One missing piece of rend-spec-ng.txt [0] is a section on how HSes should pick their Introduction Points (IPs). There are three main questions here: - How many IPs should an HS have? - Which relays can be IPs? - What's the lifetime of an IP?
==Introduction Points attacks==
Before exploring these questions it's a good idea to state a rough threat model for IPs. First, let's get a visual taste, here is how IPs work in the current HS protocol: https://people.torproject.org/~asn/hs/ip_placement_currently.jpg (number of IPs reduced to 2 to make it more readable)
As you can see, IPs are in a good position to conduct any of the following attacks:
a) IPs can count the number of introductions for a subset of clients (i.e. in the figure above, IP_1 would be able to count introductions from the clients above it). Since clients pick IPs uniformly at random, it's not hard to extrapolate from that to the total number of introductions.
b) IPs have presense information about the HS. That is, they know whether the HS is up or down at a given time since they have a long-term stable circuit to it.
FWIW, regular clients also have this ability by continuously "pinging" the HS and noticing when it's down.
And, of course, an attacker who controls all the IPs of an HS can trivially DoS the HS (till the HS refreshes its IPs).
Furthermore, as part of the Next Generation HSes initiative [0], we are considering enhancing the availability of HSes by allowing multiple nodes per Hidden Service. A plausible idea for achieving that is to allow multiple IP circuits per Introduction Point, as explained in [tor-dev] by Christopher Baines [1]. This means that IPs would work like this: https://people.torproject.org/~asn/hs/ip_placement_scaling.jpg where HS_1, HS_2 and HS_3 are the various nodes of the HS.
This allows the IPs to launch the following attacks:
a) IPs can learn the number of nodes of an HS, by counting the number of IP circuits on them. Also, the IPs can learn the prsense of the nodes of an HS, by looking at the state of their circuit.
b) IPs can choose which HS node will receive traffic.
==How many IPs should an HS have?==
Now let's investigate how many IPs an HS should have.
The current situation is that HSes attempt to estimate their own popularity [2], and then they launch a number of IPs between 3 and 10 depending on how popular they think they are. FWIW, we don't really understand whether the formula works properly [3].
There are a few options for the future here:
a) Fix the formula and keep number of IPs dynamic based on the popularity of the HS.
This is not a bad idea. However, we should make sure that from the number of IPs you can't easily derive the number of clients of the HS. Also we should make sure that the formula works properly.
b) Have a static amount of IPs per HS. For example '5' of them.
I'm not sure what kind of calculations we need to do to find the right constant here (same for the (a) option).
c) Have a static amount of IPs per HS, but also allow this to be configurable by the HS operator.
The idea here is that popular HSes can pump up the number of IPs to make the service more reachable. It's worth noting that HSes who do so will stand out as manually configured; not sure if any other partition attacks can happen here. Also, there is also the danger of all HS operators thinking they are special and pumping the number of IPs to 42.
Generally, we want to have a healthy amount of IPs (so that they don't get DoSed, and that requests get load balanced nicely), but also not too many because every HS having many IP circuits will put a load to the network (especially with services like Torchat where each client is an HS), and also because we want to avoid too many nodes becoming our IPs over time (more on this below).
==Which relays can be IPs?==
This seems to be the easiest question here and Tor is currently handling it well by only restricting IPs to be Stable nodes [4].
This means that with the current network, we have about 4000 possible IPs to choose from [5].
This makes sense since we want to maximize the set of possible IPs, but we also want them to be stable to decrease their natural churn.
==What's the lifetime of an IP?==
Another hard question: How long should we keep IPs for?
Currently, Tor keeps IPs for a random time between 18 to 24 hours [6].
This seems like too short of a period if we actually want to protect against adversarial nodes ever becoming our IPs: Consider an HS with 5 IPs that rotates them every 24 hours, in only two months it will use 300 nodes as IPs plus the natural churn (which is not negligible at all).
With that in mind we need to look at all the possible attacks that IPs could launch and decide whether they should be short-lived or long-lived. For example, waldo in a related thread [7] [8] asks for short-lived IPs, but recent entry guard research has shown that making guards more long-lived is actually beneficial for security [9].
I'm personally leaning towards more long-lived IPs but I still don't know what our constants should be. I could see anything from a week, to a month, to 5 months as reasonable IP lifetimes.
We also need to look at INTRO_POINT_LIFETIME_INTRODUCTIONS, since apparently in the current code, IPs will expire on their own if they perform more than 16384 introductions.
==Conclusion==
I hope that this thread serves as a good start on discussing Introduction Point security. After we take some decisions, we will need to write them down as a proposal and incorporate them in rend-spec-ng.txt.
Also, this thread does not explore other IP matters, like how many HS nodes should correspond to each IP if we go ahead with the scaling ideas [10]. I decided to not include this in the discussion, so that we keep it simple and also so that we don't focus on a particular scaling scheme.
References:
[0]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/224-rend-spec...
[1]: https://lists.torproject.org/pipermail/tor-dev/2014-April/006788.html
[2]: https://gitweb.torproject.org/tor.git/blob/ab3d5c049032651a9c9164262f9a8f81d...
[3]: https://trac.torproject.org/projects/tor/ticket/8950
[4]: https://gitweb.torproject.org/tor.git/blob/bb68c731b897a967a4b7eb138728fa077...
[5]: https://metrics.torproject.org/network.html#relayflags
[6]: https://gitweb.torproject.org/tor.git/blob/bb68c731b897a967a4b7eb138728fa077... https://gitweb.torproject.org/tor.git/blob/bb68c731b897a967a4b7eb138728fa077...
[7]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006815.html
[8]: waldo also mentions an IP guard discovery attack in another reply of his: https://lists.torproject.org/pipermail/tor-dev/2014-May/006843.html
However, I'm not sure if it's actually doable, since I think that HSes will discard an IP that has failed a circuit. We need to look into this more seriously.
[9]: https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-par...
[10]:https://lists.torproject.org/pipermail/tor-dev/2013-October/005615.html https://lists.torproject.org/pipermail/tor-dev/2013-October/005683.html