In #15, I noted that utilizing this additional part of the address space breaks the routing metrics, making the addresses useful only to client peers. This proposal extends the utility of these leased addresses by creating encrypted tunnels. This system allows a distant node to lease an address as if it was a physically present peer. The router then has additional callbacks that will receive from the proxy client node encrypted Packages with an internal Packet that will be sent to another destination (but the source address will always be rewritten to be that of the leased address to prevent spoofing). When the router receives a Packet destined for the leased address, it will encapsulate it in an encrypted Package and send that to the proxy client node.

A node will be able to route traffic to request a proxy address through a tunnel, adding a layer of encryption and identity obfuscation with every proxy address received. A node can then proxy through proxies, which enables onion routing.

Having a ttl field be cumulative value for the whole path through all tunnels will leak identity information and allow an attacker to correlate traffic fairly easily. To defend against this, the proxy router will add a random integer between [-5, 5] to the ttl field before proxying in either direction.

As an additional safeguard against traffic analysis, the proxy application will configure a setting for minimum and maximum target delays which will be set when the proxy address is leased, and proxies will introduce a random delay when proxying in either direction. This gives proxy routers a probabilistic mixnet feature in addition to the onion routing feature.