Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 69fa5be7b6
Branches Tags
tor
/
doc
/
dir-spec.txt

dir-spec.txt 3.9 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697 
  1. $Id$
    2. 

  2. 

  3.                       Tor network discovery protocol
    4. 

  4. 

  5. 0. Scope
    6. 

  6. 

  7. This document proposes a way of doing more distributed network discovery
    8. 

  8. while maintaining some amount of admission control. We don't recommend
    9. 

  9. you implement this as-is; it needs more discussion.
    10. 

  10. 

  11. Terminology:
    12. 

  12.   - Client: The Tor component that chooses paths.
    13. 

  13.   - Server: A relay node that passes traffic along.
    14. 

  14. 

  15. 1. Goals.
    16. 

  16. 

  17. We want more decentralized discovery for network topology and status.
    18. 

  18. In particular:
    19. 

  19. 

  20. 1a. We want to let clients learn about new servers from anywhere
    21. 

  21.     and build circuits through them if they wish. This means that
    22. 

  22.     Tor nodes need to be able to Extend to nodes they don't already
    23. 

  23.     know about. This is already implemented, but see the 'Extend policy'
    24. 

  24.     issue below.
    25. 

  25. 

  26. 1b. We want to provide a robust (available) and not-too-centralized
    27. 

  27.     mechanism for tracking network status (which nodes are up and working)
    28. 

  28.     and admission (which nodes are "recommended" for certain uses).
    29. 

  29. 

  30. 1c. [optional] We want to permit servers that can't route to all other
    31. 

  31.     servers, e.g. because they're behind NAT or otherwise firewalled.
    32. 

  32. 

  33. 2. Assumptions.
    34. 

  34. 

  35. People get the code from us, and they trust us (or our gpg keys, or
    36. 

  36. something down the trust chain that's equivalent).
    37. 

  37. 

  38. Even if the software allows humans to change the client configuration,
    39. 

  39. most of them will use the default that's provided, so we should provide
    40. 

  40. one that is the right balance of robust and safe.
    41. 

  41. 

  42. Assume that Sybil attackers can produce only a limited number of
    43. 

  43. independent-looking nodes.
    44. 

  44. 

  45. Roger has only a limited amount of time for approving nodes, and doesn't
    46. 

  46. want to be the time bottleneck anyway.
    47. 

  47. 

  48. We can trust servers to accurately report their characteristics (uptime,
    49. 

  49. capacity, exit policies, etc), as long as we have some mechanism for
    50. 

  50. notifying clients when we notice that they're lying.
    51. 

  51. 

  52. There exists a "main" core Internet in which most locations can access
    53. 

  53. most locations. We'll focus on it first.
    54. 

  54. 

  55. 3. Some notes on how to achieve.
    56. 

  56. 

  57. We ship with S (e.g. 3) seed keys.
    58. 

  58. We ship with N (e.g. 20) introducer locations and fingerprints.
    59. 

  59. We ship with some set of signed timestamped certs for those introducers.
    60. 

  60. 

  61. Introducers serve signed network-status pages, listing their opinions
    62. 

  62. of network status and which routers are good.
    63. 

  63. 

  64. They also serve descriptors in some way. These don't need to be signed by
    65. 

  65. the introducers, since they're self-signed and timestamped by each server.
    66. 

  66. 

  67. A DHT is not so appropriate for distributing server descriptors as long
    68. 

  68. as we expect each client to plan to collect all of them periodically. It
    69. 

  69. would seem that each introducer might as well just keep its own
    70. 

  70. big pile of descriptors, and they synchronize (pull) from each other
    71. 

  71. periodically. Clients then get network-status pages from a threshold of
    72. 

  72. introducers, fetch enough of the server descriptors to make them happy,
    73. 

  73. and proceed as now. Anything wrong with this?
    74. 

  74. 

  75. Notice that this doesn't preclude other approaches to discovering
    76. 

  76. different concurrent Tor networks. For example, a Tor network inside
    77. 

  77. China could ship Tor with a different torrc and poof, they're using
    78. 

  78. a different set of seed keys and a different set of introducers. Some
    79. 

  79. smarter clients could be made to learn about both networks, and be told
    80. 

  80. which nodes bridge the networks.
    81. 

  81. 

  82. 

  83. 

  84. 4. Unresolved:
    85. 

  85.   - What new features need to be added to server descriptors so they
    86. 

  86.     remain compact yet support new functionality?
    87. 

  87.   - How do we compactly describe seeds, introducers, and certs? Does
    88. 

  88.     Tor have built-in defaults still, that can be overridden?
    89. 

  89.   - How much cert functionality do we want in our PKI? Can we revoke
    90. 

  90.     introducers, or is that done by releasing a new version of the code?
    91. 

  91.   - By what mechanism will new servers contact the humans who run
    92. 

  92.     introducers, so they can be approved?
    93. 

  93.   - Is our network growing because of peoples' trust in Roger? Will it
    94. 

  94.     grow the same way, or as robustly, or more robustly, with no
    95. 

  95.     figurehead?
    96. 

  96.   - 'Extend policies' -- middleman doesn't really mean middleman, alas.
    97. 

  97.