|
|
@@ -0,0 +1,63 @@
|
|
|
+Filename: 152-single-hop-circuits.txt
|
|
|
+Title: Optionally allow exit from single-hop circuits
|
|
|
+Version:
|
|
|
+Last-Modified:
|
|
|
+Author: Geoff Goodell
|
|
|
+Created: 13-Jul-2008
|
|
|
+Status: Draft
|
|
|
+
|
|
|
+Overview
|
|
|
+
|
|
|
+ Provide a special configuration option that adds a line to descriptors
|
|
|
+ indicating that a router can be used as an exit for one-hop circuits,
|
|
|
+ and allow clients to attach streams to one-hop circuits provided
|
|
|
+ that the descriptor for the router in the circuit includes this
|
|
|
+ configuration option.
|
|
|
+
|
|
|
+Motivation
|
|
|
+
|
|
|
+ At some point, code was added to restrict the attachment of streams
|
|
|
+ to one-hop circuits.
|
|
|
+
|
|
|
+ The idea seems to be that we can use the cost of forking and
|
|
|
+ maintaining a patch as a lever to prevent people from writing
|
|
|
+ controllers that jeopardize the operational security of routers
|
|
|
+ and the anonymity properties of the Tor network by creating and
|
|
|
+ using one-hop circuits rather than the standard three-hop circuits.
|
|
|
+ It may be, for example, that some users do not actually seek true
|
|
|
+ anonymity but simply reachability through network perspectives
|
|
|
+ afforded by the Tor network, and since anonymity is stronger in
|
|
|
+ numbers, forcing users to contribute to anonymity and decrease the
|
|
|
+ risk to server operators by using full-length paths may be reasonable.
|
|
|
+
|
|
|
+ As presently implemented, the sweeping restriction of one-hop circuits
|
|
|
+ for all routers limits the usefulness of Tor as a general-purpose
|
|
|
+ technology for building circuits. In particular, we should allow
|
|
|
+ for controllers, such as Blossom, that create and use single-hop
|
|
|
+ circuits involving routers that are not part of the Tor network.
|
|
|
+
|
|
|
+Design
|
|
|
+
|
|
|
+ Introduce a configuration option for Tor servers that, when set,
|
|
|
+ indicates that a router is willing to provide exit from one-hop
|
|
|
+ circuits. Routers with this policy will not require that a circuit
|
|
|
+ has at least two hops when it is used as an exit.
|
|
|
+
|
|
|
+ In addition, routers for which this configuration option
|
|
|
+ has been set will have a line in their descriptors, "opt
|
|
|
+ exit-from-single-hop-circuits". Clients will keep track of which
|
|
|
+ routers have this option and allow streams to be attached to
|
|
|
+ single-hop circuits that include such routers.
|
|
|
+
|
|
|
+Security Considerations
|
|
|
+
|
|
|
+ This approach seems to eliminate the worry about operational router
|
|
|
+ security, since server operators will not set the configuraiton
|
|
|
+ option unless they are willing to take on such risk.
|
|
|
+
|
|
|
+ To reduce the impact on anonymity of the network resulting
|
|
|
+ from including such "risky" routers in regular Tor path
|
|
|
+ selection, clients may systematically exclude routers with "opt
|
|
|
+ exit-from-single-hop-circuits" when choosing random paths through
|
|
|
+ the Tor network.
|
|
|
+
|
Nick Mathewson