Commit d0acbe86 authored by Roger Dingledine's avatar Roger Dingledine
Browse files

prioritize and rearrange the TODO


svn:r789
parent 5a6bb033
Issues identified while writing paper:
- Rotate tls-level connections -- make new ones, expire old ones.
- Dirserver shouldn't put you in running-routers list if you haven't
uploaded a descriptor recently
- Look at having smallcells and largecells
- separate trying to rebuild a circuit because you have none from trying
to rebuild a circuit because the current one is stale
<nickm> If I compromise a node, and streamIDs are sequential, I learn
how many streams have been open and closed on this circuit at this point.
> hm. you learn this for circuits too, do you not?
<nickm> True. But how-many-circuits-from-A-to-B only leaks how long
the connection from A to B has been alive and how much use it's seen.
> ok. needs more investigation.
Nick, can you remember why we wanted to do this?
Legend:
SPEC!! - Not specified
......@@ -27,28 +14,36 @@ ARMA - arma claims
X Abandoned
Short-term:
- Rename ACI to circID
- Make tls connections tls_close intentionally
o Rename ACI to circID
. integrate rep_ok functions, see what breaks
- update tor faq
o obey SocksBindAddress, ORBindAddress
- warn if we're running as root
o make connection_flush_buf() more obviously obsolete
. let hup reread the config file, eg so we can get new exit
.* let hup reread the config file, eg so we can get new exit
policies without restarting
- use times(2) rather than gettimeofday to measure how long it
takes to process a cell
. Exit policies
- Separate trying to rebuild a circuit because you have none from trying
to rebuild a circuit because the current one is stale
- Continue reading from socks port even while waiting for connect.
.* Exit policies
o Spec how to write the exit policies
- Path selection algorithms
- Let user request certain nodes
-* More flexible policies (18.*, 18.0.0.0/8)
-* Path selection algorithms
-* Choose path more incrementally
-* Let user request first/last node
- And disallow certain nodes
D Choose path by jurisdiction, etc?
- Make relay end cells have failure status and payload attached
- Streams that fail due to exit policy must reextend to new node
- Add extend_wait state to edge connections, thumb through them
. Make relay end cells have failure status and payload attached
-* Streams that fail due to exit policy must reextend to new node
-* Add extend_wait state to edge connections, thumb through them
when the AP get an extended cell.
- let non-approved routers handshake.
- just list approved routers in directory.
-* let non-approved routers handshake.
-* just list approved routers in directory.
- Dirserver shouldn't put you in running-routers list if you haven't
uploaded a descriptor recently
. migrate to using nickname rather than addr:port for routers
o decide_aci_type
- generate onion skins
......@@ -66,18 +61,19 @@ Short-term:
- connection_or_init_conn_from_router
- tag_pack, tag_unpack, connection_cpu_process_inbuf
- directory_initiate_command
. Move from onions to ephemeral DH
.* Move from onions to ephemeral DH
o incremental path building
o transition circuit-level sendmes to hop-level sendmes
o implement truncate, truncated
o move from 192byte DH to 128byte DH, so it isn't so damn slow
- exiting from not-last hop
- OP logic to decide to extend/truncate a path
- make sure exiting from the not-last hop works
- logic to find last *open* hop, not last hop, in cpath
- choose exit nodes by exit policies
- Remember address and port when beginning.
-* exiting from not-last hop
-* OP logic to decide to extend/truncate a path
-* make sure exiting from the not-last hop works
-* logic to find last *open* hop, not last hop, in cpath
-* choose exit nodes by exit policies
o Remember address and port when beginning.
- Extend by nickname/hostname/something, not by IP.
- Need a relay teardown cell, separate from one-way ends.
On-going
. Better comments for functions!
......@@ -86,6 +82,9 @@ On-going
. Unit tests
Mid-term:
- Are there anonymity issues with sequential streamIDs? Sequential
circIDs? Eg an attacker can learn how many there have been.
- Look at having smallcells and largecells
. Redo scheduler
o fix SSL_read bug for buffered records
- make round-robining more fair
......
......@@ -991,18 +991,17 @@ to slow down other users when they build new circuits.
% What about link-to-link rate limiting?
Attackers also have an opportunity to attack the Tor network by mounting
attacks on its hosts and network links. Disrupting a single circuit or
link breaks all currently open streams passing along that part of the
circuit. Indeed, this same loss of service occurs when a router crashes
or its operator restarts it. The current Tor design treats such attacks
as intermittent network failures, and depends on users and applications
to respond or recover as appropriate. A future design could use an
end-to-end TCP-like acknowledgment protocol, so that no streams are
lost unless the entry or exit point itself is disrupted. This solution
would require more buffering at the network edges, however, and the
performance and anonymity implications from this extra complexity still
require investigation.
Adversaries can also attack the Tor network's hosts and network
links. Disrupting a single circuit or link breaks all streams passing
along that part of the circuit. Indeed, this same loss of service
occurs when a router crashes or its operator restarts it. The current
Tor design treats such attacks as intermittent network failures, and
depends on users and applications to respond or recover as appropriate. A
future design could use an end-to-end TCP-like acknowledgment protocol,
so that no streams are lost unless the entry or exit point itself is
disrupted. This solution would require more buffering at the network
edges, however, and the performance and anonymity implications from this
extra complexity still require investigation.
\SubSection{Exit policies and abuse}
\label{subsec:exitpolicies}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment