[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] minor fixes throughout



Update of /home/or/cvsroot/doc
In directory moria.mit.edu:/home2/arma/work/onion/cvs/doc

Modified Files:
	TODO tor-design.tex 
Log Message:
minor fixes throughout


Index: TODO
===================================================================
RCS file: /home/or/cvsroot/doc/TODO,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -d -r1.34 -r1.35
--- TODO	2 Nov 2003 06:14:59 -0000	1.34
+++ TODO	2 Nov 2003 23:34:33 -0000	1.35
@@ -5,6 +5,7 @@
 rotate tls-level connections -- make new ones, expire old ones.
 dirserver shouldn't put you in running-routers list if you haven't
   uploading a descriptor recently
+look at having smallcells and largecells
 
 Legend:
 SPEC!!  - Not specified

Index: tor-design.tex
===================================================================
RCS file: /home/or/cvsroot/doc/tor-design.tex,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -d -r1.61 -r1.62
--- tor-design.tex	2 Nov 2003 22:11:49 -0000	1.61
+++ tor-design.tex	2 Nov 2003 23:34:33 -0000	1.62
@@ -52,7 +52,7 @@
 \begin{abstract}
 We present Tor, a circuit-based low-latency anonymous communication
 system. Tor is the successor to Onion Routing
-and addresses many limitations in the original Onion Routing design.
+and addresses various limitations in the original Onion Routing design.
 Tor works in a real-world Internet environment, requires no special
 privileges such as root- or kernel-level access,
 requires little synchronization or coordination between nodes, and
@@ -388,7 +388,8 @@
 
 Distributed-trust anonymizing systems need to prevent attackers from
 adding too many servers and thus compromising too many user paths.
-Tor relies on a centrally maintained set of well-known servers. Tarzan
+Tor relies on a small set of well-known servers to make
+decisions about which nodes can join. Tarzan
 and MorphMix allow unknown users to run servers, and limit an attacker
 from becoming too much of the network based on a limited resource such
 as number of IPs controlled. Crowds suggests requiring written, notarized
@@ -440,13 +441,13 @@
 anonymity systems.  Many of the open problems in low-latency anonymity
 networks, such as generating dummy traffic or preventing Sybil attacks
 \cite{sybil}, may be solvable independently from the issues solved by
-Tor. Hopefully future systems will not need to reinvent Tor's design
-decisions.  (But note that while a flexible design benefits researchers,
+Tor. Hopefully future systems will not need to reinvent Tor's design.
+(But note that while a flexible design benefits researchers,
 there is a danger that differing choices of extensions will make users
 distinguishable. Experiments should be run on a separate network.)
 
-\textbf{Conservative design:} The protocol's design and security
-parameters must be conservative. Additional features impose implementation
+\textbf{Simple design:} The protocol's design and security
+parameters must be well-understood. Additional features impose implementation
 and complexity costs; adding unproven techniques to the design threatens
 deployability, readability, and ease of security analysis. Tor aims to
 deploy a simple and stable system that integrates the best well-understood
@@ -454,14 +455,15 @@
 
 \SubSection{Non-goals}
 \label{subsec:non-goals}
-In favoring conservative, deployable designs, we have explicitly deferred
+In favoring simple, deployable designs, we have explicitly deferred
 a number of goals, either because they are solved elsewhere, or because
 they are an open research question.
 
 \textbf{Not Peer-to-peer:} Tarzan and MorphMix aim to scale to completely
 decentralized peer-to-peer environments with thousands of short-lived
 servers, many of which may be controlled by an adversary.  This approach
-is appealing, but still has many open problems.
+is appealing, but still has many open problems
+\cite{tarzan:ccs02,morphmix:fc04}.
 
