tor-dev September 2015

tor-dev@lists.torproject.org

61 participants
65 discussions

Draft proposal -- no number yet: How to safely drop support for old clients.
by Nick Mathewson 30 Sep '15

30 Sep '15

[This isn't done yet, but I've shown it to enough people that I should share it with the list.] 1. Introduction and background 1.1. Motivation Frequently, we find that very old versions of Tor should no longer be supported on the network. To remove relays is easy enough: we simply update the directory authorities to stop listing them. But to disable clients is harder. We can do as we did with v1 directories in Tor 0.2.0.5-alpha, and make them know about no relays at all. Stepping back -- why should we disable very old clients at all? Here are some reasons why: * Security. Anybody who hasn't updated their Tor client in 5 years is probably vulnerable to who-knows-what attacks. They aren't likely to get anonymity either. * Withstand zombie installations. Some Tors out there were once configured to start-on-boot on now-unmaintained systems. They put needless load on the network, and can't be easily disposed of. * Disable backward-compatibility code. Currently, Tor supports some truly ancient protocols in order to avoid breaking ancient versions. If we disable these protocols without turning off the clients that use them, we run the risk that those clients will run wild, retrying their connections to the network over and over. This document describes a designs for use with future versions of Tor to better support client deprecation and removal. It also describes how we can safely disable existing client versions that do not support this proposal. 1.2. History Early versions of Tor checked the recommended-versions field in the directory to see whether they should keep running. If they didn't recognize 1.3. Goals and requirements We need older clients to stop putting (much) load on the network. Having them stop working entirely is not sufficient: they need to stop working in such a way that they don't keep using up resources. In the future, when we disable a client, it would be a good thing to provide some means to warn users in advance that they need to upgrade, and to provide advice about doing so. It might be good to make any disable-switches advisory rather than mandatory. 2. Adding a disable-clients switch to consensus documents I specify a new consensus element: disable-versions. It may appear any number of times in a consensus document. The syntax is: disable-versions SP SOFTWARE SP ROLE SP DATE SP VERSIONS DATE = A date in YYYY-MM-DD format ROLE = "relay", or "all". SOFTWARE = "Tor" VERSIONS = VERSION_RANGE VERSIONS = VERSIONS SP VERSION_RANGE VERSION_RANGE = VERSION VERSION_RANGE = VERSION..VERSION [TODO: Specify voting.] If the current version is listed in any disabled-versions line for its current role, then we should warn the user. If the current date is on after the date specified (starting midnight UTC), we should disable the host as follows: * If 'relay' is the disabled role, then we should enter ClientOnly mode. * If 'all' is the disabled role, we should enter DisableNetwork mode. Note that the DisableNetwork behavior means that once a client is disabled, it will not fetch new consensuses. To override this, a Tor instance may include a configuration option, "IgnoreDisabledVersion VERSION". It is an error to set this option when *not* running with a disabled version. [ALTERNATIVE: Make RequireLinkProtocol, RequireCircuitProtocol, etc lines for the consensus. Any Tor not supporting those protocols should behave as above. This allows non-Tor implementations to respect these fields.] 3. Disabling current client versions. 3.1. Disabling versions that use the v2 handshake These versions (before 0.2.3.6-alpha) use a renegotiation-based handshake instead of our current handshake. When we detect a renegotiation attempt, we can close the connection, or stop reading on it. 3.2. Disabling versions prior to 0.2.4.11-alpha. Starting in version Tor 0.2.4.11-alpha, we implemented proposal 214. This proposal added a new link protocol, version 4. Earlier version of Tor never support it; newer versions of Tor always advertise their support for it. We could treat the presence of any link protocol of version 4 or later as indicating the presence of 0.2.4.11-alpha. Upon receiving a connection from such a version, we could throttle the bytes we give it, drop its circuits, or stop reading. [TODO: which?] 3.3. Disabling versions prior to 0.2.5.x In tor 0.2.5.1-alpha, we began ignoring the UseNTorHandshake option, and always preferring the ntor handshake where available. Unfortunately, we can't simply drop all TAP handshakes, since clients and relays can still use them in the hidden service protocol. But we could detect these versions by: Looking for use of a TAP handshake from an IP not associated with with any known relay, or on a connection where the client did not authenticate. (This could be from a bridge, but clients don't build circuits that go to an IntroPoint or RendPoint directly after a bridge.) In response, we can throttle the connection, drop all its circuits, or stop reading on it. [TODO: which?] 3.4. Disabling all versions that don't support this proposal We should allow 'n' (short for "node") as a synonym for 'r' in consensus documents. Later, if we want to disable all Tor versions before today, we can change the consensus algorithm so that the consensus (or perhaps only the microdesc consensus) is spelled with 'n' lines instead of 'r' lines. This will create a consensus which older clients and relays parse as having no nodes. 3.5. In the event of overzealous retries We need to be sure that client running versions from 0.2.1 through 0.2.6 respond gracefully to the responses above. In particular, we need to make sure that they don't continually retry the connections that fail in these ways: that would put a lot of extra load on the network. Above, I recommend stalling connections rather than just closing them. This may prevent the risk of retries, at the risk of using additional relay resources. To handle something like this, it could be necessary to use the trick of 3.4 above.

