- tor-dev - lists.torproject.org

rendezvous on non-OR circuit with purpose Acting as rendevous
by Ian Goldberg 23 Nov '17

23 Nov '17

I just restarted my node, and saw this in the log: Nov 23 14:07:21.000 [warn] Tried to establish rendezvous on non-OR circuit with purpose Acting as rendevous (pending) What does this mean? I'm a little worried someone out there is playing games with the protocol...

2 1

Proposal: Move IPv6 ORPorts to the Microdesc Consensus
by teor 21 Nov '17

21 Nov '17

Hi all, We would like to move IPv6 ORPorts from microdescriptors to the microdesc consensus. This makes it easier for IPv6 clients to bootstrap and choose reachable guards. The proposal is inlined below, it is also available with the corresponding dir-spec updates in my torspec branch bug23826-23828 on GitHub: https://github.com/teor2345/torspec.git The tor code that implements these new consensus methods is in my tor branch on bug23826-23828 on GitHub: https://github.com/teor2345/tor.git The parent ticket for these related changes is #20916. The code changes are being tracked in #23826 and #23828, and the spec changes and proposal in #23898: https://trac.torproject.org/projects/tor/ticket/20916 If we've spoken about this, and I've left you out as an author, please let me know! Here is the proposal text: Filename: xxx-ipv6-in-micro-consensus.txt Title: Move IPv6 ORPorts from microdescriptors to the microdesc consensus Author: Tim Wilson-Brown (teor) Created: 18-Oct-2017 Status: Open Target: 0.3.3.x 1. Summary Moving IPv6 ORPorts from microdescs to the microdesc consensus will make it easier for IPv6 clients to bootstrap and select reachable guards. Since consensus method 14, authorities have voted for IPv6 address/port pairs (ORPorts) in "a" lines. Unreachable IPv6 ORPorts are dropped from the full consensus. But for clients that use microdescriptors (the default), IPv6 ORPorts are placed in microdescriptors. So these clients can only tell if an IPv6 ORPort is unreachable when a majority of voting authorities mark the relay as not Running. This proposal puts reachable relay IPv6 ORPorts in an "a" line in the microdesc consensus. This allows clients to discover unreachable IPv6 ORPorts, even if a minority of voting authorities set AuthDirHasIPv6Connectivity 1. 2. Proposal We add two new consensus methods, here represented as M and N (M < N), to be allocated when this proposal's implementation is merged. These consensus methods move IPv6 ORPorts from microdescs to the microdesc consensus. We use two different methods because this allows us to modify client code based on each method. Also, if a bug is discovered in one of the methods, authorities can be patched to stop voting for it, and then we can implement a fix in a later method. 2.1. Add Reachable IPv6 ORPorts to the Microdesc Consensus We specify that microdescriptor consensuses created with methods M or later contain reachable IPv6 ORPorts. 2.2. Remove IPv6 ORPorts from Microdescriptors We specify that microdescriptors created with methods N or later do not contain any IPv6 ORPorts. 3. Retaining Existing Behaviour The following existing behaviour will be retained: 3.1. Authority IPv6 Reachability Only authorities configured with AuthDirHasIPv6Connectivity 1 will test IPv6 ORPort reachability, and vote for IPv6 ORPorts. This means that: * if no voting authorities set AuthDirHasIPv6Connectivity 1, there will be no IPv6 ORPorts in the consensus, * if a minority of voting authorities set AuthDirHasIPv6Connectivity 1, unreachable IPv6 ORPort lines will be dropped from the consensus, but the relay will still be listed as Running, * if a majority of voting authorities set AuthDirHasIPv6Connectivity 1, relays with unreachable IPv6 ORPorts will be dropped from the consensus. We will document this behaviour in the tor manual page, see #23870. 3.2. Full Consensus IPv6 ORPorts The full consensus will continue to contain reachable IPv6 ORPorts. 3.3. Clients that use Full Descriptors Tor clients that use full descriptors already ignore unreachable IPv6 ORPorts, and have done so since at least 0.2.8.x. 4. Impact and Related Changes 4.1. Directory Authority Configuration We will work to get a super-majority (75%) of authorities checking relay IPv6 reachability, to avoid Running-flag flapping. To do this, authorities need to get IPv6 connectivity, and set AuthDirHasIPv6Connectivity 1. 4.2. Relays and Bridges Tor relays and bridges do not currently use IPv6 ORPorts from the consensus. We expect that 2/3 of authorities will be voting for consensus method N before future Tor relay or bridge versions use IPv6 ORPorts from the consensus. 4.3. Clients 4.3.1. Legacy Clients 4.3.1.1. IPv6 ORPort Circuits Tor clients on versions 0.2.8.x to 0.3.2.x check directory documents for ORPorts in the following order: * descriptors (routerinfo, available if using bridges or full descriptors) * consensus (routerstatus) * microdescriptors (IPv6 ORPorts only) Their behaviour will be identical to the current behaviour for consensus methods M and earlier. When consensus method N is used, they will ignore unreachable IPv6 ORPorts without any code changes. 4.3.1.2. IPv6 ORPort Bootstrap Tor clients on versions 0.2.8.x and 0.2.9.x are currently unable to bootstrap over IPv6 only connections when using microdescriptors. This happens because the microdesc consensus does not contain IPv6 ORPorts. When consensus method M is used, they will be able to bootstrap over IPv6 only connections using microdescriptors, without any code changes. 4.3.2. Future Clients 4.3.2.1. Ignoring IPv6 ORPorts in Microdescs Tor clients on versions 0.3.3.x and later will ignore unreachable IPv6 ORPorts once consensus method M or later is in use. (See #23827.) 4.3.2.2. IPv6 ORPort Bootstrap If a bootstrapping IPv6-only client has a consensus made with method M or later, it should download microdescriptors from one of the IPv6 ORPorts in that consensus. Previously, IPv6-only clients would use fallback directory mirrors to download microdescs, because there were no IPv6 ORPorts in the microdesc consensus. (See #23827.) 4.3.2.3. Ignoring Addresses in Unused Directory Documents If a client doesn't use a particular directory document type for a node, it should ignore any addresses in that document type. (See #23975.) 5. Data Size This change removes 2-50 bytes from the microdescriptors of relays that have an IPv6 ORPort, and adds them to reachable IPv6 relays' microdesc consensus entries. As of October 2017, 600 relays (9%) have IPv6 ORPorts in the full consensus. Their "a" lines take up 19 KB, or 33 bytes each on average. The microdesc consensus is 1981 KB, so this represents about 1% of its uncompressed size. Most tor clients are already running 0.3.1.7, which implements consensus diffs. We expect that most directory mirrors will also implement consensus diffs by the time 2/3 of authorities are voting for consensus method M. So we expect that this change will have a minimal impact, which is made even smaller by compression and consensus diffs. 6. External Impacts We don't expect this change to impact Onionoo and similar projects, because they typically use the full consensus. Metrics doesn't currently graph IPv6 usage in Tor, but would like to in future. -- Tim / teor PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n ------------------------------------------------------------------------

