[tor-dev] Open topics of prop247: Defending Against Guard Discovery Attacks using Vanguards

George Kadianakis desnacked at riseup.net
Wed May 17 11:51:48 UTC 2017


Here is some background information and a summary of proposal 247
"Defending Against Guard Discovery Attacks using Vanguards" for people
who plan to work on this in the short-term future.

I include a list of open design topics (probably not exhaustive) and a list of
engineering topics. Some engineering stuff can be done in parallel to the design stuff.

==================== Background info ====================

* Proposal: https://gitweb.torproject.org/torspec.git/tree/proposals/247-hs-guard-discovery.txt
* Discussion:
** Initial prop247 thread: https://lists.torproject.org/pipermail/tor-dev/2015-July/009066.html
** Recent prop247 thread: https://lists.torproject.org/pipermail/tor-dev/2015-September/009497.html
** Reading group notes of prop247: https://lists.torproject.org/pipermail/tor-dev/2016-January/010265.html

==================== Design topics ====================

* Optimize proposal parameters
** Optimize guardset sizes
** Optimize guardset lifetimes and prob distributions (minXX/maxXX/uniform?)
** To make an informed decision, we might need a prop247 simulator, or an actual PoC with txtorcon

* HOW to choose second-layer and third-layer guards?
** Should they be Guards? middles? Vanguards? Serious security / load balancing implications!
** Can guardsets share guards between them or are they disjoint? Particularly third-layer sets
** background: https://lists.torproject.org/pipermail/tor-dev/2016-January/010265.html

* HOW to avoid side-channel guard discovery threats?
** Can IP/RP be the same as first-layer guard?
** Can first-layer guard be the same as third-layer guard?
** background: https://gitweb.torproject.org/user/mikeperry/torspec.git/commit/?h=guard_discovery_dev2

* Change path selection for IP circs to avoid third-layer guard linkability threats.
** Switch from [HS->G1->M->IP] to [HS->G1->G2->G3->IP] or even to [HS->G1->G2->G3->M->IP].
** Consider the latter option for HSDir circs as well?
** background: https://gitweb.torproject.org/user/mikeperry/torspec.git/commit/?h=guard_discovery_dev2

* Should prop247 be optional or default?
** Consider making it optional for a testing period?

* How does prop247 affect network performance and load balancing?
** especially if it's enabled by default?
** Update load balancing proposal?

* Correct behavior for multiple HSes on single host?

* Does prop247 influence guard fingerprinting (#10969) and should we care enough?

==================== Engineering topics ====================

* What's a good entrynodes API to implement prop247? 
* What's a good state file API to implement prop247?

* Write prop247 simulator to verify security goals and optimize proposal parameters (see above).

* Write PoC with txtorcon!
* Write PoC with little-t-tor!

