path-spec.txt 20 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437
  1. Tor Path Specification
  2. Roger Dingledine
  3. Nick Mathewson
  4. Note: This is an attempt to specify Tor as currently implemented. Future
  5. versions of Tor will implement improved algorithms.
  6. This document tries to cover how Tor chooses to build circuits and assign
  7. streams to circuits. Other implementations MAY take other approaches, but
  8. implementors should be aware of the anonymity and load-balancing implications
  9. of their choices.
  10. THIS SPEC ISN'T DONE YET.
  11. 1. General operation
  12. Tor begins building circuits as soon as it has enough directory
  13. information to do so (see section 5 of dir-spec.txt). Some circuits are
  14. built preemptively because we expect to need them later (for user
  15. traffic), and some are built because of immediate need (for user traffic
  16. that no current circuit can handle, for testing the network or our
  17. reachability, and so on).
  18. When a client application creates a new stream (by opening a SOCKS
  19. connection or launching a resolve request), we attach it to an appropriate
  20. open circuit if one exists, or wait if an appropriate circuit is
  21. in-progress. We launch a new circuit only
  22. if no current circuit can handle the request. We rotate circuits over
  23. time to avoid some profiling attacks.
  24. To build a circuit, we choose all the nodes we want to use, and then
  25. construct the circuit. Sometimes, when we want a circuit that ends at a
  26. given hop, and we have an appropriate unused circuit, we "cannibalize" the
  27. existing circuit and extend it to the new terminus.
  28. These processes are described in more detail below.
  29. This document describes Tor's automatic path selection logic only; path
  30. selection can be overridden by a controller (with the EXTENDCIRCUIT and
  31. ATTACHSTREAM commands). Paths constructed through these means may
  32. violate some constraints given below.
  33. 1.1. Terminology
  34. A "path" is an ordered sequence of nodes, not yet built as a circuit.
  35. A "clean" circuit is one that has not yet been used for any traffic.
  36. A "fast" or "stable" or "valid" node is one that has the 'Fast' or
  37. 'Stable' or 'Valid' flag
  38. set respectively, based on our current directory information. A "fast"
  39. or "stable" circuit is one consisting only of "fast" or "stable" nodes.
  40. In an "exit" circuit, the final node is chosen based on waiting stream
  41. requests if any, and in any case it avoids nodes with exit policy of
  42. "reject *:*". An "internal" circuit, on the other hand, is one where
  43. the final node is chosen just like a middle node (ignoring its exit
  44. policy).
  45. A "request" is a client-side stream or DNS resolve that needs to be
  46. served by a circuit.
  47. A "pending" circuit is one that we have started to build, but which has
  48. not yet completed.
  49. A circuit or path "supports" a request if it is okay to use the
  50. circuit/path to fulfill the request, according to the rules given below.
  51. A circuit or path "might support" a request if some aspect of the request
  52. is unknown (usually its target IP), but we believe the path probably
  53. supports the request according to the rules given below.
  54. 1.1. A server's bandwidth
  55. Old versions of Tor did not report bandwidths in network status
  56. documents, so clients had to learn them from the routers' advertised
  57. server descriptors.
  58. For versions of Tor prior to 0.2.1.17-rc, everywhere below where we
  59. refer to a server's "bandwidth", we mean its clipped advertised
  60. bandwidth, computed by taking the smaller of the 'rate' and
  61. 'observed' arguments to the "bandwidth" element in the server's
  62. descriptor. If a router's advertised bandwidth is greater than
  63. MAX_BELIEVABLE_BANDWIDTH (currently 10 MB/s), we clipped to that
  64. value.
  65. For more recent versions of Tor, we take the bandwidth value declared
  66. in the consensus, and fall back to the clipped advertised bandwidth
  67. only if the consensus does not have bandwidths listed.
  68. 2. Building circuits
  69. 2.1. When we build
  70. 2.1.1. Clients build circuits preemptively
  71. When running as a client, Tor tries to maintain at least a certain
  72. number of clean circuits, so that new streams can be handled
  73. quickly. To increase the likelihood of success, Tor tries to
  74. predict what circuits will be useful by choosing from among nodes
  75. that support the ports we have used in the recent past (by default
  76. one hour). Specifically, on startup Tor tries to maintain one clean
  77. fast exit circuit that allows connections to port 80, and at least
  78. two fast clean stable internal circuits in case we get a resolve
  79. request or hidden service request (at least three if we _run_ a
  80. hidden service).
  81. After that, Tor will adapt the circuits that it preemptively builds
  82. based on the requests it sees from the user: it tries to have two fast
  83. clean exit circuits available for every port seen within the past hour
  84. (each circuit can be adequate for many predicted ports -- it doesn't
  85. need two separate circuits for each port), and it tries to have the
  86. above internal circuits available if we've seen resolves or hidden
  87. service activity within the past hour. If there are 12 or more clean
  88. circuits open, it doesn't open more even if it has more predictions.
