Resending, since the lines seemed to be wrapped poorly. On Sun, Jul 13, 2008 at 12:39:04PM -0400, Geoffrey Goodell wrote: > Please see attached my proposed solution to address Bug 768. > > Thanks! > > Geoff > > Filename: single-hop-circuits.txt > Title: Optionally allow exit from single-hop circuits > Version: > Last-Modified: > Author: Geoff Goodell > Created: 13-Jul-2008 > Status: Draft > > Overview > > Provide a special configuration option that adds a line to descriptors > indicating that a router can be used as an exit for one-hop circuits, and allow > clients to attach streams to one-hop circuits provided that the descriptor for > the router in the circuit includes this configuration option. > > Motivation > > At some point (r9735?), code was added to src/or/control.c that prevents > controllers from attaching streams to one-hop circuits. The idea seems to be > that we can use the cost of forking and maintaining a patch as a lever to > prevent people from writing controllers that jeopardize the operational > security of routers and the anonymity properties of the Tor network by creating > and using one-hop circuits rather than the standard three-hop circuits. It may > be, for example, that some users do not actually seek true anonymity but simply > reachability through network perspectives afforded by the Tor network, and > since anonymity is stronger in numbers, forcing users to contribute to > anonymity and decrease the risk to server operators by using full-length paths > may be reasonable. > > Whether or not we agree that the particular approach of using hardcoded, > immutable policy in the Tor client to limit self-determinism on the part of > clients is the right way to address the risks posed by one-hop circuit > utilization (for example, I think that routers ought to take responsibility for > ensuring that they are not allowing exit from one-hop circuits), it remains > true that as presently implemented, the sweeping restriction of one-hop > circuits for all routers limits the usefulness of Tor as a general-purpose > technology for building circuits. In particular, we should allow for > controllers, such as Blossom, that create and use single-hop circuits involving > routers that are not part of the Tor network. > > Design > > Introduce a configuration option for Tor servers that, when set, indicates that > a router is willing to provide exit from one-hop circuits. Routers with this > policy will not require that a circuit has at least two hops when it is used as > an exit. > > In addition, routers for which this configuration option has been set will have > a line in their descriptors, "opt exit-from-single-hop-circuits". Clients will > keep track of which routers have this option and allow streams to be attached > to single-hop circuits including such routers. > > Security Considerations > > This approach seems to eliminate the worry about operational router security, > since server operators will not set the configuraiton option unless they are > willing to take on such risk. > > To reduce the impact on anonymity of the network resulting from including such > "risky" routers in regular Tor path selection, clients may systematically > exclude routers with "opt exit-from-single-hop-circuits" when choosing random > paths through the Tor network. >
Filename: single-hop-circuits.txt
Title: Optionally allow exit from single-hop circuits
Version:
Last-Modified:
Author: Geoff Goodell
Created: 13-Jul-2008
Status: Draft
Overview
Provide a special configuration option that adds a line to descriptors
indicating that a router can be used as an exit for one-hop circuits,
and allow clients to attach streams to one-hop circuits provided
that the descriptor for the router in the circuit includes this
configuration option.
Motivation
At some point (r9735?), code was added to src/or/control.c that
prevents controllers from attaching streams to one-hop circuits.
The idea seems to be that we can use the cost of forking and
maintaining a patch as a lever to prevent people from writing
controllers that jeopardize the operational security of routers
and the anonymity properties of the Tor network by creating and
using one-hop circuits rather than the standard three-hop circuits.
It may be, for example, that some users do not actually seek true
anonymity but simply reachability through network perspectives
afforded by the Tor network, and since anonymity is stronger in
numbers, forcing users to contribute to anonymity and decrease the
risk to server operators by using full-length paths may be reasonable.
Whether or not we agree that the particular approach of
using hardcoded, immutable policy in the Tor client to limit
self-determinism on the part of clients is the right way to address
the risks posed by one-hop circuit utilization (for example, I think
that routers ought to take responsibility for ensuring that they are
not allowing exit from one-hop circuits), it remains true that as
presently implemented, the sweeping restriction of one-hop circuits
for all routers limits the usefulness of Tor as a general-purpose
technology for building circuits. In particular, we should allow
for controllers, such as Blossom, that create and use single-hop
circuits involving routers that are not part of the Tor network.
Design
Introduce a configuration option for Tor servers that, when set,
indicates that a router is willing to provide exit from one-hop
circuits. Routers with this policy will not require that a circuit
has at least two hops when it is used as an exit.
In addition, routers for which this configuration option
has been set will have a line in their descriptors, "opt
exit-from-single-hop-circuits". Clients will keep track of which
routers have this option and allow streams to be attached to
single-hop circuits that include such routers.
Security Considerations
This approach seems to eliminate the worry about operational router
security, since server operators will not set the configuraiton
option unless they are willing to take on such risk.
To reduce the impact on anonymity of the network resulting
from including such "risky" routers in regular Tor path
selection, clients may systematically exclude routers with "opt
exit-from-single-hop-circuits" when choosing random paths through
the Tor network.
Attachment:
signature.asc
Description: Digital signature