Gnutella's current trick for avoiding firewalls is one example of a simple solution to the kinds of problems I am talking about. Using the SSL HTTP or SSH protocol to hide the Gnutella protocol is a better example. If Gnutella were modified to use SSL HTTP or SSH with a large key size, then its protocol would be polynomial time indistinguishable from a legitimate SSL HTTP or SSH connection, i.e. the router would need at least months on a Beowulf to crack your session key and discover that you were not a legitimate connection. This pretty effectively ends the discussion about college routers blocking Gnutella / Napster based on packet signature.
The school can still charge students for extra bandwidth or spy on the network. The bandwidth analysis question depends on the specifics of the bandwidth monitoring, but I doubt there will be anything the students can do to prevent bandwidth monitoring.
The issue of the RIAA or colleges spying on the network is a much more interesting problem from the math / cs point of view. The question is: can network topology and authentication / reputation of nodes be used to prevent an attacker from learning much about the network? The network topology question can be stated "Can we build a network where the RIAA needs to own O(log(network size)) (or maybe O(network size)) nodes of the network to identify everyone on the network?" The authentication / reputation question can be stated "Can we build a network which forces every node to contribute meaningful content to the network?" I think the answers to these two questions are yes and yes, but I have not really done any proofs. The answer to the network topology question should say "localize the network and just don't let every node talk to every other node. People will still be able to get the mp3s which are spread around."
Now, there are many interesting questions regarding Gnutella which are not mathematical. The question of "Are mp3s spread around enough for network localization to work" is a scientific question and not a mathematical question. There are also psychological questions about "will the RIAA be willing to run thousands of servers which give away mp3s to learn the identities of the people on the network," but these are not the questions I'm interested in seeing answered since they are not math problems.
There are legal questions too, like can you prevent colleges from revoking student network access for using Gnutella by writing a Gnutella-installing virus to provide plausible deniability. This is an amusing idea, but it's not part of what I would call "Gnutella Theory" since it's a political / legal question and not a science question.
Comments? Anyone been thinking about this stuff?