  89. Only stable circuits can "cover" a port that is listed in the
  90. LongLivedPorts config option. Similarly, hidden service requests
  91. to ports listed in LongLivedPorts make us create stable internal
  92. circuits.
  93. Note that if there are no requests from the user for an hour, Tor
  94. will predict no use and build no preemptive circuits.
  95. The Tor client SHOULD NOT store its list of predicted requests to a
  96. persistent medium.
  97. 2.1.2. Clients build circuits on demand
  98. Additionally, when a client request exists that no circuit (built or
  99. pending) might support, we create a new circuit to support the request.
  100. For exit connections, we pick an exit node that will handle the
  101. most pending requests (choosing arbitrarily among ties), launch a
  102. circuit to end there, and repeat until every unattached request
  103. might be supported by a pending or built circuit. For internal
  104. circuits, we pick an arbitrary acceptable path, repeating as needed.
  105. In some cases we can reuse an already established circuit if it's
  106. clean; see Section 2.3 (cannibalizing circuits) for details.
  107. 2.1.3. Servers build circuits for testing reachability and bandwidth
  108. Tor servers test reachability of their ORPort once they have
  109. successfully built a circuit (on start and whenever their IP address
  110. changes). They build an ordinary fast internal circuit with themselves
  111. as the last hop. As soon as any testing circuit succeeds, the Tor
  112. server decides it's reachable and is willing to publish a descriptor.
  113. We launch multiple testing circuits (one at a time), until we
  114. have NUM_PARALLEL_TESTING_CIRC (4) such circuits open. Then we
  115. do a "bandwidth test" by sending a certain number of relay drop
  116. cells down each circuit: BandwidthRate * 10 / CELL_NETWORK_SIZE
  117. total cells divided across the four circuits, but never more than
  118. CIRCWINDOW_START (1000) cells total. This exercises both outgoing and
  119. incoming bandwidth, and helps to jumpstart the observed bandwidth
  120. (see dir-spec.txt).
  121. Tor servers also test reachability of their DirPort once they have
  122. established a circuit, but they use an ordinary exit circuit for
  123. this purpose.
  124. 2.1.4. Hidden-service circuits
  125. See section 4 below.
  126. 2.1.5. Rate limiting of failed circuits
  127. If we fail to build a circuit N times in a X second period (see Section
  128. 2.3 for how this works), we stop building circuits until the X seconds
  129. have elapsed.
  130. XXXX
  131. 2.1.6. When to tear down circuits
  132. XXXX
  133. 2.2. Path selection and constraints
  134. We choose the path for each new circuit before we build it. We choose the
  135. exit node first, followed by the other nodes in the circuit. All paths
  136. we generate obey the following constraints:
  137. - We do not choose the same router twice for the same path.
  138. - We do not choose any router in the same family as another in the same
  139. path.
  140. - We do not choose more than one router in a given /16 subnet
  141. (unless EnforceDistinctSubnets is 0).
  142. - We don't choose any non-running or non-valid router unless we have
  143. been configured to do so. By default, we are configured to allow
  144. non-valid routers in "middle" and "rendezvous" positions.
  145. - If we're using Guard nodes, the first node must be a Guard (see 5
  146. below)
  147. - XXXX Choosing the length
  148. For circuits that do not need to be "fast", when choosing among
  149. multiple candidates for a path element, we choose randomly.
  150. For "fast" circuits, we pick a given router as an exit with probability
  151. proportional to its bandwidth.
  152. For non-exit positions on "fast" circuits, we pick routers as above, but
  153. we weight the bandwidth of Exit-flagged nodes depending
  154. on the fraction of bandwidth available from non-Exit nodes. Call the
  155. total bandwidth for Exit nodes under consideration E,
  156. and the total bandwidth for all nodes under
  157. consideration T. If E<T/3, we do not consider Exit-flagged nodes.
  158. Otherwise, we weight their bandwidth with the factor (E-T/3)/E. This
  159. ensures that bandwidth is evenly distributed over nodes in 3-hop paths.
  160. Similarly, guard nodes are weighted by the factor (G-T/3)/G, and not
  161. considered for non-guard positions if this value is less than 0.
  162. Additionally, we may be building circuits with one or more requests in
  163. mind. Each kind of request puts certain constraints on paths:
  164. - All service-side introduction circuits and all rendezvous paths
  165. should be Stable.
  166. - All connection requests for connections that we think will need to
  167. stay open a long time require Stable circuits. Currently, Tor decides
  168. this by examining the request's target port, and comparing it to a
  169. list of "long-lived" ports. (Default: 21, 22, 706, 1863, 5050,
  170. 5190, 5222, 5223, 6667, 6697, 8300.)
