mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-12-01 08:03:31 +01:00
5c6c88e76d
- Distinguish v1 authorities (all currently trusted directories) from v2 authorities (all trusted directories). - Add configuration option for which dirs are v1 authories. - Add configuration option for whether to be a v1 authority. - Make trusted dirserver selection functions take options to choose which functionality we need. - Remove option when getting directory cache to see whether they support running-routers; they all do now. Replace it with one to see whether caches support v2 stuff. - Parse, cache, and serve network-status objects properly. - Serve compressed groups of router descriptors. The compression logic here could be more memory-efficient. - svn:r4911
214 lines
8.7 KiB
Plaintext
214 lines
8.7 KiB
Plaintext
$Id$
|
|
Legend:
|
|
SPEC!! - Not specified
|
|
SPEC - Spec not finalized
|
|
NICK - nick claims
|
|
ARMA - arma claims
|
|
PHOBOS - phobos claims
|
|
- Not done
|
|
* Top priority
|
|
. Partially done
|
|
o Done
|
|
D Deferred
|
|
X Abandoned
|
|
|
|
Non-Coding, Soon:
|
|
N - contact umass folks
|
|
N - Mention controller libs someplace.
|
|
D FAQ entry: why gnutls is bad/not good for tor
|
|
P - flesh out the rest of the section 6 of the faq
|
|
P - gather pointers to livecd distros that include tor
|
|
- put the logo on the website, in source form, so people can put it on
|
|
stickers directly, etc.
|
|
- more pictures from ren. he wants to describe the tor handshake, i want to
|
|
talk about hidden services.
|
|
* clean up the places where our docs are redundant (or worse, obsolete in
|
|
one file and correct elsewhere). agl has a start on a global
|
|
list-of-tor-docs.
|
|
P - update windows docs to clarify which versions of windows, and why a
|
|
DOS window, how it's used, for the less technical users
|
|
NR- write a spec appendix for 'being nice with tor'
|
|
- tor-in-the-media page
|
|
- Ask schanzle@cas.homelinux.org about a patch for rpm spec fixes against
|
|
tor-0.1.0.7.rc
|
|
- Remove need for HACKING file.
|
|
|
|
|
|
|
|
for 0.1.1.x:
|
|
R - are dirservers auto-verifying duplicate nicknames?
|
|
|
|
N . Additional controller features
|
|
- Find a way to make event info more extensible
|
|
- change circuit status events to give more details, like purpose,
|
|
whether they're internal, etc.
|
|
. Expose more information via getinfo:
|
|
- import and export rendezvous descriptors
|
|
- Review all static fields for additional candidates
|
|
- Allow EXTENDCIRCUIT to unknown server.
|
|
- We need some way to adjust server status, and to tell tor not to
|
|
download directories/network-status, and a way to force a download.
|
|
- It would be nice to request address lookups from the controller
|
|
without using SOCKS.
|
|
|
|
. Helper nodes
|
|
. More testing and debugging
|
|
- On sighup, if usehelpernodes changed to 1, use new circuits?
|
|
- If your helper nodes are unavailable, don't abandon them unless
|
|
other nodes *are* reachable.
|
|
R - If you think an OR conn is open but you can never establish a circuit
|
|
to it, reconsider whether it's actually open.
|
|
|
|
- Miscellaneous cleanups
|
|
- switch accountingmax to count total in+out, not either in or
|
|
out. it's easy to move in this direction (not risky), but hard to
|
|
back, out if we decide we prefer it the way it already is. hm.
|
|
. Come up with a coherent strategy for bandwidth buckets and TLS. (The
|
|
logic for reading from TLS sockets is likely to overrun the bandwidth
|
|
buckets under heavy load. (Really, the logic was never right in the
|
|
first place.) Also, we should audit all users of get_pending_bytes().)
|
|
- Make it harder to circumvent bandwidth caps: look at number of bytes
|
|
sent across sockets, not number sent inside TLS stream.
|
|
R - remove the warnings from rendezvous stuff that shouldn't be warnings.
|
|
|
|
N . Handle rendezvousing with unverified nodes.
|
|
o Implement everything
|
|
. Enable the new code
|
|
. Verify that new code works.
|
|
|
|
- Christian Grothoff's attack of infinite-length circuit.
|
|
the solution is to have a separate 'extend-data' cell type
|
|
which is used for the first N data cells, and only
|
|
extend-data cells can be extend requests.
|
|
- Specify, including thought about
|
|
- Implement
|
|
|
|
N - Destroy and truncated cells should have reasons.
|
|
N - Add private:* alias in exit policies to make it easier to ban all the
|
|
fiddly little 192.168.foo addresses.
|
|
(AGL had a patch; consider applying it.)
|
|
|
|
N - warn if listening for SOCKS on public IP.
|
|
|
|
- cpu fixes:
|
|
- see if we should make use of truncate to retry
|
|
o hardware accelerator support (configure engines.)
|
|
- hardware accelerator support (use instead of aes.c when reasonable)
|
|
R - kill dns workers more slowly
|
|
|
|
. Directory changes
|
|
o recommended-versions for client / server ?
