We need to split streamid into recognized and streamid

Paul Syverson syverson at itd.nrl.navy.mil
Thu Dec 18 17:46:30 UTC 2003

I'm confused by the problem.

On Wed, Dec 17, 2003 at 02:59:55AM -0500, Roger Dingledine wrote:
> I implemented end-to-end integrity checking for the payloads of relay
> cells. Turns out it doesn't work.
> To do end-to-end integrity checking, we must take into account every relay
> cell sent to or received on each hop in the circuit. Each stream has a
> streamid specific to it, which is used to address relay cells to that
> stream. A given hop can know a relay cell is addressed to it if a) the
> streamID is the control value "0", or b) the streamID is a known streamid
> for an already established stream at that hop. When a stream ends, that
> streamid is no longer recognized by that hop (which is reasonable),
> so that hop will pass the relay cell on to the next hop, or drop it if
> it's the last hop on the circ. But since it doesn't know it was supposed
> to get it, it doesn't know it should add those bytes to the sha1.
> So the sequence gets out of whack.

The sha1 hash is per stream not per circuit yes? And if the node has already
taken down that stream, which is why it doesn't recognize the stream ID,
then the integrity checking on it doesn't matter.

Are you concerned about the node passing on a cell it should have
removed, thus wrecking the circuit from then on in that direction?

> I think the proper fix is to separate 'is this relay cell destined for
> this hop' from 'which stream is this relay cell destined for'. We can
> probably make do with two bytes for each, assuming the "send a dummy
> instead if the encryption happens to make recognized='00' prematurely"
> idea (also not implemented yet) works.
> The semantics of the begin relay cell can change now too, since we can
> simply start using the new streamid directly.

What new streamid?

If I understand you in general, your proposal would stop
`accidentally' forwarding a cell from wrecking the circuit (by getting
the stream ciphers out of synch). I like the modularity as long as the
overhead isn't too high. The scenario is then something like: node
gets a cell that is for him but that he doesn't have a known streamid
for.  With the separation, node doesn't forward the cell but instead
kills the circuit (because something is wrong with it) as opposed to
wrecking it in one direction.


More information about the tor-dev mailing list