  171. - DNS resolves require an exit node whose exit policy is not equivalent
  172. to "reject *:*".
  173. - Reverse DNS resolves require a version of Tor with advertised eventdns
  174. support (available in Tor 0.1.2.1-alpha-dev and later).
  175. - All connection requests require an exit node whose exit policy
  176. supports their target address and port (if known), or which "might
  177. support it" (if the address isn't known). See 2.2.1.
  178. - Rules for Fast? XXXXX
  179. 2.2.1. Choosing an exit
  180. If we know what IP address we want to connect to or resolve, we can
  181. trivially tell whether a given router will support it by simulating
  182. its declared exit policy.
  183. Because we often connect to addresses of the form hostname:port, we do not
  184. always know the target IP address when we select an exit node. In these
  185. cases, we need to pick an exit node that "might support" connections to a
  186. given address port with an unknown address. An exit node "might support"
  187. such a connection if any clause that accepts any connections to that port
  188. precedes all clauses (if any) that reject all connections to that port.
  189. Unless requested to do so by the user, we never choose an exit server
  190. flagged as "BadExit" by more than half of the authorities who advertise
  191. themselves as listing bad exits.
  192. 2.2.2. User configuration
  193. Users can alter the default behavior for path selection with configuration
  194. options.
  195. - If "ExitNodes" is provided, then every request requires an exit node on
  196. the ExitNodes list. (If a request is supported by no nodes on that list,
  197. and StrictExitNodes is false, then Tor treats that request as if
  198. ExitNodes were not provided.)
  199. - "EntryNodes" and "StrictEntryNodes" behave analogously.
  200. - If a user tries to connect to or resolve a hostname of the form
  201. <target>.<servername>.exit, the request is rewritten to a request for
  202. <target>, and the request is only supported by the exit whose nickname
  203. or fingerprint is <servername>.
  204. 2.3. Cannibalizing circuits
  205. If we need a circuit and have a clean one already established, in
  206. some cases we can adapt the clean circuit for our new
  207. purpose. Specifically,
  208. For hidden service interactions, we can "cannibalize" a clean internal
  209. circuit if one is available, so we don't need to build those circuits
  210. from scratch on demand.
  211. We can also cannibalize clean circuits when the client asks to exit
  212. at a given node -- either via the ".exit" notation or because the
  213. destination is running at the same location as an exit node.
  214. 2.4. Handling failure
  215. If an attempt to extend a circuit fails (either because the first create
  216. failed or a subsequent extend failed) then the circuit is torn down and is
  217. no longer pending. (XXXX really?) Requests that might have been
  218. supported by the pending circuit thus become unsupported, and a new
  219. circuit needs to be constructed.
  220. If a stream "begin" attempt fails with an EXITPOLICY error, we
  221. decide that the exit node's exit policy is not correctly advertised,
  222. so we treat the exit node as if it were a non-exit until we retrieve
  223. a fresh descriptor for it.
  224. XXXX
  225. 3. Attaching streams to circuits
  226. When a circuit that might support a request is built, Tor tries to attach
  227. the request's stream to the circuit and sends a BEGIN, BEGIN_DIR,
  228. or RESOLVE relay
  229. cell as appropriate. If the request completes unsuccessfully, Tor
  230. considers the reason given in the CLOSE relay cell. [XXX yes, and?]
  231. After a request has remained unattached for SocksTimeout (2 minutes
  232. by default), Tor abandons the attempt and signals an error to the
  233. client as appropriate (e.g., by closing the SOCKS connection).
  234. XXX Timeouts and when Tor auto-retries.
  235. * What stream-end-reasons are appropriate for retrying.
  236. If no reply to BEGIN/RESOLVE, then the stream will timeout and fail.
  237. 4. Hidden-service related circuits
  238. XXX Tracking expected hidden service use (client-side and hidserv-side)
  239. 5. Guard nodes
  240. We use Guard nodes (also called "helper nodes" in the literature) to
  241. prevent certain profiling attacks. Here's the risk: if we choose entry and
  242. exit nodes at random, and an attacker controls C out of N servers
  243. (ignoring bandwidth), then the
  244. attacker will control the entry and exit node of any given circuit with
  245. probability (C/N)^2. But as we make many different circuits over time,
  246. then the probability that the attacker will see a sample of about (C/N)^2
  247. of our traffic goes to 1. Since statistical sampling works, the attacker
  248. can be sure of learning a profile of our behavior.
  249. If, on the other hand, we picked an entry node and held it fixed, we would
  250. have probability C/N of choosing a bad entry and being profiled, and
  251. probability (N-C)/N of choosing a good entry and not being profiled.
