mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 12:23:32 +01:00
e631b0a56f
Add SOCKS5 and reverse lookup support to C verseion of tor-resolve svn:r9195
515 lines
24 KiB
Plaintext
515 lines
24 KiB
Plaintext
$Id$
|
|
Legend:
|
|
SPEC!! - Not specified
|
|
SPEC - Spec not finalized
|
|
N - nick claims
|
|
R - arma claims
|
|
P - phobos claims
|
|
- Not done
|
|
* Top priority
|
|
. Partially done
|
|
o Done
|
|
d Deferrable
|
|
D Deferred
|
|
X Abandoned
|
|
|
|
X <nickm> "Let's try to find a way to make it run and make the version
|
|
match, but if not, let's just make it run."
|
|
X <arma> "should we detect if we have a --with-ssl-dir and try the -R
|
|
by default, if it works?"
|
|
|
|
Items for 0.1.2.x, real soon now:
|
|
? - Bug: combination of things:
|
|
When we've been idle a long time, we stop fetching server
|
|
descriptors. When we then get a socks request, we build circuits
|
|
immediately using whatever descriptors we have, rather than waiting
|
|
until we've fetched correct ones.
|
|
|
|
N - Test guard unreachable logic; make sure that we actually attempt to
|
|
connect to guards that we think are unreachable from time to time.
|
|
Make sure that we don't freak out when the network is down.
|
|
o Stop recommending exits as guards?
|
|
look at the overall fraction of exits in the network. if the
|
|
fraction is too small, none of them get to be guards.
|
|
|
|
R - Reconstruct ChangeLog; put rolled-up info in ReleaseNotes or something.
|
|
|
|
Items for 0.1.2.x:
|
|
- enumerate events of important things that occur in tor, so vidalia can
|
|
react.
|
|
o Backend implementation
|
|
R - Actually list all the events (notice and warn log messages are a good
|
|
place to look.) Divide messages into categories, perhaps.
|
|
R - Specify general event system
|
|
R - Specify actual events.
|
|
R - and implement the rest
|
|
|
|
. Have (and document) a BEGIN_DIR relay cell that means "Connect to your
|
|
directory port."
|
|
o Specify
|
|
o Implement
|
|
o Use for something, so we can be sure it works.
|
|
o Test and debug
|
|
R - turn the received socks addr:port into a digest for setting .exit
|
|
- be able to connect without having a server descriptor, to bootstrap.
|
|
R - handle connect-dir streams that don't have a chosen_exit_name set.
|
|
o include ORPort in DirServers lines so we can know where to connect.
|
|
list the orport as 0 if it can't handle begin_dir.
|
|
o List versions in status page
|
|
o A new line in the status entry. "Tor 0.1.2.2-alpha". If it's
|
|
a version, treat it like one. If it's something else, assume
|
|
it's at least 0.1.2.x.
|
|
D maybe we could have it be a new 'v' line in the status, with
|
|
key=value syntax. so we could have a 'tor' version, but we
|
|
could also have a 'conn' version, a 'dir' version, etc down
|
|
the road. and one day maybe the 'tor' key would be deprecated.
|
|
o Give the right answer for X-Your-Address-Is on tunneled directory
|
|
connections.
|
|
|
|
o Document .noconnect addresses...
|
|
A new file 'address-spec.txt' that describes .exit, .onion,
|
|
.noconnect, etc?
|
|
|
|
- Servers are easy to setup and run: being a relay is about as easy as
|
|
being a client.
|
|
. Reduce resource load
|
|
o A way to alert controller when router flags change.
|
|
o Specify: SETEVENTS NS
|
|
o Implement
|
|
R - Hunt for places that change networkstatus info that I might have
|
|
missed.
|
|
R . option to dl directory info via tor
|
|
o Make an option like __AllDirActionsPrivate that falls back to
|
|
non-Tor DL when not enough info present. (TunnelDirConns).
|
|
- Set default to 0 before release candidate.
|
|
- Think harder about whether TunnelDirConns should be on
|
|
by default.
|
|
- Handle case where we have no descriptors and so don't know who can
|
|
handle BEGIN_DIR.
