TODO 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357
  1. Legend:
  2. SPEC!! - Not specified
  3. SPEC - Spec not finalized
  4. NICK - nick claims
  5. ARMA - arma claims
  6. - Not done
  7. * Top priority
  8. . Partially done
  9. o Done
  10. D Deferred
  11. X Abandoned
  12. Agenda to be resolved:
  13. remove truncate, truncated from spec?
  14. remove exit-from-middle from spec?
  15. add a bit of long-range dummy traffic -- talk to matt
  16. instrument 'connected' cell.
  17. find some way to report whether bandwidth limit is being hit.
  18. begin reputation architecture: kill -USR2 prints opinions about nodes.
  19. put IPs in directory, not hostnames. keeps OPs from stalling on resolves.
  20. key rotation:
  21. tls key rotation
  22. symmetric and asymmetric
  23. onion key rotation
  24. others?
  25. Advanced directory servers
  26. Figure out how to do threshold directory servers
  27. "secondary" directory servers?
  28. what does it mean for a directory to be valid? do they expire?
  29. productization:
  30. preferential per-connection bandwidth limiting
  31. pre- or post- tls alternate auth mechanisms.
  32. what we could get from windows developers.
  33. Look at having smallcells and largecells
  34. Bandwidth classes. How do we do this so it works?
  35. Rendezvous point design and spec.
  36. Non-clique topologies -- easy to implement, hard to decide topology.
  37. Certification/accreditation
  38. Extensible spec:
  39. - e.g. 'router' line more flexible in descriptor
  40. - split spec file into mini spec files? finalize some, leave others open?
  41. Usability
  42. - e.g. if no torrc, use acceptable defaults.
  43. Synchronous design?
  44. Helper nodes?
  45. Interoperability with morphmix
  46. plan the codecon talk.
  47. Bugs:
  48. - Sometimes it picks a middleman node as the exit for a circuit.
  49. - if you specify a non-dirserver as exitnode or entrynode, when it
  50. makes the first few circuits it hasn't yet fetched the directory,
  51. so it warns that it doesn't know the node.
  52. - make 'make test' exit(1) if a test fails.
  53. - fix buffer unit test so it passes
  54. Short-term:
  55. - when you hup, rewrite the router.desc file (and maybe others)
  56. - consider handling broken socks4 implementations
  57. - improve how it behaves when i remove a line from the approved-routers files
  58. - Make tls connections tls_close intentionally
  59. o Rename ACI to circID
  60. . integrate rep_ok functions, see what breaks
  61. - update tor faq
  62. o obey SocksBindAddress, ORBindAddress
  63. o warn if we're running as root
  64. o make connection_flush_buf() more obviously obsolete
  65. o let hup reread the config file, eg so we can get new exit
  66. policies without restarting
  67. o Put recommended_versions in a config entry
  68. X use times(2) rather than gettimeofday to measure how long it
  69. takes to process a cell
  70. o Separate trying to rebuild a circuit because you have none from trying
  71. to rebuild a circuit because the current one is stale
  72. X Continue reading from socks port even while waiting for connect.
  73. o Exit policies
  74. o Spec how to write the exit policies
  75. o Path selection algorithms
  76. o Choose path more incrementally
  77. o Let user request first/last node
  78. o And disallow certain nodes
  79. D Choose path by jurisdiction, etc?
  80. o Make relay end cells have failure status and payload attached
  81. X let non-approved routers handshake.
  82. - Dirserver shouldn't put you in running-routers list if you haven't
  83. uploaded a descriptor recently
  84. . migrate to using nickname rather than addr:port for routers
  85. o decide_aci_type
  86. - generate onion skins
  87. - circuit_send_next_onion_skin
  88. - circuit_extend
  89. - onion_generate_cpath
  90. - get_unique_aci_by_addr_port
  91. - circ->n_addr and circ->n_port
  92. - circuit_enumerate_by_naddr_nport
  93. - cpath layers
  94. - connection_or_connect
  95. - connection_exact_get_by_addr_port
  96. - connection_twin_get_by_addr_port
  97. - router_get_by_addr_port
  98. - connection_or_init_conn_from_router
  99. - tag_pack, tag_unpack, connection_cpu_process_inbuf
  100. - directory_initiate_command
  101. . Move from onions to ephemeral DH
  102. o incremental path building
  103. o transition circuit-level sendmes to hop-level sendmes
  104. o implement truncate, truncated
  105. o move from 192byte DH to 128byte DH, so it isn't so damn slow
  106. - exiting from not-last hop
  107. - OP logic to decide to extend/truncate a path
  108. - make sure exiting from the not-last hop works
  109. - logic to find last *open* hop, not last hop, in cpath
  110. o Remember address and port when beginning.
  111. - Extend by nickname/hostname/something, not by IP.
