mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
ece9865020
svn:r5659
341 lines
15 KiB
Plaintext
341 lines
15 KiB
Plaintext
$Id$
|
|
Legend:
|
|
SPEC!! - Not specified
|
|
SPEC - Spec not finalized
|
|
N - nick claims
|
|
R - arma claims
|
|
P - phobos claims
|
|
- Not done
|
|
* Top priority
|
|
. Partially done
|
|
o Done
|
|
D Deferred
|
|
X Abandoned
|
|
|
|
Non-Coding, Soon:
|
|
N - Mark up spec; note unclear points about servers
|
|
N - Mention controller libs someplace.
|
|
D FAQ entry: why gnutls is bad/not good for tor
|
|
P - flesh out the rest of the section 6 of the faq
|
|
P - gather pointers to livecd distros that include tor
|
|
R . more pictures from ren. he wants to describe the tor handshake, i want to
|
|
talk about hidden services.
|
|
NR- write a spec appendix for 'being nice with tor'
|
|
- tor-in-the-media page
|
|
- Remove need for HACKING file.
|
|
|
|
Website:
|
|
- we need to merge documentation and support
|
|
- and pare it down
|
|
- and merge developers into documentation too
|
|
- or at least, remove developers from the title bar
|
|
- and remove home and make the "Tor" picture be the link to home.
|
|
- put the logo on the website, in source form, so people can put it on
|
|
stickers directly, etc.
|
|
|
|
for 0.1.1.x:
|
|
N - if they're trying to be a tor server and they're running
|
|
win 98 or win me, give them a message talking about The Bug.
|
|
|
|
. Helper nodes
|
|
. More testing and debugging
|
|
R - If your helper nodes are unavailable, don't abandon them unless
|
|
other nodes *are* reachable.
|
|
|
|
N - Destroy and truncated cells should have reasons.
|
|
- Specify
|
|
- Implement
|
|
|
|
N . Only use a routerdesc if you recognize its hash.
|
|
o (Must defer till dirservers are upgraded to latest code, which
|
|
actually generates these hashes.)
|
|
. Of course, authdirservers must not do this.
|
|
o If we have a routerdesc for Bob, and he says, "I'm 0.1.0.x", don't
|
|
fetch a new one if it was published in the last 2 hours.
|
|
X Don't, actually. This is the authorities' job to straighten out.
|
|
o Do not ask for any routers until we have 2 networkstatuses.
|
|
. Client side:
|
|
o Keep a record of which hash is most desirable for each router inside
|
|
local_routerstatus_t.
|
|
o If any hash is listed by two or more networkstatuses, the most
|
|
recent such hash is most desirable.
|
|
o Otherwise, the most recent is desirable.
|
|
o Once we've accepted a router, it's okay.
|
|
o Do not accept a router that no networkstatus lists. (This should maybe
|
|
get stricter.)
|
|
o Download by descriptor digest.
|
|
o Reset failure count to zero when hash changes.
|
|
. Test
|
|
- Do we want to rate-limit downloads of each identity?
|
|
. Mirrors and authorities:
|
|
o Every time we hear a new networkstatus, we want every hash it lists.
|
|
o Make sure that we are always willing to keep at least N routerinfos
|
|
per router, where N = number of authorities.
|
|
o Do whatever else is needed to be sure that we don't request
|
|
hashes that would be immediately discarded, or discard hashes
|
|
that would be immediately re-requested.
|
|
o Only fetch routerinfo from an authority that mentions is.
|
|
o Only ask each authority once.
|
|
o Retry soon after failure.
|
|
o We need one bit per routerstatus for "should we download from
|
|
this guy."
|
|
- Verify that we are actually storing retained old descriptors to our
|
|
cache.
|
|
- Test.
|
|
- Non-directories don't need to keep descriptors in memory.
|
|
|
|
N - Should router info have a pointer to routerstatus?
|
|
- We should at least do something about the duplicated fields.
