nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 21:23:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

remove some of the done items, in preparation for overhaul

Browse Source 
svn:r13085
This commit is contained in:
Roger Dingledine 2008-01-09 15:11:49 +00:00
parent c7df6b4908
commit f033bd062f
1 changed files with 22 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
doc/design-paper/roadmap-future.tex
View File

@ -14,8 +14,8 @@
\begin{document} \begin{document}
\title{Tor Development Roadmap: Wishlist for Nov 2006--Dec 2007} \title{Tor Development Roadmap: Wishlist for 2008 and beyond}
\author{Roger Dingledine \and Nick Mathewson \and Shava Nerad} \author{Roger Dingledine \and Nick Mathewson}
\maketitle \maketitle
\pagestyle{plain} \pagestyle{plain}
@ -26,23 +26,13 @@
\section{Introduction} \section{Introduction}
%Hi, Roger! Hi, Shava. This paragraph should get deleted soon. Right now,
%this document goes into about as much detail as I'd like to go into for a
%technical audience, since that's the audience I know best. It doesn't have
%time estimates everywhere. It isn't well prioritized, and it doesn't
%distinguish well between things that need lots of research and things that
%don't. The breakdowns don't all make sense. There are lots of things where
%I don't make it clear how they fit into larger goals, and lots of larger
%goals that don't break down into little things. It isn't all stuff we can do
%for sure, and it isn't even all stuff we can do for sure in 2007. The
%tmp\{\} macro indicates stuff I haven't said enough about. That said, here
%plangoes...
Tor (the software) and Tor (the overall software/network/support/document Tor (the software) and Tor (the overall software/network/support/document
suite) are now experiencing all the crises of success. Over the next year, suite) are now experiencing all the crises of success. Over the next
we're probably going to grow more in terms of users, developers, and funding years, we're probably going to grow more in terms of users, developers,
than before. This gives us the opportunity to perform long-neglected and funding than before. This document attempts to lay out all the
maintenance tasks. well-understood next steps that Tor needs to take. We should periodically
reorganize it to reflect current and intended priorities.
\section{Code and design infrastructure} \section{Code and design infrastructure}
@ -96,22 +86,6 @@ significantly. Sadly, many of these are patented and unavailable for us.
\subsection{Scalability} \subsection{Scalability}
\subsubsection{Improved directory efficiency} \subsubsection{Improved directory efficiency}
Right now, clients download a statement of the {\bf network status} made by
each directory authority. We could reduce network bandwidth significantly by
having the authorities jointly sign a statement reflecting their vote on the
current network status. This would save clients up to 160K per hour, and
make their view of the network more uniform. Of course, we'd need to make
sure the voting process was secure and resilient to failures in the
network.\plan{Must do; specify in 2006. 2 weeks to specify, 3-4 weeks to
implement.}
We should {\bf shorten router descriptors}, since the current format includes
a great deal of information that's only of interest to the directory
authorities, and not of interest to clients. We can do this by having each
router upload a short-form and a long-form signed descriptor, and having
clients download only the short form. Even a naive version of this would
save about 40\% of the bandwidth currently spent by clients downloading
descriptors.\plan{Must do; specify in 2006. 3-4 weeks.}
We should {\bf have routers upload their descriptors even less often}, so We should {\bf have routers upload their descriptors even less often}, so
that clients do not need to download replacements every 18 hours whether any that clients do not need to download replacements every 18 hours whether any
@ -154,11 +128,12 @@ have some preliminary designs~\cite{incentives-txt,tor-challenges},
but need to perform but need to perform
some more research to make sure they would be safe and effective.\plan{Write some more research to make sure they would be safe and effective.\plan{Write
a draft paper; 2 person-months.} a draft paper; 2 person-months.}
(XXX we did that)
\subsection{Portability} \subsection{Portability}
Our {\bf Windows implementation}, though much improved, continues to lag Our {\bf Windows implementation}, though much improved, continues to lag
