tor-spec.txt 37 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863
  1. $Id$
  2. Tor Protocol Specification
  3. Roger Dingledine
  4. Nick Mathewson
  5. Note: This is an attempt to specify Tor as it exists as implemented in
  6. mid-August, 2004. It is not recommended that others implement this
  7. design as it stands; future versions of Tor will implement improved
  8. protocols.
  9. This is not a design document; most design criteria are not examined. For
  10. more information on why Tor acts as it does, see tor-design.pdf.
  11. TODO: (very soon)
  12. - REASON_CONNECTFAILED should include an IP.
  13. - Copy prose from tor-design to make everything more readable.
  14. 0. Notation:
  15. PK -- a public key.
  16. SK -- a private key
  17. K -- a key for a symmetric cypher
  18. a|b -- concatenation of 'a' and 'b'.
  19. [A0 B1 C2] -- a three-byte sequence, containing the bytes with
  20. hexadecimal values A0, B1, and C2, in that order.
  21. All numeric values are encoded in network (big-endian) order.
  22. Unless otherwise specified, all symmetric ciphers are AES in counter
  23. mode, with an IV of all 0 bytes. Asymmetric ciphers are either RSA
  24. with 1024-bit keys and exponents of 65537, or DH with the safe prime
  25. from rfc2409, section 6.2, whose hex representation is:
  26. "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
  27. "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
  28. "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
  29. "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
  30. "49286651ECE65381FFFFFFFFFFFFFFFF"
  31. All "hashes" are 20-byte SHA1 cryptographic digests.
  32. When we refer to "the hash of a public key", we mean the SHA1 hash of the
  33. ASN.1 encoding of an RSA public key (as specified in PKCS.1).
  34. 1. System overview
  35. Onion Routing is a distributed overlay network designed to anonymize
  36. low-latency TCP-based applications such as web browsing, secure shell,
  37. and instant messaging. Clients choose a path through the network and
  38. build a ``circuit'', in which each node (or ``onion router'' or ``OR'')
  39. in the path knows its predecessor and successor, but no other nodes in
  40. the circuit. Traffic flowing down the circuit is sent in fixed-size
  41. ``cells'', which are unwrapped by a symmetric key at each node (like
  42. the layers of an onion) and relayed downstream.
  43. 2. Connections
  44. There are two ways to connect to an onion router (OR). The first is
  45. as an onion proxy (OP), which allows the OP to authenticate the OR
  46. without authenticating itself. The second is as another OR, which
  47. allows mutual authentication.
  48. Tor uses TLS for link encryption. All implementations MUST support
  49. the TLS ciphersuite "TLS_EDH_RSA_WITH_DES_192_CBC3_SHA", and SHOULD
  50. support "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" if it is available.
  51. Implementations MAY support other ciphersuites, but MUST NOT
  52. support any suite without ephemeral keys, symmetric keys of at
  53. least 128 bits, and digests of at least 160 bits.
  54. [what kind of cert does an OP send? -RD]
  55. An OR always sends a two-certificate chain, consisting of a self-signed
  56. certificate containing the OR's identity key, and a second certificate
  57. using a short-term connection key. The commonName of the second
  58. certificate is the OR's nickname, and the commonName of the first
  59. certificate is the OR's nickname, followed by a space and the string
  60. "<identity>".
  61. All parties receiving certificates must confirm that the identity key is
  62. as expected. (When initiating a connection, the expected identity key is
  63. the one given in the directory; when creating a connection because of an
  64. EXTEND cell, the expected identity key is the one given in the cell.) If
  65. the key is not as expected, the party must close the connection.
  66. Once a TLS connection is established, the two sides send cells
  67. (specified below) to one another. Cells are sent serially. All
  68. cells are 512 bytes long. Cells may be sent embedded in TLS
  69. records of any size or divided across TLS records, but the framing
  70. of TLS records MUST NOT leak information about the type or contents
  71. of the cells.
  72. OR-to-OR connections are never deliberately closed. When an OR
  73. starts or receives a new directory, it tries to open new
  74. connections to any OR it is not already connected to.
  75. [not true, unused OR conns close after 5 mins too -RD]
  76. OR-to-OP connections are not permanent. An OP should close a
  77. connection to an OR if there are no circuits running over the
  78. connection, and an amount of time (KeepalivePeriod, defaults to 5
  79. minutes) has passed.
  80. 3. Cell Packet format
  81. The basic unit of communication for onion routers and onion
  82. proxies is a fixed-width "cell". Each cell contains the following
  83. fields:
  84. CircID [2 bytes]
  85. Command [1 byte]
  86. Payload (padded with 0 bytes) [509 bytes]
  87. [Total size: 512 bytes]
  88. The CircID field determines which circuit, if any, the cell is
  89. associated with.
