The circID is scoped under a given connection between adjacent nodes.
A relay node maintains a mapping of circIDs for a circuit - mapping the
forward and backward circID - for traffic it is relaying.
So for a circuit ...
client <-ID_a-> guard <-ID_b-> middle <-ID_c-> exit
... each of the ID_*s are independent, and any node only knows the IDs
immediately "adjacent" to it. Each connection (e.g. each client to that
guard) has an independent enumeration/allocation of IDs.
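A toy model of the per-connection circID scoping described above, added here as an illustration (it is not code from this thread or from Tor). Node names are constructed, and ID allocation is simplified to "the side extending the circuit picks the next unused ID on that connection".

```python
import itertools
from collections import defaultdict


class Node:
    """Toy Tor node: per-connection circID allocation plus a relay mapping table."""

    def __init__(self, name):
        self.name = name
        # (link, circid) on one side  ->  (link, circid) on the other side
        self.circuit_map = {}
        # IDs are enumerated independently on each connection (simplified allocation)
        self.counters = defaultdict(lambda: itertools.count(1))

    def new_circid(self, link):
        return next(self.counters[link])

    def lookup(self, link, circid):
        """What a relay does for a cell arriving on (link, circid); None if unknown."""
        return self.circuit_map.get((link, circid))


def link(a, b):
    """A connection between two adjacent nodes, identified only by its endpoints."""
    return frozenset((a.name, b.name))


def build_circuit(path):
    """Extend a circuit hop by hop; returns the list of per-hop (link, circID)."""
    hops = []
    for a, b in zip(path, path[1:]):
        l = link(a, b)
        hops.append((l, a.new_circid(l)))
    # every intermediate relay records the backward <-> forward ID pairing,
    # and nothing else: it never learns IDs on links it is not part of
    for i, relay in enumerate(path[1:-1], start=1):
        back, fwd = hops[i - 1], hops[i]
        relay.circuit_map[back] = fwd
        relay.circuit_map[fwd] = back
    return hops


if __name__ == "__main__":
    client, guard, middle, exit_ = (Node(n) for n in ("client", "guard", "middle", "exit"))
    hops = build_circuit([client, guard, middle, exit_])
    for (l, cid) in hops:
        print(sorted(l), "circID", cid)
    # the exit has no idea what ID the client<->guard connection uses
    print("exit knows ID_a?", exit_.lookup(*hops[0]) is not None)
```

Running it shows all three hops get circID 1, because each connection starts its own enumeration; a second circuit through the same guard reuses the number 1 on the new client connection without colliding with the first.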
That is an awesome explanation, thank you ever so much.
If I read that right, the most that an attacker with observability of the Cloudflare IP addresses could get is either ...
1) correlation backwards to "Server Side Middle 1" for browsing a normal onion over Tor; or...
2) correlation backwards to "Client Side Middle" for browsing a single-hop onion over Tor
Am I correct?
I'm not sure what you mean by "correlation backwards".
The Onion Service and the Onion Service Guard (or Single Onion Service
Rendezvous Point) both know the circuit id sent from the Onion Service to the
proxy. If an attacker controls the Onion Service Guard (or Single Onion Service
Rendezvous Point), then they can correlate backwards to the Server Side Middle 1
(or Client Side Middle) by looking up linked circuit ids on the node they control.
The Rendezvous Point is chosen by the client, so it is just as likely to be malicious
as any other node.
The latter seems not very much worse than the information which a compromised exit node would be able to obtain ("Browsing Normal Web over Tor"), although it would be a lot more available when the circID is presented to any backbone observer who can sniff IPv6?
This IPv6 address isn't in the IP header of the packets between Cloudflare's
onion service and Cloudflare's proxy.
It's sent inside the TCP (or TLS?) connection between the Tor onion service
and the proxy instance, as a text header before any other inner TCP or TLS:
If Cloudflare encrypts their onion service to proxy connections (and they
should), the circuit id will only be known to the onion service and its guard
(or rendezvous point, for a single-hop onion service connection).
Alternately, if Cloudflare hosts its onions in the same data centre as the proxies
they talk to, then the risk of interception is low.
Then, if the proxy strips out this header before sending the request to the origin
site, or connects to the origin site using TLS, then this IP address shouldn't be
visible on the backbone.
Note: some origin sites still use HTTP to talk to CloudFlare:
Also note: the CloudFlare dashboard shows the circuit id to site owners:
I can't see how having the actual circuit id is useful to site owners.
They can't block it effectively, because it's transient.
(And the same circuit id can be re-used by independent connections.)
These are good questions for Mahrud, who I've CC'd.
T