[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] How to integrate an external name resolver into Tor

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] How to integrate an external name resolver into Tor
From: Nick Mathewson <nickm@xxxxxxxxxxxx>
Date: Thu, 4 Aug 2016 09:09:05 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 04 Aug 2016 09:09:55 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to; bh=6J0PR4HyHQ3Psn7TYWSK+cxDR6XkqCm+H7YJuQlotb8=; b=PeNgtpFS0oVRL5+5GNaNrQ7cwiT9rk7qEzB/HEo545+hs6l1/o96zIaGwVdcjV4RdT 7TgrNiPlED74koGk5Dld+Rt/th54kFqhfbFkjJJDeDSYPoKxQEiMTpUUcuHLvfLKU5gw FjhS0bAgJhM9vU8wJ8YH3eC6VYL9W68sXAO6cytMbuS3QBsn0+lMgHP7eRN3qtbFZx/z vvgUhBZhA0cnOwlUv8lLlEbzIUX5PqM/44//k7EvneLII+8hkDqZK4UFxGHnnoVdYoji DQT1pDBzdtST+G/IYAsRAiRCnps9QgvXtyETxSK/QxV3l/Db3led4FxLPTzA1KH6nOx8 z3+g==
In-reply-to: <62bd48c4-bbb9-b35f-9a9e-9c4948ea9da3@airmail.cc>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuxgh2PmfdOoyRug_LHNzLzzNb5d90iY_OuLR054_aQf9A@mail.gmail.com> <62bd48c4-bbb9-b35f-9a9e-9c4948ea9da3@airmail.cc>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Tue, Aug 2, 2016 at 5:10 PM, Jeremy Rand <jeremyrand@xxxxxxxxxx> wrote:
> Nick Mathewson:
>> Hi, all!
>>
>> I've seen a couple of emails from people looking into new ways to do
>> naming for onion services.  That's great!  Before anybody gets too
>> far, I'd like to send this quick note to let you know that integrating
>> stuff like this into Tor is actually easier than you think.
>>
>> Here's how you do it, using a Tor controller.  (See control-spec.txt
>> for protocol documentation. Also see one of the several friendly
>> libraries, like steam, that exist to interface with Tor over this
>> protocol.)
>>
>> First, you set the Tor option "__LeaveStreamsUnattached".  This tells
>> Tor that it shouldn't try to handle new client requests immediately,
>> but it should instead let the controller take responsibility.
>>
>> In the controller, you make sure that you are watching STREAM events
>> so that you find out about new streams.
>>
>> Whenever there's a new stream, you check its address.  If the address
>> is one that you don't want to rewrite, you just call ATTACHSTREAM on
>> it, with a circuit ID of 0. (The 0 means "Tor, you figure out how to
>> attach this one.".
>>
>> Otherwise, you do whatever magic dance you do in order to find out the
>> real address for the stream.
>>
>> If the lookup operation is successful, you say "REDIRECTSTREAM (stream
>> ID) (new address".  And then you ATTACHSTREAM as above.
>>
>> If the lookup operation fails, you call "CLOSESTREAM (stream ID) 2".
>> (The 2 means "resolve failed".
>>
>> And that's it for the Tor integration!  All you need to do now is
>> figure out how the name lookup works.
>>
>> cheers,
>>
>
> Hi Nick,
>
> Let's say that the name lookup operation will generate network traffic,
> and therefore should be subject to stream isolation.  (This is the case
> for a subset of Namecoin-based lookup methods.)
>
> How can a Tor controller obtain the needed information to perform stream
> isolation on the lookup, prior to issuing ATTACHSTREAM?

Conceptually, a controller doesn't isolate streams: the streams are
isolated based on their own properties, so that's more of a client
thiing.

One of the properties that you can use for isolation here is the SOCKS
username and password: two streams with different SOCKS credentials
should never be sent over the same circuit.  This should make stream
isolation happen just fine.

[This is assuming that you use 'ATTACHSTREAM' with a circuit ID of 0,
and let Tor make its own isolation decisions.]

Is that about what you wanted to know?

cheers,
-- 
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] How to integrate an external name resolver into Tor
  - From: Jeremy Rand

References:
- [tor-dev] How to integrate an external name resolver into Tor
  - From: Nick Mathewson
- Re: [tor-dev] How to integrate an external name resolver into Tor
  - From: Jeremy Rand

Prev by Author: Re: [tor-dev] Alternative Implementations of Tor
Next by Author: [tor-dev] Bored C programmers? I've got some warnings for you....
Previous by thread: Re: [tor-dev] How to integrate an external name resolver into Tor
Next by thread: Re: [tor-dev] How to integrate an external name resolver into Tor
Index(es):
- Author
- Thread