[tor-commits] [torspec/master] Add three older documents removed from tor.git

nickm at torproject.org nickm at torproject.org
Thu Jun 13 01:12:41 UTC 2013

commit 1e074bfe15908069f1b61d4f9d95a3168e997a57
Author: Nick Mathewson <nickm at torproject.org>
Date:   Wed Jun 12 21:12:35 2013 -0400

    Add three older documents removed from tor.git
 attic/authority-policy.txt   |   89 +++++++++++++++++++++
 attic/torel-design.txt       |  181 ++++++++++++++++++++++++++++++++++++++++++
 attic/v3-authority-howto.txt |   84 ++++++++++++++++++++
 3 files changed, 354 insertions(+)

diff --git a/attic/authority-policy.txt b/attic/authority-policy.txt
new file mode 100644
index 0000000..7072082
--- /dev/null
+++ b/attic/authority-policy.txt
@@ -0,0 +1,89 @@
+0. Overview.
+   This document contains various informal policies for how to operate
+   a directory authority, how to choose new ones, etc.
+1. How to pick a new directory authority.
+   Here's our current guidelines for how to pick new directory
+   authorities.
+   (These won't ever be formal criteria -- we need to keep this flexible
+   so we can adapt to new situations.)
+   o Stability:
+     - Must be a low-downtime Tor server (computer as well as network).
+     - Must have a static IP.
+     - The operator must have been running a stable Tor server for at least
+       3 months.
+     - Must intend for this server to stick around for the next 12 months
+       or more.
+     - Must not hibernate.
+     - Should not be an exit node (as this increases the risk both of
+       downtime and of key compromise).
+   o Performance:
+     - Must have sufficient bandwidth: at least 10mbit/s symmetric,
+       though in practice the inbound traffic can be considerably less.
+   o Availability:
+     - Must be available to upgrade within a few days in most cases.
+       (While we're still developing Tor, we periodically find bugs that
+       impact the whole network and require authority upgrades.)
+     - Should have a well-known way to contact the administrator
+       via PGP-encrypted message.
+   o Integrity:
+     - Must promise not to censor or attack the network and users.
+     - Should be run by somebody that Tor (i.e. Roger) knows.
+     - Should be widely regarded as fair/trustworthy, or at least
+       known, by many people.
+     - If somebody asks you to backdoor or change your server, legally or
+       otherwise, you will fight it to the extent of your abilities. If
+       you fail to fight it, you must shut down the Tor server and notify
+       us that you have.
+   o Diversity
+     - We should avoid situations that make it likelier for multiple
+       authority failures to happen at the same time.  Therefore...
+       - It's good when authorities are not all in the same country.
+       - It's good when authorities are not all in the same jurisdictions.
+       - It's good when authorities are not all running the same OS.
+       - It's good when authorities are not all using the same ISP.
+       - It's good when authorities are not all running the same
+         version of Tor.
+       - No two authorities should have the same operator.
+     - Maximal diversity, however, is not always practical.  Sometimes,
+       for example, there is only one version of Tor that provides a
+       given consensus generation algorithm.
+     - A small group of authorities with the same country/jurisdiction/OS is
+       not a problem, until that group's size approaches quorum (half the
+       authorities).
+2. How to choose the recommended versions
+  The policy, in a nutshell, is to not remove versions without a good
+  reason. So this means we should recommend all versions except:
+  - Versions that no longer conform to the spec. That is, if they wouldn't
+    actually interact correctly with the current Tor network.
+  - Versions that have known security problems.
+  - Versions that have frequent crash or assert problems.
+  - Versions that harm the performance or stability of the current Tor
+    network or the anonymity of other users. For example, a version
+    that load balances wrong, or a version that hammers the authorities
+    too much.
+> some use the slight variant of requiring a *good* reason.
+> excellent reasons include "there's a security flaw"
+> good reasons include "that crashes every time you start it. you would think
++tor is dumb if you tried to use that version and think of it as tor."
+> good reasons include "those old clients do their load balancing wrong, and
++they're screwing up the whole network"
+> reasons include "the old one is really slow, clients should prefer the new
+> i try to draw the line at 'good reasons and above'
diff --git a/attic/torel-design.txt b/attic/torel-design.txt
new file mode 100644
index 0000000..610cbe2
--- /dev/null
+++ b/attic/torel-design.txt
@@ -0,0 +1,181 @@
+Design For A Tor DNS-based Exit List
+  This is a suggested design for a DNS Exit List (DNSEL) for Tor exit nodes.
+  See http://exitlist.torproject.org/ for an implementation.
+  It's useful for third parties to be able to tell when a given connection
+  is coming from a Tor exit node.  Potential applications range from
+  "anonymous user" cloaks on IRC networks like oftc, to networks like
+  Freenode that apply special authentication rules to users from these
