tor-spec.txt 26 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621
  1. $Id$
  2. TOR Spec
  3. Note: This is an attempt to specify TOR as it exists as implemented in
  4. early June, 2003. It is not recommended that others implement this
  5. design as it stands; future versions of TOR will implement improved
  6. protocols.
  7. TODO: (very soon)
  8. - Specify truncate/truncated
  9. - Sendme w/stream0 is circuit sendme
  10. - Integrate -NM and -RD comments
  11. 0. Notation:
  12. PK -- a public key.
  13. SK -- a private key
  14. K -- a key for a symmetric cypher
  15. a|b -- concatenation of 'a' with 'b'.
  16. a[i:j] -- Bytes 'i' through 'j'-1 (inclusive) of the string a.
  17. All numeric values are encoded in network (big-endian) order.
  18. Unless otherwise specified, all symmetric ciphers are AES in counter
  19. mode, with an IV of all 0 bytes. Asymmetric ciphers are either RSA
  20. with 1024-bit keys and exponents of 65537, or DH with the safe prime
  21. from rfc2409, section 6.2, whose hex representation is:
  22. "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
  23. "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
  24. "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
  25. "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
  26. "49286651ECE65381FFFFFFFFFFFFFFFF"
  27. 1. System overview
  28. Tor is a connection-oriented anonymizing communication service. Users
  29. build a path known as a "virtual circuit" through the network, in which
  30. each node knows its predecessor and successor, but no others. Traffic
  31. flowing down the circuit is unwrapped by a symmetric key at each node,
  32. which reveals the downstream node.
  33. 2. Connections
  34. 2.1. Establishing connections to onion routers (ORs)
  35. There are two ways to connect to an OR. The first is as an onion
  36. proxy (OP), which allows any node to connect without providing any
  37. authentication or name. The second is as another OR, which allows
  38. strong authentication. In both cases the initiating party (called
  39. the 'client') sets up shared keys with the listening OR (called the
  40. 'server').
  41. Before the handshake begins, assume all parties know the {(1024-bit)
  42. public key, IPV4 address, and port} triplet of each OR.
  43. 1. Client connects to server:
  44. The client generates a pair of 16-byte symmetric keys (one
  45. [K_f] for the 'forward' stream from client to server, and one
  46. [K_b] for the 'backward' stream from server to client) to be
  47. used for link encryption.
  48. The client then generates a 'Client authentication' message [M]
  49. containing:
  50. (If client is an OP)
  51. The number 1 to signify OP handshake [2 bytes]
  52. Forward link key [K_f] [16 bytes]
  53. Backward link key [K_b] [16 bytes]
  54. [Total: 34 bytes]
  55. (If client is an OR)
  56. The number 2 to signify OR handshake [2 bytes]
  57. The client's published IPV4 address [4 bytes]
  58. The client's published port [2 bytes]
  59. The server's published IPV4 address [4 bytes]
  60. The server's published port [2 bytes]
  61. The forward key [K_f] [16 bytes]
  62. The backward key [K_b] [16 bytes]
  63. [Total: 46 bytes]
  64. The client then RSA-encrypts [M] with the server's public key
  65. and PKCS1 padding to give an encrypted message.
  66. The client then opens a TCP connection to the server, sends
  67. the 128-byte RSA-encrypted data to the server, and waits for a
  68. reply.
  69. 2. The server receives the first handshake:
  70. The OR waits for 128 bytes of data, and decrypts the resulting
  71. data with its private key, checking the PKCS1 padding. If
  72. the padding is invalid, it closes the connection. If the tag
  73. indicates the client is an OP, and the message is 34 bytes long,
  74. it performs step 2a. If the tag indicates the client is an OR,
  75. and the message is 46 bytes long, it performs step 2b. Else,
  76. it closes the connection.
