Open Proposals as of June 2012 - tor-dev

18 Jun 2012


      This list of open Tor proposals is based on one I sent out in May of
last year.  Since I'd like to do this more regularly, I have added to
each description the date when I wrote it.  Most of the summaries from
older proposals are unchanged since last May;  the later ones in the
list for 6/2012 I wrote pretty quickly since I want to get out the
door tonight for an appointment, but I want to send this list out
without further delay.
OPEN, DRAFT, AND ACCEPTED PROPOSALS:
117 IPv6 exits
IPv6 is still the future, but now it's the kind of future
     that's unevenly distributed.  It's time to do this one so that
     IPv6 traffic can be sent over Tor.
It needs updating to work properly with microdescriptors; it
     also has some open questions about DNS. (6/2012)
127  Relaying dirport requests to Tor download site / website
The idea here was to make it easier to fetch and learn about
     Tor by making it easy for relays to automatically act as
     proxies to the Tor website.  It needs more discussion, and
     there are some significant details to work out.  It's not at
     all clear whether this is actually a good idea or not.
     (5/2011)
131  Help users to verify they are using Tor
Here's a proposal for making a torcheck-like website more reliable.
     If anybody wants to pick it up (especially somebody working on
     torcheck) and see whether it should be reopened or rejected, that
     would be a fine thing. (5/2011)
132  A Tor Web Service For Verifying Correct Browser Configuration
This proposal was meant to give users a way to see if their
     browser and privoxy (yes, it was a while ago) are correctly
     configured by running a local webserver on 127.0.0.1.  I'm not
     sure the status here. (5/2011)
133  Incorporate Unreachable ORs into the Tor Network
This proposal had an idea for letting ORs that can only make
     outgoing connections still relay data usefully in the network.
     It's something we should keep in mind, and it's a pretty neat
     idea, but it radically changes the network topology.  Anybody
     who wants to analyze new network topologies should definitely
     have a look. (5/2011)
140  Provide diffs between consensuses
This proposal describes a way to transmit less directory
     traffic by sending only differences between consensuses, rather
     than the consensuses themselves.  It is mainly languishing for
     lack of an appropriately licensed, well-written, very small,
     pure-C implementation of the "diff" and "patch" algorithms.
     (The good diffs seem to be GPL (which we can't use without
     changing Tor's license), or spaghetti code, or not easily
     usable as a library, or not written in C, or very large, or
     some combination of those.)  (5/2011)
141  Download server descriptors on demand
The idea of this proposal was for clients to only download the
     consensus, and later ask nodes for their own server descriptors
     while building the circuit through them.  It would make each
     circuit more time-consuming to build, but make bootstrapping
     much cheaper.
Microdescriptors obsolete a lot of this proposal, and present
     some difficulties in using in a way compatible with
     it. (6/2012)
143  Improvements of Distributed Storage for Tor Hidden Service Descriptors
Here's a proposal from Karsten about making the hidden service
     DHT more reliable and secure to use.  It could use more
     discussion and analysis. (5/2011)
144  Increase the diversity of circuits by detecting nodes
belonging the same provider
This is a version of the good idea, "Let's do routing in a way
     that tries to keep from routing traffic through the same
     provider too much!"  There are complex issues here that the
     proposal doesn't completely address, but I think it might be a
     fine idea for somebody to see how much more we know now than we
     did in 2008, particularly in light of the relevant paper(s) by
     Matt Edmann and Paul Syverson. (5/2011)
145  Separate "suitable as a guard" from "suitable as a new guard"
Currently, the Guard flag means both "You can use this node as a
     guard if you need to pick a new guard" and "If this node is
     currently your guard, you can keep using it as a guard."  This
     proposal tries to separate these two concepts, so that clients can
     stop picking a router once it is full of existing clients using it
     as a guard, but the clients currently on it won't all drop it.