4 3

Anycast Exits (related : Special-use-TLD support)
by Jeff Burdges 30 Sep '15

30 Sep '15

I have attached below the second half of the Special-Use TLD proposal that discusses how a local name service tool contact a peer-to-peer application running on an exist node There is nothing specific here to providing name services, any peer-to -peer application might potentially want an anycast style gateway from Tor to its own network. At the same time, this proposal is *very* hackish since Tor seems almost able to provide the same functionality with a judiciously chosen ExitPolicy lines, and a bunch of work on the application's side. And maybe that's really the right way to do it in the end. There is no discussion here of dealing with bad exit gateways for protocols that Tor does not even know about, presumably that requires some thought as well. I donno if Tor combats exits doing highly targeted DNS manipulation all that well either though. Jeff Filename: xxx-anycast-exit.txt Title: Anycast Exit Author: Jeffrey Burdges Created: 28 September 2015 Status: ? Implemented-In: ? Abstract Provide an anycast operation to help bootstrap Tor aware peer-to-peer applications. Overview Peer-to-peer protocols must define a method by which new peers locate the existing swarm, but available techniques remain rather messy. We propose that Tor provide an "anycast" facility by which peer-to -peer applications built on top of Tor can easily find their peers using the full aka useless descriptors. Server Side We propose an AnycastExit Tor configuration option AnycastExit <protocol> <host>:<port> Here protocol must be a string consisting of letters, numbers, and underscores. There are two changes Tor's behavior resulting from this option : First, Tor adds the line "ACE <protocol> <host>:<port>" to the node's full descriptor. Second, Tor allows connections to ip:port as if the torrc contains : ExitPolicy allow<host>:<port> As ExitPolicyRejectPrivate defaults to 1, these policies should be allowed even if the ip lies in a range usually restricted. In particular localhost and 127.0.0.1 are potentially allowed. Client Side Users enable anycast usage by adding the configuration line FetchUselessDescriptors 1 Software queries the Anycast lines in the full descriptor by sending Tor control port the line : GETINFO anycast/<protocol>/<number> This query returns 250-anycast/<protocol>/<number>="<host>.<identity>.exit:<port>" where <identity> is a node identity for a node whose full descriptor contains the line "Anycast <protocol> <host>:<port>". After receiving such a query for anycast nodes supporting <protocol>, Tor builds, and later maintains, a list of nodes whose full descriptor contains an "ACE <protocol> .." line in lexicographic order according to <identity>. Tor returns the <number>th node from this list. Also, if <number> exceeds the number of nodes with Anycast <protocol> lines, then an error is returned. Clients contact the anycast server <host>.<identity>.exit on port <port>. As AllowDotExit defaults to off, applications should use the Tor control port to request a circuit to that particular exit using MapAddress: MapAddress <host>.<identity>.exit=<label> After this, the peer-to-peer application can connect to <label> over the Tor socks port. MapAddress usually produces a four hop circuit, but many peer-to-peer applications, including name service provides, can accept the small additional latency. Future Work Tor directory authorities could aggregate the lists of anycast supporting nodes, so that clients do not need to download the full descriptors. AnycastExit could support UNIX domain sockets. Hackish Alternative In principle, the ExitPolicy line produced by AnycastExit might suffice if both doing so bypasses ExitPolicyRejectPrivate, and the port could identify the protocol. Additionally, an application could parse the cached-descriptors* files themselves to locate exits with the desired exit policies. Acknowledgments Based on discussions with George Kadianakis, Christian Grothoff. Indirectly based on discussions between Christian Grothoff and Jacob Appelbaum about accessing the GNU Name System over Tor.

