Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Commit notes from Friday mtg with arma.

svn:r676
Nick Mathewson 22 years ago
parent
b3497f989b
commit
866c449b8d
1 changed files with 46 additions and 20 deletions
Unified View Show Diff Stats
  1. 46 20
      doc/tor-design.tex

+ 46 - 20
doc/tor-design.tex
View File 

@@ -102,6 +102,8 @@ each successive hop in the circuit. Onion replay detection is no longer
 
 necessary, and the process of building circuits is more reliable, since
 
 necessary, and the process of building circuits is more reliable, since
 
 the initiator knows when a hop fails and can then try extending to a new node.
 
 the initiator knows when a hop fails and can then try extending to a new node.
 
 
 
+% Perhaps mention that not all of these are things that we invented. -NM
 
+
 
 \item \textbf{Separation of protocol cleaning from anonymity:}
 
 \item \textbf{Separation of protocol cleaning from anonymity:}
 
 The original Onion Routing design required a separate ``application
 
 The original Onion Routing design required a separate ``application
 
 proxy'' for each
 
 proxy'' for each
 
@@ -145,6 +147,9 @@ use is not practical or economical; and even full link padding is still
 
 vulnerable to active attacks \cite{defensive-dropping}.
 
 vulnerable to active attacks \cite{defensive-dropping}.
 
 %[An upcoming FC04 paper. I'll add a cite when it's out. -RD]
 
 %[An upcoming FC04 paper. I'll add a cite when it's out. -RD]
 
 
 
+%Say that: although some less resource-heavy traffic shaping approaches may 
+%help resist certain attacks, we aren't getting on the bandwagon yet?  -NM.
 
+
 
 \item \textbf{Leaky-pipe circuit topology:} Through in-band
 
 \item \textbf{Leaky-pipe circuit topology:} Through in-band
 
   signalling within the
 
   signalling within the
 
   circuit, Tor initiators can direct traffic to nodes partway down the
 
   circuit, Tor initiators can direct traffic to nodes partway down the
 
@@ -249,10 +254,12 @@ principal directions.  Some have attempted to maximize anonymity at
 
 the cost of introducing comparatively large and variable latencies,
 
 the cost of introducing comparatively large and variable latencies,
 
 for example, Babel\cite{babel}, Mixmaster\cite{mixmaster-spec}, and
 
 for example, Babel\cite{babel}, Mixmaster\cite{mixmaster-spec}, and
 
 Mixminion\cite{minion-design}.  Because of this
 
 Mixminion\cite{minion-design}.  Because of this
 
-decision, such \emph{high-latency} networks are well-suited for anonymous
 
+trade-off, such \emph{high-latency} networks are well-suited for anonymous
 
 email, but introduce too much lag for interactive tasks such as web browsing,
 
 email, but introduce too much lag for interactive tasks such as web browsing,
 
 internet chat, or SSH connections.
 
 internet chat, or SSH connections.
 
 
 
+% Parts of this graf belongs later in expository order.  Some of the
 
+% sentences seem superficially unrelated. 
 Tor belongs to the second category: \emph{low-latency} designs that
 
 Tor belongs to the second category: \emph{low-latency} designs that
 
 attempt to anonymize interactive network traffic.  Because such
 
 attempt to anonymize interactive network traffic.  Because such
 
 traffic tends to involve a relatively large numbers of packets, it is
 
 traffic tends to involve a relatively large numbers of packets, it is
 
@@ -272,8 +279,8 @@ been run for many years (the Java Anon Proxy, aka Web MIXes,
 
 \cite{web-mix}).
 
 \cite{web-mix}).
 
 
 
 Another low latency design that was proposed independently and at
 
 Another low latency design that was proposed independently and at
 
-about the same time as Onion Routing was PipeNet \cite{pipenet}.
 
-This provided anonymity protections that were stronger than Onion Routing's,
 
+about the same time as the original Onion Routing was PipeNet \cite{pipenet}.
 
+It provided anonymity protections that were stronger than Onion Routing's,
 
 but at the cost of allowing a single user to shut down the network simply
 
 but at the cost of allowing a single user to shut down the network simply
 
 by not sending. It was also never implemented or formally published.
 
 by not sending. It was also never implemented or formally published.
 
