Build some equivalent for KeepAliveIsolateSocksAuth
Summary
From the C tor manual comes this feature, which can be enabled on a per-socks-port basis.
KeepAliveIsolateSOCKSAuth: If IsolateSOCKSAuth is enabled, keep alive circuits while they have at least one stream with SOCKS authentication active. After such a circuit is idle for more than MaxCircuitDirtiness seconds, it can be closed.
We should build something similar in Arti.
Rationale and history
The original purpose of MaxCircuitDirtiness (introduced in 2005, called CircuitTiming::max_dirtiness in Arti) was to make sure that a circuit was not used for too many disparate requests, since doing so would make those requests linkable.
But when applications are using SOCKSAuth isolation (introduced in 2011), it's no longer necessary to use MaxCircuitDirtiness to keep circuits from being used for too many requests: the applications are already tagging like and unlike requests in order to keep them isolated.
Thus, KeepAliveIsolateSOCKSAuth was added (in 2015) to turn the definition of MaxCircuitDirtiness around: it becomes the maximum lifetime of an unused circuit, if the circuit has SOCKS isolation turned on.
Potential steps
(We should solicit review on this part.)
Formalize the below logic, and turn it into a spec patch.
Add a timestamp to ClientCircuit to track when the circuit was last in use for a stream. (A circuit counts as being "in use" for a stream whenever there is at least one stream open on the circuit.)
Define "strict isolation" to mean "isolation is in use, and the application takes responsibility for declaring that it is managing isolation, so we don't have to do it."
Add a property to AbstractCircSpec to declare whether a circuit is "strictly isolated". Isolation objects need to define whether they are "strictly isolating" or not. A circuit is strictly isolated if its current isolation is "strictly isolating". Nothing is strictly isolating by default. Allow strict isolation to be specified as part of a per-socksport configuration option, via RPC, and via some Rust API.
Adjust CircuitTiming and related parts of CircMgr so that max_dirtiness only applies to circuits that are not strictly isolated. Define a new "max_idleness" that applies to circuits that are strictly isolated, and only applies after they have been out of use for that time.
Apply the same logic to client rendezvous circuits.
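As an added illustration of the two expiry rules the steps above describe (this is a sketch written for this issue, not Arti's code), a small Rust model in which a strictly isolated circuit is kept alive while any stream is open and expires only after max_idleness without one, while a non-strict circuit is retired max_dirtiness after first use. CircuitTiming::max_dirtiness is the only name taken from Arti; max_idleness, the ClientCircuit fields and should_retire are assumed names.

```rust
use std::time::{Duration, Instant};

/// Timing knobs. `max_dirtiness` exists in Arti's CircuitTiming; `max_idleness` is the
/// new setting this issue proposes (name assumed from the issue text).
#[derive(Clone, Copy)]
pub struct CircuitTiming {
    pub max_dirtiness: Duration,
    pub max_idleness: Duration,
}

/// Minimal stand-in for the per-circuit state the proposal needs (not Arti's real type).
pub struct ClientCircuit {
    first_used: Option<Instant>,  // when the circuit first carried a stream ("became dirty")
    last_in_use: Option<Instant>, // last moment at least one stream was open on it
    open_streams: usize,
    strictly_isolated: bool,      // taken from the circuit's current isolation object
}

impl ClientCircuit {
    pub fn new(strictly_isolated: bool) -> Self {
        Self { first_used: None, last_in_use: None, open_streams: 0, strictly_isolated }
    }

    pub fn open_stream(&mut self, now: Instant) {
        self.open_streams += 1;
        if self.first_used.is_none() {
            self.first_used = Some(now);
        }
        self.last_in_use = Some(now);
    }

    pub fn close_stream(&mut self, now: Instant) {
        self.open_streams = self.open_streams.saturating_sub(1);
        self.last_in_use = Some(now);
    }

    /// True when the circuit should get no new streams and may be closed. A circuit that
    /// has never carried a stream is governed by neither rule in this model.
    pub fn should_retire(&self, timing: &CircuitTiming, now: Instant) -> bool {
        if self.strictly_isolated {
            // Keep-alive rule: the application manages isolation, so the circuit lives
            // while a stream is open and expires only after max_idleness with none open.
            self.open_streams == 0
                && self.last_in_use.map_or(false, |t| now.duration_since(t) > timing.max_idleness)
        } else {
            // Classic rule: max_dirtiness bounds how long the circuit is used after first
            // use, even with streams still open, to limit how many requests become linkable.
            self.first_used.map_or(false, |t| now.duration_since(t) > timing.max_dirtiness)
        }
    }
}
```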