mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-12-11 21:23:35 +01:00
64 lines
2.7 KiB
Plaintext
64 lines
2.7 KiB
Plaintext
|
Filename: 152-single-hop-circuits.txt
|
||
|
Title: Optionally allow exit from single-hop circuits
|
||
|
Version:
|
||
|
Last-Modified:
|
||
|
Author: Geoff Goodell
|
||
|
Created: 13-Jul-2008
|
||
|
Status: Draft
|
||
|
|
||
|
Overview
|
||
|
|
||
|
Provide a special configuration option that adds a line to descriptors
|
||
|
indicating that a router can be used as an exit for one-hop circuits,
|
||
|
and allow clients to attach streams to one-hop circuits provided
|
||
|
that the descriptor for the router in the circuit includes this
|
||
|
configuration option.
|
||
|
|
||
|
Motivation
|
||
|
|
||
|
At some point, code was added to restrict the attachment of streams
|
||
|
to one-hop circuits.
|
||
|
|
||
|
The idea seems to be that we can use the cost of forking and
|
||
|
maintaining a patch as a lever to prevent people from writing
|
||
|
controllers that jeopardize the operational security of routers
|
||
|
and the anonymity properties of the Tor network by creating and
|
||
|
using one-hop circuits rather than the standard three-hop circuits.
|
||
|
It may be, for example, that some users do not actually seek true
|
||
|
anonymity but simply reachability through network perspectives
|
||
|
afforded by the Tor network, and since anonymity is stronger in
|
||
|
numbers, forcing users to contribute to anonymity and decrease the
|
||
|
risk to server operators by using full-length paths may be reasonable.
|
||
|
|
||
|
As presently implemented, the sweeping restriction of one-hop circuits
|
||
|
for all routers limits the usefulness of Tor as a general-purpose
|
||
|
technology for building circuits. In particular, we should allow
|
||
|
for controllers, such as Blossom, that create and use single-hop
|
||
|
circuits involving routers that are not part of the Tor network.
|
||
|
|
||
|
Design
|
||
|
|
||
|
Introduce a configuration option for Tor servers that, when set,
|
||
|
indicates that a router is willing to provide exit from one-hop
|
||
|
circuits. Routers with this policy will not require that a circuit
|
||
|
has at least two hops when it is used as an exit.
|
||
|
|
||
|
In addition, routers for which this configuration option
|
||
|
has been set will have a line in their descriptors, "opt
|
||
|
exit-from-single-hop-circuits". Clients will keep track of which
|
||
|
routers have this option and allow streams to be attached to
|
||
|
single-hop circuits that include such routers.
|
||
|
|
||
|
Security Considerations
|
||
|
|
||
|
This approach seems to eliminate the worry about operational router
|
||
|
security, since server operators will not set the configuraiton
|
||
|
option unless they are willing to take on such risk.
|
||
|
|
||
|
To reduce the impact on anonymity of the network resulting
|
||
|
from including such "risky" routers in regular Tor path
|
||
|
selection, clients may systematically exclude routers with "opt
|
||
|
exit-from-single-hop-circuits" when choosing random paths through
|
||
|
the Tor network.
|
||
|
|