123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349 |
- $Id$
- Legend:
- SPEC!! - Not specified
- SPEC - Spec not finalized
- N - nick claims
- R - arma claims
- P - phobos claims
- - Not done
- * Top priority
- . Partially done
- o Done
- D Deferred
- X Abandoned
- . <nickm> "Let's try to find a way to make it run and make the version
- match, but if not, let's just make it run."
- - <arma> "should we detect if we have a --with-ssl-dir and try the -R
- by default, if it works?"
- Items for 0.1.2.x:
- - Bug: We are willing to build circuits using not-up-to-date descriptors,
- when we get a request and we've been idle a long time.
- - We should ship with a list of stable dir mirrors -- they're not
- trusted like the authorities, but they'll provide more robustness
- and diversity for bootstrapping clients.
- - Servers are easy to setup and run: being a relay is about as easy as
- being a client.
- - Reduce resource load
- - look into "uncounting" bytes spent on local connections. so
- we can bandwidthrate but still have fast downloads.
- - Write limiting; separate token bucket for write
- o dir answers include a your-ip-address-is header, so we can
- break our dependency on dyndns.
- - Count TLS bandwidth more accurately
- - Write-limit directory responses.
- N . Improve memory usage on tight-memory machines.
- - Directory-related fixes.
- o Remember offset and location of each descriptor in the cache/journal
- o When sending a big pile of descs to a client, don't shove them all
- on the buffer at once. Keep a list of the descriptor digests for
- the descriptors we still want to send. We might end up truncating
- some replies by returning fewer descriptors than were requested (if
- somebody requests a desc that we throw away before we deliver it),
- but this happens only when somebody wants an obsolete desc, and
- clients can already handle truncated replies.
- o But what do we do about compression? That's the part that makes
- stuff hard.
- o Implement compress/decompress-on-the-fly support.
- o Use it for returning lists of descriptors.
- o Use it for returning lists of network status docs. (This will
- take a hybrid approach; let's get the other bits working first.)
- o Make clients handle missing Content-Length tags. (Oh, they do.)
- o Verify that this has happened for a long time.
- o Try a similar trick for spooling out v1 directories. These we
- _uncompress_ on the fly.
- - Look into pulling serverdescs off buffers as they arrive.
- . Mmap cache files where possible.
- o Mmap cached-routers file; when building it, go oldest-to-newest.
- - More unit tests and asserts for cached-routers file: ensure digest
- for the right router. Verify dl by digest, fp, etc.
- . Make sure cached-routers values and offsets are correct in the
- presence of windows FS insanity.
- - Save and mmap v1 directories; store them zipped, not
- uncompressed.
- - Store networkstatus docs zipped, not uncompressed. Maaaybe mmap
- them too.
- o Be a little more OO to save memory in frequently
- replicated structs.
- o Split circuit_t into origin circuits and or circuits
- o Move as many fields as reasonable out of base class.
- o Re-pack structs to avoid wasted bytes.
- o Split connection_t based on type field.
- - "bandwidth classes", for incoming vs initiated-here conns.
- o Asynchronous DNS
- o And test it
- . Make it work on windows.
- o Implement
- . Enable
- - Test
- - Make the Nameservers option documented, and make it work right on
- reload.
- - Fail when we have no configured nameservers!
- - Make it the default on platforms where it works
- - Security improvements
- - Directory guards
- R - remember the last time we saw one of our entry guards labelled with
- the GUARD flag. If it's been too long, it is not suitable for use.
- If it's been really too long, remove it from the list.
- - Make reverse DNS work.
- - Specify
- - Implement with dnsworkers
- - Implement in eventdns
- - Connect to resolve cells, server-side.
- - Add client-side interface
- - Performance improvements
- - Better estimates in the directory of whether servers have good uptime
- (high expected time to failure) or good guard qualities (high
- fractional uptime).
- - AKA Track uptime as %-of-time-up, as well as time-since-last-down.
- - Clients should prefer to avoid exit nodes for non-exit path positions.
- (bug 200)
- - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
- - A more efficient dir protocol.
- N - Clients stop dumping old descriptors if the network-statuses
- claim they're still valid.
- - Later, servers will stop generating new descriptors simply
- because 18 hours have passed.
- - Authorities should fetch the network-statuses amongst each
- other, consensus them, and advertise a communal network-status.
- This is not so much for safety/complexity as it is to reduce
- bandwidth requirements for Alice.
- - How does this interact with our goal of being able to choose
- your own dir authorities? I guess we're now assuming that all
- dir authorities know all the other authorities in their "group"?
- - Should we also look into a "delta since last network-status
- checkpoint" scheme, to reduce overhead further?
