TODO 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303
  1. Legend:
  2. SPEC!! - Not specified
  3. SPEC - Spec not finalized
  4. NICK - nick claims
  5. ARMA - arma claims
  6. - Not done
  7. * Top priority
  8. . Partially done
  9. o Done
  10. D Deferred
  11. X Abandoned
  12. For scalability:
  13. - Slightly smarter bandwidth management: use link capacity
  14. intelligently.
  15. - Handle full buffers without totally borking
  16. For 0.0.8:
  17. milestone 2:
  18. . refer to things by key:
  19. o extend cells need ip:port:identitykeyhash.
  20. o Lookup routers and connections by key digest; accept hex
  21. key digest in place of nicknames.
  22. o Audit all uses of lookup-by-hostname and lookup-by-addr-port
  23. to search by digest when appropriate.
  24. o make sure to use addr/port in cpuworker tasks, because
  25. OPs don't have keys.
  26. o and fix the function comments in rephist
  27. o Rep-hist functions need to store info by keyid
  28. - also use this in intro points and rendezvous points, and
  29. hidserv descs. [XXXX This isn't enough.]
  30. - figure out what to do about ip:port:differentkey
  31. o ORs connect on demand. attach circuits to new connections, keep
  32. create cells around somewhere, send destroy if fail.
  33. o nickname defaults to first piece of hostname
  34. o running-routers list refers to nickname if verified, else
  35. hash-base64'ed.
  36. o Mark routers as verified or unverified based on whether
  37. running-routers list includes nickname or id hash.
  38. o put OR uptime in descriptor
  39. o name the secret-key directory something to discourage people
  40. from mailing their identity key to tor-ops
  41. milestone 3:
  42. - users can set their bandwidth, or we auto-detect it:
  43. - advertised bandwidth defaults to 10KB
  44. o advertised bandwidth is the min of max seen in each direction
  45. in the past N seconds.
  46. o calculate this
  47. o not counting "local" connections
  48. - round detected bandwidth up to nearest 10KB
  49. - client software not upload descriptor until:
  50. - you've been running for an hour
  51. - it's sufficiently satisfied with its bandwidth
  52. - it decides it is reachable
  53. - start counting again if your IP ever changes.
  54. - never regenerate identity keys, for now.
  55. - you can set a bit for not-being-an-OR.
  56. NICK - Reputation info needs to give better weight to recent events than
  57. very old ones.
  58. - Have clients and dirservers preserve reputation info over
  59. reboots.
  60. - clients choose nodes proportional to advertised bandwidth
  61. o authdirserver includes descriptor.
  62. - and lists as running iff:
  63. - he can connect to you
  64. - he has successfully extended to you
  65. - he has sufficient mean-time-between-failures
  66. - Don't accept ORs with nicknames same as verified ORs' nicknames.
  67. - add new "Middleman 1" config variable?
  68. o if torrc not found, exitpolicy reject *:*
  69. o change if(options.ORPort) to what we really mean.
  70. o same with socksport.
  71. o get contrib/tor_resolve into the tarball and installed
  72. - and working
  73. post pre1:
  74. - Possible to get autoconf to easily install things into ~/.tor?
  75. - when we sigint tor, the dns/cpuworkers don't intercept sigint?
  76. - "AcceptOnlyVerifiedRouters" config option?
  77. - why does common/util.c build-depend on or/or.h ?
  78. - ORs use uniquer default nicknames
  79. - Tors deal appropriately when a newly-verified router has the
  80. same nickname as another router they know about
  81. X 007 can't extend to unverified 008. they will never be able to.
  82. - if a begin failed due to exit policy, but we believe the IP
  83. should have been allowed, switch that router to exitpolicy
  84. reject *:* until we get our next directory.
  85. - make advertised_server_mode() ORs fetch dirs more often.
  86. - should the running-routers list put unverified routers at the
  87. end?
  88. - tor-resolve needs a man page
  89. - tor-resolve should make use of cached answers?
  90. - defining an ORPort isn't necessary anymore, if you more
  91. ORAddress:port. Same with DirPort, SocksPort.
  92. - requiredentrynode vs preferredentrynode
  93. - per-month byte allowances
  94. o if using not-socks4a then warn, once.
  95. o if unverified server then warn, once.
