r19275@catbus: nickm | 2008-04-09 16:24:35 -0400

Sort deferred-from-0.2.0 items.


svn:r14335
This commit is contained in:
Nick Mathewson 2008-04-09 20:31:54 +00:00
parent 4901ee0a8c
commit e26c1dcba7

185
doc/TODO
View File

@ -234,8 +234,22 @@ For 0.2.1.x:
- 134: handle authority fragmentation.
- Proposals to write:
- Multilayered guards to keep bridges hidden.
- Do we want to maintain our own set of entryguards that we use as
next hop after the bridge?
- Add an 'exit-address' line in the descriptor for servers that exit
from something that isn't their published address.
- Proposal to supersede 117 by adding IPv6 support for exits and entries.
- Internal code support for ipv6:
o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist.
- Most address variables need to become tor_addr_t
- Teach resolving code how to handle ipv6.
- Teach exit policies about ipv6 (consider ipv4/ipv6 interaction!)
- 118: Listen on and advertise multiple ports:
- Tor should be able to have a pool of outgoing IP addresses that it is
able to rotate through. (maybe. Possible overlap with proposal 118.)
- config option to publish what ports you listen on, beyond
ORPort/DirPort. It should support ranges and bit prefixes (?) too.
(This is very similar to proposal 118.)
- Fix voting to handle bug 608 case when multiple servers get
Named.
- Possibly: revise link protocol to allow big circuit IDs,
@ -253,8 +267,9 @@ For 0.2.1.x:
still be valuable as a blocking-resistance step.
- Patch our tor.spec rpm package so it knows where to put the fallback
consensus file.
- Something for bug 469, to limit connections per IP.
- Tiny designs to write:
- Tiny designs to write:
- Better estimate of clock skew; has anonymity implications. Clients
should estimate their skew as median of skew from servers over last
N seconds, but for servers this is not so easy, since a server does
@ -270,6 +285,8 @@ W - figure out license *
- Optimize cell pool allocation.
- Support (or just always use) jemalloc
- mmap more files.
- Use less bandwidth
- Use if-modified-since to download consensuses
- Handle multi-core cpus better
- Use information from NETINFO cells
- Don't extend a circuit over a noncanonical connection with
@ -291,6 +308,12 @@ W - figure out license *
- Get a "use less buffer ram" patch into openssl. *
- Get IOCP patch into libevent *
- Security improvements
- make is-consensus-fresh-enough check way tighter.
- If we haven't tried downloading a consensus for ages since we're tired,
try getting a new one before we use old descriptors for a circuit.
Related to bug 401.
- Feature removals and deprecations:
- Get rid of the v1 directory stuff (making, serving, and caching)
- First verify that the caches won't flip out?
@ -308,10 +331,19 @@ Nice to have for 0.2.1.x:
- Better support for private networks: figure out what is hard, and
make it easier.
- Proposals to write
- steven's plan for replacing check.torproject.org with a built-in
answer by tor itself.
- Documentation
P - Make documentation realize that location of system configuration file
will depend on location of system defaults, and isn't always /etc/torrc.
- Small controller features
- A status event for when tor decides to stop fetching directory info
if the client hasn't clicked recently: then make the onion change too.
- Add a status event when new consensus arrives
- Windows build
P - Figure out why dll's compiled in mingw don't work right in WinXP.
P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle
@ -325,6 +357,12 @@ P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle
less magic and less control logic.
- Don't call time(NULL) so much; instead have a static time_t field
that gets updated only a handful of times per second.
- Move all status info out of routerinfo into local_routerstatus. Make
"who can change what" in local_routerstatus explicit. Make
local_routerstatus (or equivalent) subsume all places to go for "what
router is this?"
- deprecate router_digest_is_trusted_dir() in favor of
router_get_trusteddirserver_by_digest()
- Make Tor able to chroot itself
o allow it to load an entire config file from control interface
@ -344,6 +382,7 @@ P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle
- Make 'safelogging' extend to info-level logs too.
- Interface for letting SOAT modify flags that authorities assign.
(How to keep the authority from clobbering them afterwords?
Later, unless people want to implement them now:
- Actually use SSL_shutdown to close our TLS connections.
@ -351,10 +390,25 @@ Later, unless people want to implement them now:
[Nick: bridge authorities output a networkstatus that is missing
version numbers. This is inconvenient if we want to make sure
bridgedb gives out bridges with certain characteristics. -RD]
[Okay. Is this a separate item, or is it the same issue as the lack of
a "v" line in response to the controller GETINFO command? -NM]
- Let tor dir mirrors proxy connections to the tor download site, so
if you know a bridge you can fetch the tor software.
- when somebody uses the controlport as an http proxy, give them
a "tor isn't an http proxy" error too like we do for the socks port.
- MAYBE kill stalled circuits rather than stalled connections. This is
possible thanks to cell queues, but we need to consider the anonymity
implications.
- Make resolves no longer use edge_connection_t unless they are actually
_on_ a socks connection: have edge_connection_t and (say)
dns_request_t both extend an edge_stream_t, and have p_streams and
n_streams both be linked lists of edge_stream_t.
- Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the
online config documentation from a single source.
- It would be potentially helpful to respond to https requests on
the OR port by acting like an HTTPS server.
- Make the timestamp granularity on logs configurable, with default
of "1 second". This might make some kinds of after-the-fact attack harder.
Can anybody remember why we wanted to do this and/or what it means?
- config option __ControllerLimit that hangs up if there are a limit
@ -362,18 +416,23 @@ Can anybody remember why we wanted to do this and/or what it means?
[This was mwenge's idea. The idea is that a Tor controller can
"fill" Tor's controller slot quota, so jerks can't do cross-protocol
attacks like the http form attack. -RD]
