[tor-commits] [torspec/master] Introduce prop279: "A Name System API for Tor Onion Services"

asn at torproject.org asn at torproject.org
Wed Mar 29 11:08:39 UTC 2017


commit 7418f65d0ebc7d982b080ecde93b276062f2f3d5
Author: George Kadianakis <desnacked at riseup.net>
Date:   Wed Mar 29 13:02:00 2017 +0200

    Introduce prop279: "A Name System API for Tor Onion Services"
---
 proposals/279-naming-layer-api.txt | 521 +++++++++++++++++++++++++++++++++++++
 proposals/proposal-status.txt      |   6 +
 2 files changed, 527 insertions(+)

diff --git a/proposals/279-naming-layer-api.txt b/proposals/279-naming-layer-api.txt
new file mode 100644
index 0000000..73616aa
--- /dev/null
+++ b/proposals/279-naming-layer-api.txt
@@ -0,0 +1,521 @@
+Filename: 279-naming-layer-api.txt
+Title: A Name System API for Tor Onion Services
+Author: George Kadianakis, Yawning Angel, David Goulet
+Created: 04-Oct-2016
+Status: Draft
+
+  Table Of Contents:
+
+			1. Introduction
+				1.1. Motivation
+				1.2. Design overview and rationale
+			2. System Specification
+				2.1. System overview [SYSTEMOVERVIEW]
+				2.2. System Illustration
+				2.3. System configuration [TORRC]
+					2.3.1. Tor name resolution logic
+				2.4. Name system initialization [INITPROTOCOL]
+				2.5. Name resolution using NS API
+					2.5.1. Message format
+					2.5.2. RESOLVED status codes
+					2.5.3. Further name resolution behavior
+				2.6. Cancelling a name resolution request
+				2.7. Launching name plugins [INITENVVARS]
+				2.8. Name plugin workflow [NSBEHAVIOR]
+					2.8.1. Name plugin shutdown [NSSHUTDOWN]
+				2.9. Further details of stdin/stdout communication
+					2.9.1. Message Format
+			3. Discussion
+				3.1. Using second-level domains instead of tld
+				3.2. Name plugins handling all tlds '*'
+				3.3. Deployment strategy
+				3.4. Miscellaneous discussion topics
+			4. Acknowledgements
+			A.1: Example communication Tor <-> name plugin [PROTOEXAMPLE]
+			A.2: Example plugins [PLUGINEXAMPLES]
+
+1. Introduction
+
+   This proposal specifies a modular API for integrating name systems with Tor.
+
+1.1. Motivation
+
+   Tor onion service addresses are decentralized and self-authenticated but
+   they are not human-memorable (e.g. 3g2upl4pq6kufc4m.onion). This is a source
+   of poor usability, since Internet users are familiar with the convenient
+   naming of DNS and are not used to addresses being random text.
+
+   In particular, onion addresses are currently composed of 16 random base32
+   characters, and they look like this:
+
+                      3g2upl4pq6kufc4m.onion
+                      vwakviie2ienjx7t.onion
+                      idnxcnkne4qt76tg.onion
+                      vwakviie2ienjx6t.onion
+
+   When Proposal 224 get deployed, onion addresses will become even
+   bigger: 53 base32 characters. That's:
+
+        llamanymityx4fi3l6x2gyzmtmgxjyqyorj9qsb5r543izcwymle.onion
+        lfels7g3rbceenuuqmpsz45z3lswakqf56n5i3bvqhc22d5rrsza.onion
+        odmmeotgcfx65l5hn6ejkaruvai222vs7o7tmtllszqk5xbysola.onion
+        qw3yvgovok3dsarhqephpu2pkiwzjdk2fgdfwwf3tb3vgzxr5kba.onion
+
+   Over the years Tor users have come up with various ad-hoc ways of handling
+   onion addresses. For example people memorize them, or use third-party
+   centralized directories, or just google them everytime.
