- tor-dev - lists.torproject.org

Towards a new version of the PT spec...
by Yawning Angel 16 Sep '15

16 Sep '15

So, we currently have a Pluggable Transport (PT) spec, and it kind-of sort-of works (The documentation is a mess that I'm working on cleaning up, but it's an orthogonal issue for how well it works). There are a number of problems with the current PT spec that require breaking backward compatibility to fix, so eventually I would like to do so. I'm soliciting input on what people would also like to see in a (currently hypothetical) PT spec 2.0 beyond what I already have in mind: MUST haves: * Support dual stack Bridges correctly (Multiple server endpoints per transport) * Increase the argument space beyond 510 bytes (Prop. #227). * Mandatory ExtORPort support (currently optional, but metrics are good). * Centralized logging by the calling process (Probably via stderr). * AF_UNIX support where sensible for better sandboxing. MIGHT haves: * Rename the env vars to not start with "TOR_PT". Some people claim that this is a good idea (I think it is stupid and cosmetic). * Ability to force at least clients to stop network activity without tearing the PT down. * Deprecate SOCKS4a, and make SOCKS5 mandatory for clients. UNLIKELY: * Specify an interface for where fork()/exec() isn't possible (iOS). I don't think this is makes sense because it is probably too platform/caller specific. * Allow operating both as a client and a server simultaneously. I don't see a problem with running 2 copies of something for this use case. I probably missed some things. If people have strong opinions about this, do reply, otherwise I *will* design something that I like, which will not include what other people want. Regards, -- Yawning Angel

5 6

[Measurement Team] Next IRC meeting happens on THURSDAY, Sep 17, 14:00 UTC in #TOR-DEV
by Karsten Loesing 15 Sep '15

15 Sep '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello list, This is an announcement/reminder that there will be an IRC meeting of the Measurement Team on THURSDAY, September 17, 2015, 14:00 UTC in #TOR-DEV https://www.timeanddate.com/worldclock/fixedtime.html?iso=20150917T14 Note that the meeting day changed from Wednesday to Thursday and the meeting room from #tor-project to #tor-dev. The goal of this change is to avoid the overlap with the little-t tor development meeting. Talk to you on Thursday! All the best, Karsten -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJV96DGAAoJEJD5dJfVqbCr2MEH/2GdYX+/S5s7e4Xhd9TU/GwU 8HtJCXRrF42pRM5wFoHeq50/FokAJpAN8RrYsARdj0JNPERZWninNmwrurUdawe1 nBirn4zaHA4dRJM6eVzYpoFjNv9FO0U8H3gM8mdhqIIYUmb+ghtqo8+M+0aoujSX vSh28j4Dcb/aHpHEYsEumqMsBU6Lj7GQdCu5jGm7ttlUynQ0nCXnQ1h6dhlF6GzC APQ6coBc9J733fEwM5Xcn7B3D+2sdAq7oLINaAZ0YnMMVdKehJ4+5qnfTlLsjGe0 Wz2OPm3VSj8vyTREKmPxywvS04QeAf3hI3kHIY0tqW5q8TtWh8o+0KzTChdGWY4= =yhJ6 -----END PGP SIGNATURE-----

1 0

Re: [tor-dev] tor-roster's geo diversity badge and self-ref relays
by Sean Saito 14 Sep '15

14 Sep '15

>> Can this be downgraded to an informational message? (or eliminated entirely?) >> >> Penalties can be quite discouraging, particularly for minor configuration variants. >> >> Tim > >I agree, and this one in particular is important to some operators: by allowing a relay to specify itself in the family, one can just have a single >configuration file for all relays in a family. I was not aware of that. I shall take down the penalty then. Sean

1 0

Re: [tor-dev] Let's identify which measurement-related tools need work when relays switch from RSA identities to ed25519 identities
by Damian Johnson 13 Sep '15

