123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312 |
- $Id$
- Legend:
- SPEC!! - Not specified
- SPEC - Spec not finalized
- NICK - nick claims
- ARMA - arma claims
- PHOBOS - phobos claims
- - Not done
- * Top priority
- . Partially done
- o Done
- D Deferred
- X Abandoned
- Non-Coding, Soon:
- N - Mark up spec; note unclear points about servers
- N - Clean up dir spec.
- N . contact umass folks
- N - Mention controller libs someplace.
- D FAQ entry: why gnutls is bad/not good for tor
- P - flesh out the rest of the section 6 of the faq
- P - gather pointers to livecd distros that include tor
- - put the logo on the website, in source form, so people can put it on
- stickers directly, etc.
- - more pictures from ren. he wants to describe the tor handshake, i want to
- talk about hidden services.
- * clean up the places where our docs are redundant (or worse, obsolete in
- one file and correct elsewhere). agl has a start on a global
- list-of-tor-docs.
- P - update windows docs to clarify which versions of windows, and why a
- DOS window, how it's used, for the less technical users
- NR- write a spec appendix for 'being nice with tor'
- - tor-in-the-media page
- - Ask schanzle@cas.homelinux.org about a patch for rpm spec fixes against
- tor-0.1.0.7.rc
- - Remove need for HACKING file.
- for 0.1.1.x:
- N - if they're trying to be a tor server and they're running
- win 98 or win me, don't let them be a server.
- R - are dirservers auto-verifying duplicate nicknames?
- o tor should auto-sort the recommended-versions strings
- (with the new smartlist sort stuff maybe)
- o setconf SocksBindAddress kills tor if it fails to bind
- o controller libs should support resetconf command.
- N . Additional controller features
- o Find a way to make event info more extensible
- - change circuit status events to give more details, like purpose,
- whether they're internal, when they become dirty, when they become
- too dirty for further circuits, etc.
- R - What do we want here, exactly?
- N - Specify and implement it.
- - Change stream status events analogously.
- R - What do we want here, exactly?
- N - Specify and implement it.
- - Make other events "better".
- - Change stream status events analogously.
- R - What do we want here, exactly?
- N - Specify and implement it.
- - Make other events "better" analogously
- R - What do we want here, exactly?
- N - Specify and implement it.
- . Expose more information via getinfo:
- - import and export rendezvous descriptors
- - Review all static fields for additional candidates
- - Allow EXTENDCIRCUIT to unknown server.
- - We need some way to adjust server status, and to tell tor not to
- download directories/network-status, and a way to force a download.
- - It would be nice to request address lookups from the controller
- without using SOCKS.
- . Helper nodes
- . More testing and debugging
- o On sighup, if usehelpernodes changed to 1, use new circuits?
- - If your helper nodes are unavailable, don't abandon them unless
- other nodes *are* reachable.
- R - If you think an OR conn is open but you can never establish a circuit
- to it, reconsider whether it's actually open.
- - Miscellaneous cleanups
- - switch accountingmax to count total in+out, not either in or
- out. it's easy to move in this direction (not risky), but hard to
- back, out if we decide we prefer it the way it already is. hm.
- . Come up with a coherent strategy for bandwidth buckets and TLS. (The
- logic for reading from TLS sockets is likely to overrun the bandwidth
- buckets under heavy load. (Really, the logic was never right in the
- first place.) Also, we should audit all users of get_pending_bytes().)
- - Make it harder to circumvent bandwidth caps: look at number of bytes
- sent across sockets, not number sent inside TLS stream.
- R o remove the warnings from rendezvous stuff that shouldn't be warnings.
- . Update the hidden service stuff for the new dir approach.
- - switch to an ascii format.
- - authdirservers publish blobs of them.
- - other authdirservers fetch these blobs.
- - hidserv people have the option of not uploading their blobs.
- - you can insert a blob via the controller.
- - and there's some amount of backwards compatibility.
- - teach clients, intro points, and hidservs about auth mechanisms.
- - come up with a few more auth mechanisms.
- - Christian Grothoff's attack of infinite-length circuit.
