[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] minor fixes throughout
Update of /home/or/cvsroot/doc
In directory moria.mit.edu:/home2/arma/work/onion/cvs/doc
Modified Files:
TODO tor-design.tex
Log Message:
minor fixes throughout
Index: TODO
===================================================================
RCS file: /home/or/cvsroot/doc/TODO,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -d -r1.34 -r1.35
--- TODO 2 Nov 2003 06:14:59 -0000 1.34
+++ TODO 2 Nov 2003 23:34:33 -0000 1.35
@@ -5,6 +5,7 @@
rotate tls-level connections -- make new ones, expire old ones.
dirserver shouldn't put you in running-routers list if you haven't
uploading a descriptor recently
+look at having smallcells and largecells
Legend:
SPEC!! - Not specified
Index: tor-design.tex
===================================================================
RCS file: /home/or/cvsroot/doc/tor-design.tex,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -d -r1.61 -r1.62
--- tor-design.tex 2 Nov 2003 22:11:49 -0000 1.61
+++ tor-design.tex 2 Nov 2003 23:34:33 -0000 1.62
@@ -52,7 +52,7 @@
\begin{abstract}
We present Tor, a circuit-based low-latency anonymous communication
system. Tor is the successor to Onion Routing
-and addresses many limitations in the original Onion Routing design.
+and addresses various limitations in the original Onion Routing design.
Tor works in a real-world Internet environment, requires no special
privileges such as root- or kernel-level access,
requires little synchronization or coordination between nodes, and
@@ -388,7 +388,8 @@
Distributed-trust anonymizing systems need to prevent attackers from
adding too many servers and thus compromising too many user paths.
-Tor relies on a centrally maintained set of well-known servers. Tarzan
+Tor relies on a small set of well-known servers to make
+decisions about which nodes can join. Tarzan
and MorphMix allow unknown users to run servers, and limit an attacker
from becoming too much of the network based on a limited resource such
as number of IPs controlled. Crowds suggests requiring written, notarized
@@ -440,13 +441,13 @@
anonymity systems. Many of the open problems in low-latency anonymity
networks, such as generating dummy traffic or preventing Sybil attacks
\cite{sybil}, may be solvable independently from the issues solved by
-Tor. Hopefully future systems will not need to reinvent Tor's design
-decisions. (But note that while a flexible design benefits researchers,
+Tor. Hopefully future systems will not need to reinvent Tor's design.
+(But note that while a flexible design benefits researchers,
there is a danger that differing choices of extensions will make users
distinguishable. Experiments should be run on a separate network.)
-\textbf{Conservative design:} The protocol's design and security
-parameters must be conservative. Additional features impose implementation
+\textbf{Simple design:} The protocol's design and security
+parameters must be well-understood. Additional features impose implementation
and complexity costs; adding unproven techniques to the design threatens
deployability, readability, and ease of security analysis. Tor aims to
deploy a simple and stable system that integrates the best well-understood
@@ -454,14 +455,15 @@
\SubSection{Non-goals}
\label{subsec:non-goals}
-In favoring conservative, deployable designs, we have explicitly deferred
+In favoring simple, deployable designs, we have explicitly deferred
a number of goals, either because they are solved elsewhere, or because
they are an open research question.
\textbf{Not Peer-to-peer:} Tarzan and MorphMix aim to scale to completely
decentralized peer-to-peer environments with thousands of short-lived
servers, many of which may be controlled by an adversary. This approach
-is appealing, but still has many open problems.
+is appealing, but still has many open problems
+\cite{tarzan:ccs02,morphmix:fc04}.
