diff options
Diffstat (limited to 'doc/contrib')
-rw-r--r-- | doc/contrib/authority-policy.txt | 89 | ||||
-rw-r--r-- | doc/contrib/incentives.txt | 479 | ||||
-rw-r--r-- | doc/contrib/tor-rpm-creation.txt | 56 | ||||
-rw-r--r-- | doc/contrib/torel-design.txt | 181 |
4 files changed, 56 insertions, 749 deletions
diff --git a/doc/contrib/authority-policy.txt b/doc/contrib/authority-policy.txt deleted file mode 100644 index dd3dc1178..000000000 --- a/doc/contrib/authority-policy.txt +++ /dev/null @@ -1,89 +0,0 @@ - -0. Overview. - - This document contains various informal policies for how to operate - a directory authority, how to choose new ones, etc. - -1. How to pick a new directory authority. - - Here's our current guidelines for how to pick new directory - authorities. - - (These won't ever be formal criteria -- we need to keep this flexible - so we can adapt to new situations.) - - o Stability: - - Must be a low-downtime Tor server (computer as well as network). - - Must have a static IP. - - The operator must have been running a stable Tor server for at least - 3 months. - - Must intend for this server to stick around for the next 12 months - or more. - - Must not hibernate. - - Should not be an exit node (as this increases the risk both of - downtime and of key compromise). - - o Performance: - - Must have sufficient bandwidth: at least 300 kB/s symmetric, - though in practice the inbound traffic can be considerably less. - - o Availability: - - Must be available to upgrade within a few days in most cases. - (While we're still developing Tor, we periodically find bugs that - impact the whole network and require authority upgrades.) - - Should have a well-known way to contact the administrator - via PGP-encrypted message. - - o Integrity: - - Must promise not to censor or attack the network and users. - - Should be run by somebody that Tor (i.e. Roger) knows. - - Should be widely regarded as fair/trustworthy, or at least - known, by many people. - - If somebody asks you to backdoor or change your server, legally or - otherwise, you will fight it to the extent of your abilities. If - you fail to fight it, you must shut down the Tor server and notify - us that you have. - - o Diversity - - We should avoid situations that make it likelier for multiple - authority failures to happen at the same time. Therefore... - - It's good when authorities are not all in the same country. - - It's good when authorities are not all in the same jurisdictions. - - It's good when authorities are not all running the same OS. - - It's good when authorities are not all using the same ISP. - - It's good when authorities are not all running the same - version of Tor. - - No two authorities should have the same operator. - - Maximal diversity, however, is not always practical. Sometimes, - for example, there is only one version of Tor that provides a - given consensus generation algorithm. - - A small group of authorities with the same country/jurisdiction/OS is - not a problem, until that group's size approaches quorum (half the - authorities). - -2. How to choose the recommended versions - - The policy, in a nutshell, is to not remove versions without a good - reason. So this means we should recommend all versions except: - - - Versions that no longer conform to the spec. That is, if they wouldn't - actually interact correctly with the current Tor network. - - Versions that have known security problems. - - Versions that have frequent crash or assert problems. - - Versions that harm the performance or stability of the current Tor - network or the anonymity of other users. For example, a version - that load balances wrong, or a version that hammers the authorities - too much. - - -> some use the slight variant of requiring a *good* reason. -> excellent reasons include "there's a security flaw" -> good reasons include "that crashes every time you start it. you would think -+tor is dumb if you tried to use that version and think of it as tor." -> good reasons include "those old clients do their load balancing wrong, and -+they're screwing up the whole network" -> reasons include "the old one is really slow, clients should prefer the new -+one" -> i try to draw the line at 'good reasons and above' - - diff --git a/doc/contrib/incentives.txt b/doc/contrib/incentives.txt deleted file mode 100644 index 850a0d01e..000000000 --- a/doc/contrib/incentives.txt +++ /dev/null @@ -1,479 +0,0 @@ - - Tor Incentives Design Brainstorms - -1. Goals: what do we want to achieve with an incentive scheme? - -1.1. Encourage users to provide good relay service (throughput, latency). -1.2. Encourage users to allow traffic to exit the Tor network from - their node. - -2. Approaches to learning who should get priority. - -2.1. "Hard" or quantitative reputation tracking. - - In this design, we track the number of bytes and throughput in and - out of nodes we interact with. When a node asks to send or receive - bytes, we provide service proportional to our current record of the - node's value. One approach is to let each circuit be either a normal - circuit or a premium circuit, and nodes can "spend" their value by - sending and receiving bytes on premium circuits: see section 4.1 for - details of this design. Another approach (section 4.2) would treat - all traffic from the node with the same priority class, and so nodes - that provide resources will get and provide better service on average. - - This approach could be complemented with an anonymous e-cash - implementation to let people spend reputations gained from one context - in another context. - -2.2. "Soft" or qualitative reputation tracking. - - Rather than accounting for every byte (if I owe you a byte, I don't - owe it anymore once you've spent it), instead I keep a general opinion - about each server: my opinion increases when they do good work for me, - and it decays with time, but it does not decrease as they send traffic. - Therefore we reward servers who provide value to the system without - nickle and diming them at each step. We also let them benefit from - relaying traffic for others without having to "reserve" some of the - payment for their own use. See section 4.3 for a possible design. - -2.3. Centralized opinions from the reputation servers. - - The above approaches are complex and we don't have all the answers - for them yet. A simpler approach is just to let some central set - of trusted servers (say, the Tor directory servers) measure whether - people are contributing to the network, and provide a signal about - which servers should be rewarded. They can even do the measurements - via Tor so servers can't easily perform only when they're being - tested. See section 4.4. - -2.4. Reputation servers that aggregate opinions. - - The option above has the directory servers doing all of the - measurements. This doesn't scale. We can set it up so we have "deputy - testers" -- trusted other nodes that do performance testing and report - their results. - - If we want to be really adventurous, we could even - accept claims from every Tor user and build a complex weighting / - reputation system to decide which claims are "probably" right. - One possible way to implement the latter is something similar to - EigenTrust [http://www.stanford.edu/~sdkamvar/papers/eigentrust.pdf], - where the opinion of nodes with high reputation more is weighted - higher. - -3. Related issues we need to keep in mind. - -3.1. Relay and exit configuration needs to be easy and usable. - - Implicit in all of the above designs is the need to make it easy to - run a Tor server out of the box. We need to make it stable on all - common platforms (including XP), it needs to detect its available - bandwidth and not overreach that, and it needs to help the operator - through opening up ports on his firewall. Then we need a slick GUI - that lets people click a button or two rather than editing text files. - - Once we've done all this, we'll hit our first big question: is - most of the barrier to growth caused by the unusability of the current - software? If so, are the rest of these incentive schemes superfluous? - -3.2. The network effect: how many nodes will you interact with? - - One of the concerns with pairwise reputation systems is that as the - network gets thousands of servers, the chance that you're going to - interact with a given server decreases. So if 90% of interactions - don't have any prior information, the "local" incentive schemes above - are going to degrade. This doesn't mean they're pointless -- it just - means we need to be aware that this is a limitation, and plan in the - background for what step to take next. (It seems that e-cash solutions - would scale better, though they have issues of their own.) - -3.3. Guard nodes - - As of Tor 0.1.1.11, Tor users pick from a small set of semi-permanent - "guard nodes" for their first hop of each circuit. This seems like it - would have a big impact on pairwise reputation systems since you - will only be cashing in on your reputation to a few people, and it is - unlikely that a given pair of nodes will use each other as guard nodes. - - What does this imply? For one, it means that we don't care at all - about the opinions of most of the servers out there -- we should - focus on keeping our guard nodes happy with us. - - One conclusion from that is that our design needs to judge performance - not just through direct