Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d230827912
Branches Tags
tor
/
doc
/
spec
/
proposals
/
110-avoid-infinite-circuits.txt

110-avoid-infinite-circuits.txt 4.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120 
  1. Filename: 110-avoid-infinite-circuits.txt
    2. 

  2. Title: Avoiding infinite length circuits
    3. 

  3. Author: Roger Dingledine
    4. 

  4. Created: 13-Mar-2007
    5. 

  5. Status: Accepted
    6. 

  6. Target: 0.2.1.x
    7. 

  7. Implemented-In: 0.2.1.3-alpha
    8. 

  8. 

  9. History:
    10. 

  10. 

  11.   Revised 28 July 2008 by nickm: set K.
    12. 

  12.   Revised 3 July 2008 by nickm: rename from relay_extend to
    13. 

  13.      relay_early.  Revise to current migration plan.  Allow K cells
    14. 

  14.      over circuit lifetime, not just at start.
    15. 

  15. 

  16. Overview:
    17. 

  17. 

  18.   Right now, an attacker can add load to the Tor network by extending a
    19. 

  19.   circuit an arbitrary number of times. Every cell that goes down the
    20. 

  20.   circuit then adds N times that amount of load in overall bandwidth
    21. 

  21.   use. This vulnerability arises because servers don't know their position
    22. 

  22.   on the path, so they can't tell how many nodes there are before them
    23. 

  23.   on the path.
    24. 

  24. 

  25.   We propose a new set of relay cells that are distinguishable by
    26. 

  26.   intermediate hops as permitting extend cells. This approach will allow
    27. 

  27.   us to put an upper bound on circuit length relative to the number of
    28. 

  28.   colluding adversary nodes; but there are some downsides too.
    29. 

  29. 

  30. Motivation:
    31. 

  31. 

  32.   The above attack can be used to generally increase load all across the
    33. 

  33.   network, or it can be used to target specific servers: by building a
    34. 

  34.   circuit back and forth between two victim servers, even a low-bandwidth
    35. 

  35.   attacker can soak up all the bandwidth offered by the fastest Tor
    36. 

  36.   servers.
    37. 

  37. 

  38.   The general attacks could be used as a demonstration that Tor isn't
    39. 

  39.   perfect (leading to yet more media articles about "breaking" Tor), and
    40. 

  40.   the targetted attacks will come into play once we have a reputation
    41. 

  41.   system -- it will be trivial to DoS a server so it can't pass its
    42. 

  42.   reputation checks, in turn impacting security.
    43. 

  43. 

  44. Design:
    45. 

  45. 

  46.   We should split RELAY cells into two types: RELAY and RELAY_EARLY.
    47. 

  47. 

  48.   Only K (say, 10) Relay_early cells can be sent across a circuit, and
    49. 

  49.   only relay_early cells are allowed to contain extend requests. We
    50. 

  50.   still support obscuring the length of the circuit (if more research
    51. 

  51.   shows us what to do), because Alice can choose how many of the K to
    52. 

  52.   mark as relay_early. Note that relay_early cells *can* contain any
    53. 

  53.   sort of data cell; so in effect it's actually the relay type cells
    54. 

  54.   that are restricted. By default, she would just send the first K
    55. 

  55.   data cells over the stream as relay_early cells, regardless of their
    56. 

  56.   actual type.
    57. 

  57. 

  58.   (Note that a circuit that is out of relay_early cells MUST NOT be
    59. 

  59.   cannibalized later, since it can't extend.  Note also that it's always okay
    60. 

  60.   to use regular RELAY cells when sending non-EXTEND commands targetted at
    61. 

  61.   the first hop of a circuit, since there is no intermediate hop to try to
    62. 

  62.   learn the relay command type.)
    63. 

  63. 

  64.   Each intermediate server would pass on the same type of cell that it
    65. 

  65.   received (either relay or relay_early), and the cell's destination
    66. 

  66.   will be able to learn whether it's allowed to contain an Extend request.
    67. 

  67. 

  68.   If an intermediate server receives more than K relay_early cells, or
    69. 

  69.   if it sees a relay cell that contains an extend request, then it
    70. 

  70.   tears down the circuit (protocol violation).
    71. 

  71. 

  72. Security implications:
    73. 

  73. 

  74.   The upside is that this limits the bandwidth amplification factor to
    75. 

  75.   K: for an individual circuit to become arbitrary-length, the attacker
    76. 

  76.   would need an adversary-controlled node every K hops, and at that
    77. 

  77.   point the attack is no worse than if the attacker creates N/K separate
    78. 

  78.   K-hop circuits.
    79. 

  79. 

  80.   On the other hand, we want to pick a large enough value of K that we
    81. 

  81.   don't mind the cap.
    82. 

  82. 

  83.   If we ever want to take steps to hide the number of hops in the circuit
    84. 

  84.   or a node's position in the circuit, this design probably makes that
    85. 

  85.   more complex.
    86. 

  86. 

  87. Migration:
    88. 

  88. 

  89.   In 0.2.0, servers speaking v2 or later of the link protocol accept
    90. 

  90.   RELAY_EARLY cells, and pass them on.  If the next OR in the circuit
    91. 

  91.   is not speaking the v2 link protocol, the server relays the cell as
    92. 

  92.   a RELAY cell.
    93. 

  93. 

  94.   In 0.2.1.3-alpha, clients begin using RELAY_EARLY cells on v2
    95. 

  95.   connections.  This functionality can be safely backported to
    96. 

  96.   0.2.0.x.  Clients should pick a random number betweeen (say) K and
    97. 

  97.   K-2 to send.
    98. 

  98. 

  99.   In 0.2.1.3-alpha, servers close any circuit in which more than K
    100. 

  100.   relay_early cells are sent.
    101. 

  101. 

  102.   Once all versions the do not send RELAY_EARLY cells are obsolete,
    103. 

  103.   servers can begin to reject any EXTEND requests not sent in a
    104. 

  104.   RELAY_EARLY cell.
    105. 

  105. 

  106. Parameters:
    107. 

  107. 

  108.   Let K = 8, for no terribly good reason.
    109. 

  109. 

  110. Spec:
    111. 

  111. 

  112.   [We can formalize this part once we think the design is a good one.]
    113. 

  113. 

  114. Acknowledgements:
    115. 

  115. 

  116.   This design has been kicking around since Christian Grothoff and I came
    117. 

  117.   up with it at PET 2004. (Nathan Evans, Christian Grothoff's student,
    118. 

  118.   is working on implementing a fix based on this design in the summer
    119. 

  119.   2007 timeframe.)
    120. 

  120.