13 Sep '15

>> Hi Karsten. Quick question: with the switchover are relay fingerprints >> going away? That is to say, server descriptors no longer have a... >> >> fingerprint D203 4DDF 1275 A234 4F66 9935 A3EF B908 FFC7 AE9A >> >> ... line, and router status entries don't have it on their dir-source? If not, what in particular are being dropped? >> >> Cheers! -Damian > > yes, I think that's the plan. Please see proposal 220, Sections 8 and > 9 for some more details. Thanks Karsten. Now that I know this isn't a completely foolish question adding tor-dev@ back in. If we're dropping the fingerprint that's a lot more invasive. Fingerprints are relay's canonical identity, and simply dropping them will break... a lot. I'd suggest instead relays should continue to have a fingerprint but that it's the 40 character hex hash of the ed25519 identity. On a side note it would be nice to have a spec patch before changing things this time. Sections 8 and 9 are a fine summary, but it's not clear to me precisely how the descriptors are changing from it. They certainly don't say to me "we're dropping the fingerprint field". If that change went out without a spec patch first I'd borrow Mr. Potato Head's angry eyes to stare at its author. Cheers! -Damian

2 2

tor-roster's geo diversity badge and self-ref relays
by nusenu 12 Sep '15

12 Sep '15

Hi, tor-roster has a badge for in-family geo diversity: "Geo Diversity in Relays (Number of countries / Number of relays >= 0.5)" Do you consider in-family diversity so important - even though all of them are run by a single entity anyway? I'd consider the tor network's overall diversity far more important than in-family diversity because clients won't use more than one relay of a given family anyway. How about having a badge for tor network wide diversity? Something like: More than 4/5 of the family's CW is located in countries with a cw lower than 2%* (currently means non-top 7 country) and ASes lower than 1.5%* (currently means non-top 8 AS)? That implies some degree of in-family diversity since a big family would have to spread across multiple countries/ASes. potential problem: "growing" ASes/countries might cross the threshold in that case you would either have to accept the fact that someone else can take away that badge by adding relays to your AS/CC ;) or consider the diversity at relay signup time (less fun) *) these are arbitrary thresholds "No Self-Referencing Relays" I'm not sure what exactly you mean by that but I assume it is a MyFamily config where a relay includes his own fingerprint. Why does that hurt? The unnecessary descriptor space/bw? thanks

1 0

CollecTor data of the current month older than 72 hours
by nusenu 12 Sep '15

12 Sep '15

Hi, data in the /recent folder goes back 72 hours, /archive is updated "every few days" [1]. The latest file in the archive folder [2] is currently from 2015-09-07: votes-2015-08.tar.xz 07-Sep-2015 04:11 159M but does not contain any data from September 2015. is there currently any data for the time period between 2015-09-01 - 2015-09-07 9:00 on Collector or should I wait a few days? thanks! [1] https://collector.torproject.org/ [2] https://collector.torproject.org/archive/relay-descriptors/votes/

2 2

Reproducibility of Pluggable Transports python.msi
by Jeremy Rand 11 Sep '15

11 Sep '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I was looking at the Gitian descriptor for the pluggable transports at https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitia n/descriptors/windows/gitian-pluggable-transports.yml , and I noticed that it has an input file called "python.msi". Furthermore, I noticed the following line in https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitia n/versions : PYTHON_MSI_URL=https://www.python.org/ftp/python/${PYTHON_VER}/${PYTHON_ MSI_PACKAGE} - From this, I conclude that Python is not being built in Gitian, and the download from www.python.org is assumed to be safe / not backdoored. Is this correct? If I'm correct, is there a reason that Python is not being built in Gitian? Was it attempted and found that Python cannot easily be built for Windows in Gitian? Or was it not attempted and just still on the to-do list? I don't see any relevant ticket on Trac. Thanks, - -Jeremy Rand -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJV7Mt1AAoJEAHN/EbZ1y06nL8QAM4qhFMupoippBIvI4JwlLZ6 Vf4wNWA2/IY+62DQ4hpkPRPX/vT48lJIJnPXUxQ427ruX/txYs+T8Yw/RyiW6eq8 AWrkj3DZTYE4RtgEnTazA7NEpiv0YFOuRdyKoyjZyR1MAZTWpZ12TS/hkXaksWsx mZX7EJMv9GBNthMLGoJ5cpTdXymhbGgvOGcF1esxZlzEQnusbaMjCNHv+GzLXGBr xEFUzjuIeuvzZxHgmTqTujjMev9kMYqpRVoyg2JbRhZz/LwbfuQssDMlTRVOmpCu FwCw9RbyZyaBzrnoZLbJ9hs6JQz/cKYcv0kOmEncTprc6IVdZDnMj5guT0rwUycn r9x0ZB0Uz7FRPnqIgmeHLn9JmFPuF9IWc6Kl3fILNsYMCF+AyOBAB7QVFgSftXMQ 2+ifWG6OdAZfM0jau1L6phlILJtvc79ClHhp86wIeSQ7k0mEKn9JOzEg+YRXLS4L ZAoTFKSfNrukMtmdUhgb97yl7MA+wsdWCpMybZRpSJQYMiNlL33njG8kYMdbuhX/ uDTFmc1b3IGWhfRdAtaIK9sZzkTYTzFg30Ypr8uYte7McU+QOMHbWZGZ46KL79k7 uZxPt2bcKSzEP9KP28Pkz0Hc0v0qGYD0BrAzeYkYVB9FhLQF5vs1jDfn2YI7VQbI HSs0NTTkxWHkro3tnzeU =jg/n -----END PGP SIGNATURE-----

