Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Súbory Issues 0 Pull requesty 0 Wiki
Strom: 01cd23ef62
Branche Tagy
tor-parallel...
/
doc
/
dir-spec.txt

dir-spec.txt 13 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260 
  1. $Id$
    2. 

  2. 

  3.                       Tor network discovery protocol
    4. 

  4. 

  5. 0. Scope
    6. 

  6. 

  7. This document proposes a way of doing more distributed network discovery
    8. 

  8. while maintaining some amount of admission control. We don't recommend
    9. 

  9. you implement this as-is; it needs more discussion.
    10. 

  10. 

  11. Terminology:
    12. 

  12.   - Client: The Tor component that chooses paths.
    13. 

  13.   - Server: A relay node that passes traffic along.
    14. 

  14. 

  15. 1. Goals.
    16. 

  16. 

  17. We want more decentralized discovery for network topology and status.
    18. 

  18. In particular:
    19. 

  19. 

  20. 1a. We want to let clients learn about new servers from anywhere
    21. 

  21.     and build circuits through them if they wish. This means that
    22. 

  22.     Tor nodes need to be able to Extend to nodes they don't already
    23. 

  23.     know about.
    24. 

  24. 

  25. 1b. We want to let servers limit the addresses and ports they're
    26. 

  26.     willing to extend to. This is necessary e.g. for middleman nodes
    27. 

  27.     who have jerks trying to extend from them to badmafia.com:80 all
    28. 

  28.     day long and it's drawing attention.
    29. 

  29. 

  30. 1b'. While we're at it, we also want to handle servers that *can't*
    31. 

  31.     extend to some addresses/ports, e.g. because they're behind NAT or
    32. 

  32.     otherwise firewalled. (See section 5 below.)
    33. 

  33. 

  34. 1c. We want to provide a robust (available) and not-too-centralized
    35. 

  35.     mechanism for tracking network status (which nodes are up and working)
    36. 

  36.     and admission (which nodes are "recommended" for certain uses).
    37. 

  37. 

  38. 2. Assumptions.
    39. 

  39. 

  40. 2a. People get the code from us, and they trust us (or our gpg keys, or
    41. 

  41.     something down the trust chain that's equivalent).
    42. 

  42. 

  43. 2b. Even if the software allows humans to change the client configuration,
    44. 

  44.     most of them will use the default that's provided. so we should
    45. 

  45.     provide one that is the right balance of robust and safe. That is,
    46. 

  46.     we need to hard-code enough "first introduction" locations that new
    47. 

  47.     clients will always have an available way to get connected.
    48. 

  48. 

  49. 2c. Assume that the current "ask them to email us and see if it seems
    50. 

  50.     suspiciously related to previous emails" approach will not catch
    51. 

  51.     the strong Sybil attackers. Therefore, assume the Sybil attackers
    52. 

  52.     we do want to defend against can produce only a limited number of
    53. 

  53.     not-obviously-on-the-same-subnet nodes.
    54. 

  54. 

  55. 2d. Roger has only a limited amount of time for approving nodes; shouldn't
    56. 

  56.     be the time bottleneck anyway; and is doing a poor job at keeping
    57. 

  57.     out some adversaries.
    58. 

  58. 

  59. 2e. Some people would be willing to offer servers but will be put off
    60. 

  60.     by the need to send us mail and identify themselves.
    61. 

  61. 2e'. Some evil people will avoid doing evil things based on the perception
    62. 

  62.     (however true or false) that there are humans monitoring the network
    63. 

  63.     and discouraging evil behavior.
    64. 

  64. 2e''. Some people will trust the network, and the code, more if they
    65. 

  65.     have the perception that there are trustworthy humans guiding the
    66. 

  66.     deployed network.
    67. 

  67. 

  68. 2f. We can trust servers to accurately report their characteristics
    69. 

  69.     (uptime, capacity, exit policies, etc), as long as we have some
    70. 

  70.     mechanism for notifying clients when we notice that they're lying.
    71. 

  71. 

  72. 2g. There exists a "main" core Internet in which most locations can access
    73. 

  73.     most locations. We'll focus on it (first).
    74. 

  74. 

  75. 3. Some notes on how to achieve.
    76. 

  76. 

  77. Piece one: (required)
    78. 

  78. 

  79.   We ship with N (e.g. 20) directory server locations and fingerprints.
    80. 

  80. 

  81.   Directory servers serve signed network-status pages, listing their
    82. 

  82.   opinions of network status and which routers are good (see 4a below).
    83. 

  83. 

  84.   Dirservers collect and provide server descriptors as well. These don't
    85. 

  85.   need to be signed by the dirservers, since they're self-certifying
    86. 

  86.   and timestamped.
    87. 

  87. 

  88.   (In theory the dirservers don't need to be the ones serving the
    89. 

  89.   descriptors, but in practice the dirservers would need to point people
    90. 

  90.   at the place that does, so for simplicity let's assume that they do.)
    91. 

  91. 

  92.   Clients then get network-status pages from a threshold of dirservers,
    93. 

  93.   fetch enough of the corresponding server descriptors to make them happy,
    94. 

