Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: c4d2a55a88
Branches Tags
tor
/
doc
/
spec
/
proposals
/
171-separate-streams.txt

171-separate-streams.txt 4.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. Filename: 171-separate-streams-by-port-or-host.txt
    2. 

  2. Title: Separate streams across circuits by destination port or destination host
    3. 

  3. Author: Robert Hogan, Jacob Appelbaum, Damon McCoy
    4. 

  4. Created: 21-Oct-2008
    5. 

  5. Modified: 30-Aug-2010
    6. 

  6. Status: Draft
    7. 

  7. 

  8. Motivation:
    9. 

  9. 

  10. Streams are currently attached to circuits without regard to their content,
    11. 

  11. destination host, or destination port. We propose three options,
    12. 

  12. IsolateBySOCKSUser, IsolateStreamsByPort and IsolateStreamsByHost to change the
    13. 

  13. default behavior.
    14. 

  14. 

  15. The contents of some streams will always have revealing plain text information;
    16. 

  16. these streams should be treated differently than other streams that may or may
    17. 

  17. not have unencrypted PII content. DNS, with the exception of DNSCurve, is
    18. 

  18. always unencrypted. It is reasonable to assume that other protocols may exist
    19. 

  19. that have a similar issue and may cause user concern. It is also the case that
    20. 

  20. we must balance network load issues and stream privacy. The Tor network will not
    21. 

  21. currently scale to one circuit per application connection nor should it anytime
    22. 

  22. soon.
    23. 

  23. 

  24. Circuits are currently created with a few constraints and are rotated within
    25. 

  25. a reasonable time window. This allows a rogue exit node to correlate all
    26. 

  26. streams on a given circuit.
    27. 

  27. 

  28. Design:
    29. 

  29. 

  30. We propose two options for isolation of streams that lessen the observability
    31. 

  31. and linkability of the Tor client's traffic.
    32. 

  32. 

  33. IsolateStreamsByPort will take a list of ports or optionally the keyword 'All'
    34. 

  34. in place of a port list. The use of the keyword 'All' will ensure that all
    35. 

  35. application connections attached to streams will be isolated to separate
    36. 

  36. circuits by port number.
    37. 

  37. 

  38. IsolateStreamsByHost will take a boolean value. When enabled, all application
    39. 

  39. connections, regardless of port number will be isolated with separate circuits
    40. 

  40. per host. If this option is enabled, we should ensure that the client has a
    41. 

  41. reasonable number of pre-built circuits to ensure perceived performance. This
    42. 

  42. should also intentionally limit the total number of circuits a client will
    43. 

  43. build to ten circuits to prevent abuse and load on the network. This is a
    44. 

  44. trade-off of performance for anonymity. Tor will issue a warning if a client
    45. 

  45. encounters this limit.
    46. 

  46. 

  47. IsolateBySOCKSUser will take a boolean value. When enabled, all application
    48. 

  48. connections, regardless of port number will be isolated with separate circuits
    49. 

  49. per SOCKS username. This options ensures that any two streams that were created
    50. 

  50. with different SOCKS usernames will be sent over different circuits.  The empty
    51. 

  51. username will be treated as its own username different from all other usernames.
    52. 

  52. 

  53. Security implications:
    54. 

  54. 

  55. It is believed that the proposed changes will improve the anonymity for end
    56. 

  56. user stream privacy.  The end user will no longer link all streams at a single
    57. 

  57. exit node during a given time window.
    58. 

  58. 

  59. There is a possible attack where a hostile web page possibly in collusion with
    60. 

  60. an exit node contains image links for images at (say) "evil.example.com:53" and
    61. 

  61. "evil.example.com:31337", and thereby (if they're lucky) correlate port-80
    62. 

  62. circuits with port-53 and port-31337 circuits.
    63. 

  63. 

  64. Specification:
    65. 

  65. 

  66. The Tor client circuit selection process is not entirely specified. Any client
    67. 

  67. circuit specification must take these changes into account.
    68. 

  68. 

  69. Compatibility:
    70. 

  70. 

  71. The proposed changes should not create any compatibility issues. New Tor clients
    72. 

  72. will be able to take advantage of this without any modification to the network.
    73. 

  73. 

  74. Implementation:
    75. 

  75. 

  76. It is further proposed that IsolateStreamsByPort will be enabled by default
    77. 

  77. for port 22, 53, and port 80.
    78. 

  78. 

  79. It is further proposed that IsolateStreamsByHost will be disabled by default.
    80. 

  80. 

  81. Implementation notes:
    82. 

  82. 

  83. The implementation of this option may want to consider cases where the same
    84. 

  84. exit node is shared by two or more circuits and IsolateStreamsByPort is in
    85. 

  85. force. Since the purpose of the option is to reduce the opportunity of Exit
    86. 

  86. Nodes to attack traffic from the same source on multiple ports, the
    87. 

  87. implementation may need to ensure that circuits reserved for the exclusive use
    88. 

  88. of given ports do not share the same exit node.
    89. 

  89. 

  90. Circuits should not be shared by unique clients. Tor should check to ensure
    91. 

  91. that peer IP addresses are identical when they connect to the SOCKS listener or
    92. 

  92. the TransPort listener before sharing a circuit. If the addresses are not
    93. 

  93. identical, Tor should ensure that the circuits are not shared.
    94. 

  94. 

  95. Performance and scalability notes:
    96. 

  96. 

  97. It is further proposed that IsolateStreamsByPort will be enabled by default for
    98. 

  98. all ports after a reasonable assessment is performed. Specifically, we should
    99. 

  99. determine the impact this option has on Tor clients and the Tor network.
    100.