|
|
|
|
N - DNS improvements
|
|
o Don't ask reject *:* nodes for DNS unless client wants you to.
|
|
. Asynchronous DNS
|
|
- Make evdns use windows strerror equivalents.
|
|
- Make sure patches get into libevent.
|
|
- Verify that it works well on windows
|
|
o Make reverse DNS work.
|
|
o Add client-side interface
|
|
o SOCKS interface: specify
|
|
o SOCKS interface: implement
|
|
o Cache answers client-side
|
|
o Add to Tor-resolve.py
|
|
o Add to tor-resolve
|
|
d - Be a DNS proxy.
|
|
o Check for invalid characters in hostnames before trying to resolve
|
|
them. (This will help catch attempts do to mean things to our DNS
|
|
server, and bad software that tries to do DNS lookups on whole URLs.)
|
|
o address_is_invalid_destination() is the right thing to call here
|
|
(and feel free to make that function smarter)
|
|
o add a config option to turn it off.
|
|
- and a man page for that option
|
|
- Bug 364: notice when all the DNS requests we get back (including a few
|
|
well-known sites) are all going to the same place.
|
|
o Bug 363: Warn and die if we can't find a nameserver and we're running a
|
|
server; don't fall back to 127.0.0.1.
|
|
? - maybe re-check dns when we change IP addresses, rather than
|
|
every 12 hours?
|
|
- Bug 326: Give fewer error messages from nameservers.
|
|
- Only warn when _all_ nameservers are down; otherwise info.
|
|
- Increase timeout; what's industry standard?
|
|
- Alternatively, raise timeout when nameserver dies but comes back
|
|
quickly?
|
|
- Don't believe that our sole nameserver is dead? or, not until more
|
|
failures than it would take to think one of several nameservers was
|
|
dead?
|
|
- Possibly, don't warn until second retry of a nameserver gets no
|
|
answer?
|
|
- warn if all of your nameservers go down and stay down for like
|
|
5 minutes.
|
|
R o Take out the '5 second' timeout from the socks detach schedule.
|
|
|
|
- Performance improvements
|
|
|
|
- Critical but minor bugs, backport candidates.
|
|
- support dir 503s better
|
|
o clients don't log as loudly when they receive them
|
|
o they don't count toward the 3-strikes rule
|
|
D But eventually, we give up after getting a lot of 503s.
|
|
N - Delay when we get a lot of 503s, rather than punting onto the
|
|
servers that have given us 503s?
|
|
o split "router is down" from "dirport shouldn't be tried for a while"?
|
|
We want a field to hold "when did we last get a 503 from this
|
|
directory server." Probably, it should go in local_routerstatus_t,
|
|
not in routerinfo_t, since we can try to use servers as directories
|
|
before we have their descriptors. Possibly, it should also go in
|
|
trusted_dir_server_t.
|
|
o Add a last_dir_503_at field.
|
|
o Have it get updated correctly.
|
|
o Prefer to use directories that haven't given us a 503 for the last
|
|
60 minutes.
|
|
- authorities should *never* 503 a cache, and should never 503
|
|
network status requests. They can 503 client descriptor requests
|
|
when they feel like it.
|
|
- update dir-spec with what we decided for each of these
|
|
|
|
|
|
o Have a mode that doesn't write to disk much, so we can run Tor on
|
|
flash memory (e.g. Linksys routers or USB keys).
|
|
o Add AvoidDiskWrites config option.
|
|
o only write state file when it's "changed"
|
|
o crank up the numbers if avoiddiskwrites is on.
|
|
D some things may not want to get written at all.
|
|
o stop writing fingerprint every restart
|
|
D more?
|
|
|
|
NR. Write path-spec.txt
|
|
|
|
- Packaging
|
|
- Tell people about OSX Uninstaller
|
|
- Quietly document NT Service options
|
|
- Switch canonical win32 compiler to mingw.
|
|
NR D Get some kind of "meta signing key" to be used solely to sign
|
|
releases/to certify releases when signed by the right people/
|
|
to certify sign the right people's keys? Also use this to cert the SSL
|
|
key, etc.
