1. 08 May, 2017 6 commits
    •
      Cache netflow-related consensus parameters. · 687a8595
      Mike Perry authored and Nick Mathewson committed
      Checking all of these parameter lists for every single connection every second
      seems like it could be an expensive waste.
      
      Updating globally cached versions when there is a new consensus will still
      allow us to apply consensus parameter updates to all existing connections
      immediately.
    •
      Fix a breakage in test_options.c. · ae4d8c9c
      Mike Perry authored and Nick Mathewson committed
      IMO, these tests should be calling options_init() to properly set everything
      to default values, but when that is done, about a dozen tests fail. Setting
      the one default value that broke the tests for my branch. Sorry for being
      lame.
    •
      Remove a PredictedPortsRelevantTime test. · 20a3d4ef
      Mike Perry authored and Nick Mathewson committed
      The option was deprecated by bug #17592.
    •
      Bug 17604: Converge on only one long-lived TLS conn between relays. · 76c9330f
      Mike Perry authored and Nick Mathewson committed
      Accomplished via the following:
      
      1. Use NETINFO cells to determine if both peers will agree on canonical
         status. Prefer connections where they agree to those where they do not.
      2. Alter channel_is_better() to prefer older orconns in the case of multiple
         canonical connections, and use the orconn with more circuits on it in case
         of age ties.
      
      Also perform some hourly accounting on how many of these types of connections
      there are and log it at info or notice level.
    •
      Bug 17592: Clean up connection timeout logic. · d5a151a0
      Mike Perry authored and Nick Mathewson committed
      This unifies CircuitIdleTimeout and PredictedCircsRelevanceTime into a single
      option, and randomizes it.
      
      It also gives us control over the default value as well as relay-to-relay
      connection lifespan through the consensus.
      
      Conflicts:
      	src/or/circuituse.c
      	src/or/config.c
      	src/or/main.c
      	src/test/testing_common.c
    •
      Netflow record collapsing defense. · b0e92634
      Mike Perry authored and Nick Mathewson committed
      This defense will cause Cisco, Juniper, Fortinet, and other routers operating
      in the default configuration to collapse netflow records that would normally
      be split due to the 15 second flow idle timeout.
      
      Collapsing these records should greatly reduce the utility of default netflow
      data for correlation attacks, since all client-side records should become 30
      minute chunks of total bytes sent/received, rather than creating multiple
      separate records for every webpage load/ssh command interaction/XMPP chat/whatever
      else happens to be inactive for more than 15 seconds.
      
      The defense adds consensus parameters to govern the range of timeout values
      for sending padding packets, as well as for keeping connections open.
      
      The defense only sends padding when connections are otherwise inactive, and it
      does not pad connections used solely for directory traffic at all. By default
      it also doesn't pad inter-relay connections.
      
      Statistics on the total padding in the last 24 hours are exported to the
      extra-info descriptors.
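To see why idle-time padding collapses flow records, the following simulation (an added illustration, not code from the tor commit above) models an exporter with a 15 second idle timeout and a 30 minute active timeout, and a client that sends a padding packet whenever the connection has been quiet for a random interval below the idle timeout. The padding interval bounds and the packet timings are constructed demo values, not the consensus parameters the commit introduces.

```python
import random

FLOW_IDLE_TIMEOUT = 15.0      # seconds: default idle timeout named in the commit
FLOW_ACTIVE_TIMEOUT = 1800.0  # seconds: 30-minute active timeout -> "30 minute chunks"


def netflow_records(timestamps, idle=FLOW_IDLE_TIMEOUT, active=FLOW_ACTIVE_TIMEOUT):
    """Group packet times into (start, end) records the way an exporter with
    an idle timeout and an active timeout would split them."""
    records, start, last = [], None, None
    for t in sorted(timestamps):
        if start is None:
            start = last = t
        elif t - last > idle or t - start >= active:
            records.append((start, last))
            start = last = t
        else:
            last = t
    if start is not None:
        records.append((start, last))
    return records


def pad_when_idle(timestamps, end_time, min_gap, max_gap, rng):
    """Emit a padding packet whenever the connection has been quiet for a
    random interval in [min_gap, max_gap]; real traffic resets the timer."""
    real = sorted(timestamps)
    out, i = [real[0]], 1
    deadline = out[-1] + rng.uniform(min_gap, max_gap)
    while True:
        if i < len(real) and real[i] <= deadline:   # real packet arrives first
            out.append(real[i]); i += 1
        elif deadline > end_time:                   # connection closed
            break
        else:                                       # idle: send padding
            out.append(deadline)
        deadline = out[-1] + rng.uniform(min_gap, max_gap)
    return out


def simulate(timestamps, end_time, min_gap=1.5, max_gap=9.5, seed=0):
    """Return (records without padding, records with padding, largest idle gap
    seen with padding). Gap bounds are constructed demo values (< 15 s)."""
    padded = pad_when_idle(timestamps, end_time, min_gap, max_gap, random.Random(seed))
    gaps = [b - a for a, b in zip(padded, padded[1:])]
    return len(netflow_records(timestamps)), len(netflow_records(padded)), max(gaps)


if __name__ == "__main__":
    # constructed: four short bursts (page loads) 60-100 s apart in a 5 minute session
    print(simulate([0, 1, 2, 60, 61, 130, 131, 132, 230, 231], end_time=300))
```

Without padding each burst becomes its own record; with padding the same session collapses to one record, and a longer session is cut only by the active timeout into 30 minute chunks.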
  2. 22 Feb, 2017 1 commit
  3. 17 Feb, 2017 6 commits
  4. 16 Feb, 2017 1 commit
  5. 15 Feb, 2017 26 commits