[tor-dev] Revisiting prop224 time periods and HS descriptor upload/downloads

George Kadianakis desnacked at riseup.net
Tue Apr 12 10:47:46 UTC 2016 

David Goulet <dgoulet at ev0ke.net> writes:

> [ text/plain ]
> On 11 Apr (14:42:02), George Kadianakis wrote:
>> David Goulet <dgoulet at ev0ke.net> writes:
>> 
>> > [ text/plain ]
>> > On 04 Apr (19:13:39), George Kadianakis wrote:
>> >> Hello,
>> >> 
>> >> during March we discussed the cell formats of prop224:
>> >>   https://lists.torproject.org/pipermail/tor-dev/2016-March/010534.html
>> >> 
>> >> The prop224 topic for this month has to do with the way descriptors get
>> >> uploaded and downloaded, how this is scheduled using time periods and how the
>> >> shared randomness subsystem interacts with all that.
>> >> 
>> >> Here are some discussion topics. Lots of text on the first two, less text on the rest:
>> >> 
>> >> <snip>
>> >> 
>> >>   In any case, this is how this might look like:
>> >> 
>> >> 
>> >> 	  +------------------------------------------------------------------+
>> >> 	  |                                                                  |
>> >> 	  | 00:00      12:00       00:00       12:00       00:00       12:00 |
>> >> 	  | SRV#1      TP#1        SRV#2       TP#2        SRV#3       TP#3  |
>> >> 	  |                                                                  |
>> >> 	  |   $         |-----------$-----======|-----------$-----======|    |
>> >> 	  |                            overlap12               overlap23     |
>> >> 	  |                                                                  |
>> >> 	  +------------------------------------------------------------------+
>> >> 
>> >>                                       Legend:    [TP#1 = Time Period #1]
>> >>                                                  [SRV#1 = Shared Random Value #1]
>> >> 
>> >> <snip>
>> >> 
>> 
>> How else could we simplify this logic?
>
> It seems simple enough. Maybe the algorithm I sketched out above makes it
> simpler? Maybe not!... It's basically the _same_ end results as you.
>

Yes, both approaches seem equivalent.

> The logic I sketched out above makes it that we would need parameters (from
> the consensus) like so (or hardcode them):
>
> - TIME_PERIOD_ROTATION_TIME (currently 12:00)
>
> - TIME_PERIOD_[LIFETIME | SPAN | DURATION] (currently 24h)
>
> - SHARED_RANDOM_VALUE_[CREATION | ROTATION]_TIME (currently 00:00)
>
> - SHARED_RANDOM_VALUE_[LIFETIME | SPAN | DURATION] (currently 24h)
>
> I doubt we can go simpler than that. Both algorithms have one single check
> ending in two outcomes that is either use previous or current.
>

So, should we update prop250 and add SHARED_RANDOM_VALUE_CREATION_TIME and
SHARED_RANDOM_VALUE_LIFETIME as consensus parameters?

>> 
>> >> <snip>
>> >> 
>> >>   + HSDir behavior
>> >> 
>> >>     Currently the spec says the following:
>> >> 
>> >> 	   Hidden service directories should accept descriptors at least [TODO:
>> >> 	   how much?] minutes before they would become valid, and retain them
>> >> 	   for at least [TODO: how much?] minutes after the end of the period.
>> >> 
>> >>     After discussion with David, we thought of chopping off the first part of
>> >>     that paragraph and not imposing any such weak restrictions for accepting
>> >>     descriptors (see #18332).
>> >> 
>> >>     We still have not decided about the second part of that paragraph, that is
>> >>     how long descriptors should be retained after the end of the period. We
>> >>     currently think clock skew is the only thing that can bring clients to the
>> >>     wrong HSDir after the end of the period. Maybe an hour is OK? David
>> >>     suggested 12 hours. The current Tor is doing 48 hours... Any ideas?
>> >
>> > It should at least be 24 hours (maximum possible) with an adjustment of at the
>> > _very_ least the overlap period. If the overlap period is 6 hours, we can then
>> > add the "maximum clock skew" we think is reasonable and we would end up with
>> > an OK value imo.
>> >
>> > Descriptor maximum lifetime:    24 hours
>> > Overlap period span:            6 hours (taken from your diagram)
>> > Maximum acceptable clock skew:  6 hours (dgoulet opinion!)
>> >
>> > Thus we are talking of a 36 hours lifetime in the cache. Let's work with that
>> > as a baseline :).
>> >
>> 
>> Hm, I see you are calculating the total lifetime here. How often do hidden
>> services refresh (reupload) their descriptor in this case? I think in the
>> current system, hidden services do so every hour. Do we keep this feature?
>
> I think we can re-upload only when needed that is key rotation, IP rotation,
> etc... No need to do that every hour (maybe).
>

Sounds good to me.

I wonder if there are any negatives to this behavior.

>> 
>> Let's consider a hidden service that uploads a single descriptor during its
>> overlap period and then disappears completely: should the HSDir keep and serve
>> that descriptor for 36 hours? It's unlikely that the HS is still up and
>> maintaining its intro circuits if it can't keep on refreshing its descriptor.
>
> The issue here is for the HSDir to notice that the HS might be gone? And we
> can't rely on RendPostPeriod value since it's service side. So an operator
> could litterally have set that to 7 hours meaning we might not see any new
> revision counter for that period and still unable to tell if the HS is gone or
> not.
>
> This is why our best bet is to compute a "maximum crazy time" that descriptor
> could be valid.
>
> An other option is to add a valid-until field in the cleartext part of the
> descriptor and the HSDir could use that to expire entries plus a clock skew
> delta.
>

Yes, I also thought of adding a valid-until to the cleartext part of the
descriptor so that its lifetime can be tweaked by the hidden service itself.
Of course, HSDirs would also have a maximum desc lifetime that they would enforce.

I wonder if we should do this or maybe it's overengineering and a global
non-configurable default lifetime is OK.

>> 
>> Also consider that whatever "maximum acceptable clock skew" we choose, the
>> hidden service needs to keep its introduction circuits up for that time as
>> well, otherwise the descriptor will be useless to the clock skewed clients.
>
> Yup! This is why I think above 6 hours of clock skewed you won't do much as a
> client... maybe even less!
>
>> 
>> ---
>> 
>> FWIW, I'm personally not sure how to choose the best "maximum acceptable clock skew"
>> value here. My intuition tells me to choose a big number so that even very
>> skewed clients can visit hidden services. I see the following two negatives here:
>> 
>> - Hidden services need to retain their old intro circuits for the duration of
>>   the acceptable clock skew.
>
> I pretty sure we don't do that currently. However, we could start doing that
> and collect stats on how frequent it is and with how much skew! That would be
> a very useful information to have imo.
>

Yes sounds useful, although we should assume that skewed clients exist in general.

Collecting these statistics on the intro point side requires us to write a
proper statistics patch and do the corresponding security analysis. Collecting
these statistics on the hidden service side, requires us to write a non-trivial
patch that implements this feature and also find volunteers with busy hidden
services to run it. I wonder if it's worth it.

More information about the tor-dev mailing list