  90. The 'Command' field holds one of the following values:
  91. 0 -- PADDING (Padding) (See Sec 6.2)
  92. 1 -- CREATE (Create a circuit) (See Sec 4)
  93. 2 -- CREATED (Acknowledge create) (See Sec 4)
  94. 3 -- RELAY (End-to-end data) (See Sec 5)
  95. 4 -- DESTROY (Stop using a circuit) (See Sec 4)
  96. The interpretation of 'Payload' depends on the type of the cell.
  97. PADDING: Payload is unused.
  98. CREATE: Payload contains the handshake challenge.
  99. CREATED: Payload contains the handshake response.
  100. RELAY: Payload contains the relay header and relay body.
  101. DESTROY: Payload is unused.
  102. Upon receiving any other value for the command field, an OR must
  103. drop the cell.
  104. The payload is padded with 0 bytes.
  105. PADDING cells are currently used to implement connection keepalive.
  106. If there is no other traffic, ORs and OPs send one another a PADDING
  107. cell every few minutes.
  108. CREATE, CREATED, and DESTROY cells are used to manage circuits;
  109. see section 4 below.
  110. RELAY cells are used to send commands and data along a circuit; see
  111. section 5 below.
  112. 4. Circuit management
  113. 4.1. CREATE and CREATED cells
  114. Users set up circuits incrementally, one hop at a time. To create a
  115. new circuit, OPs send a CREATE cell to the first node, with the
  116. first half of the DH handshake; that node responds with a CREATED
  117. cell with the second half of the DH handshake plus the first 20 bytes
  118. of derivative key data (see section 4.2). To extend a circuit past
  119. the first hop, the OP sends an EXTEND relay cell (see section 5)
  120. which instructs the last node in the circuit to send a CREATE cell
  121. to extend the circuit.
  122. The payload for a CREATE cell is an 'onion skin', which consists
  123. of the first step of the DH handshake data (also known as g^x).
  124. The data is encrypted to Bob's PK as follows: Suppose Bob's PK is
  125. L octets long. If the data to be encrypted is shorter than L-42,
  126. then it is encrypted directly (with OAEP padding). If the data is at
  127. least as long as L-42, then a randomly generated 16-byte symmetric
  128. key is prepended to the data, after which the first L-16-42 bytes
  129. of the data are encrypted with Bob's PK; and the rest of the data is
  130. encrypted with the symmetric key.
  131. So in this case, the onion skin on the wire looks like:
  132. RSA-encrypted:
  133. OAEP padding [42 bytes]
  134. Symmetric key [16 bytes]
  135. First part of g^x [70 bytes]
  136. Symmetrically encrypted:
  137. Second part of g^x [58 bytes]
  138. The relay payload for an EXTEND relay cell consists of:
  139. Address [4 bytes]
  140. Port [2 bytes]
  141. Onion skin [186 bytes]
  142. Public key hash [20 bytes]
  143. The port and address field denote the IPV4 address and port of the next
  144. onion router in the circuit; the public key hash is the SHA1 hash of the
  145. PKCS#1 ASN1 encoding of the next onion router's identity (signing) key.
  146. [XXXX Before 0.0.8, EXTEND cells did not include the public key hash.
  147. Servers running 0.0.8 distinguish the old-style cells based on the
  148. length of payloads. (Servers running 0.0.7 blindly pass on the extend
  149. cell regardless of length.) In a future release, old-style EXTEND
  150. cells will not be supported.]
  151. The payload for a CREATED cell, or the relay payload for an
  152. EXTENDED cell, contains:
  153. DH data (g^y) [128 bytes]
  154. Derivative key data (KH) [20 bytes] <see 4.2 below>
  155. The CircID for a CREATE cell is an arbitrarily chosen 2-byte integer,
  156. selected by the node (OP or OR) that sends the CREATE cell. To prevent
  157. CircID collisions, when one OR sends a CREATE cell to another, it chooses
  158. from only one half of the possible values based on the ORs' public
  159. identity keys: if the sending OR has a lower key, it chooses a CircID with
  160. an MSB of 0; otherwise, it chooses a CircID with an MSB of 1.
  161. Public keys are compared numerically by modulus.
  162. (Older versions of Tor compared OR nicknames, and did it in a broken and
  163. unreliable way. To support versions of Tor earlier than 0.0.9pre6,
  164. implementations should notice when the other side of a connection is
  165. sending CREATE cells with the "wrong" MSG, and switch accordingly.)
  166. 4.2. Setting circuit keys
  167. Once the handshake between the OP and an OR is completed, both
  168. servers can now calculate g^xy with ordinary DH. From the base key
  169. material g^xy, they compute derivative key material as follows.