5 12

Re: [tor-dev] [tor-reports] Sebastian's August 2015
by ilv 11 Sep '15

11 Sep '15

On 06/09/15 13:01, Sebastian Hahn wrote: > Hi there, > Hi Sebastian, > Next up is more of the same, especially focusing on website tickets > and preparing the community team's dev meeting contributions. Maybe we could have a session at the dev meeting to talk about the website (content, structure, translations, etc.). What do you think? (cc'ing @tor-dev in case more people are interested) Saludos. --ilv

2 1

[PATCH] Update prop#188 to match implementation from #7144.
by Isis Lovecruft 11 Sep '15

11 Sep '15

* ADD a new section detailing loose-source routed circuits, including: - How the circuit should appear to the OP, the bridge, and the bridge guard, - How the hop(s) in the path is/are chosen, - How the first hop is handled and how circuit extension is handled, in a generalised sense (i.e. not specific to a bridge using bridge guards), - Which cell types are used and how they are chosen, - When the original create cell is answered (in relation to when cells are sent to the other additional hops), - What should be done when relay cells are received when the additional hops in the loose-source routed circuit are not fully constructed, - How the circuit crypto and cell digests for incoming/outgoing relay cells works (again, in a generalised sense, i.e. not specific to bridges using bridge guards), - How and whether a given relay cell is treated as "recognized", - Under what circumstances (based on whether a stream is attached and which relay command was sent) should cause a node which uses loose-source routed circuits to drop a relay cell or mark a circuit for close, and, - When and what statistics should be gathered for loose-source routed circuits. * UPDATE and clarify the example loose-source routed circuit construction (the original one from the proposal which was specific to a client using a bridge that uses bridge guards). * CHANGE the "Make it harder to tell clients from bridges" section which described the tradeoffs between using CREATE versus CREATE_FAST cells for the first additional hop (i.e. the bridge guard). Those concerns is no longer entirely relevant, since, in the meantime, we've introduced the NTor handshake and it's extremely likely that both the client and the bridge will use CREATE2 for all their hops. * ADD a new section on enumerating bridges via the behaviours inherent to bridge reachability testing. * REMOVE open question (from the very end of the proposal) regarding whether the standard guard selection algorithms are adequate. They are. (Even if they are convoluted and overly-complicated.) --- proposals/188-bridge-guards.txt | 458 ++++++++++++++++++++++++++++++++-------- 1 file changed, 369 insertions(+), 89 deletions(-) diff --git a/proposals/188-bridge-guards.txt b/proposals/188-bridge-guards.txt index 5a5a005..c4d354f 100644 --- a/proposals/188-bridge-guards.txt +++ b/proposals/188-bridge-guards.txt @@ -1,7 +1,8 @@ Filename: 188-bridge-guards.txt Title: Bridge Guards and other anti-enumeration defenses -Author: Nick Mathewson +Author: Nick Mathewson, Isis Lovecruft Created: 14 Oct 2011 +Modified: 10 Sep 2015 Status: Open 1. Overview @@ -76,111 +77,317 @@ Status: Open remove, and remove a layer of encryption on incoming cells on that circuit corresponding to the encryption that the guard will add. -3.1. An example +3.1. Loose-Source Routed Circuit Construction - This example doesn't add anything to the design above, but has some - interesting inline notes. + Alice, an OP, is using a bridge, Bob, and she has chosen the + following path through the network: - - Alice has connected to her bridge Bob, and built a circuit - through Bob, with the negotiated forward and reverse keys KB_f - and KB_r. + Alice -> Bob -> Charlie -> Deidra - - Alice then wants to extend the circuit to node Charlie. She - makes a hybrid-encrypted onionskin, encrypted to Charlie's - public key, containing her chosen g^x value. She puts this in - an extend cell: "Extend (Charlie's address) (Charlie's OR - Port) (Onionskin) (Charlie's ID)". She encrypts this with - KB_f and sends it as a RELAY_EARLY cell to Bob. + However, Bob has decided to take advantage of the loose-source + routing circuit characteristic (for example, in order to use a bridge + guard), and Bob has chosen N