 
 
@@ -291,10 +298,11 @@ requires public-key cryptography, whereas relaying packets along a tunnel is
 
 comparatively inexpensive.  Because a tunnel crosses several servers, no
 
 comparatively inexpensive.  Because a tunnel crosses several servers, no
 
 single server can learn the user's communication partners.
 
 single server can learn the user's communication partners.
 
 
 
-Systems such as earlier versions of Freedom and Onion Routing
 
-build the anonymous channel all at once (using an onion). Later
 
-designs of Freedom and Onion Routing as described herein build
 
-the channel in stages as does AnonNet
 
+%[Ouch: We haven't said what an onion is yet, but we use the word here! -NM]
 
+Systems such as earlier versions of Freedom and the original Onion Routing
 
+build the anonymous channel all at once (using an onion). 
+Later designs of Freedom and Tor as described herein build
 
+the channel in stages, as does AnonNet
 
 \cite{anonnet}. Amongst other things, this makes perfect forward
 
 \cite{anonnet}. Amongst other things, this makes perfect forward
 
 secrecy feasible.
 
 secrecy feasible.
 
 
 
@@ -322,7 +330,7 @@ recipients.
 
 Distributed-trust anonymizing systems differ in how they prevent attackers
 
 Distributed-trust anonymizing systems differ in how they prevent attackers
 
 from controlling too many servers and thus compromising too many user paths.
 
 from controlling too many servers and thus compromising too many user paths.
 
 Some protocols rely on a centrally maintained set of well-known anonymizing
 
 Some protocols rely on a centrally maintained set of well-known anonymizing
 
-servers.  Current Tor design falls into this category.
 
+servers.  The current Tor design falls into this category.
 
 Others (such as Tarzan and MorphMix) allow unknown users to run
 
 Others (such as Tarzan and MorphMix) allow unknown users to run
 
 servers, while using a limited resource (DHT space for Tarzan; IP space for
 
 servers, while using a limited resource (DHT space for Tarzan; IP space for
 
 MorphMix) to prevent an attacker from owning too much of the network.
 
 MorphMix) to prevent an attacker from owning too much of the network.
 
@@ -371,7 +379,7 @@ cebolla\\
 
 
 
 
 
 \subsection{Goals}
 
 \subsection{Goals}
 
-% Are these really our goals? ;) -NM
 
+% Reformat this section like ``Adversary Model'' is formatted. -NM
 
 Like other low-latency anonymity designs, Tor seeks to frustrate
 
 Like other low-latency anonymity designs, Tor seeks to frustrate
 
 attackers from linking communication partners, or from linking
 
 attackers from linking communication partners, or from linking
 
 multiple communications to or from a single point.  Within this
 
 multiple communications to or from a single point.  Within this
 
@@ -392,7 +400,9 @@ Second, the system must be {\bf usable}.  A hard-to-use system has
 
 fewer users --- and because anonymity systems hide users among users, a
 
 fewer users --- and because anonymity systems hide users among users, a
 
 system with fewer users provides less anonymity.  Thus, usability is
 
 system with fewer users provides less anonymity.  Thus, usability is
 
 not only a convenience, but is a security requirement for anonymity
 
 not only a convenience, but is a security requirement for anonymity
 
-systems.
 
+systems.  In order to be usable, Tor should with most of a
 
+user's unmodified aplication; shouldn't introduce prohibitive delays; and 
+[XXX what else?].
 
 
 
 Third, the protocol must be {\bf extensible}, so that it can serve as
 
 Third, the protocol must be {\bf extensible}, so that it can serve as
 
 a test-bed for future research in low-latency anonymity systems.
 
 a test-bed for future research in low-latency anonymity systems.
 
@@ -401,29 +411,29 @@ a danger that differing choices of extensions will render users
 
 distinguishable.  Thus, implementations should not permit different
 
 distinguishable.  Thus, implementations should not permit different
 
 protocol extensions to coexist in a single deployed network.)
 
 protocol extensions to coexist in a single deployed network.)
 
