mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-10 21:23:58 +01:00
46574319a2
start restructuring dns to use priority queues for expiring entries. svn:r6954
336 lines
15 KiB
Plaintext
336 lines
15 KiB
Plaintext
$Id$
|
|
Legend:
|
|
SPEC!! - Not specified
|
|
SPEC - Spec not finalized
|
|
N - nick claims
|
|
R - arma claims
|
|
P - phobos claims
|
|
- Not done
|
|
* Top priority
|
|
. Partially done
|
|
o Done
|
|
D Deferred
|
|
X Abandoned
|
|
|
|
. <nickm> "Let's try to find a way to make it run and make the version
|
|
match, but if not, let's just make it run."
|
|
- <arma> "should we detect if we have a --with-ssl-dir and try the -R
|
|
by default, if it works?"
|
|
|
|
Items for 0.1.2.x:
|
|
- Bug: We are willing to build circuits using not-up-to-date descriptors,
|
|
when we get a request and we've been idle a long time.
|
|
- We should ship with a list of stable dir mirrors -- they're not
|
|
trusted like the authorities, but they'll provide more robustness
|
|
and diversity for bootstrapping clients.
|
|
- Servers are easy to setup and run: being a relay is about as easy as
|
|
being a client.
|
|
- Reduce resource load
|
|
- look into "uncounting" bytes spent on local connections. so
|
|
we can bandwidthrate but still have fast downloads.
|
|
- Write limiting; separate token bucket for write
|
|
o dir answers include a your-ip-address-is header, so we can
|
|
break our dependency on dyndns.
|
|
- Count TLS bandwidth more accurately
|
|
- Write-limit directory responses.
|
|
N . Improve memory usage on tight-memory machines.
|
|
- Directory-related fixes.
|
|
o Remember offset and location of each descriptor in the cache/journal
|
|
o When sending a big pile of descs to a client, don't shove them all
|
|
on the buffer at once. Keep a list of the descriptor digests for
|
|
the descriptors we still want to send. We might end up truncating
|
|
some replies by returning fewer descriptors than were requested (if
|
|
somebody requests a desc that we throw away before we deliver it),
|
|
but this happens only when somebody wants an obsolete desc, and
|
|
clients can already handle truncated replies.
|
|
o But what do we do about compression? That's the part that makes
|
|
stuff hard.
|
|
o Implement compress/decompress-on-the-fly support.
|
|
o Use it for returning lists of descriptors.
|
|
o Use it for returning lists of network status docs. (This will
|
|
take a hybrid approach; let's get the other bits working first.)
|
|
o Make clients handle missing Content-Length tags. (Oh, they do.)
|
|
o Verify that this has happened for a long time.
|
|
o Try a similar trick for spooling out v1 directories. These we
|
|
_uncompress_ on the fly.
|
|
- Look into pulling serverdescs off buffers as they arrive.
|
|
. Mmap cache files where possible.
|
|
o Mmap cached-routers file; when building it, go oldest-to-newest.
|
|
- More unit tests and asserts for cached-routers file: ensure digest
|
|
for the right router. Verify dl by digest, fp, etc.
|
|
. Make sure cached-routers values and offsets are correct in the
|
|
presence of windows FS insanity.
|
|
- Save and mmap v1 directories; store them zipped, not
|
|
uncompressed.
|
|
- Store networkstatus docs zipped, not uncompressed. Maaaybe mmap
|
|
them too.
|
|
o Be a little more OO to save memory in frequently
|
|
replicated structs.
|
|
o Split circuit_t into origin circuits and or circuits
|
|
o Move as many fields as reasonable out of base class.
|
|
o Re-pack structs to avoid wasted bytes.
|
|
o Split connection_t based on type field.
|
|
|
|
- "bandwidth classes", for incoming vs initiated-here conns.
|
|
o Asynchronous DNS
|
|
. And test it
|
|
. Make it work on windows.
|
|
o Implement
|
|
- Test
|
|
- Make it the default on platforms where it works
|
|
|
|
- Security improvements
|
|
- Directory guards
|
|
R - remember the last time we saw one of our entry guards labelled with
|
|
the GUARD flag. If it's been too long, it is not suitable for use.
