[tor-commits] [torspec/master] Add three older documents removed from tor.git
nickm at torproject.org
nickm at torproject.org
Thu Jun 13 01:12:41 UTC 2013
commit 1e074bfe15908069f1b61d4f9d95a3168e997a57
Author: Nick Mathewson <nickm at torproject.org>
Date: Wed Jun 12 21:12:35 2013 -0400
Add three older documents removed from tor.git
---
attic/authority-policy.txt | 89 +++++++++++++++++++++
attic/torel-design.txt | 181 ++++++++++++++++++++++++++++++++++++++++++
attic/v3-authority-howto.txt | 84 ++++++++++++++++++++
3 files changed, 354 insertions(+)
diff --git a/attic/authority-policy.txt b/attic/authority-policy.txt
new file mode 100644
index 0000000..7072082
--- /dev/null
+++ b/attic/authority-policy.txt
@@ -0,0 +1,89 @@
+
+0. Overview.
+
+ This document contains various informal policies for how to operate
+ a directory authority, how to choose new ones, etc.
+
+1. How to pick a new directory authority.
+
+ Here's our current guidelines for how to pick new directory
+ authorities.
+
+ (These won't ever be formal criteria -- we need to keep this flexible
+ so we can adapt to new situations.)
+
+ o Stability:
+ - Must be a low-downtime Tor server (computer as well as network).
+ - Must have a static IP.
+ - The operator must have been running a stable Tor server for at least
+ 3 months.
+ - Must intend for this server to stick around for the next 12 months
+ or more.
+ - Must not hibernate.
+ - Should not be an exit node (as this increases the risk both of
+ downtime and of key compromise).
+
+ o Performance:
+ - Must have sufficient bandwidth: at least 10mbit/s symmetric,
+ though in practice the inbound traffic can be considerably less.
+
+ o Availability:
+ - Must be available to upgrade within a few days in most cases.
+ (While we're still developing Tor, we periodically find bugs that
+ impact the whole network and require authority upgrades.)
+ - Should have a well-known way to contact the administrator
+ via PGP-encrypted message.
+
+ o Integrity:
+ - Must promise not to censor or attack the network and users.
+ - Should be run by somebody that Tor (i.e. Roger) knows.
+ - Should be widely regarded as fair/trustworthy, or at least
+ known, by many people.
+ - If somebody asks you to backdoor or change your server, legally or
+ otherwise, you will fight it to the extent of your abilities. If
+ you fail to fight it, you must shut down the Tor server and notify
+ us that you have.
+
+ o Diversity
+ - We should avoid situations that make it likelier for multiple
+ authority failures to happen at the same time. Therefore...
+ - It's good when authorities are not all in the same country.
+ - It's good when authorities are not all in the same jurisdictions.
+ - It's good when authorities are not all running the same OS.
+ - It's good when authorities are not all using the same ISP.
+ - It's good when authorities are not all running the same
+ version of Tor.
+ - No two authorities should have the same operator.
+ - Maximal diversity, however, is not always practical. Sometimes,
+ for example, there is only one version of Tor that provides a
+ given consensus generation algorithm.
+ - A small group of authorities with the same country/jurisdiction/OS is
+ not a problem, until that group's size approaches quorum (half the
+ authorities).
+
+2. How to choose the recommended versions
+
+ The policy, in a nutshell, is to not remove versions without a good
+ reason. So this means we should recommend all versions except:
+
+ - Versions that no longer conform to the spec. That is, if they wouldn't
+ actually interact correctly with the current Tor network.
+ - Versions that have known security problems.
+ - Versions that have frequent crash or assert problems.
+ - Versions that harm the performance or stability of the current Tor
+ network or the anonymity of other users. For example, a version
+ that load balances wrong, or a version that hammers the authorities
+ too much.
+
+
+> some use the slight variant of requiring a *good* reason.
+> excellent reasons include "there's a security flaw"
+> good reasons include "that crashes every time you start it. you would think
++tor is dumb if you tried to use that version and think of it as tor."
+> good reasons include "those old clients do their load balancing wrong, and
++they're screwing up the whole network"
+> reasons include "the old one is really slow, clients should prefer the new
++one"
+> i try to draw the line at 'good reasons and above'
+
+
diff --git a/attic/torel-design.txt b/attic/torel-design.txt
new file mode 100644
index 0000000..610cbe2
--- /dev/null
+++ b/attic/torel-design.txt
@@ -0,0 +1,181 @@
+Design For A Tor DNS-based Exit List
+
+Status:
+
+ This is a suggested design for a DNS Exit List (DNSEL) for Tor exit nodes.
+ See http://exitlist.torproject.org/ for an implementation.
+
+Why?
+
+ It's useful for third parties to be able to tell when a given connection
+ is coming from a Tor exit node. Potential applications range from
+ "anonymous user" cloaks on IRC networks like oftc, to networks like
+ Freenode that apply special authentication rules to users from these
+ IPs, to systems like Wikipedia that may want to make a priority of
+ _unblocking_ shared IPs more liberally than non-shared IPs, since shared
+ IPs presumably have non-abusive users as well as abusive ones.
