Etusivu Tutki Apua
Kirjaudu sisään
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Puu: df3911ded8
Branchit Tagit
tor-parallel...
/
doc
/
spec
/
proposals
/
ideas
/
xxx-automatic-node-promotion.txt

xxx-automatic-node-promotion.txt 5.3 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130 
  1. Filename: xxx-automatic-node-promotion.txt
    2. 

  2. Title: Automatically promoting Tor clients to nodes
    3. 

  3. Author: Steven Murdoch
    4. 

  4. Created: 12-Mar-2010
    5. 

  5. Status: Draft
    6. 

  6. Target:
    7. 

  7. 

  8. 1. Overview
    9. 

  9. 

  10.    This proposal describes how Tor clients could determine when they
    11. 

  11.    have sufficient bandwidth capacity and are sufficiently reliable to
    12. 

  12.    become either bridges or Tor relays. When they meet this
    13. 

  13.    criteria, they will automatically promote themselves, based on user
    14. 

  14.    preferences. The proposal also defines the new controller messages
    15. 

  15.    and options which will control this process.
    16. 

  16. 

  17.    Note that for the moment, only transitions between client and
    18. 

  18.    bridge are being considered. Transitions to public relay will
    19. 

  19.    be considered at a future date, but will use the same
    20. 

  20.    infrastructure for measuring capacity and reliability.
    21. 

  21. 

  22. 2. Motivation and history
    23. 

  23. 

  24.    Tor has a growing user-base and one of the major impediments to the
    25. 

  25.    quality of service offered is the lack of network capacity. This is
    26. 

  26.    particularly the case for bridges, because these are gradually
    27. 

  27.    being blocked, and thus no longer of use to people within some
    28. 

  28.    countries. By automatically promoting Tor clients to bridges, and
    29. 

  29.    perhaps also to full public relays, this proposal aims to solve
    30. 

  30.    these problems.
    31. 

  31.  
    32. 

  32.    Only Tor clients which are sufficiently useful should be promoted,
    33. 

  33.    and the process of determining usefulness should be performed
    34. 

  34.    without reporting the existence of the client to the central
    35. 

  35.    authorities. The criteria used for determining usefulness will be
    36. 

  36.    in terms of bandwidth capacity and uptime, but parameters should be
    37. 

  37.    specified in the directory consensus. State stored at the client
    38. 

  38.    should be in no more detail than necessary, to prevent sensitive
    39. 

  39.    information being recorded.
    40. 

  40. 

  41. 3. Design
    42. 

  42. 

  43. 3.x Opt-in state model
    44. 

  44. 

  45.    Tor can be in one of five node-promotion states:
    46. 

  46. 

  47.    - off (O): Currently a client, and will stay as such
    48. 

  48.    - auto (A): Currently a client, but will consider promotion
    49. 

  49.    - bridge (B): Currently a bridge, and will stay as such
    50. 

  50.    - auto-bridge (AB): Currently a bridge, but will consider promotion
    51. 

  51.    - relay (R): Currently a public relay, and will stay as such
    52. 

  52. 

  53.    The state can be fully controlled from the configuration file or
    54. 

  54.    controller, but the normal state transitions are as follows:
    55. 

  55. 

  56.    Any state -> off: User has opted out of node promotion
    57. 

  57.    Off -> any state: Only permitted with user consent
    58. 

  58. 

  59.    Auto -> auto-bridge: Tor has detected that it is sufficiently
    60. 

  60.     reliable to be a *bridge*
    61. 

  61.    Auto -> bridge: Tor has detected that it is sufficiently reliable
    62. 

  62.     to be a *relay*, but the user has chosen to remain a *bridge*
    63. 

  63.    Auto -> relay: Tor has detected that it is sufficiently reliable
    64. 

  64.     to be *relay*, and will skip being a *bridge*
    65. 

  65.    Auto-bridge -> relay: Tor has detected that it is sufficiently
    66. 

  66.     reliable to be a *relay*
    67. 

  67. 

  68.    Note that this model does not support automatic demotion. If this
    69. 

  69.    is desirable, there should be some memory as to whether the
    70. 

  70.    previous state was relay, bridge, or auto-bridge. Otherwise the
    71. 

  71.    user may be prompted to become a relay, although he has opted to
    72. 

  72.    only be a bridge.
    73. 

  73. 

  74. 3.x User interaction policy
    75. 

  75. 

  76.    There are a variety of options in how to involve the user into the
    77. 

  77.    decision as to whether and when to perform node promotion. The
    78. 

  78.    choice also may be different when Tor is running from Vidalia (and
    79. 

  79.    thus can readily prompt the user for information), and standalone
    80. 

  80.    (where Tor can only log messages, which may or may not be read).
    81. 

  81. 

  82.    The option requiring minimal user interaction is to automatically
    83. 

  83.    promote nodes according to reliability, and allow the user to opt
    84. 

  84.    out, by changing settings in the configuration file or Vidalia user
    85. 

  85.    interface.
    86. 

  86. 

  87.    Alternatively, if a user interface is available, Tor could prompt
    88. 

  88.    the user when it detects that a transition is available, and allow
    89. 

  89.    the user to choose which of the available options to select. If
    90. 

  90.    Vidalia is not available, it still may be possible to solicit an
    91. 

  91.    email address on install, and contact the operator to ask whether
    92. 

  92.    a transition to bridge or relay is permitted.
    93. 

  93. 

  94.    Finally, Tor could by default not make any transition, and the user
    95. 

  95.    would need to opt in by stating the maximum level (bridge or
    96. 

  96.    relay) to which the node may automatically promote itself.
    97. 

  97. 

  98. 3.x New options
    99. 

  99. 

  100. 3.x New controller message
    101. 

  101. 

  102. 4. Migration plan
    103. 

  103. 

  104.    We should start by setting a high bandwidth and uptime requirement
    105. 

  105.    in the consensus, so as to avoid overloading the bridge authority
    106. 

  106.    with too many bridges. Once we are confident our systems can scale,
    107. 

  107.    the criteria can be gradually shifted down to gain more bridges.
    108. 

  108. 

  109. 5. Related proposals
    110. 

  110. 

  111. 6. Open questions:
    112. 

  112. 

  113.    - What user interaction policy should we take?
    114. 

  114. 

  115.    - When (if ever) should we turn a relay into an exit relay?
    116. 

  116. 

  117.    - What should the rate limits be for auto-promoted bridges/relays?
    118. 

  118.      Should we prompt the user for this?
    119. 

  119. 

  120.    - Perhaps the bridge authority should tell potential bridges
    121. 

  121.      whether to enable themselves, by taking into account whether
    122. 

  122.      their IP address is blocked
    123. 

  123. 

  124.    - How do we explain the possible risks of running a bridge/relay
    125. 

  125.      * Use of bandwidth/congestion
    126. 

  126.      * Publication of IP address
    127. 

  127.      * Blocking from IRC (even for non-exit relays)
    128. 

  128. 

  129.    - What feedback should we give to bridge relays, to encourage then
    130. 

  130.      e.g. number of recent users (what about reserve bridges)?
    131.