|
|
|
|
R - Christian Grothoff's attack of infinite-length circuit.
|
|
the solution is to have a separate 'extend-data' cell type
|
|
which is used for the first N data cells, and only
|
|
extend-data cells can be extend requests.
|
|
- Specify, including thought about
|
|
- Implement
|
|
|
|
R - When we connect to a Tor server, it sends back a signed cell listing
|
|
the IP it believes it is using. Use this to block dvorak's attack.
|
|
Also, this is a fine time to say what time you think it is.
|
|
- Verify that a new cell type is okay with deployed codebase
|
|
- Specify
|
|
- Implement
|
|
|
|
R - clients prefer to avoid exit nodes for non-exit path positions.
|
|
|
|
- find 10 dirservers.
|
|
- What are criteria to be a dirserver? Write a policy.
|
|
|
|
|
|
|
|
Deferred from 0.1.1.x:
|
|
|
|
- Automatically determine what ports are reachable and start using
|
|
those, if circuits aren't working and it's a pattern we recognize
|
|
("port 443 worked once and port 9001 keeps not working").
|
|
|
|
N . Additional controller features
|
|
o Find a way to make event info more extensible
|
|
- change circuit status events to give more details, like purpose,
|
|
whether they're internal, when they become dirty, when they become
|
|
too dirty for further circuits, etc.
|
|
R - What do we want here, exactly?
|
|
N - Specify and implement it.
|
|
- Change stream status events analogously.
|
|
R - What do we want here, exactly?
|
|
N - Specify and implement it.
|
|
- Make other events "better".
|
|
- Change stream status events analogously.
|
|
R - What do we want here, exactly?
|
|
N - Specify and implement it.
|
|
- Make other events "better" analogously
|
|
R - What do we want here, exactly?
|
|
N - Specify and implement it.
|
|
. Expose more information via getinfo:
|
|
- import and export rendezvous descriptors
|
|
- Review all static fields for additional candidates
|
|
- Allow EXTENDCIRCUIT to unknown server.
|
|
- We need some way to adjust server status, and to tell tor not to
|
|
download directories/network-status, and a way to force a download.
|
|
- It would be nice to request address lookups from the controller
|
|
without using SOCKS.
|
|
- Make everything work with hidden services
|
|
|
|
X switch accountingmax to count total in+out, not either in or
|
|
out. it's easy to move in this direction (not risky), but hard to
|
|
back out if we decide we prefer it the way it already is. hm.
|
|
|
|
- cpu fixes:
|
|
- see if we should make use of truncate to retry
|
|
o hardware accelerator support (configure engines.)
|
|
o hardware accelerator support (use instead of aes.c when reasonable)
|
|
- Benchmark this somehow to see whether using EVP_foo is slower in the
|
|
non-engine case than AES_foo. If so, check for AES engine and fall
|
|
back to AES_foo when it's not found.
|
|
R - kill dns workers more slowly
|
|
|
|
. Directory changes
|
|
o recommended-versions for client / server ?
|
|
. Some back-out mechanism for auto-approval
|
|
o dirservers have blacklist of IPs and keys they hate
|
|
- a way of rolling back approvals to before a timestamp
|
|
- Consider minion-like fingerprint file/log combination.
|
|
|
|
- Decentralization
|
|
o Dirservers publish compressed network-status objects.
|
|
o Support retrieving several-at-once
|
|
o Everyone downloads network-status objects
|
|
o Clients: from all directories, round-robin
|
|
o Basic implementation: disable until 0.1.1.x is out.
|
|
o On failure, mark trusted_dir_server as having failed
|
|
o Retry, up to a point.
|
|
X Launch retry immediately on failure.
|
|
o Parse them
|
|
o Cache them, reload on restart
|
|
o Serve cached directories
|
|
o Directories expose individual descriptors
|
|
X By 'if-newer-than' (Does the spec require this??)
|
|
o Support compression.
