[tor-dev] Proposal status, with suggestions for fun stuff to do

Nick Mathewson nickm at torproject.org
Wed Mar 2 06:35:12 UTC 2011

Hi, everybody!  This is a long mail, but if you're interested in Tor
development, it could be a good one to read.

As promised at the dev meeting, I've spent a while going over all the
current Tor proposals in state "Accepted", "Open", and "Draft", plus
the documents in proposals/ideas.  With any luck, this will help us
move design discussion forward, and point out some neglected
designs/discussions that people could pick up to

I've also summarized the stuff in proposals/ideas: I think we should
be more aggressive at putting proposal drafts in "Proposals", and in
making a place for design overviews and/or proposal-proposal documents
that are not themselves proposals.

Of course, if you're looking for a programming project, this isn't the
only place to look: you can also head over to the tracker, and look at
the tickets, particularly those with keyword "easy".

If this is useful to people, I'm hoping to do this once every month or two.

(A reminder: We've moved the tor specifications and proposals to their
own repository.  You can get the latest versions from
https://gitweb.torproject.org/torspec.git .  For an overview on how
the proposal process is supposed to work, see proposal 001, at


   110  Avoiding infinite length circuits

    This proposal solves a potential DoS attack.

    This has been nearly completely implemented for a while.  All we
    need to do is verify that there are no clients that do not send
    RELAY_EARLY cells correctly, and if so, turn on the code that
    drops EXTEND cells not sent via RELAY_EARLY.  The hard part here
    is double-checking that all the clients that send EXTEND commands
    inside non-RELAY_EARLY cells are really and truly obsolete.

   117  IPv6 exits [for 0.2.1.x]

    This proposal describes how to transmit IPv6 traffic over Tor.

    It needs updating to work properly with microdescriptors; it
    also has some open questions about DNS.

    I think this should move to 'needs-revision'.

   118  Advertising multiple ORPorts at once

    This proposal describes how an OR can advertise more than one
    address and OR port at a time.  It needs to be updated to work
    with microdescriptors, and to explain how much information can
    be transmitted in the consensus and how (the original proposal
    was written before consensus directories were really figured

    I think this should move to 'needs-revision'

   140  Provide diffs between consensuses

    This proposal describes a way to transmit less directory traffic
    by sending only differences between consensuses, rather than the
    consensuses themselves.  It is mainly languishing for lack of an
    appropriately licensed, well-written, very small, pure-C
    implementation of the "diff" and "patch" algorithms.  (The good
    diffs seem to be GPL (which we can't use without changing Tor's
    license), or spaghetti code, or not easily usable as a library,
    or not written in C, or very large, or some combination of

    ACTION: Move to 'needs-revision', or find a suitable library

   147  Eliminate the need for v2 directories in generating v3 directories

    This proposal explains a way that we can phase out the vestigial
    use of v2 directory documents in keeping authorities
    well-informed enough to generating the v3 consensus.  It's still
    correct; somebody should implement it before the v2 directory
    code rots any further.

   157  Make certificate downloads specific

    This proposal added cross-certification and signing-key-specific
    download URLs for directory authority certificates.  It is IIRC
    mostly implemented; there are just some SHOULDs that we should
    turn into MUSTS if all sufficiently old authority certificates
    are now obsolete.

   166  Including Network Statistics in Extra-Info Documents

    I think this one is implemented (or mostly implemented) by
    Karsten in 0.2.2.x.  If so, we just need to make sure it is
    merged into dir-spec, and closed.  Karsten, is there something
    left here?

    (NOTE TO SELF: I should remember to ask Karsten if he doesn't
    notice the above.)

   172  GETINFO controller option for circuit information
   173  GETINFO Option Expansion

    These would help controllers (particularly arm) provide more useful
    information about a running Tor process.  They're accepted and
    some parts of 173 are even implemented: somebody just needs to
    implement the rest.