+
+ Since Tor provides exit policies, not every Tor server will connect to
+ every address:port combination on the Internet. Unless you're trying to
+ penalize hosts for supporting anonymity, it makes more sense to answer
+ the fine-grained question "which Tor servers will connect to _me_?" than
+ the coarse-grained question "which Tor servers exist?" The fine-grained
+ approach also helps Tor server ops who share an IP with their Tor
+ server: if they want to access a site that blocks Tor users, they
+ can exclude that site from their exit policy, and the site can learn
+ that they won't send it anonymous connections.
+
+ Tor already ships with a tool (the "contrib/exitlist" script) to
+ identify which Tor nodes might open anonymous connections to any given
+ exit address. But this is a bit tricky to set up, so only sites like
+ Freenode and OFTC that are dedicated to privacy use it.
+ Conversely, providers of some DNSEL implementations are providing
+ coarse-grained lists of Tor hosts -- sometimes even listing servers that
+ permit no exit connections at all. This is rather a problem, since
+ support for DNSEL is pretty ubiquitous.
+
+
+How?
+
+ Keep a running Tor instance, and parse the cached-routers and
+ cached-routers.new files as new routers arrive. To tell whether a given
+ server allows connections to a certain address:port combo, look at the
+ definitions in dir-spec.txt or follow the logic of the current exitlist
+ script. If bug 405 is still open when you work on this
+ (https://bugs.torproject.org/flyspray/index.php?do=details&id=405), you'll
+ probably want to extend it to look at only the newest descriptor for
+ each server, so you don't use obsolete exit policy data.
+
+ FetchUselessDescriptors would probably be a good torrc option to enable.
+
+ If you're also running a directory cache, you get extra-fresh
+ information.
+
+
+The DNS interface
+
+ Standard DNSEL, if I understand right, looks like this: There's some
+ authoritative name server for foo.example.com. You want to know if
+ 1.2.3.4 is in the list, so you query for an A record for
+ 4.3.2.1.foo.example.com. If the record exists and has the value
+ 127.0.0.2[DNSBL-EMAIL], 1.2.3.4 is in the list. If you get an NXDOMAIN
+ error, 1.2.3.4 is not in the list. If you ask for a domain name outside
+ of the foo.example.com zone, you get a Server Failure error[RFC 1035].
+
+ Assume that the DNSEL answers queries authoritatively for some zone,
+ torhosts.example.com. Below are some queries that could be supported,
+ though some of them are possibly a bad idea.
+
+
+ Query type 1: "General IP:Port"
+
+ Format:
+ {IP1}.{port}.{IP2}.ip-port.torhosts.example.com
+
+ Rule:
+ Iff {IP1} is a Tor server that permits connections to {port} on
+ {IP2}, then there should be an A record with the value 127.0.0.2.
+
+ Example:
+ "1.0.0.10.80.4.3.2.1.ip-port.torhosts.example.com" should have the
+ value 127.0.0.2 if and only if there is a Tor server at 10.0.0.1
+ that allows connections to port 80 on 1.2.3.4.
+
+ Example use:
+ I'm running an IRC server at w.x.y.z:9999, and I want to tell
+ whether an incoming connection is from a Tor server. I set
+ up my IRC server to give a special mask to any user coming from
+ an IP listed in 9999.z.y.x.w.ip-port.torhosts.example.com.
+
+ Later, when I get a connection from a.b.c.d, my ircd looks up
+ "d.c.b.a.9999.z.y.x.w.ip-port.torhosts.example.com" to see
+ if it's a Tor server that allows connections to my ircd.
+
+
+ Query type 2: "IP-port group"
+
+ Format:
+ {IP}.{listname}.list.torhosts.example.com
+
+ Rule:
+ Iff this Tor server is configured with an IP:Port list named
+ {listname}, and {IP} is a Tor server that permits connections to
+ any member of {listname}, then there exists an A record.
+
+ Example:
+ Suppose torhosts.example.com has a list of IP:Port called "foo".
+ There is an A record for 4.3.2.1.foo.list.torhosts.example.com
+ if and only if 1.2.3.4 is a Tor server that permits connections
+ to one of the addresses in list "foo".
+
+ Example use:
+ Suppose torhosts.example.com has a list of hosts in "examplenet",
+ a popular IRC network. Rather than having them each set up to
+ query the appropriate "ip-port" list, they could instead all be
+ set to query a central examplenet.list.torhosts.example.com.
+
+ Problems:
+ We'd be better off if each individual server queried about hosts
+ that allowed connections to itself. That way, if I wanted to
+ allow anonymous connections to foonet, but I wanted to be able to
+ connect to foonet from my own IP without being marked, I could add
+ just a few foonet addresses to my exit policy.
+
+
+ Query type 3: "My IP, with port"
+
+ Format:
+ {IP}.{port}.me.torhosts.example.com
+
+ Rule:
+ An A record exists iff there is a tor server at {IP} that permits
+ connections to {port} on the host that requested the lookup.
+
+ Example:
+ "4.3.2.1.80.me.torhosts.example.com" should have an A record if
+ and only if there is a Tor server at 1.2.3.4 that allows
+ connections to port 80 of the querying host.