2 2

Rate limiting of a hidden service
by Evan d'Entremont 30 Sep '15

30 Sep '15

I developed a scheme to rate limit hidden services using proof-of-work; https://gist.github.com/evandentremont/a3ad12a5cc3a924dae34 The server sends a semi-prime to the client, which then factors it. The client submits the factored primes back with the next request. The 'rate' can be throttled by sending a larger or smaller semiprime. The client has to spend time factoring that number, and the request can simply be dropped if the factored primes aren't correct. It would be effective to hinder brute force attacks on a login screen at the very least. Running as a script on the page isn't ideal as a lot of people disable javascript. There's always the option for a fallback where you calculate the primes yourself and submit them, but I feel like it would be better implemented as part of tor itself. Just throwing this out there for thoughts / feedback / opinions on rate-limiting hidden services.

1 0

Approaching Deadline: ICGCTI2015 - Malaysia
by Jackie Blanco 30 Sep '15

30 Sep '15

The Third International Conference on Green Computing, Technology and Innovation (ICGCTI2015) Universiti Putra Malaysia, Selangor, Malaysia 8-10 December 2015 http://sdiwc.net/conferences/icgcti2015/ The proposed conference on the above theme will held over three days, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lectures. ICGCTI2015 aims to enable researchers build connections between different digital applications. The conference welcomes papers on the following (but not limited to) research topics: - Benefits of, and barriers to, adopting greener IT practices - Carbon metering and user feedback - Climate and ecosystem monitoring - Energy harvesting, storage, and recycling - Energy-aware high performance computing and applications - Energy-aware software - Energy-efficient network services and operations - Green IT metrics, maturity models, standards, and regulations - Green computing models, methodologies and paradigms - Green networking and communication - Life-cycle analysis of IT equipment - Management and profiling tools for energy efficient systems - Modeling-representations, simulation and validation for energy consumption optimization problems - Online dynamic optimization for energy efficient systems - Power-aware algorithms and protocols - Power-efficient delivery and cooling - Renewable energy models and prediction - Smart buildings and urban development - Smart homes, buildings, offices, streets - Stability of smart energy systems - Using IT to reduce carbon emissions - Carbon management policies and ecology- related issues with ICT - Characterization, metrics, and modeling - Creating green awareness using IT - Energy-aware computing - Energy-aware large scale distributed systems, such as Grids, Clouds and service computing - Energy-efficient mass data storage and processing - Governments’ roles in fostering and enforcing green initiatives - Green business process reengineering and management - Green design, manufacture, use, disposal, and recycling of computers and communication systems - Green software engineering - Low-power electronics and systems - Matching energy supply and demand - Network design optimization - Optimization of energy-efficient protocols - Power-aware software and hardware - Reliability, thermal behavior and control - Robustness and performance guarantees - Smart grid and microgrids - Smart transportation and manufacturing - Sustainable computing Researchers are encouraged to submit their work electronically. All papers will be fully refereed by a minimum of two specialized referees. Before final acceptance, all referees comments must be considered. Important Dates ============== Submission Deadline : November 8, 2015 Final Notification : November 20, 2015 Camera Ready Deadline : November 28, 2015 Registration Deadline : November 28, 2015 Conference Dates : December 8-10, 2015 Drop us an email at icgcti15(a)sdiwc.net

