Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 9bbb4a1b40
Branches Tags
tor
/
doc
/
spec
/
bridges-spec.txt

bridges-spec.txt 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249 
  1. 

  2.                           Tor bridges specification
    3. 

  3. 

  4. 0. Preface
    5. 

  5. 

  6.   This document describes the design decisions around support for bridge
    7. 

  7.   users, bridge relays, and bridge authorities. It acts as an overview
    8. 

  8.   of the bridge design and deployment for developers, and it also tries
    9. 

  9.   to point out limitations in the current design and implementation.
    10. 

  10. 

  11.   For more details on what all of these mean, look at blocking.tex in
    12. 

  12.   /doc/design-paper/
    13. 

  13. 

  14. 1. Bridge relays
    15. 

  15. 

  16.   Bridge relays are just like normal Tor relays except they don't publish
    17. 

  17.   their server descriptors to the main directory authorities.
    18. 

  18. 

  19. 1.1. PublishServerDescriptor
    20. 

  20. 

  21.   To configure your relay to be a bridge relay, just add
    22. 

  22.     BridgeRelay 1
    23. 

  23.     PublishServerDescriptor bridge
    24. 

  24.   to your torrc. This will cause your relay to publish its descriptor
    25. 

  25.   to the bridge authorities rather than to the default authorities.
    26. 

  26. 

  27.   Alternatively, you can say
    28. 

  28.     BridgeRelay 1
    29. 

  29.     PublishServerDescriptor 0
    30. 

  30.   which will cause your relay to not publish anywhere. This could be
    31. 

  31.   useful for private bridges.
    32. 

  32. 

  33. 1.2. Recommendations.
    34. 

  34. 

  35.   Bridge relays should use an exit policy of "reject *:*". This is
    36. 

  36.   because they only need to relay traffic between the bridge users
    37. 

  37.   and the rest of the Tor network, so there's no need to let people
    38. 

  38.   exit directly from them.
    39. 

  39. 

  40.   We invented the RelayBandwidth* options for this situation: Tor clients
    41. 

  41.   who want to allow relaying too. See proposal 111 for details. Relay
    42. 

  42.   operators should feel free to rate-limit their relayed traffic.
    43. 

  43. 

  44. 1.3. Implementation note.
    45. 

  45. 

  46.   Vidalia 0.0.15 has turned its "Relay" settings page into a tri-state
    47. 

  47.   "Don't relay" / "Relay for the Tor network" / "Help censored users".
    48. 

  48. 

  49.   If you click the third choice, it forces your exit policy to reject *:*.
    50. 

  50. 

  51.   If all the bridges end up on port 9001, that's not so good. On the
    52. 

  52.   other hand, putting the bridges on a low-numbered port in the Unix
    53. 

  53.   world requires jumping through extra hoops. The current compromise is
    54. 

  54.   that Vidalia makes the ORPort default to 443 on Windows, and 9001 on
    55. 

  55.   other platforms.
    56. 

  56. 

  57.   At the bottom of the relay config settings window, Vidalia displays
    58. 

  58.   the bridge identifier to the operator (see Section 3.1) so he can pass
    59. 

  59.   it on to bridge users.
    60. 

  60. 

  61. 2. Bridge authorities.
    62. 

  62. 

  63.   Bridge authorities are like normal v3 directory authorities, except
    64. 

  64.   they don't create their own network-status documents or votes. So if
    65. 

  65.   you ask a bridge authority for a network-status document or consensus,
    66. 

  66.   they behave like a directory mirror: they give you one from one of
    67. 

  67.   the main authorities. But if you ask the bridge authority for the
    68. 

  68.   descriptor corresponding to a particular identity fingerprint, it will
    69. 

  69.   happily give you the latest descriptor for that fingerprint.
    70. 

  70. 

  71.   To become a bridge authority, add these lines to your torrc:
    72. 

  72.     AuthoritativeDirectory 1
    73. 

  73.     BridgeAuthoritativeDir 1
    74. 

  74. 

  75.   Right now there's one bridge authority, running on the Tonga relay.
    76. 

  76. 

  77. 2.1. Exporting bridge-purpose descriptors
    78. 

  78. 

  79.   We've added a new purpose for server descriptors: the "bridge"
    80. 

  80.   purpose. With the new router-descriptors file format that includes
    81. 

  81.   annotations, it's easy to look through it and find the bridge-purpose
    82. 

  82.   descriptors.
    83. 

  83. 

  84.   Currently we export the bridge descriptors from Tonga to the
    85. 

  85.   BridgeDB server, so it can give them out according to the policies
    86. 

  86.   in blocking.pdf.
    87. 

  87. 

  88. 2.2. Reachability/uptime testing
    89. 

  89. 

