Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d230827912
Branches Tags
tor-parallel...
/
doc
/
spec
/
proposals
/
158-microdescriptors.txt

158-microdescriptors.txt 9.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205 
  1. Filename: 158-microdescriptors.txt
    2. 

  2. Title: Clients download consensus + microdescriptors
    3. 

  3. Author: Roger Dingledine
    4. 

  4. Created: 17-Jan-2009
    5. 

  5. Status: Open
    6. 

  6. 

  7. 1. Overview
    8. 

  8. 

  9.   This proposal replaces section 3.2 of proposal 141, which was
    10. 

  10.   called "Fetching descriptors on demand". Rather than modifying the
    11. 

  11.   circuit-building protocol to fetch a server descriptor inline at each
    12. 

  12.   circuit extend, we instead put all of the information that clients need
    13. 

  13.   either into the consensus itself, or into a new set of data about each
    14. 

  14.   relay called a microdescriptor. The microdescriptor is a direct
    15. 

  15.   transform from the relay descriptor, so relays don't even need to know
    16. 

  16.   this is happening.
    17. 

  17. 

  18.   Descriptor elements that are small and frequently changing should go
    19. 

  19.   in the consensus itself, and descriptor elements that are small and
    20. 

  20.   relatively static should go in the microdescriptor. If we ever end up
    21. 

  21.   with descriptor elements that aren't small yet clients need to know
    22. 

  22.   them, we'll need to resume considering some design like the one in
    23. 

  23.   proposal 141.
    24. 

  24. 

  25. 2. Motivation
    26. 

  26. 

  27.   See
    28. 

  28.   http://archives.seul.org/or/dev/Nov-2008/msg00000.html and
    29. 

  29.   http://archives.seul.org/or/dev/Nov-2008/msg00001.html and especially
    30. 

  30.   http://archives.seul.org/or/dev/Nov-2008/msg00007.html
    31. 

  31.   for a discussion of the options and why this is currently the best
    32. 

  32.   approach.
    33. 

  33. 

  34. 3. Design
    35. 

  35. 

  36.   There are three pieces to the proposal. First, authorities will list in
    37. 

  37.   their votes (and thus in the consensus) what relay descriptor elements
    38. 

  38.   are included in the microdescriptor, and also list the expected hash
    39. 

  39.   of microdescriptor for each relay. Second, directory mirrors will serve
    40. 

  40.   microdescriptors. Third, clients will ask for them and cache them.
    41. 

  41. 

  42. 3.1. Consensus changes
    43. 

  43. 

  44.   V3 votes should include a new line:
    45. 

  45.     microdescriptor-elements bar baz foo
    46. 

  46.   listing each descriptor element (sorted alphabetically) that authority
    47. 

  47.   included when it calculated its expected microdescriptor hashes.
    48. 

  48. 

  49.   We also need to include the hash of each expected microdescriptor in
    50. 

  50.   the routerstatus section. I suggest a new "m" line for each stanza,
    51. 

  51.   with the base64 of the hash of the elements that the authority voted
    52. 

  52.   for above.
    53. 

  53. 

  54.   The consensus microdescriptor-elements and "m" lines are then computed
    55. 

  55.   as described in Section 3.1.2 below.
    56. 

  56. 

  57.   I believe that means we need a new consensus-method "6" that knows
    58. 

  58.   how to compute the microdescriptor-elements and add "m" lines.
    59. 

  59. 

  60. 3.1.1. Descriptor elements to include for now
    61. 

  61. 

  62.   To start, the element list that authorities suggest should be
    63. 

  63.     family onion-key
    64. 

  64. 

  65.   (Note that the or-dev posts above only mention onion-key, but if
    66. 

  66.   we don't also include family then clients will never learn it. It
    67. 

  67.   seemed like it should be relatively static, so putting it in the
    68. 

  68.   microdescriptor is smarter than trying to fit it into the consensus.)
    69. 

  69. 

  70.   We could imagine a config option "family,onion-key" so authorities
    71. 

  71.   could change their voted preferences without needing to upgrade.
    72. 