behind Unix and Mac OS X, especially when running as a server. We hope to behind Unix and Mac OS X, especially when running as a server. We hope to
merge promising patches from Mike Chiussi to address this point, and bring merge promising patches from Christian King to address this point, and bring
Windows performance on par with other platforms.\plan{Do in 2007; 1.5 months Windows performance on par with other platforms.\plan{Do in 2007; 1.5 months
to integrate not counting Mike's work.} to integrate not counting Mike's work.}
@ -166,10 +141,6 @@ We should have {\bf better support for portable devices}, including modes of
operation that require less RAM, and that write to disk less frequently (to operation that require less RAM, and that write to disk less frequently (to
avoid wearing out flash RAM).\plan{Optional; 2 weeks.} avoid wearing out flash RAM).\plan{Optional; 2 weeks.}
We should {\bf stop using socketpair on Windows}; instead, we can use
in-memory structures to communicate between cpuworkers and the main thread,
and between connections.\plan{Optional; 1 week.}
\subsection{Performance: resource usage} \subsection{Performance: resource usage}
We've been working on {\bf using less RAM}, especially on servers. This has We've been working on {\bf using less RAM}, especially on servers. This has
paid off a lot for directory caches in the 0.1.2, which in some cases are paid off a lot for directory caches in the 0.1.2, which in some cases are
@ -181,20 +152,8 @@ chunks produced with a specialized allocator.) This could potentially save
around 25 to 50\% of the memory currently allocated for network buffers, and around 25 to 50\% of the memory currently allocated for network buffers, and
make Tor a more attractive proposition for restricted-memory environments make Tor a more attractive proposition for restricted-memory environments
like old computers, mobile devices, and the like.\plan{Do in 2007; 2-3 weeks like old computers, mobile devices, and the like.\plan{Do in 2007; 2-3 weeks
plus one week measurement.} plus one week measurement.} (XXX We did this, but we need to do something
more/else.)
We should improve our {\bf bandwidth limiting}. The current system has been
crucial in making users willing to run servers: nobody is willing to run a
server if it might use an unbounded amount of bandwidth, especially if they
are charged for their usage. We can make our system better by letting users
configure bandwidth limits independently for their own traffic and traffic
relayed for others; and by adding write limits for users running directory
servers.\plan{Do in 2006; 2-3 weeks.}
On many hosts, sockets are still in short supply, and will be until we can
migrate our protocol to UDP. We can {\bf use fewer sockets} by making our
self-to-self connections happen internally to the code rather than involving
the operating system's socket implementation.\plan{Optional; 1 week.}
\subsection{Performance: network usage} \subsection{Performance: network usage}
We know too little about how well our current path We know too little about how well our current path
@ -272,39 +231,25 @@ tool.
\subsection{Implementation: client-side and bridges-side} \subsection{Implementation: client-side and bridges-side}
Our anticensorship design calls for some nodes to act as ``bridges''
that are outside a national firewall, and others inside the firewall to
act as pure clients. This part of the design is quite clear-cut; we're
probably ready to begin implementing it. To {\bf implement bridges}, we
need to have servers publish themselves as limited-availability relays
to a special bridge authority if they judge they'd make good servers.
We will also need to help provide documentation for port forwarding,
and an easy configuration tool for running as a bridge.
To {\bf implement clients}, we need to provide a flexible interface to
learn about bridges and to act on knowledge of bridges. We also need
to teach them how to know to use bridges as their first hop, and how to
fetch directory information from both classes of directory authority.
Clients also need to {\bf use the encrypted directory variant} added in Tor
0.1.2.3-alpha. This will let them retrieve directory information over Tor
once they've got their initial bridges. We may want to get the rest of the
Tor user base to begin using this encrypted directory variant too, to
provide cover.
Bridges will want to be able to {\bf listen on multiple addresses and ports} Bridges will want to be able to {\bf listen on multiple addresses and ports}
if they can, to give the adversary more ports to block. if they can, to give the adversary more ports to block.
