首页 发现 帮助
登录
piros
/
tor
3
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: c0c7868250
分支列表 标签列表
tor
/
doc
/
spec
/
proposals
/
163-detecting-clients.txt

163-detecting-clients.txt 4.1 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115 
  1. Filename: 163-detecting-clients.txt
    2. 

  2. Title: Detecting whether a connection comes from a client
    3. 

  3. Author: Nick Mathewson
    4. 

  4. Created: 22-May-2009
    5. 

  5. Target: 0.2.2
    6. 

  6. Status: Open
    7. 

  7. 

  8. 

  9. Overview:
    10. 

  10. 

  11.    Some aspects of Tor's design require relays to distinguish
    12. 

  12.    connections from clients from connections that come from relays.
    13. 

  13.    The existing means for doing this is easy to spoof.  We propose
    14. 

  14.    a better approach.
    15. 

  15. 

  16. Motivation:
    17. 

  17. 

  18.    There are at least two reasons for which Tor servers want to tell
    19. 

  19.    which connections come from clients and which come from other
    20. 

  20.    servers:
    21. 

  21. 

  22.      1) Some exits, proposal 152 notwithstanding, want to disallow
    23. 

  23.         their use as single-hop proxies.
    24. 

  24.      2) Some performance-related proposals involve prioritizing
    25. 

  25.         traffic from relays, or limiting traffic per client (but not
    26. 

  26.         per relay).
    27. 

  27. 

  28.    Right now, we detect client vs server status based on how the
    29. 

  29.    client opens circuits.  (Check out the code that implements the
    30. 

  30.    AllowSingleHopExits option if you want all the details.)  This
    31. 

  31.    method is depressingly easy to fake, though.  This document
    32. 

  32.    proposes better means.
    33. 

  33. 

  34. Goals:
    35. 

  35. 

  36.    To make grabbing relay privileges at least as difficult as just
    37. 

  37.    running a relay.
    38. 

  38. 

  39.    In the analysis below, "using server privileges" means taking any
    40. 

  40.    action that only servers are supposed to do, like delivering a
    41. 

  41.    BEGIN cell to an exit node that doesn't allow single hop exits,
    42. 

  42.    or claiming server-like amounts of bandwidth.
    43. 

  43. 

  44. Passive detection:
    45. 

  45. 

  46.    A connection is definitely a client connection if it takes one of
    47. 

  47.    the TLS methods during setup that does not establish an identity
    48. 

  48.    key.
    49. 

  49. 

  50.    A circuit is definitely a client circuit if it is initiated with
    51. 

  51.    a CREATE_FAST cell, though the node could be a client or a server.
    52. 

  52. 

  53.    A node that's listed in a recent consensus is probably a server.
    54. 

  54. 

  55.    A node to which we have successfully extended circuits from
    56. 

  56.    multiple origins is probably a server.
    57. 

  57. 

  58. Active detection:
    59. 

  59. 

  60.    If a node doesn't try to use server privileges at all, we never
    61. 

  61.    need to care whether it's a server.
    62. 

  62. 

  63.    When a node or circuit tries to use server privileges, if it is
    64. 

  64.    "definitely a client" as per above, we can refuse it immediately.
    65. 

  65. 

  66.    If it's "probably a server" as per above, we can accept it.
    67. 

  67. 

  68.    Otherwise, we have either a client, or a server that is neither
    69. 

  69.    listed in any consensus or used by any other clients -- in other
    70. 

  70.    words, a new or private server.
    71. 

  71. 

  72.    For these servers, we should attempt to build one or more test
    73. 

  73.    circuits through them.  If enough of the circuits succeed, the
    74. 

  74.    node is a real relay.  If not, it is probably a client.
    75. 

  75. 

  76.    While we are waiting for the test circuits to succeed, we should
    77. 

  77.    allow a short grace period in which server privileges are
    78. 

  78.    permitted.  When a test is done, we should remember its outcome
    79. 

  79.    for a while, so we don't need to do it again.
    80. 

  80. 

  81. Why it's hard to do good testing:
    82. 

  82. 

  83.    Doing a test circuit starting with an unlisted router requires
    84. 

  84.    only that we have an open connection for it.  Doing a test
    85. 

  85.    circuit starting elsewhere _through_ an unlisted router--though
    86. 

  86.    more reliable-- would require that we have a known address, port,
    87. 

  87.    identity key, and onion key for the router.  Only the address and
    88. 

  88.    identity key are easily available via the current Tor protocol in
    89. 

  89.    all cases.
    90. 

  90. 

  91.    We could fix this part by requiring that all servers support
    92. 

  92.    BEGIN_DIR and support downloading at least a current descriptor
    93. 

  93.    for themselves.
    94. 

  94. 

  95. Open questions:
    96. 

  96. 

  97.    What are the thresholds for the needed numbers of circuits
    98. 

  98.    for us to decide that a node is a relay?
    99. 

  99. 

  100.       [Suggested answer: two circuits from two distinct hosts.]
    101. 

  101. 

  102.    How do we pick grace periods?  How long do we remember the
    103. 

  103.    outcome of a test?
    104. 

  104. 

  105.       [Suggested answer: 10 minute grace period; 48 hour memory of
    106. 

  106.       test outcomes.]
    107. 

  107. 

  108.    If we can build circuits starting at a suspect node, but we don't
    109. 

  109.    have enough information to try extending circuits elsewhere
    110. 

  110.    through the node, should we conclude that the node is
    111. 

  111.    "server-like" or not?
    112. 

  112. 

  113.       [Suggested answer: for now, just try making circuits through
    114. 

  114.       the node.  Extend this to extending circuits as needed.]
    115. 

  115.