105-handshake-revision.txt 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292
  1. Filename: 105-handshake-revision.txt
  2. Title: Version negotiation for the Tor protocol.
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Nick Mathewson, Roger Dingledine
  6. Created:
  7. Status: Open
  8. Overview:
  9. This document was extracted from a modified version of tor-spec.txt that we
  10. had written before the proposal system went into place. It adds two new
  11. cells types to the Tor link connection setup handshake: one used for
  12. version negotiation, and another to prevent MITM attacks.
  13. This is an open proposal.
  14. Motivation: Tor versions
  15. Our *current* approach to versioning the Tor protocol(s) has been as
  16. follows:
  17. - All changes must be backward compatible.
  18. - It's okay to add new cell types, if they would be ignored by previous
  19. versions of Tor.
  20. - It's okay to add new data elements to cells, if they would be
  21. ignored by previous versions of Tor.
  22. - For forward compatibility, Tor must ignore cell types it doesn't
  23. recognize, and ignore data in those cells it doesn't expect.
  24. - Clients can inspect the version of Tor declared in the platform line
  25. of a router's descriptor, and use that to learn whether a server
  26. supports a given feature. Servers, however, aren't assumed to all
  27. know about each other, and so don't know the version of who they're
  28. talking to.
  29. This system has these problems:
  30. - It's very hard to change fundamental aspects of the protocol, like the
  31. cell format, the link protocol, any of the various encryption schemes,
  32. and so on.
  33. - The router-to-router link protocol has remained more-or-less frozen
  34. for a long time, since we can't easily have an OR use new features
  35. unless it knows the other OR will understand them.
  36. We need to resolve these problems because:
  37. - Our cipher suite is showing its age: SHA1/AES128/RSA1024/DH1024 will
  38. not seem like the best idea for all time.
  39. - There are many ideas circulating for multiple cell sizes; while it's
  40. not obvious whether these are safe, we can't do them at all without a
  41. mechanism to permit them.
  42. - There are many ideas circulating for alternative circuit building and
  43. cell relay rules: they don't work unless they can coexist in the
  44. current network.
  45. - If our protocol changes a lot, it's hard to describe any coherent
  46. version of it: we need to say "the version that Tor versions W through
  47. X use when talking to versions Y through Z". This makes analysis
  48. harder.
  49. Motivation: Preventing MITM attacks
  50. TLS prevents a man-in-the-middle attacker from reading or changing the
  51. contents of a communication. It does not, however, prevent such an
  52. attacker from observing timing information. Since timing attacks are some
  53. of the most effective against low-latency anonymity nets like Tor, we
  54. should take more care to make sure that we're not only talking to who
  55. we think we're talking to, but that we're using the network path we
  56. believe we're using.
  57. Motivation: Signed clock information
  58. It's very useful for Tor instances to know how skewed they are relative
  59. to one another. The only way to find out currently has been to download
  60. directory information, and check the Date header--but this is not
  61. authenticated, and hence subject to modification on the wire. Using
  62. BEGIN_DIR to create an authenticated directory stream through an existing
  63. circuit is better, but that's an extra step and it might be nicer to
  64. learn the information in the course of the regular protocol.
  65. Proposal:
  66. 1.0. Version numbers
  67. The node-to-node TLS-based "OR connection" protocol and the multi-hop
  68. "circuit" protocol are versioned quasi-independently.
  69. Of course, some dependencies will continue to exist: Certain versions
  70. of the circuit protocol may require a minimum version of the connection
  71. protocol to be used. The connection protocol affects:
  72. - Initial connection setup, link encryption, transport guarantees,
  73. etc.
  74. - The allowable set of cell commands
  75. - Allowable formats for cells.
  76. The circuit protocol determines:
  77. - How circuits are established and maintained
  78. - How cells are decrypted and relayed
  79. - How streams are established and maintained.
  80. Version numbers are incremented for backward-incompatible protocol changes
  81. only. Backward-compatible changes are generally implemented by adding
  82. additional fields to existing structures; implementations MUST ignore
  83. fields they do not expect. Unused portions of cells MUST be set to zero.