+  IPs, to systems like Wikipedia that may want to make a priority of
+  _unblocking_ shared IPs more liberally than non-shared IPs, since shared
+  IPs presumably have non-abusive users as well as abusive ones.
+  Since Tor provides exit policies, not every Tor server will connect to
+  every address:port combination on the Internet.  Unless you're trying to
+  penalize hosts for supporting anonymity, it makes more sense to answer
+  the fine-grained question "which Tor servers will connect to _me_?" than
+  the coarse-grained question "which Tor servers exist?"  The fine-grained
+  approach also helps Tor server ops who share an IP with their Tor
+  server: if they want to access a site that blocks Tor users, they
+  can exclude that site from their exit policy, and the site can learn
+  that they won't send it anonymous connections.
+  Tor already ships with a tool (the "contrib/exitlist" script) to
+  identify which Tor nodes might open anonymous connections to any given
+  exit address.  But this is a bit tricky to set up, so only sites like
+  Freenode and OFTC that are dedicated to privacy use it.
+  Conversely, providers of some DNSEL implementations are providing
+  coarse-grained lists of Tor hosts -- sometimes even listing servers that
+  permit no exit connections at all.  This is rather a problem, since
+  support for DNSEL is pretty ubiquitous.
+  Keep a running Tor instance, and parse the cached-routers and
+  cached-routers.new files as new routers arrive.  To tell whether a given
+  server allows connections to a certain address:port combo, look at the
+  definitions in dir-spec.txt or follow the logic of the current exitlist
+  script. If bug 405 is still open when you work on this
+  (https://bugs.torproject.org/flyspray/index.php?do=details&id=405), you'll
+  probably want to extend it to look at only the newest descriptor for
+  each server, so you don't use obsolete exit policy data.
+  FetchUselessDescriptors would probably be a good torrc option to enable.
+  If you're also running a directory cache, you get extra-fresh
+  information.
+The DNS interface
+  Standard DNSEL, if I understand right, looks like this: There's some
+  authoritative name server for foo.example.com.  You want to know if
+ is in the list, so you query for an A record for
+  If the record exists and has the value
+[DNSBL-EMAIL], is in the list.  If you get an NXDOMAIN
+  error, is not in the list.  If you ask for a domain name outside
+  of the foo.example.com zone, you get a Server Failure error[RFC 1035].
+  Assume that the DNSEL answers queries authoritatively for some zone,
+  torhosts.example.com.  Below are some queries that could be supported,
+  though some of them are possibly a bad idea.
+  Query type 1: "General IP:Port"
+    Format:
+        {IP1}.{port}.{IP2}.ip-port.torhosts.example.com
+    Rule:
+        Iff {IP1} is a Tor server that permits connections to {port} on
+        {IP2}, then there should be an A record with the value
+    Example:
+        "" should have the
+        value if and only if there is a Tor server at
+        that allows connections to port 80 on
+    Example use:
+        I'm running an IRC server at w.x.y.z:9999, and I want to tell
+        whether an incoming connection is from a Tor server.  I set
+        up my IRC server to give a special mask to any user coming from
+        an IP listed in 9999.z.y.x.w.ip-port.torhosts.example.com.
+        Later, when I get a connection from a.b.c.d, my ircd looks up
+        "d.c.b.a.9999.z.y.x.w.ip-port.torhosts.example.com" to see
+        if it's a Tor server that allows connections to my ircd.
+  Query type 2: "IP-port group"
+    Format:
+        {IP}.{listname}.list.torhosts.example.com
+    Rule:
+        Iff this Tor server is configured with an IP:Port list named
+        {listname}, and {IP} is a Tor server that permits connections to
+        any member of {listname}, then there exists an A record.
+    Example:
+        Suppose torhosts.example.com has a list of IP:Port called "foo".
+        There is an A record for
+        if and only if is a Tor server that permits connections
+        to one of the addresses in list "foo".
+    Example use:
+        Suppose torhosts.example.com has a list of hosts in "examplenet",
+        a popular IRC network.  Rather than having them each set up to
+        query the appropriate "ip-port" list, they could instead all be
+        set to query a central examplenet.list.torhosts.example.com.
+    Problems:
+        We'd be better off if each individual server queried about hosts
+        that allowed connections to itself.  That way, if I wanted to
+        allow anonymous connections to foonet, but I wanted to be able to
+        connect to foonet from my own IP without being marked, I could add
+        just a few foonet addresses to my exit policy.
+  Query type 3: "My IP, with port"
+    Format:
+        {IP}.{port}.me.torhosts.example.com
+    Rule:
+        An A record exists iff there is a tor server at {IP} that permits
+        connections to {port} on the host that requested the lookup.
+    Example:
+        "" should have an A record if
+        and only if there is a Tor server at that allows
+        connections to port 80 of the querying host.
+    Example use:
