|  | @@ -0,0 +1,43 @@
 | 
	
		
			
				|  |  | +Filename: 149-using-netinfo-data.txt
 | 
	
		
			
				|  |  | +Title: Using data from NETINFO cells
 | 
	
		
			
				|  |  | +Version: $Revision$
 | 
	
		
			
				|  |  | +Last-Modified: $Date$
 | 
	
		
			
				|  |  | +Author: Nick Mathewson
 | 
	
		
			
				|  |  | +Created: 2-Jul-2008
 | 
	
		
			
				|  |  | +Status: Open
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +Overview
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +   Current Tor versions send signed IP and timestamp information in
 | 
	
		
			
				|  |  | +   NETINFO cells, but don't use them to their fullest.  This proposal
 | 
	
		
			
				|  |  | +   describes how they should start using this info in 0.2.1.x.
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +Motivation
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +   Our directory system relies on clients and routers having
 | 
	
		
			
				|  |  | +   reasonably accurate clocks to detect replayed directory info, and
 | 
	
		
			
				|  |  | +   to set accurate timestamps on directory info they publish
 | 
	
		
			
				|  |  | +   themselves.  NETINFO cells contain timestamps.
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +   Also, the directory system relies on routers having a reasonable
 | 
	
		
			
				|  |  | +   idea of their own IP addresses, so they can publish correct
 | 
	
		
			
				|  |  | +   descriptors.  This is also in NETINFO cells.
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +Learning the time and IP
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +   We need to think about attackers here.  Just because a router tells
 | 
	
		
			
				|  |  | +   us that we have a given IP or a given clock skew doesn't mean that
 | 
	
		
			
				|  |  | +   it's true.  We believe this information only if we've heard it from
 | 
	
		
			
				|  |  | +   a majority of the routers we've connected to recently, including at
 | 
	
		
			
				|  |  | +   least 3 routers.  Routers only believe this information if the
 | 
	
		
			
				|  |  | +   majority inclues at least one authority.
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +Avoiding MITM attacks
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +   Current Tors use the IP addresses published in the other router's
 | 
	
		
			
				|  |  | +   NETINFO cells to see whether the connection is "canonical".  Right
 | 
	
		
			
				|  |  | +   now, we prefer to extend circuits over "canonical" connections.  In
 | 
	
		
			
				|  |  | +   0.2.1.x, we should refuse to extend circuits over non-canonical
 | 
	
		
			
				|  |  | +   connections without first trying to build a canonical one.
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +
 |
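Review bot: In "Learning the time and IP", the acceptance rule is not specified tightly enough to implement: "connected to recently" has no time window, and nothing says how close two reported clock skews must be to count as the same value, so two implementations could reach different majorities from the same NETINFO cells. Please define both, and say what a client or router does once it believes the value, and what it does when no majority of at least 3 routers exists. In the same paragraph, "inclues" should be "includes". In "Avoiding MITM attacks", state what happens when the attempt to build a canonical connection fails: whether the extend is refused or falls back to the non-canonical connection.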