interaction (beginning of the circuit) but - also through indirect interaction (middle of the circuit). That way - you can never be sure when your guards are measuring you. - - Both 3.2 and 3.3 may be solved by having a global notion of reputation, - as in 2.3 and 2.4. However, computing the global reputation from local - views could be expensive (O(n^2)) when the network is really large. - -3.4. Restricted topology: benefits and roadmap. - - As the Tor network continues to grow, we will need to make design - changes to the network topology so that each node does not need - to maintain connections to an unbounded number of other nodes. For - anonymity's sake, we may partition the network such that all - the nodes have the same belief about the divisions and each node is - in only one partition. (The alternative is that every user fetches - his own random subset of the overall node list -- this is bad because - of intersection attacks.) - - Therefore the "network horizon" for each user will stay bounded, - which helps against the above issues in 3.2 and 3.3. - - It could be that the core of long-lived servers will all get to know - each other, and so the critical point that decides whether you get - good service is whether the core likes you. Or perhaps it will turn - out to work some other way. - - A special case here is the social network, where the network isn't - partitioned randomly but instead based on some external properties. - Social network topologies can provide incentives in other ways, because - people may be more inclined to help out their friends, and more willing - to relay traffic if most of the traffic they are relaying comes - from their friends. It also opens the door for out-of-band incentive - schemes because of the out-of-band links in the graph. - -3.5. Profit-maximizing vs. Altruism. - - There are some interesting game theory questions here. - - First, in a volunteer culture, success is measured in public utility - or in public esteem. If we add a reward mechanism, there's a risk that - reward-maximizing behavior will surpass utility- or esteem-maximizing - behavior. - - Specifically, if most of our servers right now are relaying traffic - for the good of the community, we may actually *lose* those volunteers - if we turn the act of relaying traffic into a selfish act. - - I am not too worried about this issue for now, since we're aiming - for an incentive scheme so effective that it produces tens of - thousands of new servers. - -3.6. What part of the node's performance do you measure? - - We keep referring to having a node measure how well the other nodes - receive bytes. But don't leeching clients receive bytes just as well - as servers? - - Further, many transactions in Tor involve fetching lots of - bytes and not sending very many. So it seems that we want to turn - things around: we need to measure how quickly a node is _sending_ - us bytes, and then only send it bytes in proportion to that. - - However, a sneaky user could simply connect to a node and send some - traffic through it, and voila, he has performed for the network. This - is no good. The first fix is that we only count if you're receiving - bytes "backwards" in the circuit. Now the sneaky user needs to - construct a circuit such that his node appears later in the circuit, - and then send some bytes back quickly. - - Maybe that complexity is sufficient to deter most lazy users. Or - maybe it's an argument in favor of a more penny-counting reputation - approach. - - Addendum: I was more thinking of measuring based on who is the service - provider and service receiver for the circuit. Say Alice builds a - circuit to Bob. Then Bob is providing service to Alice, since he - otherwise wouldn't need to spend his bandwidth. So traffic in either - direction should be charged to Alice. Of course, the same attack would - work, namely, Bob could cheat by sending bytes back quickly. So someone - close to the origin needs to detect this and close the circuit, if - necessary. -JN - -3.7. What is the appropriate resource balance for servers vs. clients? - - If we build a good incentive system, we'll still need to tune it - to provide the right bandwidth allocation -- if we reserve too much - bandwidth for fast servers, then we're wasting some potential, but - if we reserve too little, then fewer people will opt to become servers. - In fact, finding an optimum balance is especially hard because it's - a moving target: the better our incentive mechanism (and the lower - the barrier to setup), the more servers there will be. How do we find - the right balance? - - One answer is that it doesn't have to be perfect: we can err on the - side of providing extra