|
|
o Alice acts on network-status objects
|
|
o Alice downloads descriptors as needed.
|
|
o Figure out what's needed
|
|
o Store it
|
|
o Implement store
|
|
o Implement reload-from-store
|
|
o Store downloaded descriptors
|
|
o Download it
|
|
o As-needed if we have 2 network-status objs.
|
|
o Download "all" if we have less than 2 network-status objs.
|
|
(This has vulnerabilities if we're not careful)
|
|
o Call directory_has_arrived as needed; rename it.
|
|
o Set has_fetched_directory properly.
|
|
o Retry descriptors on failure
|
|
o Give up after a while.
|
|
- But try again after a long while (???)
|
|
o Check software versions according to some sane plan.
|
|
- Warn again after 24 hours.
|
|
o Alice sets descriptor status from network-status
|
|
o Implement
|
|
o Use
|
|
o Routerdesc download changes
|
|
o Refactor combined-status to be its own type.
|
|
o Change rule from "do not launch new connections when one exists" to
|
|
"do not request any fingerprint that we're currently requesting."
|
|
o Launch connections every minute, or whenever a download fails
|
|
o Retry failed routerdescs after 0, 1, 5, 10 minutes.
|
|
o Mirrors retry harder and more often. (0, 0, 1, 1, 2, 5, and 15)
|
|
o Reset failure count every 60 minutes
|
|
o Drop fallback to download-all. Also, always split download.
|
|
o Use has_fetched_directory sanely, whatever that means.
|
|
o Downgrade new directory events from notice to info
|
|
o Call dirport_is_reachable from somewhere else.
|
|
o Networkstatus should list who's an authority.
|
|
o Add nickname element to dirserver line. Log this along with IP:Port.
|
|
o Warn when using non-default directory servers.
|
|
o When giving up on a non-finished dir request, log how many bytes
|
|
dropped, to see whether it's worthwhile to use partial info.
|
|
|
|
- config option to publish what ports you listen on, beyond
|
|
ORPort/DirPort. It should support ranges and bit prefixes (?) too.
|
|
- Parse this.
|
|
- Relay this in networkstatus.
|
|
|
|
X Make authorities rate-limit logging their complaints about given
|
|
servers?
|
|
o All versions of Tor should get cosmetic changes rate-limited.
|
|
o Pick directories from networkstatus objects, not from routerlist.
|
|
o But! We can't do this easily, since we want to know about platform,
|
|
and networkstatus doesn't tell us Tor version. Can we solve this?
|
|
Should we do it by adding flags to networkstatus or what?
|
|
|
|
- packaging and ui stuff:
|
|
. multiple sample torrc files
|
|
- uninstallers
|
|
. for os x
|
|
. figure out how to make nt service stuff work?
|
|
. Document it.
|
|
. Add version number to directory.
|
|
N - Vet all pending installer patches
|
|
- Win32 installer plus privoxy, sockscap/freecap, etc.
|
|
- Vet win32 systray helper code
|
|
|
|
- document:
|
|
- torcp needs more attention in the tor-doc-win32.
|
|
- recommend gaim.
|
|
- unrecommend IE because of ftp:// bug.
|
|
- torrc.complete.in needs attention?
|
|
|
|
o Dump "ports" from routerparse?
|
|
|
|
o Let more config options (e.g. ORPort) change dynamically.
|
|
o Add TTLs to DNS-related replies, and use them (when present) to adjust
|
|
addressmap values.
|
|
- Bind to random port when making outgoing connections to Tor servers,
|
|
to reduce remote sniping attacks.
|
|
- Have new people be in limbo and need to demonstrate usefulness
|
|
before we approve them.
|
|
- Clients should estimate their skew as median of skew from servers
|
|
over last N seconds.
|
|
- Security
|
|
- Alices avoid duplicate class C nodes.
|
|
- Analyze how bad the partitioning is or isn't.
|
|
|
|
. Update the hidden service stuff for the new dir approach.