  77. 2a. If client is an OP:
  78. The connection is established, and the OR is ready to receive
  79. cells. The server sets its keys for this connection, setting K_f
  80. to the client's K_b, and K_b to the client's K_f. The handshake
  81. is complete.
  82. 2b. If the client is an OR:
  83. The server checks the list of known ORs for one with the address
  84. and port given in the client's authentication. If no such OR
  85. is known, or if the server is already connected to that OR, the
  86. server closes the current TCP connection and stops handshaking.
  87. The server sets its keys for this connection, setting K_f to
  88. the client's K_b, and K_b to the client's K_f.
  89. The server then creates a server authentication message [M2] as
  90. follows:
  91. Client's handshake [M] [44 bytes]
  92. A random nonce [N] [8 bytes]
  93. [Total: 52 bytes]
  94. The server encrypts M2 with the client's public key (found
  95. from the list of known routers), using PKCS1 padding.
  96. The server sends the 128-byte encrypted message to the client,
  97. and waits for a reply.
  98. 3. Client authenticates to server.
  99. Once the client has received 128 bytes, it decrypts them with
  100. its public key, and checks the PKCS1 padding. If the padding
  101. is invalid, or the decrypted message's length is other than 52
  102. bytes, the client closes the TCP connection.
  103. The client checks that the addresses and keys in the reply
  104. message are the same as the ones it originally sent. If not,
  105. it closes the TCP connection.
  106. The client generates the following authentication message [M3]:
  107. The client's published IPV4 address [4 bytes]
  108. The client's published port [2 bytes]
  109. The server's published IPV4 address [4 bytes]
  110. The server's published port [2 bytes]
  111. The server-generated nonce [N] [8 bytes]
  112. [Total: 20 bytes]
  113. Once again, the client encrypts this message using the
  114. server's public key and PKCS1 padding, and sends the resulting
  115. 128-byte message to the server.
  116. 4. Server checks client authentication
  117. The server once again waits to receive 128 bytes from the
  118. client, decrypts the message with its private key, and checks
  119. the PKCS1 padding. If the padding is incorrect, or if the
  120. message's length is other than 20 bytes, the server closes the
  121. TCP connection and stops handshaking.
  122. If the addresses in the decrypted message M3 match those in M
  123. and M2, and if the nonce in M3 is the same as in M2, the
  124. handshake is complete, and the client and server begin sending
  125. cells to one another. Otherwise, the server closes the TCP
  126. connection.
  127. 2.2. Sending cells and link encryption
  128. Once the handshake is complete, the two sides send cells
  129. (specified below) to one another. Cells are sent serially,
  130. encrypted with the AES-CTR keystream specified by the handshake
  131. protocol. Over a connection, communicants encrypt outgoing cells
  132. with the connection's K_f, and decrypt incoming cells with the
  133. connection's K_b.
  134. [Commentary: This means that OR/OP->OR connections are malleable; I
  135. can flip bits in cells as they go across the wire, and see flipped
  136. bits coming out the cells as they are decrypted at the next
  137. server. I need to look more at the data format to see whether
  138. this is exploitable, but if there's no integrity checking there
  139. either, I suspect we may have an attack here. -NM]
  140. [Yes, this protocol is open to tagging attacks. The payloads are
  141. encrypted inside the network, so it's only at the edge node and beyond
  142. that it's a worry. But adversaries can already count packets and
  143. observe/modify timing. It's not worth putting in hashes; indeed, it
  144. would be quite hard, because one of the sides of the circuit doesn't
  145. know the keys that are used for de/encrypting at each hop, so couldn't
  146. craft hashes anyway. See the Bandwidth Throttling (threat model)
  147. thread on http://archives.seul.org/or/dev/Jul-2002/threads.html. -RD]
  148. [Even if I don't control both sides of the connection, I can still
  149. do evil stuff. For instance, if I can guess that a cell is a
  150. TOPIC_COMMAND_BEGIN cell to www.slashdot.org:80 , I can change the
  151. address and port to point to a machine I control. -NM]
  152. [We're going to address this tagging issue with e2e-only hashes.