  90.   Right now the bridge authorities do active reachability testing of
    91. 

  91.   bridges, so we know which ones to recommend for users.
    92. 

  92. 

  93.   But in the design document, we suggested that bridges should publish
    94. 

  94.   anonymously (i.e. via Tor) to the bridge authority, so somebody watching
    95. 

  95.   the bridge authority can't just enumerate all the bridges. But if we're
    96. 

  96.   doing active measurement, the game is up. Perhaps we should back off on
    97. 

  97.   this goal, or perhaps we should do our active measurement anonymously?
    98. 

  98. 

  99.   Answering this issue is scheduled for 0.2.1.x.
    100. 

  100. 

  101. 2.3. Future work: migrating to multiple bridge authorities
    102. 

  102. 

  103.   Having only one bridge authority is both a trust bottleneck (if you
    104. 

  104.   break into one place you learn about every single bridge we've got)
    105. 

  105.   and a robustness bottleneck (when it's down, bridge users become sad).
    106. 

  106. 

  107.   Right now if we put up a second bridge authority, all the bridges would
    108. 

  108.   publish to it, and (assuming the code works) bridge users would query
    109. 

  109.   a random bridge authority. This resolves the robustness bottleneck,
    110. 

  110.   but makes the trust bottleneck even worse.
    111. 

  111. 

  112.   In 0.2.2.x and later we should think about better ways to have multiple
    113. 

  113.   bridge authorities.
    114. 

  114. 

  115. 3. Bridge users.
    116. 

  116. 

  117.   Bridge users are like ordinary Tor users except they use encrypted
    118. 

  118.   directory connections by default, and they use bridge relays as both
    119. 

  119.   entry guards (their first hop) and directory guards (the source of
    120. 

  120.   all their directory information).
    121. 

  121. 

  122.   To become a bridge user, add the following line to your torrc:
    123. 

  123.     UseBridges 1
    124. 

  124. 

  125.   and then add at least one "Bridge" line to your torrc based on the
    126. 

  126.   format below.
    127. 

  127. 

  128. 3.1. Format of the bridge identifier.
    129. 

  129. 

  130.   The canonical format for a bridge identifier contains an IP address,
    131. 

  131.   an ORPort, and an identity fingerprint:
    132. 

  132.     bridge 128.31.0.34:9009 4C17 FB53 2E20 B2A8 AC19 9441 ECD2 B017 7B39 E4B1
    133. 

  133. 

  134.   However, the identity fingerprint can be left out, in which case the
    135. 

  135.   bridge user will connect to that relay and use it as a bridge regardless
    136. 

  136.   of what identity key it presents:
    137. 

  137.     bridge 128.31.0.34:9009
    138. 

  138.   This might be useful for cases where only short bridge identifiers
    139. 

  139.   can be communicated to bridge users.
    140. 

  140. 

  141.   In a future version we may also support bridge identifiers that are
    142. 

  142.   only a key fingerprint:
    143. 

  143.     bridge 4C17 FB53 2E20 B2A8 AC19 9441 ECD2 B017 7B39 E4B1
    144. 

  144.   and the bridge user can fetch the latest descriptor from the bridge
    145. 

  145.   authority (see Section 3.4).
    146. 

  146. 

  147. 3.2. Bridges as entry guards
    148. 

  148. 

  149.   For now, bridge users add their bridge relays to their list of "entry
    150. 

  150.   guards" (see path-spec.txt for background on entry guards). They are
    151. 

  151.   managed by the entry guard algorithms exactly as if they were a normal
    152. 

  152.   entry guard -- their keys and timing get cached in the "state" file,
    153. 

  153.   etc. This means that when the Tor user starts up with "UseBridges"
    154. 

  154.   disabled, he will skip past the bridge entries since they won't be
    155. 

  155.   listed as up and usable in his networkstatus consensus. But to be clear,
    156. 

  156.   the "entry_guards" list doesn't currently distinguish guards by purpose.
    157. 

  157. 

  158.   Internally, each bridge user keeps a smartlist of "bridge_info_t"
    159. 

  159.   that reflects the "bridge" lines from his torrc along with a download
    160. 

  160.   schedule (see Section 3.5 below). When he starts Tor, he attempts
    161. 

  161.   to fetch a descriptor for each configured bridge (see Section 3.4
    162. 

  162.   below). When he succeeds at getting a descriptor for one of the bridges
    163. 

  163.   in his list, he adds it directly to the entry guard list using the
    164. 

  164.   normal add_an_entry_guard() interface. Once a bridge descriptor has
    165. 

  165.   been added, should_delay_dir_fetches() will stop delaying further
    166. 

  166.   directory fetches, and the user begins to bootstrap his directory
    167. 

  167.   information from that bridge (see Section 3.3).
    168. 

  168. 

