commit 043ac7d7aa9e0b48ef7f80e8cfb1b6b2f5ce2f39
Author: teor <teor(a)torproject.org>
Date: Tue Feb 4 19:19:12 2020 +1000
Prop 312: Rewrite authenticated address detection
All these changes are optional in the proposal:
* Add the NETINFO cell address detection method
(as suggested by Nick Mathewson)
* Defer decisions about ignoring some addresses, or using those
addresses as the lowest priority method
* Simplify the load-balancing design
Part of 33073.
---
proposals/312-relay-auto-ipv6-addr.txt | 359 ++++++++++++++++++++++++---------
1 file changed, 263 insertions(+), 96 deletions(-)
diff --git a/proposals/312-relay-auto-ipv6-addr.txt b/proposals/312-relay-auto-ipv6-addr.txt
index c167329..a6d89e4 100644
--- a/proposals/312-relay-auto-ipv6-addr.txt
+++ b/proposals/312-relay-auto-ipv6-addr.txt
@@ -519,6 +519,7 @@ Ticket: #33073
(also minimise consensus size)
* store a list of previous addresses in the state file, and use the most
recently used address that's currently available.
+
Operators who want to avoid address flipping should set the Address option
in the torrc. Operators who want to minimise the size of the consensus
should use all-zero IPv6 host identifiers.
@@ -531,13 +532,46 @@ Ticket: #33073
Some of these changes may be more appropriate in future releases, or
along with other proposed features.
-3.5.1. Only Use Authenticated Directory Header IPv4 and IPv6 Addresses
+ Some of these changes make tor ignore some potential IP addresses.
+
+ Ignoring addresses risks relays having no available ORPort addresses, and
+ refusing to publish their descriptor. So before we ignore any addresses, we
+ should make sure that:
+ * tor's other address detection methods are robust and reliable, and
+ * we would prefer relays to shut down, rather than use the ignored
+ address.
+
+ As a less severe alternative, low-quality methods can be put last in the
+ address resolution order. (See section 3.2.)
+
+ If relays prefer addresses from particular sources (for example: ORPorts),
+ they should try these sources regularly, so that their addresses do not
+ become too old.
+
+ If relays ignore addresses from some sources (for example: DirPorts), they
+ must regularly try other sources (for example: ORPorts).
+
+3.5.1. Using Authenticated IPv4 and IPv6 Addresses
We propose this optional change, to improve relay (and bridge) address
accuracy and reliability.
- Relays should only use authenticated directory fetches to discover their
- own IPv4 and IPv6 addresses.
+ Relays should try to use authenticated connections to discover their own
+ IPv4 and IPv6 addresses.
+
+ Tor supports two kinds of authenticated address information:
+ * authenticated directory connections, and
+ * authenticated NETINFO cells.
+ See the following sections for more details.
+
+ See also sections 3.5.2 (for preferring addresses from directory
+ authorities) and 3.5.3 (for load-balancing).
+
+3.5.1.1. Authenticated Directory Connections
+
+ We propose this optional change, to improve relay address accuracy and
+ reliability. (Bridges are not affected, because they already use
+ authenticated directory connections, just like clients.)
Tor supports authenticated, encrypted directory fetches using BEGINDIR over
ORPorts (see the [Tor Specification] for details).
@@ -548,82 +582,216 @@ Ticket: #33073
authenticated directory fetches.)
Using authenticated directory headers for relay addresses:
- * avoids caches (or other machines) mangling X-Your-Address-Is headers in
- transit, and
- * avoids attacks where directories are deliberately given an incorrect IP
- address.
+ * provides authenticated address information,
+ * reduces the number of attackers that can deliberately give a relay an
+ incorrect IP address, and
+ * avoids caches (or other machines) accidentally mangling, deleting, or
+ repeating X-Your-Address-Is headers.
