158-microdescriptors.txt 9.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207
  1. Filename: 158-microdescriptors.txt
  2. Title: Clients download consensus + microdescriptors
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Roger Dingledine
  6. Created: 17-Jan-2009
  7. Status: Open
  8. 1. Overview
  9. This proposal replaces section 3.2 of proposal 141, which was
  10. called "Fetching descriptors on demand". Rather than modifying the
  11. circuit-building protocol to fetch a server descriptor inline at each
  12. circuit extend, we instead put all of the information that clients need
  13. either into the consensus itself, or into a new set of data about each
  14. relay called a microdescriptor. The microdescriptor is a direct
  15. transform from the relay descriptor, so relays don't even need to know
  16. this is happening.
  17. Descriptor elements that are small and frequently changing should go
  18. in the consensus itself, and descriptor elements that are small and
  19. relatively static should go in the microdescriptor. If we ever end up
  20. with descriptor elements that aren't small yet clients need to know
  21. them, we'll need to resume considering some design like the one in
  22. proposal 141.
  23. 2. Motivation
  24. See
  25. http://archives.seul.org/or/dev/Nov-2008/msg00000.html and
  26. http://archives.seul.org/or/dev/Nov-2008/msg00001.html and especially
  27. http://archives.seul.org/or/dev/Nov-2008/msg00007.html
  28. for a discussion of the options and why this is currently the best
  29. approach.
  30. 3. Design
  31. There are three pieces to the proposal. First, authorities will list in
  32. their votes (and thus in the consensus) what relay descriptor elements
  33. are included in the microdescriptor, and also list the expected hash
  34. of microdescriptor for each relay. Second, directory mirrors will serve
  35. microdescriptors. Third, clients will ask for them and cache them.
  36. 3.1. Consensus changes
  37. V3 votes should include a new line:
  38. microdescriptor-elements bar baz foo
  39. listing each descriptor element (sorted alphabetically) that authority
  40. included when it calculated its expected microdescriptor hashes.
  41. We also need to include the hash of each expected microdescriptor in
  42. the routerstatus section. I suggest a new "m" line for each stanza,
  43. with the base64 of the hash of the elements that the authority voted
  44. for above.
  45. The consensus microdescriptor-elements and "m" lines are then computed
  46. as described in Section 3.1.2 below.
  47. I believe that means we need a new consensus-method "6" that knows
  48. how to compute the microdescriptor-elements and add "m" lines.
  49. 3.1.1. Descriptor elements to include for now
  50. To start, the element list that authorities suggest should be
  51. family onion-key
  52. (Note that the or-dev posts above only mention onion-key, but if
  53. we don't also include family then clients will never learn it. It
  54. seemed like it should be relatively static, so putting it in the
  55. microdescriptor is smarter than trying to fit it into the consensus.)
  56. We could imagine a config option "family,onion-key" so authorities
  57. could change their voted preferences without needing to upgrade.
  58. 3.1.2. Computing consensus for microdescriptor-elements and "m" lines
  59. One approach is for the consensus microdescriptor-elements line to
  60. include every element listed by a majority of authorities, sorted. The
  61. problem here is that it will no longer be deterministic what the correct
  62. hash for the "m" line should be. We could imagine telling the authority
  63. to go look in its descriptor and produce the right hash itself, but
  64. we don't want consensus calculation to be based on external data like
  65. that. (Plus, the authority may not have the descriptor that everybody
  66. else voted to use.)
  67. The better approach is to take the exact set that has the most votes
  68. (breaking ties by the set that has the most elements, and breaking
  69. ties after that by whichever is alphabetically first). That will
  70. increase the odds that we actually get a microdescriptor hash that
  71. is both a) for the descriptor we're putting in the consensus, and b)
  72. over the elements that we're declaring it should be for.
  73. Then the "m" line for a given relay is the one that gets the most votes
  74. from authorities that both a) voted for the microdescriptor-elements
  75. line we're using, and b) voted for the descriptor we're using.
  76. (If there's a tie, use the smaller hash. But really, if there are
  77. multiple such votes and they differ about a microdescriptor, we caught
  78. one of them lying or being buggy. We should log it to track down why.)
  79. If there are no such votes, then we leave out the "m" line for that
  80. relay. That means clients should avoid it for this time period. (As
  81. an extension it could instead mean that clients should fetch the
  82. descriptor and figure out its microdescriptor themselves. But let's
  83. not get ahead of ourselves.)