It's not clear whether this has anonymity issues, and it's not
     clear whether the imagined performance gains are actually
     worthwhile. (5/2011)
146  Add new flag to reflect long-term stability
From time to time we get the idea of having clients ship with a
     reasonably recent consensus (or a list of directory mirrors),
     so instead of bootstrapping from one of the authorities, they
     can bootstrap from a regular directory cache.  The problem here
     is that by the time the client is run, most of the directory
     mirrors will be down or will have changed their IP.  This
     proposal tries to address that.
It needs analysis based on behavior of actual routers on the
     network to see whether it could work, and what parameters might
     work.
Nevertheless, we should really do something like this, so that
     we can ship a list of initial directory mirrors with Tor
     (possibly via the "fallback consensus" deisgn), so that new
     bootstrapping Tor clients don't all hammer the directory
     authorities. (6/2012)
147  Eliminate the need for v2 directories in generating v3 directories
This proposal explains a way that we can phase out the
     vestigial use of v2 directory documents in keeping authorities
     well-informed enough to generating the v3 consensus.  It's
     still correct; somebody should implement it before the v2
     directory code rots any further. (5/2011)
156  Tracking blocked ports on the client side
This proposal provides a way for clients to learn which ports
     they are (and aren't) able to connect to, and connect to the
     ones that work.  It comes with a patch, too.  It also lets
     routers track ports that _they_ can't connect to.
I'm a little unconvinced that this will help a great deal: most
     clients that have some ports blocked will need bridges, not
     just restriction to a smaller set of ports.  This could be good
     behind restrictive firewalls, though.
The router-side part is a little iffy: routers that can't
     connect to each other violate one of our network topology
     assumptions, and even if we do want to track failed
     router->router connections, the routers need to be sure that
     they aren't fooled into trying to connect repeatedly to a
     series of nonexistent addresses in an attempt to make them
     believe that (say) they can't reach port 443.
This one is a paradigmatic "open" proposal: it needs more
     discussion.  The patch probably also needs to be ported to
     0.2.3.x; it touches some code that has changed. (5/2011)
157  Make certificate downloads specific
This proposal added cross-certification and
     signing-key-specific download URLs for directory authority
     certificates.  It is IIRC mostly implemented on the server
     side; there are just some SHOULDs that we should turn into
     MUSTS if all sufficiently old authority certificates are now
     obsolete, and a client-side portion that we need to implement.
     (6/2012)
159  Exit Scanning
This is an overview of SoaT, with some ideas for how to integrate
     it into Tor. (5/2011)
162  Publish the consensus in multiple flavors
The initial proposal here is done, but more work is needed for
     forward-compatibility: we'd like to have caches be willing to
     cache and serve consensus flavors which they do not currently
     recognize. (6/2012)
164  Reporting the status of server votes
This proposal explains a way for authorities to provide a
     slightly more verbose document that relay operators can use to
     diagnose reasons that their router was or was not listed in the
     consensus.  These documents would be like slightly more verbose
     versions of the authorities' votes, and would explain *why* the
     authority voted as it did.  It wouldn't be too hard to
     implement, and would be a fine project for somebody who wants
     to get to know the directory code. (5/2011)
165  Easy migration for voting authority sets
This is a design for how to change the set of authorities without
     having a flag day where the authority operators all reconfigure
     their authorities at once.  It needs more discussion.  One
     difficulty here is that we aren't talking much about changing the
     set of authorities, but that may be a chicken-and-egg issue, since
     changing the set is so onerous.
If anybody is interested, it would be great to move the discussion
     ahead here. (5/2011)
168  Reduce default circuit window
This proposal reduces the default window for circuit sendme cells.
