[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: quick circuit tear down question

On Mon, Jan 28, 2008 at 03:53:51PM -0500, Roger Dingledine wrote:
> On Wed, Jan 23, 2008 at 03:47:42PM -0600, Jon McLachlan wrote:
> >  Maybe more for developers... but, does anyone know a way to tear down 
> > only the last relay on an already constructed anonymous Tor circuit, in 
> > such a way that the circuit remains unchanged except for the 
> > disappearance of the last hop?  It doesn't seem like this is 
> > documented/viable in the ControlPort given the spec @ 
> > http://www.torproject.org/svn/trunk/doc/spec/control-spec.txt, but maybe 
> > someone knows of a neat or hackish trick?  :)  Or maybe future releases 
> > of Tor might...
> Check out Section 5.4 of tor-spec.txt, which includes:
>    To tear down part of a circuit, the OP may send a RELAY_TRUNCATE cell
>    signaling a given OR (Stream ID zero).  That OR sends a DESTROY
>    cell to the next node in the circuit, and replies to the OP with a
> I don't think we've added any interface for this into the control
> protocol, because we don't really have a safe use in mind yet. You
> can read about the feature in tor-design.pdf under the phrase "leaky
> pipe". But somebody needs to do more anonymity and performance analysis
> first, to tell us what the tradeoffs are between tearing down part of
> a certain and just starting a new one.

One example concern we had was that someone who owned the first two hops
could kill the last part of the circuit and hope it was rebuilt to
a compromised node. Put much too succinctly, this makes the anonymity
roughly 1 - c^3/n^2 rather than 1 - c^2/n^2 , where c is the number
of compromised nodes out of n nodes total. That statement rides roughshod
over many important points. But there were enough concerns with this
and other aspects of leaky-pipes that we decided we should put off
deploying them until our analysis was holding water a little better.