  84. It would be nice to have a more foolproof way to agree on what
  85. microdescriptor hash each authority should vote for, so we can avoid
  86. missing "m" lines. Just switching to a new consensus-method each time
  87. we change the set of microdescriptor-elements won't help though, since
  88. each authority will still have to decide what hash to vote for before
  89. knowing what consensus-method will be used.
  90. Here's one way we could do it. Each vote / consensus includes
  91. the microdescriptor-elements that were used to compute the hashes,
  92. and also a preferred-microdescriptor-elements set. If an authority
  93. has a consensus from the previous period, then it should use the
  94. consensus preferred-microdescriptor-elements when computing its votes
  95. for microdescriptor-elements and the appropriate hashes in the upcoming
  96. period. (If it has no previous consensus, then it just writes its
  97. own preferences in both lines.)
  98. 3.2. Directory mirrors serve microdescriptors
  99. Directory mirrors should then read the microdescriptor-elements line
  100. from the consensus, and learn how to answer requests. (Directory mirrors
  101. continue to serve normal relay descriptors too, a) to serve old clients
  102. and b) to be able to construct microdescriptors on the fly.)
  103. The microdescriptors with hashes <D1>,<D2>,<D3> should be available at:
  104. http://<hostname>/tor/micro/d/<D1>+<D2>+<D3>.z
  105. All the microdescriptors from the current consensus should also be
  106. available at:
  107. http://<hostname>/tor/micro/all.z
  108. so a client that's bootstrapping doesn't need to send a 70KB URL just
  109. to name every microdescriptor it's looking for.
  110. The format of a microdescriptor is the header line
  111. "microdescriptor-header"
  112. followed by each element (keyword and body), alphabetically. There's
  113. no need to mention what hash it's for, since it's self-identifying:
  114. you can hash the elements to learn this.
  115. (Do we need a footer line to show that it's over, or is the next
  116. microdescriptor line or EOF enough of a hint? A footer line wouldn't
  117. hurt much. Also, no fair voting for the microdescriptor-element
  118. "microdescriptor-header".)
  119. The hash of the microdescriptor is simply the hash of the concatenated
  120. elements -- not counting the header line or hypothetical footer line.
  121. Unless you prefer that?
  122. Is there a reasonable way to version these things? We could say that
  123. the microdescriptor-header line can contain arguments which clients
  124. must ignore if they don't understand them. Any better ways?
  125. Directory mirrors should check to make sure that the microdescriptors
  126. they're about to serve match the right hashes (either the hashes from
  127. the fetch URL or the hashes from the consensus, respectively).
  128. We will probably want to consider some sort of smart data structure to
  129. be able to quickly convert microdescriptor hashes into the appropriate
  130. microdescriptor. Clients will want this anyway when they load their
  131. microdescriptor cache and want to match it up with the consensus to
  132. see what's missing.
  133. 3.3. Clients fetch them and cache them
  134. When a client gets a new consensus, it looks to see if there are any
  135. microdescriptors it needs to learn. If it needs to learn more than
  136. some threshold of the microdescriptors (half?), it requests 'all',
  137. else it requests only the missing ones.
  138. Clients maintain a cache of microdescriptors along with metadata like
  139. when it was last referenced by a consensus. They keep a microdescriptor
  140. until it hasn't been mentioned in any consensus for a week. Future
  141. clients might cache them for longer or shorter times.
  142. 3.3.1. Information leaks from clients
  143. If a client asks you for a set of microdescs, then you know she didn't
  144. have them cached before. How much does that leak? What about when
  145. we're all using our entry guards as directory guards, and we've seen
  146. that user make a bunch of circuits already?
  147. Fetching "all" when you need at least half is a good first order fix,
  148. but might not be all there is to it.
  149. Another future option would be to fetch some of the microdescriptors
  150. anonymously (via a Tor circuit).
  151. 4. Transition and deployment
  152. Phase one, the directory authorities should start voting on
  153. microdescriptors and microdescriptor elements, and putting them in the
  154. consensus. This should happen during the 0.2.1.x series, and should
  155. be relatively easy to do.
  156. Phase two, directory mirrors should learn how to serve them, and learn
  157. how to read the consensus to find out what they should be serving. This
  158. phase could be done either in 0.2.1.x or early in 0.2.2.x, depending
  159. on how messy it turns out to be and how quickly we get around to it.
  160. Phase three, clients should start fetching and caching them instead
  161. of normal descriptors. This should happen post 0.2.1.x.