resources to servers. Then we will achieve our - desired goal -- when people complain about speed, we can tell them to - run a server, and they will in fact get better performance. - -3.8. Anonymity attack: fast connections probably come from good servers. - - If only fast servers can consistently get good performance in the - network, they will stand out. "Oh, that connection probably came from - one of the top ten servers in the network." Intersection attacks over - time can improve the certainty of the attack. - - I'm not too worried about this. First, in periods of low activity, - many different people might be getting good performance. This dirties - the intersection attack. Second, with many of these schemes, we will - still be uncertain whether the fast node originated the traffic, or - was the entry node for some other lucky user -- and we already accept - this level of attack in other cases such as the Murdoch-Danezis attack - [http://freehaven.net/anonbib/#torta05]. - -3.9. How do we allocate bandwidth over the course of a second? - - This may be a simple matter of engineering, but it still needs to be - addressed. Our current token bucket design refills each bucket once a - second. If we have N tokens in our bucket, and we don't know ahead of - time how many connections are going to want to send out how many bytes, - how do we balance providing quick service to the traffic that is - already here compared to providing service to potential high-importance - future traffic? - - If we have only two classes of service, here is a simple design: - At each point, when we are 1/t through the second, the total number - of non-priority bytes we are willing to send out is N/t. Thus if N - priority bytes are waiting at the beginning of the second, we drain - our whole bucket then, and otherwise we provide some delayed service - to the non-priority bytes. - - Does this design expand to cover the case of three priority classes? - Ideally we'd give each remote server its own priority number. Or - hopefully there's an easy design in the literature to point to -- - this is clearly not my field. - - Is our current flow control mechanism (each circuit and each stream - start out with a certain window, and once they've exhausted it they - need to receive an ack before they can send more) going to have - problems with this new design now that we'll be queueing more bytes - for less preferred nodes? If it turns out we do, the first fix is - to have the windows start out at zero rather than start out full -- - it will slow down the startup phase but protect us better. - - While we have outgoing cells queued for a given server, we have the - option of reordering them based on the priority of the previous hop. - Is this going to turn out to be useful? If we're the exit node (that - is, there is no previous hop) what priority do those cells get? - - Should we do this prioritizing just for sending out bytes (as I've - described here) or would it help to do it also for receiving bytes? - See next section. - -3.10. Different-priority cells arriving on the same TCP connection. - - In some of the proposed designs, servers want to give specific circuits - priority rather than having all circuits from them get the same class - of service. - - Since Tor uses TCP's flow control for rate limiting, this constraints - our design choices -- it is easy to give different TCP connections - different priorities, but it is hard to give different cells on the - same connection priority, because you have to read them to know what - priority they're supposed to get. - - There are several possible solutions though. First is that we rely on - the sender to reorder them so the highest priority cells (circuits) are - more often first. Second is that if we open two TCP connections -- one - for the high-priority cells, and one for the low-priority cells. (But - this prevents us from changing the priority of a circuit because - we would need to migrate it from one connection to the other.) A - third approach is to remember which connections have recently sent - us high-priority cells, and preferentially read from those connections. - - Hopefully we can get away with not solving this section at all. But if - necessary, we can consult Ed Knightly, a Professor at Rice - [http://www.ece.rice.edu/~knightly/], for his extensive experience on - networking QoS. - -3.11. Global reputation system: Congestion on high reputation servers? - - If the notion of reputation is global (as in 2.3 or 2.4), circuits that - go through successive high reputation servers would be the fastest and - most reliable. This would incentivize everyone, regardless of their own - reputation, to choose only the