  72. 

  73. 3.1.2. Computing consensus for microdescriptor-elements and "m" lines
    74. 

  74. 

  75.   One approach is for the consensus microdescriptor-elements line to
    76. 

  76.   include every element listed by a majority of authorities, sorted. The
    77. 

  77.   problem here is that it will no longer be deterministic what the correct
    78. 

  78.   hash for the "m" line should be. We could imagine telling the authority
    79. 

  79.   to go look in its descriptor and produce the right hash itself, but
    80. 

  80.   we don't want consensus calculation to be based on external data like
    81. 

  81.   that. (Plus, the authority may not have the descriptor that everybody
    82. 

  82.   else voted to use.)
    83. 

  83. 

  84.   The better approach is to take the exact set that has the most votes
    85. 

  85.   (breaking ties by the set that has the most elements, and breaking
    86. 

  86.   ties after that by whichever is alphabetically first). That will
    87. 

  87.   increase the odds that we actually get a microdescriptor hash that
    88. 

  88.   is both a) for the descriptor we're putting in the consensus, and b)
    89. 

  89.   over the elements that we're declaring it should be for.
    90. 

  90. 

  91.   Then the "m" line for a given relay is the one that gets the most votes
    92. 

  92.   from authorities that both a) voted for the microdescriptor-elements
    93. 

  93.   line we're using, and b) voted for the descriptor we're using.
    94. 

  94. 

  95.   (If there's a tie, use the smaller hash. But really, if there are
    96. 

  96.   multiple such votes and they differ about a microdescriptor, we caught
    97. 

  97.   one of them lying or being buggy. We should log it to track down why.)
    98. 

  98. 

  99.   If there are no such votes, then we leave out the "m" line for that
    100. 

  100.   relay. That means clients should avoid it for this time period. (As
    101. 

  101.   an extension it could instead mean that clients should fetch the
    102. 

  102.   descriptor and figure out its microdescriptor themselves. But let's
    103. 

  103.   not get ahead of ourselves.)
    104. 

  104. 

  105.   It would be nice to have a more foolproof way to agree on what
    106. 

  106.   microdescriptor hash each authority should vote for, so we can avoid
    107. 

  107.   missing "m" lines. Just switching to a new consensus-method each time
    108. 

  108.   we change the set of microdescriptor-elements won't help though, since
    109. 

  109.   each authority will still have to decide what hash to vote for before
    110. 

  110.   knowing what consensus-method will be used.
    111. 

  111. 

  112.   Here's one way we could do it. Each vote / consensus includes
    113. 

  113.   the microdescriptor-elements that were used to compute the hashes,
    114. 

  114.   and also a preferred-microdescriptor-elements set. If an authority
    115. 

  115.   has a consensus from the previous period, then it should use the
    116. 

  116.   consensus preferred-microdescriptor-elements when computing its votes
    117. 

  117.   for microdescriptor-elements and the appropriate hashes in the upcoming
    118. 

  118.   period. (If it has no previous consensus, then it just writes its
    119. 

  119.   own preferences in both lines.)
    120. 

  120. 

  121. 3.2. Directory mirrors serve microdescriptors
    122. 

  122. 

  123.   Directory mirrors should then read the microdescriptor-elements line
    124. 

  124.   from the consensus, and learn how to answer requests. (Directory mirrors
    125. 

  125.   continue to serve normal relay descriptors too, a) to serve old clients
    126. 

  126.   and b) to be able to construct microdescriptors on the fly.)
    127. 

  127. 

  128.   The microdescriptors with hashes <D1>,<D2>,<D3> should be available at:
    129. 

  129.     http://<hostname>/tor/micro/d/<D1>+<D2>+<D3>.z
    130. 

  130. 

  131.   All the microdescriptors from the current consensus should also be
    132. 

  132.   available at:
    133. 

  133.     http://<hostname>/tor/micro/all.z
    134. 

  134.   so a client that's bootstrapping doesn't need to send a 70KB URL just
    135. 