  96. - add a listener for a ui
  97. - and a basic gui
  98. - faq and doc-wiki
  99. - knoppix distro
  100. - win32 installer using privoxy's installer
  101. o win32 problems with pre1
  102. . asn.1 issues?
  103. o Switch dirservers entries to config lines:
  104. - read in and parse each TrustedDir config line.
  105. - stop reading dirservers file.
  106. - add some default TrustedDir lines if none defined, or if
  107. no torrc.
  108. - remove notion of ->is_trusted_dir from the routerlist. that's
  109. no longer where you look.
  110. - clean up router parsing flow, since it's simpler now?
  111. - when checking signature on a directory, look it up in
  112. options.TrustedDirs, and make sure there's a descriptor
  113. with that nickname, whose key hashes to the fingerprint,
  114. and who correctly signed the directory.
  115. - when fetching a directory, if you want a trusted one,
  116. choose from the trusteddir list.
  117. - which means keeping track of which ones are "up"
  118. - if you don't need a trusted one, choose from the routerinfo
  119. list if you have one, else from the trusteddir list.
  120. - compress the directory. client sends http header
  121. "accept-transfer-encoding: gzip", server might send http header
  122. "transfer-encoding: gzip". ta-da.
  123. - grow a zlib dependency. keep a cached compressed directory.
  124. - Why is the first entry of kill -USR1 a router with a 0 key?
  125. ongoing:
  126. . rename/rearrange functions for what file they're in
  127. - generalize our transport: add transport.c in preparation for
  128. http, airhook, etc transport.
  129. For September:
  130. NICK . Windows port
  131. o works as client
  132. - deal with pollhup / reached_eof on all platforms
  133. . robust as a client
  134. . works as server
  135. - can be configured
  136. - robust as a server
  137. . Usable as NT service
  138. - docs for building in win
  139. - installer
  140. - Docs
  141. - FAQ
  142. o overview of tor. how does it work, what's it do, pros and
  143. cons of using it, why should I use it, etc.
  144. - a howto tutorial with examples
  145. o tutorial: how to set up your own tor network
  146. - (need to not hardcode dirservers file in config.c)
  147. . correct, update, polish spec
  148. - document the exposed function api?
  149. - document what we mean by socks.
  150. NICK . packages
  151. . rpm
  152. - find a long-term rpm maintainer
  153. - code
  154. - better warn/info messages
  155. o let tor do resolves.
  156. o extend socks4 to do resolves?
  157. o make script to ask tor for resolves
  158. - tsocks
  159. - gather patches, submit to maintainer
  160. - intercept gethostbyname and others, do resolve via tor
  161. - redesign and thorough code revamp, with particular eye toward:
  162. - support half-open tcp connections
  163. - conn key rotation
  164. - other transports -- http, airhook
  165. - modular introduction mechanism
  166. - allow non-clique topology
  167. Other details and small and hard things:
  168. - tor should be able to have a pool of outgoing IP addresses
  169. that it is able to rotate through. (maybe)
  170. - tie into squid
  171. - buffer size pool, to let a few buffers grow huge or many buffers
  172. grow a bit
  173. - hidserv offerers shouldn't need to define a SocksPort
  174. - when the client fails to pick an intro point for a hidserv,
  175. it should refetch the hidserv desc.
  176. . should maybe make clients exit(1) when bad things happen?
  177. e.g. clock skew.
  178. - should retry exitpolicy end streams even if the end cell didn't
  179. resolve the address for you
  180. - Add '[...truncated]' or similar to truncated log entries (like the directory
  181. in connection_dir_process_inbuf()).
  182. . Make logs handle it better when writing to them fails.
  183. o Dirserver shouldn't put you in running-routers list if you haven't
  184. uploaded a descriptor recently
  185. . Refactor: add own routerinfo to routerlist. Right now, only
  186. router_get_by_nickname knows about 'this router', as a hack to
  187. get circuit_launch_new to do the right thing.
  188. . Scrubbing proxies
  189. - Find an smtp proxy?
  190. . Get socks4a support into Mozilla
  191. - Extend by hostname, not by IP.
  192. - Need a relay teardown cell, separate from one-way ends.
  193. - Make it harder to circumvent bandwidth caps: look at number of bytes
  194. sent across sockets, not number sent inside TLS stream.
