Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b45b91a358
Branches Tags
tor-parallel...
/
doc
/
spec
/
proposals
/
110-avoid-infinite-circuits.txt

110-avoid-infinite-circuits.txt 4.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109 
  1. Filename: 110-avoid-infinite-circuits.txt
    2. 

  2. Title: Avoiding infinite length circuits
    3. 

  3. Version: $Revision$
    4. 

  4. Last-Modified: $Date$
    5. 

  5. Author: Roger Dingledine
    6. 

  6. Created: 13-Mar-2007
    7. 

  7. Status: Open
    8. 

  8. 

  9. Overview:
    10. 

  10. 

  11.   Right now, an attacker can add load to the Tor network by extending a
    12. 

  12.   circuit an arbitrary number of times. Every cell that goes down the
    13. 

  13.   circuit then adds N times that amount of load in overall bandwidth
    14. 

  14.   use. This vulnerability arises because servers don't know their position
    15. 

  15.   on the path, so they can't tell how many nodes there are before them
    16. 

  16.   on the path.
    17. 

  17. 

  18.   We propose a new set of relay cells that are distinguishable by
    19. 

  19.   intermediate hops as permitting extend cells. This approach will allow
    20. 

  20.   us to put an upper bound on circuit length relative to the number of
    21. 

  21.   colluding adversary nodes; but there are some downsides too.
    22. 

  22. 

  23. Motivation:
    24. 

  24. 

  25.   The above attack can be used to generally increase load all across the
    26. 

  26.   network, or it can be used to target specific servers: by building a
    27. 

  27.   circuit back and forth between two victim servers, even a low-bandwidth
    28. 

  28.   attacker can soak up all the bandwidth offered by the fastest Tor
    29. 

  29.   servers.
    30. 

  30. 

  31.   The general attacks could be used as a demonstration that Tor isn't
    32. 

  32.   perfect (leading to yet more media articles about "breaking" Tor), and
    33. 

  33.   the targetted attacks will come into play once we have a reputation
    34. 

  34.   system -- it will be trivial to DoS a server so it can't pass its
    35. 

  35.   reputation checks, in turn impacting security.
    36. 

  36. 

  37. Design:
    38. 

  38. 

  39.   We should split RELAY cells into two types: RELAY and RELAY_EXTEND.
    40. 

  40. 

  41.   Relay_extend cells can only be sent in the first K (say, 10) data
    42. 

  42.   cells sent across a circuit, and only relay_extend cells are allowed
    43. 

  43.   to contain extend requests. We still support obscuring the length of
    44. 

  44.   the circuit (if more research shows us what to do), because Alice can
    45. 

  45.   choose how many of the K to mark as relay_extend. Note that relay_extend
    46. 

  46.   cells *can* contain any sort of data cell; so in effect it's actually
    47. 

  47.   the relay type cells that are restricted. By default, she would just
    48. 

  48.   send the first K data cells over the stream as relay_extend cells,
    49. 

  49.   regardless of their actual type.
    50. 

  50. 

  51.   Each intermediate server would pass on the same type of cell that it
    52. 

  52.   received (either relay or relay_extend), and the cell's destination
    53. 

  53.   will be able to learn whether it's allowed to contain an Extend request.
    54. 

  54. 

  55.   If an intermediate server receives a relay_extend cell after it has
    56. 

  56.   already seen k data cells, or if it sees a relay cell that contains an
    57. 

  57.   extend request, then it tears down the circuit (protocol violation).
    58. 

  58. 

  59. Security implications:
    60. 

  60. 

  61.   The upside is that this limits the bandwidth amplification factor to
    62. 

  62.   K: for an individual circuit to become arbitrary-length, the attacker
    63. 

  63.   would need an adversary-controlled node every K hops, and at that
    64. 

  64.   point the attack is no worse than if the attacker creates N/K separate
    65. 

  65.   K-hop circuits.
    66. 

  66. 

  67.   On the other hand, we want to pick a large enough value of K that we
    68. 

  68.   don't mind the cap.
    69. 

  69. 

  70.   If we ever want to take steps to hide the number of hops in the circuit
    71. 

  71.   or a node's position in the circuit, this design probably makes that
    72. 

  72.   more complex.
    73. 

  73. 

  74. Migration:
    75. 

  75. 

  76.   Phase one: servers should recognize relay_extend cells and pass them
    77. 

  77.   on just like relay cells. Don't do any enforcement of the protocol
    78. 

  78.   yet. We could do this phase in the 0.2.0 timeline.
    79. 

  79. 

  80.   Phase two: once support in phase one is pervasive, clients could start
    81. 

  81.   using relay_extend cells when all nodes currently in the circuit would
    82. 

  82.   recognize them. We could conceivably do this phase during 0.2.0 too.
    83. 

  83. 

  84.   Phase three: once clients that don't use relay_extend cells are
    85. 

  85.   obsolete, servers should start enforcing the protocol.
    86. 

  86. 

  87.   (Another migration plan would be to coordinate this with proposal
    88. 

  88.   105's new link versions. Would that be better/worse? Can somebody
    89. 

  89.   sketch out what it might look like?)
    90. 

  90. 

  91. Spec:
    92. 

  92. 

  93.   [We can formalize this part once we think the design is a good one.]
    94. 

  94. 

  95. Additional complexity:
    96. 

  96. 

  97.   Rather than limiting the relay_extend cells to being in the first K
    98. 

  98.   data cells seen, we could instead permit up to K relay_extend cells
    99. 

  99.   in the lifetime of the circuit. This would let us extend the circuit
    100. 

  100.   later on in its life if we decided it was worth doing, though we would
    101. 

  101.   reveal our intent to each node in the circuit when we do.
    102. 

  102. 

  103. Acknowledgements:
    104. 

  104. 

  105.   This design has been kicking around since Christian Grothoff and I came
    106. 

  106.   up with it at PET 2004. (Nathan Evans, Christian Grothoff's student,
    107. 

  107.   is working on implementing a fix based on this design in the summer
    108. 

  108.   2007 timeframe.)
    109. 

  109.