|
|
If it's been really too long, remove it from the list.
|
|
|
|
- Make reverse DNS work.
|
|
|
|
- Performance improvements
|
|
- Better estimates in the directory of whether servers have good uptime
|
|
(high expected time to failure) or good guard qualities (high
|
|
fractional uptime).
|
|
- AKA Track uptime as %-of-time-up, as well as time-since-last-down.
|
|
- Clients should prefer to avoid exit nodes for non-exit path positions.
|
|
(bug 200)
|
|
- Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
|
|
|
|
- A more efficient dir protocol.
|
|
- Clients stop dumping old descriptors if the network-statuses
|
|
claim they're still valid.
|
|
- Later, servers will stop generating new descriptors simply
|
|
because 18 hours have passed.
|
|
- Authorities should fetch the network-statuses amongst each
|
|
other, consensus them, and advertise a communal network-status.
|
|
This is not so much for safety/complexity as it is to reduce
|
|
bandwidth requirements for Alice.
|
|
- How does this interact with our goal of being able to choose
|
|
your own dir authorities? I guess we're now assuming that all
|
|
dir authorities know all the other authorities in their "group"?
|
|
- Should we also look into a "delta since last network-status
|
|
checkpoint" scheme, to reduce overhead further?
|
|
- Extend the "r" line in network-status to give a set of buckets (say,
|
|
comma-separated) for that router.
|
|
- Buckets are deterministic based on IP address.
|
|
- Then clients can choose a bucket (or set of buckets) to
|
|
download and use.
|
|
|
|
- Critical but minor bugs, backport candiates.
|
|
- If the client's clock is too far in the past, it will drop (or
|
|
just not try to get) descriptors, so it'll never build circuits.
|
|
R - Failed rend desc fetches sometimes don't get retried.
|
|
. If we fail to connect via an exit enclave, (warn and) try again
|
|
without demanding that exit node.
|
|
- And recognize when extending to the enclave node is failing,
|
|
so we can abandon then too.
|
|
R - non-v1 authorities should not accept rend descs.
|
|
- We need a separate list of "hidserv authorities" if we want to
|
|
retire moria1 from the main list.
|
|
- support dir 503s better
|
|
o clients don't log as loudly when they receive them
|
|
- they don't count toward the 3-strikes rule
|
|
- should there be some threshold of 503's after which we give up?
|
|
- think about how to split "router is down" from "dirport shouldn't
|
|
be tried for a while"?
|
|
- authorities should *never* 503 a cache, but *should* 503 clients
|
|
when they feel like it.
|
|
- update dir-spec with what we decided for each of these
|
|
- provide no-cache no-index headers from the dirport?
|
|
|
|
- Windows server usability
|
|
- Solve the ENOBUFS problem.
|
|
- make tor's use of openssl operate on buffers rather than sockets,
|
|
so we can make use of libevent's buffer paradigm once it has one.
|
|
- make tor's use of libevent tolerate either the socket or the
|
|
buffer paradigm; includes unifying the functions in connect.c.
|
|
- We need a getrlimit equivalent on Windows so we can reserve some
|
|
file descriptors for saving files, etc. Otherwise we'll trigger
|
|
asserts when we're out of file descriptors and crash.
|
|
M - rewrite how libevent does select() on win32 so it's not so very slow.
|
|
- Add overlapped IO
|
|
|
|
- When we connect to a Tor server, it sends back a cell listing
|
|
the IP it believes it is using. Use this to block dvorak's attack.
|
|
Also, this is a fine time to say what time you think it is.
|
|
o Verify that a new cell type is okay with deployed codebase
|
|
. Specify HELLO cells
|
|
- Implement
|
|
|
|
N - Exitlist should avoid outputting the same IP address twice.
|
|
|
|
N - Write path-spec.txt
|
|
- Break the dir v1 stuff out of tor-spec.txt into dir-spec-v1.txt,
|
|
and change the new dir-spec.txt to dir-spec-v2.txt.