     I think it's implemented, isn't it?  If so, we should make sure
     that tor-spec.txt is updated and close it.XXXXXXX (5/2011)
172  GETINFO controller option for circuit information
   173  GETINFO Option Expansion
These would help controllers (particularly arm) provide more
     useful information about a running Tor process.  They're
     accepted and some parts of 173 are even implemented: somebody
     just needs to implement the rest. (5/2011)
175  Automatically promoting Tor clients to nodes
Here's Steven's proposal for adding a mode between "client
     mode" and "relay mode" for "self-test to see if you would be a
     good relay, and if so become one."  It didn't get enough
     attention when it was posted to the list; more people should
     review it. (5/2011)
177  Abstaining from votes on individual flags
Here's my proposal for letting authorities have opinions about some
     (flag,router) combinations without voting on whether _every_ router
     should have that flag.  It's simple, and I think it's basically
     right.  With more discussion and review, somebody could/should
     build it for 0.2.4.x, I think. (6/2012)
182  Credit Bucket
This proposal suggests an alternative approach to our current
     token-bucket based rate-limiting, that promises better
     performance, less buffering insanity, and a possible end to
     double-gating issues. (6/2012)
185  Directory caches without DirPort
The old HTTP directory port feature is no longer used by
     clients and relays under most circumstances.  The proposal
     explains how we can get rid of the requirement that non-bridge
     directories have an open directory port. (6/2012)
186  Multiple addresses for one OR or bridge
This one is partially implemented, in that bridges can have
     IPv6 addresses.  Still to go: we need to let ORs have IPv6
     addresses too.  Undecided: is one IPv4 and one IPv6 enough for
     anybody? (6/2012)
188  Bridge Guards and other anti-enumeration defenses
This proposal suggests some ways to make it harder for a relay
     on the Tor network to enumerate a list of Tor bridges. Worth
     investigating and possibly implementing. (6/2012)
189  AUTHORIZE and AUTHORIZED cells
   190  Bridge Client Authorization Based on a Shared Secret
   191  Bridge Detection Resistance against MITM-capable Adversaries
Proposal 187 reserved the AUTHORIZE cell type; these proposals
     suggests how it could work to try to make it harder to probe
     for Tor bridges. They need more alternatives and attention, and
     possibly some revision and analysis. (6/2012)
192  Automatically retrieve and store information about bridges
This proposal gives an enhancement to the bridge information
     protocol, where clients remember more things about bridges, and
     are able to update what they know about them over time.  Could
     help a lot with bridge churn. (6/2012)
194  Mnemonic .onion URLs
Here's one of several competing "let's make .onion URLs
     human-usable" proposals.  This one makes sentences using a
     fixed map. (6/2012)
195  TLS certificate normalization for Tor 0.2.4.x
Here's the followup to proposal 179, containing all the parts
     of proposal 179 that didn't get built, and a couple of other
     tricks besides to try to make Tor's default protocol less
     detectable.  I'm pretty psychoed about the part where we let
     relays drop in any any self-signed or CA-issued certificate
     that they like. (6/2012)
196  Extended ORPort and TransportControlPort
Here are some remaining pieces of the pluggable transport
     protocol that give Tor finer control over the behavior of its
     transports. (6/2012)
197  Message-based Inter-Controller IPC Channel
This proposal is for an architectural enhancement in Tor
     deployments, where Tor coordinates communications between the
     various programs (Vidalia, TorBrowser, etc) that are using
     it. (6/2012)
198  Restore semantics of TLS ClientHello
Partially implemented. We have the new client behavior in place
     in 0.2.3.x, but not the new server behavior which it
     permits. (6/2012)
199  Integration of BridgeFinder and BridgeFinderHelper
Here's a proposal for how Tor can integrate with a client
     program that finds bridges for it. (6/2012)
200  Adding new, extensible CREATE, EXTEND, and related cells
We'd like to moved to better authentication and key agreement
     mechanisms in future versions of Tor. This proposal gives us an
     extensible replacement for our current CREATE/CREATED cell
     mechanism. (6/2012)
201  Make bridges report statistics on daily v3 network status requests
Here's a proposal for bridges to better estimate the number of
     bridge users. (6/2012)