+
+ Example use:
+ Somebody wants to set up a quick-and-dirty Tor detector for a
+ single webserver: just point them at 80.me.torhosts.example.com.
+
+ Problem:
+ This would be easiest to use, but DNS gets in the way. If you
+ create DNS records that give different results depending on who is
+ asking, you mess up caching. There could be a fix here, but might
+ not.
+
+
+ RECOMMENDATION: Just build ip-port for now, and see what demand is
+ like. There's no point in building mechanisms nobody wants.
+
+Web interface:
+
+ Should provide the same data as the dns interface.
+
+Other issues:
+
+ After a Tor server op turns off their server, it stops publishing server
+ descriptors. We should consider that server's IP address to still
+ represent a Tor node until 48 hours after its last descriptor was
+ published.
+
+ 30-60 minutes is not an unreasonable TTL.
+
+ There could be some demand for address masks and port lists. Address
+ masks wider than /8 make me nervous here, as do port ranges.
+
+ We need an answer for what to do about hosts which exit from different
+ IPs than their advertised IP. One approach would be for the DNSEL
+ to launch periodic requests to itself through all exit servers whose
+ policies allow it -- and then see where the requests actually come from.
+
+References:
+
+ [DNSBL-EMAIL] Levine, J., "DNS Based Blacklists and Whitelists for
+ E-Mail", http://tools.ietf.org/html/draft-irtf-asrg-dnsbl-02, November
+ 2005.
+
+ [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", RFC 1035, November 1987.
diff --git a/attic/v3-authority-howto.txt b/attic/v3-authority-howto.txt
new file mode 100644
index 0000000..e4470e8
--- /dev/null
+++ b/attic/v3-authority-howto.txt
@@ -0,0 +1,84 @@
+
+ How to add a v3 directory authority.
+
+What we'll be doing:
+
+ We'll be configuring your Tor server as a v3 directory authority,
+ generating a v3 identity key plus certificates, and adding your v3
+ identity fingerprint to the list of default directory authorities.
+
+The steps:
+
+0) Make sure you're running ntp, and that your time is correct.
+
+ Make sure you have Tor version at least r12724. In the short term,
+ running a working authority may mean running the latest version of
+ Tor from SVN trunk. Later on, we hope that it will become easier
+ and you can just run a recent development release (and later still,
+ a recent stable release).
+
+1) First, you'll need a certificate. Run ./src/tools/tor-gencert to
+ generate one.
+
+ Run tor-gencert in a separate, very secure directory. Maybe even on
+ a more secure computer. The first time you run it, you will need to
+ run it with the --create-identity-key option to make a v3 authority
+ identity key. Subsequent times, you can just run it as-is.
+
+ tor-gencert will make 3 files:
+
+ authority_identity_key -- THIS IS VERY SECRET AND VERY SENSITIVE.
+ DO NOT LEAK IT. DO NOT LOSE IT.
+
+ authority_signing_key -- A key for signing votes and v3 conensuses.
+
+ authority_certificate -- A document authenticating your signing key
+ with your identity-key.
+
+ You will need to rotate your signing key periodically. The current
+ default lifetime is 1 year. We'll probably take this down to a month or
+ two some time soon. To rotate your key, run tor-gencert as before,
+ but without the --create-identity-key option.
+
+2) Copy authority_signing_key and authority_certificate to your Tor keys
+ directory.
+
+ For example if your data directory is /var/lib/tor/, you should run
+ cp authority_signing_key authority_certificate /var/lib/tor/keys/
+
+ You will need to repeat this every time you rotate your certificate.
+
+3) Tell your Tor to be a v3 authority by adding these lines to your torrc:
+
+ AuthoritativeDirectory 1
+ V3AuthoritativeDirectory 1
+
+4) Now your authority is generating a networkstatus opinion (called a
+ "vote") every period, but none of the other authorities care yet. The
+ next step is to get a Tor developer (likely Roger or Nick) to add
+ your v3 identity fingerprint to the default list of dirservers.
+
+ First, you need to learn your authority's v3 identity fingerprint.
+ It should be in your authority_certificate file in a line like:
+
+ fingerprint 3041632465FA8847A98B2C5742108C72325532D9
+
+ One of the Tor developers then needs to add this fingerprint to
+ the add_default_trusted_dirservers() function in config.c, using
+ the syntax "v3ident=<fingerprint>". For example, if moria1's new v3
+ identity fingerprint is FOO, the moria1 dirserver line should now be:
+
+ DirServer moria1 v1 orport=9001 v3ident=FOO 128.31.0.34:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441
+
+ The v3ident item must appear after the nickname and before the IP.
+
+5) Once your fingerprint has been added to config.c, we will try to
+ get a majority of v3 authorities to upgrade, so they know about you
+ too. At that point your vote will automatically be included in the
+ networkstatus consensus, and you'll be a fully-functioning contributing
+ v3 authority.
+
+ Note also that a majority of the configured v3 authorities need to
+ agree in order to generate a consensus: so this is also the point
+ where extended downtime on your server means missing votes.
+
More information about the tor-commits
mailing list