\textbf{Not secure against end-to-end attacks:} Tor does not claim
to provide a definitive solution to end-to-end timing or intersection
@@ -522,9 +524,10 @@
because of relationships in packet timing; relationships in the volume
of data sent; or relationships in any externally visible user-selected
options. The adversary can also mount active attacks by compromising
-routers or keys; by replaying traffic; by selectively DoSing trustworthy
-routers to encourage users to send their traffic through compromised
-routers, or DoSing users to see if the traffic elsewhere in the
+routers or keys; by replaying traffic; by selectively denying service
+to trustworthy routers to encourage users to send their traffic through
+compromised routers, or denying service to users to see if the traffic
+elsewhere in the
network stops; or by introducing patterns into traffic that can later be
detected. The adversary might attack the directory servers to give users
differing views of network state. Additionally, he can try to decrease
@@ -587,8 +590,10 @@
% I think we should describe connections before cells. -NM
Traffic passes from one OR to another, or between a user's OP and an OR,
-in fixed-size cells. Each cell is 256
-bytes, and consists of a header and a payload. The header includes an
+in fixed-size cells. Each cell is 256 bytes (but see
+Section~\ref{sec:conclusion}
+for a discussion of allowing large cells and small cells on the same
+network), and consists of a header and a payload. The header includes an
anonymous circuit identifier (ACI) that specifies which circuit the
% Should we replace ACI with circID ? What is this 'anonymous circuit'
% thing anyway? -RD
@@ -611,7 +616,8 @@
checking; the length of the relay payload; and a relay command. Relay
commands can be one of: \emph{relay
data} (for data flowing down the stream), \emph{relay begin} (to open a
-stream), \emph{relay end} (to close a stream), \emph{relay connected}
+stream), \emph{relay end} (to close a stream cleanly), \emph{relay
+teardown} (to close a broken stream), \emph{relay connected}
(to notify the OP that a relay begin has succeeded), \emph{relay
extend} and \emph{relay extended} (to extend the circuit by a hop,
and to acknowledge), \emph{relay truncate} and \emph{relay truncated}
@@ -621,9 +627,6 @@
We describe each of these cell types in more detail below.
-% Nick: should there have been a table here? -RD
-% Maybe. -NM
-
\SubSection{Circuits and streams}
\label{subsec:circuits}
@@ -638,8 +641,9 @@
In Tor, each circuit can be shared by many TCP streams. To avoid
delays, users construct circuits preemptively. To limit linkability
among the streams, users rotate connections by building a new circuit
-periodically (currently every minute) if the previous one has been
-used, and expire old used circuits that are no longer in use. Thus
+periodically if the previous one has been used,
+and expire old used circuits that are no longer in use. Tor considers
+making a new circuit once a minute: thus
even heavy users spend a negligible amount of time and CPU in
building circuits, but only a limited number of requests can be linked
to each other by a given exit node. Also, because circuits are built
@@ -745,25 +749,25 @@
In the case of Mozilla, we're fine: the filtering web proxy called Privoxy
does the SOCKS call safely, and Mozilla talks to Privoxy safely. But a
-portable general solution, such as for ssh, is an open problem. We could
+portable general solution, such as for ssh, is an open problem. We can
modify the local nameserver, but this approach is invasive, brittle, and
-not portable. We could encourage the resolver library to do resolution
+not portable. We can encourage the resolver library to do resolution
via TCP rather than UDP, but this approach is hard to do right, and also
-has portability problems. Our current answer is to encourage the use of
-privacy-aware proxies like Privoxy wherever possible, and also provide
-a tool similar to \emph{dig} that can do a private lookup through the
-Tor network.
+has portability problems. We can provide a tool similar to \emph{dig} that
+can do a private lookup through the Tor network. Our current answer is to
+encourage the use of privacy-aware proxies like Privoxy wherever possible,
Ending a Tor stream is analogous to ending a TCP stream: it uses a
two-step handshake for normal operation, or a one-step handshake for
errors. If one side of the stream closes abnormally, that node simply
sends a relay teardown cell, and tears down the stream. If one side
-% Nick: mention relay teardown in 'cell' subsec? good enough name? -RD
of the stream closes the connection normally, that node sends a relay
end cell down the circuit. When the other side has sent back its own
relay end, the stream can be torn down. This two-step handshake allows
for TCP-based applications that, for example, close a socket for writing
-but are still willing to read.
+but are still willing to read. Remember that all relay cells use layered
+encryption, so only the destination OR knows what type of relay cell
+it is.
\SubSection{Integrity checking on streams}
@@ -815,6 +819,7 @@
Volunteers are generally more willing to run services that can limit
their bandwidth usage. To accomodate them, Tor servers use a token
bucket approach to limit the number of bytes they
+% XXX cite token bucket?
receive. Tokens are added to the bucket each second (when the bucket is
full, new tokens are discarded.) Each token represents permission to
receive one byte from the network---to receive a byte, the connection
@@ -947,17 +952,6 @@
% What about link-to-link rate limiting?
