Re: [tor-bugs] #17604 [Tor]: Try to use only one canonical connection
#17604: Try to use only one canonical connection
-----------------------+------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: needs_review
Priority: Medium | Milestone:
Component: Tor | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: #16861 | Points:
Sponsor: |
-----------------------+------------------------------
Changes (by mikeperry):

 * status: needs_revision => needs_review

Comment:

Ok, after implementing the periodic check that Roger suggested, and after
much chutney testing and code spelunking, I changed strategies here.

Instead of granting canonical status to *more* things, I decided to add
some checks so that relays are more likely to *agree* on their canonical
status (inspired in part by Roger's comment at
https://trac.torproject.org/projects/tor/ticket/6799#comment:14). For
this, I use NETINFO peer address information to compare against what we
are advertising for our router address, and if they disagree, the other
side probably won't think we are canonical.

I then changed channel_is_better() to not only prefer older connections,
but also prefer connections where we think the peer will decide we are
canonical. With these updates to channel_is_better(),
connection_or_set_bad_connections() will mark all of these "half-
canonical" orcons as bad for circs if we ever have a "full-canonical"
option available for use instead. It will also mark younger orcons as bad
for circs, as it is actually better to prefer old orcons when defending
against Torscan attacks. Orcons will still live for a max of 1 week
regardless, though. I did not change that.

Here is the commit:
https://gitweb.torproject.org/mikeperry/tor.git/commit/?h=netflow_padding-v4&id=d0a3ddd7814745a0760cc38b7d86e113e9be8b51

Oh, it also turns out that we're already vulnerable to the attack in
comment:1, because all a rogue node has to do is list its rogue address in
its NETINFO cells, and it gets marked canonical. It is only non-canonical
connections that get their real_addr checked by
channel_tls_matches_target_method(). Do we care about that? I did not
change that behavior in this patch at all. I merely noted the issue with
an XXX in the source.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17604#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
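
The preference order described in the comment above, as an added example in C that is not taken from the Tor commit or from Tor's source. It is a simplified model: conn_model_t, full_canonical(), model_is_better() and model_set_bad() are hypothetical names, the precedence between the tiers is an assumption, and the addresses and timestamps are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical, simplified model of one OR connection to a given relay. */
typedef struct {
  uint32_t netinfo_addr_for_us; /* address the peer's NETINFO reported for us */
  bool is_canonical;            /* we consider the peer canonical */
  time_t created;               /* when the connection was opened */
  bool bad_for_new_circs;       /* set by model_set_bad() */
} conn_model_t;

/* "Full-canonical": canonical from our side, and the peer saw us at the
 * address we advertise, so it will probably consider us canonical too. */
static bool full_canonical(const conn_model_t *c, uint32_t advertised) {
  return c->is_canonical && c->netinfo_addr_for_us == advertised;
}

/* True if a should be preferred over b. Tier order is an assumption:
 * full-canonical, then canonical from our side only, then older. */
static bool model_is_better(const conn_model_t *a, const conn_model_t *b,
                            uint32_t advertised) {
  bool fa = full_canonical(a, advertised), fb = full_canonical(b, advertised);
  if (fa != fb) return fa;
  if (a->is_canonical != b->is_canonical) return a->is_canonical;
  return a->created < b->created;
}

/* Keep the best connection and mark every other one bad for new circuits.
 * Returns the index of the connection that stays usable (n must be > 0). */
static size_t model_set_bad(conn_model_t *conns, size_t n, uint32_t advertised) {
  size_t best = 0;
  for (size_t i = 1; i < n; i++)
    if (model_is_better(&conns[i], &conns[best], advertised)) best = i;
  for (size_t i = 0; i < n; i++) conns[i].bad_for_new_circs = (i != best);
  return best;
}

int main(void) {
  const uint32_t advertised = 0xC6336407; /* 198.51.100.7, constructed */
  conn_model_t conns[] = {                /* constructed sample data */
    { 0x0A000001, true, 1000, false },    /* oldest, but peer saw 10.0.0.1 */
    { 0xC6336407, true, 2000, false },    /* full-canonical */
    { 0xC6336407, true, 3000, false },    /* full-canonical, younger */
  };
  printf("usable: %zu\n", model_set_bad(conns, 3, advertised));
  return 0;
}
```

In the sample, the oldest connection loses because the peer reported a different address for us, and among the two full-canonical connections the older one stays usable.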