[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Proposal idea: User path configuration

To: or-dev@xxxxxxxxxxxxx
Subject: Re: Proposal idea: User path configuration
From: Sebastian Hahn <hahn.seb@xxxxxx>
Date: Wed, 10 Mar 2010 21:09:36 +0100
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-dev-outgoing@xxxxxxxx
Delivered-to: or-dev@xxxxxxxx
Delivery-date: Wed, 10 Mar 2010 15:09:50 -0500
In-reply-to: <20100310043223.GI3407@xxxxxxxxxxxxxx>
References: <69B9DF56-4161-45FA-8CC7-4C8566CE633E@xxxxxxxxxxxxxxxxx> <20100310043223.GI3407@xxxxxxxxxxxxxx>
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-dev@xxxxxxxxxxxxx


On Mar 10, 2010, at 5:32 AM, Roger Dingledine wrote:

On Thu, Mar 04, 2010 at 04:24:30AM +0100, Sebastian Hahn wrote:
  Users can alter the default behavior for path selection with
configuration
options. In case of conflicts (excluding and requiring the samenode)
the
  "StrictNodes" option is used to determine behaviour. If a nodes is
both
excluded and required via a configuration option, the exclusiontakes
  preference.
I think we should work out the situations where strictnodes is needed,
and the situations where we want to honor the config option evenwithout
strictnodes 1.
For example, if you set entrynodes or exitnodes, then imo you shouldgetone of the nodes you specified, or fail if none work. You asked forit,
you get it. Similarly, if you set Excludenodes or excludeexitnodes, I
think that should trump any entrynodes or exitnodes you set. And ifyouexclude everything that's possible, then you fail to make a circuit.It's
what you asked for. That's pretty much what I built in 0.2.2.7-alpha
(though I haven't finished the "excluding" part).

I think there's a misunderstanding here. I think we should make itclear thatexcluding trumps including, but it would be sad if we end up in astate wherepeople cannot say "ExcludeExitNodes xy, y, z" and still have theirhiddenservices work. This seems to be what you're trying to say below, and Ihadtried to capture it in my spec addition. "require" above is meant tomean"Tor requires this node because it is an intro point and all otherintro pointsare down", for example, not that someone used ExcludeNodes andEntryNodes

with overlapping nodes, for example.

So to make it clear, I want StrictNodes to only be considered at allwhen

we have a special case for a non-exit circuit.

* What if Tor as a client wants to reach an introduction point for
a hidden service that the user asked to visit, but that intro point
is in excludenodes? The complex answer is to avoid the excluded intro

points unless that would exclude all of them, in which case, eitherfail

if StrictNodes is 1 else choose one like normal. The simpler answer
coding-wise is to ignore ExcludeNodes when choosing which intro point
to contact, and then either fail or allow it depending on the value
of StrictNodes. I'm inclined toward the simpler answer here, because I
don't think you should care whether your Tor reaches some relay at the
end of your circuit, if that's all Tor uses the circuit for.

I don't think this is so controversial. We should do the complicatedthing,

at least according to how I wanted the spec change to be interpreted.

* If you ExcludeNodes a relay but your Tor wants to ask it fordirectory
information, do we? I think the answer is no, a) because there's a
plausible client-enumeration attack a reasonable person could to be
trying to avoid by excluding it, and b) because the informationshould beavailable from a different relay. And if you exclude all theauthorities
and then fail to bootstrap, that's your own fault.


No, we don't ask that node, once again unless all nodes are excluded and
strictnodes is set.

* How do we handle foo.exit when AllowDotExit is 1 but foo is in
ExcludeNodes or ExcludeExitNodes? The user both asked for it and asked
for not it. We could allow it if StrictNodes is 0, and refuse it if

StrictNodes is 1. I'm inclined to just refuse it in both cases, tomake

the code (and spec) simpler.


Just refuse it always.

* If we would _implicitly_ append the .exit because of exit enclaving,
but the exit is excluded, then we definitely shouldn't append it.


Right.

What other scenarios have I missed?

  - If "ExitNodes" is provided, then every request requires an exit
node on


More precisely, "then every exit circuit requires"

  - When any of the *Nodes settings are changed, all circuits are
expired
    immediately, to prevent a situation where a previously built
circuit
    is used even though some of its nodes are now excluded.


Right, we do that as of 0.2.2.7-alpha.

Compatibility:

  The old Strict*Nodes options are deprecated, and the StrictNodes
option is
  new. Tor users may need to update their configuration file.

In the current (0.2.2.x) behavior, setting any Strict*Nodes is analias

for setting StrictNodes. That way we don't break torrc files as people

upgrade. (Periodically we run into folks like the Ubuntu people whowantus to promise that if they give a newer version to their existingusers,

it won't break existing config files.)

I guess breaking the torrc format eventually isn't so bad, but doingthis

kind of fallback and warning about it seems ok for now?

--Roger


Thanks
Sebastian

References:
- Proposal idea: User path configuration
  - From: Sebastian Hahn
- Re: Proposal idea: User path configuration
  - From: Roger Dingledine

Prev by Author: Proposal idea: User path configuration
Next by Author: Proposal idea: Automatically promoting Tor clients to nodes
Previous by thread: Re: Proposal idea: User path configuration
Next by thread: Proposal 170: Configuration options regarding circuit building [was Re: Proposal idea: User path configuration ]
Index(es):
- Author
- Thread