[torspec/master] Add proposals 321 and 322 for walking-onions-related stuff - tor-commits

27 May 2020

commit 4f8d5a4b24741680c231a99f2f1af9172bf126e5
Author: Nick Mathewson nickm@torproject.org
Date:   Wed May 27 15:12:01 2020 -0400
Add proposals 321 and 322 for walking-onions-related stuff
---
 proposals/000-index.txt           |   4 +
 proposals/321-happy-families.md   | 231 ++++++++++++++++++++++++++++++++++++++
 proposals/322-dirport-linkspec.md |  41 +++++++
 3 files changed, 276 insertions(+)

diff --git a/proposals/000-index.txt b/proposals/000-index.txt
index 3374a26..512f64f 100644
--- a/proposals/000-index.txt
+++ b/proposals/000-index.txt
@@ -241,6 +241,8 @@ Proposals by number:
 318  Limit protover values to 0-63 [OPEN]
 319  RELAY_FRAGMENT cells [OPEN]
 320  Removing TAP usage from v2 onion services [OPEN]
+321  Better performance and usability for the MyFamily option (v2) [OPEN]
+322  Extending link specifiers to include the directory port [OPEN]
Proposals by status:
@@ -287,6 +289,8 @@ Proposals by status:
    318  Limit protover values to 0-63
    319  RELAY_FRAGMENT cells
    320  Removing TAP usage from v2 onion services
+   321  Better performance and usability for the MyFamily option (v2)
+   322  Extending link specifiers to include the directory port
  ACCEPTED:
    188  Bridge Guards and other anti-enumeration defenses
    249  Allow CREATE cells with >505 bytes of handshake data
diff --git a/proposals/321-happy-families.md b/proposals/321-happy-families.md
new file mode 100644
index 0000000..288ba66
--- /dev/null
+++ b/proposals/321-happy-families.md
@@ -0,0 +1,231 @@
+```
+Filename: 321-happy-families.md
+Title: Better performance and usability for the MyFamily option (v2)
+Author: Nick Mathewson
+Created: 27 May 2020
+Status: Open
+```
+
+## Problem statement.
+
+The current family mechanism allows well-behaved relays to
+identify that they all belong to the same 'family', and should
+not be used in the same circuits.
+
+Right now, families work by having every family member list every
+other family member in its server descriptor.  This winds up using
+O(n^2) space in microdescriptors and server descriptors. (For RAM,
+we can de-duplicate families which sometimes helps.)  Adding or
+removing a server from the family requires all the other servers to
+change their torrc settings.
+
+The is growth in size is not just a theoretical problem. Family
+declarations currently make up a little over 55% of the
+microdescriptors in the directory--around 24% after compression.
+The largest family has around 270 members.  With Walking Onions, 270
+members times a 160-bit hashed identifier leads to over 5 kilobytes
+per SNIP, which is much greater than we'd want to use.
+
+This is an updated version of proposal 242.  It differs by clarifying
+requirements and providing a more detailed migration plan.
+
+## Design overview.
+
+In this design, every family has a master ed25519 "family key".  A node
+is in the family iff its server descriptor includes a certificate of its
+ed25519 identity key with the family key.  The certificate
+format the one in the tor-certs.txt spec; we would allocate a new
+certificate type for this usage.  These certificates would need to
+include the signing key in the appropriate extension.
+
+Note that because server descriptors are signed with the node's
+ed25519 signing key, this creates a bidirectional relationship
+between the two keys, so that nodes can't be put in families without
+their consent.
+
+## Changes to router descriptors
+
+We add a new entry to server descriptors:
+
+    "family-cert" NL
+    "-----BEGIN FAMILY CERT-----" NL
+    cert
+    "-----END FAMILY CERT-----".
+
+This entry contains a base64-encoded certificate as described
+above.  It may appear any number of times; authorities MAY reject
+descriptors that include it more than three times.