  84. Though versioning the protocol will make it easier to maintain backward
  85. compatibility with older versions of Tor, we will nevertheless continue to
  86. periodically drop support for older protocols,
  87. - to keep the implementation from growing without bound,
  88. - to limit the maintenance burden of patching bugs in obsolete Tors,
  89. - to limit the testing burden of verifying that many old protocol
  90. versions continue to be implemented properly, and
  91. - to limit the exposure of the network to protocol versions that are
  92. expensive to support.
  93. The Tor protocol as implemented through the 0.1.2.x Tor series will be
  94. called "version 1" in its link protocol and "version 1" in its relay
  95. protocol. Versions of the Tor protocol so old as to be incompatible with
  96. Tor 0.1.2.x can be considered to be version 0 of each, and are not
  97. supported.
  98. 2.1. VERSIONS cells
  99. When a Tor connection is established, both parties normally send a
  100. VERSIONS cell before sending any other cells. (But see below.)
  101. NumVersions [1 byte]
  102. Versions [NumVersions bytes]
  103. "Versions" is a sequence of NumVersions link connection protocol versions,
  104. each one byte long. Parties should list all of the versions which they
  105. are able and willing to support. Parties can only communicate if they
  106. have some connection protocol version in common.
  107. Version 0.2.0.x-alpha and earlier don't understand VERSIONS cells,
  108. and therefore don't support version negotiation. Thus, waiting until
  109. the other side has sent a VERSIONS cell won't work for these servers:
  110. if the other side sends no cells back, it is impossible to tell
  111. whether they
  112. have sent a VERSIONS cell that has been stalled, or whether they have
  113. dropped our own VERSIONS cell as unrecognized. Thus, immediately after
  114. a TLS connection has been established, the parties check whether the
  115. other side has an obsolete certificate (organizationName equal to "Tor"
  116. or "TOR"). If the other party presented an obsolete certificate,
  117. we assume a v1 connection. Otherwise, both parties send VERSIONS
  118. cells listing all their supported versions. Upon receiving the
  119. other party's VERSIONS cell, the implementation begins using the
  120. highest-valued version common to both cells. If the first cell from
  121. the other party has a recognized command, and is _not_ a VERSIONS cell, we
  122. assume a v1 protocol.
  123. Implementations MUST discard VERSIONS cells that are not the first
  124. recognized cells sent on a connection.
  125. The VERSIONS cell must be sent as a v1 cell (2 bytes of circuitID, 1
  126. byte of command, 509 bytes of payload).
  127. 2.2. MITM-prevention and time checking
  128. If we negotiate a v2 connection or higher, the second cell we send SHOULD
  129. be a NETINFO cell. Implementations SHOULD NOT send NETINFO cells at other
  130. times.
  131. A NETINFO cell contains:
  132. Timestamp [4 bytes]
  133. This OR's address [variable]
  134. Other OR's address [variable]
  135. Timestamp is the OR's current Unix time, in seconds since the epoch. If
  136. an implementation receives time values from many ORs that
  137. indicate that its clock is skewed, it SHOULD try to warn the
  138. administrator. (We leave the definition of 'many' intentionally vague
  139. for now.)
  140. Each address contains Type/Length/Value as used in Section 6.4 of
  141. tor-spec.txt. The first address is the address of the interface the
  142. party sending the NETINFO cell
  143. used to connect to or accept connections from the other -- we include it
  144. to block a man-in-the-middle attack on TLS that lets an attacker bounce
  145. traffic through his own computers to enable timing and packet-counting
  146. attacks.
  147. The second address is the one that the party sending the NETINFO cell
  148. believes the other has -- it can be used to learn what your IP address
  149. is if you have no other hints.
  150. Discussion: Versions versus feature lists
  151. Many protocols negotiate lists of available features instead of (or in
  152. addition to) protocol versions. While it's possible that some amount of
  153. version negotiation could be supported in a later Tor, we should prefer to
  154. use protocol versions whenever possible, for reasons discussed in
  155. the "Anonymity Loves Company" paper.
  156. Discussion: Bytes per version, versions per cell
  157. This document provides for a one-byte count of how many versions a Tor
  158. supports, and allows one byte per version. Thus, it can only support only
  159. 254 more versions of the protocol beyond the unallocated v0 and the
  160. current v1. If we ever need to split the protocol into 255 incompatible
  161. versions, we've probably screwed up badly somewhere.
