Spec clarifications for circuit timeouts and related things in path-spec.txt

This branch tries to fix the issues I found while working on Arti's circuit timeout code.

Closes #61 (closed).

Closes #48 (closed).

Please ignore all the changes in this branch made before 27 August: Apparently the "main" branch on this repository is out-of-date.

requested review from @mikeperry

This should be: These build times only include the time required to build circuits up to the third hop. Circuits that are longer than the three hops are recorded at the point where the third hop is successfully extended, and are not recorded after that. Circuits shorter than three hops are not recorded.

See circuit_build_times_handle_completed_hop() and circuit_timeout_want_to_count_circ() -- we actually check the opened length before recording there.

This distinction is important because it allows us to still compute a timeout even if a client only builds onion service circuits.

Actually, the C tor implementation does not store the recent timeout count as persistent state. It is maintained independently from the build times in a circular bitarray in circuit_build_times_t.liveness.timeouts_after_firsthop, and is not written to disk.

Do you think it's worthwhile for the rust code to store it, or better to just drop the information? I don't mind ripping this out.

In the interest of simplicity, I think ripping out the storage of this data is good. I am not seeing a super-strong reason to store this data.

The purpose of this liveness code is to determine if Tor previously picked a timeout that is now too low to provide enough path diversity (due to changing characteristics of the local internet connection, or the Tor guard/network).

I think it is a reasonable enough assumption that if Tor has restarted, this kind data is no longer fresh enough to be accurate for this purpose. This is also only 20 circuits here, and typical timeouts are now around 1-2 seconds or less.. So a restarted client with a timeout that is too low for a new internet connection will figure this out pretty quickly. I think that is OK.

Hrmm, the C tor impl sets the default timeout and the close timeout to the initial timeout. It does not multiply by 1.5. See circuit_build_times_init().

Do you think that either behavior is better than the other? Currently arti does what I've written up here.

I don't think there is a practical difference here. As per Section 2.4.5, if 60 seconds is not enough and causes the liveness test to fail due to too many timeouts, we will double the initial timeout. (Also, as long as we don't mess up congestion control, circuit build times should never approach anywhere near 60s again :)

If for some reason it made your implementation simpler to have these values be initialized differently, perhaps this can be a MAY? (I don't think it fragments anonymity set to do this differently at implementation discretion, again because this should not affect circuits that are actually usable anyway.)

Ok I went through all the commits. The above were the only issues I spotted.

mentioned in commit arti@5d7b0899

mentioned in commit arti@74fa1845

added 1 commit

• 62ad3ea1 - path-spec corrections from Mike.

Compare with previous version

merged

Thanks! I've made your suggested changes in a new commit, and adjusted Arti's behavior as well. (In both cases, the changes let me throw away a tiny bit of code.)