  170. First, the server represents g^xy as a big-endian unsigned integer.
  171. Next, the server computes 100 bytes of key data as K = SHA1(g^xy |
  172. [00]) | SHA1(g^xy | [01]) | ... SHA1(g^xy | [04]) where "00" is
  173. a single octet whose value is zero, [01] is a single octet whose
  174. value is one, etc. The first 20 bytes of K form KH, bytes 21-40 form
  175. the forward digest Df, 41-60 form the backward digest Db, 61-76 form
  176. Kf, and 77-92 form Kb.
  177. KH is used in the handshake response to demonstrate knowledge of the
  178. computed shared key. Df is used to seed the integrity-checking hash
  179. for the stream of data going from the OP to the OR, and Db seeds the
  180. integrity-checking hash for the data stream from the OR to the OP. Kf
  181. is used to encrypt the stream of data going from the OP to the OR, and
  182. Kb is used to encrypt the stream of data going from the OR to the OP.
  183. 4.3. Creating circuits
  184. When creating a circuit through the network, the circuit creator
  185. (OP) performs the following steps:
  186. 1. Choose an onion router as an exit node (R_N), such that the onion
  187. router's exit policy does not exclude all pending streams
  188. that need a circuit.
  189. 2. Choose a chain of (N-1) chain of N onion routers
  190. (R_1...R_N-1) to constitute the path, such that no router
  191. appears in the path twice.
  192. 3. If not already connected to the first router in the chain,
  193. open a new connection to that router.
  194. 4. Choose a circID not already in use on the connection with the
  195. first router in the chain; send a CREATE cell along the
  196. connection, to be received by the first onion router.
  197. 5. Wait until a CREATED cell is received; finish the handshake
  198. and extract the forward key Kf_1 and the backward key Kb_1.
  199. 6. For each subsequent onion router R (R_2 through R_N), extend
  200. the circuit to R.
  201. To extend the circuit by a single onion router R_M, the OP performs
  202. these steps:
  203. 1. Create an onion skin, encrypted to R_M's public key.
  204. 2. Send the onion skin in a relay EXTEND cell along
  205. the circuit (see section 5).
  206. 3. When a relay EXTENDED cell is received, verify KH, and
  207. calculate the shared keys. The circuit is now extended.
  208. When an onion router receives an EXTEND relay cell, it sends a CREATE
  209. cell to the next onion router, with the enclosed onion skin as its
  210. payload. The initiating onion router chooses some circID not yet
  211. used on the connection between the two onion routers. (But see
  212. section 4.1. above, concerning choosing circIDs based on
  213. lexicographic order of nicknames.)
  214. As an extension (called router twins), if the desired next onion
  215. router R in the circuit is down, and some other onion router R'
  216. has the same public keys as R, then it's ok to extend to R' rather than R.
  217. When an onion router receives a CREATE cell, if it already has a
  218. circuit on the given connection with the given circID, it drops the
  219. cell. Otherwise, after receiving the CREATE cell, it completes the
  220. DH handshake, and replies with a CREATED cell. Upon receiving a
  221. CREATED cell, an onion router packs it payload into an EXTENDED relay
  222. cell (see section 5), and sends that cell up the circuit. Upon
  223. receiving the EXTENDED relay cell, the OP can retrieve g^y.
  224. (As an optimization, OR implementations may delay processing onions
  225. until a break in traffic allows time to do so without harming
  226. network latency too greatly.)
  227. 4.4. Tearing down circuits
  228. Circuits are torn down when an unrecoverable error occurs along
  229. the circuit, or when all streams on a circuit are closed and the
  230. circuit's intended lifetime is over. Circuits may be torn down
  231. either completely or hop-by-hop.
  232. To tear down a circuit completely, an OR or OP sends a DESTROY
  233. cell to the adjacent nodes on that circuit, using the appropriate
  234. direction's circID.
  235. Upon receiving an outgoing DESTROY cell, an OR frees resources
  236. associated with the corresponding circuit. If it's not the end of
  237. the circuit, it sends a DESTROY cell for that circuit to the next OR
  238. in the circuit. If the node is the end of the circuit, then it tears
  239. down any associated edge connections (see section 5.1).
  240. After a DESTROY cell has been processed, an OR ignores all data or
  241. destroy cells for the corresponding circuit.
  242. (The rest of this section is not currently used; on errors, circuits
  243. are destroyed, not truncated.)
