Conflux and the memory quota system

We will soon start supporting multipath tunnels [1], which need to participate in the memory quota system. There are two main parts to this: the integration with the tor-memquota system proper (i.e. creating a new TunnelAccount(?) account type), and the management of the out-of-order cell queue from the tunnel reactor.

A tunnel account?

Before we can design the potential tunnel memquota integration, we need to answer these questions:

  • assuming we're going to define a TunnelAccount type for tracking the memory usage of a tunnel, where does TunnelAccount fit into the existing account hierarchy? (more on this in the last question below)
  • what should happen to the tunnel if one of its N circuits is selected for reclaim? IMO, the entire tunnel should be selected for reclaim too. However, there's currently no way to express this relationship in the memquota system (for instance, we can't make the TunnelAccount a child of CircuitAccount, because there's a 1:N relationship between a tunnel and its circuits)
  • should we have a way of selecting a whole tunnel (TunnelAccount) for reclaim? If so, TunnelAccount would need to be the parent of CircuitAccount (because a circuit whose parent tunnel is selected for reclaim needs to be selected for reclaim too). However, this doesn't seem straightforward, because CircuitAccount already has ChannelAccount as its parent (and an account cannot have more than one parent)
  • alternatively, should all circuits from the same tunnel share a CircuitAccount (or TunnelAccount?)?

The out-of-order cell queue

The tunnel reactor maintains a (currently unbounded) out-of-order conflux cell buffer (see MEMORY_DOS). This buffer is a memory DoS vector that can be abused by adversarial clients to DoS exits (and vice-versa, but that's less of a concern).

We could deal with this by

  • bounding the buffer by a fixed amount, or
  • somehow integrating it in the memquota system

AFAICT, there is currently no way for us to integrate this into memquota (IIUC memquota only supports MPSC channels).
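As an added illustration of the first option (a fixed bound on the out-of-order buffer), here is a small reorder buffer that refuses to buffer more than a fixed number of out-of-order cells, so a peer sending gaps cannot make it grow without limit. This is example code written for this note, not Arti's tunnel reactor; the type names, the `u64` sequence numbers and the `Vec<u8>` cell payloads are assumptions.

```rust
use std::collections::BTreeMap;

/// Why a cell was refused. The caller is expected to treat `Full` as a
/// protocol violation and tear down the tunnel rather than keep buffering.
#[derive(Debug, PartialEq, Eq)]
pub enum BufferError {
    /// Buffering this out-of-order cell would exceed the fixed bound.
    Full { seq: u64, capacity: usize },
    /// Sequence number already delivered or already buffered.
    Duplicate(u64),
}

/// Hypothetical bounded reorder buffer for multipath cells (illustration only).
pub struct ReorderBuffer {
    next_seq: u64,                   // next sequence number to deliver
    capacity: usize,                 // max number of out-of-order cells held
    pending: BTreeMap<u64, Vec<u8>>, // cells waiting for an earlier gap to fill
}

impl ReorderBuffer {
    pub fn new(capacity: usize) -> Self {
        ReorderBuffer { next_seq: 0, capacity, pending: BTreeMap::new() }
    }

    /// Accept a cell with sequence number `seq`. In-order cells are always
    /// accepted; out-of-order cells are accepted only while under the bound.
    pub fn push(&mut self, seq: u64, cell: Vec<u8>) -> Result<(), BufferError> {
        if seq < self.next_seq || self.pending.contains_key(&seq) {
            return Err(BufferError::Duplicate(seq));
        }
        if seq != self.next_seq && self.pending.len() >= self.capacity {
            return Err(BufferError::Full { seq, capacity: self.capacity });
        }
        self.pending.insert(seq, cell);
        Ok(())
    }

    /// Drain every cell that is now deliverable in sequence order.
    pub fn pop_ready(&mut self) -> Vec<Vec<u8>> {
        let mut out = Vec::new();
        while let Some(cell) = self.pending.remove(&self.next_seq) {
            out.push(cell);
            self.next_seq += 1;
        }
        out
    }

    /// Number of cells currently held out of order.
    pub fn pending_len(&self) -> usize {
        self.pending.len()
    }
}
```

With a per-tunnel bound like this, the worst case memory a peer can pin is `capacity` cells per tunnel instead of unbounded; the remaining question from the list above is whether that bound should be a fixed constant or a memquota-managed quantity.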

cc @Diziet @dgoulet

  1. A multipath tunnel is a tunnel that consists of N > 1 circuits.