+
+   We believe that the UX problem of non-human-memorable addresses is not
+   actually solved with the above ad-hoc solutions and remains a critical
+   usability barrier that prevents onion services from being used by a wider
+   audience.
+
+1.2. Design overview and rationale
+
+   During the past years there has been lots of research on secure naming and
+   various such systems have been proposed (e.g. GNS, Namecoin, etc.).
+
+   Turns out securely naming things is a very hard research problem, and hence
+   none of the proposed systems is a clear winner: all of them carry various
+   trade-offs. Furthermore, none of the proposed systems has seen widespread use
+   so far, which makes it even harder to pick a single project.
+
+   Given the plenitude of options, one approach to decide which system
+   is best is to make various decent name systems available and let the
+   Tor community and the sands of time pick the winner. Also, it might
+   be that there is no single winner, and perhaps different specialized
+   name system should be used in different situations. We believe that
+   by getting secure name systems actually get utilized by real users,
+   the whole field will mature and existing systems will get battle-hardened.
+
+   Hence, the contribution of this proposal is a modular Name System API
+   (NSA) that allows developers to integrate their own name systems in
+   Tor. The interface design is name-system-agnostic, and it's heavily
+   based on the pluggable transports API (proposal 180). It should be
+   flexible enough to accommodate all sorts of name systems (see [PLUGINEXAMPLES]).
+
+2. System Specification
+
+   A developer that wants to integrate a name system with Tor needs to first
+   write a wrapper that understands the Tor Name System API (NS API). Using the
+   Name System API, Tor asks the name system to perform name queries, and
+   receives the query results. The NS API works using environment variables and
+   stdin/stdout communication. It aims to be portable and easy to implement.
+
+2.1. System overview [SYSTEMOVERVIEW]
+
+   Here is an overview of the Tor name system:
+
+   Alice, a Tor user, can activate various name systems by editing her
+   torrc file and specifying which tld each name system is responsible
+   for. For this section, let's consider a simple fictional name system,
+   unicorn, which magically maps domains with the .corn tld to the
+   correct onion address. Here it is:
+
+       OnionNamePlugin 0 .corn   /usr/local/bin/unicorn
+
+   After Alice enables the unicorn plugin, she attempts connecting to
+   elephantforum.corn. Tor will intercept the SOCKS request, and use the
+   executable at /usr/local/bin/unicorn to query the unicorn name system
+   for elephantforum.corn. Tor communicates with the unicorn plugin
+   using the Tor NS API through which name queries and their results can
+   be transported using stdin/stdout.
+
+   If elephantforum.corn corresponds to an onion address in the unicorn
+   name system, unicorn should return the onion address to Tor using the
+   Tor NS API. Tor must then internally rewrite the elephantforum.corn
+   address to the actual onion address, and initiate a connection to it.
+
+2.2. System Illustration
+
+   Here is a diagram illustrating how the Tor Name System API works. The name
+   system used in this example is GNS, but there is nothing GNS-specific here
+   and GNS could be swapped for any other name system (like hosts files, or
+   Namecoin).
+
+   The example below illustrates how a user who types debian.zkey in their Tor
+   browser gets redirected to sejnfjrq6szgca7v.onion after Tor consults the GNS
+   network.
+
+   Please revisit this illustration after reading the rest of the proposal.
+
+       |                                    $~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~$
+       |  1.                                $          4. GNS magic!!              $
+       |  User: SOCKS CONNECT to            $ debian.zkey -> sejnfjrq6szgca7v.onion$
+       |        http://debian.zkey/         $~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~$~~~~~~~$
+       |                                                                   $
+ +-----|-----------------------------------------+                         $
+ |+----v-----+     2.                 +---------+|       3.                $
+ ||Tor       |     debian.zkey        |Tor      ||       debian.zkey     +-$-------+
+ ||Networking------------------------->Naming   ------------------------->         |
+ ||Submodule |                        |Submodule||  Tor Name System API  |  GNS    |
+ ||          <-------------------------         <-------------------------  wrapper|
+ ||          | 6.                     |         ||5.                     |         |
+ |+----|-----+ sejnfjrq6szgca7v.onion +---------+|sejnfjrq6szgca7v.onion +---------+
+ +-----|-----------------------------------------+
+       |  7.