|
|
|
|
- Packaging
|
|
- Tell people about OSX Uninstaller
|
|
- Quietly document NT Service options
|
|
|
|
- Docs
|
|
- More prominently, we should have a recommended apps list.
|
|
- recommend gaim.
|
|
- unrecommend IE because of ftp:// bug.
|
|
- torrc.complete.in needs attention?
|
|
|
|
Topics to think about during 0.1.2.x development:
|
|
* Figure out incentives.
|
|
- (How can we make this tolerant of a bad v0?)
|
|
* Figure out non-clique.
|
|
* Figure out China.
|
|
- Figure out avoiding duplicate /24 lines
|
|
- Figure out partial network knowledge.
|
|
- Figure out hidden services.
|
|
|
|
Minor items for 0.1.2.x as time permits.
|
|
- Rate limit exit connections to a given destination -- this helps
|
|
us play nice with websites when Tor users want to crawl them; it
|
|
also introduces DoS opportunities.
|
|
- The bw_accounting file should get merged into the state file.
|
|
- Streamline how we define a guard node as 'up'.
|
|
- Better installers and build processes.
|
|
- Commit edmanm's win32 makefile to tor cvs contrib, or write a new one.
|
|
- Christian Grothoff's attack of infinite-length circuit.
|
|
the solution is to have a separate 'extend-data' cell type
|
|
which is used for the first N data cells, and only
|
|
extend-data cells can be extend requests.
|
|
- Specify, including thought about anonymity implications.
|
|
- Display the reasons in 'destroy' and 'truncated' cells under some
|
|
circumstances?
|
|
- We need a way for the authorities to declare that nodes are
|
|
in a family. Also, it kinda sucks that family declarations use O(N^2)
|
|
space in the descriptors.
|
|
- If the server is spewing complaints about raising your ulimit -n,
|
|
we should add a note about this to the server descriptor so other
|
|
people can notice too.
|
|
- rate limit the number of exit connections to a given destination, to
|
|
help with DoS/crawling issues.
|
|
- cpu fixes:
|
|
- see if we should make use of truncate to retry
|
|
- kill dns workers more slowly
|
|
. Directory changes
|
|
. Some back-out mechanism for auto-approval
|
|
- a way of rolling back approvals to before a timestamp
|
|
- Consider minion-like fingerprint file/log combination.
|
|
- packaging and ui stuff:
|
|
. multiple sample torrc files
|
|
. figure out how to make nt service stuff work?
|
|
. Document it.
|
|
- Vet all pending installer patches
|
|
- Win32 installer plus privoxy, sockscap/freecap, etc.
|
|
- Vet win32 systray helper code
|
|
|
|
- Improve controller
|
|
- change circuit status events to give more details, like purpose,
|
|
whether they're internal, when they become dirty, when they become
|
|
too dirty for further circuits, etc.
|
|
- What do we want here, exactly?
|
|
- Specify and implement it.
|
|
- Change stream status events analogously.
|
|
- What do we want here, exactly?
|
|
- Specify and implement it.
|
|
- Make other events "better".
|
|
- Change stream status events analogously.
|
|
- What do we want here, exactly?
|
|
- Specify and implement it.
|
|
- Make other events "better" analogously
|
|
- What do we want here, exactly?
|
|
- Specify and implement it.
|
|
. Expose more information via getinfo:
|
|
- import and export rendezvous descriptors
|
|
- Review all static fields for additional candidates
|
|
- Allow EXTENDCIRCUIT to unknown server.
|
|
- We need some way to adjust server status, and to tell tor not to
|
|
download directories/network-status, and a way to force a download.
|
|
- It would be nice to request address lookups from the controller
|
|
without using SOCKS.
|
|
- Make everything work with hidden services
|
|
- Directory system improvements
|
|
- config option to publish what ports you listen on, beyond
|
|
ORPort/DirPort. It should support ranges and bit prefixes (?) too.
|
|
- Parse this.
|
|
- Relay this in networkstatus.
|
|
|
|
Future version:
|
|
. Update the hidden service stuff for the new dir approach.