+
+## Changes to microdescriptors
+
+We add a new entry to microdescriptors: `family-keys`.
+
+This line contains one or more space-separated strings describing
+families to which the node belongs.  These strings MUST be sorted in
+lexicographic order.  Clients MUST NOT depend on any particular property
+of these strings.
+
+## Changes to voting algorithm
+
+We allocate a new consensus method number for voting on these keys.
+
+When generating microdescriptors using a suitable consensus method,
+the authorities include a "family-keys" line if the underlying
+server descriptor contains any valid family-cert lines.  For each
+valid family-cert in the server descriptor, they add a
+base-64-encoded string of that family-cert's signing key.
+
+> See also "deriving family lines from family-keys?" below for an
+> interesting but more difficult extension mechanism that I would
+> not recommend.
+
+## Relay configuration
+
+There are several ways that we could configure relays to let them
+include family certificates in their descriptors.
+
+The easiest would be putting the private family key on each relay,
+so that the relays could generate their own certificates.  This is
+easy to configure, but slightly risky: if the private key is
+compromised on any relay, anybody can claim membership in the
+family.  That isn't so very bad, however -- all the relays would
+need to do in this event would be to move to a new private family
+key.
+
+A more orthodox method would be to keep the private key somewhere
+offline, and using it to generate a certificate for each relay in
+the family as needed.  These certificates should be made with
+long-enough lifetimes, and relays should warn when they are going to
+expire soon.
+
+## Changes to relay behavior
+
+Each relay should track which other relays they have seen using the
+same family-key as itself.  When generating a router descriptor,
+each relay should list all of these relays on the legacy 'family'
+line.  This keeps the "family" lines up-to-date with "family-keys"
+lines for compliant relays.
+
+Relays should continue listing relays in their family lines if they
+have seen a relay with that identity using the same family-key at
+any time in the last 7 days.
+
+The presence of this line should be configured by a network
+parameter, `derive-family-line`.
+
+Relays whose family lines do not stay at least mostly in sync with
+their family keys should be marked invalid by the authorities.
+
+## Client behavior
+
+Clients should treat node A and node B as belonging to the same
+family if ANY of these is true:
+
+* The client has descriptors for A and B, and A's descriptor lists B
+  in its family line, and B's descriptor lists A in its family line.
+
+* Client A has descriptors for A and B, and they both contain the
+  same entry in their family-keys or family-cert.
+
+## Migration
+
+For some time, existing relays and clients will not support family
+certificates.  Because of this, we try to make sure above the
+well-behaved relays will list the same entries in both places.
+
+Once enough clients have migrated to using family
+certificates, authorities SHOULD disable `derive-family-line`.
+
+## Security
+
+Listing families remains as voluntary in this design as in today's
+Tor, though bad-relay hunters can continue to look for families that
+have not adopted a family key.
+
+A hostile relay family could list a "family" line that did not match
+its "family-certs" values.  However, the only reason to do so would
+be in order to launch a client partitioning attack, which is
+probably less valuable than the kinds of attacks that they could run
+by simply not listing families at all.
+
+## Appendix: deriving family lines from family-keys?
+
+As an alternative, we might declare that _authorities_ should keep
+family lines in sync with family-certs.  Here is a design sketch of
+how we might do that, but I don't think it's actually a good idea,
+since it would require major changes to the data flow of the
+voting system.
+
+In this design, authorties would include a "family-keys" line in
+each router section in their votes corresponding to a relay with any
+family-cert.  When generating final microdescriptors using this
+method, the authorities would use these lines to add entries to the
+microdescriptors' family lines:
+
+1. For every relay appearing in a routerstatus's family-keys, the
+   relays calculate a consensus family-keys value by listing including
+   all those keys that are listed by a majority of those voters listing
+   the same router with the same descriptor.  (This is the algorithm we
+   use for voting on other values derived from the descriptor.)
