Proposal 171 specifies the right way to isolate streams that arrive over (socks/trans/natd/dns)port. But there are streams that originate inside Tor. Specifically, these are resolve requests launched by the controller, and tunneled directory connections. As it stands, we already set **some** of their isolation fields, but not all. In particular, tunneled directory connections have: * ClientAddr set to unspec * DestPort set to the directory port * DestAddr set to the directory's IP * ClientProtocol set to (0,0), which matches no client connection * SocksAuth unset. * SessionGroup set to 0. * NymEpoch unset. * No isolation flags set. and controller-launched dns connections have: * ClientAddr unset. * DestPort unset * DestAddr set to the thing we'reresolving. * ClientProtocol set to (0,0), which matches no client connection * SocksAuth unset. * SessionGroup set to 0. * NymEpoch unset. * No isolation flags set. Some of these are reasonable; some are not. We need to decide which are which.