+       |  Tor: Connect to
+       |       http://sejnfjrq6szgca7v.onion/
+       v
+
+
+2.3. System configuration [TORRC]
+
+   As demonstrated in [SYSTEMOVERVIEW], a Tor user who wants to use a name
+   system has to edit their configuration file appropriately. Here is the torrc
+   line format:
+
+       OnionNamePlugin <priority> <tld> <path>
+
+   where <priority> is a positive integer denoting the priority with which this
+   name plugin should be consulted. <tld> is a string which restricts the scope
+   of this plugin to a particular tld.  Finally, <path> is a filesystem path to
+   an executable that speaks the Tor Name System API and can act as an
+   intermediary between Tor and the name system.
+
+   For example here is a snippet from a torrc file:
+       OnionNamePlugin 0 .hosts      /usr/local/bin/local-hosts-file
+       OnionNamePlugin 1 .zkey       /usr/local/bin/gns-tor-wrapper
+       OnionNamePlugin 2 .bit        /usr/local/bin/namecoin-tor-wrapper
+       OnionNamePlugin 3 .scallion   /usr/local/bin/community-hosts-file
+
+2.3.1. Tor name resolution logic
+
+   When Tor receives a SOCKS request to an address that has a name
+   plugin assigned to it, it needs to perform a query for that address
+   using that name plugin.
+
+   If there are multiple name plugins that correspond to the requested
+   address, Tor queries all relevant plugins sorted by their priority
+   value, until one of them returns a successful result. If two plugins
+   have the same priority value, Tor MUST abort.
+
+   If all plugins fail to successfuly perform the name resolution, Tor SHOULD
+   default to using the exit node for name resolution.
+   XXX or not?  because of leaks?
+
+2.4. Name system initialization [INITPROTOCOL]
+
+   When Tor finds OnionNamePlugin lines in torrc, it launches and initializes
+   their respective executables.
+
+   When launching name plugins, Tor sets various environment variables to pass
+   data to the name plugin (e.g. NS API version, state directory, etc.). More
+   information on the environment variables at [INITENVVARS].
+
+   After a name plugin initializes and parses all needed environment
+   variables, it communicates with Tor using its stdin/stdout.
+
+   The first line that a name plugin sends to stdout signifies that it's ready
+   to receive name queries. This line looks like this:
+
+      INIT <VERSION> <STATUS_CODE> [<STATUS_MSG>]
+
+   where VERSION is the Tor NS API protocol version that the plugin supports,
+   STATUS_CODE is an integer status code, and STATUS_MSG is an optional string
+   error message. STATUS_CODE value 0 is reserved for "success", and all other
+   integers are error codes.
+
+   See [PROTOEXAMPLE] for an example of this protocol.
+
+2.5. Name resolution using NS API
+
+   Here is how actual name resolution requests are performed in NS API.
+
+2.5.1. Message format
+
+   When Tor receives a SOCKS request to an address with a tld that has a name
+   plugin assigned to it, Tor performs an NS API name query for that address.
+
+   Tor does this by printing lines on the name plugin stdout as follows:
+
+      RESOLVE <QUERY_ID> <NAME_STRING>
+
+   where QUERY_ID is a unique integer corresponding to this query, and
+   NAME_STRING is the name to be queried.
+
+   When the name plugin completes the name resolution, it prints the following
+   line in its stdout:
+
+      RESOLVED <QUERY_ID> <STATUS_CODE> <RESULT>
+
+   where QUERY_ID is the corresponding query ID and STATUS_CODE is an integer
+   status code. RESULT is the resolution result (an onion address) or an error
+   message if the resolution was not succesful.
