[anti-censorship-team] Snowflake rendezvous design meeting 2021-05-18 14:00

Mon May 17 21:38:06 UTC 2021

We'll have a meeting tomorrow to talk about redesigning changing the
format of client–broker rendezvous messages, in order to support client
registration methods other than domain-fronted HTTPS. To save time, this
message has a proposed agenda and background information to read before
the meeting.

- Answer questions about background, the status quo, and future broker
  development goals.
- Message versioning
  - Inside or outside JSON?
  - Backward compatibility with legacy-format messages.
  - Future need for encrypted/signed messages.
- How do alternative rendezvous methods interface with the broker?
  - Same process or separate processes?
  - If separate, then how does IPC with the broker work? Convert
    registrations to localhost HTTP, or create some other local
    communication protocol?

Recent work on this topic is:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29293
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/36

Background

A client sends a message to the Snowflake broker to request proxy
service. See https://www.bamsoftware.com/papers/thesis/#p279 for a
high-level description. Concretely, the client sends a domain-fronted
HTTP POST request with a body that is a JSON serialization of an SDP
offer (https://pkg.go.dev/github.com/pion/webrtc/v3#SessionDescription):
	https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/lib/rendezvous.go?id=0054cb2dec19e89e07b8c5a6d8b9d23589842deb#n89
A request looks like this:
	POST /client HTTP/1.1
	Snowflake-NAT-Type: restricted

	{"type":"offer","sdp":"v=0\r\n..."}
If the broker can match the client with a proxy, the response has status
200 and the body is the JSON serialization of an SDP answer:
	HTTP/1.1 200 OK

	{"type":"answer","sdp":"v=0\r\n..."}
If the broker cannot make a match, the response has a status of 503 or
504, and an empty body:
	HTTP/1.1 503 Service Unavailable
If there is a syntax problem with the client's offer, the response has
status 400:
	HTTP/1.1 400 Bad Request

The problem with the current message formats is that they rely of
features of HTTP not present in other protocols, and they are not easily
extensible. The HTTP bodies are assumed to contain an SDP offer/answer
and that only, so any side information has to go somewhere else, such as
Snowflake-NAT-Type which is sent in an HTTP header (#34129). The
200/503/400 status codes also are not present in other protocols.

Parts of what is conceptually a single message are scattered across the
HTTP body, header, and status code. The goal is to move all the
information into a common message format that can also be used by other
rendezvous channels. That means *all* the necessary information will be
present in the HTTP body, and status codes will always be 200.

Some past design sketches:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29293#note_2592968
	When the client requests /client, the broker returns either a
	200 with a response body, an empty 503, or an empty 400. This is
	awkward when doing rendezvous over non-HTTP channels, or even
	over AMP cache, which doesn't reliably pass through the server's
	original status code... It would be easier if all the necessary
	information in the broker's response were in the HTTP body,
	because that's easier to port to other channels.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/25985#note_2592357
	I propose to remove this ambiguity by including the data payload
	inside the JSON object that represents an error. Just like in an
	HTTP response, we have two things—a status code and a
	message—inside one package.

We have already made a similar change to /proxy messages, for example
changing status codes 200 and 504 to the strings "client match" and
"no match":
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29207#note_2592837
https://github.com/cohosh/snowflake/pull/8/files
We don't have plans to use anything other than HTTP for proxy–broker
messages, so it was less important in that case to remove all reliance
on HTTP. We are also generally less concerned about backward
compatibility for proxies than we are for clients.

cohosh has drafted a merge request that moves almost all message
information into JSON in HTTP bodies:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/36
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/eec9d6838f29ee13b2b6c4d6e0a5724ca5a0b43b/common/messages/client.go#L14-45
The above client request would become:
	POST /client HTTP/1.1

	{"Version":"1.0","Offer":{"type":"offer","sdp":"v=0\r\n..."},"NAT":"restricted"}
In the event of a match, the responses would be:
	HTTP/1.1 200 OK

	{"Answer":{"type":"answer","sdp":"v=0\r\n..."}}
If no match:
	HTTP/1.1 200 OK

	{"Error":"timed out waiting for answer!"}
Parsing errors currently still use an HTTP status code:
	HTTP/1.1 400 Bad Request

This work is primarily towards the goal of supporting other rendezvous
methods:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/25594
But we also want to keep in mind other development goals for the
Snowflake broker. We want to encrypt and authenticate broker messages in
the future, and the message format should facilitate that, without our
having to think of another backcompat scheme in the future:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/22945
And we want to be able to move the broker away from being one big
process that manages everything. Ideally, different rendezvous methods
run in different processes, with reduced privileges, and can crash and
be restarted independently of the main broker.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/26092