1 0

Second release of OnioNS beta
by Jesse V 30 Sep '15

30 Sep '15

Hello everyone, I am pleased to announce the second release of the Onion Name System (OnioNS) for beta testing. This release represents about 180 commits and is a major update from my last release. The two servers should be up long-term, so feel free to play around with it. "Example.tor" is live and new registrations should be available client-side about 20 seconds after upload. As usual, the code, pre-built binaries, and instructions are available in the four OnioNS repositories at https://github.com/Jesse-V?tab=repositories Please star them if they work well for you. Most people will probably just want OnioNS-client, which integrates into the Tor Browser. The big changes include: * Servers are now powered by hidden services. This means that they utilize existing Tor connections (circuits and TLS links) which is a major improvement over the direct communication in the last release. In the process, I switched all communications from SOCKS4 to SOCKS5 and it seems to work well. The OnioNS servers would be excellent candidates for single-onion services (Tor-embedded servers with only client-side anonymity) so I will switch to that when they becomes available. * Servers now manage Ed25519 keys and I'm using floodberry's ed25519-donna implementation. All responses from a server are signed, so communication is automatically authenticated. The private key is held in the main working directory, which is ~/.OnioNS/ for the time being. Due to this, it's not currently possible to run two distinct servers as the same user. * The trusted Quorum server now generates a Merkle tree and signs the root, which the client uses to authenticate Records (registrations) and to provide authenticated denial-of-existence. In effect, this prevents the client's name server from falsely returning a 404 or from forging a Record. * I overhauled most of the networking code. It's significantly more stable, closely follows a request-response pattern, and I don't anticipate needing to change the networking format in the near future. * The hidden service software now saves the generated Record to disk, so that it can try again if the upload fails. * I introduced two static analysis tools: cppcheck and Clang's scan-build and created the scanBuild.sh script to facilitate analysis. They found one small memory leak, which I fixed, so now all of the repositories pass inspection. * I'm now using the Travis continual integration system, which watches for commits in Github and then rebuilds the project. I get notifications in #tor-bots if the repo fails to build into a .deb, which is handy. Any pull requests are also checked in the same way. * Many bugs were identified and fixed. I need some help with: * Testing a linking bug that is sometimes encountered when compiling from source. The ticket is https://github.com/Jesse-V/OnioNS-server/issues/79 I don't know whether the issue is dependent on Debian Wheezy, Ubuntu Trusty, or my CMakeLists. I'm not sure how to fix it, either. * Testing an experimental .rpm format. I used the "alien" program to convert Wheezy and Trusty .deb files to .rpm, so as to better cater to Fedora. The rpm's are available in the Releases page on Github. I don't know if the packages work correctly, so if you are on Fedora, please try them out and let me know. If they don't work, I would appreciate instructions on how to build them properly. * General testing: does the HS-side and client-side code work well and perform reliable for you? Related notes: * Earlier this month someone in Egypt created the ".tor" article on Wikipedia, which has a few details about this project. Thanks for that! * S7r, I couldn't contact you on IRC, but if you're still up for running a name server to handle client connections, please let me know. I'll need your HS address and your server's Ed25519 public key, which is shown when the server starts. Then I'll push out an update that should transition clients over to you. It'll be nice to spread out ownership of the infrastructure. Next on the list: * I'm planning to focus the next release on stability, security, unit tests (I'm looking into coveralls.io), and doxygen documentation. The code is currently a bit fragile, so I'd like the next release to improve error handling. I'll be maintaining this version until the next one comes out, so I made a "stable" branch which will be for bug fixes and the like. I recommend that Ubuntu/Mint users use the PPA so that it's easy to deploy updates. * I need to let servers update themselves if they are out-of-date. Once I fix this, it should be straightforward to add more servers to this system. Thanks for the support everyone, and enjoy testing! Jesse V.