3 4

Re: [tor-dev] GAEuploader now supports Windows
by Katherine Li 21 Nov '17

21 Nov '17

Hello Tor-Dev Community, GAE(Google App Engine) uploader now supports Windows, in addition to Mac and Linux. GAEuploader automates the process of uploading the meek code to App Engine. If you already have a Google account, it's pretty easy: the program will open a browser so you can authenticate and accept the App Engine terms of service, then upload the code under a domain name you choose. At the end, GAEuploader prints out a bridge line to paste into Tor Browser. The difference between this and the old meek-google is that the App Engine code you upload is just for you, not shared with anyone else. I would really appreciate user testing on GAEuploader. You can download it at: https://github.com/katherinelitor/GAEuploader/releases README: https://github.com/katherinelitor/GAEuploader Tor wiki page, containing step-by-step screenshots of how to use: https://trac.torproject.org/projects/tor/wiki/doc/GAEuploader If you have any questions, feedback or bug reports, please email me at katherineli.tor(a)gmail.com. I will respond promptly. Best, Katherine Li On Sun, Jan 22, 2017 at 3:53 PM, Katherine Li <katherineli.tor(a)gmail.com> wrote: > Hello Tor-Dev Community, > > GAE(Google App Engine) uploader has just released v1.0-beta. GAEuploader > enables clients to set up their own private meek-google in one easy step: > just run it and paste the bridge line into Tor Browser. > > Background information: Meek > <https://trac.torproject.org/projects/tor/wiki/doc/meek#Overview> is > pluggable transport that uses domain fronting. Meek-google got suspended > <https://lists.torproject.org/pipermail/tor-talk/2016-June/041699.html>, > but clients can set up their own Google App Engine app and configure their > Tor Browser accordingly. However, the process of creating and deploying the > Google App Engine can be confusing. GAEuploader significantly simplifies > this process for clients. > > I would really appreciate user testing on GAEuploader. You can download it > at: https://github.com/katherinelitor/GAEuploader/releases > README: https://github.com/katherinelitor/GAEuploader > Tor wiki page, containing step-by-step screenshots of how to use: > https://trac.torproject.org/projects/tor/wiki/doc/GAEuploader > > *GAEuploader runs on Mac or Linux, but currently does not support Windows. > *GAEuploader uses the Google Cloud SDK > <https://cloud.google.com/sdk/docs/#linux>. If you are interested in how > GAEuploader works, the README contains the list of commands that were run. > > If you have any questions, feedback or bug reports, please email me at > katherineli.tor(a)gmail.com. I will respond promptly. > > Best, > Katherine Li >