 \textbf{Not secure against end-to-end attacks:} Tor does not claim
 to provide a definitive solution to end-to-end timing or intersection
@@ -522,9 +524,10 @@
 because of relationships in packet timing; relationships in the volume
 of data sent; or relationships in any externally visible user-selected
 options. The adversary can also mount active attacks by compromising
-routers or keys; by replaying traffic; by selectively DoSing trustworthy
-routers to encourage users to send their traffic through compromised
-routers, or DoSing users to see if the traffic elsewhere in the
+routers or keys; by replaying traffic; by selectively denying service
+to trustworthy routers to encourage users to send their traffic through
+compromised routers, or denying service to users to see if the traffic
+elsewhere in the
 network stops; or by introducing patterns into traffic that can later be
 detected. The adversary might attack the directory servers to give users
 differing views of network state. Additionally, he can try to decrease
@@ -587,8 +590,10 @@
 % I think we should describe connections before cells. -NM
 
 Traffic passes from one OR to another, or between a user's OP and an OR,
-in fixed-size cells. Each cell is 256
-bytes, and consists of a header and a payload. The header includes an
+in fixed-size cells. Each cell is 256 bytes (but see
+Section~\ref{sec:conclusion}
+for a discussion of allowing large cells and small cells on the same
+network), and consists of a header and a payload. The header includes an
 anonymous circuit identifier (ACI) that specifies which circuit the
 % Should we replace ACI with circID ? What is this 'anonymous circuit'
 % thing anyway? -RD
@@ -611,7 +616,8 @@
 checking; the length of the relay payload; and a relay command. Relay
 commands can be one of: \emph{relay
 data} (for data flowing down the stream), \emph{relay begin} (to open a
-stream), \emph{relay end} (to close a stream), \emph{relay connected}
+stream), \emph{relay end} (to close a stream cleanly), \emph{relay
+teardown} (to close a broken stream), \emph{relay connected}
 (to notify the OP that a relay begin has succeeded), \emph{relay
 extend} and \emph{relay extended} (to extend the circuit by a hop,
 and to acknowledge), \emph{relay truncate} and \emph{relay truncated}
@@ -621,9 +627,6 @@
 
 We describe each of these cell types in more detail below.
 
-% Nick: should there have been a table here? -RD
-% Maybe. -NM
-
 \SubSection{Circuits and streams}
 \label{subsec:circuits}
 
@@ -638,8 +641,9 @@
 In Tor, each circuit can be shared by many TCP streams.  To avoid
 delays, users construct circuits preemptively.  To limit linkability
 among the streams, users rotate connections by building a new circuit
-periodically (currently every minute) if the previous one has been
-used, and expire old used circuits that are no longer in use. Thus
+periodically if the previous one has been used,
+and expire old used circuits that are no longer in use. Tor considers
+making a new circuit once a minute: thus
 even heavy users spend a negligible amount of time and CPU in
 building circuits, but only a limited number of requests can be linked
 to each other by a given exit node. Also, because circuits are built
@@ -745,25 +749,25 @@
 
 In the case of Mozilla, we're fine: the filtering web proxy called Privoxy
 does the SOCKS call safely, and Mozilla talks to Privoxy safely. But a
-portable general solution, such as for ssh, is an open problem. We could
+portable general solution, such as for ssh, is an open problem. We can
 modify the local nameserver, but this approach is invasive, brittle, and
-not portable. We could encourage the resolver library to do resolution
+not portable. We can encourage the resolver library to do resolution
 via TCP rather than UDP, but this approach is hard to do right, and also
-has portability problems. Our current answer is to encourage the use of
-privacy-aware proxies like Privoxy wherever possible, and also provide
-a tool similar to \emph{dig} that can do a private lookup through the
-Tor network.
+has portability problems. We can provide a tool similar to \emph{dig} that
+can do a private lookup through the Tor network. Our current answer is to
+encourage the use of privacy-aware proxies like Privoxy wherever possible,
 
 Ending a Tor stream is analogous to ending a TCP stream: it uses a
 two-step handshake for normal operation, or a one-step handshake for
 errors. If one side of the stream closes abnormally, that node simply
 sends a relay teardown cell, and tears down the stream. If one side
-% Nick: mention relay teardown in 'cell' subsec? good enough name? -RD
 of the stream closes the connection normally, that node sends a relay
 end cell down the circuit. When the other side has sent back its own
 relay end, the stream can be torn down. This two-step handshake allows
 for TCP-based applications that, for example, close a socket for writing
-but are still willing to read.
+but are still willing to read. Remember that all relay cells use layered
+encryption, so only the destination OR knows what type of relay cell
+it is.
 
 \SubSection{Integrity checking on streams}
 
@@ -815,6 +819,7 @@
 Volunteers are generally more willing to run services that can limit
 their bandwidth usage.  To accomodate them, Tor servers use a token
 bucket approach to limit the number of bytes they
+% XXX cite token bucket?
 receive. Tokens are added to the bucket each second (when the bucket is
 full, new tokens are discarded.) Each token represents permission to
 receive one byte from the network---to receive a byte, the connection
@@ -947,17 +952,6 @@
 
 % What about link-to-link rate limiting?
 
