[tor-bugs] #7167 [Pluggable transport]: Combine traffic obfuscation with address diversity of flash proxy

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 4 17:33:59 UTC 2013

#7167: Combine traffic obfuscation with address diversity of flash proxy
 Reporter:  karsten                      |          Owner:  asn
     Type:  project                      |         Status:  new
 Priority:  normal                       |      Milestone:     
Component:  Pluggable transport          |        Version:     
 Keywords:  SponsorF20131101 flashproxy  |         Parent:     
   Points:                               |   Actualpoints:     

Comment(by asn):

 We had a discussion about this project with David and Ximin. We decided
 that we will probably build a super-proxy that chains PTs together.

 So the topology for the client-side will look like this:

 |tor client| -> ( |obfsproxy| -> |flashproxy| ) -> |INTERNET|

 where the parentheses is the super-proxy.

 The topology on the server-side is similar:

 |internet| -> ( |flashproxy| -> |obfsproxy| ) -> |Extended ORPort|


 We've been having some problems with the server-side, since
 |obfsproxy| is no longer aware of the client's IP address, and can't
 report it using the Extended ORPort.

 This means that the super-proxy is probably going to do the Extended
 ORPort handshake, since it's the entity who knows the IP address of
 the client (it also knows the name of the combined pluggable transport

 Thinking about it like this:

 |internet| -> |super_1| -> |flashproxy| -> |obfsproxy| -> |super_2| ->
 |Extended ORPort|

 the question now becomes:

 "How does |super_2| match up the connections it receives from
 |obfsproxy| with the connections received in |super_1|?"

 We have a few options. Unfortunately, all of them seem ugly.

 a) Make both |flashproxy| and |obfsproxy| Extended ORPort listeners,
 and chain up Extended ORPort connections.

 b) Implement yet-another-metadata protocol for this use case.

 So for example, |super_1| prepends the client IP to the traffic
 flow (with a delimiter) and both |flashproxy| and |obfsproxy| pass
 it on to |super_2| who does the Extended ORport connection with the

 c) Have |super_2| bind to different local ports to denote different

 So for example, when |super_1| receives connection X, it asks the
 transport proxies to forward this connection to a specific port
 number that |super_2| binds to. This way |super_2| knows that data
 received to that port is from connection X. Different connections
 use different ports.

 d) Put client IPs in a queue inside |super| and when |super_2|
 connects to the Extended ORPort pop the queue and report that
 IP. Of course, this doesn't guarantee that client IPs will match
 with the correct data :) Tor doesn't care about this currently, but
 it might in the future.

 The above solutions are hacky or/and cheap or/and evil.
 What other solutions exist?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7167#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list