  94.   and proceed as now.
    95. 

  95. 

  96. Piece two: (optional)
    97. 

  97. 

  98.   We ship with S (e.g. 3) seed keys (trust anchors), and ship with
    99. 

  99.   signed timestamped certs for each dirserver. Dirservers also serve a
    100. 

  100.   list of certs, maybe including a "publish all certs since time foo"
    101. 

  101.   functionality. If at least two seeds agree about something, then it
    102. 

  102.   is so.
    103. 

  103. 

  104.   Now dirservers can be added, and revoked, without requiring users to
    105. 

  105.   upgrade to a new version. If we only ship with dirserver locations
    106. 

  106.   and not fingerprints, it also means that dirservers can rotate their
    107. 

  107.   signing keys transparently.
    108. 

  108. 

  109.   But, keeping track of the seed keys becomes a critical security issue.
    110. 

  110.   And rotating them in a backward-compatible way adds complexity. Also,
    111. 

  111.   dirserver locations must be at least somewhere static, since each lost
    112. 

  112.   dirserver degrades reachability for old clients. So as the dirserver
    113. 

  113.   list rolls over we have no choice but to put out new versions.
    114. 

  114. 

  115. 

  116. Piece three: (optional)
    117. 

  117. 

  118.   Notice that this doesn't preclude other approaches to discovering
    119. 

  119.   different concurrent Tor networks. For example, a Tor network inside
    120. 

  120.   China could ship Tor with a different torrc and poof, they're using
    121. 

  121.   a different set of dirservers. Some smarter clients could be made to
    122. 

  122.   learn about both networks, and be told which nodes bridge the networks.
    123. 

  123.   ...
    124. 

  124. 

  125. 4. Unresolved issues.
    126. 

  126. 

  127. 4a. How do the dirservers decide whether to recommend a server? We
    128. 

  128.     could have them do it based on contact from the human, but by
    129. 

  129.     assumptions 2c and 2d above, that's going to be less effective, and
    130. 

  130.     more of a hassle, as we scale up. Thus I propose that they simply
    131. 

  131.     do some basic automatic measuring themselves, starting with the
    132. 

  132.     current "are they connected to me" measurement, and that's all
    133. 

  133.     that is done.
    134. 

  134. 

  135.     We could blacklist as we notice evil servers, but then we're in
    136. 

  136.     the same boat all the irc networks are in. We could whitelist as we
    137. 

  137.     notice new servers, and stop whitelisting (maybe rolling back a bit)
    138. 

  138.     once an attack is in progress. If we assume humans aren't particularly
    139. 

  139.     good at this anyway, we could just do automated delayed whitelisting,
    140. 

  140.     and have a "you're under attack" switch the human can enable for a
    141. 

  141.     while to start acting more conservatively.
    142. 

  142. 

  143.     Once upon a time we collected contact info for servers, which was
    144. 

  144.     mainly used to remind people that their servers are down and could
    145. 

  145.     they please restart. Now that we have a critical mass of servers,
    146. 

  146.     I've stopped doing that reminding. So contact info is less important.
    147. 

  147. 

  148. 4b. What do we do about recommended-versions? Do we need a threshold of
    149. 

  149.     dirservers to claim that your version is obsolete before you believe
    150. 

  150.     them? Or do we make it have less effect -- e.g. print a warning but
    151. 

  151.     never actually quit? Coordinating all the humans to upgrade their
    152. 

  152.     recommended-version strings at once seems bad. Maybe if we have
    153. 

  153.     seeds, the seeds can sign a recommended-version and upload it to
    154. 

  154.     the dirservers.
    155. 

  155. 

  156. 4c. What does it mean to bind a nickname to a key? What if each dirserver
    157. 

  157.     does it differently, so one nickname corresponds to several keys?
    158. 

  158.     Maybe the solution is that nickname<=>key bindings should be
    159. 

  159.     individually configured by clients in their torrc (if they want to
    160. 

  160.     refer to nicknames in their torrc), and we stop thinking of nicknames
    161. 

  161.     as globally unique.
    162. 

  162. 

  163. 4d. What new features need to be added to server descriptors so they
    164. 

  164.     remain compact yet support new functionality? Section 5 is a start
    165. 

  165.     of discussion of one answer to this.
    166. 

  166. 

  167. 

  168. 

  169. 5. Regarding "Blossom: an unstructured overlay network for end-to-end
    170. 

  170. connectivity."
    171. 

  171. 

  172. In this section we address possible solutions to the problem of how to allow
    173. 

  173. Tor routers in different transport domains to communicate.
    174. 

  174. 

  175. [Can we have a one-sentence definition of transport domain here? If there
    176. 

  176. are 5 servers on the Internet as we know it and suddenly one link between
    177. 

  177. a pair of them catches fire, how many transport domains are involved now?
    178. 

  178. What if one link is down permanently but the rest work? Is "in the same
    179. 

  179. transport domain as" a symmetric property?]
    180. 

  180. 

