Core Tor Roadmap

This is a overview of core tor issues that impact the anti-censorship team. This is the result of roadmap planning with the network team and can be used as a reference and updated as needed.

Prioritized issues are grouped by topic.

IPv6 support

Our current story is that IPv6 only really works for vanilla bridges, because while you can only specify a single IP address in the "transport" line of extrainfo docs, you can specify multiple OR addresses. We have a suggested workaround (rdsys#73 (closed)) to optimistically test all IPs in our OR addresses with bridgestrap, but this isn't a great solution. Ideally, we could include multiple transport lines in the extrainfo doc.

• Fix IPv6 bridges with a private/dynamic IPv4 address (tpo/core/tor#4847 (closed))

• Multiple ServerTransportListenAddr entries should be allowed per transport (tpo/core/tor#11211)

• Make IPv6-only bridges work (#23824)

• No IPv6 support when suggesting a bindaddr to a PT (tpo/core/tor#12138)

  • note: related to IPv6 but should probably close

• Which address should a multi-ORPort Tor put in its "transport" extra-info line? (tpo/core/tor#7962)

• Implement Bridge Guards and other anti-enumeration defenses (tpo/core/tor#7144)

  • note: prereq for fixing tpo/core/tor#23824 (closed)?
  • Alternative design instead of needing to do tpo/core/tor#7144: For a truly v6-only bridge, which doesn't know how to reach any v4 address: Add a line in the bridge descriptor that says "I can't reach v4" and then the client can see that line and choose its paths better.

The following tickets are related and/or adjacent to this problem:

• Support spawning multiple transport instances (tpo/core/tor#31228 (closed))
  • note: tangentially related, possible related fix
• If I have two bridge lines with the same fingerprint, Tor only tries one of them (tpo/core/tor#40193 (closed))
  • note: will possible be a problem if we fix the above
• Clients cannot use multiple transports with a single bridge (tpo/core/tor#14579 (closed))
  • note: possible duplicate of above
• Looking up bridge by ID may choose the wrong bridge (tpo/core/tor#14581 (closed))

User side improvements

Make sure the bridges work for users and that they can bootstrap quickly and effectively.

• tor fails to kill its pluggable transports when it's done using them (tpo/core/tor#21967)
• We fetch bridge descriptors on every setconf and we retry way too aggressively (tpo/core/tor#40513)
• Slow clients can't bootstrap because they expire their consensus fetch but then receive all the bytes from it anyway, making them expire their next fetch, putting them in a terrible loop (tpo/core/tor#16844) (every user on a bad network hits this)
• Good bridge + bad bridge = no bootstrap (tpo/core/tor#40396 (closed))
• Don't kill the managed proxy if a transport failed to launch (tpo/core/tor#7362 (closed))
• "Pluggable Transport process terminated" but Tor keeps on going (and of course doesn't work) (tpo/core/tor#33669 (closed))

Network Health

Do we have enough bridges? Are these bridges working well? Are client circuits good?

• Bridge Authority never assigns a Stable flag to bridges (tpo/core/tor#40449)
• Option to start as a bridge by default, but change to relay if bw is super-high (tpo/core/tor#9323 (closed))
  • note: could be really cool, but looks like a lot of work
• If your bridge is near your exit, Tor might surprise you by failing your circuit (tpo/core/tor#2998 (moved)) (also user improvement) (high priority)
  • notes: collaboration with network health, needs more information, probably low priority

UX for bridge operators

Making it easy to run bridges and keep them up to date

• Place complete obfs4 bridge line in accessible location (tpo/core/tor#29128)
• Bridge-Relay HOWTO wiki update for distros with apparmor, escalade log level when transport plugin process is killed (tpo/core/tor#40459)
• Bridges should report implementation versions of their pluggable transports (tpo/core/tor#11101 (closed))

Make bridges more able to circumvent censorship

• Obfsbridges should be able to "disable" their ORPort (tpo/core/tor#7349)

PT spec (Putting off for arti? Lower priority)

• Optional heartbeat message from PT's (tpo/core/tor#40439)
• Add support for Pluggable Transports 2.0 (tpo/core/tor#21816 (closed))
• Handle dormant mode in process library and for PT's (tpo/core/tor#28849 (closed))
• Improve semantics for pluggable transports with dummy addresses (tpo/core/tor#18611 (moved))

Unsorted

• WIP: Reject bridge descriptors posted to non-bridge authorities (tpo/core/tor#16564)

• We're missing descriptors for some of our primary entry guards (tpo/core/tor#21969 (closed))

• When our directory guards don't have each others' microdescs, we should try an authority or fallback (tpo/core/tor#23863 (closed))

• "ORConn connect failure cache" interferes with "Optimistically retrying bridges" (tpo/core/tor#40499 (closed))

• Make bridges work when the authorities are blocked (tpo/core/tor#24483)

• UpdateBridgesFromAuthority isn't actually usable (tpo/core/tor#6010 (closed))

• Make bridges publish additional ORPort addresses in their descriptor (tpo/core/tor#9729 (closed))

• Update specifications for bridge download after tpo/core/tor#40497 (closed) and friends landed (tpo/core/tor#40510 (moved))

Low priority

• Tor lets transports advertise private IP addresses in descriptor (tpo/core/tor#31009)
• Make the bridge authority reject private PT addresses when DirAllowPrivateAddresses is 0 (tpo/core/tor#31011 (closed))
• Allow dynamically and statically linked PTs to be loaded into a Tor binary (tpo/core/tor#33019 (closed))
  • note: maybe we want to leave this open for arti work
• Enable supporting multiple bridge authorities (tpo/core/tor#26778 (moved))
• Better handling and UX for missing and expired guard descriptors (tpo/core/tor#31707 (closed))
• Make bridges wait until they have bootstrapped, before publishing their descriptor (tpo/core/tor#33582 (closed))
• Can authorities use multihop circuits rather than direct connections to detect running routers? (tpo/core/tor#24020 (closed))
• rewrite_node_address_for_bridge and networkstatus_set_current_consensus can conflict (tpo/core/tor#20531)
• Provide "users-per-transport-per-country" statistics for obfsbridges (tpo/core/tor#10218)
• Add extra-info line that tracks the number of consensus downloads over each pluggable transport (tpo/core/tor#8786 (closed))
• Bridge authority should sign its bridge networkstatus doc? Or maybe change format to v3-style vote? (tpo/core/tor#12254 (moved))
• obfsproxy makes tor warn when one bridge is down (tpo/core/tor#8001 (closed))
• ServerTransportPlugin process when the underlying binary changes or requests it? (tpo/core/tor#5081 (closed))
• Accounting should work with pluggable transports (tpo/core/tor#3587 (closed))
• Bring sanity to the tor side of the PT shutdown process (tpo/core/tor#40517 (closed))
• ServerTransportListenAddr validation should validate that transport-name is well-formed (tpo/core/tor#8727)
• Add pluggable transports to Tor's chutney CI job (tpo/core/tor#30885)
• Meek and ReachableAddresses (tpo/core/tor#19487 (closed))
• Support ORPort picking a random port that persists across restarts (tpo/core/tor#31103 (closed))