# [or-cvs] give us a conclusion

Update of /home2/or/cvsroot/tor/doc/design-paper
In directory moria.mit.edu:/home2/arma/work/onion/cvs/tor/doc/design-paper

Modified Files:
challenges.tex
Log Message:
give us a conclusion

Index: challenges.tex
===================================================================
RCS file: /home2/or/cvsroot/tor/doc/design-paper/challenges.tex,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -d -r1.50 -r1.51
--- challenges.tex	8 Feb 2005 05:43:12 -0000	1.50
+++ challenges.tex	8 Feb 2005 06:54:47 -0000	1.51
@@ -8,7 +8,7 @@

\setlength{\textwidth}{6in}
\setlength{\textheight}{8in}
-\setlength{\topmargin}{0in}
+\setlength{\topmargin}{.5in}
\setlength{\oddsidemargin}{1cm}
\setlength{\evensidemargin}{1cm}

@@ -31,7 +31,7 @@
Naval Research Lab \email{<syverson@xxxxxxxxxxxxxxxx>}}

\maketitle
-%\pagestyle{empty}
+\pagestyle{plain}

\begin{abstract}
There are many unexpected or unexpectedly difficult obstacles to
@@ -491,7 +491,7 @@
cf.\ Section \ref{subsec:mid-latency}.} Therefore, since under this threat
model the number of concurrent users does not seem to have much impact
on the anonymity provided, we suggest that JAP's anonymity meter is not
-correctly communicating security levels to its users.
+accurately communicating security levels to its users.

% because more users don't help anonymity much, we need to rely more
% on other incentive schemes, both policy-based (see sec x) and
@@ -924,14 +924,14 @@
to learn as much as we can about how traffic flows so we can improve the
network, but we want to prevent others from learning how traffic flows in
order to trace users' connections through the network.  Furthermore, many
-mechanisms that help Tor run efficiently (such as having clients choose nodes
-based on their capacities) require measurements about the network.
+mechanisms that help Tor run efficiently

-Currently, nodes record their bandwidth use in 15-minute intervals and
-include this information in the descriptors they upload to the directory.
-They also try to deduce their own available bandwidth (based on how
-much traffic they have been able to transfer recently) and upload this
-information as well.
+Currently, nodes try to deduce their own available bandwidth (based on how
+much traffic they have been able to transfer recently) and include this
+information in the descriptors they upload to the directory. Clients
+choose servers weighted by their bandwidth, neglecting really slow
+servers and capping the influence of really fast ones.

This is, of course, eminently cheatable.  A malicious node can get a
disproportionate amount of traffic simply by claiming to have more bandwidth
@@ -1320,8 +1320,8 @@
or South America.

Many open questions remain. First, it will be an immense engineering
-challenge to get an entire BGP routing table to each Tor client, or at
-least summarize it sufficiently. Without a local copy, clients won't be
+challenge to get an entire BGP routing table to each Tor client, or to
+summarize it sufficiently. Without a local copy, clients won't be
able to safely predict what ASes will be traversed on the various paths
through the Tor network to the final destination. Tarzan~\cite{tarzan:ccs02}
and MorphMix~\cite{morphmix:fc04} suggest that we compare IP prefixes to
@@ -1330,10 +1330,11 @@
IP prefixes. When the network has scaled to thousands of nodes, does IP
prefix comparison become a more useful approximation?
%
-Second, can take advantage of caching certain content at the exit nodes, to
-limit the number of requests that need to leave the network at all.
+Second, we can take advantage of caching certain content at the
+exit nodes, to limit the number of requests that need to leave the
+network at all. What about taking advantage of caches like Akamai or
+Google~\cite{shsm03}? (Note that they're also well-positioned as global
%
Third, if we follow the paper's recommendations and tailor path selection
to avoid choosing endpoints in similar locations, how much are we hurting
@@ -1344,9 +1345,9 @@
would most improve our robustness to this class of attack, and go recruit
new nodes with those ASes in mind?

-Tor's security relies in large part on the dispersal properties of its
-network. We need to be more aware of the anonymity properties of various
-approaches we can make better design decisions in the future.
+%Tor's security relies in large part on the dispersal properties of its
+%network. We need to be more aware of the anonymity properties of various
+%approaches so we can make better design decisions in the future.

\subsection{The China problem}
\label{subsec:china}
@@ -1473,20 +1474,36 @@
\section{The Future}
\label{sec:conclusion}

-we should put random thoughts here until there are enough for a
-conclusion.
+Tor is the largest and most diverse low-latency anonymity network
+available, but we are still in the beginning stages of deployment. Several
+major questions remain.

-will our sustainability approach work? we'll see.
+First, will our volunteer-based approach to sustainability work in the
+long term? As we add more features and destabilize the network, the
+developers spend a lot of time keeping the server operators happy. Even
+though Tor is free software, the network would likely stagnate and die at
+this stage if the developers stopped actively working on it. We may get
+an unexpected boon from the fact that we're a general-purpose overlay
+network: as Tor grows more popular, other groups who need an overlay
+network on the Internet are starting to adapt Tor to their needs.

-Applications that leak data: we can say they're not our problem, but
-they're somebody's problem.
-The more widely deployed Tor becomes, the more people who need a
-deployed overlay network tell us they'd like to use us if only we added
-the following more features.
+Second, Tor is only one of many components that preserve privacy online.
+To keep identifying information out of application traffic, we must build
+more and better protocol-aware proxies that are usable by ordinary people.

-"These are difficult and open questions, yet choosing not to solve them
+Third, we need to gain a reputation for social good, and learn how to
+coexist with the variety of Internet services and their established
+authentication mechanisms. We can't just keep escalating the blacklist
+standoff forever.
+
+Fourth, as described in Section~\ref{sec:scaling}, the current Tor
+architecture does not scale even to handle current user demand. We must
+find designs and incentives to let clients relay traffic too, without
+sacrificing too much anonymity.
+
+These are difficult and open questions, yet choosing not to solve them
means leaving most users to a less secure network or no anonymizing
-network at all."
+network at all.

\bibliographystyle{plain} \bibliography{tor-design}

@@ -1500,22 +1517,25 @@
%\put(3,1){\makebox(0,0)[c]{\epsfig{figure=graphnodes,width=6in}}}
%\end{picture}
\mbox{\epsfig{figure=graphnodes,width=5in}}
-\caption{Number of Tor nodes over time. Lowest line is number of exit
+\caption{Number of Tor nodes over time, through January 2005. Lowest
+line is number of exit
nodes that allow connections to port 80. Middle line is total number of
verified (registered) Tor nodes. The line above that represents nodes
-that are not yet registered.}
+that are running but not yet registered.}
\label{fig:graphnodes}
\end{figure}

\begin{figure}[t]
\centering
\mbox{\epsfig{figure=graphtraffic,width=5in}}
-\caption{The sum of traffic reported by each node over time. The bottom
+\caption{The sum of traffic reported by each node over time, through
+January 2005. The bottom
pair show average throughput, and the top pair represent the largest 15
minute burst in each 4 hour period.}
\label{fig:graphtraffic}
\end{figure}

+\end{document}

Making use of nodes with little bandwidth, or high latency/packet loss.

@@ -1524,5 +1544,3 @@
style doesn't work because we don't want just *one* path. Point to
Geoff's stuff.

-\end{document}
-