-More worrisome are distributed denial of service attacks wherein an
-attacker uses a large number of compromised hosts throughout the network
-to consume the Tor network's resources.  Although these attacks are not
-new to the networking literature, some proposed approaches are a poor
-fit to anonymous networks.  For example, solutions based on backtracking
-harmful traffic \cite{XXX} could allow an anonymity-breaking
-adversary to exploit the backtracking mechanism.
-% XXX I don't see how you would do DDoS through Tor. And even if you
-%     did, it seems ok to track you down. Should we remove this
-%     paragraph? -RD
-
 Attackers also have an opportunity to attack the Tor network by mounting
 attacks on its hosts and network links. Disrupting a single circuit or
 link breaks all currently open streams passing along that part of the
@@ -1001,7 +995,7 @@
 for a client to connect to a given host or network---an external
 adversary cannot eavesdrop traffic between the private exit and the
 final destination, and so is less sure of Alice's destination and
-activities.)  is less sure of Alice's destination. More generally,
+activities.)  is less sure of Alice's destination. In general,
 nodes can require a variety of forms of traffic authentication
 \cite{or-discex00}.
 
@@ -1187,7 +1181,7 @@
 must build circuits and use them to anonymously test router reliability
 \cite{mix-acc}.
 
-When a client Alice retrieves a consensus directory, she uses it if it
+When Alice retrieves a consensus directory, she uses it if it
 is signed by a majority of the directory servers she knows.
 
 Using directory servers rather than flooding provides simplicity and
@@ -1221,8 +1215,9 @@
   simply by sending many requests to talk to Bob.  Thus, Bob needs a
   way to filter incoming requests.
 \item[Robust:] Bob should be able to maintain a long-term pseudonymous
-  identity even in the presence of router failure.  Thus, Bob's identity
-  must not be tied to a single OR.
+  identity even in the presence of router failure.  Thus, Bob's service
+  must not be tied to a single OR, and Bob must be able to tie his service
+  to new ORs.
 \item[Smear-resistant:] An attacker should not be able to use rendezvous
   points to smear an OR.  That is, if a social attacker tries to host a 
   location-hidden service that is illegal or disreputable, it should not
@@ -1327,8 +1322,8 @@
 information into the fully qualified domain name Alice uses when
 establishing her connections.  Location-hidden services use a virtual
 top level domain called `.onion': thus hostnames take the form
-x.y.onion where x encodes the hash of PK, and y is the authentication
-cookie. Alice's onion proxy examines hostnames and recognizes when
+x.y.onion where x is the authentication cookie, and y encodes the hash
+of PK. Alice's onion proxy examines hostnames and recognizes when
 they're destined for a hidden server. If so, it decodes the PK and
 starts the rendezvous as described in the table above.
 
@@ -1342,7 +1337,7 @@
 with confidence later on. His design also differs from ours in the
 following ways: First, Goldberg suggests that the client should
 manually hunt down a current location of the service via Gnutella;
-whereas our use of the DHT makes lookup faster, more robust, and
+whereas our use of CFS makes lookup faster, more robust, and
 transparent to the user. Second, in Tor the client and server
 negotiate ephemeral keys via Diffie-Hellman, so at no point in the
 path is the plaintext exposed. Third, our design tries to minimize the
@@ -1546,7 +1541,9 @@
   traffic once the circuits have been closed.)  Additionally, building
   circuits that cross jurisdictions can make legal coercion
   harder---this phenomenon is commonly called ``jurisdictional
-  arbitrage.''
+  arbitrage.'' The JAP project recently experienced this issue, when
+  the German government successfully ordered them to add a backdoor to
+  all of their nodes.
 
   
 \item \emph{Run a recipient.} By running a Web server, an adversary
@@ -1890,7 +1887,8 @@
 
 %% commented out for anonymous submission
 %\Section{Acknowledgments}
-% Peter Palfrader for editing
+% Peter Palfrader, Geoff Goodell, Adam Shostack, Joseph Sokol-Margolis
+%   for editing and comments
 % Bram Cohen for congestion control discussions
 % Adam Back for suggesting telescoping circuits