|
|
- Some back-out mechanism for auto-approval
|
|
- dirservers have blacklist of IPs they hate
|
|
- a way of rolling back approvals to before a timestamp
|
|
- have new people be in limbo and need to demonstrate usefulness
|
|
before we approve them
|
|
- other?
|
|
|
|
R . Dirservers verify reachability claims
|
|
o basic reachability testing, influencing network-status list.
|
|
R - rate-limiting the reporting of trouble servers
|
|
R - check reachability as soon as you hear about a new server
|
|
|
|
- Decentralization
|
|
- Figure out what to do about hidden service descriptors.
|
|
- find 10 dirservers.
|
|
- (what are criteria to be a dirserver?)
|
|
N . Dirservers publish compressed network-status objects.
|
|
- Support retrieving several-at-once
|
|
N . Everyone downloads network-status objects
|
|
- From all directories, round-robin
|
|
o Parse them
|
|
o Cache them, reload on restart
|
|
o Serve cached directories
|
|
o Directories expose individual descriptors
|
|
X By 'if-newer-than' (Does the spec require this??)
|
|
o Support compression.
|
|
N - Alice acts on network-status objects
|
|
- Alice downloads descriptors as needed.
|
|
- Alice sets descriptor status from networks-status
|
|
|
|
- Security
|
|
- Alices avoid duplicate class C nodes.
|
|
- Analyze how bad the partitioning is or isn't.
|
|
|
|
N - Naming:
|
|
- Separate naming from validation in authdirs.
|
|
- Clients choose names based on network-status options.
|
|
- Names are remembered in client status.
|
|
|
|
- packaging and ui stuff:
|
|
. multiple sample torrc files
|
|
- uninstallers
|
|
. for os x
|
|
. something, anything, for sys tray on Windows.
|
|
. figure out how to make nt service stuff work?
|
|
. Document it.
|
|
. Add version number to directory.
|
|
N - Vet all pending installer patches
|
|
- Win32 installer plus privoxy, sockscap/freecap, etc.
|
|
- Vet win32 systray helper code
|
|
|
|
Reach (deferrable) items for 0.1.1.x:
|
|
- Start using create-fast cells as clients
|
|
o Let more config options (e.g. ORPort) change dynamically.
|
|
- start handling server descriptors without a socksport?
|
|
o Add TTLs to DNS-related replies, and use them (where present) to adjust
|
|
addressmap values.
|
|
|
|
. Research memory use on Linux: what's happening?
|
|
- Is it threading? (Maybe, maybe not)
|
|
- Is it the buf_shrink bug? (Quite possibly)
|
|
- Instrument the 0.1.1 code to figure out where our memory is going;
|
|
apply the results. (all platforms?)
|
|
|
|
For 0.1.1.x, if we can figure out how:
|
|
- rewrite how libevent does select() on win32 so it's not so very slow.
|
|
o enclaves (at least preliminary)
|
|
- Write limiting; separate token bucket for write
|
|
- Audit everything to make sure rend and intro points are just as likely to
|
|
be us as not.
|
|
- Do something to prevent spurious EXTEND cells from making middleman
|
|
nodes connect all over. Rate-limit failed connections, perhaps?
|
|
|
|
Future version:
|
|
- Limit to 2 dir, 2 OR, N SOCKS connections per IP.
|
|
- Handle full buffers without totally borking
|
|
- Rate-limit OR and directory connections overall and per-IP and
|
|
maybe per subnet.
|
|
- Hold-open-until-flushed now works by accident; it should work by
|
|
design.
|
|
- DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
|
|
- Specify?
|
|
- tor-resolve script should use socks5 to get better error messages.
|
|
- make min uptime a function of the available choices (say, choose 60th
|
|
percentile, not 1 day.)
|
|
- config option to publish what ports you listen on, beyond ORPort/DirPort
|
|
- hidserv offerers shouldn't need to define a SocksPort
|
|
* figure out what breaks for this, and do it.
|
|
- auth mechanisms to let hidden service midpoint and responder filter
|
|
connection requests.
|
|
- Relax clique assumptions.
|
|
- tor should be able to have a pool of outgoing IP addresses
|
|
that it is able to rotate through. (maybe)
|
|
|
|
Blue-sky:
|
|
- Patch privoxy and socks protocol to pass strings to the browser.
|
|
- Standby/hotswap/redundant hidden services.
|
|
- Robust decentralized storage for hidden service descriptors.
|
|
- The "China problem"
|
|
- Allow small cells and large cells on the same network?
|
|
- Cell buffering and resending. This will allow us to handle broken
|
|
circuits as long as the endpoints don't break, plus will allow
|
|
connection (tls session key) rotation.
|
|
- Implement Morphmix, so we can compare its behavior, complexity, etc.
|
|
- Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
|
|
link crypto, unless we can bully openssl into it.
|
|
- Conn key rotation.
|
|
- Need a relay teardown cell, separate from one-way ends.
|
|
(Pending a user who needs this)
|
|
- Handle half-open connections: right now we don't support all TCP
|
|
streams, at least according to the protocol. But we handle all that
|
|
we've seen in the wild.
|
|
(Pending a user who needs this)
|