highest reputation servers in its - circuits, causing an over-congestion on those servers. - - One could argue, though, that once those servers are over-congested, - their bandwidth per circuit drops, which would in turn lower their - reputation in the future. A question is whether this would overall - stabilize. - - Another possible way is to keep a cap on reputation. In this way, a - fraction of servers would have the same high reputation, thus balancing - such load. - -3.12. Another anonymity attack: learning from service levels. - - If reputation is local, it may be possible for an evil node to learn - the identity of the origin through provision of differential service. - For instance, the evil node provides crappy bandwidth to everyone, - until it finds a circuit that it wants to trace the origin, then it - provides good bandwidth. Now, as only those directly or indirectly - observing this circuit would like the evil node, it can test each node - by building a circuit via each node to another evil node. If the - bandwidth is high, it is (somewhat) likely that the node was a part of - the circuit. - - This problem does not exist if the reputation is global and nodes only - follow the global reputation, i.e., completely ignore their own view. - -3.13. DoS through high priority traffic. - - Assume there is an evil node with high reputation (or high value on - Alice) and this evil node wants to deny the service to Alice. What it - needs to do is to send a lot of traffic to Alice. To Alice, all traffic - from this evil node is of high priority. If the choice of circuits are - too based toward high priority circuits, Alice would spend most of her - available bandwidth on this circuit, thus providing poor bandwidth to - everyone else. Everyone else would start to dislike Alice, making it - even harder for her to forward other nodes' traffic. This could cause - Alice to have a low reputation, and the only high bandwidth circuit - Alice could use would be via the evil node. - -3.14. If you run a fast server, can you run your client elsewhere? - - A lot of people want to run a fast server at a colocation facility, - and then reap the rewards using their cablemodem or DSL Tor client. - - If we use anonymous micropayments, where reputation can literally - be transferred, this is trivial. - - If we pick a design where servers accrue reputation and can only - use it themselves, though, the clients can configure the servers as - their entry nodes and "inherit" their reputation. In this approach - we would let servers configure a set of IP addresses or keys that get - "like local" service. - -4. Sample designs. - -4.1. Two classes of service for circuits. - - Whenever a circuit is built, it is specified by the origin which class, - either "premium" or "normal", this circuit belongs. A premium circuit - gets preferred treatment at each node. A node "spends" its value, which - it earned a priori by providing service, to the next node by sending - and receiving bytes. Once a node has overspent its values, the circuit - cannot stay as premium. It either breaks or converts into a normal - circuit. Each node also reserves a small portion of bandwidth for - normal circuits to prevent starvation. - - Pro: Even if a node has no value to spend, it can still use normal - circuits. This allow casual user to use Tor without forcing them to run - a server. - - Pro: Nodes have incentive to forward traffic as quick and as much as - possible to accumulate value. - - Con: There is no proactive method for a node to rebalance its debt. It - has to wait until there happens to be a circuit in the opposite - direction. - - Con: A node needs to build circuits in such a way that each node in the - circuit has to have good values to the next node. This requires - non-local knowledge and makes circuits less reliable as the values are - used up in the circuit. - - Con: May discourage nodes to forward traffic in some circuits, as they - worry about spending more useful values to get less useful values in - return. - -4.2. Treat all the traffic from the node with the same service; - hard reputation system. - - This design is similar to 4.1, except that instead of having two - classes of circuits, there is only one. All the circuits are - prioritized based on the value of the interacting node. - - Pro: It is simpler to design and give priority based on connections, - not circuits. - - Con: A node only needs to keep a few guard nodes happy to forward their - traffic. - - Con: Same as in 4.1, may discourage nodes to forward traffic in some - circuits, as they worry about spending more useful values to get less - useful values in return. - -4.3. Treat all the traffic from the