1 0

[release] [protocol] Onionoo 4.3-1.7.1
by iwakeh 20 Nov '17

20 Nov '17

Hi there! Onionoo's protocol was extended and has a minor version jump to 4.3. In addition, this release *prepares* a major *upcoming version* jump 5.0. Take note of the field "next_major_version_scheduled":"2017-12-17" in documents. Download available at: https://dist.torproject.org/onionoo/4.3-1.7.1/ Protocol changes (also summarized in [0]): Added support for a new "host_name" parameter to filter by host name and a new "unreachable_or_addresses" field with declared but unreachable OR addresses [1]. The changes are already deployed on all onionoo.torproject.org instances. Please direct comments and questions to the metrics-team mailing list [2]. Cheers, iwakeh [0] https://metrics.torproject.org/onionoo.html#versions_4_3 [1] https://metrics.torproject.org/onionoo.html#details_relay_unreachable_or_ad… [2] https://lists.torproject.org/cgi-bin/mailman/listinfo/metrics-team

1 0

Tor Metrics Roadmap 2017/18
by Karsten Loesing 20 Nov '17

20 Nov '17

Hello everyone, we, the Tor Metrics Team, have finished writing our roadmap for the 12 months between October 2017 and September 2018: https://trac.torproject.org/projects/tor/raw-attachment/wiki/org/teams/Metr… https://trac.torproject.org/projects/tor/wiki/org/teams/MetricsTeam#Roadmap… In the process of writing this roadmap we incorporated feedback from various people in the Tor community, including suggestions made on this list. And if something didn't make it on this year's roadmap, we made a note to reconsider in about a year from now. In any case, thanks a lot for contributing to this process! Stay tuned for more Tor Metrics! All the best, Karsten

2 3

Re: [tor-dev] UX improvement proposal: Onion auto-redirects using Alt-Svc HTTP header
by Alec Muffett 19 Nov '17

19 Nov '17

Apologies, I am waiting for a train and don't have much bandwidth, so I will be brief: 1) There is no point in issuing <any header of any kind> to anyone unless they are accessing <website> via an exit node. 2) It's inefficient to issue the header upon every web access by every person in the world; when the header is only relevant to 1-in-a-few-thousand users, you will be imposing extra bandwidth cost upon the remaining 99.99...% -- which is unfair to them 3) Therefore: the header should only be issued to people arriving via an exit node. The means of achieving this are a) Location b) Bending Alt-Svc to fit and breaking web standards c) Creating an entirely new header 4) Location already works and does the right thing. Privacy International already use this and issue it to people who connect to their .ORG site from an Exit Node. 5) Bending Alt-Svc to fit, is pointless, because Location already works 6) Creating a new header? Given (4) and (5) above, the only potential material benefit of it that I can see would be to "promote Tor branding" - and (subjective opinion) this would actually harm the cause of Tor at all because it is *special*. 6 Rationale) The majority the "Dark Net" shade which had been thrown at Tor over the past 10 years has pivoted upon "needing special software to access", and creating (pardon me) a "special" header to onionify a fetch seems to be promoting the weirdness of Tor, again. The required goal of redirection to the corresponding Onion site does not require anything more than a redirect, and - pardon me - but there are already 4x different kinds of redirects that are supported by the Location header (301, 302, 307, 308) with useful semantics. Why reinvent 4 wheels specially for Tor? 7) Story: when I was implementing the Facebook onion, I built infra to support such (eventual) redirection and/or exit-node-usage tracking. Hit " facebook.com/si/proxy/" from Tor/NonTor to see it in action. The most challenging thing for me was to get a reliable and cheap way to look-up, locally, quickly, cheaply and reliably, whether a given IP address corresponded to an exit node. The closest that I could get to that idea was to scrape Onionoo every so often and to cache the results into a distributed, almost-memcache-like table for the entire site. ie: squillions of machines. This mechanism suffers from all the obvious flaws, notably Onionoo crashes and/or "lag" behind the state of the consensus. 8) So, to pass concrete advice on the basis of experience: rather than pursue novel headers and reinvent a bunch of established, widely-understood web redirection technologies, I would ask that Tor focus its efforts instead upon providing a service - perhaps a listener service embedded in little-t tor as an enable-able service akin to SOCKSListener - which can accept a request from <cidr-subnetmask>, receive an newline-terminated IP address, and return a set of flags associated with that IP (exit node, relay, whatever) - or "none" where the IP is not part of the tor network. Riff on this protocol as you see fit. This would mean more people running more tor daemons in more datacentres (and possibly configuring some of them as relays) - using this lookup service to establish quickly whether $CLIENT_ADDR is an exit node or not, and whether it should be issued "308 Permanent Redirect With Same Method" I think this is a better goal for Tor to be pursuing. What do you think? - alec