- the solution is to have a separate 'extend-data' cell type
- which is used for the first N data cells, and only
- extend-data cells can be extend requests.
- - Specify, including thought about
- - Implement
- N - Destroy and truncated cells should have reasons.
- N - Add private:* alias in exit policies to make it easier to ban all the
- fiddly little 192.168.foo addresses.
- (AGL had a patch; consider applying it.)
- N - warn if listening for SOCKS on public IP.
- - cpu fixes:
- - see if we should make use of truncate to retry
- o hardware accelerator support (configure engines.)
- o hardware accelerator support (use instead of aes.c when reasonable)
- - Benchmark this somehow to see whether using EVP_foo is slower in the
- non-engine case than AES_foo. If so, check for AES engine and fall
- back to AES_foo when it's not found.
- R - kill dns workers more slowly
- . Directory changes
- o recommended-versions for client / server ?
- . Some back-out mechanism for auto-approval
- o dirservers have blacklist of IPs and keys they hate
- - a way of rolling back approvals to before a timestamp
- - have new people be in limbo and need to demonstrate usefulness
- before we approve them
- - other?
- R . Dirservers verify reachability claims
- o basic reachability testing, influencing network-status list.
- X rate-limiting the reporting of trouble servers
- R - check reachability as soon as you hear about a new server
- - Decentralization
- - Figure out what to do about hidden service descriptors.
- - find 10 dirservers.
- - (what are criteria to be a dirserver?)
- o Dirservers publish compressed network-status objects.
- o Support retrieving several-at-once
- o Everyone downloads network-status objects
- o Clients: from all directories, round-robin
- o Basic implementation: disable until 0.1.1.x is out.
- o On failure, mark trusted_dir_server as having failed
- o Retry, up to a point.
- - Launch retry immediately on failure.
- o Parse them
- o Cache them, reload on restart
- o Serve cached directories
- o Directories expose individual descriptors
- X By 'if-newer-than' (Does the spec require this??)
- o Support compression.
- o Alice acts on network-status objects
- o Alice downloads descriptors as needed.
- o Figure out what's needed
- o Store it
- o Implement store
- o Implement reload-from-store
- o Store downloaded descriptors
- o Download it
- o As-needed if we have 2 network-status objs.
- o Download "all" if we have less than 2 network-status objs.
- (This has vulnerabilities if we're not careful)
- o Call directory_has_arrived as needed; rename it.
- o Set has_fetched_directory properly.
- o Retry descriptors on failure
- o Give up after a while.
- - But try again after a long while (???)
- o Check software versions according to some sane plan.
- - Warn again after 24 hours.
- o Alice sets descriptor status from network-status
- o Implement
- o Use
- N . Routerdesc download changes
- o Refactor combined-status to be its own type.
- o Change rule from "do not launch new connections when one exists" to
- "do not request any fingerprint that we're currently requesting."
- o Launch connections every minute, or whenever a download fails
- o Retry failed routerdescs after 0, 1, 5, 10 minutes.
- o Mirrors retry harder and more often. (0, 0, 1, 1, 2, 5, and 15)
- o Reset failure count every 60 minutes
- o Drop fallback to download-all. Also, always split download.
- - Only use a routerdesc if you recognize its hash.
- - (Must defer till dirservers are upgraded to latest code, which
- actually generates these hashes.)
- - Of course, authdirservers must not do this.
- - Should directory mirrors do something else entirely?
- - Use has_fetched_directory sanely, whatever that means.
- - What *does* that mean?
- o If we have a routerdesc for Bob, and he says, "I'm 0.1.0.x", don't
- fetch a new one if it was published in the last 2 hours.
- - How does this interact with the 'recognized hash' rule?
- . Downgrade new directory events from notice to info
- - Clients should estimate their skew as median of skew from directory
- connections over last N seconds.
- o Call dirport_is_reachable from somewhere else.
- o Networkstatus should list who's an authority.
- o Add nickname element to dirserver line. Log this along with IP:Port.
- o Warn when using non-default directory servers.