additional loose-source routed hop(s), + through which he will transparently relays cells. - - Bob receives the RELAY_EARLY cell, and decrypts it with KB_f. - He then sees that it's an extend cell for him. + NOTE: For the purposes of bridge guards, N is always 1. However, for + completion's sake, the following details of the circuit construction + are generalized to include N > 1. Additionally, the following steps + should hold for a hop at any position in Alice's circuit that has + decided to take advantage of the loose-source routing feature, not + only for bridge ORs. - So far, this is exactly the same as the current procedure that - Alice and Bob would follow. Now we diverge: + From Alice's perspective, her circuit path matches the one diagrammed + above. However, the overall path of the circuit is: - - Instead of connecting to Charlie directly, Bob makes sure that - he is connected to his guard, Guillaume. Bob uses a - CREATE_FAST cell (or a CREATE cell, but see 4.1 below) to open a - circuit to Guillaume. Now Bob and Guillaume share keys KG_f - and KG_b. + Alice -> Bob -> Guillaume -> Charlie -> Deidra - - Now Bob encrypts the Extend cell body with KG_f and sends it - as a RELAY_EARLY cell to Guillaume. + From Bob's perspective, the circuit's path is: - - Guillaume receives it, decrypts it with KG_f, and sees: - "Extend (Charlie's address) (Charlie's OR Port) (Onionskin) - (Charlie's ID)". Guillaume acts accordingly: creating a - connection to Charlie if he doesn't have one, ensuring that - the ID is as expected, and then sending the onionskin in a - create cell on that connection. + Alice -> Bob -> Guillaume -> Charlie -> UNKNOWN - Note that Guillaume is behaving exactly as a regular node - would upon receiving an Extend cell. + Interestingly, because Bob's behaviour towards Guillaume and choices + of cell types is that of a normal OP, Guillaume's perspective of the + circuit's path is: - - Now the handshake finishes. Charlie receives the onionskin - and sends Guillaume "CREATED g^y,KH". Guillaume sends Bob - "E(KG_r, EXTENDED g^y KH)". (Charlie and Guillaume are still - running as regular Tor nodes do today). + Bob -> Guillaume -> Charlie -> UNKNOWN - - With this extend cell, and with all future relay cells - received on this circuit, Bob first decrypts the cell with - KG_r, then re-encrypts it with KB_r, then passes it to Alice. - When Alice receives the cell, it will be just as she would - have received if Bob had extended to Charlie directly. + That is, to Guillaume, Bob appears (for the most part) to be a + normally connecting client. (See §4.1 for more detailed analysis.) - - With all future outgoing cells that he receives from Alice, - Bob first decrypts the cell with KA_f, and if the cell does - not have Bob as its destination, Bob encrypts it with KG_f - before passing it to Guillaume. +3.1.1. Detailed Steps of Loose-Source Routed Circuit Construction - Note that this design does not require that our stream cipher - operations be commutative, even though they are. + 1. Connection from OP - Note also that this design requires no change in behavior from any - node other than Bob the bridge. + Alice has connected to Bob, and she has sent to Bob either a + CREATE/CREATE_FAST or CREATE2 cell. - Finally, observe that even though the circuit is one hop longer - than it would be otherwise, no relay's count of permissible - RELAY_EARLY cells falls lower than it otherwise would. This is - because the extra hop that Bob adds is done with a CREATE_FAST - cell, and so he does not need to send any RELAY_EARLY cells not - originated by Alice. + 2. Loose-Source Path Selection -4. Other ideas and alternative designs + In anticipation of Alice's first RELAY_EARLY cell (which will + contain an EXTEND cell to Alice's next hop), Bob begins + constructing a loose-source routed circuit. To do so, Bob chooses + N additional hop(s): - In addition to the design above, there are more ways to try to - prevent enumeration. + 2.a. For the first additional hop, H_1, Bob chooses a suitable + entry guard node, Guillaume, using the same algorithm as OPs. + See "§5 Guard nodes" of path-spec.txt for additional + information on the selection algorithm. -4.1. Make it harder to tell clients from bridges + 2.b. Each additional hop, [H_2, ..., H_N], is chosen at random + from a list of