  153. See TODO file. -RD]
  154. 3. Cell Packet format
  155. The basic unit of communication for onion routers and onion
  156. proxies is a fixed-width "cell". Each cell contains the following
  157. fields:
  158. ACI (anonymous circuit identifier) [2 bytes]
  159. Command [1 byte]
  160. Length [1 byte]
  161. Sequence number (unused, set to 0) [4 bytes]
  162. Payload (padded with 0 bytes) [248 bytes]
  163. [Total size: 256 bytes]
  164. The 'Command' field holds one of the following values:
  165. 0 -- PADDING (Padding) (See Sec 6.2)
  166. 1 -- CREATE (Create a circuit) (See Sec 4)
  167. 2 -- CREATED (Acknowledge create) (See Sec 4)
  168. 3 -- RELAY (End-to-end data) (See Sec 5)
  169. 4 -- DESTROY (Stop using a circuit) (See Sec 4)
  170. The interpretation of 'Length' and 'Payload' depend on the type of
  171. the cell.
  172. PADDING: Neither field is used.
  173. CREATE: Length is 144; the payload contains the first phase of the
  174. DH handshake.
  175. CREATED: Length is 128; the payload contains the second phase of
  176. the DH handshake.
  177. RELAY: Length is a value between 8 and 248; the first 'length'
  178. bytes of payload contain useful data.
  179. DESTROY: Neither field is used.
  180. Unused fields are filled with 0 bytes. The payload is padded with
  181. 0 bytes.
  182. PADDING cells are currently used to implement connection
  183. keepalive. ORs and OPs send one another a PADDING cell every few
  184. minutes.
  185. CREATE and DESTROY cells are used to manage circuits; see section
  186. 4 below.
  187. RELAY cells are used to send commands and data along a circuit; see
  188. section 5 below.
  189. 4. Circuit management
  190. 4.1. CREATE and CREATED cells
  191. Users set up circuits incrementally, one hop at a time. To create
  192. a new circuit, users send a CREATE cell to the first node, with the
  193. first half of the DH handshake; that node responds with a CREATED cell
  194. with the second half of the DH handshake. To extend a circuit past
  195. the first hop, the user sends an EXTEND relay cell (see section 5)
  196. which instructs the last node in the circuit to send a CREATE cell
  197. to extend the circuit.
  198. The payload for a CREATE cell is an 'onion skin', consisting of:
  199. RSA-encrypted data [128 bytes]
  200. Symmetrically-encrypted data [16 bytes]
  201. The RSA-encrypted portion contains:
  202. Symmetric key [16 bytes]
  203. First part of DH data (g^x) [112 bytes]
  204. The symmetrically encrypted portion contains:
  205. Second part of DH data (g^x) [16 bytes]
  206. The two parts of the DH data, once decrypted and concatenated, form
  207. g^x as calculated by the client.
  208. The relay payload for an EXTEND relay cell consists of:
  209. Address [4 bytes]
  210. Port [2 bytes]
  211. Onion skin [144 bytes]
  212. The port and address field denote the IPV4 address and port of the
  213. next onion router in the circuit.
  214. 4.2. Setting circuit keys
  215. Once the handshake between the OP and an OR is completed, both
  216. servers can now calculate g^xy with ordinary DH. From the base key
  217. material g^xy, they compute two 16 byte keys, called Kf and Kb as
  218. follows. First, the server represents g^xy as a big-endian
  219. unsigned integer. Next, the server computes 40 bytes of key data
  220. as K = SHA1(g^xy | [00]) | SHA1(g^xy | [01]) where "00" is a single
  221. octet whose value is zero, and "01" is a single octet whose value
  222. is one. The first 16 bytes of K form Kf, and the next 16 bytes of
  223. K form Kb.
  224. Kf is used to encrypt the stream of data going from the OP to the
  225. OR, whereas Kb is used to encrypt the stream of data going from the
  226. OR to the OP.
  227. 4.3. Creating circuits
  228. When creating a circuit through the network, the circuit creator
  229. performs the following steps:
  230. 1. Choose a chain of N onion routers (R_1...R_N) to constitute
  231. the path, such that no router appears in the path twice.