  162. Nevertheless, here are two ways we could support more versions:
  163. - Change the version count to a two-byte field that counts the number of
  164. _bytes_ used, and use a UTF8-style encoding: versions 0 through 127
  165. take one byte to encode, versions 128 through 2047 take two bytes to
  166. encode, and so on. We wouldn't need to parse any version higher than
  167. 127 right now, since all bytes used to encode higher versions would
  168. have their high bit set.
  169. We'd still have a limit of 380 simultaneously versions that could be
  170. declared in any version. This is probably okay.
  171. - Decide that if we need to support more versions, we can add a
  172. MOREVERSIONS cell that gets sent before the VERSIONS cell. The spec
  173. above requires Tors to ignore unrecognized cell types that they get
  174. before the first VERSIONS cell, and still allows version negotiation to
  175. succeed.
  176. Discussion: Reducing round-trips
  177. It might be appealing to see if we can cram more information in the
  178. initial VERSIONS cell. For example, the contents of NETINFO will pretty
  179. soon be sent by everybody before any more information is exchanged, but
  180. decoupling them from the version exchange increases round-trips.
  181. Instead, we could speculatively include handshaking information at
  182. the end of a VERSIONS cell, wrapped in a marker to indicate, "if we wind
  183. up speaking VERSION 2, here's the NETINFO I'll send. Otherwise, ignore
  184. this." This could be extended to opportunistically reduce round trips
  185. when possible for future versions when we guess the versions right.
  186. Of course, we'd need to be careful about using a feature like this:
  187. - We don't want to include things that are expensive to compute,
  188. like PK signatures or proof-of-work.
  189. - We don't want to speculate as a mobile client: it may leak our
  190. experience with the server in question.
  191. Discussion: Advertising versions in routerdescs and networkstatuses.
  192. In network-statuses:
  193. The networkstatus "v" line now has the format:
  194. "v" IMPLEMENTATION IMPL-VERSION "Link" LINK-VERSION-LIST
  195. "Circuit" CIRCUIT-VERSION-LIST NL
  196. LINK-VERSION-LIST and CIRCUIT-VERSION-LIST are comma-separated lists of
  197. supported version numbers. IMPLEMENTATION is the name of the
  198. implementation of the Tor protocol (e.g., "Tor"), and IMPL-VERSION is the
  199. version of the implementation.
  200. Examples:
  201. v Tor 0.2.5.1-alpha Link 1,2,3 Circuit 2,5
  202. v OtherOR 2000+ Link 3 Circuit 5
  203. Implementations that release independently of the Tor codebase SHOULD NOT
  204. use "Tor" as the value of their IMPLEMENTATION.
  205. Additional fields on the "v" line MUST be ignored.
  206. In router descriptors:
  207. The router descriptor should contain a line of the form,
  208. "protocols" "Link" LINK-VERSION-LIST "Circuit" CIRCUIT_VERSION_LIST
  209. Additional fields on the "protocols" line MUST be ignored.
  210. [Versions of Tor before 0.1.2.5-alpha rejected router descriptors with
  211. unrecognized items; the protocols line should be preceded with an "opt"
  212. until these Tors are obsolete.]
  213. Security issues:
  214. Client partitioning is the big danger when we introduce new versions; if a
  215. client supports some very unusual set of protocol versions, it will stand
  216. out from others no matter where it goes. If a server supports an unusual
  217. version, it will get a disproportionate amount of traffic from clients who
  218. prefer that version. We can mitigate this somewhat as follows:
  219. - Do not have clients prefer any protocol version by default until that
  220. version is widespread. (First introduce the new version to servers,
  221. and have clients admit to using it only when configured to do so for
  222. testing. Then, once many servers are running the new protocol
  223. version, enable its use by default.)
  224. - Do not multiply protocol versions needlessly.
  225. - Encourage protocol implementors to implement the same protocol version
  226. sets as some popular version of Tor.
  227. - Disrecommend very old/unpopular versions of Tor via the directory
  228. authorities' RecommmendedVersions mechanism, even if it is still
  229. technically possible to use them.