[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-dev] Evaluating rendezvous circuit build up CPU usage
- To: juanjo <juanjo@xxxxxxxxx>, <tor-dev@xxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [tor-dev] Evaluating rendezvous circuit build up CPU usage
- From: Valentin Franck <gaspar_ilom@xxxxxxxxxxxxxxxx>
- Date: Fri, 17 Jan 2020 15:18:04 +0100
- Autocrypt: addr=gaspar_ilom@xxxxxxxxxxxxxxxx; prefer-encrypt=mutual; keydata= xsFNBFudM+MBEADT1T2s7xP4vE7IDIrjB6tF9oDBLH3Q2Nrd4Di476rT4dESpXk+RKXsVPps Jin3jH3U+BIdYClYAe1WK9dice3gS4rpA1X+8e/igOr7283+Ik1ITsDHgDkMH+16luYgZ05h 9d8xOHdm4BbSVZtvEVF04f52ygjyvf0dqPSPzhqqw/WhZD1DPadjcrurPoJFl72n1vx0DH3s O/5CIjC/xkOc8qcfYSc7bCq23IK7z/eIt/KfRkJ87ZtPO+olc5Rg4Dv9jFldWnhKieGCi1Fw 7LUoWIP5Q9f3Un8Gtp+p+P4yA8wj6T1xN1ePVlrmKVR+YJ89dhcdsMQ9Tt2NRoCkTC2vr8A9 srK65ODvoxmA8bbdt4+vZV/tC8FgSb/ZBoq1kOOp9xBXDhUFe/jrKfsZ2w62zRcPNK6Oq50L MnIBXgyeRKe5ccoslAftgD25vjFx67OfqmBqHW4Wxc3aPrEYn+MY+TINCTUuie0GZ57jMm1V 6sSKiG4sjFQJ1aLGOtu8D93jIalRS07+9XeoiK6Exon3y5wS+7bCOZqDbGV+G9ChorKoDrh9 wwAEvqENGyEM1ryw8FXZhAz/r2PsFXBg1zoHICAV7tWNLmAKjVEj6btMI/wofjSEjEiMUs3m it5+QH5ZcZfG6qyA7AIoUc3YlOwRz5cE2TkJRjiOOH2I3gdJIwARAQABzS5WYWxlbnRpbiBG cmFuY2sgPGdhc3Bhcl9pbG9tQHdpbi50dS1iZXJsaW4uZGU+wsGrBBMBCgA+FiEEdJA71s3r UTEC1wE+OemUgr/reFIFAl4cvJECGyMFCQlmAYAFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AA IQkQOemUgr/reFIWIQR0kDvWzetRMQLXAT456ZSCv+t4UnASD/wOk8h81hTSBUjA8y3LYRNj h2dr+/YbFA8g4cv5z+jj+VMb1DUSIyCDn2azasiJ47evGXEjAaX9adZDdMbc8q869hjh59Tk +k9qU8XrsLYXcnmNjhmb91l61K175kn/sSxHTH4D4NeETAuNhPPXjYjg9NbYFzxlaP5eDkhz HiapUnhVmRtj1QQp0QhgEWAkqTbgWuRnv4A4/rQsd3mzwHHH24+1nMqWHflpOJ+fs9decfyL swM7yLgpc/8/Fw3stxl5hDOeOBJOQh2HJ8r+lpCodGOQniqywXTq7yNopEo2R7i9cW6uMf59 ngJSBKTDqe8StgRuhxZxgJq1t5ZtLKDmMv8A5BF7Jb5x5py7Zh9K9lSr85ZVhsRmKCc9cVV2 e0BUXyp8GGBnab9IdEVHNd76rj08GZKKFKtQPtvRtg/PrJlvW/vs8BuTv/+hxLb49s1mr8US vJRrzY2+lmkPEFkYLY4YrD47AJHpcRa/QQHfAY0w++HSj4MZEozvDnGFqCm2p5bx/ABLWBCR PVZb/K3Fy/GKZk6u7qFIEd34LoOLaYhCLIUgqx3BgXMDbA7Ssy5Svl/suvEo0OViZI9/Iw6a ukXuN5uscJN6NoN1HQHSpp7eflNKyTB4NsJTwgGiBPitUlfkFgP4SNYoHaVw9raBUhY/vx7U vamLdixhezQatM7BTQRbnTPjARAA1Ug49LpSqR2sfolXUCUHNpvbSEusOXu63yNDaQAakFIv SfSR6XCGWlEIcn7o/0j7vLoy3NxclDNwWiZIzP/SJOoa3OtWoboLBszh3DVkRj67oSYbpCsF RRZW5eLeNWhVjTdIb8e5OEOecz1/lUY5EU+wH0tXMiGC/dy0lxW9Bm0UPKWD40Wufw3wRNJv ZjuD+opfKseIh5gf6EldxIC+bmk6DcWtLNYDqg2BmXkS7h5eRWdXlnQ0M3aBPv5TYSWt138b