|
|
- If we haven't replaced privoxy, lock down its configuration in all
|
|
packages, as documented in tor-doc-unix.html
|
|
o script to look at config.c, torrc.sample, tor.1.in, to tell us
|
|
what's missing in which and notice which descriptions are missing.
|
|
|
|
- Docs
|
|
- More prominently, we should have a recommended apps list.
|
|
- recommend gaim.
|
|
- unrecommend IE because of ftp:// bug.
|
|
- torrc.complete.in needs attention?
|
|
- we should add a preamble to tor-design saying it's out of date.
|
|
- Document transport and natdport
|
|
|
|
- Improvements to bandwidth counting
|
|
R - look into "uncounting" bytes spent on local connections, so
|
|
we can bandwidthrate but still have fast downloads.
|
|
R - "bandwidth classes", for incoming vs initiated-here conns,
|
|
and to give dir conns lower priority.
|
|
. Write limiting; separate token bucket for write
|
|
o preemptively give a 503 to some v1 dir requests
|
|
- preemptively give a 503 to some v2 dir requests
|
|
- per-conn write buckets
|
|
- separate config options for read vs write limiting
|
|
|
|
- Forward compatibility fixes
|
|
o Stop requiring "opt" to ignore options in descriptors, networkstatuses,
|
|
and so on.
|
|
- Caches should start trying to cache consensus docs?
|
|
- Start uploading short and long descriptors; authorities should support
|
|
URLs to retrieve long descriptors, and should discard short descriptors
|
|
for now. Later, once tools use the "long descriptor" URLs, authorities
|
|
will serve the short descriptors every time they're asked for
|
|
a descriptor.
|
|
|
|
Topics to think about during 0.1.2.x development:
|
|
* Figure out incentives.
|
|
- (How can we make this tolerant of a bad v0?)
|
|
* Figure out non-clique.
|
|
* Figure out China.
|
|
- Figure out partial network knowledge.
|
|
- Figure out hidden services.
|
|
- Design next-version protocol for directories
|
|
- Design next-version protocol for connections
|
|
|
|
For blocking-resistance scheme:
|
|
o allow ordinary-looking ssl for dir connections. need a new dirport
|
|
for this, or can we handle both ssl and non-ssl, or should we
|
|
entirely switch to ssl in certain cases?
|
|
D need to figure out how to fetch status of a few servers from the BDA
|
|
without fetching all statuses. A new URL to fetch I presume?
|
|
|
|
Deferred from 0.1.2.x:
|
|
P - Figure out why dll's compiled in mingw don't work right in WinXP.
|
|
P - Figure out why openssl 0.9.8d "make test" fails at sha256t test.
|
|
- Directory guards
|
|
- RAM use in directory authorities.
|
|
- Memory use improvements:
|
|
- Look into pulling serverdescs off buffers as they arrive.
|
|
- Save and mmap v1 directories, and networkstatus docs; store them
|
|
zipped, not uncompressed.
|
|
- Switch cached_router_t to use mmap.
|
|
- What to do about reference counts on windows? (On Unix, this is
|
|
easy: unlink works fine. (Right?) On Windows, I have doubts. Do we
|
|
need to keep multiple files?)
|
|
- What do we do about the fact that people can't read zlib-
|
|
compressed files manually?
|
|
|
|
- Refactor DNS resolve implementation
|
|
- Refactor exit side of resolve: do we need a connection_t?
|
|
- Refactor entry side of resolve: do we need a connection_t?
|
|
|
|
- If the client's clock is too far in the past, it will drop (or
|
|
just not try to get) descriptors, so it'll never build circuits.
|
|
- Tolerate clock skew on bridge relays.
|
|
|
|
- A more efficient dir protocol.
|
|
- Authorities should fetch the network-statuses amongst each
|
|
other, consensus them, and advertise a communal network-status.
|
|
This is not so much for safety/complexity as it is to reduce
|
|
bandwidth requirements for Alice.
|
|
- How does this interact with our goal of being able to choose
|
|
your own dir authorities? I guess we're now assuming that all
|
|
dir authorities know all the other authorities in their "group"?
|
|
- Should we also look into a "delta since last network-status
|
|
checkpoint" scheme, to reduce overhead further?
|
|
- Extend the "r" line in network-status to give a set of buckets (say,
|
|
comma-separated) for that router.