  252. When guard nodes are enabled, Tor maintains an ordered list of entry nodes
  253. as our chosen guards, and stores this list persistently to disk. If a Guard
  254. node becomes unusable, rather than replacing it, Tor adds new guards to the
  255. end of the list. When choosing the first hop of a circuit, Tor
  256. chooses at
  257. random from among the first NumEntryGuards (default 3) usable guards on the
  258. list. If there are not at least 2 usable guards on the list, Tor adds
  259. routers until there are, or until there are no more usable routers to add.
  260. A guard is unusable if any of the following hold:
  261. - it is not marked as a Guard by the networkstatuses,
  262. - it is not marked Valid (and the user hasn't set AllowInvalid entry)
  263. - it is not marked Running
  264. - Tor couldn't reach it the last time it tried to connect
  265. A guard is unusable for a particular circuit if any of the rules for path
  266. selection in 2.2 are not met. In particular, if the circuit is "fast"
  267. and the guard is not Fast, or if the circuit is "stable" and the guard is
  268. not Stable, or if the guard has already been chosen as the exit node in
  269. that circuit, Tor can't use it as a guard node for that circuit.
  270. If the guard is excluded because of its status in the networkstatuses for
  271. over 30 days, Tor removes it from the list entirely, preserving order.
  272. If Tor fails to connect to an otherwise usable guard, it retries
  273. periodically: every hour for six hours, every 4 hours for 3 days, every
  274. 18 hours for a week, and every 36 hours thereafter. Additionally, Tor
  275. retries unreachable guards the first time it adds a new guard to the list,
  276. since it is possible that the old guards were only marked as unreachable
  277. because the network was unreachable or down.
  278. Tor does not add a guard persistently to the list until the first time we
  279. have connected to it successfully.
  280. 6. Router descriptor purposes
  281. There are currently three "purposes" supported for router descriptors:
  282. general, controller, and bridge. Most descriptors are of type general
  283. -- these are the ones listed in the consensus, and the ones fetched
  284. and used in normal cases.
  285. Controller-purpose descriptors are those delivered by the controller
  286. and labelled as such: they will be kept around (and expire like
  287. normal descriptors), and they can be used by the controller in its
  288. CIRCUITEXTEND commands. Otherwise they are ignored by Tor when it
  289. chooses paths.
  290. Bridge-purpose descriptors are for routers that are used as bridges. See
  291. doc/design-paper/blocking.pdf for more design explanation, or proposal
  292. 125 for specific details. Currently bridge descriptors are used in place
  293. of normal entry guards, for Tor clients that have UseBridges enabled.
  294. X. Old notes
  295. X.1. Do we actually do this?
  296. How to deal with network down.
  297. - While all helpers are down/unreachable and there are no established
  298. or on-the-way testing circuits, launch a testing circuit. (Do this
  299. periodically in the same way we try to establish normal circuits
  300. when things are working normally.)
  301. (Testing circuits are a special type of circuit, that streams won't
  302. attach to by accident.)
  303. - When a testing circuit succeeds, mark all helpers up and hold
  304. the testing circuit open.
  305. - If a connection to a helper succeeds, close all testing circuits.
  306. Else mark that helper down and try another.
  307. - If the last helper is marked down and we already have a testing
  308. circuit established, then add the first hop of that testing circuit
  309. to the end of our helper node list, close that testing circuit,
  310. and go back to square one. (Actually, rather than closing the
  311. testing circuit, can we get away with converting it to a normal
  312. circuit and beginning to use it immediately?)
  313. [Do we actually do any of the above? If so, let's spec it. If not, let's
  314. remove it. -NM]
  315. X.2. A thing we could do to deal with reachability.
  316. And as a bonus, it leads to an answer to Nick's attack ("If I pick
  317. my helper nodes all on 18.0.0.0:*, then I move, you'll know where I
  318. bootstrapped") -- the answer is to pick your original three helper nodes
  319. without regard for reachability. Then the above algorithm will add some
  320. more that are reachable for you, and if you move somewhere, it's more
  321. likely (though not certain) that some of the originals will become useful.
  322. Is that smart or just complex?
  323. X.3. Some stuff that worries me about entry guards. 2006 Jun, Nickm.
  324. It is unlikely for two users to have the same set of entry guards.
  325. Observing a user is sufficient to learn its entry guards. So, as we move
  326. around, entry guards make us linkable. If we want to change guards when
  327. our location (IP? subnet?) changes, we have two bad options. We could
  328. - Drop the old guards. But if we go back to our old location,
  329. we'll not use our old guards. For a laptop that sometimes gets used
  330. from work and sometimes from home, this is pretty fatal.
  331. - Remember the old guards as associated with the old location, and use
  332. them again if we ever go back to the old location. This would be
  333. nasty, since it would force us to record where we've been.
  334. [Do we do any of this now? If not, this should move into 099-misc or
  335. 098-todo. -NM]