  169.   Currently bridge users cache their bridge descriptors to the
    170. 

  170.   "cached-descriptors" file (annotated with purpose "bridge"), but
    171. 

  171.   they don't make any attempt to reuse descriptors they find in this
    172. 

  172.   file. The theory is that either the bridge is available now, in which
    173. 

  173.   case you can get a fresh descriptor, or it's not, in which case an
    174. 

  174.   old descriptor won't do you much good.
    175. 

  175. 

  176.   We could disable writing out the bridge lines to the state file, if
    177. 

  177.   we think this is a problem.
    178. 

  178. 

  179.   As an exception, if we get an application request when we have one
    180. 

  180.   or more bridge descriptors but we believe none of them are running,
    181. 

  181.   we mark them all as running again. This is similar to the exception
    182. 

  182.   already in place to help long-idle Tor clients realize they should
    183. 

  183.   fetch fresh directory information rather than just refuse requests.
    184. 

  184. 

  185. 3.3. Bridges as directory guards
    186. 

  186. 

  187.   In addition to using bridges as the first hop in their circuits, bridge
    188. 

  188.   users also use them to fetch directory updates. Other than initial
    189. 

  189.   bootstrapping to find a working bridge descriptor (see Section 3.4
    190. 

  190.   below), all further non-anonymized directory fetches will be redirected
    191. 

  191.   to the bridge.
    192. 

  192. 

  193.   This means that bridge relays need to have cached answers for all
    194. 

  194.   questions the bridge user might ask. This makes the upgrade path
    195. 

  195.   tricky --- for example, if we migrate to a v4 directory design, the
    196. 

  196.   bridge user would need to keep using v3 so long as his bridge relays
    197. 

  197.   only knew how to answer v3 queries.
    198. 

  198. 

  199.   In a future design, for cases where the user has enough information
    200. 

  200.   to build circuits yet the chosen bridge doesn't know how to answer a
    201. 

  201.   given query, we might teach bridge users to make an anonymized request
    202. 

  202.   to a more suitable directory server.
    203. 

  203. 

  204. 3.4. How bridge users get their bridge descriptor
    205. 

  205. 

  206.   Bridge users can fetch bridge descriptors in two ways: by going directly
    207. 

  207.   to the bridge and asking for "/tor/server/authority", or by going to
    208. 

  208.   the bridge authority and asking for "/tor/server/fp/ID". By default,
    209. 

  209.   they will only try the direct queries. If the user sets
    210. 

  210.     UpdateBridgesFromAuthority 1
    211. 

  211.   in his config file, then he will try querying the bridge authority
    212. 

  212.   first for bridges where he knows a digest (if he only knows an IP
    213. 

  213.   address and ORPort, then his only option is a direct query).
    214. 

  214. 

  215.   If the user has at least one working bridge, then he will do further
    216. 

  216.   queries to the bridge authority through a full three-hop Tor circuit.
    217. 

  217.   But when bootstrapping, he will make a direct begin_dir-style connection
    218. 

  218.   to the bridge authority.
    219. 

  219. 

  220.   As of Tor 0.2.0.10-alpha, if the user attempts to fetch a descriptor
    221. 

  221.   from the bridge authority and it returns a 404 not found, the user
    222. 

  222.   will automatically fall back to trying a direct query. Therefore it is
    223. 

  223.   recommended that bridge users always set UpdateBridgesFromAuthority,
    224. 

  224.   since at worst it will delay their fetches a little bit and notify
    225. 

  225.   the bridge authority of the identity fingerprint (but not location)
    226. 

  226.   of their intended bridges.
    227. 

  227. 

  228. 3.5. Bridge descriptor retry schedule
    229. 

  229. 

  230.   Bridge users try to fetch a descriptor for each bridge (using the
    231. 

  231.   steps in Section 3.4 above) on startup. Whenever they receive a
    232. 

  232.   bridge descriptor, they reschedule a new descriptor download for 1
    233. 

  233.   hour from then.
    234. 

  234. 

  235.   If on the other hand it fails, they try again after 15 minutes for the
    236. 

  236.   first attempt, after 15 minutes for the second attempt, and after 60
    237. 

  237.   minutes for subsequent attempts.
    238. 

  238. 

  239.   In 0.2.2.x we should come up with some smarter retry schedules.
    240. 

  240. 

  241. 3.6. Implementation note.
    242. 

  242. 

  243.   Vidalia 0.1.0 has a new checkbox in its Network config window called
    244. 

  244.   "My ISP blocks connections to the Tor network." Users who click that
    245. 

  245.   box change their configuration to:
    246. 

  246.     UseBridges 1
    247. 

  247.     UpdateBridgesFromAuthority 1
    248. 

  248.   and should add at least one bridge identifier.
    249. 

  249.