[tor-dev] Revisiting Proposal 246: Merging Hidden Service Directories and Introduction Points
desnacked at riseup.net
Wed Jan 13 16:50:41 UTC 2016
we recently finished implementing proposal 250 which is one of the first steps
for the upcoming hidden service redesign . The next steps are implementing
proposal 224 and the other performance and security proposals .
On this note, one of the open design issues that we need to tackle next is
whether we should do proposal 246 or not. Proposal 246 merges HSDirs and Intro
Points into a single entity to simplify the protocol and improve its
performance. The idea is that HSes will pick their intro points using the hash
ring algorithm currently used for picking HSDirs. Clients will do the same and
connect directly to the intro points instead of going through the HSDir step.
I suggest you read the proposal and the discussion thread to become better
informed about this idea:
Proposal 246 changes the hidden service protocol substantially, which is why we
need to decide whether to do it soon. The next steps in our implementation plan
heavily depend on whether we will do proposal 246 or not.
Here are some issues that make this proposal not an obvious pick:
1) Security issues
- Professor Hopper pointed out  that this proposal will double the number
of introduction points of a hidden service (from the current 3 to 6).
Introduction points have slightly more attack vectors than HSDirs, so we
should not increase their number without analyzing further.
That said we could potentially increase the number of intro points by
doing proposal 246, and at the same time we could also increase their
lifetime period to multiple days (instead of the current 18-24 hours
lifetime), to keep the exposure of hidden services to an acceptable value.
- It was also pointed out that the HSDir algorithm does not take into
account the bandwidth of the nodes, making it easier to launch Sybil
attacks. However, the rest of the the mailing list thread suggests
various ways to do bandwidth weighted hash ring selections , so this
might not be an important factor.
3) Load balancing issue
- With proposal 246, the Tor network decides which relays will be used as
the introduction points of a hidden service. A hidden service cannot pick
its own introduction points, similarly to how currently a hidden service
cannot pick its own HSDirs.
This is a problem because it blocks load balancing solutions like
onionbalance from working. Variants of the onionbalance logic can still
work as suggested in the proposal , at the cost of increased
engineering and sysadmin complexity.
- Another concern here is that hidden services would not be able to change
the number of their introduction points. This is not a big problem
currently, but it could become in the future if the network gets more
overloaded. As a partial solution to this, #17690 suggests making the
number of HSDirs a network-wide consensus parameter that could also be
used by proposal 246.
2) Reachability issue
A final issue here is that if the relay churn of the network increases, the
introduction point hash ring might be changing rapidly and clients might get
pointed to the wrong introduction points.
However, this does not seem like a greater problem than what hidden services
are facing with HSDir reachability currently. Is this right, or does prop246
makes it worse?
Personally, I'm not that concerned about the security issues I outlined
above. I think the security difference will not be that great, and maybe we can
equalize it by using some of the listed solutions. However, more thinking is
I'm currently more concerned about the load balancing and reachability issues
that I outlined above and maybe others that I forget. I would like to have more
assurance that relay churn will not cause reachability issues to the proposal
246 system before we commit to it.
Feedback is very welcome. Also please post any issues that I forgot to mention.
We should try to figure out what to do here as soon as possible.
If we fail to come to a conclusion here, our engineering plan is to ignore
proposal 246 and continue with proposal 224 like it never happened. Of course
this will suck if we later decide that proposal 246 was super important and
should have happened.
More information about the tor-dev