7 9

Connection, Channel and Scheduler - An Intense Trek
by David Goulet 16 Nov '17

16 Nov '17

Hello everyone! DISCLAIMER: The following is enormous and tries to describe in some level of details the situation in tor with connection<->channel<->scheduler. This comes after we've merged the KIST scheduler, we've realized many things we'ren't what they were suppose to be or meant for. In the end, I'm asking questions so we can move forward with development and fixing things. Last thing before you start your journey in the depth of Tor, the 3 subsystems I'm going to talk about and how they interact are kind of very complicated so it is very possible that I might have gotten things wrong or miss some details. Please, point them out so we can better document, better be informed and make good decisions. I plan to document as much as I can from this process for a new file in torguts.git repository. This is part of the work from ticket #23993. Enjoy! == Part One - The Distant Past == Once upon a time, Tor had 0.2.3 years old. It was before the "big change" and it was using connections and circuits in a simplistic but yet clever way. I'll briefly describe here how it worked out and why we wanted to change it. Roughly, once a cell comes in, it is put in the inbound buffer called "inbuf" of a connection_t and it is processed. Then, if it needs to be relayed that is sent along the circuit it came on, it is put in that circuit queue. Each connection_t had a priority queue of "active circuits" using the EWMA policy to prioritize. The first circuit was to be flushed of a certain amount of cells onto the connection_t outbound buffer or "outbuf" where libevent main loop takes over to actually write the bytes on the network from the outbuf. Then, the circuit pqueue is updated and we would move on. The following is a high level diagram of a relayed cell: +--------------+ +-----------+ +----------------+ |connection_t A| | circuit_t | | connection_t B| | (inbuf) |--->| (pqueue) |--->| (outbuf) |---> Network +--------------+ +-----------+ +----------------+ That had at least one big problem. Not considering the entire set of circuits could make one connection (with some circuits on it) bloat the network link of the relay. It would actually be worst than that if it had bandwidth limitation, you want to pick the connection that has the highest priority for the circuit on it to flush All in all, tor needed to move to a logic where _all_ circuits are considered using the EWMA policy, flushing the cell(s) of that picked circuit on the connection outbuf so it is prioritized on the network. Then in 0.2.4, everything changed! == Part Two - The Big Change == Two new abstractions were added to Tor 0.2.4 (#6465), channel and circuitmux (short for circuit multiplexer or multiplexing, history is unclear ;). Up until this day, this is what tor is using. The channel_t object was intended to provide a "transport" abstraction layer for relay to relay connection which is reprensented by a connection_t object. Each channel has a circuitmux_t object that encapsulates the queuing logic and selection policy of circuits of a channel. In other words, the circuits that goes through that connection are listed in that object so we can do cell prioritization. To summarize, this roughly looks like this now: +------------+ |connection_t| +------------+ | v 1 +---------+ |channel_t| +---------+ | v 0..n +---------+ |circuit_t| +---------+ Channels are suppose to work as a protocol abstraction on that connection. The original intent of this was to be able to implement more easily different protocl like for instance helping researchers to experiment with other things more easily. Decoupling TLS from connection_t and putting them in a subclass of channel_t and thus was born channel_tls_t. It implements the channel_t interface and is in theory designed to handle TLS layer of relay to relay connection (handshake, cells, etc). So far, tor only has that channel class. Now that we had this layer and a way to multiplex circuits on a single connection through the use of channel, we needed one last piece, a way to prioritize cells on the network considering all circuits. Along came the "cell scheduler" (scheduler.c) in Tor 0.2.6 and now called the Vanilla scheduler. In a nutshell, libevent main loop calls the scheduler at a constant rate and the subsystem will consider all channels between each other comparing circuits priority using the EWMA policy (an interface was created to implement more policies but I won't get into that in this email). So now, tor finally had a good infrastructure to prioritize cells on the network by looking at all circuits at once. TCP connections would be established between relays, the channel layer would be handling the TLS business and the scheduler would be flushing cells on the network by considering all circuits on all channels. It is a really nice modularized design and would make tor improve in performance. But, that's not entirely the reality of things right now. == Part Three - The Thruth == In 2014, a paper came out titled: Never Been KIST: Tor’s Congestion Management Blossoms with Kernel-Informed Socket Transport (http://www.robgjansen.com/publications/kist-sec2014.pdf) An improved way for tor to scheduled data transmission properly by asking the kernel information about the state of the TCP buffers so tor could flush data on the network without bloating the local link. Then in 2016 up to now, Matthew Traudt implemented KIST in tor which required an important refactoring of the scheduler subsystem in order to make it work with different multiple scheduling type. It is today the Scheduler option in torrc. And all 0.3.2 tor uses KIST by default. Many things were discovered during that piece of work by Matt. For instance, this very important #20459 bug for which we were badly comparing cmux policy thus ultimately prioritizing wrongly our circuits. But fundemental issues in the design of channels and the scheduler were found for which I'll list some here and will ultimately lead me to Part Four of this email about our next steps moving forward. 