FNsIFfcyo9we4aJBjNua9Er4VCqEyXpRZpO7Urmjsgf+eEs+pzKmbivnpFdC0Nu9wSJJ6G9s vy8L+s/m9SdBWBlcEsuw/mlZzgkNm83+SSxS8D1zTBD7c5/vRWnAT2uXLJvoRTwcpdS25nXl DAPDfHkP/CPfhkCB7/aQ3F+o0xrp/lEKU8JfiQVKAn+D4X99yB/mxaKe649Yakg9M+0RYV9t ExaxvjI/Ggu5RjG/X1wkYogmPpk423YIKEfY4sgbwwFRhfUk/FuhiaksWZwxvNub84jb4TVA CT2bW5SuaKuAjmP7TzpdreCgErbxfWn1NqkZEJE2qK7XHCT9kbmSmgZzoJzSSXV6+BVcrY8u vA7dgzmkSKeBG6596J9kh9sMHHq1fsu+ZrCz5khdGpEWwxObbqh13SjtI6QJ3+sAEQEAAcLB kwQYAQoAJhYhBHSQO9bN61ExAtcBPjnplIK/63hSBQJbnTPjAhsMBQkJZgGAACEJEDnplIK/ 63hSFiEEdJA71s3rUTEC1wE+OemUgr/reFK1fhAAiH08j+oJStR6rAQaakjbhF9H42/kMj0o d/Xu6idymlA97miAG8xrsSh6t6fJ056ypP0719MkbWWSlNFuhyX9evChJ868UhVQOO1LnTnq +ys1VVnDnr5uYrGvvnrGH2jPHcQGA0pFLlO12PdaQ2XvNv9y1szynseXXEtR9yZavR6B9g/S kymeS2qnLyoA8PCftZi9SK+aOsgaEI5IF8nAhiwTp2gUaGl81WsF6QdltBTq22RlkkHSfg/I 6WUmOU4lGogqc7WmmIbKWZ34Qi1ieP6t9WZWPpTB/Vtdu+fO6qpRcMMFx6pIHDU258Ik3C3e OZtTZmqQEg++IVj0CbG1z7hEYX+M3O9yoG4rlu1/qYPgblpG56PA3Ct7wZ0PeFn9G9AKrRp7 OY4rCoI9ftoqxNO+Pl2e4FKxSmcMffc96dGxuqe/8s8RW6Lejy2qU+1Ao/rFmzyGFGkFzW6F Kskf7aotHmUkwqkWcOduWgwL3w4UZeDQ45rMNQF5iytdtjwBwysSjQggrubS1ct2yVR4zGcb Yp9EMnhgepvSMqrrKlMLolptigY8BK+g6bTQMtUvmREKQPto+KSvCl8qgppwIW6VXrcoecBm eZkanCUSqwFfwwYQ7D6Jzo/iS605VwCn8X+tGEKQyQe8pW1+pc884kExS80BBqjfkekM5qrQ pdU=
- Delivered-to: archiver@xxxxxxxx
- Delivery-date: Fri, 17 Jan 2020 10:03:40 -0500
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=campus.tu-berlin.de; h=subject:to:references:from:message-id:date:mime-version:in-reply-to:content-type:content-transfer-encoding; s=dkim-tub; bh=rOzxRifcaaUDQ2LIXcPFLzZwk64EkA4Bjo0F/lbk2ew=; b=WBufkciAFP20PUfuDXxcqD1t7omBpJZlye2OE6aN1yvD107X3KyWGcXZuMN55eTqYZXI1xEkpAhU3t56d0ggZIOZMOQo7GuJ5I+dOst4ln7XxOnRtkSFI6JEvC9qpcWe/WxNYlGUoMaHgTWrC/sLIRH6k5ODYez3gu4RSbxTkYM=
- In-reply-to: <4dd6b249-c1ea-ff10-838f-55748dd3868a@avanix.es>
- List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
- List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
- List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
- List-post: <mailto:tor-dev@lists.torproject.org>
- List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
- List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
- References: <20191219180940.fupniseqh2oc7oso@raoul> <667bb1dc-c96b-4a56-d0f5-eb7581782aa6@win.tu-berlin.de> <4dd6b249-c1ea-ff10-838f-55748dd3868a@avanix.es>
- Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
Hello,
thanks for you mail. my comments are below.