  244. To tear down part of a circuit, the OP may send a RELAY_TRUNCATE cell
  245. signaling a given OR (Stream ID zero). That OR sends a DESTROY
  246. cell to the next node in the circuit, and replies to the OP with a
  247. RELAY_TRUNCATED cell.
  248. When an unrecoverable error occurs along one connection in a
  249. circuit, the nodes on either side of the connection should, if they
  250. are able, act as follows: the node closer to the OP should send a
  251. RELAY_TRUNCATED cell towards the OP; the node farther from the OP
  252. should send a DESTROY cell down the circuit.
  253. 4.5. Routing relay cells
  254. When an OR receives a RELAY cell, it checks the cell's circID and
  255. determines whether it has a corresponding circuit along that
  256. connection. If not, the OR drops the RELAY cell.
  257. Otherwise, if the OR is not at the OP edge of the circuit (that is,
  258. either an 'exit node' or a non-edge node), it de/encrypts the payload
  259. with AES/CTR, as follows:
  260. 'Forward' relay cell (same direction as CREATE):
  261. Use Kf as key; decrypt.
  262. 'Back' relay cell (opposite direction from CREATE):
  263. Use Kb as key; encrypt.
  264. The OR then decides whether it recognizes the relay cell, by
  265. inspecting the payload as described in section 5.1 below. If the OR
  266. recognizes the cell, it processes the contents of the relay cell.
  267. Otherwise, it passes the decrypted relay cell along the circuit if
  268. the circuit continues. If the OR at the end of the circuit
  269. encounters an unrecognized relay cell, an error has occurred: the OR
  270. sends a DESTROY cell to tear down the circuit.
  271. When a relay cell arrives at an OP, the OP decrypts the payload
  272. with AES/CTR as follows:
  273. OP receives data cell:
  274. For I=N...1,
  275. Decrypt with Kb_I. If the payload is recognized (see
  276. section 5.1), then stop and process the payload.
  277. For more information, see section 5 below.
  278. 5. Application connections and stream management
  279. 5.1. Relay cells
  280. Within a circuit, the OP and the exit node use the contents of
  281. RELAY packets to tunnel end-to-end commands and TCP connections
  282. ("Streams") across circuits. End-to-end commands can be initiated
  283. by either edge; streams are initiated by the OP.
  284. The payload of each unencrypted RELAY cell consists of:
  285. Relay command [1 byte]
  286. 'Recognized' [2 bytes]
  287. StreamID [2 bytes]
  288. Digest [4 bytes]
  289. Length [2 bytes]
  290. Data [498 bytes]
  291. The relay commands are:
  292. 1 -- RELAY_BEGIN
  293. 2 -- RELAY_DATA
  294. 3 -- RELAY_END
  295. 4 -- RELAY_CONNECTED
  296. 5 -- RELAY_SENDME
  297. 6 -- RELAY_EXTEND
  298. 7 -- RELAY_EXTENDED
  299. 8 -- RELAY_TRUNCATE
  300. 9 -- RELAY_TRUNCATED
  301. 10 -- RELAY_DROP
  302. 11 -- RELAY_RESOLVE
  303. 12 -- RELAY_RESOLVED
  304. The 'Recognized' field in any unencrypted relay payload is always
  305. set to zero; the 'digest' field is computed as the first four bytes
  306. of the running SHA-1 digest of all the bytes that have travelled
  307. over this circuit, seeded from Df or Db respectively (obtained in
  308. section 4.2 above), and including this RELAY cell's entire payload
  309. (taken with the digest field set to zero).
  310. When the 'recognized' field of a RELAY cell is zero, and the digest
  311. is correct, the cell is considered "recognized" for the purposes of
  312. decryption (see section 4.5 above).
  313. All RELAY cells pertaining to the same tunneled stream have the
  314. same stream ID. StreamIDs are chosen randomly by the OP. RELAY
  315. cells that affect the entire circuit rather than a particular
  316. stream use a StreamID of zero.
  317. The 'Length' field of a relay cell contains the number of bytes in
  318. the relay payload which contain real payload data. The remainder of
  319. the payload is padded with NUL bytes.
  320. 5.2. Opening streams and transferring data
  321. To open a new anonymized TCP connection, the OP chooses an open
  322. circuit to an exit that may be able to connect to the destination
  323. address, selects an arbitrary StreamID not yet used on that circuit,
  324. and constructs a RELAY_BEGIN cell with a payload encoding the address
  325. and port of the destination host. The payload format is:
  326. ADDRESS | ':' | PORT | [00]
  327. where ADDRESS can be a DNS hostname, or an IPv4 address in
  328. dotted-quad format, or an IPv6 address surrounded by square brackets;
  329. and where PORT is encoded in decimal.
  330. [What is the [00] for? -NM]
  331. [It's so the payload is easy to parse out with string funcs -RD]
  332. Upon receiving this cell, the exit node resolves the address as
  333. necessary, and opens a new TCP connection to the target port. If the
  334. address cannot be resolved, or a connection can't be established, the
  335. exit node replies with a RELAY_END cell. (See 5.4 below.)
