[tor-bugs] #16260 [Tor]: HS can repick an expired intro points or one that we've already picked

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jun 1 19:23:57 UTC 2015 

#16260: HS can repick an expired intro points or one that we've already picked
------------------------------+------------------------------------
 Reporter:  dgoulet           |          Owner:
     Type:  defect            |         Status:  new
 Priority:  normal            |      Milestone:  Tor: 0.2.7.x-final
Component:  Tor               |        Version:
 Keywords:  SponsorR, tor-hs  |  Actual Points:
Parent ID:                    |         Points:
------------------------------+------------------------------------
 Let's assume here we are about to cycle our intro points in
 `rend_services_introduce()`, we do a dance and at the end we choose 3 new
 ones. To do that, we use `router_choose_random_node()` that picks a random
 node using the torrc `ExcludeNodes` list but also an exclude_nodes list
 that we've populated before which contains expired intro points.

 After that, we happily launch an intro circuit by calling
 `rend_service_launch_establish_intro()` and then
 `circuit_launch_by_extend_info()`. In there, a circuit can be cannibalized
 and if so, the exit node is NOT extended to our intro points that we
 picked earlier because of our purpose:

 {{{
   case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO:
     /* it's ready right now */
 }}}

 The IP is then changed to the one we just cannibalized once we have our
 circuit. This is not desirable for two reasons:
  1) We ignore the exclude nodes list thus we can end up picking an expired
 IP.
  2) We can use to the same IP multiple times for a single descriptor.

 All of the above, I was able to reproduce in a chutney network that is
 having a set of IPs that expired in the previous period and a set of IPs
 that are all the same.

 It's not that terrible in the real network because the probability of that
 happening is roughly `1/<relay count>` which is < 1% currently, still
 worth fixing imo.

 Possible solution for this:
  i) Use a 4th hop for the IP circuit meaning we allow cannibalization but
 we extend the circuit to the intro point.

  ii) Disable cannibalization for intro point thus always creating a fresh
 circuit ending up at the right place.

 My pick here would be i) because I think a 4th hop is cheaper than a
 creating a new circuit.

 Comments welcome!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16260>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list