+        Somebody wants to set up a quick-and-dirty Tor detector for a
+        single webserver: just point them at 80.me.torhosts.example.com.
+    Problem:
+        This would be easiest to use, but DNS gets in the way. If you
+        create DNS records that give different results depending on who is
+        asking, you mess up caching.  There could be a fix here, but might
+        not.
+  RECOMMENDATION: Just build ip-port for now, and see what demand is
+  like.  There's no point in building mechanisms nobody wants.
+Web interface:
+  Should provide the same data as the dns interface.
+Other issues:
+  After a Tor server op turns off their server, it stops publishing server
+  descriptors. We should consider that server's IP address to still
+  represent a Tor node until 48 hours after its last descriptor was
+  published.
+  30-60 minutes is not an unreasonable TTL.
+  There could be some demand for address masks and port lists. Address
+  masks wider than /8 make me nervous here, as do port ranges.
+  We need an answer for what to do about hosts which exit from different
+  IPs than their advertised IP. One approach would be for the DNSEL
+  to launch periodic requests to itself through all exit servers whose
+  policies allow it -- and then see where the requests actually come from.
+  [DNSBL-EMAIL] Levine, J., "DNS Based Blacklists and Whitelists for
+  E-Mail", http://tools.ietf.org/html/draft-irtf-asrg-dnsbl-02, November
+  2005.
+  [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+  Specification", RFC 1035, November 1987.
diff --git a/attic/v3-authority-howto.txt b/attic/v3-authority-howto.txt
new file mode 100644
index 0000000..e4470e8
--- /dev/null
+++ b/attic/v3-authority-howto.txt
@@ -0,0 +1,84 @@
+                    How to add a v3 directory authority.
+What we'll be doing:
+   We'll be configuring your Tor server as a v3 directory authority,
+   generating a v3 identity key plus certificates, and adding your v3
+   identity fingerprint to the list of default directory authorities.
+The steps:
+0) Make sure you're running ntp, and that your time is correct.
+   Make sure you have Tor version at least r12724. In the short term,
+   running a working authority may mean running the latest version of
+   Tor from SVN trunk. Later on, we hope that it will become easier
+   and you can just run a recent development release (and later still,
+   a recent stable release).
+1) First, you'll need a certificate.  Run ./src/tools/tor-gencert to
+   generate one.
+   Run tor-gencert in a separate, very secure directory.  Maybe even on
+   a more secure computer.  The first time you run it, you will need to
+   run it with the --create-identity-key option to make a v3 authority
+   identity key.  Subsequent times, you can just run it as-is.
+   tor-gencert will make 3 files:
+      authority_identity_key -- THIS IS VERY SECRET AND VERY SENSITIVE.
+      authority_signing_key -- A key for signing votes and v3 conensuses.
+      authority_certificate -- A document authenticating your signing key
+         with your identity-key.
+   You will need to rotate your signing key periodically.  The current
+   default lifetime is 1 year.  We'll probably take this down to a month or
+   two some time soon.  To rotate your key, run tor-gencert as before,
+   but without the --create-identity-key option.
+2) Copy authority_signing_key and authority_certificate to your Tor keys
+   directory.
+   For example if your data directory is /var/lib/tor/, you should run
+     cp authority_signing_key authority_certificate /var/lib/tor/keys/
+   You will need to repeat this every time you rotate your certificate.
+3) Tell your Tor to be a v3 authority by adding these lines to your torrc:
+   AuthoritativeDirectory 1
+   V3AuthoritativeDirectory 1
+4) Now your authority is generating a networkstatus opinion (called a
+   "vote") every period, but none of the other authorities care yet. The
+   next step is to get a Tor developer (likely Roger or Nick) to add
+   your v3 identity fingerprint to the default list of dirservers.
+   First, you need to learn your authority's v3 identity fingerprint.
+   It should be in your authority_certificate file in a line like:
+     fingerprint 3041632465FA8847A98B2C5742108C72325532D9
+   One of the Tor developers then needs to add this fingerprint to
+   the add_default_trusted_dirservers() function in config.c, using
+   the syntax "v3ident=<fingerprint>". For example, if moria1's new v3
+   identity fingerprint is FOO, the moria1 dirserver line should now be:
+     DirServer moria1 v1 orport=9001 v3ident=FOO FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441
+   The v3ident item must appear after the nickname and before the IP.
+5) Once your fingerprint has been added to config.c, we will try to
+   get a majority of v3 authorities to upgrade, so they know about you
+   too. At that point your vote will automatically be included in the
+   networkstatus consensus, and you'll be a fully-functioning contributing
+   v3 authority.
+   Note also that a majority of the configured v3 authorities need to
+   agree in order to generate a consensus: so this is also the point
+   where extended downtime on your server means missing votes.

More information about the tor-commits mailing list