\subsection{Research: anonymity implications from becoming a bridge} \subsection{Research: anonymity implications from becoming a bridge}
see arma's bridge proposal; e.g. should bridge users use a second layer of
entry guards?
\subsection{Implementation: bridge authority} \subsection{Implementation: bridge authority}
The design here is also reasonably clear-cut: we need to run some we run some
directory authorities with a slightly modified protocol that doesn't leak directory authorities with a slightly modified protocol that doesn't leak
the entire list of bridges. Thus users can learn up-to-date information the entire list of bridges. Thus users can learn up-to-date information
for bridges they already know about, but they can't learn about arbitrary for bridges they already know about, but they can't learn about arbitrary
new bridges. new bridges.
we need a design for distributing the bridge authority over more than one
server
\subsection{Normalizing the Tor protocol on the wire} \subsection{Normalizing the Tor protocol on the wire}
Additionally, we should {\bf resist content-based filters}. Though an Additionally, we should {\bf resist content-based filters}. Though an
adversary can't see what users are saying, some aspects of our protocol are adversary can't see what users are saying, some aspects of our protocol are
@ -313,10 +258,6 @@ easy to fingerprint {\em as} Tor. We should correct this where possible.
Look like Firefox; or look like nothing? Look like Firefox; or look like nothing?
Future research: investigate timing similarities with other protocols. Future research: investigate timing similarities with other protocols.
\subsection{Access control for bridges}
Design/impl: password-protecting bridges, in light of above.
And/or more general access control.
\subsection{Research: scanning-resistance} \subsection{Research: scanning-resistance}
\subsection{Research/Design/Impl: how users discover bridges} \subsection{Research/Design/Impl: how users discover bridges}
@ -398,14 +339,6 @@ resist these attacks, or can improve our design to resist them, we should.
unless a graduate student is interested.} unless a graduate student is interested.}
\subsection{Implementation security} \subsection{Implementation security}
Right now, each Tor node stores its keys unencrypted. We should {\bf encrypt
more Tor keys} so that Tor authorities can require a startup password. We
should look into adding intermediary medium-term ``signing keys'' between
identity keys and onion keys, so that a password could be required to replace
a signing key, but not to start Tor. This would improve Tor's long-term
security, especially in its directory authority infrastructure.\plan{Design this
as a part of the revised ``v2.1'' directory protocol; implement it in
2007. 3-4 weeks.}
We should also {\bf mark RAM that holds key material as non-swappable} so We should also {\bf mark RAM that holds key material as non-swappable} so
that there is no risk of recovering key material from a hard disk that there is no risk of recovering key material from a hard disk
@ -458,11 +391,11 @@ them as belonging to the same family.\plan{Do during v2.1 directory protocol
To avoid attacks where an adversary claims good performance in order to To avoid attacks where an adversary claims good performance in order to
attract traffic, we should {\bf have authorities measure node performance} attract traffic, we should {\bf have authorities measure node performance}
(including stability and bandwidth) themselves, and not simply believe what (including stability and bandwidth) themselves, and not simply believe what
they're told. Measuring stability can be done by tracking MTBF. Measuring they're told. We also measure stability by tracking MTBF. Measuring
bandwidth can be tricky, since it's hard to distinguish between a server with bandwidth will be tricky, since it's hard to distinguish between a server with
low capacity, and a high-capacity server with most of its capacity in low capacity, and a high-capacity server with most of its capacity in
use.\plan{Do ``Stable'' in 2007; 2-3 weeks. ``Fast'' will be harder; do it use. See also Nikita's NDSS 2008 paper.\plan{Do it if we can interest
if we can interest a grad student.} a grad student.}
{\bf Operating a directory authority should be easier.} We rely on authority {\bf Operating a directory authority should be easier.} We rely on authority
operators to keep the network running well, but right now their job involves operators to keep the network running well, but right now their job involves