  232. 2. If not already connected to the first router in the chain,
  233. open a new connection to that router.
  234. 3. Choose an ACI not already in use on the connection with the
  235. first router in the chain. If our address/port pair is
  236. numerically higher than the address/port pair of the other
  237. side, then let the high bit of the ACI be 1, else 0.
  238. 4. Send a CREATE cell along the connection, to be received by
  239. the first onion router.
  240. 5. Wait until a CREATED cell is received; finish the handshake
  241. and extract the forward key Kf_1 and the back key Kb_1.
  242. 6. For each subsequent onion router R (R_2 through R_N), extend
  243. the circuit to R.
  244. To extend the circuit by a single onion router R_M, the circuit
  245. creator performs these steps:
  246. 1. Create an onion skin, encrypting the RSA-encrypted part with
  247. R's public key.
  248. 2. Encrypt and send the onion skin in a RELAY_CREATE cell along
  249. the circuit (see section 5).
  250. 3. When a RELAY_CREATED cell is received, calculate the shared
  251. keys. The circuit is now extended.
  252. When an onion router receives an EXTEND relay cell, it sends a
  253. CREATE cell to the next onion router, with the enclosed onion skin
  254. as its payload. The initiating onion router chooses some random
  255. ACI not yet used on the connection between the two onion routers.
  256. As an extension (called router twins), if the desired next onion
  257. router R in the circuit is down, and some other onion router R'
  258. has the same key as R, then it's ok to extend to R' rather than R.
  259. When an onion router receives a CREATE cell, if it already has a
  260. circuit on the given connection with the given ACI, it drops the
  261. cell. Otherwise, sometime after receiving the CREATE cell, it completes
  262. the DH handshake, and replies with a CREATED cell, containing g^y
  263. as its [128 byte] payload. Upon receiving a CREATED cell, an onion
  264. router packs it payload into an EXTENDED relay cell (see section 5),
  265. and sends that cell up the circuit. Upon receiving the EXTENDED
  266. relay cell, the OP can retrieve g^y.
  267. (As an optimization, OR implementations may delay processing onions
  268. until a break in traffic allows time to do so without harming
  269. network latency too greatly.)
  270. 4.4. Tearing down circuits
  271. Circuits are torn down when an unrecoverable error occurs along
  272. the circuit, or when all streams on a circuit are closed and the
  273. circuit's intended lifetime is over. Circuits may be torn down
  274. either completely or hop-by-hop.
  275. To tear down a circuit completely, an OR or OP sends a DESTROY
  276. cell to the adjacent nodes on that circuit, using the appropriate
  277. direction's ACI.
  278. Upon receiving an outgoing DESTROY cell, an OR frees resources
  279. associated with the corresponding circuit. If it's not the end of
  280. the circuit, it sends a DESTROY cell for that circuit to the next OR
  281. in the circuit. If the node is the end of the circuit, then it tears
  282. down any associated edge connections (see section 5.1).
  283. After a DESTROY cell has been processed, an OR ignores all data or
  284. destroy cells for the corresponding circuit.
  285. To tear down part of a circuit, the OP sends a RELAY_TRUNCATE cell
  286. signaling a given OR (Stream ID zero). That OR sends a DESTROY
  287. cell to the next node in the circuit, and replies to the OP with a
  288. RELAY_TRUNCATED cell.
  289. When an unrecoverable error occurs along one connection in a
  290. circuit, the nodes on either side of the connection should, if they
  291. are able, act as follows: the node closer to the OP should send a
  292. RELAY_TRUNCATED cell towards the OP; the node farther from the OP
  293. should send a DESTROY cell down the circuit.