- To make this change, we need to modify two different parts of tor:
+ To make this change, we need to modify tor's directory connection code:
* when making directory requests, relays should fetch some directory
- documents using BEGINDIR over ORPorts, and
- * when using the X-Your-Address-Is HTTP header to guess their own IPv4 or
- IPv6 addresses, relays ignore directory documents that were not fetched
- using BEGINDIR over ORPorts.
+ documents using BEGINDIR over ORPorts.
- See also sections 3.5.2 (for preferring addresses from directory
- authorities) and 3.5.3 (for load-balancing).
+ Once tor regularly gets authenticated X-Your-Address-Is headers, relays can
+ change how they handle unauthenticated addresses. When they receive an
+ unauthenticated address suggestion, relays can:
+ * ignore the address, or
+ * use the address as the lowest priority address method.
+ See section 3.5 for some factors to consider when making this design
+ decision.
-3.5.2. Preferring IPv4 and IPv6 Addresses from Directory Authorities
+ For anonymity reasons, bridges are unable to fetch directory documents over
+ IPv6, until clients start to do so. (See
+ [Proposal 306: Client Auto IPv6 Connections].)
+
+ Bridges currently use authenticated IPv4 connections for all their
+ directory fetches, to imitate default client behaviour.
+
+ We describe a related change, which is also optional:
+
+ We can increase the number of ORPort directory fetches:
+ * if tor has an existing ORPort connection to a relay that it has selected
+ for a directory fetch, it should use an ORPort fetch, rather than
+ opening an additional DirPort connection.
+
+ Using an existing ORPort connection:
+ * saves one DirPort connection and file descriptor,
+ * but slightly increases the cryptographic processing done by the relay,
+ and by the directory server it is connecting to.
+ However, the most expensive cryptographic operations have already happened,
+ when the ORPort connection was opened.
+
+ This change does not increase the number of NETINFO cells, because it
+ re-uses existing OR connections. See the next section for more details.
+
+3.5.1.2. Authenticated NETINFO Cells
We propose this optional change, to improve relay (and bridge) address
+ accuracy and reliability. (Bridge IPv6 addresses are not affected, because
+ bridges only make OR connections over IPv4, to imitate default client
+ behaviour.)
+
+ Tor supports authenticated IPv4 and IPv6 address information, using the
+ NETINFO cells exchanged at the beginning of each ORPort connection (see the
+ [Tor Specification] for details).
+
+ Relays do not currently use any address information from NETINFO cells.
+
+ Using authenticated NETINFO cells for relay addresses:
+ * provides authenticated address information,
+ * reduces the number of attackers that can deliberately give a relay an
+ incorrect IP address, and
+ * does not require a directory fetch (NETINFO cells are sent during
+ connection setup).
+
+ To make this change, we need to modify tor's cell processing:
+ * when processing NETINFO cells, tor should store the OTHERADDR field,
+ like it currently does for X-Your-Address-Is HTTP headers, and
+ * IPv4 and IPv6 addresses should be stored separately.
+ See the previous section, and section 3.2.5 for more details about the
+ X-Your-Address-Is HTTP header.
+
+ Once tor uses NETINFO cell addresses, relays can change how they handle
+ unauthenticated X-Your-Address-Is headers. When they receive an
+ unauthenticated address suggestion, relays can:
+ * ignore the address, or
+ * use the address as the lowest priority address method.
+ See section 3.5 for some factors to consider when making this design
+ decision.
+
+ We propose that tor continues to use the X-Your-Address-Is header, and adds
+ support for addresses in NETINFO cells. X-Your-Address-Is headers are sent
+ once per directory document fetch, but NETINFO cells are only sent once per
+ OR connection.
+
+ If a relay:
+ * only gets addresses from NETINFO cells from authorities, and
+ * has an existing, long-term connection to every authority,
+ then it may struggle to detect address changes.
+
+ Once all supported tor versions use NETINFO cells for address detection, we
+ should review this design decision. If we are confident that almost all
+ relays will be forced to make new connections when their address changes,
+ then tor may be able to stop using X-Your-Address-Is HTTP headers.