- - Extend the "r" line in network-status to give a set of buckets (say,
- comma-separated) for that router.
- - Buckets are deterministic based on IP address.
- - Then clients can choose a bucket (or set of buckets) to
- download and use.
- - Critical but minor bugs, backport candidates.
- - If the client's clock is too far in the past, it will drop (or
- just not try to get) descriptors, so it'll never build circuits.
- R - Failed rend desc fetches sometimes don't get retried.
- . If we fail to connect via an exit enclave, (warn and) try again
- without demanding that exit node.
- - And recognize when extending to the enclave node is failing,
- so we can abandon then too.
- R - non-v1 authorities should not accept rend descs.
- - We need a separate list of "hidserv authorities" if we want to
- retire moria1 from the main list.
- - support dir 503s better
- o clients don't log as loudly when they receive them
- - they don't count toward the 3-strikes rule
- - should there be some threshold of 503's after which we give up?
- - think about how to split "router is down" from "dirport shouldn't
- be tried for a while"?
- - authorities should *never* 503 a cache, but *should* 503 clients
- when they feel like it.
- - update dir-spec with what we decided for each of these
- - provide no-cache no-index headers from the dirport?
- - Windows server usability
- - Solve the ENOBUFS problem.
- - make tor's use of openssl operate on buffers rather than sockets,
- so we can make use of libevent's buffer paradigm once it has one.
- - make tor's use of libevent tolerate either the socket or the
- buffer paradigm; includes unifying the functions in connect.c.
- - We need a getrlimit equivalent on Windows so we can reserve some
- file descriptors for saving files, etc. Otherwise we'll trigger
- asserts when we're out of file descriptors and crash.
- M - rewrite how libevent does select() on win32 so it's not so very slow.
- - Add overlapped IO
- N - When we connect to a Tor server, it sends back a cell listing
- the IP it believes it is using. Use this to block dvorak's attack.
- Also, this is a fine time to say what time you think it is.
- o Verify that a new cell type is okay with deployed codebase
- . Specify HELLO cells
- . Figure out v0 compatibility.
- - Implement
- N - Exitlist should avoid outputting the same IP address twice.
- N - Write path-spec.txt
- - Break the dir v1 stuff out of tor-spec.txt into dir-spec-v1.txt,
- and change the new dir-spec.txt to dir-spec-v2.txt.
- - Packaging
- - Tell people about OSX Uninstaller
- - Quietly document NT Service options
- - Docs
- - More prominently, we should have a recommended apps list.
- - recommend gaim.
- - unrecommend IE because of ftp:// bug.
- - torrc.complete.in needs attention?
- Topics to think about during 0.1.2.x development:
- * Figure out incentives.
- - (How can we make this tolerant of a bad v0?)
- * Figure out non-clique.
- * Figure out China.
- - Figure out avoiding duplicate /24 lines
- - Figure out partial network knowledge.
- - Figure out hidden services.
- Minor items for 0.1.2.x as time permits.
- - Tor should bind its ports before dropping privs, so users don't
- have to do the ipchains dance.
- - Make --verify-config return a useful error code.
- - Rate limit exit connections to a given destination -- this helps
- us play nice with websites when Tor users want to crawl them; it
- also introduces DoS opportunities.
- - The bw_accounting file should get merged into the state file.
- - Streamline how we define a guard node as 'up'.
- - Better installers and build processes.
- - Commit edmanm's win32 makefile to tor cvs contrib, or write a new one.
- - Christian Grothoff's attack of infinite-length circuit.
- the solution is to have a separate 'extend-data' cell type
- which is used for the first N data cells, and only
- extend-data cells can be extend requests.
- - Specify, including thought about anonymity implications.
- - Display the reasons in 'destroy' and 'truncated' cells under some
- circumstances?
- - We need a way for the authorities to declare that nodes are
- in a family. Also, it kinda sucks that family declarations use O(N^2)
- space in the descriptors.
- - If the server is spewing complaints about raising your ulimit -n,
- we should add a note about this to the server descriptor so other
- people can notice too.
- - rate limit the number of exit connections to a given destination, to
- help with DoS/crawling issues.
- - cpu fixes:
- - see if we should make use of truncate to retry
- - kill dns workers more slowly
- . Directory changes
- . Some back-out mechanism for auto-approval
- - a way of rolling back approvals to before a timestamp
- - Consider minion-like fingerprint file/log combination.
- - packaging and ui stuff:
- . multiple sample torrc files
- . figure out how to make nt service stuff work?
- . Document it.
- - Vet all pending installer patches
- - Win32 installer plus privoxy, sockscap/freecap, etc.