  112. - Need a relay teardown cell, separate from one-way ends.
  113. - remove per-connection rate limiting
  114. - Make it harder to circumvent bandwidth caps: look at number of bytes
  115. sent across sockets, not number sent inside TLS stream.
  116. On-going
  117. . Better comments for functions!
  118. . Go through log messages, reduce confusing error messages.
  119. . make the logs include more info (fd, etc)
  120. . Unit tests
  121. . Update the spec so it matches the code
  122. Mid-term:
  123. - Rotate tls-level connections -- make new ones, expire old ones.
  124. So we get actual key rotation, not just symmetric key rotation
  125. o Are there anonymity issues with sequential streamIDs? Sequential
  126. circIDs? Eg an attacker can learn how many there have been.
  127. The fix is to initialize them randomly rather than at 1.
  128. - Look at having smallcells and largecells
  129. . Redo scheduler
  130. o fix SSL_read bug for buffered records
  131. - make round-robining more fair
  132. - What happens when a circuit's length is 1? What breaks?
  133. . streams / circuits
  134. o Implement streams
  135. o Rotate circuits after N minutes?
  136. X Circuits should expire when circuit->expire triggers
  137. NICK . Handle half-open connections
  138. o openssh is an application that uses half-open connections
  139. o Figure out what causes connections to close, standardize
  140. when we mark a connection vs when we tear it down
  141. o Look at what ssl does to keep from mutating data streams
  142. o Put CPU workers in separate processes
  143. o Handle multiple cpu workers (one for each cpu, plus one)
  144. o Queue for pending tasks if all workers full
  145. o Support the 'process this onion' task
  146. D Merge dnsworkers and cpuworkers to some extent
  147. o Handle cpuworkers dying
  148. . Scrubbing proxies
  149. - Find an smtp proxy?
  150. - Check the old smtp proxy code
  151. o Find an ftp proxy? wget --passive
  152. D Wait until there are packet redirectors for Linux
  153. . Get socks4a support into Mozilla
  154. . Develop rendezvous points
  155. X Handle socks commands other than connect, eg, bind?
  156. o Design
  157. - Spec
  158. - Implement
  159. . Tests
  160. o Testing harness/infrastructure
  161. D System tests (how?)
  162. - Performance tests, so we know when we've improved
  163. . webload infrastructure (Bruce)
  164. . httperf infrastructure (easy to set up)
  165. . oprofile (installed in RH >8.0)
  166. NICK . Daemonize and package
  167. o Teach it to fork and background
  168. - Red Hat spec file
  169. o Debian spec file equivalent
  170. . Portability
  171. . Which .h files are we actually using?
  172. . Port to:
  173. o Linux
  174. o BSD
  175. . Solaris
  176. o Cygwin
  177. . Win32
  178. o OS X
  179. - deal with pollhup / reached_eof on all platforms
  180. o openssl randomness
  181. o inet_ntoa
  182. o stdint.h
  183. - Make a script to set up a local network on your machine
  184. o More flexibility in node addressing
  185. D Support IPv6 rather than just 4
  186. o Handle multihomed servers (config variable to set IP)
  187. In the distant future:
  188. D Load balancing between router twins
  189. D Keep track of load over links/nodes, to
  190. know who's hosed
  191. SPEC!! D Non-clique topologies
  192. D Implement our own memory management, at least for common structs
  193. (Not ever necessary?)
  194. D Advanced directory servers
  195. D Automated reputation management
  196. SPEC!! D Figure out how to do threshold directory servers
  197. D jurisdiction info in dirserver entries? other info?
  198. Older (done) todo stuff:
  199. For 0.0.2pre17:
  200. o Put a H(K | handshake) into the onionskin response
  201. o Make cells 512 bytes
  202. o Reduce streamid footprint from 7 bytes to 2 bytes
  203. X Check for collisions in streamid (now possible with
  204. just 2 bytes), and back up & replace with padding if so
  205. o Use the 4 reserved bytes in each cell header to keep 1/5
  206. of a sha1 of the ongoing relay payload (move into stream header)
  207. o Move length into the stream header too
  208. o Make length 2 bytes
  209. D increase DH key length
  210. D increase RSA key length
  211. D Spec the stream_id stuff. Clarify that nobody on the backward
  212. stream should look at stream_id.
  213. Cell:
  214. ACI (anonymous circuit identifier) [2 bytes]
  215. Command [1 byte]
  216. Payload (padded with 0 bytes) [509 bytes]
  217. Relay payload:
  218. Relay command [1 byte]
  219. Stream ID [7 bytes]
  220. Partial SHA-1 [4 bytes]
  221. Length [2 bytes]
  222. Relay payload [495 bytes]
  223. For 0.0.2pre15:
  224. o don't pick exit nodes which will certainly reject all things.