   174  Optimistic Data for Tor: Server Side

     This proposal would make streams start faster by allowing
     clients to send DATA cells immediately, without waiting for a
     CONNECTED cell.  There's a patch under review as trac ticket
     #1795: it has some issues that need to get fixed before we can
     merge it.  I really want to get it fixed up soon, and merged in
     the next week or two.

=====  OPEN:

   143  Improvements of Distributed Storage for Tor Hidden Service Descriptors

     Here's a proposal from Karsten about making the hidden service
     DHT more reliable and secure to use.  It could use more
     discussion and analysis.

   145  Separate "suitable as a guard" from "suitable as a new guard"

     Currently, the Guard flag means both "You can use this node as
     a guard if you need to pick a new guard" and "If this node is
     currently your guard, you can keep using it as a guard."  This
     proposal tries to separate these two concepts, so that clients
     can stop picking a router once it is full of existing clients
     using it as a guard, but the clients currently on it won't all
     drop it.

     It's not clear whether this has anonymity issues, and it's not
     clear whether the imagined performance gains are actually

   146  Add new flag to reflect losing-term stability

     From time to time we get the idea of having clients ship with a
     reasonably recent consensus (or a list of directory mirrors),
     so instead of bootstrapping from one of the authorities, they
     can bootstrap from a regular directory cache.  The problem here
     is that by the time the client is run, most of the directory
     mirrors will be down or will have changed their IP.  This
     proposal tries to address that.

     It needs analysis based on behavior of actual routers on the
     network to see whether it could work, and what parameters might

   156  Tracking blocked ports on the client side

     This proposal provides a way for clients to learn which ports
     they are (and aren't) able to connect to, and connect to the
     ones that work.  It comes with a patch, too.  It also lets
     routers track ports that _they_ can't connect to.

     I'm a little unconvinced that : most clients that have some ports
     blocked will need bridges, not just restriction to a smaller
     set of ports.  This could be good behind restrictive firewalls,

     The router-side part is a little iffy: routers that can't
     connect to each other violate one of our network topology
     assumptions, and even if we do want to track failed
     router->router connections, the routers need to be sure that
     they aren't fooled into trying to connect repeatedly to a
     series of nonexistent addresses in an attempt to make them
     believe that (say) they can't reach port 443.

     This one is a paradigmatic "open" proposal: it needs more
     discussion.  The patch probably also needs to be ported to
     0.2.3.x; it touches some code that has changed.

   158  Clients download consensus + microdescriptors

     This proposal provides a way for clients to download
     authority-provided summaries of router descriptors instead of
     the descriptors themselves; I'm working on this one; it's going
     in 0.2.3.x.  It needs some cleanup, but it's basically right.

     (NOTE TO SELF: Clean this up and move it to "Accepted!")

   159  Exit Scanning

     This is an overview of SoaT, with some ideas for how to
     integrate it into Tor.

     Mike, is this implemented? Done?  Superseded?  Still open?

     (NOTE TO SELF: I should remember to ask Mike if he doesn't
     notice the above.)

   162  Publish the consensus in multiple flavors

     This proposal describes a way for authorities to migrate from
     one format of consensus to another without bloating the
     consensus forever.  It is mostly implemented in 0.2.3.x, though
     some parts of it need to get work.  I should clean it up too.

     (NOTE TO SELF: Clean this up and move it to "Accepted!")

   163  Detecting whether a connection comes from a client

     This one describes a number of ways to distinguish clients from
     non-clients when rejecting single-hop connections.  Some are
     implemented; others are rejected; others are still
     discussable.  Somebody should figure out what happened here,
     and reopen discussion as interested.

   164  Reporting the status of server votes

     This proposal explains a way for authorities to provide a
     slightly more verbose document that relay operators can use to
     diagnose reasons that their router was or was not listed in the
     consensus.  These documents would be like slightly more verbose
     versions of the authorities' votes, and would explain *why* the
     authority voted as it did.  It wouldn't be too hard to
     implement, and would be a fine project for somebody who wants
     to get to know the directory code.