  135.   to name every microdescriptor it's looking for.
    136. 

  136. 

  137.   The format of a microdescriptor is the header line
    138. 

  138.   "microdescriptor-header"
    139. 

  139.   followed by each element (keyword and body), alphabetically. There's
    140. 

  140.   no need to mention what hash it's for, since it's self-identifying:
    141. 

  141.   you can hash the elements to learn this.
    142. 

  142. 

  143.   (Do we need a footer line to show that it's over, or is the next
    144. 

  144.   microdescriptor line or EOF enough of a hint? A footer line wouldn't
    145. 

  145.   hurt much. Also, no fair voting for the microdescriptor-element
    146. 

  146.   "microdescriptor-header".)
    147. 

  147. 

  148.   The hash of the microdescriptor is simply the hash of the concatenated
    149. 

  149.   elements -- not counting the header line or hypothetical footer line.
    150. 

  150.   Unless you prefer that?
    151. 

  151. 

  152.   Is there a reasonable way to version these things? We could say that
    153. 

  153.   the microdescriptor-header line can contain arguments which clients
    154. 

  154.   must ignore if they don't understand them. Any better ways?
    155. 

  155. 

  156.   Directory mirrors should check to make sure that the microdescriptors
    157. 

  157.   they're about to serve match the right hashes (either the hashes from
    158. 

  158.   the fetch URL or the hashes from the consensus, respectively).
    159. 

  159. 

  160.   We will probably want to consider some sort of smart data structure to
    161. 

  161.   be able to quickly convert microdescriptor hashes into the appropriate
    162. 

  162.   microdescriptor. Clients will want this anyway when they load their
    163. 

  163.   microdescriptor cache and want to match it up with the consensus to
    164. 

  164.   see what's missing.
    165. 

  165. 

  166. 3.3. Clients fetch them and cache them
    167. 

  167. 

  168.   When a client gets a new consensus, it looks to see if there are any
    169. 

  169.   microdescriptors it needs to learn. If it needs to learn more than
    170. 

  170.   some threshold of the microdescriptors (half?), it requests 'all',
    171. 

  171.   else it requests only the missing ones.
    172. 

  172. 

  173.   Clients maintain a cache of microdescriptors along with metadata like
    174. 

  174.   when it was last referenced by a consensus. They keep a microdescriptor
    175. 

  175.   until it hasn't been mentioned in any consensus for a week. Future
    176. 

  176.   clients might cache them for longer or shorter times.
    177. 

  177. 

  178. 3.3.1. Information leaks from clients
    179. 

  179. 

  180.   If a client asks you for a set of microdescs, then you know she didn't
    181. 

  181.   have them cached before. How much does that leak? What about when
    182. 

  182.   we're all using our entry guards as directory guards, and we've seen
    183. 

  183.   that user make a bunch of circuits already?
    184. 

  184. 

  185.   Fetching "all" when you need at least half is a good first order fix,
    186. 

  186.   but might not be all there is to it.
    187. 

  187. 

  188.   Another future option would be to fetch some of the microdescriptors
    189. 

  189.   anonymously (via a Tor circuit).
    190. 

  190. 

  191. 4. Transition and deployment
    192. 

  192. 

  193.   Phase one, the directory authorities should start voting on
    194. 

  194.   microdescriptors and microdescriptor elements, and putting them in the
    195. 

  195.   consensus. This should happen during the 0.2.1.x series, and should
    196. 

  196.   be relatively easy to do.
    197. 

  197. 

  198.   Phase two, directory mirrors should learn how to serve them, and learn
    199. 

  199.   how to read the consensus to find out what they should be serving. This
    200. 

  200.   phase could be done either in 0.2.1.x or early in 0.2.2.x, depending
    201. 

  201.   on how messy it turns out to be and how quickly we get around to it.
    202. 

  202. 

  203.   Phase three, clients should start fetching and caching them instead
    204. 

  204.   of normal descriptors. This should happen post 0.2.1.x.
    205. 

  205.