125-bridges.txt 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339
  1. Filename: 125-bridges.txt
  2. Title: Behavior for bridge users, bridge relays, and bridge authorities
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Roger Dingledine
  6. Created: 11-Nov-2007
  7. Status: Open
  8. 0. Preface
  9. This document describes the design decisions around support for bridge
  10. users, bridge relays, and bridge authorities. It acts as an overview
  11. of the bridge design and deployment for developers, and it also tries
  12. to point out limitations in the current design and implementation.
  13. For more details on what all of these mean, look at blocking.tex in
  14. /doc/design-paper/
  15. 1. Bridge relays
  16. Bridge relays are just like normal Tor relays except they don't publish
  17. their server descriptors to the main directory authorities.
  18. 1.1. PublishServerDescriptor
  19. To configure your relay to be a bridge relay, just add
  20. BridgeRelay 1
  21. PublishServerDescriptor bridge
  22. to your torrc. This will cause your relay to publish its descriptor
  23. to the bridge authorities rather than to the default authorities.
  24. Alternatively, you can say
  25. BridgeRelay 1
  26. PublishServerDescriptor 0
  27. which will cause your relay to not publish anywhere. This could be
  28. useful for private bridges.
  29. 1.2. Defining DirPort
  30. Bridges need to answer BEGIN_DIR requests, both so they can answer
  31. "/server/authority" questions ("what's your descriptor?") and so they
  32. can supply their bridge users with cached copies of all the various
  33. Tor network information.
  34. As for Tor 0.2.0.13-alpha, bridges will answer begin_dir questions
  35. (and cache dir info they see so the answers will be more useful)
  36. whether their DirPort is enabled or not. (After all, we don't care if
  37. they have an open or reachable DirPort to answer begin_dir questions.)
  38. We need to investigate if there are any anonymity worries with answering
  39. BEGIN_DIR requests when our DirPort is off. I claim that we don't open
  40. any new attacks: it's still a fine question to ask what partitioning
  41. attacks there are when you can query a Tor client about its current
  42. directory opinions, but these attacks already exist when DirPort is on.
  43. We should investigate this in 0.2.1.x.
  44. 1.3. Exit policy
  45. Bridge relays should use an exit policy of "reject *:*". This is
  46. because they only need to relay traffic between the bridge users
  47. and the rest of the Tor network, so there's no need to let people
  48. exit directly from them.
  49. 1.4. RelayBandwidthRate / RelayBandwidthBurst
  50. We invented the RelayBandwidth* options for this situation: Tor clients
  51. who want to allow relaying too. See proposal 111 for details. Relay
  52. operators should feel free to rate-limit their relayed traffic.
  53. 1.5. Helping the user with port forwarding, NAT, etc.
  54. Just as for operating normal relays, our documentation and hints for
  55. how to make your ORPort reachable are inadequate for normal users.
  56. We need to work harder on this step, perhaps in 0.2.1.x.
  57. 1.6. Vidalia integration
  58. Vidalia 0.0.15 has turned its "Relay" settings page into a tri-state
  59. "Don't relay" / "Relay for the Tor network" / "Help censored users".
  60. If you click the third choice, it forces your exit policy to reject *:*,
  61. and it forces your DirPort to 9030 (but see Sec 1.2 above about DirPort).
  62. If all the bridges end up on port 9001, that's not so good. On the
  63. other hand, putting the bridges on a low-numbered port in the Unix
  64. world requires jumping through extra hoops. The current compromise is
  65. that Vidalia makes the ORPort default to 443 on Windows, and 9001 on
  66. other platforms.
  67. At the bottom of the relay config settings window, Vidalia displays
  68. the bridge identifier to the operator (see Section 3.1) so he can pass
  69. it on to bridge users.
  70. 1.7. What if the default ORPort is already used?
  71. If the user already has a webserver or some other application
  72. bound to port 443, then Tor will fail to bind it and complain to the
  73. user, probably in a cryptic way. Rather than just working on a better
  74. error message (though we should do this), we should consider an
  75. "ORPort auto" option that tells Tor to try to find something that's
  76. bindable and reachable. This would also help us tolerate ISPs that
  77. filter incoming connections on port 80 and port 443. But this should
  78. be a different proposal, and can wait until 0.2.1.x.
  79. 2. Bridge authorities.
  80. Bridge authorities are like normal directory authorities, except they
  81. don't create their own network-status documents or votes. So if you
  82. ask an authority for a network-status document or consensus, they
  83. behave like a directory mirror: they give you one from one of the main
  84. authorities. But if you ask the bridge authority for the descriptor
  85. corresponding to a particular identity fingerprint, it will happily
  86. give you the latest descriptor for that fingerprint.