  294. [We'll have to reevaluate this section once we figure out cleaner
  295. circuit/connection killing conventions. -RD]
  296. 4.5. Routing data cells
  297. When an OR receives a RELAY cell, it checks the cell's ACI and
  298. determines whether it has a corresponding circuit along that
  299. connection. If not, the OR drops the RELAY cell.
  300. Otherwise, if the OR is not at the OP edge of the circuit (that is,
  301. either an 'exit node' or a non-edge node), it de/encrypts the length
  302. field and the payload with AES/CTR, as follows:
  303. 'Forward' relay cell (same direction as CREATE):
  304. Use Kf as key; encrypt.
  305. 'Back' relay cell (opposite direction from CREATE):
  306. Use Kb as key; decrypt.
  307. If the OR recognizes the stream ID on the cell (it is either the ID
  308. of an open stream or the signaling (zero) ID), the OR processes the
  309. contents of the relay cell. Otherwise, it passes the decrypted
  310. relay cell along the circuit if the circuit continues, or drops the
  311. cell if it's the end of the circuit. [Getting an unrecognized
  312. relay cell at the end of the circuit must be allowed for now;
  313. we can reexamine this once we've designed full tcp-style close
  314. handshakes. -RD]
  315. Otherwise, if the data cell is coming from the OP edge of the
  316. circuit, the OP decrypts the length and payload fields with AES/CTR as
  317. follows:
  318. OP sends data cell to node R_M:
  319. For I=1...M, decrypt with Kf_I.
  320. Otherwise, if the data cell is arriving at the OP edge if the
  321. circuit, the OP encrypts the length and payload fields with AES/CTR as
  322. follows:
  323. OP receives data cell:
  324. For I=N...1,
  325. Encrypt with Kb_I. If the stream ID is a recognized
  326. stream for R_I, or if the stream ID is the signaling
  327. ID (zero), then stop and process the payload.
  328. For more information, see section 5 below.
  329. 5. Application connections and stream management
  330. 5.1. Streams
  331. Within a circuit, the OP and the exit node use the contents of
  332. RELAY packets to tunnel end-to-end commands and TCP connections
  333. ("Streams") across circuits. End-to-end commands can be initiated
  334. by either edge; streams are initiated by the OP.
  335. The first 8 bytes of each relay cell are reserved as follows:
  336. Relay command [1 byte]
  337. Stream ID [7 bytes]
  338. The recognized relay commands are:
  339. 1 -- RELAY_BEGIN
  340. 2 -- RELAY_DATA
  341. 3 -- RELAY_END
  342. 4 -- RELAY_CONNECTED
  343. 5 -- RELAY_SENDME
  344. 6 -- RELAY_EXTEND
  345. 7 -- RELAY_EXTENDED
  346. 8 -- RELAY_TRUNCATE
  347. 9 -- RELAY_TRUNCATED
  348. All RELAY cells pertaining to the same tunneled stream have the
  349. same stream ID. Stream ID's are chosen randomly by the OP. A
  350. stream ID is considered "recognized" on a circuit C by an OP or an
  351. OR if it already has an existing stream established on that
  352. circuit, or if the stream ID is equal to the signaling stream ID,
  353. which is all zero: [00 00 00 00 00 00 00]
  354. To create a new anonymized TCP connection, the OP sends a
  355. RELAY_BEGIN data cell with a payload encoding the address and port
  356. of the destination host. The stream ID is zero. The payload format is:
  357. ADDRESS | ':' | PORT | '\000'
  358. where ADDRESS may be a DNS hostname, or an IPv4 address in
  359. dotted-quad format; and where PORT is encoded in decimal.