suitable, non-excluded ORs. - Right now, there are multiple ways for the node after a bridge to - distinguish a circuit extended through the bridge from one - originating at the bridge. (This lets the node after the bridge - tell that a bridge is talking to it.) + 3. Loose-Source Routed Circuit Extension and Cell Types - One of the giveaways here is that the first hop in a circuit is - created with CREATE_FAST cells, but all subsequent hops are created - with CREATE cells. In the above design, it's no longer quite so - simple to tell, since all of the circuits that extend through a - bridge now reach its guards through CREATE_FAST cells, whether the - bridge originated them or not. + Bob now follows the same procedure as OPs use to complete the key + exchanges with his chosen additional hop(s). - (If we adopt a faster circuit extension algorithm -- for example, - Goldberg, Stebila, and Ustaoglu's design instantiated over - curve25519 -- we could also solve this issue by eliminating - CREATE_FAST/CREATED_FAST entirely, which would also help our - security margin a little.) + While undergoing these following substeps, Bob SHOULD continue to + proceed with Step 4, below, in parallel, as an optimization for + speeding up circuit construction. - The CREATE/CREATE_FAST distinction is not the only way for a - bridge's guard to tell bridges from orginary clients, however. - Most importantly, a busy bridge will open far more circuits than a - client would. More subtly, the timing on response from the client - will be higher and more highly variable that it would be with an - ordinary client. I don't think we can make bridges behave wholly - indistinguishably from clients: that's why we should go with guard - nodes for bridges. + 3.a. Create Cells + + Bob sends the appropriate type of create cell to Guillaume. + For ORs new enough to support the NTor handshake (nearly all + of them at this point), Bob sends a CREATE2 cell. Otherwise, + for ORs which only support the older TAP handshake, Bob sends + either a CREATE or CREATE_FAST cell, using the same + decision-making logic as OPs. + + See §4.1 for more information the distinguishability of + bridges based upon whether they use CREATE versus + CREATE_FAST. Also note that the CREATE2 cell has since + become ubiquitous after this proposal was originally drafted. + Thus, because we prefer ORs which use loose-source routing to + behave (as much as possible) like OPs, we now prefer to use + CREATE2. + + 3.b. Created Cells + + Later, when Bob receives a corresponding CREATED/CREATED_FAST + or CREATED2 cell from Guillaume, Bob extracts key material + for the shared forward and reverse keys, KG_f and KG_b, + respectively. + + 3.c. Extend Cells + + When N > 1, for each additional hop, H_i, in [H_2, ..., H_N], + Bob chooses the appropriate type of extend cell for H_i, and + sends this extend cell to H_i-1, who transforms it into a + create cell in order to perform the extension. To choose + which type of extend cell to send, Bob uses the same + algorithm as an OP to determine whether to use EXTEND or + EXTEND2. Similar to the CREATE* cells above, for most modern + ORs, this will very likely mean an EXTEND2 cell. + + 3.d. Extended Cells + + When a corresponding EXTENDED/EXTENDED2 cell is received for + an additional hop, H_i, Bob extracts the shared forward and + reverse keys, Ki_f and Ki_b, respectively. + + 4. Responding to the OP + + Now that the additional hops in Bob's loose-source routed circuit + are chosen, and construction of the loose-source routed circuit + has begun, Bob answers Alice's original CREATE/CREATE_FAST or + CREATE2 cell (from Step 1) by sending the corresponding created + cell type. + + Alice has now built a circuit through Bob, and the two share the + negotiated forward and reverse keys, KB_n and KB_p, respectively. + + Note that Bob SHOULD do this step in tandem with the loose-source + routed circuit construction procedure outlined in Step 3, above. + + 5. OP Circuit Extension + + Alice then wants to extend the circuit to node Charlie. She makes + a hybrid-encrypted onionskin, encrypted to Charlie's public key, + containing her chosen g^x value. She puts this in an extend cell: + "Extend (Charlie's address) (Charlie's OR Port) (Onionskin) + (Charlie's ID)". She encrypts this with KB_n and sends it as a + RELAY_EARLY cell to Bob. + + Bob's behaviour is now dependent on whether the loose-source + routed circuit construction steps (as outlined in Step 3, above) + have already completed. + + 5.a. The Loose-Source Routed Circuit Construction is Incomplete + + If Bob has not yet finished the loose-source routed circuit + construction, then Bob MUST store the first outgoing + (i.e. exitward) RELAY_EARLY cell received from Alice until + the loose-source routed circuit construction has been + completed. + + If any incoming (i.e. toward the OP) RELAY* cell is received + while the loose-source routed circuit is not fully + constructed, Bob MUST drop the cell. + + If Bob has already stored Alice's first RELAY_EARLY cell, and + Alice sends any additional RELAY* cell, then Bob SHOULD mark + the entire circuit for close with END_CIRC_REASON_TORPROTOCOL. + + 5.b. The Loose-Source Routed Circuit Construction is Completed + + Later, when the loose-source routed circuit is fully + constructed, Bob MUST send any stored cells from Alice + outward by following the procedure described in Step 6.a. + + 6. Relay Cells + + When receiving a RELAY* cell in either direction, Bob MAY keep + statistics on the number of relay cells encountered, as well as + the number of relay cells relayed. + + 6.a. Outgoing Relay Cells + + Bob decrypts the RELAY* cell with KB_n. If the cell becomes + recognized, Bob should now follow the relay command checks + described in Step 6.c. + + Bob MUST encrypt the relay cell's underlying payload to each + additional hop in the loose-source routed circuit, in + reverse: for each additional hop, H_i, in [H_N, ..., H_1], + Bob encrypts the relay cell payload to Ki_f, the shared + forward key for the hop H_i. + + Bob MUST update the forward digest, DG_f, of the relay cell, + regardless of whether or not the cell is recognized. See + 6.c. for additional information on recognized cells. + + Bob now sends the cell outwards through the additional hops. + At each hop, H_i, the hop removes a layer of the onionskin by + decrypting the cell with Ki_f, and then hop H_i forwards the + cell to the next addition additional hop H_i+1. When the + final additional hop, H_N, received the cell, the OP's cell + command and payload should be processed by H_N in the normal + manner for an OR. + + 6.b. Incoming Relay Cells + + Bob MUST decrypt the relay cell's underlying payload from + each additional hop in the loose-source routed circuit (in + forward order, this time): For each additional hop, H_i, in + [H_1, ..., H_N], Bob decrypts the relay cell payload with + Ki_b, the shared backward key for the hop H_i. + + If the cell has becomes recognized after all decryptions, Bob + should now follow the relay command checks described in Step + 6.c. + + Bob MUST update the backward digest, DG_b, of the relay cell, + regardless of whether or not the cell is recognized. See + 6.c. for additional information on recognized cells. + + Bob encrypts the cell towards the OP with KB_p, and sends the + cell inwards. + + 6.c. Recognized Cells + + If a relay cell, either incoming or outgoing, becomes + recognized (i.e. Bob sees that the cell was intended for him) + after decryption, and there is no stream attached to the + circuit, then Bob SHOULD mark the circuit for close if the + relay command contained within the cell is any of the + following types: + + - RELAY_BEGIN + - RELAY_CONNECTED + - RELAY_END + - RELAY_RESOLVE + - RELAY_RESOLVED + - RELAY_BEGIN_DIR + + Apart from the above checks, Bob SHOULD essentially treat + every cell as "unrecognized" by following the en-/de-cryption + procedures in Steps 6.a. and 6.b. regardless of whether the + cell is actually recognized or not. That is, since this is a + loose-source routed circuit, Bob SHOULD relay cells not + intended for him *and* cells intended for him through the + leaky pipe, no matter what the cell's underlying payload and + command are. + +3.1.2. Example Loose-Source Circuit Construction + + For example, given the following circuit path chosen by Alice: + + Alice -> Bob -> Charlie -> Deidra + + when Alice wishes to extend to node Charlie, and Bob the bridge is + using only one additional loose-source routed hop, Guillaume, as his + bridge guard, the following steps are taken: + + - Alice packages the extend into a RELAY_EARLY cell and encrypts + the RELAY_EARLY cell with KB_f to Bob. + + - Bob receives the RELAY_EARLY cell from Alice, and he follows + the procedure (outlined in §3.1.1. Step 6.a.) by: + + * Decrypting the cell with KB_f, + * Encrypting the cell to the forward key, KG_f, which Bob + shares with his guard node, Guillaume, + * Updating the cell forward digest, DG_f, and + * Sending the cell as a RELAY_EARLY cell to Guillaume. + + - When Guillaume receives the cell from Bob, he processes it by: + + * Decrypting the cell with KG_f. Guillaume now sees that it + is a RELAY_EARLY cell containing an extend cell "intended" + for him, containing: "Extend (Charlie's address) (Charlie's + OR Port) (Onionskin) (Charlie's ID)". + * Performing the circuit extension to the specified node, + Charlie, by acting accordingly: creating a connection to + Charlie if he doesn't have one, ensuring that the ID is as + expected, and then sending the onionskin in a create cell + on that connection. Note that Guillaume is behaving + exactly as a regular node would upon receiving an Extend + cell. + * Now the handshake finishes. Charlie receives the onionskin + and sends Guillaume "CREATED g^y,KH". + * Making an extended cell for Bob which contains + "E(KG_b, EXTENDED g^y KH)", and + * Sending the extended cell to Bob. Note that Charlie and + Guillaume are both still behaving in a manner identical to + regular ORs. + + - Bob receives the extended cell from Guillaume, and he follows + the procedure (outlined in §3.1.1. Step 6.b.) by: + + * Decrypting the cell with KG_b, + * Encrypting the cell to Alice with KB_b, + * Updating the cell backward digest, DG_b, and + * Sending the cell to Alice. + + - Alice receives the cell, and she decrypts it with KB_b, just + as she would have if Bob had extended to Charlie directly. + She then processes the extended cell contained within to + extract shared keys with Charlie. Note that Alice's behaviour + is identical to regular OPs. + +3.2. Additional Notes on the Construction -4.2. Client-enforced bridge guards + Note that this design does not require that our stream cipher + operations be commutative, even though they are. + + Note also that this design requires no change in behavior from any + node other than Bob, and as we can see in the above example in §3.1.2 + for Alice's circuit extension, Alice, Guillaume, and Charlie behave + identical to a normal OP and normal ORs. + + Finally, observe that even though the circuit N hops longer than it + would be otherwise, no relay's count of permissible RELAY_EARLY cells + falls lower than it otherwise would. This is because the extra hop + that Bob adds is done with RELAY_EARLY cells, then he continues to + relay Alice's cells as RELAY_EARLY, until the appropriate maximum + number of RELAY_EARLY cells is reached. Afterwards, further + RELAY_EARLY cells from Alice are repackaged by Bob as normal RELAY + cells. + +4. Alternative designs + +4.1. Client-enforced bridge guards What if Tor didn't have loose source routing? We could have bridges tell clients what guards to use by advertising those guard @@ -191,7 +398,7 @@ Status: Open Fortunately, we don't need to go down this path. So let's not! -4.3. Separate bridge-guards and client-guards +4.2. Separate bridge-guards and client-guards In the design above, I specify that bridges should use the same guard nodes for extending client circuits as they use for their own @@ -209,11 +416,84 @@ Status: Open through the bridge to a node it controls, and finding out where the extend request arrives from). -5. Other considerations +5. Additional bridge enumeration methods and protections + + In addition to the design above, there are more ways to try to + prevent enumeration. + + Right now, there are multiple ways for the node after a bridge to + distinguish a circuit extended through the bridge from one + originating at the bridge. (This lets the node after the bridge + tell that a bridge is talking to it.) + +5.1. Make it harder to tell clients from bridges + + When using the older TAP circuit handshake protocol, one of the + giveaways is that the first hop in a circuit is created with + CREATE_FAST cells, but all subsequent hops are created with CREATE + cells. + + However, because nearly everything in the network now uses the newer + NTor circuit handshake protocol, clients send CREATE2 cells to