1. Channels implemented cell queues that weren't really queues. If you look at the channel_t object, you'll notice "incoming_queue" and "outgoing_queue" which basically allow the transition of a cell from a connection_t inbuf to the circuit queue and then to the connection_t oubuf. It looks like this for a relayed cell: conn inbuf -> chan in_queue -> circ queue -> chan out_queue -> conn outbuf The idea behind this is to quickly empty the conncetion inbuf to an intermediary object (channel) leaving the kernel inbound TCP queue as much room as we can. In other words, offloading the kernel buffer to user space since we need to run some processing on that data and there was no need to leave that data on the kernel buffer during that time. Then from the channel, a cell would be put on the circuit queue and in turn would be process by the scheduler. The scheduler would select a circuit (EWMA policy), flush cells from its queue onto the channel outgoing queue and then it would be flushed to the connection outbuf which is taken care of by libevent to write on the socket (to the network). One could argue here that in terms of design we have too many queues but that would be true if the channel queues were actually acting like queues. It turns out that the incoming and outgoing queues of a channel are always empty (#23709) and this is due to the fact that the code queues a cell then processes it immediately meaning either put it on the circuit queue or connection outbuf. Each cell is memcpy() over the a channel queue and then processed right away just to be copied again into the circuit queue or outbuf. This has a performance cost over time as a relay sees thousands of cells a second. But also it makes the channel subsystem much more complicated in terms of code with trying to handle those queues every part of the way in and out of the channel subsystem. But the worst part is that the scheduler subsystem assumed some decisions based on the outgoing queue size. And when it is always 0, issue arise like #23676. 2. DESTROY cells handling Within a circuitmux object, there is a "destroy cell queue" on which a DESTROY cell is put in for one of the circuit on the cmux. An important thing for tor is that when it needs to send a DESTROY, it needs to _stop_ sending any queued cell on that circuit, dump them and only send the DESTROY cell. Many things are problematic currently. For starter, sending a DESTROY cell bypasses the scheduler (#23712). Tor will immediately try to flush the cell on the network *if* the channel doesn't have queued *writes* which means if the connection outbuf is empty. If not, once it is sufficiently drained, the channel will be scheduled in and the DESTROY cell finally sent. I've observed this process going from 0.5 seconds up to 10 seconds on a normal relay if the outbuf has data on it. Second, because of this concept of different queue for the DESTROY cell, tor will back and forth between that queue and the normal queue of a circuit. Remember, that the destroy queue is *not* per circuit but per circuitmux. This is used by the "cmux->last_cell_was_destroy" which is set to 1 if the last cell the cmux handled was a DESTROY or 0 if not. This has a side effect. Before sending a DESTROY cell, the circuit queue is cleared out without changing the circuit EWMA priority, in order to make sure we don't send cells from that point on. However, because we back and forth, the EWMA policy will pick the right channel based on the overall state of the circuits (see scheduler_compare_channels()) on it but will not prioritize the circuit with the DESTROY cell on using that policy. Furthermore, the destroy cell queue is a FIFO so if 10 DESTROY cells were queued bu th 10th one is actually on the circuit with the highest priority, we won't process it until those 9 previous who came in before are flushed. 3. Connection and Channel decoupling is kind of a lie The connection_t object is bound to be a TCP connection except for DNSPort which will be a UDP. That object also has a "TLS connection state" (tor_tls_t) and a channel_tls_t object (chan). First, it turns out that the connection subsystem will establish the TLS session and not the channel tls layer. When opening a circuit, it looks like this: channel_connect_for_circuit() |- channel_connect() |- channel_tls_connect() |- connection_or_connect() |- connection_tls_start_handshake() Second, when processing a cell from the connection inbuf in connection_or_process_cells_from_inbuf(), we'll directly call channel_tls_handle_cell(). The channel_tls_t layer handles PADDING, VERSIONS, CERTS, AUTH_CHALLENGE, AUTHENTICATE and NETINFO cells. The other cell types will be queued on the corresponding circuit queue. Third, once the TLS session has been