ArkC & ArkC Network
Technology Overview — Original document from when our work started
Part A. ArkC Protocol
- Protocol Description
The ArkC protocol includes various connection wrappers and supports both TCP and UDP transmission. It transmits proxy traffic in the form of ordinary connections, using plug-ins called "wrappers". When data is transmitted over TCP, the protocol allows the server to be the side that initiates the connection, creating a virtual reverse TCP connection (reverse initialization).
During transmission, all data is encrypted using one of several available algorithms.
- Protocol Features
Typical wrappers for the ArkC protocol include SMTP (MTA to MTA), SMTP (client to server) and HTTP. The abundance of wrappers makes it harder to detect and reset ArkC connections or to locate server IP addresses. In particular, the ordinary nature of the wrapping protocols hides ArkC connections inside ordinary (even essential) Internet services. Widespread unstable Internet service conditions deter censors from resetting all suspicious connections.
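To make the wrapper idea concrete, here is an added illustration (not ArkC's own code or plug-in API) of a wrapper interface with one HTTP plug-in: proxy payloads are framed as ordinary-looking HTTP POST requests, and the unwrapping side reassembles them from a TCP stream that arrives in arbitrary chunks. The `Wrapper` class, the `HttpPostWrapper` name, and the host and path values are assumptions made for this example.

```python
"""Minimal 'wrapper' plug-in abstraction (added example, not ArkC's code).

A wrapper turns proxy payload bytes into something that looks like an
ordinary protocol exchange; here each payload becomes one HTTP POST.
"""
from abc import ABC, abstractmethod
from typing import List, Tuple


class Wrapper(ABC):
    """Interface a wrapper plug-in implements (hypothetical interface)."""

    @abstractmethod
    def wrap(self, payload: bytes) -> bytes:
        """Encapsulate one payload into wire bytes."""

    @abstractmethod
    def unwrap(self, stream: bytes) -> Tuple[List[bytes], bytes]:
        """Return (complete payloads, leftover bytes that do not yet form a frame)."""


class HttpPostWrapper(Wrapper):
    """Frames each payload as an HTTP/1.1 POST; host and path are constructed values."""

    def __init__(self, host: str = "example.invalid", path: str = "/upload") -> None:
        self.host = host
        self.path = path

    def wrap(self, payload: bytes) -> bytes:
        header = (
            f"POST {self.path} HTTP/1.1\r\n"
            f"Host: {self.host}\r\n"
            "Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(payload)}\r\n"
            "\r\n"
        ).encode("ascii")
        return header + payload

    def unwrap(self, stream: bytes) -> Tuple[List[bytes], bytes]:
        payloads: List[bytes] = []
        buf = stream
        while True:
            end = buf.find(b"\r\n\r\n")
            if end == -1:
                break  # header not yet complete: keep buffering
            head = buf[:end].decode("ascii", errors="replace")
            length = None
            for line in head.split("\r\n")[1:]:  # skip the request line
                name, _, value = line.partition(":")
                if name.strip().lower() == "content-length":
                    length = int(value.strip())
            if length is None:
                raise ValueError("frame without Content-Length")
            body_start = end + 4
            if len(buf) < body_start + length:
                break  # body not yet complete: keep buffering
            payloads.append(buf[body_start:body_start + length])
            buf = buf[body_start + length:]
        return payloads, buf


def roundtrip_in_chunks(wrapper: Wrapper, payloads: List[bytes],
                        chunk: int) -> Tuple[List[bytes], bytes]:
    """Wrap the payloads, then feed the wire bytes back in `chunk`-byte pieces.

    Returns the payloads recovered and whatever is still pending at the end
    (empty when every frame was consumed).
    """
    wire = b"".join(wrapper.wrap(p) for p in payloads)
    pending = b""
    recovered: List[bytes] = []
    for i in range(0, len(wire), chunk):
        pending += wire[i:i + chunk]
        done, pending = wrapper.unwrap(pending)
        recovered.extend(done)
    return recovered, pending


if __name__ == "__main__":
    print(roundtrip_in_chunks(HttpPostWrapper(), [b"hello", b"", b"x" * 1000], 7))
```

The chunked round trip is the part worth studying: a wrapper only works over a real stream if the unwrapping side tolerates frames split across reads, which is why `unwrap` hands back the unconsumed tail instead of discarding it.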
The reverse-initialization feature provides a further tool for hiding server IP addresses. Since the server may initiate the connection through Tor or other public proxies, censors cannot discover the real server. This feature is similar to a Tor hidden service, but differs in that clients need not connect to the Tor network.
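The following added example (not ArkC's code) shows the role reversal on loopback: the client side only listens, the proxy server side dials out to it, and the client then drives length-prefixed requests over the socket the server opened. Forwarding to the real destination is replaced by an upper-casing stand-in, and the two-byte length framing and the zero-length "goodbye" frame are assumptions of this example.

```python
"""Reverse-initialized TCP (added example, not ArkC's code).

Roles: the client listens; the server connects to the client; the client
then sends requests over that server-opened connection.
"""
import socket
import threading
from typing import Dict, List, Tuple


def recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes mid-frame."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf


def run_client_side(listener: socket.socket, requests: List[bytes]) -> List[bytes]:
    """Client: wait for the server to connect, then send requests and collect replies."""
    conn, _ = listener.accept()  # this connection was initiated by the server
    replies: List[bytes] = []
    with conn:
        for req in requests:
            conn.sendall(len(req).to_bytes(2, "big") + req)
            n = int.from_bytes(recv_exact(conn, 2), "big")
            replies.append(recv_exact(conn, n))
        conn.sendall((0).to_bytes(2, "big"))  # zero-length frame: goodbye
    return replies


def run_server_side(client_addr: Tuple[str, int]) -> int:
    """Server: connect outward to the client and serve framed requests until goodbye."""
    served = 0
    with socket.create_connection(client_addr) as conn:
        while True:
            n = int.from_bytes(recv_exact(conn, 2), "big")
            if n == 0:
                break
            req = recv_exact(conn, n)
            resp = req.upper()  # stand-in for relaying the request upstream
            conn.sendall(len(resp).to_bytes(2, "big") + resp)
            served += 1
    return served


def demo(requests: List[bytes]) -> Tuple[List[bytes], int]:
    """Run both sides on loopback; return (client replies, requests the server served)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(1)
    addr = listener.getsockname()
    result: Dict[str, int] = {}
    server = threading.Thread(
        target=lambda: result.__setitem__("served", run_server_side(addr)))
    server.start()
    try:
        replies = run_client_side(listener, requests)
    finally:
        server.join()
        listener.close()
    return replies, result["served"]


if __name__ == "__main__":
    print(demo([b"get a", b"get b"]))
```

Note which side calls `connect`: in a deployment the server would dial the client through Tor or a public proxy, so an observer at the client sees only an inbound connection from that intermediary, never the server's own address.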
The SMTP (MTA to MTA) wrapper makes obfuscation through third-party servers possible. Mail servers and web servers are both decentralized.
Various features of the ArkC protocol depend on client and server network conditions. A considerable number of home users are behind NAT, and unless port forwarding is preset, incoming TCP requests cannot be answered. However, UDP hole punching may be used instead.
This can probably be solved using the ArkC Network, though.
Wrappers and encryption may slow down the connection, especially when initializing a new one. Buffering and heartbeats may be implemented so that connections are smoother.
Part B. ArkC Network
The ArkC network is composed of users (clients) within censored countries (e.g. mainland China) and servers in uncensored countries or uncensored Internet environments. It is a centralized network with certain trusted authorities.
The ArkC network provides geographically optimized connections and ensures that users behind NAT can access ArkC servers abroad. Optimized proxy connections may yield higher speed than direct connections in certain ISP environments.
The ArkC network further helps to conceal the real IPs of overseas ArkC servers, making them harder to block. Owners of those servers can more confidently set up an ArkC network daemon without worrying that their server may be blocked.
Central authority servers determine the fastest route for clients of the network to send and receive data from overseas servers. Static content may be cached to increase speed. [Encryption may be compromised, though.]
Nodes of the network in censored countries interact with overseas servers using reversed connections. Those nodes also listen for connections from other domestic clients. Relaying between those nodes may be implemented to conceal the origin IP (similar to Tor). Clients behind NAT only connect to domestic nodes, using standard encrypted TCP connections. Censorship of all internal traffic is extremely costly and hard to deploy.
- Detailed Structure & Technologies
Clients and nodes use DNS queries to locate other nodes. DNS authority is delegated to certain authority servers with global DNS relay.
CDN networks and the "Attached Freedom" principle help to make authority servers available to users. Authority servers only allocate routes and receive reports, so traffic between them and users is minimal.
The ICMP (ping) protocol may be used to ensure connectivity between domestic users and authority servers.
The authority servers need to deliver commands for obfuscation, for starting SMTP traffic, or for internal relay data.
The authority servers need to assess the condition of each node and enforce continual audit. (Refer to the Tor project.)
Domestic nodes are often unreliable. The regime may use MITM attacks to discover origin server IPs.
Hosts of domestic nodes may be threatened with imprisonment or persecution.