aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/spec/proposals/000-index.txt2
-rw-r--r--doc/spec/proposals/148-uniform-client-end-reason.txt58
2 files changed, 60 insertions, 0 deletions
diff --git a/doc/spec/proposals/000-index.txt b/doc/spec/proposals/000-index.txt
index e13b32c51..df186fcc8 100644
--- a/doc/spec/proposals/000-index.txt
+++ b/doc/spec/proposals/000-index.txt
@@ -70,6 +70,7 @@ Proposals by number:
145 Separate "suitable as a guard" from "suitable as a new guard" [OPEN]
146 Add new flag to reflect long-term stability [OPEN]
147 Eliminate the need for v2 directories in generating v3 directories [OPEN]
+148 Stream end reasons from the client side should be uniform [OPEN]
Proposals by status:
@@ -93,6 +94,7 @@ Proposals by status:
145 Separate "suitable as a guard" from "suitable as a new guard"
146 Add new flag to reflect long-term stability
147 Eliminate the need for v2 directories in generating v3 directories
+ 148 Stream end reasons from the client side should be uniform
NEEDS-REVISION:
110 Avoiding infinite length circuits
117 IPv6 exits
diff --git a/doc/spec/proposals/148-uniform-client-end-reason.txt b/doc/spec/proposals/148-uniform-client-end-reason.txt
new file mode 100644
index 000000000..0ccfcd2a7
--- /dev/null
+++ b/doc/spec/proposals/148-uniform-client-end-reason.txt
@@ -0,0 +1,58 @@
+Filename: 148-uniform-client-end-reason.txt
+Title: Stream end reasons from the client side should be uniform
+Version: $Revision$
+Last-Modified: $Date$
+Author: Roger Dingledine
+Created: 2-Jul-2008
+Status: Open
+
+Overview
+
+ When a stream closes before it's finished, the end relay cell that's
+ sent includes an "end stream reason" to tell the other end why it
+ closed. It's useful for the exit relay to send a reason to the client,
+ so the client can choose a different circuit, inform the user, etc. But
+ there's no reason to include it from the client to the exit relay,
+ and in some cases it can even harm anonymity.
+
+ We should pick a single reason for the client-to-exit-relay direction
+ and always just send that.
+
+Motivation
+
+ Back when I first deployed the Tor network, it was useful to have
+ the Tor relays learn why a stream closed, so I could debug both ends
+ of the stream at once. Now that streams have worked for many years,
+ there's no need to continue telling the exit relay whether the client
+ gave up on a stream because of "timeout" or "misc" or what.
+
+ Then in Tor 0.2.0.28-rc, I fixed this bug:
+ - Fix a bug where, when we were choosing the 'end stream reason' to
+ put in our relay end cell that we send to the exit relay, Tor
+ clients on Windows were sometimes sending the wrong 'reason'. The
+ anonymity problem is that exit relays may be able to guess whether
+ the client is running Windows, thus helping partition the anonymity
+ set. Down the road we should stop sending reasons to exit relays,
+ or otherwise prevent future versions of this bug.
+
+ It turned out that non-Windows clients were choosing their reason
+ correctly, whereas Windows clients were potentially looking at errno
+ wrong and so always choosing 'misc'.
+
+ I fixed that particular bug, but I think we should prevent future
+ versions of the bug too.
+
+ (We already fixed it so *circuit* end reasons don't get sent from
+ the client to the exit relay. But we appear to be have skipped over
+ stream end reasons thus far.)
+
+Design:
+
+ One option would be to no longer include any 'reason' field in end
+ relay cells. But that would introduce a partitioning attack ("users
+ running the old version" vs "users running the new version").
+
+ Instead I suggest that clients all switch to sending the "misc" reason,
+ like most of the Windows clients currently do and like the non-Windows
+ clients already do sometimes.
+