Write a proposal for "circuit plugging"
When a client DESTROYs a circuit for misbehavior, it's possible for a hostile guard not to propagate the client's DESTROY message to the rest of the circuit, and continue to observe inbound traffic patterns from later relays on the circuit.
We could resist this attack by adding a new relay command telling later relays to accept no further traffic in either direction. This could be similar to TRUNCATE, and perhaps based on it.
With this relay command, clients could tell the middle hop to "plug" the circuit, wait a moment, and then send a DESTROY to the guard. Of course, the client wouldn't have a way to know that the "plug" cell wasn't dropped, but if it was, no later traffic would be decryptable.
We'd need to make sure this feature wasn't used in a way that would leak excessive information to the middle hop.
Suggested by @mikeperry who attributes it to Florentin.
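The attack and the proposed mitigation as a toy Python model of a three-hop circuit. This is an added example, not Tor code: cells are plain strings, there is no onion encryption, and the `PLUG` command name, the `Relay` class and the hostile guard's behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Relay:
    """One hop of a constructed 3-hop circuit (toy model, no crypto)."""
    name: str
    hostile: bool = False      # hostile guard: swallows DESTROY, keeps watching
    plugged: bool = False      # set by the assumed PLUG command
    destroyed: bool = False
    inbound_seen: list = field(default_factory=list)  # inbound cells observed


def client_send(circuit, cell, target_hop=0):
    """Client -> guard -> ...; each hop forwards until the target hop handles it."""
    for hop, relay in enumerate(circuit):
        if relay.destroyed or relay.plugged:
            return False                  # circuit is already closed at this hop
        if cell == "DESTROY":
            if relay.hostile:
                return False              # the attack: DESTROY is not propagated
            relay.destroyed = True        # honest relay tears down the next hop too
            continue
        if hop == target_hop:
            if cell == "PLUG":
                relay.plugged = True      # relay nothing further in either direction
            return True
    return False


def exit_sends_inbound(circuit):
    """Exit emits a DATA cell toward the client; record which hops observe it."""
    for relay in reversed(circuit):
        if relay.destroyed or relay.plugged:
            return                        # the cell is dropped here
        relay.inbound_seen.append("DATA")


def scenario(use_plug, hostile_guard=True):
    """Return how many inbound cells the guard observes after the client's DESTROY."""
    guard = Relay("guard", hostile=hostile_guard)
    circuit = [guard, Relay("middle"), Relay("exit")]
    if use_plug:
        client_send(circuit, "PLUG", target_hop=1)   # plug at the middle hop first
    client_send(circuit, "DESTROY")                  # hostile guard swallows this
    for _ in range(3):
        exit_sends_inbound(circuit)                  # later relays keep sending
    return len(guard.inbound_seen)


if __name__ == "__main__":
    print("hostile guard, no plug:", scenario(False), "inbound cells observed")
    print("hostile guard, plug:   ", scenario(True), "inbound cells observed")
```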