- - Vet win32 systray helper code
- - Improve controller
- - change circuit status events to give more details, like purpose,
- whether they're internal, when they become dirty, when they become
- too dirty for further circuits, etc.
- - What do we want here, exactly?
- - Specify and implement it.
- - Change stream status events analogously.
- - What do we want here, exactly?
- - Specify and implement it.
- - Make other events "better".
- - Change stream status events analogously.
- - What do we want here, exactly?
- - Specify and implement it.
- - Make other events "better" analogously
- - What do we want here, exactly?
- - Specify and implement it.
- . Expose more information via getinfo:
- - import and export rendezvous descriptors
- - Review all static fields for additional candidates
- - Allow EXTENDCIRCUIT to unknown server.
- - We need some way to adjust server status, and to tell tor not to
- download directories/network-status, and a way to force a download.
- - It would be nice to request address lookups from the controller
- without using SOCKS.
- - Make everything work with hidden services
- - Directory system improvements
- - config option to publish what ports you listen on, beyond
- ORPort/DirPort. It should support ranges and bit prefixes (?) too.
- - Parse this.
- - Relay this in networkstatus.
- Future version:
- - Tor should have a "DNS port" so we don't need to ship with (and
- write) a clean portable dns proxy.
- . Update the hidden service stuff for the new dir approach.
- - switch to an ascii format, maybe sexpr?
- - authdirservers publish blobs of them.
- - other authdirservers fetch these blobs.
- - hidserv people have the option of not uploading their blobs.
- - you can insert a blob via the controller.
- - and there's some amount of backwards compatibility.
- - teach clients, intro points, and hidservs about auth mechanisms.
- - come up with a few more auth mechanisms.
- - auth mechanisms to let hidden service midpoint and responder filter
- connection requests.
- - Bind to random port when making outgoing connections to Tor servers,
- to reduce remote sniping attacks.
- - Have new people be in limbo and need to demonstrate usefulness
- before we approve them.
- - Clients should estimate their skew as median of skew from servers
- over last N seconds.
- - Make router_is_general_exit() a bit smarter once we're sure what it's for.
- - Audit everything to make sure rend and intro points are just as likely to
- be us as not.
- - Do something to prevent spurious EXTEND cells from making middleman
- nodes connect all over. Rate-limit failed connections, perhaps?
- - Automatically determine what ports are reachable and start using
- those, if circuits aren't working and it's a pattern we recognize
- ("port 443 worked once and port 9001 keeps not working").
- - Limit to 2 dir, 2 OR, N SOCKS connections per IP.
- - Handle full buffers without totally borking
- - Rate-limit OR and directory connections overall and per-IP and
- maybe per subnet.
- - Hold-open-until-flushed now works by accident; it should work by
- design.
- - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
- - Specify?
- - tor-resolve script should use socks5 to get better error messages.
- - hidserv offerers shouldn't need to define a SocksPort
- * figure out what breaks for this, and do it.
- - tor should be able to have a pool of outgoing IP addresses
- that it is able to rotate through. (maybe)
- - let each hidden service (or other thing) specify its own
- OutboundBindAddress?
- - Have a mode that doesn't write to disk much, so we can run Tor on
- flash memory (e.g. Linksys routers).
- Blue-sky:
- - Patch privoxy and socks protocol to pass strings to the browser.
- - Standby/hotswap/redundant hidden services.
- - Robust decentralized storage for hidden service descriptors.
- - The "China problem"
- - Allow small cells and large cells on the same network?
- - Cell buffering and resending. This will allow us to handle broken
- circuits as long as the endpoints don't break, plus will allow
- connection (tls session key) rotation.
- - Implement Morphmix, so we can compare its behavior, complexity, etc.
- - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
- link crypto, unless we can bully openssl into it.
- - Need a relay teardown cell, separate from one-way ends.
- (Pending a user who needs this)
- - Handle half-open connections: right now we don't support all TCP
- streams, at least according to the protocol. But we handle all that
- we've seen in the wild.
- (Pending a user who needs this)
- Non-Coding:
- - Mark up spec; note unclear points about servers
- - Mention controller libs someplace.
- P - flesh out the rest of the section 6 of the faq
- . more pictures from ren. he wants to describe the tor handshake
- NR- write a spec appendix for 'being nice with tor'
- - tor-in-the-media page
- - Remove need for HACKING file.
- - Figure out licenses for website material.
- Website:
- - and remove home and make the "Tor" picture be the link to home.
- - put the logo on the website, in source form, so people can put it on
- stickers directly, etc.
- R - make a page with the hidden service diagrams.
- - ask Jan to be the translation coordinator? add to volunteer page.
|