[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: quick circuit tear down question

To: or-talk@xxxxxxxxxxxxx
Subject: Re: quick circuit tear down question
From: Paul Syverson <syverson@xxxxxxxxxxxxxxxx>
Date: Mon, 28 Jan 2008 16:15:59 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Mon, 28 Jan 2008 16:16:10 -0500
In-reply-to: <20080128205351.GM20802@xxxxxxxxxxxxxx>
References: <d07542ab0801231109u66c4463l533574de11b07d8a@xxxxxxxxxxxxxx> <20080123195955.GF20802@xxxxxxxxxxxxxx> <4797B5FE.30403@xxxxxxx> <20080128205351.GM20802@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.4.2.1i

On Mon, Jan 28, 2008 at 03:53:51PM -0500, Roger Dingledine wrote:
> On Wed, Jan 23, 2008 at 03:47:42PM -0600, Jon McLachlan wrote:
> >  Maybe more for developers... but, does anyone know a way to tear down 
> > only the last relay on an already constructed anonymous Tor circuit, in 
> > such a way that the circuit remains unchanged except for the 
> > disappearance of the last hop?  It doesn't seem like this is 
> > documented/viable in the ControlPort given the spec @ 
> > http://www.torproject.org/svn/trunk/doc/spec/control-spec.txt, but maybe 
> > someone knows of a neat or hackish trick?  :)  Or maybe future releases 
> > of Tor might...
> 
> Check out Section 5.4 of tor-spec.txt, which includes:
> 
>    To tear down part of a circuit, the OP may send a RELAY_TRUNCATE cell
>    signaling a given OR (Stream ID zero).  That OR sends a DESTROY
>    cell to the next node in the circuit, and replies to the OP with a
>    RELAY_TRUNCATED cell.
> 
> I don't think we've added any interface for this into the control
> protocol, because we don't really have a safe use in mind yet. You
> can read about the feature in tor-design.pdf under the phrase "leaky
> pipe". But somebody needs to do more anonymity and performance analysis
> first, to tell us what the tradeoffs are between tearing down part of
> a certain and just starting a new one.
> 

One example concern we had was that someone who owned the first two hops
could kill the last part of the circuit and hope it was rebuilt to
a compromised node. Put much too succinctly, this makes the anonymity
roughly 1 - c^3/n^2 rather than 1 - c^2/n^2 , where c is the number
of compromised nodes out of n nodes total. That statement rides roughshod
over many important points. But there were enough concerns with this
and other aspects of leaky-pipes that we decided we should put off
deploying them until our analysis was holding water a little better.

aloha,
Paul

Follow-Ups:
- Re: quick circuit tear down question
  - From: Jon McLachlan

References:
- unusual connection activity?
  - From: john smith
- Re: unusual connection activity?
  - From: Roger Dingledine
- quick circuit tear down question
  - From: Jon McLachlan
- Re: quick circuit tear down question
  - From: Roger Dingledine

Prev by Author: Re: Possible attack method?? Question..
Next by Author: Re: Scripted exclusion of nodes? [Was: How to remove some useless nodes]
Previous by thread: Re: quick circuit tear down question
Next by thread: Re: quick circuit tear down question
Index(es):
- Author
- Thread