  87. To become a bridge authority, add these lines to your torrc:
  88. AuthoritativeDirectory 1
  89. BridgeAuthoritativeDir 1
  90. Right now there's one bridge authority, running on the Tonga relay.
  91. 2.1. Exporting bridge-purpose descriptors
  92. We've added a new purpose for server descriptors: the "bridge"
  93. purpose. With the new router-descriptors file format that includes
  94. annotations, it's easy to look through it and find the bridge-purpose
  95. descriptors.
  96. We should work with Tonga to export its router-descriptors file to
  97. some place where we can distribute the bridge addresses according to
  98. the policies in blocking.pdf. It might even be easier to have it write
  99. out a separate file, just for export, that includes only the bridge
  100. descriptors; or maybe a six-liner perl postprocessing script is the
  101. better plan there to create a file for export.
  102. 2.2. Reachability/uptime testing
  103. Right now the bridge authorities just passively collect bridge
  104. descriptors, and give them out on request. At some point we are going
  105. to want to recommend new bridges to users, and we'll want to have
  106. some way of deciding which ones are up right now, which ones have
  107. been around for a while, etc. We should have the bridge authorities
  108. do active measurements of bridges just as the normal authorities do
  109. active measurements of normal relays. Then we can export the results
  110. just like in Section 2.1. above.
  111. In the design document, we suggested that bridges should publish
  112. anonymously (i.e. via Tor) to the bridge authority, so somebody watching
  113. the bridge authority can't just enumerate all the bridges. But if we're
  114. doing active measurement, the game is up. Perhaps we should back off on
  115. this goal, or perhaps we should do our active measurement anonymously?
  116. Answering this issue is scheduled for 0.2.1.x.
  117. 2.3. Migrating to multiple bridge authorities
  118. Having only one bridge authority is both a trust bottleneck (if you
  119. break into one place you learn about every single bridge we've got)
  120. and a robustness bottleneck (when it's down, bridge users become sad).
  121. Right now if we put up a second bridge authority, all the bridges would
  122. publish to it, and (assuming the code works) bridge users would query
  123. a random bridge authority. This resolves the robustness bottleneck,
  124. but makes the trust bottleneck even worse.
  125. In 0.2.1.x and later we should think about better ways to have multiple
  126. bridge authorities.
  127. 3. Bridge users.
  128. Bridge users are like ordinary Tor users except they use encrypted
  129. directory connections by default, and they use bridge relays as both
  130. entry guards (their first hop) and directory guards (the source of
  131. all their directory information).
  132. To become a bridge user, add the following two lines to your torrc:
  133. UseBridges 1
  134. TunnelDirConns 1
  135. and then add at least one "Bridge" line to your torrc based on the
  136. format below.
  137. 3.1. Format of the bridge identifier.
  138. The canonical format for a bridge identifier contains an IP address,
  139. an ORPort, and an identity fingerprint:
  140. bridge 128.31.0.34:9009 4C17 FB53 2E20 B2A8 AC19 9441 ECD2 B017 7B39 E4B1
  141. However, the identity fingerprint can be left out, in which case the
  142. bridge user will connect to that relay and use it as a bridge regardless
  143. of what identity key it presents:
  144. bridge 128.31.0.34:9009
  145. This might be useful for cases where only short bridge identifiers
  146. can be communicated to bridge users.
  147. In a future version we may also support bridge identifiers that are
  148. only a key fingerprint:
  149. bridge 4C17 FB53 2E20 B2A8 AC19 9441 ECD2 B017 7B39 E4B1
  150. and the bridge user can fetch the latest descriptor from the bridge
  151. authority (see Section 3.4).
  152. 3.2. Bridges as entry guards
  153. For now, bridge users add their bridge relays to their list of "entry
  154. guards" (see path-spec.txt for background on entry guards). They are
  155. managed by the entry guard algorithms exactly as if they were a normal
  156. entry guard -- their keys and timing get cached in the "state" file,
  157. etc. This means that when the Tor user starts up with "UseBridges"
  158. disabled, he will skip past the bridge entries since they won't be
  159. listed as up and usable in his networkstatus consensus. But to be clear,
  160. the "entry_guards" list doesn't currently distinguish guards by purpose.
  161. Internally, each bridge user keeps a smartlist of "bridge_info_t"
  162. that reflects the "bridge" lines from his torrc along with a download
  163. schedule (see Section 3.5 below). When he starts Tor, he attempts
  164. to fetch a descriptor for each configured bridge (see Section 3.4
  165. below). When he succeeds at getting a descriptor for one of the bridges
  166. in his list, he adds it directly to the entry guard list using the
  167. normal add_an_entry_guard() interface. Once a bridge descriptor has
  168. been added, should_delay_dir_fetches() will stop delaying further
  169. directory fetches, and the user begins to bootstrap his directory
  170. information from that bridge (see Section 3.3).