- o When giving up on a non-finished dir request, log how many bytes
- dropped, to see whether it's worthwhile to use partial info.
- - Security
- - Alices avoid duplicate class C nodes.
- - Analyze how bad the partitioning is or isn't.
- - Flags
- - Clients use Stable and Fast instead of uptime and bandwidth to
- pick which servers are stable/fast.
- - Make authorities rate-limit logging their complaints about given
- servers?
- N . Naming and validation:
- o Separate naming from validation in authdirs.
- o Authdirs need to be able to decline to validate based on
- IP range and key
- o Authdirs need to be able to decline to include baased on
- IP range and key.
- o Not all authdirs name.
- o Change naming rule: N->K iff any naming authdir says N->K,
- and none says N->K' or N'->K.
- o Clients choose names based on network-status options.
- o Names are remembered in client state (?)
- - Okay to have two valid servers with same nickname, but not
- two named servers with same nickname. Update logic.
- - packaging and ui stuff:
- . multiple sample torrc files
- - uninstallers
- . for os x
- . something, anything, for sys tray on Windows.
- . figure out how to make nt service stuff work?
- . Document it.
- . Add version number to directory.
- N - Vet all pending installer patches
- - Win32 installer plus privoxy, sockscap/freecap, etc.
- - Vet win32 systray helper code
- o openssl patch to check for degenerate keys in DH handshake
- o accepted and put into openssl
- Reach (deferrable) items for 0.1.1.x:
- - Start using create-fast cells as clients
- o Let more config options (e.g. ORPort) change dynamically.
- - start handling server descriptors without a socksport?
- o Add TTLs to DNS-related replies, and use them (when present) to adjust
- addressmap values.
- . Research memory use on Linux: what's happening?
- - Is it threading? (Maybe, maybe not)
- - Is it the buf_shrink bug? (Quite possibly)
- - Instrument the 0.1.1 code to figure out where our memory is going;
- apply the results. (all platforms?)
- - Make router_is_general_exit() a bit smarter once we're sure what it's for.
- For 0.1.1.x, if we can figure out how:
- - rewrite how libevent does select() on win32 so it's not so very slow.
- o enclaves (at least preliminary)
- - Write limiting; separate token bucket for write
- - Audit everything to make sure rend and intro points are just as likely to
- be us as not.
- - Do something to prevent spurious EXTEND cells from making middleman
- nodes connect all over. Rate-limit failed connections, perhaps?
- Future version:
- - Limit to 2 dir, 2 OR, N SOCKS connections per IP.
- - Handle full buffers without totally borking
- - Rate-limit OR and directory connections overall and per-IP and
- maybe per subnet.
- - Hold-open-until-flushed now works by accident; it should work by
- design.
- - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
- - Specify?
- - tor-resolve script should use socks5 to get better error messages.
- - make min uptime a function of the available choices (say, choose 60th
- percentile, not 1 day.)
- - config option to publish what ports you listen on, beyond ORPort/DirPort
- - hidserv offerers shouldn't need to define a SocksPort
- * figure out what breaks for this, and do it.
- - auth mechanisms to let hidden service midpoint and responder filter
- connection requests.
- - Relax clique assumptions.
- - tor should be able to have a pool of outgoing IP addresses
- that it is able to rotate through. (maybe)
- Blue-sky:
- - Patch privoxy and socks protocol to pass strings to the browser.
- - Standby/hotswap/redundant hidden services.
- - Robust decentralized storage for hidden service descriptors.
- - The "China problem"
- - Allow small cells and large cells on the same network?
- - Cell buffering and resending. This will allow us to handle broken
- circuits as long as the endpoints don't break, plus will allow
- connection (tls session key) rotation.
- - Implement Morphmix, so we can compare its behavior, complexity, etc.
- - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
- link crypto, unless we can bully openssl into it.
- - Conn key rotation.
- - Need a relay teardown cell, separate from one-way ends.
- (Pending a user who needs this)
- - Handle half-open connections: right now we don't support all TCP
- streams, at least according to the protocol. But we handle all that
- we've seen in the wild.
- (Pending a user who needs this)
|