|
|
- Buckets are deterministic based on IP address.
|
|
- Then clients can choose a bucket (or set of buckets) to
|
|
download and use.
|
|
|
|
- Improvements to versioning.
|
|
- When we connect to a Tor server, it sends back a cell listing
|
|
the IP it believes it is using. Use this to block dvorak's attack.
|
|
Also, this is a fine time to say what time you think it is.
|
|
o Verify that a new cell type is okay with deployed codebase
|
|
. Specify HELLO cells
|
|
. Figure out v0 compatibility.
|
|
- Implement
|
|
|
|
- Eventdns improvements
|
|
- Have a way to query for AAAA and A records simultaneously.
|
|
- Improve request API: At the very least, add the ability to construct
|
|
a more-or-less arbitrary request and get a response.
|
|
- (Can we suppress cnames? Should we?)
|
|
|
|
- Now that we're avoiding exits when picking non-exit positions,
|
|
we need to consider how to pick nodes for internal circuits. If
|
|
we avoid exits for all positions, we skew the load balancing. If
|
|
we accept exits for all positions, we leak whether it's an internal
|
|
circuit at every step. If we accept exits only at the last hop, we
|
|
reintroduce Lasse's attacks from the Oakland paper.
|
|
|
|
- We should ship with a list of stable dir mirrors -- they're not
|
|
trusted like the authorities, but they'll provide more robustness
|
|
and diversity for bootstrapping clients.
|
|
|
|
- Simplify authority operation
|
|
- Follow weasel's proposal, crossed with mixminion dir config format
|
|
|
|
- A way to adjust router flags from the controller.
|
|
(How do we prevent the authority from clobbering them soon after?)
|
|
- a way to pick entry guards based wholly on extend_info equivalent;
|
|
a way to export extend_info equivalent.
|
|
|
|
- Count TLS bandwidth more accurately
|
|
|
|
- Better estimates in the directory of whether servers have good uptime
|
|
(high expected time to failure) or good guard qualities (high
|
|
fractional uptime).
|
|
- AKA Track uptime as %-of-time-up, as well as time-since-last-down
|
|
|
|
- Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
|
|
- spec
|
|
- implement
|
|
|
|
- Failed rend desc fetches sometimes don't get retried. True/false?
|
|
|
|
- Windows server usability
|
|
- Solve the ENOBUFS problem.
|
|
- make tor's use of openssl operate on buffers rather than sockets,
|
|
so we can make use of libevent's buffer paradigm once it has one.
|
|
- make tor's use of libevent tolerate either the socket or the
|
|
buffer paradigm; includes unifying the functions in connect.c.
|
|
- We need a getrlimit equivalent on Windows so we can reserve some
|
|
file descriptors for saving files, etc. Otherwise we'll trigger
|
|
asserts when we're out of file descriptors and crash.
|
|
M - rewrite how libevent does select() on win32 so it's not so very slow.
|
|
- Add overlapped IO
|
|
|
|
- Add an option (related to AvoidDiskWrites) to disable directory caching.
|
|
|
|
Minor items for 0.1.2.x as time permits:
|
|
R - add d64 and fp64 along-side d and fp so people can paste status
|
|
entries into a url. since + is a valid base64 char, only allow one
|
|
at a time. spec and then do.
|
|
D don't do dns hijacking tests if we're reject *:* exit policy?
|
|
(deferred until 0.1.1.x is less common)
|
|
- When we export something from foo.c file for testing purposes only,
|
|
make a foo_test.h file for test.c to include.
|
|
- The Debian package now uses --verify-config when (re)starting,
|
|
to distinguish configuration errors from other errors. Perhaps
|
|
the RPM and other startup scripts should too?
|
|
- add a "default.action" file to the tor/vidalia bundle so we can fix the
|
|
https thing in the default configuration:
|
|
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort
|
|
o even if your torrc lists yourself in your myfamily line, don't list it in
|
|
the descriptor.
|
|
. Flesh out options_description array in src/or/config.c
|
|
- Don't let 'newnym' be triggered more often than every n seconds.
|
|
o change log_fn() to log() on notice/warn/err logs where we can.