node with the same service; - soft reputation system. - - Rather than a guaranteed system with accounting (as 4.1 and 4.2), - we instead try for a best-effort system. All bytes are in the same - class of service. You keep track of other Tors by key, and give them - service proportional to the service they have given you. That is, in - the past when you have tried to push bytes through them, you track the - number of bytes and the average bandwidth, and use that to weight the - priority of their connections if they try to push bytes through you. - - Now you're going to get minimum service if you don't ever push bytes - for other people, and you get increasingly improved service the more - active you are. We should have memories fade over time (we'll have - to tune that, which could be quite hard). - - Pro: Sybil attacks are pointless because new identities get lowest - priority. - - Pro: Smoothly handles periods of both low and high network load. Rather - than keeping track of the ratio/difference between what he's done for - you and what you've done for him, simply keep track of what he's done - for you, and give him priority based on that. - - Based on 3.3 above, it seems we should reward all the nodes in our - path, not just the first one -- otherwise the node can provide good - service only to its guards. On the other hand, there might be a - second-order effect where you want nodes to like you so that *when* - your guards choose you for a circuit, they'll be able to get good - performance. This tradeoff needs more simulation/analysis. - - This approach focuses on incenting people to relay traffic, but it - doesn't do much for incenting them to allow exits. It may help in - one way through: if there are few exits, then they will attract a - lot of use, so lots of people will like them, so when they try to - use the network they will find their first hop to be particularly - pleasant. After that they're like the rest of the world though. (An - alternative would be to reward exit nodes with higher values. At the - extreme, we could even ask the directory servers to suggest the extra - values, based on the current availability of exit nodes.) - - Pro: this is a pretty easy design to add; and it can be phased in - incrementally simply by having new nodes behave differently. - -4.4. Centralized opinions from the reputation servers. - - Have a set of official measurers who spot-check servers from the - directory to see if they really do offer roughly the bandwidth - they advertise. Include these observations in the directory. (For - simplicity, the directory servers could be the measurers.) Then Tor - servers give priority to other servers. We'd like to weight the - priority by advertised bandwidth to encourage people to donate more, - but it seems hard to distinguish between a slow server and a busy - server. - - The spot-checking can be done anonymously to prevent selectively - performing only for the measurers, because hey, we have an anonymity - network. - - We could also reward exit nodes by giving them better priority, but - like above this only will affect their first hop. Another problem - is that it's darn hard to spot-check whether a server allows exits - to all the pieces of the Internet that it claims to. If necessary, - perhaps this can be solved by a distributed reporting mechanism, - where clients that can reach a site from one exit but not another - anonymously submit that site to the measurers, who verify. - - A last problem is that since directory servers will be doing their - tests directly (easy to detect) or indirectly (through other Tor - servers), then we know that we can get away with poor performance for - people that aren't listed in the directory. Maybe we can turn this - around and call it a feature though -- another reason to get listed - in the directory. - -5. Recommendations and next steps. - -5.1. Simulation. - - For simulation trace, we can use two: one is what we obtained from Tor - and one from existing web traces. - - We want to simulate all the four cases in 4.1-4. For 4.4, we may want - to look at two variations: (1) the directory servers check the - bandwidth themselves through Tor; (2) each node reports their perceived - values on other nodes, while the directory servers use EigenTrust to - compute global reputation and broadcast those. - -5.2. Deploying into existing Tor network. - diff --git a/doc/contrib/tor-rpm-creation.txt b/doc/contrib/tor-rpm-creation.txt new file mode 100644 index 000000000..a03891e2b --- /dev/null +++ b/doc/contrib/tor-rpm-creation.txt @@ -0,0 +1,56 @@ +## Instructions for building the official rpms. +## +The process used to create the official rpms is as follows: + +You'll need to install libevent headers, usually located in package named +libevent-devel. Alternatively, you could download latest libevent from +http://libevent.org/ but that shouldn't be necessary. + +Download and Extract the latest tor source code from +https://www.torproject.org/download + +In the resulting directory: +LIBS=-lrt ./configure +make dist-rpm + +You should have at least two, maybe three, rpms. There should be the binary +(i686|x86_64).rpm, a src.rpm, and on redhat/centos machines, a debuginfo.rpm. +The debuginfo rpms are created if package redhat-rpm-config is installed (case +of redhat distros). + +This step suffices unless you want to create RPMs for distros other than the +one you used for building. + + +## Instructions for building RPMs for multiple architectures or distributions +## using 'mock' on Fedora or RHEL (and clones) + +Make sure you have mock installed and configured, see following HOWTOs for setup: +https://fedoraproject.org/wiki/How_to_create_an_RPM_package +https://fedoraproject.org/wiki/Using_Mock_to_test_package_builds + +Take the source RPM generated by previous step, and execute mock for every +target architecture (the names come from files in /etc/mock, strip the .cfg +extension in the -r parameter): + +mock --rebuild -r fedora-17-x86_64 tor-X.Y.Z.src.rpm + +Building for EL5 from newer distro (e.g. EL6 or Fedora 17) will fail due to bug +(https://bugzilla.redhat.com/show_bug.cgi?id=490613). +Here's a workaround: + +Before even building the source RPM, install fedora-packager and instruct +the build system to use rpmbuild-md5 like this: + +yum install fedora-packager +export RPMBUILD=rpmbuild-md5 + +Then proceed as usual to create the source RPM and binary RPMs: + +LIBS=-lrt ./configure +make dist-rpm +mock --rebuild -r epel-5-x86_64 tor-X.Y.Z.src.rpm + + +(Note: don't build under OpenVZ - it breaks unshare() syscall, which in turn +breaks mock. It could save you several hours.) diff --git a/doc/contrib/torel-design.txt b/doc/contrib/torel-design.txt deleted file mode 100644 index 610cbe21f..000000000 --- a/doc/contrib/torel-design.txt +++ /dev/null @@ -1,181 +0,0 @@ -Design For A Tor DNS-based Exit List - -Status: - - This is a suggested design for a DNS Exit List (DNSEL) for Tor exit nodes. - See http://exitlist.torproject.org/ for an implementation. - -Why? - - It's useful for third parties to be able to tell when a given connection - is coming from a Tor exit node. Potential applications range from - "anonymous user" cloaks on IRC networks like oftc, to networks like - Freenode that apply special authentication rules to users from these - IPs, to systems like Wikipedia that may want to make a priority of - _unblocking_ shared IPs more liberally than non-shared IPs, since shared - IPs presumably have non-abusive users as well as abusive ones. - - Since Tor provides exit policies, not every Tor server will connect to - every address:port combination on the Internet. Unless you're trying to - penalize hosts for supporting anonymity, it makes more sense to answer - the fine-grained question "which Tor servers will connect to _me_?" than - the coarse-grained question "which Tor servers exist?" The fine-grained - approach also helps Tor server ops who share an IP with their Tor - server: if they want to access a site that blocks Tor users, they - can exclude that site from their exit policy, and the site can learn - that they won't send it anonymous connections. - - Tor already ships with a tool (the "contrib/exitlist" script) to - identify which Tor nodes might open anonymous connections to any given - exit address. But this is a bit tricky to set up, so only sites like - Freenode and OFTC that are dedicated to privacy use it. - Conversely, providers of some DNSEL implementations are providing - coarse-grained lists of Tor hosts -- sometimes even listing servers that - permit no exit connections at all. This is rather a problem, since - support for DNSEL is pretty ubiquitous. - - -How? - - Keep a running Tor instance, and parse the cached-routers and - cached-routers.new files as new routers arrive. To tell whether a given - server allows connections to a certain address:port combo, look at the - definitions in dir-spec.txt or follow the logic of the current exitlist - script. If bug 405 is still open when you work on this - (https://bugs.torproject.org/flyspray/index.php?do=details&id=405), you'll - probably want to extend it to look at only the newest descriptor for - each server, so you don't use obsolete exit policy data. - - FetchUselessDescriptors would probably be a good torrc option to enable. - - If you're also running a directory cache, you get extra-fresh - information. - - -The DNS