 
 
+% We should mention that there's a specification someplace: the spec makes us 
+% easier to extend too. -NM
 
+
 
 The protocol's design and security parameters must be {\bf
 
 The protocol's design and security parameters must be {\bf
 
 conservative}.  Additional features impose implementation and
 
 conservative}.  Additional features impose implementation and
 
 complexity costs. [XXX Say that we don't want to try to come up with
 
 complexity costs. [XXX Say that we don't want to try to come up with
 
 speculative solutions to problems we don't KNOW how to solve? -NM]
 
 speculative solutions to problems we don't KNOW how to solve? -NM]
 
 
 
-[XXX mention something about robustness?  But we really aren't that
 
-  robust.  We just assume that tunneled protocols tolerate connection
 
-  loss. -NM]
 
-
 
 \subsection{Non-goals}
 
 \subsection{Non-goals}
 
 In favoring conservative, deployable designs, we have explicitly
 
 In favoring conservative, deployable designs, we have explicitly
 
 deferred a number of goals --- not because they are not desirable in
 
 deferred a number of goals --- not because they are not desirable in
 
-anonymity systems --- but because solving them is either solved
 
+anonymity systems --- but because they are either solved
 
 elsewhere, or an area of active research without a generally accepted
 
 elsewhere, or an area of active research without a generally accepted
 
 solution.
 
 solution.
 
 
 
 Unlike Tarzan or Morphmix, Tor does not attempt to scale to completely
 
 Unlike Tarzan or Morphmix, Tor does not attempt to scale to completely
 
 decentralized peer-to-peer environments with thousands of short-lived
 
 decentralized peer-to-peer environments with thousands of short-lived
 
-servers. 
+servers, many of which may be controlled by an adversary.
 
 
 
 Tor does not claim to provide a definitive solution to end-to-end
 
 Tor does not claim to provide a definitive solution to end-to-end
 
 timing or intersection attacks for users who do not run their own
 
 timing or intersection attacks for users who do not run their own
 
 Onion Routers.
 
 Onion Routers.
 
+% Mention would-be approaches. -NM
 
 % Does that mean we do claim to solve intersection attack for
 
 % Does that mean we do claim to solve intersection attack for
 
 % the enclave-firewall model? -RD
 
 % the enclave-firewall model? -RD
 
 
 
@@ -497,7 +507,7 @@ The basic adversary components we consider are:
 
 %  for later. -PS
 
 %  for later. -PS
 
 
 
   
   
-\item[Compromised Tor-node:] can arbitrarily manipulate the
 
+\item{Hostile Tor node:] can arbitrarily manipulate the
 
   connections under its control, as well as creating new connections
 
   connections under its control, as well as creating new connections
 
   (that pass through itself).
 
   (that pass through itself).
 
 \end{description}
 
 \end{description}
 
@@ -543,6 +553,7 @@ line refers to the immediately following SubSection.-PS]
 
 
 
 \SubSection{Known attacks against low-latency anonymity systems}
 
 \SubSection{Known attacks against low-latency anonymity systems}
 
 \label{subsec:known-attacks}
 
 \label{subsec:known-attacks}
 
+% Should be merged into ``Threat model'' and reiterated in Attacks. -NM
 
 
 
 We discuss each of these attacks in more detail below, along with the
 
 We discuss each of these attacks in more detail below, along with the
 
 aspects of the Tor design that provide defense. We provide a summary
 
 aspects of the Tor design that provide defense. We provide a summary
 
@@ -563,10 +574,13 @@ compromise entire path,
 
 selectively DOS servers,
 
 selectively DOS servers,
 
 introduce timing into messages,
 
 introduce timing into messages,
 
 directory attacks,
 
 directory attacks,
 
-tagging attacks
 
+tagging attacks,
 
+smear attacks,
 
+entrapment attacks
 
 
 
 
 
 \SubSection{Assumptions}
 
 \SubSection{Assumptions}
 
+% Should be merged into ``Threat model''.
 
 
 
 For purposes of this paper, we assume all directory servers are honest
 
 For purposes of this paper, we assume all directory servers are honest
 
 % No longer true, see subsec:dirservers below -RD
 
 % No longer true, see subsec:dirservers below -RD
 
@@ -763,11 +777,15 @@ addresses and ports the router will permit stream connections. On one end
 
 of the spectrum are \emph{open exit} nodes that will connect anywhere;
 
 of the spectrum are \emph{open exit} nodes that will connect anywhere;
 
 on the other end are \emph{middleman} nodes that only relay traffic to
 
 on the other end are \emph{middleman} nodes that only relay traffic to
 
 other Tor nodes, and \emph{private exit} nodes that only connect locally
 
 other Tor nodes, and \emph{private exit} nodes that only connect locally
 
-or to addresses internal to that node's organization. This private exit
 
+or to addresses internal to that node's organization. 
+This private exit
 
 node configuration is more secure for clients --- the adversary cannot
 
 node configuration is more secure for clients --- the adversary cannot
 
 see plaintext traffic leaving the network (e.g. to a webserver), so he
 
 see plaintext traffic leaving the network (e.g. to a webserver), so he
 
 is less sure of Alice's destination. More generally, nodes can require
 
 is less sure of Alice's destination. More generally, nodes can require
 
 a variety of forms of traffic authentication \cite{onion-discex00}.
 
 a variety of forms of traffic authentication \cite{onion-discex00}.
 