  336. Otherwise, the exit node replies with a RELAY_CONNECTED cell, whose
  337. payload is the 4-byte IPv4 address or the 16-byte IPv6 address to which
  338. the connection was made.
  339. The OP waits for a RELAY_CONNECTED cell before sending any data.
  340. Once a connection has been established, the OP and exit node
  341. package stream data in RELAY_DATA cells, and upon receiving such
  342. cells, echo their contents to the corresponding TCP stream.
  343. RELAY_DATA cells sent to unrecognized streams are dropped.
  344. Relay RELAY_DROP cells are long-range dummies; upon receiving such
  345. a cell, the OR or OP must drop it.
  346. 5.3. Closing streams
  347. When an anonymized TCP connection is closed, or an edge node
  348. encounters error on any stream, it sends a 'RELAY_END' cell along the
  349. circuit (if possible) and closes the TCP connection immediately. If
  350. an edge node receives a 'RELAY_END' cell for any stream, it closes
  351. the TCP connection completely, and sends nothing more along the
  352. circuit for that stream.
  353. The payload of a RELAY_END cell begins with a single 'reason' byte to
  354. describe why the stream is closing, plus optional data (depending on
  355. the reason.) The values are:
  356. 1 -- REASON_MISC (catch-all for unlisted reasons)
  357. 2 -- REASON_RESOLVEFAILED (couldn't look up hostname)
  358. 3 -- REASON_CONNECTFAILED (couldn't connect to host/port)
  359. 4 -- REASON_EXITPOLICY (OR refuses to connect to host or port)
  360. 5 -- REASON_DESTROY (circuit is being destroyed [???-NM])
  361. 6 -- REASON_DONE (anonymized TCP connection was closed)
  362. 7 -- REASON_TIMEOUT (OR timed out while connecting [???-NM])
  363. (With REASON_EXITPOLICY, the 4-byte IPv4 address or 16-byte IPv6 address
  364. forms the optional data; no other reason currently has extra data.)
  365. *** [The rest of this section describes unimplemented functionality.]
  366. Because TCP connections can be half-open, we follow an equivalent
  367. to TCP's FIN/FIN-ACK/ACK protocol to close streams.
  368. An exit connection can have a TCP stream in one of three states:
  369. 'OPEN', 'DONE_PACKAGING', and 'DONE_DELIVERING'. For the purposes
  370. of modeling transitions, we treat 'CLOSED' as a fourth state,
  371. although connections in this state are not, in fact, tracked by the
  372. onion router.
  373. A stream begins in the 'OPEN' state. Upon receiving a 'FIN' from
  374. the corresponding TCP connection, the edge node sends a 'RELAY_FIN'
  375. cell along the circuit and changes its state to 'DONE_PACKAGING'.
  376. Upon receiving a 'RELAY_FIN' cell, an edge node sends a 'FIN' to
  377. the corresponding TCP connection (e.g., by calling
  378. shutdown(SHUT_WR)) and changing its state to 'DONE_DELIVERING'.
  379. When a stream in already in 'DONE_DELIVERING' receives a 'FIN', it
  380. also sends a 'RELAY_FIN' along the circuit, and changes its state
  381. to 'CLOSED'. When a stream already in 'DONE_PACKAGING' receives a
  382. 'RELAY_FIN' cell, it sends a 'FIN' and changes its state to
  383. 'CLOSED'.
  384. If an edge node encounters an error on any stream, it sends a
  385. 'RELAY_END' cell (if possible) and closes the stream immediately.
  386. 5.4. Remote hostname lookup
  387. To find the address associated with a hostname, the OP sends a
  388. RELAY_RESOLVE cell containing the hostname to be resolved. The OR
  389. replies with a RELAY_RESOLVED cell containing a status byte, and any
  390. number of answers. Each answer is of the form:
  391. Type (1 octet)
  392. Length (1 octet)
  393. Value (variable-width)
  394. "Length" is the length of the Value field.
  395. "Type" is one of:
  396. 0x04 -- IPv4 address
  397. 0x06 -- IPv6 address
  398. 0xF0 -- Error, transient
  399. 0xF1 -- Error, nontransient
  400. If any answer has a type of 'Error', then no other answer may be given.
  401. The RELAY_RESOLVE cell must use a nonzero, distinct streamID; the
  402. corresponding RELAY_RESOLVED cell must use the same streamID. No stream
  403. is actually created by the OR when resolving the name.
  404. 6. Flow control
  405. 6.1. Link throttling
  406. Each node should do appropriate bandwidth throttling to keep its
  407. user happy.