1 0

Proposal: Merging Hidden Service Directories and Introduction Points
by John Brooks 29 Sep '15

29 Sep '15

Hello! George and I, along with the other participants of this hidden services meeting, have written a proposal for the idea to merge hidden service directories and introduction points into the same entity along with proposal 224. Comments are encouraged, especially if there are downsides or side effects that we haven’t written about yet, or that you have a different opinion on. The intent is that we can decide to do this before implementing proposal 224, so they can be implemented together. The proposal is attached, and also available from: https://raw.githubusercontent.com/special/torspec/224-no-hsdir/proposals/id… Thanks! - John

11 19

Re: [tor-dev] Special-use-TLD support
by str4d 29 Sep '15

29 Sep '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Jeff Burdges wrote: > Very interesting. Yes, this sounds reasonable in the short run. In > the longer run, there are several people with an interest in > externalizing Tor's DNS handling, which changes things. I'll > check out OnioNS and discuss this with people at the meeting. > Thanks for making this proposal! I am very interested in seeing it become a more general-purpose method for externalizing DNS handling. I2P has supported pluggable NamingServices for a long time, and it is trivial to add new methods. Now that Tor is considering them, I would like to see whatever protocol is decided on standardized in some way, so that GNS, Namecoin etc. can implement one protocol and be interoperable with both Tor and I2P. I include some comments below to this effect. I would expect that if this went ahead, this spec would be split into a) a general spec for the RPC protocol, and b) how Tor itself uses the protocol. > > > Filename: xxx-special-use-tld-support.txt Title: Special-Use TLD > Support Author: Jeffrey Burdges Created: ?? Sept 2015 Status: Draft > Implemented-In: ? > > Abstract > > Suppose Special-Use TLDs in Tor via external Domain Name System > (DNS) suppliers, such as the GNU Name System and Namecoin. > > Background > > Special-use TLD supplier software integrates with the host > operating system's DNS layer so that other software resolves the > special-use TLD identically to standard DNS TLDs. On Linux for > example, a Special -Use TLD package could create a plugin for the > Name Service Switch (NSS) subsystem of the GNU C Library. > > Tor cannot safely use the local system's own DNS for name > resolution, as doing so risks deanonmizing a user through their > DNS queries. Instead Tor does DNS resolution at a circuit's exit > relay. It follows that Tor users cannot currently use special-use > TLDs packages in a safe manor. > > In addition, there are projects to add public key material to DNS, > like TLSA records and DNSSEC, that necessarily go beyond NSS. > > Design > > We denote by N an abstract name service supplier package. There > are two steps required to integrate N safely with Tor : > > Of course, N must be modified so as to (a) employ Tor for its own > traffic and (b) to use Tor in a safe way. We deem this step > outside the scope of the present document since it concerns > modifications to N that depend upon N's design. We caution > however that peer-to-peer technologies are famous for sharing > unwanted information and producing excessively distinctive traffic > profiles, making (b) problematic. Another proposal seeks to > provide rudimentary tools to assist with (a). This "must" would need to be generalized to "employ anonymizing services for its own traffic" if left in the general spec. In practice this will probably just be Tor if exit nodes are the means for communicating with clearnet N nodes, but the spec shouldn't be restrictive in this regard (e.g. N nodes run from Tor HSs or inside I2P) . > > We shall instead focus on modifying Tor to route some-but-not-all > DNS queries to N. For this, we propose a NameService configuration > option that tells Tor where to obtain the DNS record lying under > some specific TLD. > > Anytime Tor resolves a DNS name ending in an Special-Use TLD > appearing in an NameService configuration line then Tor makes an > RPC request for the name record using given UNIX domain socket or > address and port. > > We should allow CNAME records to refer to .onion domains, and to > regular DNS names, but care must be taken in handling CNAME records > that refer to Special-Use TLDs handled by NameService lines. Tor > should reject CNAME records that refer to .exit domains. > > Configuration > > We propose two Tor configuration options : > > NameService [.]<dnspath> <socketspec> [noncannonical] [timeout=num] > [-- service specific options] > > We require that <socketspec> be either the path to a UNIX domain > socket or an address of the form IP:port. We also require that > each <dnspath> be a string conforming to RFC 952 and RFC 1123 sec. > 2.1. In other words, a dnsspec consists of a series of labels > separated by periods . with each label of up to 63 characters > consisting of the letters a-z in a case insensitive manor, the > digits 0-9, and the hyphen -, but hyphens may not appear at the > beginning or end of labels. > > NameService rules route matching queries to appropriate name > service supplier software. If a trailing substring of a query > matches <dnspath> then a query is sent to the <socketspec> using > the RPC protocol described below. NameService rules are applied > only after all