# [or-cvs] Finish some content chewing and XXX resolving. More remains.

• To: or-cvs@xxxxxxxxxxxxx
• Subject: [or-cvs] Finish some content chewing and XXX resolving. More remains.
• From: nickm@xxxxxxxx (Nick Mathewson)
• Date: Mon, 7 Feb 2005 02:44:08 -0500 (EST)
• Delivered-to: archiver@seul.org
• Delivered-to: or-cvs-outgoing@seul.org
• Delivered-to: or-cvs@seul.org
• Delivery-date: Mon, 07 Feb 2005 02:44:28 -0500
• Sender: owner-or-cvs@xxxxxxxxxxxxx

Update of /home/or/cvsroot/tor/doc/design-paper
In directory moria.mit.edu:/tmp/cvs-serv9793

Modified Files:
challenges.tex
Log Message:
Finish some content chewing and XXX resolving. More remains.

Index: challenges.tex
===================================================================
RCS file: /home/or/cvsroot/tor/doc/design-paper/challenges.tex,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -d -r1.44 -r1.45
--- challenges.tex	7 Feb 2005 06:46:49 -0000	1.44
+++ challenges.tex	7 Feb 2005 07:44:06 -0000	1.45
@@ -277,7 +277,7 @@

\subsubsection{Distributed trust}
In practice Tor's threat model is based entirely on the goal of
-dispersal and diversity.
+dispersal and diversity.
Tor's defense lies in having a diverse enough set of servers
to prevent most real-world
adversaries from being in the right places to attack users.
@@ -369,24 +369,10 @@
the Internet impacts the security it can provide.
% No image, no sustainability -NM

-% Fold this into next subsec.
-As an example to motivate this section, some U.S.~Department of Energy
-penetration testing engineers are tasked with compromising DoE computers
-from the outside. They only have a limited number of ISPs from which to
-launch their attacks, and they found that the defenders were recognizing
-attacks because they came from the same IP space. These engineers wanted
-to use Tor to hide their tracks. First, from a technical standpoint,
-Tor does not support the variety of IP packets one would like to use in
-such attacks (see Section~\ref{subsec:tcp-vs-ip}). But aside from this,
-we also decided that it would probably be poor precedent to encourage
-such use---even legal use that improves national security---and managed
-
With this image issue in mind, this section discusses the Tor user base and
Tor's interaction with other services on the Internet.

-\subsection{Image and security}
-% Communicating security? - NM
+\subsection{Communicating security}

A growing field of papers argue that usability for anonymity systems
contributes directly to their security, because how usable the system
@@ -452,9 +438,7 @@
matter as much as we'd like, it still helps to have some other users
who use the network. We investigate this issue in the next section.

-\subsection{Reputability}
-% Maintaining image of social value?  Social value?  -NM
-
+\subsection{Reputability and perceived social value}
Another factor impacting the network's security is its reputability:
the perception of its social value based on its current user base. If Alice is
the only user who has ever downloaded the software, it might be socially
@@ -464,16 +448,19 @@
random citizens (cancer survivors, privacy enthusiasts, and so on)
and now she's harder to profile.

-The more cancer survivors on Tor, the better for the human rights
-activists. The more script kiddies, the worse for the normal users. Thus,
+Furthermore, the network's reputability effects its server base: more people
+are willing to run a service if they believe it will be used by human rights
+workers than if they believe it will be used exclusively for disreputable
+ends.  This effect becomes stronger if server operators themselves think they
+will be associated with these disreputable ends.
+
+So the more cancer survivors on Tor, the better for the human rights
+activists. The more malicious hackers, the worse for the normal users. Thus,
reputability is an anonymity issue for two reasons. First, it impacts
the sustainability of the network: a network that's always about to be
-shut down has difficulty attracting and keeping users, so its anonymity
-set suffers.
-% XXX but we said the anonymity set doesn't matter!
-Second, a disreputable network attracts the attention of
-powerful attackers who may not mind revealing the identities of all the
-users to uncover a few bad ones.
+shut down has difficulty attracting and keeping servers, so its diversity
+suffers. Second, a disreputable network is more vulnerable to legal and
+political attacks, since it will attract fewer supporters.

While people therefore have an incentive for the network to be used for
more reputable'' activities than their own, there are still tradeoffs
@@ -492,6 +479,18 @@
widely publicized uses of the network can dictate the types of users it
attracts next.