  408. Communicants rely on TCP's default flow control to push back when they
  409. stop reading.
  410. 6.2. Link padding
  411. Currently nodes are not required to do any sort of link padding or
  412. dummy traffic. Because strong attacks exist even with link padding,
  413. and because link padding greatly increases the bandwidth requirements
  414. for running a node, we plan to leave out link padding until this
  415. tradeoff is better understood.
  416. 6.3. Circuit-level flow control
  417. To control a circuit's bandwidth usage, each OR keeps track of
  418. two 'windows', consisting of how many RELAY_DATA cells it is
  419. allowed to package for transmission, and how many RELAY_DATA cells
  420. it is willing to deliver to streams outside the network.
  421. Each 'window' value is initially set to 1000 data cells
  422. in each direction (cells that are not data cells do not affect
  423. the window). When an OR is willing to deliver more cells, it sends a
  424. RELAY_SENDME cell towards the OP, with Stream ID zero. When an OR
  425. receives a RELAY_SENDME cell with stream ID zero, it increments its
  426. packaging window.
  427. Each of these cells increments the corresponding window by 100.
  428. The OP behaves identically, except that it must track a packaging
  429. window and a delivery window for every OR in the circuit.
  430. An OR or OP sends cells to increment its delivery window when the
  431. corresponding window value falls under some threshold (900).
  432. If a packaging window reaches 0, the OR or OP stops reading from
  433. TCP connections for all streams on the corresponding circuit, and
  434. sends no more RELAY_DATA cells until receiving a RELAY_SENDME cell.
  435. [this stuff is badly worded; copy in the tor-design section -RD]
  436. 6.4. Stream-level flow control
  437. Edge nodes use RELAY_SENDME cells to implement end-to-end flow
  438. control for individual connections across circuits. Similarly to
  439. circuit-level flow control, edge nodes begin with a window of cells
  440. (500) per stream, and increment the window by a fixed value (50)
  441. upon receiving a RELAY_SENDME cell. Edge nodes initiate RELAY_SENDME
  442. cells when both a) the window is <= 450, and b) there are less than
  443. ten cell payloads remaining to be flushed at that edge.
  444. 7. Directories and routers
  445. 7.1. Extensible information format
  446. Router descriptors and directories both obey the following lightweight
  447. extensible information format.
  448. The highest level object is a Document, which consists of one or more Items.
  449. Every Item begins with a KeywordLine, followed by one or more Objects. A
  450. KeywordLine begins with a Keyword, optionally followed by a space and more
  451. non-newline characters, and ends with a newline. A Keyword is a sequence of
  452. one or more characters in the set [A-Za-z0-9-]. An Object is a block of
  453. encoded data in pseudo-Open-PGP-style armor. (cf. RFC 2440)
  454. More formally:
  455. Document ::= (Item | NL)+
  456. Item ::= KeywordLine Object*
  457. KeywordLine ::= Keyword NL | Keyword SP ArgumentsChar+ NL
  458. Keyword = KeywordChar+
  459. KeywordChar ::= 'A' ... 'Z' | 'a' ... 'z' | '0' ... '9' | '-'
  460. ArgumentChar ::= any printing ASCII character except NL.
  461. Object ::= BeginLine Base-64-encoded-data EndLine
  462. BeginLine ::= "-----BEGIN " Keyword "-----" NL
  463. EndLine ::= "-----END " Keyword "-----" NL
  464. The BeginLine and EndLine of an Object must use the same keyword.
  465. When interpreting a Document, software MUST reject any document containing a
  466. KeywordLine that starts with a keyword it doesn't recognize.
  467. The "opt" keyword is reserved for non-critical future extensions. All
  468. implementations MUST ignore any item of the form "opt keyword ....." when
  469. they would not recognize "keyword ....."; and MUST treat "opt keyword ....."
  470. as synonymous with "keyword ......" when keyword is recognized.
  471. 7.1. Router descriptor format.
  472. Every router descriptor MUST start with a "router" Item; MUST end with a
  473. "router-signature" Item and an extra NL; and MUST contain exactly one
  474. instance of each of the following Items: "published" "onion-key" "link-key"
  475. "signing-key" "bandwidth". Additionally, a router descriptor MAY contain any
  476. number of "accept", "reject", "fingerprint", "uptime", and "opt" Items.
  477. Other than "router" and "router-signature", the items may appear in any
  478. order.
  479. The items' formats are as follows:
  480. "router" nickname address (ORPort SocksPort DirPort)?
  481. Indicates the beginning of a router descriptor. "address" must be an
  482. IPv4 address in dotted-quad format. The Port values will soon be
  483. deprecated; using them here is equivalent to using them in a "ports"
  484. item.