MapAddress rules. > > There is no way to know in advance if N handles caching itself, > much less if it handles caching in a way suitable for Tor. > Ideally, we should demands that N return an appropriate expiration > time, which Tor can respect without harming safety or > performance. If this proves problematic, then configuration > options could be added to adjust Tor's caching behavior. > > Seconds is the unit for the timeout option, which defaults to 60 > and applies only to the name service supplier lookup. Tor DNS > queries, or attempts to contact .onion addresses, that result from > CNAME records should be given the full timeout allotted to > standard Tor DNS queries, .onion lookups, etc. > > Any text following -- is passed verbatim to the name service > supplier as service specific options, according to the RPC > protocol described below. > > Control Protocol > > An equivalent of NameService should be added to the Tor control > protocol, so that multiple users using the same Tor daemon can > have different name resolution rules. > > RPC protocol > > We require an RPC format that communicates two values, first any > service specific options give on the NameService line, and second > the query name itself of course. We might however discuss if there > are any standardized flags, distinct from these options, and > whether they should be communicated separately. > > In principle, Tor could make due with simply receiving a strong in > "strong" -> "string" > return. We recommend however that Tor expect a return format as > or more powerful than full DNS queries. In particular, we should > endever to return TLSA records at the same time as the underlying > DNS record, so that Tor Browser can utilize that key material. > The GNS Record format used by the GNU Name System addresses this > and other issues, so it should be taken as a candidate. See : > https://github.com/GNUnet/gnunet/blob/gnunet/src/include/gnunet_gns > > > record_lib.h For host names that the external service maps to I2P servers, I2P would ideally like the record to contain the full Destination, because then only one lookup is required. This is not a domain name-like value, like foo.onion or bar.b32.i2p, so the ability for the returned record to support these kinds of return values should be considered. If a domain name-like value is required, then I2P would need to do two lookups - one for spam.gnu -> bar.b32.i2p, and then a second (internal) for bar.b32.i2p -> DESTINATION. This partly also depends on what kind of records the external service supports, but IMHO the RPC protocol should not be limiting in this regard, given that it will likely only be used by networks like Tor and I2P that cater to more than IPv4 and IPv6. > > Sepcial-use tLD suppliers should internally process CNAME records "Sepcial" -> "Special" > that fall into their own domains, but they should return CNAME > records to Tor that refer to .onion or .exit domains, or to normal > DNS names. Initially, Tor should issue an error if it receives a > CNAME record that matches an NameService line. If however that > NameService line contains the noncannonical option, then CNAME > records should instead bypass it, and use Tor's DNS system. It's not clear to me a) where this is useful for Tor, and b) where this is useful in general. Can you provide an example? > > At present, alternative DNS packages should not pass CNAME records > between themselves, despite speaking the same RPC protocol, as > this creates unknown risks. As such forwarding can be done most > safely by Tor itself, the Tor Project reserves the right to > forward CNAME records between NameService lines in the future. > Applications should therefore not depend upon the above error > being returned. One thing that the I2P NamingService impl doesn't do is recursive lookups, because we haven't had a need for them yet (we instead have an optional fallback system where if a lookup fails with one configured service, it can try another one). But it wouldn't be hard to implement, and I agree with having the RPC user handle CNAME records instead of the external service. str4d > > Variations > > Tor would conceivably benefit from externalizing its own DNS > handling as a separate process. This might however require that > Tor have the ability to start name service suppliers. A fuller > consideration of this might alter our design of the NameService > configuration option. > > Acknowledgments > > Based on extensive discussions with Christian Grothoff and George > Kadianakis. > > > > > > _______________________________________________ tor-dev mailing > list tor-dev(a)lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev > -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWCfHfAAoJEBO17ljAn7Pg5xsP/A+6JT4/ZZ0ZIBJ3YTPefAd7 D42WCHDKc8F5u2SC3NzqlryvfmXN6INlEDHx7JzGg2j52AdjhXbzpR58U6rZS1LE El/mzh3ZnIV8PpzfojY+SU7eQ/4cAgr8hJW3/x8rIRBlt2ZRBpWyKYPKBDtZtOzp ptbNs7rjio28ymaPEpdyT7by9SzE6GiC4k4LGJnDxMUhk/f2EzjwpQJ7Um4pkKmV ziV1FpUcuWbnXlz4rVs08DO/aULQs6d7He494XoA06HgFnTqXRirg3DdsxffbDDR 7UkL5DzM1IXb0yv2VXyB3DfUI4L5w5kZoDtaGsYtUoIZdtHJlrcV96eodAjp1PTJ PpubSRZc/pC0tL5ol9FyGkDg/Gh+HWSHyVYkY+RJo7/4pSJc6lt/ruUQNvpRqYty BpW8YtVHURRoThjkJ5SAWjXC96ET0yLpAXo3O9aFeNQt36vG33GmqdNHzA6x2vb8 yHjB7YlxtDsoj+o+O9cJ/9vPLKeeMjOhd6xFQaujFIOCxFT374R3WMUyniIEmrPv dI86kalXyDM8HZ80Q4QVqDZkEZKSWdigp149cTMhU279CpmsIVPjAXWucXChtT6E +u2MSFsGSN6mRZEGosJty18HBgS218IvYUI1IQbYfGM3mD6gL0+SEq8hNT/Bj500 r8yIwBccfe1IXEXdxyn7 =X7ur -----END PGP SIGNATURE-----

