[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: quick circuit tear down question
On Mon, Jan 28, 2008 at 03:53:51PM -0500, Roger Dingledine wrote:
> On Wed, Jan 23, 2008 at 03:47:42PM -0600, Jon McLachlan wrote:
> > Maybe more for developers... but, does anyone know a way to tear down
> > only the last relay on an already constructed anonymous Tor circuit, in
> > such a way that the circuit remains unchanged except for the
> > disappearance of the last hop? It doesn't seem like this is
> > documented/viable in the ControlPort given the spec @
> > http://www.torproject.org/svn/trunk/doc/spec/control-spec.txt, but maybe
> > someone knows of a neat or hackish trick? :) Or maybe future releases
> > of Tor might...
> Check out Section 5.4 of tor-spec.txt, which includes:
> To tear down part of a circuit, the OP may send a RELAY_TRUNCATE cell
> signaling a given OR (Stream ID zero). That OR sends a DESTROY
> cell to the next node in the circuit, and replies to the OP with a
> RELAY_TRUNCATED cell.
> I don't think we've added any interface for this into the control
> protocol, because we don't really have a safe use in mind yet. You
> can read about the feature in tor-design.pdf under the phrase "leaky
> pipe". But somebody needs to do more anonymity and performance analysis
> first, to tell us what the tradeoffs are between tearing down part of
> a certain and just starting a new one.
One example concern we had was that someone who owned the first two hops
could kill the last part of the circuit and hope it was rebuilt to
a compromised node. Put much too succinctly, this makes the anonymity
roughly 1 - c^3/n^2 rather than 1 - c^2/n^2 , where c is the number
of compromised nodes out of n nodes total. That statement rides roughshod
over many important points. But there were enough concerns with this
and other aspects of leaky-pipes that we decided we should put off
deploying them until our analysis was holding water a little better.