interface - - Standard DNSEL, if I understand right, looks like this: There's some - authoritative name server for foo.example.com. You want to know if - 1.2.3.4 is in the list, so you query for an A record for - 4.3.2.1.foo.example.com. If the record exists and has the value - 127.0.0.2[DNSBL-EMAIL], 1.2.3.4 is in the list. If you get an NXDOMAIN - error, 1.2.3.4 is not in the list. If you ask for a domain name outside - of the foo.example.com zone, you get a Server Failure error[RFC 1035]. - - Assume that the DNSEL answers queries authoritatively for some zone, - torhosts.example.com. Below are some queries that could be supported, - though some of them are possibly a bad idea. - - - Query type 1: "General IP:Port" - - Format: - {IP1}.{port}.{IP2}.ip-port.torhosts.example.com - - Rule: - Iff {IP1} is a Tor server that permits connections to {port} on - {IP2}, then there should be an A record with the value 127.0.0.2. - - Example: - "1.0.0.10.80.4.3.2.1.ip-port.torhosts.example.com" should have the - value 127.0.0.2 if and only if there is a Tor server at 10.0.0.1 - that allows connections to port 80 on 1.2.3.4. - - Example use: - I'm running an IRC server at w.x.y.z:9999, and I want to tell - whether an incoming connection is from a Tor server. I set - up my IRC server to give a special mask to any user coming from - an IP listed in 9999.z.y.x.w.ip-port.torhosts.example.com. - - Later, when I get a connection from a.b.c.d, my ircd looks up - "d.c.b.a.9999.z.y.x.w.ip-port.torhosts.example.com" to see - if it's a Tor server that allows connections to my ircd. - - - Query type 2: "IP-port group" - - Format: - {IP}.{listname}.list.torhosts.example.com - - Rule: - Iff this Tor server is configured with an IP:Port list named - {listname}, and {IP} is a Tor server that permits connections to - any member of {listname}, then there exists an A record. - - Example: - Suppose torhosts.example.com has a list of IP:Port called "foo". - There is an A record for 4.3.2.1.foo.list.torhosts.example.com - if and only if 1.2.3.4 is a Tor server that permits connections - to one of the addresses in list "foo". - - Example use: - Suppose torhosts.example.com has a list of hosts in "examplenet", - a popular IRC network. Rather than having them each set up to - query the appropriate "ip-port" list, they could instead all be - set to query a central examplenet.list.torhosts.example.com. - - Problems: - We'd be better off if each individual server queried about hosts - that allowed connections to itself. That way, if I wanted to - allow anonymous connections to foonet, but I wanted to be able to - connect to foonet from my own IP without being marked, I could add - just a few foonet addresses to my exit policy. - - - Query type 3: "My IP, with port" - - Format: - {IP}.{port}.me.torhosts.example.com - - Rule: - An A record exists iff there is a tor server at {IP} that permits - connections to {port} on the host that requested the lookup. - - Example: - "4.3.2.1.80.me.torhosts.example.com" should have an A record if - and only if there is a Tor server at 1.2.3.4 that allows - connections to port 80 of the querying host. - - Example use: - Somebody wants to set up a quick-and-dirty Tor detector for a - single webserver: just point them at 80.me.torhosts.example.com. - - Problem: - This would be easiest to use, but DNS gets in the way. If you - create DNS records that give different results depending on who is - asking, you mess up caching. There could be a fix here, but might - not. - - - RECOMMENDATION: Just build ip-port for now, and see what demand is - like. There's no point in building mechanisms nobody wants. - -Web interface: - - Should provide the same data as the dns interface. - -Other issues: - - After a Tor server op turns off their server, it stops publishing server - descriptors. We should consider that server's IP address to still - represent a Tor node until 48 hours after its last descriptor was - published. - - 30-60 minutes is not an unreasonable TTL. - - There could be some demand for address masks and port lists. Address - masks wider than /8 make me nervous here, as do port ranges. - - We need an answer for what to do about hosts which exit from different - IPs than their advertised IP. One approach would be for the DNSEL - to launch periodic requests to itself through all exit servers whose - policies allow it -- and then see where the requests actually come from. - -References: - - [DNSBL-EMAIL] Levine, J., "DNS Based Blacklists and Whitelists for - E-Mail", http://tools.ietf.org/html/draft-irtf-asrg-dnsbl-02, November - 2005. - - [RFC 1035] Mockapetris, P., "Domain Names - Implementation and - Specification", RFC 1035, November 1987. |