+
+   See [PROTOEXAMPLE] for an example of this protocol.
+
+   XXX Should <RESULT> be optional in the case of failure?
+
+2.5.2. RESOLVED status codes
+
+   Name plugins can deliver the following status codes:
+
+   0 -- The name resolution was successful.
+
+   1 -- Name resolution generic failure.
+
+   2 -- Name tld not recognized.
+
+   3 -- Name not registered.
+
+   4 -- Name resolution timeout exceeded.
+
+   XXX add more status codes here as needed
+
+2.5.3. Further name resolution behavior
+
+   Tor and name plugins MAY cache name resolution results in memory as
+   needed. Caching results on disk should be avoided.
+
+   Tor SHOULD abort (or cancel) an ongoing name resolution request, if it takes
+   more than NAME_RESOLUTION_TIMEOUT seconds.
+   XXX NAME_RESOLUTION_TIMEOUT = ???
+
+   Tor MUST validate that the resolution result is a valid .onion name.
+   XXX should we also accept IPs and regular domain results???
+   XXX perhaps we should make sure that results are not names that need
+       additional name resolution to avoid endless loops. e.g. imagine
+       some sort of loop like this:
+        debian.zkey -> debian-bla.zkey -> debian.zkey -> etc.
+
+2.6. Cancelling a name resolution request
+
+   Tor might need to cancel an ongoing name resolution request
+   (e.g. because a timeout passed, or the client is not interested in
+   that address anymore). In this case, Tor sends the following line to
+   the plugin stdout as follows:
+
+     CANCEL <QUERY_ID>
+
+   to which the name plugin, after performing the cancellation, SHOULD
+   answer with:
+
+     CANCELED <QUERY_ID>
+
+2.7. Launching name plugins [INITENVVARS]
+
+   As described in [INITPROTOCOL], when Tor launches a name plugin, it sets
+   certain environment variables. At a minimum, it sets (in addition to the
+   normal environment variables inherited from Tor):
+
+    "TOR_NS_STATE_LOCATION" -- A filesystem directory path where the
+       plugin should store state if it wants to.  This directory is not
+       required to exist, but the plugin SHOULD be able to create it if
+       it doesn't.  The plugin MUST NOT store state elsewhere.
+      Example: TOR_NS_STATE_LOCATION=/var/lib/tor/ns_state/
+
+    "TOR_NS_PROTO_VERSION" -- To tell the plugin which versions of this
+       configuration protocol Tor supports. Future versions will give a
+       comma-separated list.  Plugins MUST accept comma-separated lists
+       containing any version that they recognize, and MUST work correctly even
+       if some of the versions they don't recognize are non-numeric.  Valid
+       version characters are non-space, non-comma printing ASCII characters.
+      Example: TOR_NS_PROTO_VERSION=1,1a,2,4B
+
+    "TOR_NS_PLUGIN_OPTIONS" -- Specifies configuration options for this
+       name plugin as a semicolon-separated list of k=v strings with
+       options that are to be passed to the plugin.
+
+       Colons, semicolons, equal signs and backslashes MUST be escaped with a
+       backslash.
+
+       If there are no arguments that need to be passed to any of the
+       plugins, "TOR_NS_PLUGIN_OPTIONS" MAY be omitted.
+
+       For example consider the following options for the "banana" name plugin:
+
+         TOR_NS_PLUGIN_OPTIONS=timeout=5;url=https://bananacake.com
+
+         Will pass to banana the parameters 'timeout=5' and
+         'url=https://bananacake.com'.
+
+       XXX Do we like this option-passing interface? Do we have any lessons
+           from our PT experiences?
+
+   XXX Add ControlPort/SocksPort environment variables.
+
+   See [PROTOEXAMPLE] for an example of this environment
+
+2.8. Name plugin workflow [NSBEHAVIOR]
+
+   Name plugins follow the following workflow:
+
+     1) Tor sets the required environment values and launches the name plugin
+        as a sub-process (fork()/exec()). See [INITENVVARS].
+
+     2) The name plugin checks its environment, and determines the supported NS
+        API versions using the env variable TOR_NS_PROTO_VERSION.
+
+        2.1) If there are no compatible versions, the name plugin writes
+             an INIT message with a failure status code as in
+             [INITPROTOCOL], and then shuts down.
+
+     3) The name plugin parses and handles the rest of the environment values.
+
+        3.1) If the environment variables are malformed, or otherwise
+             invalid, the name plugin writes an INIT message with a
+             failure status code as in [INITPROTOCOL], and then shuts
+             down.
+
+     4) After the name plugin completely initializes, it sends a successful
+        INIT message to stdout as in [INITPROTOCOL]. Then it continues
+        monitoring its stdin for incoming RESOLVE messages.
+
+     6) When the name plugin receives a RESOLVE message, it performs the name
+        resolution and replies with the appropriate RESOLVED message.
+
+     7) Upon being signaled to terminate by the parent process [NSSHUTDOWN], the
+        name plugin gracefully shuts down.
+
+2.8.1. Name plugin shutdown [NSSHUTDOWN]
+
+   To ensure clean shutdown of all name plugins when Tor shuts down, the
+   following rules apply for name plugins:
+
+   Name plugins MUST handle OS specific mechanisms to gracefully terminate
+   (e.g. SIGTERM).
+
+   Name plugins SHOULD monitor their stdin and exit gracefully when it is
+   closed.
+
+2.9. Further details of stdin/stdout communication
+
+2.9.1. Message Format
+
+   Tor communicates with its name plugins by writing NL-terminated lines to
+   stdout.  The line metaformat is
+
+      <Line> ::= <Keyword> <OptArgs> <NL>
+      <Keyword> ::= <KeywordChar> | <Keyword> <KeywordChar>
+      <KeyWordChar> ::= <any US-ASCII alphanumeric, dash, and underscore>
+      <OptArgs> ::= <Args>*
+      <Args> ::= <SP> <ArgChar> | <Args> <ArgChar>
+      <ArgChar> ::= <any US-ASCII character but NUL or NL>
+      <SP> ::= <US-ASCII whitespace symbol (32)>
+      <NL> ::= <US-ASCII newline (line feed) character (10)>
+
+   Tor MUST ignore lines with keywords that it doesn't recognize.
+
+3. Discussion
+
+3.1. Using second-level domains instead of tld
+
+   People have suggested that users should try to connect to reddit.zkey.onion
+   instead of reddit.zkey. That is, we should always preserve .onion as the
+   tld, and only utilize second-level domains for naming.
+
+   The argument for this is that this way users cannot accidentally leak
+   addresses to DNS, as the .onion domain is reserved by RFC 7686.
+
+   The counter-argument here is that this might be confusing to users since
+   they are not used to the second-level domain being special (e.g. co.uk).
+   Also, what happens when someone registers a 16-character name, that matches
+   the length of a vanilla onion address?
+
+   We should consider the concerns here and take the right decision.
+
+3.2. Name plugins handling all tlds '*'
+
+   In [TORRC], we assigned a single tld to each name plugin.  Should we also
+   accept catch-all tlds using '*'? I'm afraid that this way a name system
+   could try to resolve even normal domains like reddit.com .
+
+   Perhaps we trust the name plugin itself, but maybe the name system
+   network could exploit this? Also, the catch-all tld will probably
+   cause some engineering complications in this proposal (as it did for PTs).
+
+3.3. Deployment strategy
+
+   We need to devise a deployment strategy that will allow us to improve
+   the UX of our users as soon as possible, but without taking hasty,
+   sloppy or uneducated decisions.