|
|
X If we try to publish as a nickname that's already claimed, should
|
|
we append a number (or increment the number) and try again? This
|
|
way people who read their logs can fix it as before, but people
|
|
who don't read their logs will still offer Tor servers.
|
|
- Fall back to unnamed; warn user; send controller event. ("When we
|
|
notice a 'Rejected: There is already a named server with this nickname'
|
|
message... or maybe instead when we see in the networkstatuses that
|
|
somebody else is Named with the name we want: warn the user, send a
|
|
STATUS_SERVER message, and fall back to unnamed.")
|
|
! - Tor should bind its ports before dropping privs, so users don't
|
|
have to do the ipchains dance.
|
|
- Rate limit exit connections to a given destination -- this helps
|
|
us play nice with websites when Tor users want to crawl them; it
|
|
also introduces DoS opportunities.
|
|
o The bw_accounting file should get merged into the state file.
|
|
- Streamline how we pick entry nodes: Make choose_random_entry() have
|
|
less magic and less control logic.
|
|
- Christian Grothoff's attack of infinite-length circuit.
|
|
the solution is to have a separate 'extend-data' cell type
|
|
which is used for the first N data cells, and only
|
|
extend-data cells can be extend requests.
|
|
- Specify, including thought about anonymity implications.
|
|
- Display the reasons in 'destroy' and 'truncated' cells under some
|
|
circumstances?
|
|
- We need a way for the authorities to declare that nodes are
|
|
in a family. Also, it kinda sucks that family declarations use O(N^2)
|
|
space in the descriptors.
|
|
- If the server is spewing complaints about raising your ulimit -n,
|
|
we should add a note about this to the server descriptor so other
|
|
people can notice too.
|
|
- cpu fixes:
|
|
- see if we should make use of truncate to retry
|
|
X kill dns workers more slowly
|
|
. Directory changes
|
|
. Some back-out mechanism for auto-approval
|
|
- a way of rolling back approvals to before a timestamp
|
|
- Consider minion-like fingerprint file/log combination.
|
|
- packaging and ui stuff:
|
|
. multiple sample torrc files
|
|
. figure out how to make nt service stuff work?
|
|
. Document it.
|
|
- Vet all pending installer patches
|
|
- Win32 installer plus privoxy, sockscap/freecap, etc.
|
|
- Vet win32 systray helper code
|
|
|
|
- Improve controller
|
|
- a NEWSTATUS event similar to NEWDESC.
|
|
- change circuit status events to give more details, like purpose,
|
|
whether they're internal, when they become dirty, when they become
|
|
too dirty for further circuits, etc.
|
|
- What do we want here, exactly?
|
|
- Specify and implement it.
|
|
- Change stream status events analogously.
|
|
- What do we want here, exactly?
|
|
- Specify and implement it.
|
|
- Make other events "better".
|
|
- Change stream status events analogously.
|
|
- What do we want here, exactly?
|
|
- Specify and implement it.
|
|
- Make other events "better" analogously
|
|
- What do we want here, exactly?
|
|
- Specify and implement it.
|
|
. Expose more information via getinfo:
|
|
- import and export rendezvous descriptors
|
|
- Review all static fields for additional candidates
|
|
- Allow EXTENDCIRCUIT to unknown server.
|
|
- We need some way to adjust server status, and to tell tor not to
|
|
download directories/network-status, and a way to force a download.
|
|
- It would be nice to request address lookups from the controller
|
|
without using SOCKS.
|
|
- Make everything work with hidden services
|
|
- Directory system improvements
|
|
- config option to publish what ports you listen on, beyond
|
|
ORPort/DirPort. It should support ranges and bit prefixes (?) too.
|
|
- Parse this.
|
|
- Relay this in networkstatus.
|
|
|
|
Future version:
|
|
- Configuration format really wants sections.
|
|
- Good RBL substitute.
|
|
- Authorities should try using exits for http to connect to some URLS
|
|
(specified in a configuration file, so as not to make the List Of Things
|
|
Not To Censor completely obvious) and ask them for results. Exits that
|
|
don't give good answers should have the BadExit flag set.