+Most onnion routers will function as \emph{limited exits} that permit
 
+connections to the world at large, but restrict access to certain abuse-prone
 
+addresses and services.
 
 
 
 Tor offers more reliability than the high-latency fire-and-forget
 
 Tor offers more reliability than the high-latency fire-and-forget
 
 anonymous email networks, because the sender opens a TCP stream
 
 anonymous email networks, because the sender opens a TCP stream
 
@@ -795,6 +813,7 @@ even occurs to people that it wasn't you.
 
 
 
 Preventing abuse of open exit nodes is an unsolved problem. Princeton's
 
 Preventing abuse of open exit nodes is an unsolved problem. Princeton's
 
 CoDeeN project \cite{darkside} gives us a glimpse of what we're in for.
 
 CoDeeN project \cite{darkside} gives us a glimpse of what we're in for.
 
+% This is more speculative than a description of our design. 
 
 
 but their solutions, which mainly involve rate limiting and blacklisting
 
 but their solutions, which mainly involve rate limiting and blacklisting
 
 nodes which do bad things, don't translate directly to Tor. Rate limiting
 
 nodes which do bad things, don't translate directly to Tor. Rate limiting
 
@@ -845,7 +864,7 @@ in-band network status updates: each router flooded a signed statement
 
 to its neighbors, which propagated it onward. But anonymizing networks
 
 to its neighbors, which propagated it onward. But anonymizing networks
 
 have different security goals than typical link-state routing protocols.
 
 have different security goals than typical link-state routing protocols.
 
 For example, we worry more about delays (accidental or intentional)
 
 For example, we worry more about delays (accidental or intentional)
 
-which cause different parts of the network to have different pictures
 
+that can cause different parts of the network to have different pictures
 
 of link-state and topology. We also worry about attacks to deceive a
 
 of link-state and topology. We also worry about attacks to deceive a
 
 client about the router membership list, topology, or current network
 
 client about the router membership list, topology, or current network
 
 state. Such \emph{partitioning attacks} on client knowledge help an
 
 state. Such \emph{partitioning attacks} on client knowledge help an
 
@@ -925,6 +944,7 @@ all the other onion routers (or even elsewhere). Thus directory servers
 
 are not a performance bottleneck when we have many users, and also they
 
 are not a performance bottleneck when we have many users, and also they
 
 won't aid traffic analysis by forcing clients to periodically announce
 
 won't aid traffic analysis by forcing clients to periodically announce
 
 their existence to any central point.
 
 their existence to any central point.
 
+% Mention Hydra as an example of non-clique topologies. -NM, from RD
 
 
 
 \Section{Rendezvous points: location privacy}
 
 \Section{Rendezvous points: location privacy}
 
 \label{sec:rendezvous}
 
 \label{sec:rendezvous}
 
@@ -1162,6 +1182,11 @@ it could give you a bad IP that sends you somewhere else.
 
 \item foo
 
 \item foo
 
 \end{itemize}
 
 \end{itemize}
 
 
 
+\item \textbf{Attacks against rendezvous points}
 
+\begin{itemize}
 
+\item foo
 
+\end{itemize}
 
+
 
 \end{enumerate}
 
 \end{enumerate}
 
 
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
@@ -1208,6 +1233,7 @@ gain experience in deploying an anonymizing overlay network, and learn
 
 from having actual users. We are now at the point where we can start
 
 from having actual users. We are now at the point where we can start
 
 deploying a wider network. We will see what happens!
 
 deploying a wider network. We will see what happens!
 
 % ok, so that's hokey. fix it. -RD
 
 % ok, so that's hokey. fix it. -RD
 
+\item \emph{Further specification review:} Foo.
 
 \end{itemize}
 
 \end{itemize}
 
 
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%