+As an example, some some U.S.~Department of Energy
+penetration testing engineers are tasked with compromising DoE computers
+from the outside. They only have a limited number of ISPs from which to
+launch their attacks, and they found that the defenders were recognizing
+attacks because they came from the same IP space. These engineers wanted
+to use Tor to hide their tracks. First, from a technical standpoint,
+Tor does not support the variety of IP packets one would like to use in
+such attacks (see Section~\ref{subsec:tcp-vs-ip}). But aside from this,
+we also decided that it would probably be poor precedent to encourage
+such use---even legal use that improves national security---and managed
+
%% "outside of academia, jap has just lost, permanently".  (That is,
%% even though the crime detection issues are resolved and are unlikely
%% to go down the same way again, public perception has not been kind.)
@@ -527,19 +526,19 @@
of deniability'' for traffic that originates at that exit node.  For
example, it is likely in practice that HTTP requests from a Tor server's IP
will be assumed to be from the Tor network.
-XXXX clarify.
-\item Maintain the sustainability of the network. XXX sentencize
+\item People and organizations who use Tor for anonymity depend on the
+  continued existence of the Tor network to do so; running a server helps to
+  keep the network operational.
%\item Local Tor entry and exit servers allow users on a network to run in an
%  enclave' configuration.  [XXXX need to resolve this. They would do this
%   for E2E encryption + auth?]
\end{tightlist}

-First, we try to make the costs of running a Tor server easily minimized.
+We must try to make the costs of running a Tor server easily minimized.
Since Tor is run by volunteers, the most crucial software usability issue is
usability by operators: when an operator leaves, the network becomes less
usable by everybody.  To keep operators pleased, we must try to keep Tor's
-resource and administrative demands as low as possible. [XXXX say more. E.g.,
-exit policies.]
+resource and administrative demands as low as possible.

Because of ISP billing structures, many Tor operators have underused capacity
that they are willing to donate to the network, at no additional monetary
@@ -549,15 +548,21 @@
giving billing cycle, to become dormant once its bandwidth is exhausted, and
to reawaken at a random offset into the next billing cycle.  This feature has
interesting policy implications, however; see
-section~\ref{subsec:bandwidth-and-usability} below.
+section~\ref{subsec:bandwidth-and-filesharing} below.

-[XXXX say more.  Why else would you run a server? What else can we do/do we
-  already do to make running a server more attractive?]
-[We can enforce incentives; see Section 6.1. We can rate-limit clients.
-  We can put "top bandwidth servers lists" up a la seti@home.]
+Exit policies help to limit administrative costs by limiting the frequency of
+abuse complaints.

-\subsection{Bandwidth and usability}
-\label{subsec:bandwidth-and-usability}
+%[XXXX say more.  Why else would you run a server? What else can we do/do we
+%  already do to make running a server more attractive?]
+%[We can enforce incentives; see Section 6.1. We can rate-limit clients.
+%  We can put "top bandwidth servers lists" up a la seti@home.]
+
+
+\subsection{Bandwidth and filesharing}
+\label{subsec:bandwidth-and-filesharing}
+%One potentially problematical area with deploying Tor has been our response
+%to file-sharing applications.
Once users have configured their applications to work with Tor, the largest
remaining usability issue is bandwidth.  When websites feel slow,'' users
begin to suffer.
@@ -569,22 +574,14 @@
receive if she weren't using Tor, unless far more servers join the network
(see above).

-Limited capacity does not destroy the network, however.  Instead, usage tends
-towards an equilibrium: when performance suffers, users who value performance
-over anonymity tend to leave the system, thus freeing capacity until the
-remaining users on the network are exactly those willing to use that capacity
-there is.
-
-XXX But is it the right equilibirum?  And if it's the wrong one, we lose
-XXX users.  And if we lose the wrong users, servers won't want to help.
-
-XXX what if the file-sharers are more persistent than the journalists?
+%Limited capacity does not destroy the network, however.  Instead, usage tends
+%towards an equilibrium: when performance suffers, users who value performance
+%over anonymity tend to leave the system, thus freeing capacity until the
+%remaining users on the network are exactly those willing to use that capacity
+%there is.

-\subsection{Tor and file-sharing}
-%One potentially problematical area with deploying Tor has been our response
-%to file-sharing applications.
-File-sharing applications make up an enormous
-fraction of the traffic on the Internet today, and provide two challenges to
+Much of Tor's recent bandwidth difficulties have come from file-sharing
+applications.  These applications provide two challenges to
any anonymizing network: their intensive bandwidth requirement, and the
degree to which they are associated (correctly or not) with copyright
violation.
@@ -615,33 +612,35 @@
not frequently associated with file sharing.  There are increasingly few such
ports.