  225. o don't pick nodes that the directory says are down
  226. o choose randomly from running dirservers, not just first one
  227. o install the man page
  228. o warn when client-side tries an address/port which no router in the dir accepts.
  229. For 0.0.2pre14:
  230. o More flexible exit policies (18.*, 18.0.0.0/8)
  231. o Work to succeed in the precense of exit policy violation
  232. o Replace desired_path_len with opaque path-selection specifier
  233. o Client-side DNS caching
  234. o Add entries to client DNS cache based on END cells
  235. o Remove port from END_REASON_EXITPOLICY cells
  236. o Start building new circuits when we get an exit-policy
  237. failure. (Defer exiting from the middle of existing
  238. circuits or extending existing circuits for later.)
  239. o Implement function to check whether a routerinfo_t
  240. supports a given exit addr.
  241. o Choose the exit node of an in-progress circuit based on
  242. pending AP connections.
  243. o Choose the exit node _first_, then beginning, then
  244. middle nodes.
  245. Previous:
  246. o Get tor to act like a socks server
  247. o socks4, socks4a
  248. o socks5
  249. o routers have identity key, link key, onion key.
  250. o link key certs are
  251. D signed by identity key
  252. D not in descriptor
  253. o not in config
  254. D not on disk
  255. o identity and onion keys are in descriptor (and disk)
  256. o upon boot, if it doesn't find identity key, generate it and write it.
  257. o also write a file with the identity key fingerprint in it
  258. o router generates descriptor: flesh out router_get_my_descriptor()
  259. o Routers sign descriptors with identity key
  260. o routers put version number in descriptor
  261. o routers should maybe have `uname -a` in descriptor?
  262. o Give nicknames to routers
  263. o in config
  264. o in descriptors
  265. o router posts descriptor
  266. o when it boots
  267. o every DirFetchPostPeriod seconds
  268. D when it changes
  269. o change tls stuff so certs don't get written to disk, or read from disk
  270. o make directory.c 'thread'safe
  271. o dirserver parses descriptor
  272. o dirserver checks signature
  273. D client checks signature?
  274. o dirserver writes directory to file
  275. o reads that file upon boot
  276. o directory includes all routers, up and down
  277. o add "up" line to directory, listing nicknames
  278. o instruments ORs to report stats
  279. o average cell fullness
  280. o average bandwidth used
  281. o configure log files. separate log file, separate severities.
  282. o what assumptions break if we fclose(0) when we daemonize?
  283. o make buffer struct elements opaque outside buffers.c
  284. o add log convention to the HACKING file
  285. o make 'make install' do the right thing
  286. o change binary name to tor
  287. o change config files so you look at commandline, else look in
  288. /etc/torrc. no cascading.
  289. o have an absolute datadir with fixed names for files, and fixed-name
  290. keydir under that with fixed names
  291. o Move (most of) the router/directory code out of main.c
  292. o Simple directory servers
  293. o Include key in source; sign directories
  294. o Signed directory backend
  295. o Document
  296. o Integrate
  297. o Add versions to code
  298. o Have directories list recommended-versions
  299. o Include line in directories
  300. o Check for presence of line.
  301. o Quit if running the wrong version
  302. o Command-line option to override quit
  303. o Add more information to directory server entries
  304. o Exit policies
  305. o Clearer bandwidth management
  306. o Do we want to remove bandwidth from OR handshakes?
  307. o What about OP handshakes?
  308. X Move away from openssl
  309. o Abstract out crypto calls
  310. X Look at nss, others? Just include code?
  311. o Use a stronger cipher
  312. o aes now, by including the code ourselves
  313. X On the fly compression of each stream
  314. o Clean up the event loop (optimize and sanitize)
  315. o Remove that awful concept of 'roles'
  316. o Terminology
  317. o Circuits, topics, cells stay named that
  318. o 'Connection' gets divided, or renamed, or something?
  319. o DNS farm
  320. o Distribute queries onto the farm, get answers
  321. o Preemptively grow a new worker before he's needed
  322. o Prune workers when too many are idle
  323. o DNS cache
  324. o Clear DNS cache over time
  325. D Honor DNS TTL info (how??)
  326. o Have strategy when all workers are busy
  327. o Keep track of which connections are in dns_wait
  328. o Need to cache positives/negatives on the tor side
  329. o Keep track of which queries have been asked
  330. o Better error handling when
  331. o An address doesn't resolve
  332. o We have max workers running
  333. o Consider taking the master out of the loop?
  334. X Implement reply onions
  335. o Total rate limiting
  336. o Look at OR handshake in more detail
  337. o Spec it
  338. o Merge OR and OP handshakes
  339. o rearrange connection_or so it doesn't suck so much to read
  340. D Periodic link key rotation. Spec?
  341. o wrap malloc with something that explodes when it fails
  342. o Clean up the number of places that get to look at prkey