[tor-dev] Adding a NotDir router status flag
matthew.finkel at gmail.com
Fri May 29 00:58:26 UTC 2015
Sadly it took a few months for me to get back to prop 237 (All relays
are directory servers), but now I have a revised version of the proposal
and updated tor and torspec branches. These will benefit from
Previously, proposal 237 took advantage of the V2Dir flag because
Authorities already vote on it and it accomplished 90% of what we need.
But I realized that's not exactly what we want. Now the proposal
introduces a new status flag, NotDir. The reasoning for this is the
V2Dir flag indicates a router (is expected to) respond to directory
requests, usually, because the operator configured the router's DirPort.
But, in a network where nearly all relays are directory servers, why are
relays with the V2Dir flag special? Basically, after this proposal is
implemented nearly every relay should receive the V2Dir flag, so the
NotDir flag is the complement of V2Dir. This allows the V2Dir be
deprecated at some time in the future.
 https://git.torproject.org/user/sysrqb/tor.git, feature12538_rebased_6
 https://git.torproject.org/user/sysrqb/torspec.git, prop237_update
-------------- next part --------------
Title: All relays are directory servers
Author: Matthew Finkel
This proposal aims at simplying how users learn about the relays
in the Tor network. This is accomplished by changing the default
functionality of relays to include directory servers (also known as
directory caches), too. Currently, when an operator configures a
relay they may set it as a relay, a directory server, or both. This
proposal reduces and simplifies the options by having (nearly) all
relays cache and serve directory documents, without additional
When a client's guard is not a directory server, it
must choose and query a distinct directory server. For clients who
do not disable guards this should not be necessary, but as a
consequence, this adds another position within the network for
profiling and partitioning users. With the orthogonally proposed move
of clients using a single guard, the resulting benefits could be
reduced by clients using distinct directory servers. In addition, in
the case where the client does not use guards, it is important they
have the largest possible amount of diversity in the set of directory
servers. In a network where (almost) every relay is a directory
server, the profiling and partitioning attack vector is reduced to the
guard (for clients who use them), which is already in a privileged
position for similar behavior.
Currently all relays download and cache the majority of relay
documents in any case, so the slight increased memory usage from
downloading all of them should have minimal consequences. However,
taking into account the use of resource-constrained devices as relays,
we allow operators disable this option. For this proposal there are
necessary logical changes in the client, router, and directory code.
Currently directory servers are defined as such if they advertise
having an open directory port. We can not assume this is true
anymore. To this end, we introduce a new boolean server descriptor
The presence of this line indicates that the relay is caching
documents and accepts tunnelled directory requests. For a relay that
implements this proposal, this line MUST be added to its descriptor
if it does not advertise a directory port, and the line MAY be added
if it does advertise an open directory port. In addition to this,
relays now download and cache all descriptors and documents listed in
the consensus, regardless of whether they are deemed useful or usable,
exactly like the current directory server behavior. All relays will
also accept directory requests when they are tunnelled over a
connection established with a BEGIN_DIR cell, the same way these
connections are already accepted by bridges and directory servers with
an open DirPort.
Directory Authorities now assign a relay the NotDir flag if any
of these are true:
- it "does not support a version of the directory protocol which
is useful to clients" (version 3, at the time of writing)
- it has neither:
- an open directory port
- an open and reachable OR port
- it has an open and reachable OR port but does not advertise
"dir-cache" in its server descriptor.
In addition, we introduce a new networkstatus consensus parameter,
BelieveNotDir. This flag's default value is 0, specifying clients
should not trust the NotDir flag, or the implied meaning of it being
absent from a relay's status. Directory Authorities should set
this parameter as 1 after a sufficient number of Authorities upgrade
to a version of Tor which implements this proposal. If this parameter
is not set correctly, new, bootstrapping, clients may select a Guard
relay, without the NotDir flag, which actually is not a directory
server but the client will ask it for documents as if it were a cache.
Until this consensus parameter is 1, client should continue relying
upon the value of a relay's dir port.
Clients choose a directory by using the current criteria with the
additional criterion that a server must not have the NotDir status
Security Considerations and Implications:
Currently all directory servers are explicitly configured. This
is necessary because they must have a configured and reachable
external port. However, within Tor, this requires additional
configuration and results in a reduced number of directory servers in
the network. As a consequence, this could allow an adversary to
control a non-negligable fraction of the servers. By increasing the
number of directory servers in the network the likelihood of selecting
one that is malicious is reduced. Also, with this proposal, it will
be more likely that a client's entry guard is also a directory server
(as alluded to in Proposal 207). However, the reduced anonymity set
created when the guard does not have, or is unwilling to distribute, a
specific document still exists.
Another question that may need further consideration is whether we
trust bad directories to be good guards and exits.
The version 3 directory protocol specification does not
currently document the use of directory guards. This spec should be
updated to mention the preferred use of directory guards during
directory requests. In addition, the new criteria for assigning the
NotDir flag should be documented.
Impact on local resources:
Should relays download documents from another cache before asking
an authority? All relays, with minor exceptions, now contact the
authorities for documents, but this will not scale well and
partitions users from relays. This latter point seems like less
of a problem than the former. A future proposal should provide a way
for a directory cache to obtain the most recent directory documents
from non-authorities, perhaps using the directory sources instead.
If all relays become directory servers, they will choose to
download all documents, regardless of whether they are useful, in case
another client does want them. This will have very little impact on
the most relays, however on memory constrained relays (BeagleBone,
Raspberry Pi, and similar), every megabyte allocated to directory
documents is not available for new circuits. For this reason, a new
configuration option will be introduced within Tor for these systems,
named DirCache, which the operator may choose to set as 0, thus
disabling caching of directory documents and denying client directory
Should the DirPort be deprecated at some point in the future?
Write a proposal requiring that a relay must be a directory server
as part of the criteria for being a guard.
Proposal 185 originally proposed a very similar idea accomplishing
the same objective. Unfortunately this was missed and this proposal
was written. After reviewing 185, some ideas were reused as
improvement in this proposal.
Transitioning to a NotDir flag from the V2Dir flag is proposed
because the consensus status flags signify something special about the
relay. At this time, a relay is given the V2Dir flag if it provides a
dirport. This is something special. In the future based on this
proposal nearly every relay caches and serves documents, so that's not
a special trait anymore. The relays that are not caches are in the
minority and should be flagged as such. In addition, an added benefit
of this flag-name is that it is directory protocol version agnostic.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 630 bytes
Desc: Digital signature
More information about the tor-dev