[tor-dev] Open topics of prop247: Defending Against Guard Discovery Attacks using Vanguards

George Kadianakis desnacked at riseup.net
Wed May 17 11:51:48 UTC 2017


Hello,

here is some background information and a summary of proposal 247
"Defending Against Guard Discovery Attacks using Vanguards" for people
who plan to work on this in the short-term future.

I include a list of open design topics (probably not exhaustive) and a list of
engineering topics. Some engineering stuff can be done in parallel to the design stuff.

==================== Background info ====================

* Proposal: https://gitweb.torproject.org/torspec.git/tree/proposals/247-hs-guard-discovery.txt
* Discussion:
** Initial prop247 thread: https://lists.torproject.org/pipermail/tor-dev/2015-July/009066.html
** Recent prop247 thread: https://lists.torproject.org/pipermail/tor-dev/2015-September/009497.html
** Reading group notes of prop247: https://lists.torproject.org/pipermail/tor-dev/2016-January/010265.html

==================== Design topics ====================

* Optimize proposal parameters
** Optimize guardset sizes
** Optimize guardset lifetimes and prob distributions (minXX/maxXX/uniform?)
** To take an informed decision, we might need a prop247 simulator, or an actual PoC with txtorcon

* HOW to choose second-layer and third-layer guards?
** Should they be Guards? middles? Vanguards? Serious security / load balancing implications!
** Can guardsets share guards between them or are they disjoint? Particularly third-layer sets
** background: https://lists.torproject.org/pipermail/tor-dev/2016-January/010265.html

* HOW to avoid side-channel guard discovery threats?
** Can IP/RP be the same as first-layer guard?
** Can first-layer guard be the same as third-layer guard?
** background: https://gitweb.torproject.org/user/mikeperry/torspec.git/commit/?h=guard_discovery_dev2

* Change path selection for IP circs to avoid third-layer guard linkability threats.
** Switch from [HS->G1->M->IP] to [HS->G1->G2->G3->IP] or even to [HS->G1->G2->G3->M->IP].
** Consider the latter option for HSDir circs as well?
** background: https://gitweb.torproject.org/user/mikeperry/torspec.git/commit/?h=guard_discovery_dev2

* Should prop247 be optional or default?
** Consider making it optional for a testing period?

* How does prop247 affect network performance and load balancing?
** especially if it's enabled by default?
** Update load balancing proposal?

* Correct behavior for multiple HSes on single host?

* Does prop247 influence guard fingerprinting (#10969) and should we care enough?

==================== Engineering topics ====================

* What's a good entrynodes API to implement prop247? 
* What's a good state file API to implement prop247?

* Write prop247 simulator to verify security goals and optimize proposal parameters (see above).

* Write PoC with txtorcon!
* Write PoC with little-t-tor!

============================================================

