[tor-bugs] #19859 [Core Tor/Tor]: Expose stream isolation information to controllers

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Aug 8 23:13:29 UTC 2016 

#19859: Expose stream isolation information to controllers
------------------------------+--------------------------------------------
     Reporter:  nickm         |      Owner:
         Type:  enhancement   |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.3.0.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  needs-proposal hidden-services
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------------------
 See the discussion on the "How to integrate an external name resolver into
 Tor" thread on tor-dev; most notably
 http://archives.seul.org/tor/dev/Aug-2016/msg00019.html .

 Resolvers would like to know the isolation information of incoming streams
 so they know which streams need to be isolated from which other streams.

 Semantically, this is a little tricky.  The underlying rule that Tor
 implements is that each stream has a tuple of attributes (A_1, A_2...
 A_n), and a bit field (b_1, b_2... b_n).  Two streams S_a and S_b may
 share the same circuit iff, for every i such that the OR of their b_i
 values is true, they have the same A_i value.

 Note that this is not transitive: Stream S_a may be able to share a
 circuit with S_b or S_c, even if S_b cannot share with S_c.  Worse

 Should we (1) expose these attribute tuples and bitfields and require
 controllers to manipulate them correctly?  That seems obnoxious and error-
 prone.

 Or should we (2) allow controllers to ask questions like "may stream A
 share a circuit with stream B?" Or "what streams may A share a circuit
 with?"  This might lead to O(n) queries, and it will still be error-prone
 because of the non-transitivity issue.

 Or would it be better to (3) oversimplify the system above and provide
 each stream a 'cookie' such that any two streams with the same cookie may
 definitely share the same circuit?  But this is problematic, and will
 overestimate how much isolation we need.

 My current best idea is that (4) we should provide an operation of the
 form "make stream A have the same isolation properties as stream B".  And
 possibly "make circuit C have isolation properties as if it had been used
 by stream A".  So we don't expose isolation information, we just expose a
 way to manipulate it.

 Or maybe there's a further clever way I'm not even thinking about just
 now.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19859>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list