quick circuit tear down question

Jon McLachlan mcla0181 at umn.edu
Wed Jan 30 16:13:37 UTC 2008


Many thanks for the help on understanding the issues and concerns around 
tearing down an ultimate node on a circuit :)
~Jon

Paul Syverson wrote:
> On Mon, Jan 28, 2008 at 03:53:51PM -0500, Roger Dingledine wrote:
>   
>> On Wed, Jan 23, 2008 at 03:47:42PM -0600, Jon McLachlan wrote:
>>     
>>>  Maybe more for developers... but, does anyone know a way to tear down 
>>> only the last relay on an already constructed anonymous Tor circuit, in 
>>> such a way that the circuit remains unchanged except for the 
>>> disappearance of the last hop?  It doesn't seem like this is 
>>> documented/viable in the ControlPort given the spec @ 
>>> http://www.torproject.org/svn/trunk/doc/spec/control-spec.txt, but maybe 
>>> someone knows of a neat or hackish trick?  :)  Or maybe future releases 
>>> of Tor might...
>>>       
>> Check out Section 5.4 of tor-spec.txt, which includes:
>>
>>    To tear down part of a circuit, the OP may send a RELAY_TRUNCATE cell
>>    signaling a given OR (Stream ID zero).  That OR sends a DESTROY
>>    cell to the next node in the circuit, and replies to the OP with a
>>    RELAY_TRUNCATED cell.
>>
>> I don't think we've added any interface for this into the control
>> protocol, because we don't really have a safe use in mind yet. You
>> can read about the feature in tor-design.pdf under the phrase "leaky
>> pipe". But somebody needs to do more anonymity and performance analysis
>> first, to tell us what the tradeoffs are between tearing down part of
>> a circuit and just starting a new one.
>>
>>     
>
> One example concern we had was that someone who owned the first two hops
> could kill the last part of the circuit and hope it was rebuilt to
> a compromised node. Put much too succinctly, this makes the anonymity
> roughly 1 - c^3/n^2 rather than 1 - c^2/n^2 , where c is the number
> of compromised nodes out of n nodes total. That statement rides roughshod
> over many important points. But there were enough concerns with this
> and other aspects of leaky-pipes that we decided we should put off
> deploying them until our analysis was holding water a little better.
>
> aloha,
> Paul
>
>   