  171. Currently bridge users cache their bridge descriptors to the
  172. "cached-descriptors" file (annotated with purpose "bridge"), but
  173. they don't make any attempt to reuse descriptors they find in this
  174. file. The theory is that either the bridge is available now, in which
  175. case you can get a fresh descriptor, or it's not, in which case an
  176. old descriptor won't do you much good.
  177. We could disable writing out the bridge lines to the state file, if
  178. we think this is a problem.
  179. As an exception, if we get an application request when we have one
  180. or more bridge descriptors but we believe none of them are running,
  181. we mark them all as running again. This is similar to the exception
  182. already in place to help long-idle Tor clients realize they should
  183. fetch fresh directory information rather than just refuse requests.
  184. 3.3. Bridges as directory guards
  185. In addition to using bridges as the first hop in their circuits, bridge
  186. users also use them to fetch directory updates. Other than initial
  187. bootstrapping to find a working bridge descriptor (see Section 3.4
  188. below), all further non-anonymized directory fetches will be redirected
  189. to the bridge.
  190. This means that bridge relays need to have cached answers for all
  191. questions the bridge user might ask. This makes the upgrade path
  192. tricky --- for example, if we migrate to a v4 directory design, the
  193. bridge user would need to keep using v3 so long as his bridge relays
  194. only knew how to answer v3 queries.
  195. In a future design, for cases where the user has enough information
  196. to build circuits yet the chosen bridge doesn't know how to answer a
  197. given query, we might teach bridge users to make an anonymized request
  198. to a more suitable directory server.
  199. 3.4. How bridge users get their bridge descriptor
  200. Bridge users can fetch bridge descriptors in two ways: by going directly
  201. to the bridge and asking for "/tor/server/authority", or by going to
  202. the bridge authority and asking for "/tor/server/fp/ID". By default,
  203. they will only try the direct queries. If the user sets
  204. UpdateBridgesFromAuthority 1
  205. in his config file, then he will try querying the bridge authority
  206. first for bridges where he knows a digest (if he only knows an IP
  207. address and ORPort, then his only option is a direct query).
  208. If the user has at least one working bridge, then he will do further
  209. queries to the bridge authority through a full three-hop Tor circuit.
  210. But when bootstrapping, he will make a direct begin_dir-style connection
  211. to the bridge authority.
  212. As of Tor 0.2.0.10-alpha, if the user attempts to fetch a descriptor
  213. from the bridge authority and it returns a 404 not found, the user
  214. will automatically fall back to trying a direct query. Therefore it is
  215. recommended that bridge users always set UpdateBridgesFromAuthority,
  216. since at worst it will delay their fetches a little bit and notify
  217. the bridge authority of the identity fingerprint (but not location)
  218. of their intended bridges.
  219. 3.5. Bridge descriptor retry schedule
  220. Bridge users try to fetch a descriptor for each bridge (using the
  221. steps in Section 3.4 above) on startup. Whenever they receive a
  222. bridge descriptor, they reschedule a new descriptor download for 1
  223. hour from then.
  224. If on the other hand it fails, they try again after 15 minutes for the
  225. first attempt, after 15 minutes for the second attempt, and after 60
  226. minutes for subsequent attempts.
  227. In 0.2.1.x we should come up with some smarter retry schedules.
  228. 3.6. Vidalia integration
  229. Vidalia 0.0.15 has a new checkbox in its Network config window called
  230. "My ISP blocks connections to the Tor network." Users who click that
  231. box change their configuration to:
  232. TunnelDirConns 1
  233. PreferTunneledDirConns 1
  234. Once the box is checked, there is also a section for adding bridge
  235. identifiers. When at least one bridge identifier is present, Vidalia
  236. also changes their config to:
  237. UseBridges 1
  238. UpdateBridgesFromAuthority 1
  239. and updates their Bridge config option accordingly.
  240. 3.7. When should we make TunnelDirConns default
  241. Right now Tor's directory requests can be filtered on the network,
  242. and some tools used by Middle Eastern governments even do this. A user
  243. who wants to circumvent these filters should click the above box in
  244. Vidalia 0.0.15. But at what point should we make tunneled directory
  245. requests the default?
  246. Once proposal 124 (modified TLS handshake) is in place, we should
  247. consider doing the switch. This might even be in the 0.2.0.x timeframe.
  248. 3.8. Do we need a second layer of entry guards?
  249. If the bridge user uses the bridge as its entry guard, then the
  250. triangulation attacks from Lasse and Paul's Oakland paper work to
  251. locate the user's bridge(s).
  252. Worse, this is another way to enumerate bridges: if the bridge users
  253. keep rotating through second hops, then if you run a few fast servers
  254. (and avoid getting considered an Exit or a Guard) you'll quickly get
  255. a list of the bridges in active use.
  256. That's probably the strongest reason why bridge users will need to
  257. pick second-layer guards. Would this mean bridge users should switch
  258. to four-hop circuits?
  259. We should figure this out in the 0.2.1.x timeframe.