+
+   For starters, we should make it easy for developers to write wrappers around
+   their secure name systems. We should develop libraries that speak the NS API
+   protocol and can be used to quickly write wrappers. Similar libraries were quite
+   successful during pluggable transport deployment; see pyptlib and goptlib.
+
+   In the beginning, name plugins should be third-party applications that can
+   be installed by interested users manually or through package managers. Users
+   will also have to add the appropriate OnionNamePlugin line to their torrc.
+   This will be a testing phase, and also a community-growing phase.
+
+   After some time, and when we get a better idea of how name plugins
+   work for the community, we can start considering how to make them
+   more easily usable.  For example, we can start by including some name
+   plugins into TBB in an optional opt-in fashion. We should be careful
+   here, as people have real incentives for attacking name systems and
+   we should not put our users unwillingly in danger.
+
+3.4. Miscellaneous discussion topics
+
+   1. The PT spec tries hard so that a single executable can expose multiple
+      PTs. In this spec, it's clear that each executable is a single name
+      plugin. Is this OK or a bad idea? Should we change interfaces so that
+      each name plugin has an identifier, and then use that identifier for
+      things?
+
+   2. Should we make our initialization protocol _identical_ to the PT API
+      initialization protocol? That is, use ENV-ERROR etc. instead of INT?
+
+   3. Does it make sense to support reverse queries, from .onion to names? So
+      that people auto-learn the names of the onions they use?
+
+4. Acknowledgements
+
+   Proposal details discussed during Tor hackfest in Seattle between
+   Yawning, David and me. Thanks to Lunar and indolering for more
+   discussion and feedback.
+
+Appendix A.1: Example communication Tor <-> name plugin [PROTOEXAMPLE]
+
+   Environemnt variables:
+
+     TOR_NS_STATE_LOCATION=/var/lib/tor/ns_state
+     TOR_NS_PROTO_VERSION=1
+     TOR_NS_PLUGIN_OPTIONS=timeout=5;cache=/home/user/name_cache
+
+   Messages between Tor and the banana name plugin:
+
+     Name plugin (banana) -> Tor:
+        INIT 1 0
+
+     Tor -> Name plugin (banana):
+        RESOLVE 1 daewonskate.banana
+
+     Name plugin (banana) -> Tor:
+        RESOLVED 1 0 jqkscnkne4qt91iq.onion
+
+     Tor -> Name plugin (banana):
+        RESOLVE 1 architecturedirect.zkey
+
+     Name plugin (banana) -> Tor (banana):
+        RESOLVE 1 2 "zkey not recognized tld"
+
+     Tor -> Name plugin (banana):
+        RESOLVE 1 origamihub.banana
+
+     Name plugin (banana) -> Tor (banana):
+        RESOLVE 1 2 wdxfpaxar4dg12vd.onion
+
+Appendix A.2: Example plugins [PLUGINEXAMPLES]
+
+   Here are a few examples of name plugins for brainstorming:
+
+   a) Simplest plugin: A local hosts file. Basically a local petname system
+      that maps names to onion addresses.
+
+   b) A remote hosts file. A centralized community hosts file that people trust.
+
+   c) Multiple remote hosts files. People can add their own favorite community
+      hosts file.
+
+   d) Multiple remote hosts files with notaries and reputation
+      trust. Like moxie's convergence tool but for names.
+
+   e) GNS
+
+   f) OnioNS
+
+   g) Namecoin/Blockstart
diff --git a/proposals/proposal-status.txt b/proposals/proposal-status.txt
index 105dca4..f9cf218 100644
--- a/proposals/proposal-status.txt
+++ b/proposals/proposal-status.txt
@@ -541,3 +541,9 @@ again to remind me!
      security against malicious exit nodes, by specifying their own set of exit
      nodes.
 
+279  A Name System API for Tor Onion Services [DRAFT]
+
+     The proposal specifies a modular system for integrating naming systems
+     (GNS, Namecoin, etc.) with Tor onion services.
+
+



More information about the tor-commits mailing list