Connection to directory authorities

Roger Dingledine arma at
Sat Apr 14 06:06:19 UTC 2007

On Fri, Apr 13, 2007 at 01:01:32PM +0200, Karsten Loesing wrote:
> How do nodes connect anonymously to directory authorities (DA)?

They act like they just got the request as a socks connection, and
handle it like any other application connection.

(By "nodes", I assume you mean clients accessing hidden services
and hidden services publishing their descriptors.)

> My idea is that nodes reuse existing circuits and extend them using
> RELAY_BEGIN_DIR cells to the five DAs (possibly in parallel). Those
> cells are encrypted and contain the actual directory requests. The DAs
> create responses and send them in encrypted form back through the
> anonymous circuits.

That would probably be a good move. But we don't do that currently.

Note that doing 5 connections at once is only for publishing hidden
service descriptors -- when fetching, clients only fetch from one.

Right now we rely on the 'exit enclave' model to keep these connections
safe: see the last two paragraphs of
This means that we might extend a circuit to a given DA to exit there.

I just looked through the code briefly to confirm what behavior we get
when we try to do 5 exit enclave connections at once. I think it demands
a clean circuit if it's going to extend it, which means we probably
won't have enough clean circuits lying around and we'll have to build
a few more.

> My questions are:
> - - Is the above description correct?
> - - How many hops do circuits to the DAs contain?

3 hops. They're normal Tor circuits.

> - - What kind of existing circuits are reused? Exit circuits, internal
> circuits, unfinished circuits with n-1 hops, or any of them?

Exit circuits.

Some of this is described in doc/spec/path-spec.txt btw. But that
document needs more work. Please feel free to send patches for new
paragraphs or fixes. :)

> - - Do all circuits to the DAs share the same n-1 routers or are different
> circuits used for each DA? How often do circuits change?

We'll probably use different circuits because it will try to do a separate
exit enclave for each. Same as for 5 application connections that arrive
and are each destined to a different website running at a Tor server.

> - - Are circuits to DAs used for other purposes afterwards?

Yes, maybe. Or beforehand, or during, if we happen to already have a
circuit which ends at that dir authority. Are there anonymity issues
here? There might be. :)

> - - What for can requests to directory mirrors be sent directly and not
> via RELAY_BEGIN_DIR? Aren't DAs the only nodes used for bootstrapping,
> or are mirrors used for that purpose, too? In the former case, who
> connects to mirrors directly? Is it merely provided for debugging
> purposes, old Tor versions, or something I missed?

I'm not sure I quite understand the question.

The BEGIN_DIR stuff is new, so it isn't used much yet. We envision it
to be used when the local network won't appreciate http requests with
obvious Tor signatures in them. We also have some designs sketched out
down the road where you can ask a server for its descriptor in-band
via begin_dir, so maybe you don't even need to get the status line,
but just an IP and ORPort. See doc/design-paper/blocking.pdf for some
more details.

But in this context, clients would use begin_dir for mirrors as well --
they would use it for every case where they talk to a directory mirror
or authority right now.

Hope that helps. Let me know which questions I missed. :)

More information about the tor-dev mailing list