   165  Easy migration for voting authority sets

     This is a design for how to change the set of authorities
     without having a flag day where the authority operators all
     reconfigure their authorities at once.  It needs more
     discussion.  One difficulty here is that we aren't talking much
     about changing the set of authorities, but that may be a
     chicken-and-egg issue, since changing the set is so onerous.

     If anybody is interested, it would be great to move the
     discussion ahead here.

   168  Reduce default circuit window

     This proposal reduces the default window for circuit sendme
     cells.  I think it's implemented, isn't it?  If so, we should
     make sure that tor-spec.txt is updated and close it.

     (NOTE TO SELF: Ask Roger; This should probably be called
     "Finished", or "Closed" if we have updated the spec.)

   171  Separate streams across circuits by connection metadata

     This proposal describes a way to prevent cross-application
     linking of different anonymized sessions by isolating different
     kinds of streams on different circuits based on their

     I want this one in 0.2.3.x; it would improve client anonymity.
     A patch would be great; there are efficiency issues to
     consider, though.

     ACTION: This should be "accepted", I believe, unless somebody
     has lingering objections.

   176  Proposed version-3 link handshake for Tor

     Here's my proposal for how to improve our TLS handshake to
     eliminate renegotiation, become less fingerprintable, and
     generally make the world a better place.  It needs more review
     by actual crypto people, but I would like to get it into

   177  Abstaining from votes on individual flags

     Here's my proposal for letting authorities have opinions about
     some (flag,router) combinations without voting on whether
     _every_ router should have that flag.  It's simple, and I think
     it's basically right.  With more discussion and review,
     somebody could/should build it for 0.2.3.x, I think.

===== DRAFT:

   127  Relaying dirport requests to Tor download site / website

    The idea here was to make it easier to fetch and learn about Tor
    by making it easy for relays to automatically act as proxies to
    the Tor website.  It needs more discussion, and there are some
    significant details to work out.  It's not at all clear whether
    this is actually a good idea or not.

   132  A Tor Web Service For Verifying Correct Browser Configuration

    This proposal was meant to give users a way to see if their
    browser and privoxy (yes, it was a while ago) are correctly
    configured by running a local webserver on  I'm not
    sure the status here.

   133  Incorporate Unreachable ORs into the Tor Network

    This proposal had an idea for letting ORs that can only make
    outgoing connections still relay data usefully in the network.
    It's something we should keep in mind, and it's a pretty neat
    idea, but it radically changes the network topology.  Anybody
    who wants to analyze new network topologies should definitely
    have a look.

   141  Download server descriptors on demand

    The idea of this proposal was for clients to only download the
    consensus, and later ask nodes for their own server descriptors
    while building the circuit through them.  It would make each
    circuit more time-consuming to build, but make bootstrapping
    much cheaper.

    A microdescriptor-based version of this would be even better,
    and microdescriptors would solve a lot of the problem that this
    was meant to resolve.  It still is not wholly superseded by the
    microdescriptor system, though.

   144  Increase the diversity of circuits by detecting nodes
belonging the same provider

    This is a version of the good idea, "Let's do routing in a way
    that tries to keep from routing traffic through the same
    provider too much!"  There are complex issues here that the
    proposal doesn't completely address, but I think it might be a
    fine idea for somebody to see how much more we know now than we
    did in 2008, particularly in light of the relevant paper(s) by
    Matt Edmann and Paul Syverson.

   149  Using data from NETINFO cells

    NETINFO cells currently contain time and address information
    that could be used to estimate skew and provide yet another way
    to learn our IP address.  This proposal starts to discuss ways
    that we could try to use that information safely, but doesn't
    really get anywhere.  See trac issues #2628 for some discussion
    about this stuff.  It would be neat if we had a working design
    here, though I suspect that with the slow and grinding death of
    older operating systems, systems with radically skewed clocks
    may become a thing of the past.