+
+ Bridges only make OR connections, and those OR connections are only over
+ IPv4, to imitate default client behaviour.
+
+ For anonymity reasons, bridges are unable to make regular connections over
+ IPv4 and IPv6, until clients start to do so. (See
+ [Proposal 306: Client Auto IPv6 Connections].)
+
+ As an alternative design, if tor's addresses are stale, it could close some
+ of its open directory authority connections. (Similar to section 4.4.2
+ in [Proposal 311: Relay IPv6 Reachability], where relays close existing OR
+ connections, before testing their own reachability.) However, this design is
+ more complicated, because it involves tracking address age, as well as the
+ address itself.
+
+3.5.2. Preferring IPv4 and IPv6 Addresses from Directory Authorities
+
+ We propose this optional change, to improve relay (but not bridge) address
accuracy and reliability.
- Relays store the latest IPv4 and IPv6 addresses received from:
- * a directory authority, and
- * a directory mirror,
- and prefer the address from a directory authority, as long as it is not
- too old.
-
- Relays should also store a timestamp for each address, and ignore addresses
- where:
- * the timestamp is too old, or
- * the timestamp for the preferred address (from a directory authority)
- is much older than the timestamp for the other address (from a directory
- mirror).
-
- Relays should try directory authorities often enough, that their addresses
- usually do not become too old. (And if the addresses do become too old,
- relays should try directory authorities more often.)
-
- As an alternative, relays could ignore addresses from other relays:
- * when using the X-Your-Address-Is HTTP header to guess their own IPv4 or
- IPv6 addresses, relays ignore directory documents that were not fetched
- from directory authorities.
- However, this implementation is not ideal, because it is better for a relay
- to use an address from a directory mirror, than have no address at all.
+ Relays prefer IPv4 and IPv6 address suggestions received from Directory
+ Authorities.
+
+ When they receive an address suggestion from a directory mirror, relays can:
+ * ignore the address, or
+ * use the address as the lowest priority address method.
+ See section 3.5 for some factors to consider when making this design
+ decision.
+
+ Bridges only make OR connections, and those OR connections are only over
+ IPv4, to imitate default client behaviour.
+
+ For anonymity reasons, bridges are unable to make regular connections over
+ IPv6, until clients start to do so. (See
+ [Proposal 306: Client Auto IPv6 Connections].)
See also sections 3.5.1 (for only using addresses from authenticated
connections) and 3.5.3 (for load-balancing).
3.5.3. Load Balancing
- We propose some optional changes to improve load-balancing.
+ We propose some optional changes to improve relay (and bridge)
+ load-balancing across directory authorities.
3.5.3.1. Directory Authority Load Balancing
- Ideally, we would like all relays (and bridges) to do frequent directory
- fetches:
+ Relays may prefer:
+ * authenticated connections (section 3.5.1).
+
+ Relays and bridges may prefer:
+ * connecting to Directory Authorities (section 3.5.2).
+
+ Both these changes are optional, so they might not be implemented.
+
+ If both changes are implemented, we would like all relays (and bridges) to
+ do frequent directory fetches:
* using BEGINDIR over ORPorts,
* to directory authorities.
- However, this change may be unsustainable during high network load
- (see [Ticket 33018: Dir auths using an unsustainable 400+ mbit/s]).
+ However, this extra load from relays may be unsustainable during high
+ network load (see
+ [Ticket 33018: Dir auths using an unsustainable 400+ mbit/s]).
+
+ For anonymity reasons, bridges should avoid connecting to directory
+ authorities too frequently, to imitate default client behaviour.
Therefore, we propose a simple load-balancing scheme between address
resolution and non-address resolution requests:
- * when relays do not know their own IP addresses, they should make as many
- directory authority ORPort directory fetches as is sustainable, and
- * when relays know their own IP addresses, they should make an occasional
- directory authority ORPort directory fetch, to learn if their address
- has changed.
+ * when relays first start up, they should make two directory authority
+ ORPort fetch attempts, one on IPv4, and one on IPv6,
+ * relays should also make occasional directory authority ORPort directory
+ fetch attempts, on IPv4 and IPv6, to learn if their addresses have
+ changed.
- We use the load-balancing criteria in section 3.5.3.3, to select the ratio
- between:
- * ORPort connections to directory authorities, and
- * ORPort or DirPort connections to directory mirrors.
+ We propose a new torrc option and consensus parameter:
- It should be possible for relays to choose between ORPort and DirPort
- connections to directory mirrors at random: they typically have enough spare
- CPU and bandwidth.
+ RelayMaxIntervalWithoutAddressDetectionRequest N seconds|minutes|hours
+
+ Relays make most of their directory requests via directory mirror DirPorts,
+ to reduce the load on directory authorities.
+
+ When this amount of time has passed since a relay last connected to a
+ directory authority ORPort, the relay makes its next directory request via
+ a directory authority ORPort. (Default: 15 minutes)
+
+ The final name and description for this option will depend on which optional
+ changes are actually implemented in tor. In particular, this option should
+ only consider requests that tor may use to discover its IP addresses.
+ For example:
+ * if tor uses NETINFO cells for addresses (section 3.5.1.2), then all
+ OR connections to an authority should be considered,
+ * if tor does not use NETINFO cells for addresses, and only uses
+ X-Your-Address-Is headers, then only directory fetches from authorities
+ should be considered.
+
+ We set the default value of this option to 15 minutes, because:
+ * tor's reachability tests fail if the ORPort is unreachable after 20
+ minutes. So we want to do at least two address detection requests in
+ the first 20 minutes;
+ * the minimum consensus period is 30 minutes, and we want to do at least
+ one address detection per consensus period. (Consensuses are usually
+ created every hour. But if there is no fresh consensus, directory
+ authorities will try to create a consensus every 30 minutes); and
+ * the default value for TestingAuthDirTimeToLearnReachability is 30
+ minutes. So directory authorities will make reachability test OR
+ connections to each relay, at least every 30 minutes. Therefore, relays
+ will see NETINFO cells from directory authorities about this often.
+ (Relays may use NETINFO cells for address detection, see section
+ 3.5.1.2.)
+
+ See also section 3.5.3.3, for some general load balancing criteria, that
+ may help when tuning the address detection interval.
+
+ We propose a related change, which is also optional:
+
+ If relays use address suggestions from directory mirrors, they may choose
+ between ORPort and DirPort connections to directory mirrors at random.
+ Directory mirrors typically have enough spare CPU and bandwidth to handle
+ ORPort directory requests. (And the most expensive cryptography happens
+ when the ORPort connection is opened.)
See also sections 3.5.1 (for only using addresses from authenticated
connections) and 3.5.2 (for preferring addresses from directory
@@ -633,36 +801,34 @@ Ticket: #33073
We propose this optional change, to improve the load-balancing between IPv4
and IPv6 directories, when used by relays to find their IPv4 and IPv6
- addresses (see section 3.2.6).
+ addresses (see section 3.2.5).
+
+ For anonymity reasons, bridges are unable to make regular connections over
+ IPv6, until clients start to do so. (See
+ [Proposal 306: Client Auto IPv6 Connections].)
This change may only be necessary if the following changes result in poor
load-balancing, or other relay issues:
- * randomly selecting IPv4 or IPv6 directories (see section 3.2.6), or
- * preferring directory header addresses, from directory authorities,
- via an authenticated connection (see sections 3.5.1 and 3.5.2).
+ * randomly selecting IPv4 or IPv6 directories (see section 3.2.5), or
+ * preferring addresses from directory authorities, via an authenticated
+ connection (see sections 3.5.1 and 3.5.2).
- We propose a new torrc option and consensus parameter:
- MaxNumIPv4DirectoryAttempts. This option limits the number of IPv4 directory
- requests, before the relay makes an IPv6 directory request. It should only
- apply to attempts that are expected to provide a usable IPv4 or IPv6
- address in their directory header. (Based on sections 3.2.6, 3.5.1, and
- 3.5.2.)