+
+2. The authorities then compute a set of "expanded families": one
+   for each family key.  Each "expanded family" is a set containing
+   every router in the consensus associated with that key in its consensus
+   family-keys value.
+
+3. The authorities discard all "expanded families" of size 1 or
+   smaller.
+
+4. Every router listed for the "expanded family" has every other
+   router added to the "family" line in its microdescriptor.  (The
+   "family" line is then re-canonicalized according to the rules of
+   proposal 298 to remove its )
+
+5. Note that the final microdescriptor consensus will include the
+   digest of the derived microdescriptor in step 4, rather than the
+   digest of the microdescriptor listed in the original votes.  (This
+   calculation is deterministic.)
+
+The problem with this approach is that authorities would have to s
+to fetch microdescriptors they do not have in order to replace their
+family lines.  Currently, voting never requires an authority to
+fetch a microdescriptor from another authority.  If we implement
+vote compression and diffs as in the Walking Onions proposal,
+however, we might suppose that votes could include microdescriptors
+directly.
+
+Still, this is likely more complexity than we want for a transition
+mechanism.
+
+## Appendix: Deriving family-keys from families??
+
+We might also imagine that authorities could infer which families
+exist from the graph of family relationships, and then include
+synthetic "family-keys" entries for routers that belong to the same
+family.
+
+This has two challenges: first, to compute these synthetic family
+keys, the authorities would need to have the same graph of family
+relationships to begin with, which once again would require them to
+include the complete list of families in their votes.
+
+Secondly, finding all the families is equivalent to finding all
+maximal cliques in a graph.  This problem is NP-hard in its general
+case.  Although polynomial solutions exist for nice well-behaved
+graphs, we'd still need to worry about hostile relays including
+strange family relationships in order to drive the algorithm into
+its exponential cases.
+
+## Appendix: New assigned values
+
+We need a new assigned value for the certificate type used for
+family signing keys.
+
+We need a new consensus method for placing family-keys lines in
+microdescriptors.
+
+## Appendix: New network parameters
+
+* `derive-family-line`: If 1, relays should derive family lines from
+  observed family-keys.  If 0, they do not. Min: 0, Max: 1. Default: 1.
+
diff --git a/proposals/322-dirport-linkspec.md b/proposals/322-dirport-linkspec.md
new file mode 100644
index 0000000..5fd42ac
--- /dev/null
+++ b/proposals/322-dirport-linkspec.md
@@ -0,0 +1,41 @@
+```
+Filename: 322-dirport-linkspec.md
+Title: Extending link specifiers to include the directory port
+Author: Nick Mathewson
+Created: 27 May 2020
+Status: Open
+```
+
+## Motivation
+
+Directory ports remain the only way to contact a (non-bridge) Tor
+relay that isn't expressible as a Link Specifier.  We haven't
+specified a link specifier of this kind so far, since it isn't a way
+to contact a relay to create a channel.
+
+But authorities still expose directory ports, and encourage relays
+to use them preferentially for uploading and downloading.  And with
+Walking Onions, it would be convenient to try to make every kind of
+"address" a link specifier -- we'd like want authorities to be able
+to specify a list of link specifiers that can be used to contact
+them for uploads and downloads.
+
+> It is possible that after revision, Walking Onions won't need a way
+> to specify this information.  If so, this proposal should be moved
+> to "Reserve" status as generally unuseful.
+
+## Proposal
+
+We reserve a new link specifier type "dir-url", for use with the
+directory system.  This is a variable-length link specifier, containing
+a URL prefix.  The only currently supported URL schema is "http://".
+Implementations SHOULD ignore unrecognized schemas.  IPv4 and IPv6
+addresses MAY be used directory; hostnames are also allowed.
+Implementations MAY ignore hostnames and only use raw addresses.
+
+The URL prefix includes everything through the string "tor" in the
+directory hierarchy.
+
+A dir-url link specifier SHOULD NOT appear in an EXTEND cell;
+implementations SHOULD reject them if they do appear.
+

    