On 1/15/20 6:17 PM, juanjo wrote:
> Hi, thanks for working on it.
>
> At first I thought about using a PoW on the Introduction Point (I.P.)
> side.
>
> Maybe a dynamic PoW? I mean only ask for PoW under load (Hidden
> services sets the INTRO1s/second on the I.P.) or ask for every new
> circuit.
From what I know this would most likely require a more than 1-RTT
(interactive) introduction protocol. I think we definitely want to avoid
that.
>
> Then I thought that we need to fix the Rendezvous verification issue
> too. We do not verify if the client/user/attacker actually opened a
> circuit to the Rend point. And I thought we could make the Rend sing a
> message and the I.P verify the signature before sending the INTRO2 to
> the HS.
Such a signature would have to be zero knowledge. Otherwise we would
leak the chosen RP to the IP and make deanonymization more likely.
Designing an unforgeable proof of rendezvous is non-trivial (even if it
is was verified by the service and not the IP), because we have to
assume that adversaries run their own relays. Therefore they could most
likely precompute/forge these proofs of rendezvous. Of course, we could
try and cache which RPs have been used, but this seems a lot of work for
relatively little security benefits. I doubt that this approach is
suitable to discourage resourceful adversaries from DoSing services.
>
> But now I think we need to merge designs and make just one proposal
> fixing both problems at the same time.
>
> If we don't want to make a PoW for every new circuit, we could make
> the client generate a private Identity (KeyPair) mixed with some sort
> of PoW, generating it for every HS a client want to connect. This way
> we only make PoW for each onion and the IP can have a replay cache (or
> something like that) with each identity and the last time it requested
> a new circuit. We can better control with this way the number of
> individual clients and we "save the planet" by not making a PoW for
> each new circuit. (Maybe this approach is what your are working at
> with the "token based approach").
I believe, we should avoid making different connections to an onion
service by the same user linkable by the IP/service as this would turn
anonymity into pseudonymity and therefore ease user identification. Of
course, there are crypto schemes that allow us to use anonymous
credentials/ authentication. Unfortunately, I am not sure how such
anonymous credentials could be useful for DoS mitigation. We would
somehow need a mechanism to detect misbehavior and revoke the
credentials or limit their use to a certain number of authentications. I
am not sure, how this can be done if different authentications using the
same credentials are truely unlinkable.
>
> Sorry for my english...
>
>
> El 13/1/20 a las 13:39, Valentin Franck escribió:
>> Hello tor-devs,
>>
>> I am currently working on a DoS mitigation system aiming to protect the
>> availability of onion services flooded with INTRO2 cells. My idea is
>> using a (Privacy Pass like) token based approach as suggested in
>> https://trac.torproject.org/projects/tor/ticket/31223#comment:6
>>
>> For the evaluation of a first prototype I would like to compare CPU
>> usage times at the onion service when a) launching a rendezvous circuit
>> and b) validating a (potentially invalid) token. Is there an easy way,
>> to measure the CPU time a service spends for all operations triggered
>> when launching a new rendezvous circuit? Has somebody done that before?
>> Basically, I want to measure how much CPU time we save, if we do not
>> launch the rendezvous circuit. So far I have identified the following
>> functions: launch_rendezvous_point_circuit() and
>> service_rendezvous_circ_has_opened(). I understand that there is more
>> operations involved for building new circuits, since circuits are built
>> hop by hop. How can I identify all relevant functions triggered after
>> launching the rendezvous circuit and include them in my measurements?
>>
>> Once I have some reliable results I will provide you with more
>> information on what I am doing and how it is working so far.
>>
>> Cheers
>> Valentin
>>
>> This is my first post on this list :-). So have mercy, if I overlooked
>> resources to answer my question. Also, I am only beginning to
>> familiarize myself with the existing code base.
>>
>> _______________________________________________
>> tor-dev mailing list
>> tor-dev@xxxxxxxxxxxxxxxxxxxx
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev