[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Proposal: GETINFO controller option for connection information
Here's an alternate proposal...
Yup, that removes a lot of ambiguity and works perfectly for this purpose so changed. Thanks!
But fetching our own descriptor is kind of needless; we generated it
ourself, after all. Is it not accessible via the control port? We do
*have* it; it's a static variable in router.c. What am I missing?
I'm not aware of it being available via GETINFO with the exception of running:
"desc/id/<my fingerprint>"
which I'm assuming means we get a stale version of our own descriptor if not fetching new descriptors.
Regardless, lets drop any addition concerning descriptors. With the addition of micro-descriptors any usage I have for them will soon be irrelevant. Currently I'm just using descriptors for two purposes:
- Our own descriptor for the observed bandwidth if...
... our tor version is too old, lacking consensus entries with the measured bandwidth (a more meaningful stat)
... or to figure out what the measured bandwidth stat represents. This usage is just a hack and will go away with: https://trac.torproject.org/projects/tor/ticket/1690
- Descriptors of other relays for the exit policy, platform, and tor version. Micro descriptors are providing the first of these and the rest are hardly worth downloading the descriptors unless specifically requested.
In other words I'll soon drop usage of descriptors except for fallback behavior in old tor versions... for which any new GETINFO options are useless anyways ;)
Cheers! -Damian
On Fri, Jul 9, 2010 at 6:38 PM, Nick Mathewson
<nickm@xxxxxxxxxxxxx> wrote:
On Tue, Jun 29, 2010 at 11:00 AM, Damian Johnson <
atagar1@xxxxxxxxx> wrote:
>> Hm. But we don't necessarily know this. Our "are we client-facing"
>> tests are approximate, not certain, and the only way to tell whether
>> we're intermediate or exiting is to wait and see if we're told to
>> exit.
>
> Understood that client facing tests fail by design when dealing with
> bridges. In the case of the outbound connection component it sounds like
> we'll need to wait until we're either asked to extend the circuit or exit
> before counting it as an 'established circuit' and reporting it.
Or we could drop the false notion that "middle" or "exit" or "entry"
make a partition of established relay or_circuits. (They aren't a
partition because: first, they don't cover or_circuits. A circuit
that has been just extended to us can't be called a middle or an exit.
Second, they aren't exclusive: a circuit that has been extended from
us and used as an exit can be called both a middle _and_ an exit.)
See below for another possibility.
>> In fact, the leaky-pipe topology means that we're potentially
>> intermediate _and_ exiting on a single circuit.
>
> (to save other readers the googling, this means that clients can exit the
> circuit prematurely, such as at a middle node if the exit policy permits it)
>
> You're right, that would mess with the classification. If/when this is
> implemented I'd suggest adding anther classification for middle hops when
> they're first used to exit traffic.
It *IS* implemented server-side. The clients just don't use it.
(Since the point of this design is to safely expose accurate circuit
status info via the control port, we might as well try to expose the
possible states of current circuits, including states that don't
typically occur. Otherwise, if some future weird client started using
them, you'd need to upgrade Tor *and* arm to get an accurate report.)
> The goal of these type flags are to indicate to controllers which circuits
> are sensitive and which are less so. In arm for instance most information
> for client/exit connections are scrubbed. Indicating via a change of the
> circuits status (an UPDATE event) when this begins exiting traffic seems
> good enough to me.
Here's an alternate proposal. The idea of type flags is good, but
instead of the ones in your proposal, let's only use circuit type
flags that have an unambiguous meaning from the point of view of Tor's
spec and implementation.
For instance,
(E)ntry : a connection from a node that doesn't appear to be a Tor server.
E(X)it : has been used for at least one exit stream
(R)elay : has been extended.
Rende(Z)vous : is being used for a rendezvous point
(I)ntroduction : is being used for a hidden service introduction
(N)one of the above: none of the above have happened yet.
These all have nice, clear-cut, easy-to-evaluate meanings, some of
which are mutually exclusive, and some of which aren't.
[...]
>> It sounds like it should be a torrc option saying "Don't stop
>> refetching descriptors when there's no network activity." Actually,
>> do we have one of those already?
>
> Yup, we have FetchUselessDescriptors. However, setting this causes an extra
> load on the directory authorities, hence the desire to be able to do this a
> bit more selectively (for instance just fetching our own descriptor every
> hour but letting the rest go stale).
But fetching our own descriptor is kind of needless; we generated it
ourself, after all. Is it not accessible via the control port? We do
*have* it; it's a static variable in router.c. What am I missing?
yrs,
--
Nick
Filename: xxx-circ-getinfo-option.txt
Title: GETINFO controller option for circuit information
Author: Damian Johnson
Created: 03-June-2010
Status: Draft
Overview:
This details an additional GETINFO option that would provide information
concerning a relay's current circuits.
Motivation:
The original proposal was for connection related information, but Jake make
the excellent point that any information retrieved from the control port
is...
1. completely ineffectual for auditing purposes since either (a) these
results can be fetched from netstat already or (b) the information would
only be provided via tor and can't be validated.
2. The more useful uses for connection information can be achieved with
much less (and safer) information.
Hence the proposal is now for circuit based rather than connection based
information. This would strip the most controversial and sensitive data
entirely (ip addresses, ports, and connection based bandwidth breakdowns)
while still being useful for the following purposes:
- Basic Relay Usage Questions
How is the bandwidth I'm contributing broken down? Is it being evenly
distributed or is someone hogging most of it? Do these circuits belong to
the hidden service I'm running or something else? Now that I'm using exit
policy X am I desirable as an exit, or are most people just using me as a
relay?
- Debugging
Say a relay has a restrictive firewall policy for outbound connections,
with the ORPort whitelisted but doesn't realize that tor needs random high
ports. Tor would report success ("your orport is reachable - excellent")
yet the relay would be nonfunctional. This proposed information would
reveal numerous RELAY -> YOU -> UNESTABLISHED circuits, giving a good
indicator of what's wrong.
- Visualization
A nice benefit of visualizing tor's behavior is that it becomes a helpful
tool in puzzling out how tor works. For instance, tor spawns numerous
client connections at startup (even if unused as a client). As a newcomer
to tor these asymmetric (outbound only) connections mystified me for quite
a while until until Roger explained their use to me. The proposed
TYPE_FLAGS would let controllers clearly label them as being client
related, making their purpose a bit clearer.
At the moment connection data can only be retrieved via commands like
netstat, ss, and lsof. However, providing an alternative via the control
port provides several advantages:
- scrubbing for private data
Raw connection data has no notion of what's sensitive and what is
not. The relay's flags and cached consensus can be used to take
educated guesses concerning which connections could possibly belong
to client or exit traffic, but this is both difficult and inaccurate.
Anything provided via the control port can scrubbed to make sure we
aren't providing anything we think relay operators should not see.
- additional information
All connection querying commands strictly provide the ip address and
port of connections, and nothing else. However, for the uses listed
above the far more interesting attributes are the circuit's type,
bandwidth usage and uptime.
- improved performance
Querying connection data is an expensive activity, especially for
busy relays or low end processors (such as mobile devices). Tor
already internally knows its circuits, allowing for vastly quicker
lookups.
- cross platform capability
The connection querying utilities mentioned above not only aren't
available under Windows, but differ widely among different *nix
platforms. FreeBSD in particular takes a very unique approach,
dropping important options from netstat and assigning ss to a
spreadsheet application instead. A controller interface, however,
would provide a uniform means of retrieving this information.
Security Implications:
This is an open question. This proposal lacks the most controversial pieces
of information (ip addresses and ports) and insight into potential threats
this would pose would be very welcomed!
Specification:
The following addition would be made to the control-spec's GETINFO section:
"rcirc/id/<Circuit identity>" -- Provides entry for the associated relay
circuit, formatted as:
CIRC_ID=<circuit ID> CREATED=<timestamp> UPDATED=<timestamp> TYPE=<flag>
READ=<bytes> WRITE=<bytes>
none of the parameters contain whitespace, and additional results must be
ignored to allow for future expansion. Parameters are defined as follows:
CIRC_ID - Unique numeric identifier for the circuit this belongs to.
CREATED - Unix timestamp (as seconds since the Epoch) for when the
circuit was created.
UPDATED - Unix timestamp for when this information was last updated.
TYPE - Single character flags indicating attributes in the circuit:
(E)ntry : has a connection that doesn't belong to a known Tor server,
indicating that this is either the first hop or bridged
E(X)it : has been used for at least one exit stream
(R)elay : has been extended
Rende(Z)vous : is being used for a rendezvous point
(I)ntroduction : is being used for a hidden service introduction
(N)one of the above: none of the above have happened yet.
READ - Total bytes transmitted toward the exit over the circuit.
WRITE - Total bytes transmitted toward the client over the circuit.
"rcirc/all" -- The 'rcirc/id/*' output for all current circuits, joined by
newlines.
The following would be included for circ info update events.
4.1.X. Relay circuit status changed
The syntax is:
"650" SP "RCIRC" SP CircID SP Notice [SP Created SP Updated SP Type SP
Read SP Write] CRLF
Notice =
"NEW" / ; first information being provided for this circuit
"UPDATE" / ; update for a previously reported circuit
"CLOSED" ; notice that the circuit no longer exists
Notice indicating that queryable information on a relay related circuit has
changed. If the Notice parameter is either "NEW" or "UPDATE" then this
provides the same fields that would be given by calling "GETINFO rcirc/id/"
with the CircID.
Filename: xxx-getinfo-option-expansion.txt
Title: GETINFO Option Expansion
Author: Damian Johnson
Created: 02-June-2010
Status: Draft
Overview:
Over the course of developing arm there's been numerous hacks and
workarounds to gleam pieces of basic, desirable information about the tor
process. As per Roger's request I've compiled a list of these pain points
to try and improve the control protocol interface.
Motivation:
The purpose of this proposal is to expose additional process and relay
related information that is currently unavailable in a convenient,
dependable, and/or platform independent way. Examples of this are...
- The relay's total contributed bandwidth. This is a highly requested
piece of information and, based on the following patch from pipe, looks
trivial to include.
http://www.mail-archive.com/or-talk@xxxxxxxxxxxxx/msg13085.html
- The process ID of the tor process. There is a high degree of guess work
in obtaining this. Arm for instance uses pidof, netstat, and ps yet
still fails on some platforms, and Orbot recently got a ticket about
its own attempt to fetch it with ps:
https://trac.torproject.org/projects/tor/ticket/1388
This just includes the pieces of missing information I've noticed
(suggestions or questions of their usefulness are welcome!).
Security Implications:
None that I'm aware of. From a security standpoint this seems decently
innocuous.
Specification:
The following addition would be made to the control-spec's GETINFO section:
"relay/bw-limit" -- Effective relayed bandwidth limit.
"relay/burst-limit" -- Effective relayed burst limit.
"relay/read-total" -- Total bytes relayed (download).
"relay/write-total" -- Total bytes relayed (upload).
"relay/flags" -- Space separated listing of flags currently held by the
relay as repored by the currently cached consensus.
"process/user" -- Username under which the tor process is running,
providing an empty string if none exists.
"process/pid" -- Process id belonging to the main tor process, -1 if none
exists for the platform.
"process/uptime" -- Total uptime of the tor process (in seconds).
"process/uptime-reset" -- Time since last reset (startup, sighup, or RELOAD
signal, in seconds).
"process/descriptors-used" -- Count of file descriptors used.
"process/descriptor-limit" -- File descriptor limit (getrlimit results).
"ns/authority" -- Router status info (v2 directory style) for all
recognized directory authorities, joined by newlines.
"state/names" -- A space-separated list of all the keys supported by this
version of Tor's state.
"state/val/<key>" -- Provides the current state value belonging to the
given key. If undefined, this provides the key's default value.