all + hops, regardless of position. Therefore, in the above design, it's + no longer quite so simple to distinguish an OP connecting through + bridge from an actual OP, since all of the circuits that extend + through a bridge now reach its guards through CREATE2 cells (whether + the bridge originated them or not), and only as a fallback (e.g. if + an additional node in the loose-source routed path does not support + NTor) will the bridge ever use CREATE/CREATE_FAST. (Additionally, + when using the fallback mathod, the behaviour for choosing either + CREATE or CREATE_FAST is identical to normal OP behaviour.) + + The CREATE/CREATE_FAST distinction is not the only way for a + bridge's guard to tell bridges from orginary clients, however. + Most importantly, a busy bridge will open far more circuits than a + client would. More subtly, the timing on response from the client + will be higher and more highly variable that it would be with an + ordinary client. I don't think we can make bridges behave wholly + indistinguishably from clients: that's why we should go with guard + nodes for bridges. + + [XXX For further research: we should study the methods by which a + bridge guard can determine that they are acting as a guard for a + bridge, rather than for a normal OP, and which methods are likely to + be more accurate or efficient than others. -IL] + +5.2. Bridge Reachability Testing + + Currently, a bridge's reachability is tested both by the bridge + itself (called "self-testing") and by the BridgeAuthority. + +5.2.1. Bridge Reachability Self-Testing + + Before a bridge uploads its descriptors to the BridgeAuthority, it + creates a special type of testing circuit which ends at itself: + + Bob -> Guillaume -> Charlie -> Bob + + Thus, going to all this trouble to later use loose-source routing in + order to relay Alice's traffic through Guillaume (rather than + connecting directly to Charlie, as Alice intended) is diminished by + the fact that Charlie can still passively enumerate bridges by + waiting to be asked to connect to a node which is not contained + within the consensus. + + We could get around this option by disabling self-testing for bridges + entirely, by automatically setting "AssumeReachable 1" for all bridge + relays… although I am not sure if this is wise. + +5.2.2. Bridge Reachability Testing by the BridgeAuthority + + After receiving Bob's descriptors, the BridgeAuthority attempts to + connect to Bob's ORPort by making a direct TLS connection to the + bridge's advertised ORPort. + + Should we change this behaviour? One the one hand, at least this + does not enable any random OR in the entire network to enumerate + bridges. On the other hand, any adversary who can observe packets + from the BridgeAuthority is capable of enumeration. + +6. Other considerations What fraction of our traffic is bridge traffic? Will this alter our circuit selection weights? - - Are the current guard selection/evaluation/replacement mechanisms - adequate for bridge guards, or do bridges need to get more - sophisticated? -- 2.1.4

1 0

Re: [tor-dev] How to introduce new RELAY_COMMAND_* types and newcell fields?
by tordev123＠Safe-mail.net 10 Sep '15

10 Sep '15

>> 3. Additional RELAY_COMMAND_* types for clients to request out-of-band >> HMAC request cells for Proposal 253. Do you need to request that data? How about always sending it from middle nodes? (Less leakage about the client.) >> 4. Additional RELAY_COMMAND_* opcodes for clients to request padding >> from relays (for an upcoming padding negotiation proposal). >> >> However, for items #3 and #4, if I introduce a new RELAY_COMMAND type >> and send it to a relay that doesn't support it, then that relay will >> emit a warning log message from connection_edge_process_relay_cell() in >> relay.c. How should I detect support? Based on advertised relay version >> in the consensus? What about non-standard relay implementations that >> don't use Tor's versioning? > > I don't think you can use the consensus for this: for HS connections you > wont have any relay info. Wouldn't matter for 4, right? > How about introducing very basic version info into > created2/extended/rendezvous cells? You'd have to be really careful to > not leak too much version info, of course. It seems much better to avoid that, if there is a workaround.

2 1