  360. Upon receiving this packet, the exit node resolves the address as
  361. necessary, and opens a new TCP connection to the target port. If
  362. the address cannot be resolved, or a connection can't be
  363. established, the exit node replies with a RELAY_END cell.
  364. Otherwise, the exit node replies with a RELAY_CONNECTED cell.
  365. The OP waits for a RELAY_CONNECTED cell before sending any data.
  366. Once a connection has been established, the OP and exit node
  367. package stream data in RELAY_DATA cells, and upon receiving such
  368. cells, echo their contents to the corresponding TCP stream.
  369. 5.2. Closing streams
  370. [Note -- TCP streams can only be half-closed for reading. Our
  371. Bickford's conversation was incorrect. -NM]
  372. Because TCP connections can be half-open, we follow an equivalent
  373. to TCP's FIN/FIN-ACK/ACK protocol to close streams.
  374. A exit conneection can have a TCP stream in one of three states:
  375. 'OPEN', 'DONE_PACKAGING', and 'DONE_DELIVERING'. For the purposes
  376. of modeling transitions, we treat 'CLOSED' as a fourth state,
  377. although connections in this state are not, in fact, tracked by the
  378. onion router.
  379. A stream begins in the 'OPEN' state. Upon receiving a 'FIN' from
  380. the corresponding TCP connection, the edge node sends a 'RELAY_END'
  381. cell along the circuit and changes its state to 'DONE_PACKAGING'.
  382. Upon receiving a 'RELAY_END' cell, an edge node sends a 'FIN' to
  383. the corresponding TCP connection (e.g., by calling
  384. shutdown(SHUT_WR)) and changing its state to 'DONE_DELIVERING'.
  385. When a stream in already in 'DONE_DELIVERING' receives a 'FIN', it
  386. also sends a 'RELAY_END' along the circuit, and changes its state
  387. to 'CLOSED'. When a stream already in 'DONE_PACKAGING' receives a
  388. 'RELAY_END' cell, it sends a 'FIN' and changes its state to
  389. 'CLOSED'.
  390. [Note: Please rename 'RELAY_END2'. :) -NM ]
  391. If an edge node encounters an error on any stram, it sends a
  392. 'RELAY_END2' cell along the circuit (if possible) and closes the
  393. TCP connection immediately. If an edge node receives a
  394. 'RELAY_END2' cell for any stream, it closes the TCP connection
  395. completely, and sends nothing along the circuit.
  396. 6. Flow control
  397. 6.1. Link throttling
  398. Each node should do appropriate bandwidth throttling to keep its
  399. user happy.
  400. Communicants rely on TCP's default flow control to push back when they
  401. stop reading.
  402. 6.2. Link padding
  403. Currently nodes are not required to do any sort of link padding or
  404. dummy traffic. Because strong attacks exist even with link padding,
  405. and because link padding greatly increases the bandwidth requirements
  406. for running a node, we plan to leave out link padding until this
  407. tradeoff is better understood.
  408. 6.3. Circuit-level flow control
  409. To control a circuit's bandwidth usage, each OR keeps track of
  410. two 'windows', consisting of how many RELAY_DATA cells it is
  411. allowed to package for transmission, and how many RELAY_DATA cells
  412. it is willing to deliver to streams outside the network.
  413. Each 'window' value is initially set to 1000 data cells
  414. in each direction (cells that are not data cells do not affect
  415. the window). When an OR is willing to deliver more cells, it sends a
  416. RELAY_SENDME cell towards the OP, with Stream ID zero. When an OR
  417. receives a RELAY_SENDME cell with stream ID zero, it increments its
  418. packaging window.
  419. Either of these cells increment the corresponding window by 100.
  420. The OP behaves identically, except that it must track a packaging
  421. window and a delivery window for every OR in the circuit.
  422. An OR or OP sends cells to increment its delivery window when the
  423. corresponding window value falls under some threshold (900).