-
- The design is similar to MaxNumIPv4BootstrapAttempts in
- [Proposal 306: Client Auto IPv6 Connections].
-
- Here is a quick sketch of the design:
- * when MaxNumIPv4DirectoryAttempts is reached, select an IPv6-capable
- directory, and make an IPv6 connection attempt,
- * use a directory authority, or an ORPort, if required (see sections
- 3.5.1 and 3.5.2),
- * use a default value between 2 and 4:
- * the ideal value for load-balancing is >= 2
- (because 6/9 directory authorities are already on IPv6)
- * the ideal value for minimising failures is ~4
- (because relays won't waste too much CPU or bandwidth)
- * choose the default value based on the load-balancing criteria in section
- 3.5.3.3.
+ We propose that the RelayMaxIntervalWithoutAddressDetection option is
+ counted separately for IPv4 and IPv6 (see the previous section for details).
+
+ For example:
+ * if 30 minutes has elapsed since the last IPv4 address detection request,
+ then the next directory request should be an IPv4 address detection
+ request, and
+ * if 30 minutes has elapsed since the last IPv6 address detection request,
+ then the next directory request should be an IPv6 address detection
+ request.
+
+ If both intervals have elapsed at the same time, the relay should choose
+ between IPv4 and IPv6 at random.
+
+ See also section 3.5.3.3, for some general load balancing criteria, that
+ may help when tuning the address detection interval.
Alternately, we could wait until
[Proposal 306: Client Auto IPv6 Connections] is implemented, and use the
@@ -670,20 +836,15 @@ Ticket: #33073
3.5.3.3. General Load Balancing Criteria
- We propose the following criteria for choosing load-balancing ratios:
+ We propose the following criteria for choosing load-balancing intervals:
- The selected ratios should be chosen based on the following factors:
- * the current number of directory fetches that a relay makes:
- * when bootstrapping with an empty cache directory, and
- * in a steady state (per hour, or per new consensus),
- (these numbers aren't currently collected by tor, so we may need to
- write some extra code to include them in the heartbeat logs),
+ The selected interval should be chosen based on the following factors:
* relays need to discover their IPv4 and IPv6 addresses to publish their
descriptors,
* it only takes one successful directory fetch from one authority for a
relay to discover its IP address (see section 3.5.2),
- * relays will fall back to addresses from directory mirrors, if directory
- authorities are unavailable (see section 3.5.2),
+ * if relays fall back to addresses discovered from directory mirrors,
+ when directory authorities are unavailable (see section 3.5.2),
* BEGINDIR over ORPort requires and TLS connection, and some additional
tor cryptography, so it is more expensive for authorities than a
DirPort fetch (and it can not be cached by a HTTP cache)
@@ -693,14 +854,20 @@ Ticket: #33073
* other potential changes to relay directory fetches (see
[Ticket 33018: Dir auths using an unsustainable 400+ mbit/s])
- The selected ratios should allow almost all relays to update both their IPv4
- and IPv6 addresses:
- * at least twice when they bootstrap (to allow for fetch failures),
- * at least once per directory fetch (or per hour), and
- * from a directory authority (if available).
+ The selected interval should allow almost all relays to update both their
+ IPv4 and IPv6 addresses:
+ * at least twice when they bootstrap and test reachability (to allow for
+ fetch failures),
+ * at least once per consensus interval (that is, every 30 minutes), and
+ * from a directory authority (if required).
+
+ For anonymity reasons, bridges are unable to make regular connections over
+ IPv6, until clients start to do so. (See
+ [Proposal 306: Client Auto IPv6 Connections].)
In this proposal, relays choose between IPv4 and IPv6 directory fetches
- at random (see section 3.2.6 for more detail).
+ at random (see section 3.2.5 for more detail). But if this change causes
+ issues on IPv4-only relays, we may have to try IPv6 less often.
3.5.4. Detailed Address Resolution Logs