  181. First, we presume that for every interface between transport domains A and B,
    182. 

  182. one Tor router T_A exists in transport domain A, one Tor router T_B exists in
    183. 

  183. transport domain B, and (without loss of generality) T_A can open a persistent
    184. 

  184. connection to T_B.  Any Tor traffic between the two routers will occur over
    185. 

  185. this connection, which effectively renders the routers equal partners in
    186. 

  186. bridging between the two transport domains.  We refer to the established link
    187. 

  187. between two transport domains as a "bridge" (we use this term because there is
    188. 

  188. no serious possibility of confusion with the notion of a layer 2 bridge).
    189. 

  189. 

  190. Next, suppose that the universe consists of transport domains connected by
    191. 

  191. persistent connections in this manner.  An individual router can open multiple
    192. 

  192. connections to routers within the same foreign transport domain, and it can
    193. 

  193. establish separate connections to routers within multiple foreign transport
    194. 

  194. domains.
    195. 

  195. 

  196. As in regular Tor, each Blossom router pushes its descriptor to directory
    197. 

  197. servers.  These directory servers can be within the same transport domain, but
    198. 

  198. they need not be.  The trick is that if a directory server is in another
    199. 

  199. transport domain, then that directory server must know through which Tor
    200. 

  200. routers to send messages destined for the Tor router in question.
    201. 

  201. [We are assuming that routers in the non-primary transport domain (the
    202. 

  202. primary one being the one with dirservers) know how to get to the primary
    203. 

  203. transport domain, either through Tor or other voodoo, to publish to the
    204. 

  204. hard-coded dirservers.]
    205. 

  205. Descriptors
    206. 

  206. for Blossom routers held by the directory server must contain a special field
    207. 

  207. for specifying a path through the overlay (i.e. an ordered list of router
    208. 

  208. names/IDs) to a router in a foreign transport domain.  (This field may be a set
    209. 

  209. of paths rather than a single path.)  A new router publishing to a directory
    210. 

  210. server in a foreign transport should include a list of routers.  This list
    211. 

  211. should be either:
    212. 

  212. 

  213. a. ...a list of routers to which the router has persistent connections, or, if
    214. 

  214. the new router does not have any persistent connections,
    215. 

  215. 

  216. b. ...a (not necessarily exhaustive) list of fellow routers that are in the
    217. 

  217. same transport domain.
    218. 

  218. 

  219. The directory server will be able to use this information to derive a path to
    220. 

  220. the new router, as follows.  If the new router used approach (a), then the
    221. 

  221. directory server will define the same path(s) in the descriptors for the
    222. 

  222. router(s) specified in the list, with the corresponding specified router
    223. 

  223. appended to each path.  If the new router used approach (b), then the directory
    224. 

  224. server will define the same path(s) in the descriptors for the routers
    225. 

  225. specified in the list.  The directory server will then insert the newly defined
    226. 

  226. path into the descriptor from the router.
    227. 

  227. [Dirservers can't modify server descriptors; they're self-certifying. -RD]
    228. 

  228. 

  229. If all directory servers are within the same transport domain, then the problem
    230. 

  230. is solved: routers can exist within multiple transport domains, and as long as
    231. 

  231. the network of transport domains is fully connected by bridges, any router will
    232. 

  232. be able to access any other router in a foreign transport domain simply by
    233. 

  233. extending along the path specified by the directory server.  However, we want
    234. 

  234. the system to be truly decentralized, which means not electing any particular
    235. 

  235. transport domain to be the master domain in which entries are published.
    236. 

  236. 

  237. Generally speaking, directory servers share information with each other about
    238. 

  238. routers.  In order for a directory server to share information with a directory
    239. 

  239. server in a foreign transport domain to which it cannot speak directly, it must
    240. 

  240. use Tor, which means referring to the other directory server by using a router
    241. 

  241. in the foreign transport domain.  However, in order to use Tor, it must be able
    242. 

  242. to reach that router, which means that a descriptor for that router must exist
    243. 

  243. in its table, along with a means of reaching it.  Therefore, in order for a
    244. 

  244. mutual exchange of information between routers in transport domain A and those
    245. 

  245. in transport domain B to be possible, when routers in transport domain A cannot
    246. 

  246. establish direct connections with routers in transport domain B, then some
    247. 

  247. router in transport domain B must have pushed its descriptor to a directory
    248. 

  248. server in transport domain A, so that the directory server in transport domain
    249. 

  249. A can use that router to reach the directory server in transport domain B.
    250. 

  250. 

  251. When confronted with the choice of multiple different paths to reach the same
    252. 

  252. router, the Blossom nodes may use a route selection protocol similar in design
    253. 

  253. to that used by BGP (may be a simple distance-vector route selection procedure
    254. 

  254. that only takes into account path length, or may be more complex to avoid
    255. 

  255. loops, cache results, etc.) in order to choose the best one.
    256. 

  256. 

  257. [How does this work with exit policies (how do we enumerate all resources
    258. 

  258. in our transport domain?), and translating resources that we want to
    259. 

  259. get to to servers that can reach them?]
    260. 

  260.