[tor-dev] Much-revised draft, RFC: removing current obsolete clients from the network

Sebastian G. <bastik.tor> bastik.tor at googlemail.com
Thu Jan 7 18:42:39 UTC 2016 

07.01.2016, 18:12 Nick Mathewson:

Mostly spelling corrections and one question at the bottom.

I have not enough insight to comment on the proposed ideas.

>   [...]

> One goal of this proposal is to ensure that future clients to not

*do not*

>    become zombies at all; and that ancient clients become slow zombies
>    at worst.
> 
> 
> 2. Some ideas that don't work.
> 
> 2.1. Dropping connections based on link protocols.
> 
>    Tor versions before before 0.2.3.6-alpha use a renegotiation-based
>    handshake instead of our current handshake.  We could detect these
>    handshakes and close the connection at the relay side if the client
>    attempts to renegotiate.
> 
>    I've tested these changes on versions maint-0.2.0 through
>    maint-0.2.2.  They result in zombies with the following behavior:
> 
>       The client contact each authority it knows about, attempting to

An s is missing to make 'contacts'.

>       make a one-hop directory connection.  It fails, detects a failure,
>       then reconnects more and more slowly ... but one hour later, it
>       resets its connection schedule and starts again.
> 
>    In the steady state this appears to result in about two connections
>    per client per authority per hour.  That is probably too many.
> 
>    (Most authorities would be affected: of the authorities that existed
>    in 0.2.2, gabelmoo has moved and turtles has shut down.  The
>    authorities Faravahar and longclaw are new. The authorities moria1,
>    tor26, dizum, dannenberg, urras, maatuska and maatuska would all get
>    hit here.)

maatuska is listed twice.

> 
>    (We could simply remove the renegotiation-detection code entirely,
>    and reply to all connections with an immediate VERSIONS cell.  The
>    behavior would probably be the same, though.)
> 
>    If we throttled connections rather than closing them, we'd only get
>    one connnection per authority per hour, but authorities would have to

connection

>    keep open a potentially huge number of sockets.
> 
> 2.2. Blocking circuit creation under certain circumstances
> 
>    In tor 0.2.5.1-alpha, we began ignoring the UseNTorHandshake option,
>    and always preferring the ntor handshake where available.
> 
>    Unfortunately, we can't simply drop all TAP handshakes, since clients
>    and relays can still use them in the hidden service protocol.  But
>    we could detect these versions by:
> 
>         Looking for use of a TAP handshake from an IP not associated
>         with with any known relay, or on a connection where the client

'with' is there twice.

>         did not authenticate.  (This could be from a bridge, but clients
>         don't build circuits that go to an IntroPoint or RendPoint
>         directly after a bridge.)
> 
>    This would still result in clients not having directories, however,
>    and retrying once an hours.
> 
> 3. Ideas that might work
> 
> 3.1. Move all authorities to new ports
> 
>    We could have each authority known to older clients start listening
>    for connections at a new port P. We'd forward the old port to the new
>    port.  Once sufficiently many clients were using the new ports, we
>    could disable the forwarding.
> 
>    This would result in the old clients turning into zombies as above,
>    but they would only be scrabbling at nonexistent ports, causing less
>    load on the authorities.
> 
>    [This proposal would probably be easiest to implement.]
> 
> 3.2. Start disabling old link protocols on relays
> 
>    We could have new relays start dropping support for the old link
>    protocols, while maintaining support on the authorities and older
>    relays.
> 
>    The result here would be a degradation of older client performance
>    over time.  They'd still behave zombieishly if the authorities
>    dropped support, however.
> 
> 3.3. Changing the consensus format.
> 
>    We could allow 'f' (short for "flag") as a synonym for 's' in
>    consensus documents.  Later, if we want to disable all Tor versions
>    before today, we can change the consensus algorithm so that the
>    consensus (or perhaps only the microdesc consensus) is spelled with
>    'f' lines instead of 'f' lines.  This will create a consensus which

'f' lines instead of 's' lines.

>    older clients and relays parse as having all nodes down, which will
>    make them not connect to the network at all.
> 
>    We could similarly replace "r" with "n", or replace Running with
>    Online, or so on.
> 
>    In doing this, we could also rename fresh-until and valid-until, so
>    that new clients would have the real expiration date, and old clients
>    would see "this consensus never expires".  This would prevent them
>    from downloading new consensuses.
> 
>    [This proposal would result in the quietest shutdown.]

What would be repeatable in 5 years? I imagine that you would like to
get rid of old clients again and again.

Regards,
Sebastian G.

More information about the tor-dev mailing list