|
|
- switch to an ascii format, maybe sexpr?
|
|
- authdirservers publish blobs of them.
|
|
- other authdirservers fetch these blobs.
|
|
- hidserv people have the option of not uploading their blobs.
|
|
- you can insert a blob via the controller.
|
|
- and there's some amount of backwards compatibility.
|
|
- teach clients, intro points, and hidservs about auth mechanisms.
|
|
- come up with a few more auth mechanisms.
|
|
|
|
. Come up with a coherent strategy for bandwidth buckets and TLS. (The
|
|
logic for reading from TLS sockets is likely to overrun the bandwidth
|
|
buckets under heavy load. (Really, the logic was never right in the
|
|
first place.) Also, we should audit all users of get_pending_bytes().)
|
|
- Make it harder to circumvent bandwidth caps: look at number of bytes
|
|
sent across sockets, not number sent inside TLS stream.
|
|
|
|
o Research memory use on Linux: what's happening?
|
|
X Is it threading? (Maybe, maybe not)
|
|
X Is it the buf_shrink bug? (Quite possibly)
|
|
o Instrument the 0.1.1 code to figure out where our memory is going;
|
|
apply the results. (all platforms?)
|
|
|
|
- Make router_is_general_exit() a bit smarter once we're sure what it's for.
|
|
|
|
- Directory "helper".
|
|
|
|
- rewrite how libevent does select() on win32 so it's not so very slow.
|
|
o enclaves (at least preliminary)
|
|
- Write limiting; separate token bucket for write
|
|
- Audit everything to make sure rend and intro points are just as likely to
|
|
be us as not.
|
|
- Do something to prevent spurious EXTEND cells from making middleman
|
|
nodes connect all over. Rate-limit failed connections, perhaps?
|
|
|
|
Future version:
|
|
- Limit to 2 dir, 2 OR, N SOCKS connections per IP.
|
|
- Handle full buffers without totally borking
|
|
- Rate-limit OR and directory connections overall and per-IP and
|
|
maybe per subnet.
|
|
- Hold-open-until-flushed now works by accident; it should work by
|
|
design.
|
|
- DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
|
|
- Specify?
|
|
- tor-resolve script should use socks5 to get better error messages.
|
|
- make min uptime a function of the available choices (say, choose 60th
|
|
percentile, not 1 day.)
|
|
- Track uptime as %-of-time-up, as well as time-since-last-down.
|
|
- hidserv offerers shouldn't need to define a SocksPort
|
|
* figure out what breaks for this, and do it.
|
|
- auth mechanisms to let hidden service midpoint and responder filter
|
|
connection requests.
|
|
- Relax clique assumptions.
|
|
- start handling server descriptors without a socksport?
|
|
- tor should be able to have a pool of outgoing IP addresses
|
|
that it is able to rotate through. (maybe)
|
|
|
|
Blue-sky:
|
|
- Patch privoxy and socks protocol to pass strings to the browser.
|
|
- Standby/hotswap/redundant hidden services.
|
|
- Robust decentralized storage for hidden service descriptors.
|
|
- The "China problem"
|
|
- Allow small cells and large cells on the same network?
|
|
- Cell buffering and resending. This will allow us to handle broken
|
|
circuits as long as the endpoints don't break, plus will allow
|
|
connection (tls session key) rotation.
|
|
- Implement Morphmix, so we can compare its behavior, complexity, etc.
|
|
- Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
|
|
link crypto, unless we can bully openssl into it.
|
|
. Conn key rotation (we switch to a new one after a week, but
|
|
old circuits don't get any benefit from this).
|
|
- Need a relay teardown cell, separate from one-way ends.
|
|
(Pending a user who needs this)
|
|
- Handle half-open connections: right now we don't support all TCP
|
|
streams, at least according to the protocol. But we handle all that
|
|
we've seen in the wild.
|
|
(Pending a user who needs this)
|
|
|