[tor-dev] prop224: What should we do with torrc options?

teor teor2345 at gmail.com
Mon Dec 5 22:43:20 UTC 2016 

> On 6 Dec. 2016, at 08:02, David Goulet <dgoulet at ev0ke.net> wrote:
> 
> On 06 Dec (07:53:16), teor wrote:
>> 
>>> On 6 Dec. 2016, at 07:42, David Goulet <dgoulet at ev0ke.net> wrote:
>>> 
>>> On 22 Nov (17:36:33), David Goulet wrote:
>>>> Hi everyone!
>>>> 
>>>> We are soon at the stage of implementing the service part of proposal 224
>>>> (next gen. hidden service.). Parent ticket is #20657 but I'll be discussing
>>>> here ticket #18054.
>>>> 
>>>> In a nutshell, we need to figure out the interface for the torrc file[1]. We
>>>> currently have some options to configure an hidden service and the question is
>>>> now how do we proceed on using those for next version?
>>> 
>>> [snip]
>>> 
>>> (Please read original email for some initial context.)
>>> 
>>> So over the last week, we've mashed up all the things that were said in this
>>> thread, me and asn discussed it with some arma also on the side!
>>> 
>>> I think the following is the best of all the non ideal solutions we can come
>>> up with. Below is a superb ascii timeline of what we plan to do in terms of
>>> transition from v2 to v3:
>>> 
>>> 
>>> Our dystopian reality of now.
>>> (https://youtu.be/NrmMk1Myrxc
>>> it's not a Black Mirror SO3 trailer)
>>>       v
>>>       |             ~Aug '17          ~Dec '17        Unknown date
>>>       |-----------------|-----------------|----------------|---------->
>>>                         |                 ^                ^
>>>                         ^            v3 Network/Code       |
>>>                tor stable release       Maturity           |
>>>                  with v3 support                       No more v2
>>>                     (0.3.1)
>>> 
>>> Ok, might not be my best ascii art work but I hope it will do. In short:
>>> 
>>> - With 0.3.1 (scheduled for August 2017, subject to change), we'll have a tor
>>> with v3 support BUT v2 will still be the default value for *new* HS.
>>> (HiddenServiceVersion option)
>>> 
>>> - For a period of ~4 months we estimate, we'll hope that enough of the network
>>> has upgraded to support v3 (relay and HSDir support are in 030) and that the
>>> code as some sort of maturity that we are confident to switch and make all
>>> new HS be v3. This is the "v3 Network/Code Maturity" marker. Note that it
>>> could easily go to 2018 for this switch to happen.
>>> 
>>> - When the switch happens, there will be, most likely years, a long period of
>>> time where v2 will be deprecated and warnings given to users but still used.
>>> That "Unknown date" will be the time we will release a tor stable version
>>> _without_ v2 support at all. It's quite unknown when we'll be able to do it.
>>> Chances are that we'll rely on our HS statistics and metrics for that.
>>> 
>>> That being said, here are the conclusions based on this thread and f2f
>>> discussion considering the above "procedure":
>>> 
>>> 1) When v3 is released in a tor stable version, it will NOT be the default
>>>  version for new service, v2 will until maturity.
>>> 
>>> 2) HiddenServiceVersion is used to control which version of the service you
>>>  want. Starting from the first time v3 is supported, you'll be able to use
>>>  it but without any guarantee as we'll be entering the "stabilizing period"
>>>  but it should be usable.
>>> 
>>> 3) ADD_ONION "BEST" will map to whatever default value HiddenServiceVersion is
>>>  with the tor you have.
>>> 
>>> 4) In order to avoid relying on a tor stable version release to switch the
>>>  default version from 2 to 3, we'll use a consensus parameter. Meaning that
>>>  once we set that param. to v3, HiddenServiceVersion default value will be
>>>  that value unless explicitely defined in torrc. It will also allow us to
>>>  rollback to v2 if we see a swarm of badness occuring. To be clear, service
>>>  already v3 will stay v3 but the default version for creation will simply
>>>  change.
>>> ...
>> 
>> This is problematic: we validate and create onion services at torrc
>> load, before loading the consensus.
>> 
>> Do we plan to do it afterwards?
>> That seems like it could be really confusing.
> 
> You need a consensus anyway to pick your intro point or HSDir but yes the
> engineering part here will be that if you ever configured v2 service and you
> realize it's v3, we'll rollback all the things.
> 
> I agree with you that it could be confusing and will require some fun
> engineering but I think the advantages of having such a thing outweight the
> engineering effort. Unfun part will be on the user side as they will think
> their service is ready to start but then will have a warning after consensus
> download that it's not.
> 
> It also means we need to do key creation _after_ consensus download so we
> don't expose the wrong address to the user.
> 
> Fun... Maybe we can do better, not sure :S

I'd much prefer a #define for the default, and we can change it in the
next release.

That way, we ensure the code gets proper testing in an alpha series.

T

-- 
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------

More information about the tor-dev mailing list