[tor-dev] Revisiting prop224 overlap descriptor logic and descriptor lifetimes

George Kadianakis desnacked at riseup.net
Wed Jun 15 13:02:50 UTC 2016 

Roger Dingledine <arma at mit.edu> writes:

> [ text/plain ]
> On Mon, Jun 13, 2016 at 03:48:39PM +0300, George Kadianakis wrote:
>> The main issue for me right now is that I can't recall how this helps with
>> clock skewed clients, even though that was a big part of our discussion in Montreal.
>> 
>> Specifically, I think that clients (and HSes) should determine the set of
>> responsible HSDirs (i.e. the current time period) based on the "valid-after" of
>> their latest consensus, instead of using their local clock. This way, as long
>> as the client's skewed clock is good enough to verify the latest consensus, the
>> client will have a consistent view of the network and SRV (assuming an
>> honest/updated dirguard). I tried to clarify this a bit in commit 465156d, so
>> please let me know if it's not a good idea.
>
> Interesting idea! I think I like it. You're right that in Montreal
> we were thinking in terms of client clocks, and we might be able to
> reduce the problem (both in frequency and in magnitude) by considering
> the time in the last consensus we have.
>
> Another argument in favor of using the last consensus is that we will be
> picking the "relays that are closest to the right location in the hash
> ring" out of our last consensus already. (That is not a strong argument
> in favor though, I think, since in theory there won't be so much churn
> in a day that all of the relays in our last consensus will become wrong.)
>
> All of this said, it seems like you are basing your arguments on some
> expectations about how clients handle consensuses that have surprising
> dates in them (surprising either because the client's clock is skewed,
> or because their directory guard gave them the wrong consensus). How
> *do* clients handle these situations? If we could get the intended /
> expected behavior written down, then we would have a better chance of
> identifying bugs in it that we can then fix.
>

I agree that we should get the intended/expected behavior written down!

Here is an initial attempt at figuring out the current Tor behavior when
handling consensuses with surprising dates. More work is required here.

> For example, do I as a client just ignore and discard a consensus from
> 6 hours in the future? I don't remember the answer, so I can't do a good
> job at analyzing your proposed change.
>

In general, the relevant time checks seem to happen at
networkstatus_get_reasonably_live_consensus() and not during consensus parsing.
That function is then called by router_have_minimum_dir_info() during
bootstrapping. If that function returns NULL, then Tor will get stuck at
"Boostrapping 25%: Loading networkstatus consensus".

Here is the basic logic of networkstatus_get_reasonably_live_consensus():

------------------------------------------------------
  #define REASONABLY_LIVE_TIME (24*60*60)
  if (consensus &&
      consensus->valid_after <= now &&
      now <= consensus->valid_until+REASONABLY_LIVE_TIME)
    return consensus;
  else
    return NULL;
------------------------------------------------------

And here are the scenarios:

Case #1: Handling consensuses with old dates

     If a client receives a consensus with an old date (i.e. the client's clock
     is skewed forward), the consensus will get verified just fine and Tor
     won't even log about the skew (XXX maybe we should fix this?)

     However when networkstatus_get_reasonably_live_consensus() gets reached,
     Tor will refuse to handle any consensuses whose valid_until date has
     expired by more than 24 hours.

Case #2: Handling consensuses with future dates

     If a client receives a consensus with a valid_after in the future
     (i.e. the client's clock is skewed backwards), the consensus will get
     verified fine and a log will appear about the skew ("Our clock is N hours
     behind the time published in the consensus yada yada...")

     However, when networkstatus_get_reasonably_live_consensus() gets reached,
     Tor will refuse to handle any consensuses whose valid_after date is in the
     future.

We see that while Tor consensus handling is quite flexible towards forward
skewed clocks (case #1), it's actually quite strict towards backward skewed
clocks (case #2). We might want to rethink how this should work, if we are
serious about supporting clock skewed clients. After all, handling consensuses
with future dates is safer than handling consensuses with older dates (which
are replayable).

I also wonder if we can consider the above problem orthogonal wrt prop224.
After all the problem here is on the consensus handling layer, and affects all
current clients and not just HS clients. We should first figure out exactly how
well the current Tor behavior works with the suggested prop224 changes.

BTW, the analysis above does not consider situations where the dirguard gives
us the wrong consensus (by caching accident or malice), or when the clock gets
skewed in the middle of Tor's runtime. Or any other weird scenarios I didn't
think about.

I will try to think more about this RSN. Till then, feedback is welcome :)

More information about the tor-dev mailing list