  195. - fix router_get_by_* functions so they can get ourselves too,
  196. and audit everything to make sure rend and intro points are
  197. just as likely to be us as not.
  198. ***************************Future tasks:****************************
  199. Rendezvous and hidden services:
  200. make it fast:
  201. - preemptively build and start rendezvous circs.
  202. - preemptively build n-1 hops of intro circs?
  203. - cannibalize general circs?
  204. make it reliable:
  205. - standby/hotswap/redundant services.
  206. - store stuff to disk? dirservers forget service descriptors when
  207. they restart; nodes offering hidden services forget their chosen
  208. intro points when they restart.
  209. make it robust:
  210. - auth mechanisms to let midpoint and bob selectively choose
  211. connection requests.
  212. make it scalable:
  213. - right now the hidserv store/lookup system is run by the dirservers;
  214. this won't scale.
  215. Tor scalability:
  216. Relax clique assumptions.
  217. Redesign how directories are handled.
  218. - Separate running-routers lookup from descriptor list lookup.
  219. - Resolve directory agreement somehow.
  220. - Cache directory on all servers.
  221. Find and remove bottlenecks
  222. - Address linear searches on e.g. circuit and connection lists.
  223. Reputation/memory system, so dirservers can measure people,
  224. and so other people can verify their measurements.
  225. - Need to measure via relay, so it's not distinguishable.
  226. Bandwidth-aware path selection. So people with T3's are picked
  227. more often than people with DSL.
  228. Reliability-aware node selection. So people who are stable are
  229. preferred for long-term circuits such as intro and rend circs,
  230. and general circs for irc, aim, ssh, etc.
  231. Let dissidents get to Tor servers via Tor users. ("Backbone model")
  232. Anonymity improvements:
  233. Is abandoning the circuit the only option when an extend fails, or
  234. can we do something without impacting anonymity too much?
  235. Is exiting from the middle of the circuit always a bad idea?
  236. Helper nodes. Decide how to use them to improve safety.
  237. DNS resolution: need to make tor support resolve requests. Need to write
  238. a script and an interface (including an extension to the socks
  239. protocol) so we can ask it to do resolve requests. Need to patch
  240. tsocks to intercept gethostbyname, else we'll continue leaking it.
  241. Improve path selection algorithms based on routing-zones paper. Be sure
  242. to start and end circuits in different ASs. Ideally, consider AS of
  243. source and destination -- maybe even enter and exit via nearby AS.
  244. Intermediate model, with some delays and mixing.
  245. Add defensive dropping regime?
  246. Make it more correct:
  247. Handle half-open connections: right now we don't support all TCP
  248. streams, at least according to the protocol. But we handle all that
  249. we've seen in the wild.
  250. Support IPv6.
  251. Efficiency/speed/robustness:
  252. Congestion control. Is our current design sufficient once we have heavy
  253. use? Need to measure and tweak, or maybe overhaul.
  254. Allow small cells and large cells on the same network?
  255. Cell buffering and resending. This will allow us to handle broken
  256. circuits as long as the endpoints don't break, plus will allow
  257. connection (tls session key) rotation.
  258. Implement Morphmix, so we can compare its behavior, complexity, etc.
  259. Use cpuworker for more heavy lifting.
  260. - Signing (and verifying) hidserv descriptors
  261. - Signing (and verifying) intro/rend requests
  262. - Signing (and verifying) router descriptors
  263. - Signing (and verifying) directories
  264. - Doing TLS handshake (this is very hard to separate out, though)
  265. Buffer size pool: allocate a maximum size for all buffers, not
  266. a maximum size for each buffer. So we don't have to give up as
  267. quickly (and kill the thickpipe!) when there's congestion.
  268. Exit node caching: tie into squid or other caching web proxy.
  269. Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
  270. link crypto, unless we can bully openssl into it.
  271. P2P Tor:
  272. Do all the scalability stuff above, first.
  273. Incentives to relay. Not so hard.
  274. Incentives to allow exit. Possibly quite hard.
  275. Sybil defenses without having a human bottleneck.
  276. How to gather random sample of nodes.
  277. How to handle nodelist recommendations.
  278. Consider incremental switches: a p2p tor with only 50 users has
  279. different anonymity properties than one with 10k users, and should
  280. be treated differently.