   170  Configuration options regarding circuit building

    This is Sebastian's take on how the *Nodes options should work.
    Roger preferred a more minimal approach that may or may not be
    right; see the discussion starting at
    for his approach.  I'm not going to call this "superseded" or
    "rejected" until  my 1090 code is done, though.  :(

   175  Automatically promoting Tor clients to nodes

    Here's Steven's proposal for adding a mode between "client mode"
    and "relay mode" for "self-test to see if you would be a good
    relay, and if so become one."  It didn't get enough attention
    when it was posted to the list; more people should review it.

   178  Require majority of authorities to vote for consensus parameters

    This is a proposal for making it a little harder for a small
    number of authorities to influence the value of a consensus
    parameter.  It needs more discussion; Sebastian has a draft
    implementation in his "safer_params" branch.

    (NOTE TO SELF: I think this could fairly become "open"; I should ask

   131  Help users to verify they are using Tor

     Here's a proposal for making a torcheck-like website more
     reliable.  If anybody wants to pick it up (especially somebody
     working on torcheck) and see whether it should be reopened or
     rejected, that would be a fine thing.

======  "IDEAS":


     Here's a note about better round-robin calculations for rate
     limiting.  Mike wrote it; I don't understand what's going on
     with it.


     Here's the start of a considerations document that Marian was
     writing about how to pick new crypto algorithms to migrate to.


     Here's an old idea from Geoff Goodell about letting controllers
     intercept EXTEND commands.  It is partially superseded by
     Damian's 172, though there is an additional feature that
     doesn't make sense for the Tor network, but might make sense
     for experimental stuff like Geoff was working on.


     Here's the document I wrote in December about which parts of
     our crypto there are to migrate, and what might be involved.
     This isn't a draft or pre-draft of a design proposal; it is
     more of a new category of "survey of stuff we need to design
     and think about", or "proposal for proposals" or something.


     Here's Robert Ransom's draft for what crypto properties,
     exactly, we're trying to get out of our circuit crypto.
     It is not a proposal draft or pre-draft: it is again a "design
     considerations" document, and one worth reading.


     Here's Jacob's proposal for certificate normalization.  It
     should get renamed, given a proposal number, and called "Open"
     or "Draft" depending on how much the details are likely to


     This is a start-of-a-proposal of Rogers that somebody should
     pick up and finish some time: The idea is to use the hidden
     service mechanism to provide a secure naming and encrypted
     connection facility for hosting sites that do not actually want
     anonymity themselves.  There's been more interest in this topic
     lately.  It might also turn into "exit enclaves done right".


     Looks like this was superseded by 159?


     Here's an old document I wrote a while ago about tracking usage
     by country.  Probably it should go into the metrics
     documentation somewhere (if we do this), or get thrown into
     "old" (if we won't do this), or updated (if we might someday do


     Here are some notes on scaling that Roger wrote in 2008.  There
     might be some smart ideas here!  Have a look some time.


     Here's a proposal pre-draft that says we should normalize the
     platform string.  Somebody could turn this into a proposal
     pretty easily.


     Here's a survey of what we need to do for IPv6 support that
     I started writing.  It's not a proposal; it's a survey of
     proposal and implementation statuses.


     Here's the thing Jacob and I have been working on for pluggable
     obfuscation techniques.  It should get turned into "Draft"
     status asap, if not "Open".  We should finish writing the
     missing sections, like, yesterday.


     Here's a pre-proposal from Jacob about using port knocking to
     make bridges harder to fingerprint.  This could be a good idea
     for somebody to do in terms of the pluggable transport spec.


     Here are some notes of Roger's from 2008 claiming that we
     should rate-limit stream creation at exit nodes.  It could help
     avoid port-scans if we do it right, but we would need to be
     exceedingly careful not to disrupt useful traffic.


     Here's a document from Steven about opportunistic use of SPDY
     over Tor.

     This should be a "Draft" proposal IMO.


     Here's the beginnings of a survey of where Tor uses SHA1, with
     an eye to stopping.  This really isn't a design proposal; it
     might fall into a new category of "issue survey" or
     "information" or something.

More information about the tor-dev mailing list