Write a proposal about handling/rejecting unrecognized cells on circuits
First, allowing parties to send unexpected ignored traffic opens side channels, so we must do something about it. And secondly, you must be Jon Postel for his Law to apply, and you're not. And thirdly, Postel's Law is more what you'd call "guidelines" than actual rules.
To constrain side-channels, @mikeperry thinks and I agree that we should be more restrictive about accepting unrecognized cell types and formats.
We should figure out how this interacts with proposal 325 (packed cells), and we should make sure that we don't write something that precludes future extensions to the protocol.
My intuition favors an approach something like this, though of course it might be wrong:
- Exits accept any well-authenticated cell that the client sends.
- Clients and onion services reject anything that they do not recognize.
- To add new relay message types in the future, we can declare that the exit may only send them in response to the client sending them first (or some other signal). We can declare that onion services must advertise that they accept them in their descriptors.
I bet there will be a lot of corner cases.
Assigning to @mikeperry with permission.
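The per-role policy sketched in the bullets above, as an added example that is not Tor's own code and not part of the original issue. It parses the relay cell header layout from tor-spec (command, recognized, stream ID, digest, length), then applies the role rules: an exit tolerates any authenticated command, a client only accepts an unknown command it has itself sent first on that circuit, and an onion service only accepts extension commands it advertised. Assumptions: the digest check is modeled as a boolean passed in by the caller rather than recomputed, only a subset of relay commands is listed, command number 200 is a hypothetical extension, and the constructed cells carry a zeroed digest field.

```python
"""Added example (not Tor's code): decide per role whether an unrecognized
relay command on a circuit is tolerated or should tear the circuit down."""
import struct
from enum import Enum

# Relay cell header from tor-spec: command(1) recognized(2) streamid(2)
# digest(4) length(2); the whole relay payload is 509 bytes.
RELAY_HEADER = struct.Struct("!BHHIH")
RELAY_PAYLOAD_LEN = 509
RELAY_DATA_MAX = RELAY_PAYLOAD_LEN - RELAY_HEADER.size  # 498

# Subset of relay commands from tor-spec (assumption: enough for the demo).
BASE_COMMANDS = {
    1: "BEGIN", 2: "DATA", 3: "END", 4: "CONNECTED", 5: "SENDME",
    6: "EXTEND", 7: "EXTENDED", 8: "TRUNCATE", 9: "TRUNCATED", 10: "DROP",
    11: "RESOLVE", 12: "RESOLVED", 13: "BEGIN_DIR", 14: "EXTEND2",
    15: "EXTENDED2",
}


class Role(Enum):
    EXIT = "exit"
    CLIENT = "client"
    ONION_SERVICE = "onion_service"


class CellError(ValueError):
    pass


def make_relay_cell(cmd, stream_id, data=b""):
    """Constructed test cell: plaintext, recognized=0, digest zeroed."""
    if len(data) > RELAY_DATA_MAX:
        raise CellError("data too long")
    header = RELAY_HEADER.pack(cmd, 0, stream_id, 0, len(data))
    return header + data + b"\x00" * (RELAY_DATA_MAX - len(data))


def parse_relay_cell(payload, authenticated):
    """Parse a decrypted relay payload. 'authenticated' stands in for the
    running-digest check the real code performs (assumption, not Tor's API)."""
    if len(payload) != RELAY_PAYLOAD_LEN:
        raise CellError("bad payload size")
    cmd, recognized, stream_id, _digest, length = RELAY_HEADER.unpack_from(payload)
    if recognized != 0 or not authenticated:
        raise CellError("cell is not recognized/authenticated at this hop")
    if length > RELAY_DATA_MAX:
        raise CellError("length field exceeds payload")
    data = payload[RELAY_HEADER.size:RELAY_HEADER.size + length]
    return cmd, stream_id, data


class CircuitPolicy:
    """Per-circuit acceptance policy following the issue's sketch."""

    def __init__(self, role, advertised_extensions=()):
        self.role = role
        # Onion services advertise accepted extension commands in descriptors.
        self.advertised = frozenset(advertised_extensions)
        # Extension commands this client has already sent on the circuit;
        # the exit may only send them in response.
        self.sent_extensions = set()

    def note_sent(self, cmd):
        if cmd not in BASE_COMMANDS:
            self.sent_extensions.add(cmd)

    def accept(self, payload, authenticated):
        """True to process the cell, False to drop it / destroy the circuit."""
        try:
            cmd, _stream_id, _data = parse_relay_cell(payload, authenticated)
        except CellError:
            return False  # forged or not for this hop: never tolerated
        if cmd in BASE_COMMANDS:
            return True
        if self.role is Role.EXIT:
            return True  # exits accept any well-authenticated client cell
        if self.role is Role.CLIENT:
            return cmd in self.sent_extensions  # only if we asked first
        return cmd in self.advertised  # onion service: only advertised ones


if __name__ == "__main__":
    cell = make_relay_cell(200, 7, b"hello")  # hypothetical extension cmd
    print("exit:", CircuitPolicy(Role.EXIT).accept(cell, True))
    client = CircuitPolicy(Role.CLIENT)
    print("client before sending:", client.accept(cell, True))
    client.note_sent(200)
    print("client after sending:", client.accept(cell, True))
    print("onion service:", CircuitPolicy(Role.ONION_SERVICE, {200}).accept(cell, True))
```

The `note_sent` hook is where a real client would record that it opened a negotiation; the one corner case already visible here is that an exit's reply is only accepted on the circuit where the client sent the request, so any extension also needs a stream or circuit scoping rule of its own.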