Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d5b2dab31d
Branches Tags
tor
/
doc
/
spec
/
proposals
/
133-unreachable-ors.txt

133-unreachable-ors.txt 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 
  1. Filename: 133-unreachable-ors.txt
    2. 

  2. Title: Incorporate Unreachable ORs into the Tor Network
    3. 

  3. Author: Robert Hogan
    4. 

  4. Created: 2008-03-08
    5. 

  5. Status: Draft
    6. 

  6. 

  7. Overview:
    8. 

  8. 

  9.   Propose a scheme for harnessing the bandwidth of ORs who cannot currently
    10. 

  10.   participate in the Tor network because they can only make outbound
    11. 

  11.   TCP connections.
    12. 

  12. 

  13. Motivation: 
    14. 

  14. 

  15.   Restrictive local and remote firewalls are preventing many willing
    16. 

  16.   candidates from becoming ORs on the Tor network.These
    17. 

  17.   ORs have a casual interest in joining the network but their operator is not
    18. 

  18.   sufficiently motivated or adept to complete the necessary router or firewall
    19. 

  19.   configuration. The Tor network is losing out on their bandwidth. At the
    20. 

  20.   moment we don't even know how many such 'candidate' ORs there are.
    21. 

  21. 

  22. 

  23. Objective:
    24. 

  24. 

  25.   1. Establish how many ORs are unable to qualify for publication because
    26. 

  26.      they cannot establish that their ORPort is reachable.
    27. 

  27. 

  28.   2. Devise a method for making such ORs available to clients for circuit
    29. 

  29.      building without prejudicing their anonymity.
    30. 

  30. 

  31. Proposal:
    32. 

  32. 

  33.   ORs whose ORPort reachability testing fails a specified number of
    34. 

  34.   consecutive times should:
    35. 

  35.   1. Enlist themselves with the authorities setting a 'Fallback' flag. This
    36. 

  36.       flag indicates that the OR is up and running but cannot connect to
    37. 

  37.       itself.
    38. 

  38.   2. Open an orconn with all ORs whose fingerprint begins with the same
    39. 

  39.       byte as their own. The management of this orconn will be transferred
    40. 

  40.       entirely to the OR at the other end.
    41. 

  41.   2. The fallback OR should update it's router status to contain the
    42. 

  42.       'Running' flag if it has managed to open an orconn with 3/4 of the ORs
    43. 

  43.       with an FP beginning with the same byte as its own.
    44. 

  44. 

  45.   Tor ORs who are contacted by fallback ORs requesting an orconn should:
    46. 

  46.    1. Accept the orconn until they have reached a defined limit of orconn
    47. 

  47.       connections with fallback ORs.
    48. 

  48.    2. Should only accept such orconn requests from listed fallback ORs who
    49. 

  49.       have an FP beginning with the same byte as its own.
    50. 

  50. 

  51.   Tor clients can include fallback ORs in the network by doing the
    52. 

  52.   following:
    53. 

  53.    1. When building a circuit, observe the fingerprint of each node they
    54. 

  54.       wish to connect to.
    55. 

  55.    2. When randomly selecting a node from the set of all eligible nodes,
    56. 

  56.       add all published, running fallback nodes to the set where the first
    57. 

  57.       byte of the fingerprint matches the previous node in the circuit.
    58. 

  58. 

  59. Anonymity Implications:
    60. 

  60. 

  61.   At least some, and possibly all, nodes on the network will have a set
    62. 

  62.   of nodes that only they and a few others can build circuits on.
    63. 

  63. 

  64.     1. This means that fallback ORs might be unsuitable for use as middlemen
    65. 

  65.        nodes, because if the exit node is the attacker it knows that the
    66. 

  66.        number of nodes that could be the entry guard in the circuit is
    67. 

  67.        reduced to roughly 1/256th of the network, or worse 1/256th of all
    68. 

  68.        nodes listed as Guards. For the same reason, fallback nodes would
    69. 

  69.        appear to be unsuitable for two-hop circuits.
    70. 

  70. 

  71.     2. This is not a problem if fallback ORs are always exit nodes. If
    72. 

  72.        the fallback OR is an attacker it will not be able to reduce the
    73. 

  73.        set of possible nodes for the entry guard any further than a normal,
    74. 

  74.        published OR.
    75. 

  75. 

  76. Possible Attacks/Open Issues:
    77. 

  77. 

  78.   1. Gaming Node Selection
    79. 

  79.     Does running a fallback OR customized for a specific set of published ORs
    80. 

  80.     improve an attacker's chances of seeing traffic from that set of published
    81. 

  81.     ORs? Would such a strategy be any more effective than running published
    82. 

  82.     ORs with other 'attractive' properties?
    83. 

  83. 

  84.   2. DOS Attack
    85. 

  85.     An attacker could prevent all other legitimate fallback ORs with a
    86. 

  86.     given byte-1 in their FP from functioning by running 20 or 30 fallback ORs
    87. 

  87.     and monopolizing all available fallback slots on the published ORs. 
    88. 

  88.     This same attacker would then be in a position to monopolize all the
    89. 

  89.     traffic of the fallback ORs on that byte-1 network segment. I'm not sure
    90. 

  90.     what this would allow such an attacker to do.
    91. 

  91. 

  92.   4. Circuit-Sniffing
    93. 

  93.     An observer watching exit traffic from a fallback server will know that the
    94. 

  94.     previous node in the circuit is one of a  very small, identifiable
    95. 

  95.     subset of the total ORs in the network. To establish the full path of the
    96. 

  96.     circuit they would only have to watch the exit traffic from the fallback
    97. 

  97.     OR and all the traffic from the 20 or 30 ORs it is likely to be connected
    98. 

  98.     to. This means it is substantially easier to establish all members of a
    99. 

  99.     circuit which has a fallback OR as an exit (sniff and analyse 10-50 (i.e.
    100. 

  100.     1/256 varying) + 1 ORs) rather than a normal published OR (sniff all 2560
    101. 

  101.     or so ORs on the network). The same mechanism that allows the client to
    102. 

  102.     expect a specific fallback OR to be available from a specific published OR
    103. 

  103.     allows an attacker to prepare his ground.
    104. 

  104. 

  105.     Mitigant:
    106. 

  106.     In terms of the resources and access required to monitor 2000 to 3000
    107. 

  107.     nodes, the effort of the adversary is not significantly diminished when he
    108. 

  108.     is only interested in 20 or 30. It is hard to see how an adversary who can
    109. 

  109.     obtain access to a randomly selected portion of the Tor network would face
    110. 

  110.     any new or qualitatively different obstacles in attempting to access much
    111. 

  111.     of the rest of it.
    112. 

  112. 

  113. 

  114. Implementation Issues:
    115. 

  115. 

  116.   The number of ORs this proposal would add to the Tor network is not known.
    117. 

  117.   This is because there is no mechanism at present for recording unsuccessful
    118. 

  118.   attempts to become an OR. If the proposal is considered promising it may be
    119. 

  119.   worthwhile to issue an alpha series release where candidate ORs post a
    120. 

  120.   primitive fallback descriptor to the authority directories. This fallback
    121. 

  121.   descriptor would not contain any other flag that would make it eligible for
    122. 

  122.   selection by clients. It would act solely as a means of sizing the number of
    123. 

  123.   Tor instances that try and fail to become ORs.
    124. 

  124. 

  125.   The upper limit on the number of orconns from fallback ORs a normal,
    126. 

  126.   published OR should be willing to accept is an open question. Is one
    127. 

  127.   hundred, mostly idle, such orconns too onerous?
    128. 

  128.