1 0

Interruption in patch workshop and (online) tor dev meeting this week
by Nick Mathewson 28 Sep '15

28 Sep '15

Hi, all! I hope things are going well for you. This week, many tor developers are all at a meeting in Berlin. So, there will probably be far fewer people than usual at the Tuesday patch workshop time or at the Wednesday tor status meeting. We should be back as usual next week! peace, -- Nick

1 0

Reminder for weekly OONI dev meeting Monday 2015-09-28 17:00 UTC (19:00 CET)
by Vasilis 28 Sep '15

28 Sep '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello, This is a reminder that today there will be the weekly OONI meeting. It will happen as usual on the #ooni channel on irc.oftc.net at 17:00 UTC (19:00 CET, 13:00 EST, 10:00 PST). Everybody is welcome to join us and bring their questions and feedback. See you later, ~ Vasilis -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWCVPXAAoJEF+/cLHRJgFiyfEP/3MXP6nHjk9Q9ixRS+FOyKgt qqyeDWdrgrO5wrtoz3cuaeKqwmvACPAJdlXJUNhVOtwM7msziNZug9g7wWi/W7Tv 0LJZ0+YTRyQ9RPGV+ldAM+n0ZELywP6l3trh9Yoa9Q/wgOwhrulVpsuxtgh2DkfJ KZXGI5dR1io+N90/9f5lk0Ed45P1w4JWMw4qtOGJ+5YA0W3Du0R25shgkfglZJpt Wx9hZilingxqrbtqczc8JFet8QFmkZifrO/+SkX8iTCYGTxhRihsLjlE4yxZd5hS k0PNeFlfB13x3tgESwY4prIe1oTch5qVWAgGDcMeSgnK/2Om8xiwdWMufTuHHgE/ 2GkbQ0pRNNn8a1B+MnVOelVktC7Cv8znAP9Aq6V7bwLSRKaBIYBjKyAd+5NmpuGl UxGPeUvSPSyIDlnPV68tfHtNrj65HuZ2mcs7a8dWmD6ODboETxTXkf5aDAMG2sly wQ6GuNCZKCJa0bHhQE9ADk7QnR8LUDRbzi4hJ9TSQrFmi1hlJhHZGDxO3ihw2nGe qz0PBkagbb6RIMHbXy6GObezIf9l14N+CUiCsg93CKKZaPpjgyqR2kkCsSX/Vi9r eN9CjxPP6rbQ/8H0T5MQy2V6Oq8YAoEGOGTUpOnwfnONk4Za39nKwwuk5JeGSTyr NL6UnDm/bhvSd24Sp4Vv =xZmR -----END PGP SIGNATURE-----

