[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Proposal: Optionally allow exit from single-hop circuits



Please see attached my proposed solution to address Bug 768.

Thanks!

Geoff

Filename: single-hop-circuits.txt
Title: Optionally allow exit from single-hop circuits
Version:
Last-Modified:
Author: Geoff Goodell
Created: 13-Jul-2008
Status: Draft

Overview

    Provide a special configuration option that adds a line to descriptors
    indicating that a router can be used as an exit for one-hop circuits, and allow
    clients to attach streams to one-hop circuits provided that the descriptor for
    the router in the circuit includes this configuration option.

Motivation

    At some point (r9735?), code was added to src/or/control.c that prevents
    controllers from attaching streams to one-hop circuits.  The idea seems to be
    that we can use the cost of forking and maintaining a patch as a lever to
    prevent people from writing controllers that jeopardize the operational
    security of routers and the anonymity properties of the Tor network by creating
    and using one-hop circuits rather than the standard three-hop circuits.  It may
    be, for example, that some users do not actually seek true anonymity but simply
    reachability through network perspectives afforded by the Tor network, and
    since anonymity is stronger in numbers, forcing users to contribute to
    anonymity and decrease the risk to server operators by using full-length paths
    may be reasonable.

    Whether or not we agree that the particular approach of using hardcoded,
    immutable policy in the Tor client to limit self-determinism on the part of
    clients is the right way to address the risks posed by one-hop circuit
    utilization (for example, I think that routers ought to take responsibility for
    ensuring that they are not allowing exit from one-hop circuits), it remains
    true that as presently implemented, the sweeping restriction of one-hop
    circuits for all routers limits the usefulness of Tor as a general-purpose
    technology for building circuits.  In particular, we should allow for
    controllers, such as Blossom, that create and use single-hop circuits involving
    routers that are not part of the Tor network.

Design

    Introduce a configuration option for Tor servers that, when set, indicates that
    a router is willing to provide exit from one-hop circuits.  Routers with this
    policy will not require that a circuit has at least two hops when it is used as
    an exit.

    In addition, routers for which this configuration option has been set will have
    a line in their descriptors, "opt exit-from-single-hop-circuits".  Clients will
    keep track of which routers have this option and allow streams to be attached
    to single-hop circuits including such routers.

Security Considerations

    This approach seems to eliminate the worry about operational router security,
    since server operators will not set the configuraiton option unless they are
    willing to take on such risk.  

    To reduce the impact on anonymity of the network resulting from including such
    "risky" routers in regular Tor path selection, clients may systematically
    exclude routers with "opt exit-from-single-hop-circuits" when choosing random
    paths through the Tor network.

Attachment: signature.asc
Description: Digital signature