  485. "ports" ORPort SocksPort DirPort
  486. Indicates the TCP ports at which this OR exposes functionality.
  487. ORPort is a port at which this OR accepts TLS connections for the main
  488. OR protocol; SocksPort is the port at which this OR accepts SOCKS
  489. connections; and DirPort is the port at which this OR accepts
  490. directory-related HTTP connections. If any port is not supported, the
  491. value 0 is given instead of a port number.
  492. "bandwidth" bandwidth-avg bandwidth-burst bandwidth-observed
  493. Estimated bandwidth for this router, in bytes per second. The
  494. "average" bandwidth is the volume per second that the OR is willing
  495. to sustain over long periods; the "burst" bandwidth is the volume
  496. that the OR is willing to sustain in very short intervals. The
  497. "observed" value is an estimate of the capacity this server can
  498. handle. The server remembers the max bandwidth sustained output
  499. over any ten second period in the past day, and another sustained
  500. input. The "observed" value is the lesser of these two numbers.
  501. [bandwidth-observed was not present before 0.0.8.]
  502. "platform" string
  503. A human-readable string describing the system on which this OR is
  504. running. This MAY include the operating system, and SHOULD include
  505. the name and version of the software implementing the Tor protocol.
  506. "published" YYYY-MM-DD HH:MM:SS
  507. The time, in GMT, when this descriptor was generated.
  508. "fingerprint"
  509. A fingerprint (20 byte SHA1 hash of asn1 encoded public key, encoded
  510. in hex, with spaces after every 4 characters) for this router's
  511. identity key.
  512. "uptime"
  513. The number of seconds that this OR process has been running.
  514. "onion-key" NL a public key in PEM format
  515. This key is used to encrypt EXTEND cells for this OR. The key MUST
  516. be accepted for at least XXXX hours after any new key is published in
  517. a subsequent descriptor.
  518. "signing-key" NL a public key in PEM format
  519. The OR's long-term identity key.
  520. "accept" exitpattern
  521. "reject" exitpattern
  522. These lines, in order, describe the rules that an OR follows when
  523. deciding whether to allow a new stream to a given address. The
  524. 'exitpattern' syntax is described below.
  525. "router-signature" NL Signature NL
  526. The "SIGNATURE" object contains a signature of the PKCS1-padded SHA1
  527. hash of the entire router descriptor, taken from the beginning of the
  528. "router" line, through the newline after the "router-signature" line.
  529. The router descriptor is invalid unless the signature is performed
  530. with the router's identity key.
  531. "dircacheport" port NL
  532. Same as declaring "port" as this OR's directory port in the 'router'
  533. line. At most one of dircacheport and the directory port in the router
  534. line may be non-zero.
  535. [Obsolete; will go away once 0.0.8 is dead. Older versions of Tor
  536. did poorly when non-authoritative directories had a non-zero directory
  537. port. To transition, Tor 0.0.8 used dircacheport for
  538. nonauthoritative directories.]
  539. "contact" info NL
  540. Describes a way to contact the server's administrator, preferably
  541. including an email address and a PGP key fingerprint.
  542. "family" names NL
  543. 'Names' is a space-separated list of server nicknames. If two ORs
  544. list one another in their "family" entries, then OPs should treat
  545. them as a single OR for the purpose of path selection.
  546. For example, if node A's descriptor contains "family B", and node B's
  547. descriptor contains "family A", then node A and node B should never
  548. be used on the same circuit.
  549. "read-history" YYYY-MM-DD HH:MM:SS (NSEC s) NUM,NUM,NUM,NUM,NUM... NL
  550. "write-history" YYYY-MM-DD HH:MM:SS (NSEC s) NUM,NUM,NUM,NUM,NUM... NL
  551. Declare how much bandwidth the OR has used recently. Usage is divided
  552. into intervals of NSEC seconds. The YYYY-MM-DD HH:MM:SS field defines
  553. the end of the most recent interval. The numbers are the number of
  554. bytes used in the most recent intervals, ordered from oldest to newest.
  555. nickname ::= between 1 and 19 alphanumeric characters, case-insensitive.
  556. exitpattern ::= addrspec ":" portspec
  557. portspec ::= "*" | port | port "-" port
  558. port ::= an integer between 1 and 65535, inclusive.
  559. addrspec ::= "*" | ip4spec | ip6spec
  560. ipv4spec ::= ip4 | ip4 "/" num_ip4_bits | ip4 "/" ip4mask
  561. ip4 ::= an IPv4 address in dotted-quad format
  562. ip4mask ::= an IPv4 mask in dotted-quad format
  563. num_ip4_bits ::= an integer between 0 and 32
  564. ip6spec ::= ip6 | ip6 "/" num_ip6_bits
  565. ip6 ::= an IPv6 address, surrounded by square brackets.