- configurable timestamp granularity. defaults to 'seconds'.
[This was Nick's idea. The idea to make the log timestamps much more
vague, so by default they don't help timing attacks much even if
they're leaked. -RD]
- Bridge issues
. Ask all directory questions to bridge via BEGIN_DIR.
- use the bridges for dir fetches even when our dirport is open.
- drop 'authority' queries if they're to our own identity key; accept
them otherwise.
- give extend_info_t a router_purpose again
* * * *
- steven's plan for replacing check.torproject.org with a built-in
answer by tor itself.
- a status event for when tor decides to stop fetching directory info
if the client hasn't clicked recently: then make the onion change too.
If somebody wants to do this in some version, they should:
- Create packages for Nokia 800, requested by Chris Soghoian
- More work on AvoidDiskWrites
- Make DNSPort support TCP DNS.
* * * * Roger, please sort these: * * * *
- bridge communities with local bridge authorities:
- clients who have a password configured decide to ask their bridge
authority for a networkstatus
@ -382,102 +441,32 @@ Can anybody remember why we wanted to do this and/or what it means?
- Consider if we can solve: the Tor client doesn't know what flags
its bridge has (since it only gets the descriptor), so it can't
make decisions based on Fast or Stable.
- anonymity concern: since our is-consensus-fresh-enough check is
sloppy so clients will actually work when a consensus wasn't formed,
does that mean that if users are idle for 5 hours and then click on
something, we will immediately use the old descriptors we've got,
while we try fetching the newer descriptors?
related to bug 401.
- Create packages for Nokia 800, requested by Chris Soghoian
- Bridges:
. Bridges users (rudimentary version)
. Ask all directory questions to bridge via BEGIN_DIR.
- use the bridges for dir fetches even when our dirport is open.
- drop 'authority' queries if they're to our own identity key; accept
them otherwise.
- give extend_info_t a router_purpose again
d Limit to 2 dir, 2 OR, N SOCKS connections per IP.
- Or maybe close connections from same IP when we get a lot from one.
- Or maybe block IPs that connect too many times at once.
- Bridge authorities should do reachability testing but only on the
purpose==bridge descriptors they have.
- Some mechanism for specifying that we want to stop using a cached
bridge.
* * * *
Removing these because they're tracked elsewhere:
- we try to build 4 test circuits to break them over different
servers. but sometimes our entry node is the same for multiple
test circuits. this defeats the point.
[ TRACKED IN BUG 654 ]
d Limit to 2 dir, 2 OR, N SOCKS connections per IP.
- Or maybe close connections from same IP when we get a lot from one.
- Or maybe block IPs that connect too many times at once.
[ Same as bug 469 ]
- more strategies for distributing bridge addresses in a way that
doesn't rely on knowing somebody who runs a bridge for you.
- A way to adjust router status flags from the controller. (How do we
prevent the authority from clobbering them soon afterward?)
- Bridge authorities should do reachability testing but only on the
purpose==bridge descriptors they have.
Deferred from 0.2.0.x:
- Proposals
o 101: Voting on the Tor Directory System (plus 103)
N - Use if-modified-since on consensus download
- Controller support
D GETINFO to get consensus
N - Event when new consensus arrives
- 113: Simplifying directory authority administration
- 110: prevent infinite-length circuits (phase one)
- 118: Listen on and advertise multiple ports:
- Tor should be able to have a pool of outgoing IP addresses that it is
able to rotate through. (maybe. Possible overlap with proposal 118.)
- config option to publish what ports you listen on, beyond
ORPort/DirPort. It should support ranges and bit prefixes (?) too.
(This is very similar to proposal 118.)
- 117: IPv6 Exits
- Internal code support for ipv6:
o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist.
- Most address variables need to become tor_addr_t
- Teach resolving code how to handle ipv6.
- Teach exit policies about ipv6 (consider ipv4/ipv6 interaction!)
- Features
- Let controller set router flags for authority to transmit, and for
client to use.
- add an 'exit-address' line in the descriptor for servers that exit
from something that isn't their published address.
- More work on AvoidDiskWrites?
- Features
- Make a TCP DNSPort
- Protocol work
- MAYBE kill stalled circuits rather than stalled connections. This is
possible thanks to cell queues, but we need to consider the anonymity
implications.
- Implement TLS shutdown properly when possible.
- Bugs
- If the client's clock is too far in the past, it will drop (or just not
try to get) descriptors, so it'll never build circuits.
- Refactoring
- Make resolves no longer use edge_connection_t unless they are actually
_on_ a socks connection: have edge_connection_t and (say)
dns_request_t both extend an edge_stream_t, and have p_streams and
n_streams both be linked lists of edge_stream_t.
- Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the
online config documentation from a single source.
- Move all status info out of routerinfo into local_routerstatus. Make
"who can change what" in local_routerstatus explicit. Make
local_routerstatus (or equivalent) subsume all places to go for "what
router is this?"
- Blocking/scanning-resistance
- It would be potentially helpful to respond to https requests on
the OR port by acting like an HTTPS server.
- Do we want to maintain our own set of entryguards that we use as
next hop after the bridge? Open research question; let's say no
for 0.2.0 unless we learn otherwise.
- Some mechanism for specifying that we want to stop using a cached
bridge.
- Build:
- Detect correct version of libraries from autoconf script.
[ In birdgedb TODO ]
=======================================================================
Future versions:
- deprecate router_digest_is_trusted_dir() in favor of
router_get_trusteddirserver_by_digest()
- See also Flyspray tasks.
- See also all OPEN/ACCEPTED proposals.
- See also all items marked XXXX and FFFF in the code.
- Protocol:
- Our current approach to block attempts to use Tor as a single-hop proxy