Cebolla - Pragmatic IP anonymity

This is the new home of the cebolla IP anonymity project.

Cebolla provides multi-hop anonymous IP tunnels which use UDP for transport. The tunnel end-points are presented as networking devices on the client and on the final hop. The current implementation is linux only.

If you want to contribute to the project see the source download link below.

Cebolla was written by Zach Brown; I Adam Back, am it's current interim maintainer.

Etymology: "Cebolla" is "Onion" in Spanish.


For details see Zach Brown's paper at the OLS 2002:


Download source code from [source].

Tech details


Cebolla's threat model is pragmatic: it does not attempt to be secure against an all powerful passive attacker -- if the attacker is able to observe both the entry and exit points of traffic entering the network the game is over. However the entry node alone should not be able to determine the exit node; similarly the exit node should not be able to determine the entry-node (or user of the entry-node). This model means link padding is not used.


The cebolla network is not fully connected, rather encrypted links are maintained between some nodes, and this topology information is available to clients.


Cebolla creates multi-hop tunnels in stages. First a single hop tunnel is made to the first node selected by the client. Then a new tunnel is established by tunneling through the first hop to the 2nd hop. This can be repeated to provide multi-hop tunnels. The Diffie-Hellman protocol is used to negotiate keys, so tunnels are forward-secret. In addition a symmetric re-keying technique is used to provide forward-secrecy during the life-time of a tunnel.

The tunnel establishment process negotiates keys shared between the client and each node along the path. The keys are associated with the tunnel ID, packets travelling down the tunnel have tunnel IDs at the link layer. The links between nodes are in addition encrypted to hide the tunnel IDs.


The nested tunnel scheme described above allows Cebolla to provide end-to-end forward-anonymity. The means no single node can compromise forward-anonymity -- to compromise forward-anonymity, all nodes in the tunnel have to collude.

Without end-to-end forward-anonymity, ie with the weaker hop-by-hop forward-anonymity offered by most other anonymity related systems, a single rogue node in the path can compromise forward-anonymity by recording information which would allow him to later compromise the anonymity of the connection by coercing other nodes to hand over long term private keys.

Cebolla's symmetric re-keying scheme is also forward-secret (keys are replaced with the one-way hash of the previous key). The symmetric re-keying scheme is much cheaper than a Diffie-Hellman key negotiation, which allows Cebolla to offer pretty immediate forward-anonymity (down to the level of seconds).