  566. num_ip6_bits ::= an integer between 0 and 128
  567. Ports are required; if they are not included in the router
  568. line, they must appear in the "ports" lines.
  569. 7.2. Directory format
  570. A Directory begins with a "signed-directory" item, followed by one each of
  571. the following, in any order: "recommended-software", "published",
  572. "router-status", "directory-signing-key". It may include any number of "opt"
  573. items. After these items, a directory includes any number of router
  574. descriptors, and a single "directory-signature" item.
  575. "signed-directory"
  576. Indicates the start of a directory.
  577. "published" YYYY-MM-DD HH:MM:SS
  578. The time at which this directory was generated and signed, in GMT.
  579. "directory-signing-key"
  580. The key used to sign this directory; see "signing-key" for format.
  581. "recommended-software" comma-separated-version-list
  582. A list of which versions of which implementations are currently
  583. believed to be secure and compatible with the network.
  584. "running-routers" space-separated-list
  585. A description of which routers are currently believed to be up or
  586. down. Every entry consists of an optional "!", followed by either an
  587. OR's nickname, or "$" followed by a hexadecimal encoding of the hash
  588. of an OR's identity key. If the "!" is included, the router is
  589. believed not to be running; otherwise, it is believed to be running.
  590. If a router's nickname is given, exactly one router of that nickname
  591. will appear in the directory, and that router is "approved" by the
  592. directory server. If a hashed identity key is given, that OR is not
  593. "approved". [XXXX The 'running-routers' line is only provided for
  594. backward compatibility. New code should parse 'router-status'
  595. instead.]
  596. "router-status" space-separated-list
  597. A description of which routers are currently believed to be up or
  598. down, and which are verified or unverified. Contains one entry for
  599. every router that the directory server knows. Each entry is of the
  600. format:
  601. !name=$digest [Verified router, currently not live.]
  602. name=$digest [Verified router, currently live.]
  603. !$digest [Unverified router, currently not live.]
  604. or $digest [Unverified router, currently live.]
  605. (where 'name' is the router's nickname and 'digest' is a hexadecimal
  606. encoding of the hash of the routers' identity key).
  607. When parsing this line, clients should only mark a router as
  608. 'verified' if its nickname AND digest match the one provided.
  609. [XXXX 'router-status' was added in 0.0.9pre5; older directory code
  610. uses 'running-routers' instead.]
  611. "directory-signature" nickname-of-dirserver NL Signature
  612. Note: The router descriptor for the directory server MUST appear first.
  613. The signature is computed by computing the SHA-1 hash of the
  614. directory, from the characters "signed-directory", through the newline
  615. after "directory-signature". This digest is then padded with PKCS.1,
  616. and signed with the directory server's signing key.
  617. If software encounters an unrecognized keyword in a single router descriptor,
  618. it should reject only that router descriptor, and continue using the
  619. others. If it encounters an unrecognized keyword in the directory header,
  620. it should reject the entire directory.
  621. 7.3. Network-status descriptor
  622. A "network-status" (a.k.a "running-routers") document is a truncated
  623. directory that contains only the current status of a list of nodes, not
  624. their actual descriptors. It contains exactly one of each of the following
  625. entries.
  626. "network-status"
  627. Must appear first.
  628. "published" YYYY-MM-DD HH:MM:SS
  629. (see 7.2 above)
  630. "router-status" list
  631. (see 7.2 above)
  632. "directory-signature" NL signature
  633. (see 7.2 above)
  634. 7.4. Behavior of a directory server
  635. lists nodes that are connected currently
  636. speaks HTTP on a socket, spits out directory on request
  637. Directory servers listen on a certain port (the DirPort), and speak a
  638. limited version of HTTP 1.0. Clients send either GET or POST commands.
  639. The basic interactions are:
  640. "%s %s HTTP/1.0\r\nContent-Length: %lu\r\nHost: %s\r\n\r\n",
  641. command, url, content-length, host.
  642. Get "/tor/" to fetch a full directory.
  643. Get "/tor/dir.z" to fetch a compressed full directory.
  644. Get "/tor/running-routers" to fetch a network-status descriptor.
  645. Post "/tor/" to post a server descriptor, with the body of the
  646. request containing the descriptor.
  647. "host" is used to specify the address:port of the dirserver, so
  648. the request can survive going through HTTP proxies.
  649. A.1. Differences between spec and implementation
  650. - The current specification requires all ORs to have IPv4 addresses, but
  651. allows servers to exit and resolve to IPv6 addresses, and to declare IPv6
  652. addresses in their exit policies. The current codebase has no IPv6
  653. support at all.