established, a VERSIONS cell can be sent which is done by the connection subsystem with connection_or_send_versions(). But it is bypassing the channel_tls_t layer that processes them and should write them using channel_tls_write_cell_method(). Futhermore, the channel_tls_t layer is using the connection layer to send those cells using connection_or_send_certs_cell() and cie. My point here is that the channel abstraction is kind of violated in many ways by either directly calling the TLS channel layer or not using it to send specific cells that are for the TLS handshake. And also, the TLS state is baked in the connection subsystem. This means that anyone wanting to implement a new channel will need to do a major refactoring first which unfortunately leaves this abstraction kind of pointless. And do not make the mistake to label the channel subsystem as a "transport layer", it is at best a protocol layer, connection_t handles transport, not channels. 4. Vanilla scheduler is not really a scheduler. It turns out that the Vanilla scheduler is not really scheduling things but rather shoving as much as it could onto the connection outbuf. This ain't ideal because tor is selecting circuit based on a policy (EWMA) and when the circuit is selected, we would push on the connection outbuf by either writing as much as we can on the outbuf or stop at 1000 cells (see MAX_FLUSH_CELLS) which is 512 * 1000 bytes == 0.5MB. One can argue, is it too little to only write 0.5MB per scheduler tick or actually too much? So imagine tor flushed 1000 cells everytime it picks a circuit and then moves on to the next circuit. I'm not sure this is playing well with a relay with bandwidth limitation for instance. If you have 100 circuits, and 100KB to spend, you might not want to spend it all on one single circuit? Also, because this scheduler runs as often as possible, only one channel was considered everytime. Matt's experiment showed that in practice which means that a scheduler that is only considering one channel doesn't make good priority decision because there is none in the first place. Finally, when trying to bloat the outbuf as much as possible, and for that I'm not sure how libevent operates, but it leaves the decision of when and what to flush on the network to the process that handles outbuf. In other words, the scheduler doesn't actually control when the data is written to the socket so the scheduling decision aren't necessarly followed through on the transport layer. This is something the scheduler and connection subsystem should be thightly connected. == Part Four - The Conclusion == Through this epic journey, we've discovered some issues as well as design problems. Now the question is what should and can do about it? In a nutshell, there are a couple of questions we should ask our selfves and try to answer so we can move forward: * I believe now that we should seriously discuss the relevance of channels. Originally, the idea was good that is providing an abstraction layer for the relay to relay handshake and send/process cells related to the protocol. But, as of now, they are half doing it. There is an important cost in code and maintanance of something that is not properly implemented/finished (channel abstraction) and also something that is unused. An abstraction implemented only for one thing is not really useful except maybe to offer an example for others? But we aren't providing a good example right now imo... That being said, we can spend time fixing the channel subsystem, trying to turn it in a nicer interface, fixing all the issues I've described above (and I suspect there might be more) so the cell scheduler can play nicely with channels. Or, we could rip them off eliminating lots of code and reducing our technical debt. I would like us to think about what we want seriously because that channel subsystem is _complicated_ and very few of us fully understands it afaict. Which would bring us back to (which is btw basically what we have now considering the channel queues are useless): conn inbuf -> circ queue -> conn outbuf If we don't want to get rid of channel, the fixes are non trivial. For starter, we have to decide if we want to keep the channel queue or not and if yes, we need to almost start from square 1 in terms of testing because we would basically introduce a new layer of queuing cells. * Dealing with the DESTROY cell design issue will require a bit more tricky work I think. We must not starve circuit with a DESTROY cell pending to be sent else the other side keeps sending data. But we should also not starve all the circuits because if we ever need to send a gazillion DESTROY cell in priority, we'll make the relay useless (DoS vector). The question is, do we trust our EWMA policy to be wise enough to pick the circuit in a reasonable amount of time so we can flush the DESTROY cell from the circuit queue? Or we really need to bypass or prioritize somehow that cell in order to send them asap in order to avoid load on the network because the other side of the circuit is still sending? * In the short term, we should get rid of Vanilla scheduler because it complefixies a lot the scheduler code by adding uneeded things to channel_t but also bloated the scheduler interface with pointless function pointers for instance. And in my opinion, it is not helping performance the way it is done right now. Cheers! David -- tU3F3BDoF3rwk9y3O+UAixfuPnil7VNkwl0LGe2cdpA=