|
|
- switch to an ascii format, maybe sexpr?
|
|
- authdirservers publish blobs of them.
|
|
- other authdirservers fetch these blobs.
|
|
- hidserv people have the option of not uploading their blobs.
|
|
- you can insert a blob via the controller.
|
|
- and there's some amount of backwards compatibility.
|
|
- teach clients, intro points, and hidservs about auth mechanisms.
|
|
- come up with a few more auth mechanisms.
|
|
- auth mechanisms to let hidden service midpoint and responder filter
|
|
connection requests.
|
|
- Bind to random port when making outgoing connections to Tor servers,
|
|
to reduce remote sniping attacks.
|
|
- Have new people be in limbo and need to demonstrate usefulness
|
|
before we approve them.
|
|
- Clients should estimate their skew as median of skew from servers
|
|
over last N seconds.
|
|
- Make router_is_general_exit() a bit smarter once we're sure what it's for.
|
|
- Audit everything to make sure rend and intro points are just as likely to
|
|
be us as not.
|
|
- Do something to prevent spurious EXTEND cells from making middleman
|
|
nodes connect all over. Rate-limit failed connections, perhaps?
|
|
- Automatically determine what ports are reachable and start using
|
|
those, if circuits aren't working and it's a pattern we recognize
|
|
("port 443 worked once and port 9001 keeps not working").
|
|
- Limit to 2 dir, 2 OR, N SOCKS connections per IP.
|
|
- Handle full buffers without totally borking
|
|
- Rate-limit OR and directory connections overall and per-IP and
|
|
maybe per subnet.
|
|
- Hold-open-until-flushed now works by accident; it should work by
|
|
design.
|
|
- DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
|
|
- Specify?
|
|
- tor-resolve script should use socks5 to get better error messages.
|
|
- hidserv offerers shouldn't need to define a SocksPort
|
|
* figure out what breaks for this, and do it.
|
|
- tor should be able to have a pool of outgoing IP addresses
|
|
that it is able to rotate through. (maybe)
|
|
- let each hidden service (or other thing) specify its own
|
|
OutboundBindAddress?
|
|
- Have a mode that doesn't write to disk much, so we can run Tor on
|
|
flash memory (e.g. Linksys routers).
|
|
|
|
Blue-sky:
|
|
- Patch privoxy and socks protocol to pass strings to the browser.
|
|
- Standby/hotswap/redundant hidden services.
|
|
- Robust decentralized storage for hidden service descriptors.
|
|
- The "China problem"
|
|
- Allow small cells and large cells on the same network?
|
|
- Cell buffering and resending. This will allow us to handle broken
|
|
circuits as long as the endpoints don't break, plus will allow
|
|
connection (tls session key) rotation.
|
|
- Implement Morphmix, so we can compare its behavior, complexity, etc.
|
|
- Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
|
|
link crypto, unless we can bully openssl into it.
|
|
- Need a relay teardown cell, separate from one-way ends.
|
|
(Pending a user who needs this)
|
|
- Handle half-open connections: right now we don't support all TCP
|
|
streams, at least according to the protocol. But we handle all that
|
|
we've seen in the wild.
|
|
(Pending a user who needs this)
|
|
|
|
Non-Coding:
|
|
- Mark up spec; note unclear points about servers
|
|
- Mention controller libs someplace.
|
|
P - flesh out the rest of the section 6 of the faq
|
|
. more pictures from ren. he wants to describe the tor handshake
|
|
NR- write a spec appendix for 'being nice with tor'
|
|
- tor-in-the-media page
|
|
- Remove need for HACKING file.
|
|
- Figure out licenses for website material.
|
|
|
|
Website:
|
|
- and remove home and make the "Tor" picture be the link to home.
|
|
- put the logo on the website, in source form, so people can put it on
|
|
stickers directly, etc.
|
|
R - make a page with the hidden service diagrams.
|
|
|
|
- ask Jan to be the translation coordinator? add to volunteer page.
|
|
o track down the patch for cross-compiling.
|
|
|