-More worrisome are distributed denial of service attacks wherein an
-attacker uses a large number of compromised hosts throughout the network
-to consume the Tor network's resources. Although these attacks are not
-new to the networking literature, some proposed approaches are a poor
-fit to anonymous networks. For example, solutions based on backtracking
-harmful traffic \cite{XXX} could allow an anonymity-breaking
-adversary to exploit the backtracking mechanism.
-% XXX I don't see how you would do DDoS through Tor. And even if you
-% did, it seems ok to track you down. Should we remove this
-% paragraph? -RD
-
Attackers also have an opportunity to attack the Tor network by mounting
attacks on its hosts and network links. Disrupting a single circuit or
link breaks all currently open streams passing along that part of the
@@ -1001,7 +995,7 @@
for a client to connect to a given host or network---an external
adversary cannot eavesdrop traffic between the private exit and the
final destination, and so is less sure of Alice's destination and
-activities.) is less sure of Alice's destination. More generally,
+activities.) is less sure of Alice's destination. In general,
nodes can require a variety of forms of traffic authentication
\cite{or-discex00}.
@@ -1187,7 +1181,7 @@
must build circuits and use them to anonymously test router reliability
\cite{mix-acc}.
-When a client Alice retrieves a consensus directory, she uses it if it
+When Alice retrieves a consensus directory, she uses it if it
is signed by a majority of the directory servers she knows.
Using directory servers rather than flooding provides simplicity and
@@ -1221,8 +1215,9 @@
simply by sending many requests to talk to Bob. Thus, Bob needs a
way to filter incoming requests.
\item[Robust:] Bob should be able to maintain a long-term pseudonymous
- identity even in the presence of router failure. Thus, Bob's identity
- must not be tied to a single OR.
+ identity even in the presence of router failure. Thus, Bob's service
+ must not be tied to a single OR, and Bob must be able to tie his service
+ to new ORs.
\item[Smear-resistant:] An attacker should not be able to use rendezvous
points to smear an OR. That is, if a social attacker tries to host a
location-hidden service that is illegal or disreputable, it should not
@@ -1327,8 +1322,8 @@
information into the fully qualified domain name Alice uses when
establishing her connections. Location-hidden services use a virtual
top level domain called `.onion': thus hostnames take the form
-x.y.onion where x encodes the hash of PK, and y is the authentication
-cookie. Alice's onion proxy examines hostnames and recognizes when
+x.y.onion where x is the authentication cookie, and y encodes the hash
+of PK. Alice's onion proxy examines hostnames and recognizes when
they're destined for a hidden server. If so, it decodes the PK and
starts the rendezvous as described in the table above.
@@ -1342,7 +1337,7 @@
with confidence later on. His design also differs from ours in the
following ways: First, Goldberg suggests that the client should
manually hunt down a current location of the service via Gnutella;
-whereas our use of the DHT makes lookup faster, more robust, and
+whereas our use of CFS makes lookup faster, more robust, and
transparent to the user. Second, in Tor the client and server
negotiate ephemeral keys via Diffie-Hellman, so at no point in the
path is the plaintext exposed. Third, our design tries to minimize the
@@ -1546,7 +1541,9 @@
traffic once the circuits have been closed.) Additionally, building
circuits that cross jurisdictions can make legal coercion
harder---this phenomenon is commonly called ``jurisdictional
- arbitrage.''
+ arbitrage.'' The JAP project recently experienced this issue, when
+ the German government successfully ordered them to add a backdoor to
+ all of their nodes.
\item \emph{Run a recipient.} By running a Web server, an adversary
@@ -1890,7 +1887,8 @@
%% commented out for anonymous submission
%\Section{Acknowledgments}
-% Peter Palfrader for editing
+% Peter Palfrader, Geoff Goodell, Adam Shostack, Joseph Sokol-Margolis
+% for editing and comments
% Bram Cohen for congestion control discussions
% Adam Back for suggesting telescoping circuits