[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r15842: Update proposal 110 based on discussions with arma and imple (in tor/trunk: . doc/spec/proposals)
Author: nickm
Date: 2008-07-11 13:08:08 -0400 (Fri, 11 Jul 2008)
New Revision: 15842
Modified:
tor/trunk/
tor/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt
Log:
r16918@tombo: nickm | 2008-07-11 13:04:01 -0400
Update proposal 110 based on discussions with arma and implementation status.
Property changes on: tor/trunk
___________________________________________________________________
svk:merge ticket from /tor/trunk [r16918] on 49666b30-7950-49c5-bedf-9dc8f3168102
Modified: tor/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt
===================================================================
--- tor/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt 2008-07-11 17:08:05 UTC (rev 15841)
+++ tor/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt 2008-07-11 17:08:08 UTC (rev 15842)
@@ -4,8 +4,14 @@
Last-Modified: $Date$
Author: Roger Dingledine
Created: 13-Mar-2007
-Status: Needs-Revision
+Status: Accepted
+History:
+
+ Revised 3 July 2008 by nickm: rename from relay_extend to
+ relay_early. Revise to current migration plan. Allow K cells
+ over circuit lifetime, not just at start.
+
Overview:
Right now, an attacker can add load to the Tor network by extending a
@@ -36,25 +42,25 @@
Design:
- We should split RELAY cells into two types: RELAY and RELAY_EXTEND.
+ We should split RELAY cells into two types: RELAY and RELAY_EARLY.
- Relay_extend cells can only be sent in the first K (say, 10) data
- cells sent across a circuit, and only relay_extend cells are allowed
- to contain extend requests. We still support obscuring the length of
- the circuit (if more research shows us what to do), because Alice can
- choose how many of the K to mark as relay_extend. Note that relay_extend
- cells *can* contain any sort of data cell; so in effect it's actually
- the relay type cells that are restricted. By default, she would just
- send the first K data cells over the stream as relay_extend cells,
- regardless of their actual type.
+ Only K (say, 10) Relay_early cells can be sent across a circuit, and
+ only relay_early cells are allowed to contain extend requests. We
+ still support obscuring the length of the circuit (if more research
+ shows us what to do), because Alice can choose how many of the K to
+ mark as relay_early. Note that relay_early cells *can* contain any
+ sort of data cell; so in effect it's actually the relay type cells
+ that are restricted. By default, she would just send the first K
+ data cells over the stream as relay_early cells, regardless of their
+ actual type.
Each intermediate server would pass on the same type of cell that it
- received (either relay or relay_extend), and the cell's destination
+ received (either relay or relay_early), and the cell's destination
will be able to learn whether it's allowed to contain an Extend request.
- If an intermediate server receives a relay_extend cell after it has
- already seen k data cells, or if it sees a relay cell that contains an
- extend request, then it tears down the circuit (protocol violation).
+ If an intermediate server receives more than K relay_early cells, or
+ if it sees a relay cell that contains an extend request, then it
+ tears down the circuit (protocol violation).
Security implications:
@@ -73,33 +79,26 @@
Migration:
- Phase one: servers should recognize relay_extend cells and pass them
- on just like relay cells. Don't do any enforcement of the protocol
- yet. We could do this phase in the 0.2.0 timeline.
+ In 0.2.0, servers speaking v2 or later of the link protocol accept
+ RELAY_EARLY cells, and pass them on. If the next OR in the circuit
+ is not speaking the v2 link protocol, the server relays the cell as
+ a RELAY cell.
- Phase two: once support in phase one is pervasive, clients could start
- using relay_extend cells when all nodes currently in the circuit would
- recognize them. We could conceivably do this phase during 0.2.0 too.
+ In 0.2.1.x, clients begin using RELAY_EARLY cells on v2 connections.
+ This functionality can be safely backported to 0.2.0.x. Clients
+ should pick a random number betweeen (say) 8 and 10 to send.
- Phase three: once clients that don't use relay_extend cells are
- obsolete, servers should start enforcing the protocol.
+ In 0.2.1.x, servers close any circuit in which more than K
+ relay_early cells are sent.
- (Another migration plan would be to coordinate this with proposal
- 105's new link versions. Would that be better/worse? Can somebody
- sketch out what it might look like?)
+ Once all versions the do not send RELAY_EARLY cells are obsolete,
+ servers can begin to reject any EXTEND requests not sent in a
+ RELAY_EARLY cell.
Spec:
[We can formalize this part once we think the design is a good one.]
-Additional complexity:
-
- Rather than limiting the relay_extend cells to being in the first K
- data cells seen, we could instead permit up to K relay_extend cells
- in the lifetime of the circuit. This would let us extend the circuit
- later on in its life if we decided it was worth doing, though we would
- reveal our intent to each node in the circuit when we do.
-
Acknowledgements:
This design has been kicking around since Christian Grothoff and I came