1 0

Simplifying load balancing by removing Guard+Exit?
by Mike Perry 28 Sep '15

28 Sep '15

Hey all, I am playing with the load balancing equations in 3.8.3 in dir-spec.txt (https://gitweb.torproject.org/torspec.git/tree//dir-spec.txt#n2454) in order to account for padding, hidden/onion services, and directory traffic, and I've noticed that the fact that nodes can be both Exits and Guards not only vastly complicates the current equations, but will make any attempt at accounting for this additional overhead nearly impossible. If you've previously tried to understand the current load balancing equations, or wondered why they have 3 major sub-cases and roughly 9 sub-cases, this is entirely to account for Guard+Exit nodes, and to handle relative scarcity of pure Guard and pure Exit nodes in various conditions. Removing the Guard+Exit ('D') nodes makes all of those cases condense to one single, simple set of solutions: ⎧ E + G + M E + G + M 2⋅E - M - G 2⋅G - M - E ⎫ ⎨Wee: ─────────, Wgg: ─────────, Wme: ───────────, Wmg: ────────────⎬ ⎩ 3⋅E 3⋅G 3⋅E 3⋅G ⎭ No missing constraints, no sub-cases, no boundary conditions. Easy to reason about. Easy to intuitively convince yourself that the solutions are correct. What I want to do is add two variables to the consensus that allow us to specify expected (or measured) overhead at Guard nodes (G_o) and at Middle nodes (M_o). These two variables would represent the sum of padding, directory overhead, and hidden service traffic experienced by Guard and Middle nodes, respectively. If we ignore Guard+Exit nodes, this makes the load balancing equations become: (1-G_o)*Wgg*G == (1-M_o)*(M + Wme*E + Wmg*G) # Guard bw == middle bw (1-G_o)*Wgg*G == Wee*E # Guard bw == exit bw Wmg*G + Wgg*G == G # Guards can be middles or Guards Wme*E + Wee*E == E # Exits can be middles or Exits These solutions are a bit longer so I won't paste them here, but they are still reasonable if we ditch the Guard+Exit idea. They can be simplified even further by using a similar approach as the GuardFraction idea from Proposal 236 (Section 1.3): We can simply adjust each Guard's bandwidth by G_o either before solving the equations, or by adjusting Wgg and Wmg after the solution, then we only need to include the (1-M_o) factor in the equations themselves. We can't really do this simplification if we keep Guard+Exit, because of the interplay between Exit and Guard weights in the system of equations and cases. Additionally, if we keep Guard+Exit, the solutions literally consume an entire page of text to represent symbolically, and the sub-cases become even more complicated to evaluate and check for proper bounds and correctness. In fact, George has already run into such edge cases while trying to implement Proposal 236 (See https://trac.torproject.org/projects/tor/ticket/16255). Moreover, I've been thinking about the surveillance incentives for Guard+Exit nodes, and I actually think it is a net risk to the network for nodes to be both Guards and Exits. It's easy to find an excuse to watch an Exit node. If anything bad ever happens from an Exit, you may be able to convince someone to let you keep an eye on it** "just in case". A Guard-only node shouldn't cause anybody any problems, though, and should be much harder to justify monitoring. So this means that Guard+Exit nodes allow an adversary to justify monitoring large portions of both the entry and exit traffic of the network without any strange/technical/esoteric arguments about the need to perform complicated statistical attacks with questionable accuracy and high collateral damage, and instead force them to justify their monitoring another way. I also hear from large node operators that it is still the Exit flag that causes their nodes to really become overloaded, so if that's actually true, then it's likely that Exit nodes make poor Guards anyway, especially if Exit bandwidth is scarce (which it often is). So, what do people think? Does anyone violently disagree with removing the Guard flag from Guard+Exit nodes? ** I used to run an Exit node, and my lawyer at the time was told exactly this at one point during a police visit about a nonsensical bomb threat to some 4chan equivalent. He was specifically told "We will be monitoring this node from now on" by one of the visiting officers. I was unable to ever discover what that actually meant, and the EFF unfortunately did not feel it was worth pursuing to help me find out. It may have been a scare tactic, but it could just as easily have not been, and for all I know they may have been actually able to convince a judge to let them do this. -- Mike Perry

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev September 2015