
Proposal: Simplify Configuration of Private Tor Networks



Hi all,

as you know... [and here starts the outline of the attached proposal:]

"Configuring a private Tor network has become a time-consuming and
error-prone task with the introduction of the v3 directory protocol. In
addition to that, operators of private Tor networks need to set an
increasing number of non-trivial configuration options, and it is hard
to keep FAQ entries describing this task up-to-date. In this proposal we
(1) suggest to (optionally) accelerate timing of the v3 directory voting
process and (2) introduce an umbrella config option specifically aimed
at creating private Tor networks."

There is also a patch attached including the changes required for this
proposal.

Comments are highly appreciated! :)

--Karsten
Filename: xxx-private-tor-networks.txt
Title: Simplify Configuration of Private Tor Networks
Version: $LastChangedRevision$
Last-Modified: $LastChangedDate$
Author: Karsten Loesing
Created: 29-Apr-2008
Status: Open

Change history:

  29-Apr-2008  Initial proposal for or-dev

Overview:

  Configuring a private Tor network has become a time-consuming and
  error-prone task with the introduction of the v3 directory protocol. In
  addition to that, operators of private Tor networks need to set an
  increasing number of non-trivial configuration options, and it is hard
  to keep FAQ entries describing this task up-to-date. In this proposal we
  (1) suggest to (optionally) accelerate timing of the v3 directory voting
  process and (2) introduce an umbrella config option specifically aimed at
  creating private Tor networks.

Design:

  1. Accelerate Timing of v3 Directory Voting Process

  Tor has reasonable defaults for setting up a large, Internet-scale
  network with comparably high latencies and possibly wrong server clocks.
  However, those defaults are bad when it comes to quickly setting up a
  private Tor network for testing, either on a single node or LAN (things
  might be different when creating a test network on PlanetLab or
  something). Some time constraints should be made configurable for private
  networks. The general idea is to accelerate everything that has to do
  with propagation of directory information, but nothing else, so that a
  private network is available as soon as possible. (As a possible
  safeguard, changing these configuration values could be made dependent on
  the umbrella configuration option introduced in 2.)

  1.1. Initial Voting Schedule

  When a v3 directory does not know any consensus, it assumes an initial,
  hard-coded VotingInterval of 30 minutes, VoteDelay of 5 minutes, and
  DistDelay of 5 minutes. This is important for multiple, simultaneously
  restarted directory authorities to meet at a common time and create an
  initial consensus. Unfortunately, this means that it may take up to half
  an hour (or even more) for a private Tor network to bootstrap.

  We propose to make these three time constants configurable (note that
  V3AuthVotingInterval, V3AuthVoteDelay, and V3AuthDistDelay do not have an
  effect on the _initial_ voting schedule, but only on the schedule that a
  directory authority votes for). This can be achieved by introducing three
  new configuration options: V3AuthInitialVotingInterval,
  V3AuthInitialVoteDelay, and V3AuthInitialDistDelay.

  As first safeguards, Tor should only accept configuration values for
  V3AuthInitialVotingInterval that divide evenly into the default value of
  30 minutes. The effect is that even if people misconfigured their
  directory authorities, they would meet at the default values at the
  latest. The second safeguard is to allow configuration only when the
  umbrella configuration option PrivateTorNetwork is set.

  1.2. Immediately Provide Reachability Information (Running flag)

  The default behavior of a directory authority is to provide the Running
  flag only after the authority is available for at least 30 minutes. The
  rationale is that before that time, an authority simply cannot deliver
  useful information about other running nodes. But for private Tor
  networks this may be different. This is currently implemented in the code
  as:

  /** If we've been around for less than this amount of time, our
   * reachability information is not accurate. */
  #define DIRSERV_TIME_TO_GET_REACHABILITY_INFO (30*60)

  There should be another configuration option DirAssumeRunningDelay with
  a default value of 30 minutes that can be changed when running private
  Tor networks, e.g. to 0 minutes. The configuration value would simply
  replace the quoted constant. Again, changing this option could be
  safeguarded by requiring the umbrella configuration option
  PrivateTorNetwork to be set.

  1.3. Reduce Estimated Descriptor Propagation Time

  Tor currently assumes that it takes up to 10 minutes until router
  descriptors are propagated from the authorities to directory caches.
  This is not very useful for private Tor networks, and we want to be able
  to reduce this time, so that clients can download router descriptors in a
  timely manner.

  /** Clients don't download any descriptor this recent, since it will
   * probably not have propagated to enough caches. */
  #define ESTIMATED_PROPAGATION_TIME (10*60)

  We suggest to introduce a new config option
  EstimatedDescriptorPropagationTime which defaults to 10 minutes, but that
  can be set to any lower non-negative value, e.g. 0 minutes. The same
  safeguards as in 1.2 could be used here, too.

  2. Umbrella Option for Setting Up Private Tor Networks

  Setting up a private Tor network requires a number of specific settings
  that are not required or useful when running Tor in the public Tor
  network. Instead of writing down these options in a FAQ entry, there
  should be a single configuration option, e.g. PrivateTorNetwork, that
  changes all required settings at once. Newer Tor versions would keep the
  set of configuration options up-to-date. It should still remain possible
  to manually overwrite the settings that the umbrella configuration option
  affects.

  The following configuration options are set by PrivateTorNetwork:

  - ServerDNSAllowBrokenResolvConf 1
      Ignore the situation that private relays are not aware of any name
      servers.

  - DirAllowPrivateAddresses 1
      Allow router descriptors containing private IP addresses.

  - EnforceDistinctSubnets 0
      Permit building circuits with relays in the same subnet.

  - AssumeReachable 1
      Omit self-testing for reachability.

  - AuthDirMaxServersPerAddr 0
  - AuthDirMaxServersPerAuthAddr 0
      Permit an unlimited number of nodes on the same IP address.

  - ClientDNSRejectInternalAddresses 0
      Believe in DNS responses resolving to private IP addresses.

  - ExitPolicyRejectPrivate 0
      Allow exiting to private IP addresses. (This one is a matter of
      taste---it might be dangerous to make this a default in a private
      network, although people setting up private Tor networks should know
      what they are doing.)

  - V3AuthVotingInterval 5 minutes
  - V3AuthVoteDelay 20 seconds
  - V3AuthDistDelay 20 seconds
      Accelerate voting schedule after first consensus has been reached.

  - V3AuthInitialVotingInterval 5 minutes
  - V3AuthInitialVoteDelay 20 seconds
  - V3AuthInitialDistDelay 20 seconds
      Accelerate initial voting schedule until first consensus is reached.

  - DirAssumeRunningDelay 0 minutes
      Consider routers as Running from the start of running an authority.

  - EstimatedDescriptorPropagationTime 0 minutes
      Clients try downloading router descriptors from directory caches,
      even when they are not 10 minutes old.
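
The divisibility safeguard from section 1.1, worked through as an added example (not part of the proposal or the attached patch): it shows that authorities whose initial intervals divide 30 minutes still meet at the default boundary, while a non-divisor drifts away from it. The function names are hypothetical, and the midnight-aligned schedule is a simplified model assumed for illustration.

```c
#include <stdio.h>
#include <time.h>

#define DAY (24*60*60)
#define DEFAULT_INITIAL_INTERVAL (30*60) /* hard-coded default, section 1.1 */
#define MIN_VOTE_INTERVAL 300            /* as shown in the or.h hunk */

/* Assumed model: voting periods start at multiples of `interval` counted
 * from UTC midnight, and a period never runs past the next midnight. */
static time_t next_interval_start(time_t now, int interval)
{
  time_t midnight = now - (now % DAY);
  time_t next = midnight + ((now - midnight) / interval + 1) * interval;
  return next > midnight + DAY ? midnight + DAY : next;
}

/* Safeguard from 1.1: accept only divisors of the 30-minute default. */
static int initial_interval_ok(int interval)
{
  return interval >= MIN_VOTE_INTERVAL &&
         DEFAULT_INITIAL_INTERVAL % interval == 0;
}

/* First time after `now` at which all n authorities start a period. */
static time_t first_common_start(time_t now, const int *intervals, int n)
{
  time_t t = now;
  for (;;) {
    int i, all = 1;
    t = next_interval_start(t, intervals[0]);
    for (i = 1; i < n; i++)
      if (next_interval_start(t - 1, intervals[i]) != t)
        all = 0;
    if (all)
      return t; /* reached at the next midnight at the latest */
  }
}

int main(void)
{
  const time_t now = (time_t)1000 * DAY + 450; /* constructed: 00:07:30 UTC */
  const int divisors[] = { 300, 900, DEFAULT_INITIAL_INTERVAL };
  const int stray[] = { 1500, DEFAULT_INITIAL_INTERVAL }; /* 25 min vs default */

  printf("25 minutes accepted? %d\n", initial_interval_ok(1500));
  printf("divisors meet after %ld s\n",
         (long)(first_common_start(now, divisors, 3) - now));
  printf("25 min + default meet after %ld s\n",
         (long)(first_common_start(now, stray, 2) - now));
  return 0;
}
```

With one authority left at the 30-minute default, a 25-minute setting on another delays the first shared period from 00:30 to 02:30 in this model, which is the failure the divisibility check prevents.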

Index: /home/karsten/tor/tor-trunk-private-network/src/or/config.c
===================================================================
--- /home/karsten/tor/tor-trunk-private-network/src/or/config.c	(revision 14508)
+++ /home/karsten/tor/tor-trunk-private-network/src/or/config.c	(working copy)
@@ -174,6 +174,7 @@
   V(DataDirectory,               STRING,   NULL),
   OBSOLETE("DebugLogFile"),
   V(DirAllowPrivateAddresses,    BOOL,     NULL),
+  V(DirAssumeRunningDelay,       INTERVAL, "30 minutes"),
   V(DirListenAddress,            LINELIST, NULL),
   OBSOLETE("DirFetchPeriod"),
   V(DirPolicy,                   LINELIST, NULL),
@@ -185,6 +186,7 @@
   V(DownloadExtraInfo,           BOOL,     "0"),
   V(EnforceDistinctSubnets,      BOOL,     "1"),
   V(EntryNodes,                  STRING,   NULL),
+  V(EstimatedDescriptorPropagationTime, INTERVAL, "10 minutes"),
   V(ExcludeNodes,                STRING,   NULL),
   V(ExitNodes,                   STRING,   NULL),
   V(ExitPolicy,                  LINELIST, NULL),
@@ -243,6 +245,7 @@
   V(OutboundBindAddress,         STRING,   NULL),
   OBSOLETE("PathlenCoinWeight"),
   V(PidFile,                     STRING,   NULL),
+  V(PrivateTorNetwork,           BOOL,     "0"),
   V(PreferTunneledDirConns,      BOOL,     "1"),
   V(ProtocolWarnings,            BOOL,     "0"),
   V(PublishServerDescriptor,     CSV,      "1"),
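Review bot: The new PrivateTorNetwork entry sits between PidFile and PreferTunneledDirConns, which breaks the alphabetical order the neighbouring entries follow (PidFile, PreferTunneledDirConns, ProtocolWarnings, PublishServerDescriptor). Move it to after PreferTunneledDirConns and before ProtocolWarnings.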
@@ -297,6 +300,9 @@
   VAR("V1AuthoritativeDirectory",BOOL, V1AuthoritativeDir,   "0"),
   VAR("V2AuthoritativeDirectory",BOOL, V2AuthoritativeDir,   "0"),
   VAR("V3AuthoritativeDirectory",BOOL, V3AuthoritativeDir,   "0"),
+  V(V3AuthInitialVotingInterval, INTERVAL, "30 minutes"),
+  V(V3AuthInitialVoteDelay,      INTERVAL, "5 minutes"),
+  V(V3AuthInitialDistDelay,      INTERVAL, "5 minutes"),
   V(V3AuthVotingInterval,        INTERVAL, "1 hour"),
   V(V3AuthVoteDelay,             INTERVAL, "5 minutes"),
   V(V3AuthDistDelay,             INTERVAL, "5 minutes"),
@@ -3306,6 +3312,91 @@
     COMPLAIN("V3AuthVotingInterval does not divide evenly into 24 hours.");
   }
 
+  if (options->V3AuthInitialVotingInterval != 30*60 &&
+      !options->PrivateTorNetwork) {
+    REJECT("V3AuthInitialVotingInterval may only be changed in private "
+           "Tor networks!");
+  } else if (options->V3AuthInitialVotingInterval < MIN_VOTE_INTERVAL) {
+    REJECT("V3AuthInitialVotingInterval is insanely low.");
+  } else if (options->V3AuthInitialVotingInterval > 24*60*60) {
+      REJECT("V3AuthInitialVotingInterval is insanely high.");
+  } else if (((30*60) % options->V3AuthInitialVotingInterval) != 0) {
+    REJECT("V3AuthInitialVotingInterval does not divide evenly into "
+           "30 minutes.");
+  }
+
+  if (options->V3AuthInitialVoteDelay != 5*60 &&
+      !options->PrivateTorNetwork) {
+    REJECT("V3AuthInitialVoteDelay may only be changed in private "
+           "Tor networks!");
+  } else if (options->V3AuthInitialVoteDelay < MIN_VOTE_SECONDS) {
+    REJECT("V3AuthInitialVoteDelay is way too low.");
+  }
+
+  if (options->V3AuthInitialDistDelay != 5*60 &&
+      !options->PrivateTorNetwork) {
+    REJECT("V3AuthInitialDistDelay may only be changed in private "
+           "Tor networks!");
+  } else if (options->V3AuthInitialDistDelay < MIN_DIST_SECONDS) {
+    REJECT("V3AuthInitialDistDelay is way too low.");
+  }
+
+  if (options->V3AuthInitialVoteDelay + options->V3AuthInitialDistDelay >=
+      options->V3AuthInitialVotingInterval/2) {
+    REJECT("V3AuthInitialVoteDelay plus V3AuthInitialDistDelay must be "
+           "less than half V3AuthInitialVotingInterval");
+  }
+
+  if (options->DirAssumeRunningDelay != 30*60 && !options->PrivateTorNetwork) {
+    REJECT("DirAssumeRunningDelay may only be changed in private "
+           "Tor networks!");
+  } else if (options->DirAssumeRunningDelay < 0) {
+    REJECT("DirAssumeRunningDelay must be non-negative.");
+  } else if (options->DirAssumeRunningDelay > 2*60*60) {
+    COMPLAIN("DirAssumeRunningDelay is insanely high.");
+  }
+
+  if (options->EstimatedDescriptorPropagationTime != 10*60 &&
+      !options->PrivateTorNetwork) {
+    REJECT("EstimatedDescriptorPropagationTime may only be changed in "
+           "private Tor networks!");
+  } else if (options->EstimatedDescriptorPropagationTime < 0) {
+    REJECT("EstimatedDescriptorPropagationTime must be non-negative.");
+  } else if (options->EstimatedDescriptorPropagationTime > 60*60) {
+    COMPLAIN("EstimatedDescriptorPropagationTime is insanely high.");
+  }
+
+  if (options->PrivateTorNetwork) {
+    log_warn(LD_CONFIG, "PrivateTorNetwork is set. This will make your node"
+                        "almost unusable in the public Tor network, and is "
+                        "therefore only advised if you are building a "
+                        "private Tor network!");
+    options->ServerDNSAllowBrokenResolvConf = 1;
+    options->DirAllowPrivateAddresses = 1;
+    options->EnforceDistinctSubnets = 0;
+    options->AssumeReachable = 1;
+    options->AuthDirMaxServersPerAddr = 0;
+    options->AuthDirMaxServersPerAuthAddr = 0;
+    options->ClientDNSRejectInternalAddresses = 0;
+    options->ExitPolicyRejectPrivate = 0;
+    options->V3AuthVotingInterval = 5*60;
+    options->V3AuthVoteDelay = 20;
+    options->V3AuthDistDelay = 20;
+    options->V3AuthInitialVotingInterval = 5*60;
+    options->V3AuthInitialVoteDelay = 20;
+    options->V3AuthInitialDistDelay = 20;
+    options->DirAssumeRunningDelay = 0;
+    options->EstimatedDescriptorPropagationTime = 0;
+  }
+  /* TODO It should be possible to override those values that are set by
+   * "PrivateTorNetwork 1" with the original default values (or even some
+   * other value). Idea: Change default values of these configuration
+   * options to invalid value, e.g. -1, in order to distinguish default
+   * values (then -1) from overridden values, e.g. 0. Requires to safely
+   * change all -1 values back to the actual default values afterwards! Is
+   * this a hack? Well, of course it is, but is there a better way to
+   * achieve the same goal? -KL */
+
   if (rend_config_services(options, 1) < 0)
     REJECT("Failed to configure rendezvous options. See logs for details.");
 
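Review bot: The assignments inside the "if (options->PrivateTorNetwork)" block are unconditional and run after the range checks above them, so a value the operator set explicitly is validated and then silently replaced. This contradicts the proposal's statement that manual overrides should remain possible, as the TODO acknowledges. It matters most for ExitPolicyRejectPrivate, which the proposal itself flags as possibly dangerous to default: an operator who sets ExitPolicyRejectPrivate 1 together with PrivateTorNetwork 1 ends up with 0 and no message saying so. Apply each value only when the option was not given explicitly, or leave ExitPolicyRejectPrivate out of the umbrella set. Two smaller points: the log_warn string lacks a space between "make your node" and "almost unusable", so the warning prints "nodealmost"; and the REJECT under the "> 24*60*60" branch is indented two spaces deeper than its siblings.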
Index: /home/karsten/tor/tor-trunk-private-network/src/or/dirserv.c
===================================================================
--- /home/karsten/tor/tor-trunk-private-network/src/or/dirserv.c	(revision 14508)
+++ /home/karsten/tor/tor-trunk-private-network/src/or/dirserv.c	(working copy)
@@ -2122,10 +2122,6 @@
     router->is_bad_exit = router->is_bad_directory = 0;
 }
 
-/** If we've been around for less than this amount of time, our reachability
- * information is not accurate. */
-#define DIRSERV_TIME_TO_GET_REACHABILITY_INFO (30*60)
-
 /** Return a new networkstatus_t* containing our current opinion. (For v3
  * authorities) */
 networkstatus_t *
@@ -2155,7 +2151,7 @@
   tor_assert(private_key);
   tor_assert(cert);
 
-  if (now - time_of_process_start < DIRSERV_TIME_TO_GET_REACHABILITY_INFO)
+  if (now - time_of_process_start < options->DirAssumeRunningDelay)
     vote_on_reachability = 0;
 
   if (resolve_my_address(LOG_WARN, options, &addr, &hostname)<0) {
@@ -2241,7 +2237,7 @@
       last_consensus_interval = current_consensus->fresh_until -
         current_consensus->valid_after;
     else
-      last_consensus_interval = DEFAULT_VOTING_INTERVAL_WHEN_NO_CONSENSUS;
+      last_consensus_interval = options->V3AuthInitialVotingInterval;
     v3_out->valid_after =
       dirvote_get_start_of_next_interval(now, (int)last_consensus_interval);
     format_iso_time(tbuf, v3_out->valid_after);
Index: /home/karsten/tor/tor-trunk-private-network/src/or/dirvote.c
===================================================================
--- /home/karsten/tor/tor-trunk-private-network/src/or/dirvote.c	(revision 14508)
+++ /home/karsten/tor/tor-trunk-private-network/src/or/dirvote.c	(working copy)
@@ -1224,8 +1224,9 @@
     vote_delay = consensus->vote_seconds;
     dist_delay = consensus->dist_seconds;
   } else {
-    interval = DEFAULT_VOTING_INTERVAL_WHEN_NO_CONSENSUS;
-    vote_delay = dist_delay = 300;
+    interval = options->V3AuthInitialVotingInterval;
+    vote_delay = options->V3AuthInitialVoteDelay;
+    dist_delay = options->V3AuthInitialDistDelay;
   }
 
   tor_assert(interval > 0);
Index: /home/karsten/tor/tor-trunk-private-network/src/or/or.h
===================================================================
--- /home/karsten/tor/tor-trunk-private-network/src/or/or.h	(revision 14508)
+++ /home/karsten/tor/tor-trunk-private-network/src/or/or.h	(working copy)
@@ -2339,6 +2339,14 @@
   /** The number of intervals we think a consensus should be valid. */
   int V3AuthNIntervalsValid;
 
+  /** DOCDOC */
+  int V3AuthInitialVotingInterval;
+  int V3AuthInitialVoteDelay;
+  int V3AuthInitialDistDelay;
+  int DirAssumeRunningDelay;
+  int EstimatedDescriptorPropagationTime;
+  int PrivateTorNetwork;
+
   /** File to check for a consensus networkstatus, if we don't have one
    * cached. */
   char *FallbackNetworkstatusFile;
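Review bot: The six new or_options_t fields share a single "/** DOCDOC */" placeholder, so none of them is documented. Give each field its own comment stating the unit (seconds for the five INTERVAL options, judging by the 30*60 and 20 values used in config.c) and noting that PrivateTorNetwork is a boolean that rewrites other options during validation.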
@@ -3181,9 +3189,6 @@
 /** Smallest allowable voting interval. */
 #define MIN_VOTE_INTERVAL 300
 
-/** If there is no consensus, what interval do we default to? */
-#define DEFAULT_VOTING_INTERVAL_WHEN_NO_CONSENSUS (30*60)
-
 void dirvote_free_all(void);
 
 /* vote manipulation */
Index: /home/karsten/tor/tor-trunk-private-network/src/or/routerlist.c
===================================================================
--- /home/karsten/tor/tor-trunk-private-network/src/or/routerlist.c	(revision 14508)
+++ /home/karsten/tor/tor-trunk-private-network/src/or/routerlist.c	(working copy)
@@ -3664,10 +3664,6 @@
   tor_free(resource);
 }
 
-/** Clients don't download any descriptor this recent, since it will probably
- * not have propagated to enough caches. */
-#define ESTIMATED_PROPAGATION_TIME (10*60)
-
 /** Return 0 if this routerstatus is obsolete, too new, isn't
  * running, or otherwise not a descriptor that we would make any
  * use of even if we had it. Else return 1. */
@@ -3679,7 +3675,7 @@
      * But, if we want to have a complete list, fetch it anyway. */
     return 0;
   }
-  if (rs->published_on + ESTIMATED_PROPAGATION_TIME > now) {
+  if (rs->published_on + options->EstimatedDescriptorPropagationTime > now) {
     /* Most caches probably don't have this descriptor yet. */
     return 0;
   }