+Other possible approaches might include rate-limiting connections, especially
+long-lived connections or connections to file-sharing ports, so that
+high-bandwidth connections do not flood the network.  We might also want to
+give priority to cells on low-bandwidth connections to keep them interactive,
+but this could have negative anonymity implications.
+
For the moment, it seems that Tor's bandwidth issues have rendered it
unattractive for bulk file-sharing traffic; this may continue to be so in the
future.  Nevertheless, Tor will likely remain attractive for limited use in
-  filesharing protocols that have separate control and data channels.
-
-[xxxx We should say more -- but what?  That we'll see a similar
-  equilibriating effect as with bandwidth, where sensitive ops switch to
-  middleman, and we become less useful for filesharing, so the filesharing
-  people back off, so we get more ops since there's less filesharing, so the
-  filesharers come back, etc.]
+filesharing protocols that have separate control and data channels.

-in practice, plausible deniability is hypothetical and doesn't seem very
-convincing. if ISPs find the activity antisocial, they don't care *why*
-your computer is doing that behavior.
+%[We should say more -- but what?  That we'll see a similar
+%  equilibriating effect as with bandwidth, where sensitive ops switch to
+%  middleman, and we become less useful for filesharing, so the filesharing
+%  people back off, so we get more ops since there's less filesharing, so the
+%  filesharers come back, etc.]

-XXXX deliberately give priority to quiet circuits?
-XXXX or non file-sharing ports??
-XXXX Point is not to beat them off the network, but to keep them from
-XXXX    hogging the network.
+%XXXX
+%in practice, plausible deniability is hypothetical and doesn't seem very
+%convincing. if ISPs find the activity antisocial, they don't care *why*
+%your computer is doing that behavior.

\subsection{Tor and blacklists}

It was long expected that, alongside Tor's legitimate users, it would also
attract troublemakers who exploited Tor in order to abuse services on the
-Internet.
-[XXX we're not talking bandwidth abuse here, we're talking vandalism,
-hate mails via hotmail, attacks, etc.]
+Internet with vandalism, rude mail, and so on.
+%[XXX we're not talking bandwidth abuse here, we're talking vandalism,
+%hate mails via hotmail, attacks, etc.]
Our initial answer to this situation was to use exit policies''
to allow individual Tor servers to block access to specific IP/port ranges.
This approach was meant to make operators more willing to run Tor by allowing
@@ -675,13 +674,16 @@
only those Tor servers that allow access to a specific IP or port, even
though this information is readily available.  One IP blacklist even bans
every class C network that contains a Tor server, and recommends banning SMTP
-from these networks even though Tor does not allow SMTP at all.)
-[****Since this is stupid and we oppose it, shouldn't we name names here -pfs]
-[XXX also, they're making \emph{middleman nodes leave} because they're caught
- up in the standoff!]
-[XXX Mention: it's not dumb, it's strategic!]
-[XXX Mention: for some servops, any blacklist is a blacklist too many,
-  because it is risky.  (Guy lives in apt with one IP.)]
+from these networks even though Tor does not allow SMTP at all.  This
+coarse-grained approach is typically a strategic decision to discourage the
+operation of anything resembling an open proxy by encouraging its neighbors
+to shut it down in order to get unblocked themselves.)
+%[****Since this is stupid and we oppose it, shouldn't we name names here -pfs]
+%[XXX also, they're making \emph{middleman nodes leave} because they're caught
+% up in the standoff!]
+%[XXX Mention: it's not dumb, it's strategic!]
+%[XXX Mention: for some servops, any blacklist is a blacklist too many,
+%  because it is risky.  (Guy lives in apt with one IP.)]

Problems of abuse occur mainly with services such as IRC networks and
Wikipedia, which rely on IP blocking to ban abusive users.  While at first
@@ -698,10 +700,10 @@
would-be IRC users, for instance, to register accounts if they wanted to
access the IRC network from Tor.  But in practise, this would not
significantly impede abuse if creating new accounts were easily automatable;
-[ XXX yahoo uses captchas in exactly this situation]
this is why services use IP blocking.  In order to deter abuse, pseudonymous
identities need to require a significant switching cost in resources or human
time.

%One approach, similar to that taken by Freedom, would be to bootstrap some
@@ -737,12 +739,13 @@
%by implementing the Morphmix-specific node discovery and path selection
%pieces.

-[XXX Mention correct DNS-RBL implementation. -NM]
+%[XXX Mention correct DNS-RBL implementation. -NM]

`