  424. If a packaging window reaches 0, the OR or OP stops reading from
  425. TCP connections for all streams on the corresponding circuit, and
  426. sends no more RELAY_DATA cells until receiving a RELAY_SENDME cell.
  427. 6.4. Stream-level flow control
  428. Edge nodes use RELAY_SENDME cells to implement end-to-end flow
  429. control for individual connections across circuits. Similarly to
  430. circuit-level flow control, edge nodes begin with a window of cells
  431. (500) per stream, and increment the window by a fixed value (50)
  432. upon receiving a RELAY_SENDME cell. Edge nodes initiate RELAY_SENDME
  433. cells when both a) the window is <= 450, and b) there are less than
  434. ten cell payloads remaining to be flushed at that edge.
  435. 7. Directories and routers
  436. 7.1. Router descriptor format.
  437. (Unless otherwise noted, tokens on the same line are space-separated.)
  438. Router ::= Router-Line Public-Key Signing-Key? Exit-Policy NL
  439. Router-Line ::= "router" address ORPort OPPort APPort DirPort bandwidth
  440. NL
  441. Public-key ::= a public key in PEM format NL
  442. Signing-Key ::= "signing-key" NL signing key in PEM format NL
  443. Exit-Policy ::= Exit-Line*
  444. Exit-Line ::= ("accept"|"reject") string NL
  445. ORport ::= port where the router listens for other routers (speaking cells)
  446. OPPort ::= where the router listens for onion proxies (speaking cells)
  447. APPort ::= where the router listens for applications (speaking socks)
  448. DirPort ::= where the router listens for directory download requests
  449. bandwidth ::= maximum bandwidth, in bytes/s
  450. Example:
  451. router moria.mit.edu 9001 9011 9021 9031 100000
  452. -----BEGIN RSA PUBLIC KEY-----
  453. MIGJAoGBAMBBuk1sYxEg5jLAJy86U3GGJ7EGMSV7yoA6mmcsEVU3pwTUrpbpCmwS
  454. 7BvovoY3z4zk63NZVBErgKQUDkn3pp8n83xZgEf4GI27gdWIIwaBjEimuJlEY+7K
  455. nZ7kVMRoiXCbjL6VAtNa4Zy1Af/GOm0iCIDpholeujQ95xew7rQnAgMA//8=
  456. -----END RSA PUBLIC KEY-----
  457. signing-key
  458. -----BEGIN RSA PUBLIC KEY-----
  459. 7BvovoY3z4zk63NZVBErgKQUDkn3pp8n83xZgEf4GI27gdWIIwaBjEimuJlEY+7K
  460. MIGJAoGBAMBBuk1sYxEg5jLAJy86U3GGJ7EGMSV7yoA6mmcsEVU3pwTUrpbpCmwS
  461. f/GOm0iCIDpholeujQ95xew7rnZ7kVMRoiXCbjL6VAtNa4Zy1AQnAgMA//8=
  462. -----END RSA PUBLIC KEY-----
  463. reject 18.0.0.0/24
  464. Note: The extra newline at the end of the router block is intentional.
  465. 7.2. Directory format
  466. Directory ::= Directory-Header Directory-Router Router* Signature
  467. Directory-Header ::= "signed-directory" NL Software-Line NL
  468. Software-Line: "recommended-software" comma-separated-version-list
  469. Directory-Router ::= Router
  470. Signature ::= "directory-signature" NL "-----BEGIN SIGNATURE-----" NL
  471. Base-64-encoded-signature NL "-----END SIGNATURE-----" NL
  472. Note: The router block for the directory server must appear first.
  473. The signature is computed by computing the SHA-1 hash of the
  474. directory, from the characters "signed-directory", through the newline
  475. after "directory-signature". This digest is then padded with PKCS.1,
  476. and signed with the directory server's signing key.
  477. 7.3. Behavior of a directory server
  478. lists nodes that are connected currently
  479. speaks http on a socket, spits out directory on request