|
|
- Our current approach to block attempts to use Tor as a single-hop proxy
|
|
is pretty lame; we should get a better one.
|
|
. Update the hidden service stuff for the new dir approach.
|
|
- switch to an ascii format, maybe sexpr?
|
|
- authdirservers publish blobs of them.
|
|
- other authdirservers fetch these blobs.
|
|
- hidserv people have the option of not uploading their blobs.
|
|
- you can insert a blob via the controller.
|
|
- and there's some amount of backwards compatibility.
|
|
- teach clients, intro points, and hidservs about auth mechanisms.
|
|
- come up with a few more auth mechanisms.
|
|
- auth mechanisms to let hidden service midpoint and responder filter
|
|
connection requests.
|
|
- Bind to random port when making outgoing connections to Tor servers,
|
|
to reduce remote sniping attacks.
|
|
- Have new people be in limbo and need to demonstrate usefulness
|
|
before we approve them.
|
|
- Clients should estimate their skew as median of skew from servers
|
|
over last N seconds.
|
|
- Make router_is_general_exit() a bit smarter once we're sure what it's for.
|
|
- Audit everything to make sure rend and intro points are just as likely to
|
|
be us as not.
|
|
- Do something to prevent spurious EXTEND cells from making middleman
|
|
nodes connect all over. Rate-limit failed connections, perhaps?
|
|
- Automatically determine what ports are reachable and start using
|
|
those, if circuits aren't working and it's a pattern we recognize
|
|
("port 443 worked once and port 9001 keeps not working").
|
|
- Limit to 2 dir, 2 OR, N SOCKS connections per IP.
|
|
- Handle full buffers without totally borking
|
|
- Rate-limit OR and directory connections overall and per-IP and
|
|
maybe per subnet.
|
|
- Hold-open-until-flushed now works by accident; it should work by
|
|
design.
|
|
- DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
|
|
- Specify?
|
|
- tor-resolve script should use socks5 to get better error messages.
|
|
- hidserv offerers shouldn't need to define a SocksPort
|
|
* figure out what breaks for this, and do it.
|
|
- tor should be able to have a pool of outgoing IP addresses
|
|
that it is able to rotate through. (maybe)
|
|
- Specify; implement.
|
|
- let each hidden service (or other thing) specify its own
|
|
OutboundBindAddress?
|
|
- Stop using tor_socketpair to make connection bridges: do an
|
|
implementation that uses buffers only.
|
|
|
|
Blue-sky:
|
|
- Patch privoxy and socks protocol to pass strings to the browser.
|
|
- Standby/hotswap/redundant hidden services.
|
|
- Robust decentralized storage for hidden service descriptors.
|
|
- The "China problem"
|
|
- Allow small cells and large cells on the same network?
|
|
- Cell buffering and resending. This will allow us to handle broken
|
|
circuits as long as the endpoints don't break, plus will allow
|
|
connection (tls session key) rotation.
|
|
- Implement Morphmix, so we can compare its behavior, complexity, etc.
|
|
- Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
|
|
link crypto, unless we can bully openssl into it.
|
|
- Need a relay teardown cell, separate from one-way ends.
|
|
(Pending a user who needs this)
|
|
- Handle half-open connections: right now we don't support all TCP
|
|
streams, at least according to the protocol. But we handle all that
|
|
we've seen in the wild.
|
|
(Pending a user who needs this)
|
|
|
|
Non-Coding:
|
|
- Mark up spec; note unclear points about servers
|
|
- Mention controller libs someplace.
|
|
. more pictures from ren. he wants to describe the tor handshake
|
|
NR- write a spec appendix for 'being nice with tor'
|
|
- tor-in-the-media page
|
|
- Remove need for HACKING file.
|
|
- Figure out licenses for website material.
|
|
- Specify the keys and key rotation schedules and stuff
|
|
|
|
Website:
|
|
- and remove home and make the "Tor" picture be the link to home.
|
|
- put the logo on the website, in source form, so people can put it on
|
|
stickers directly, etc.
|
|
R - make a page with the hidden service diagrams.
|
|
|
|
- ask Jan to be the translation coordinator? add to volunteer page.
|
|
|
|
- add a page for localizing all tor's components.
|
|
|