveball and Rebound at BBN, and Telex and TapDance at the University of Michigan. The Michigan team has run a small Telex prototype for three years and has provided basic service to over 100,000 clients, primarily in China and Iran. BBN, with funding from DARPA, built a Curveball prototype and subjected it to intensive red team security testing. These existing designs share the same basic premise but represent a range of design choices and technical tradeoffs.

Right now, researchers from Michigan, Illinois, BBN and elsewhere are collaborating to make refraction networking a widespread and powerful practical tool for Internet freedom, with support from the U.S. State Department's Bureau of Democracy, Human Rights, and Labor. In the spring of 2017, the team organized and executed a large-scale real-world trial — the first of its kind — providing refraction to more than 50,000 users. This project is the subject of a forthcoming FOCI research paper.

What research has been published?

The papers are:

Who else is thinking about refraction networking?

There have been several other research papers that directly address issues connected with refraction networking:

* Early conversations about this strategy used the term decoy routing to refer both to this overall family of approaches and to the specific scheme described by Karlin et al. in 2011. We use refraction networking as an umbrella term to refer to all schemes.