7 12

UX improvement proposal #2: Encrypted bookmarks for onions
by George Kadianakis 16 Nov '17

16 Nov '17

Hello, here is another onion-related UX improvement proposal. We still don't have a plan for how to concretely fix the onion naming issue, and we recently released next gen onions so names just got bigger. Ideally we should start experimenting with solutions sooner than later (also see https://blog.torproject.org/cooking-onions-names-your-onions) I think a local-solution akin to bookmarks makes sense to start with, so I opened a trac ticket today about encrypted bookmarks on Tor Browser: https://trac.torproject.org/projects/tor/ticket/24310 Please let me know if you are aware of firefox addon projects that do encrypted bookmarks that we could use or start basing our work on. Cheers!

2 1

Understanding the guard/md issue (#21969)
by George Kadianakis 15 Nov '17

15 Nov '17

Hey Tim, just wanted to ask a clarifying question wrt #21969. First of all there are various forms of #21969 (aka the "missing descriptors for some of our primary entry guards" issue). Sometimes it occurs for 10 mins and then goes away, whereas for other people it disables their service permanently (until restart). I call this the hardcore case of #21969. It has happened to me and disabled my service for days, and I've also seen it happen to other people (e.g. dgoulet). So. We have found various md-related bugs and put them as children of #21969. Do you think we have found the bugs that can cause the hardcore case of #21969? That is, is any of these bugs (or a bug combo) capable of permanently disabling an onion service? It seems to me that all the bugs identified so far can only cause #21969 to occur for a few hours before it self-heals itself. IIUC, even the most fundamental bugs like #23862 and #23863 are only temporarily, since eventually one of the dirguards will fetch the missing mds and give them to the client. Do you think that's the case? I'm asking you because I plan to spend some serious time next week on #21969-related issues, and I'd like to prioritize between bug hunting and bug fixing. That is, if the root cause of the hardcore case of #21969 is still out there, I'd like to continue bug hunting until I find it. Let me know what you think! Perhaps you have other ideas here of how we should approach this issue. Cheers!! :) PS: Sending this as an email since our timezones are making it kind hard to synch up on IRC.

2 5

Question on Tor Design (current and maybe past and future)
by ng0 11 Nov '17

11 Nov '17

Hi, can one of the core developers tell me if there exists a current summary of the design of Tor? I've started looking into OR for GNUnet and as far as I know from the papers in the anonbib and one 2013 presentation slides I've read so far, Tor went through many changes over the years. I'm interested in what you use today, where you are heading (or what you are considering for the future) and maybe reasons why past designs were changed. Best regards, ng0 -- GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://dist.ng0.infotropique.org/dist/keys/ WWW: https://ng0.infotropique.org

4 5