[tor-bugs] #26288 [Core Tor/Tor]: prop289: Implement authenticated SENDME

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 28 00:26:55 UTC 2019


#26288: prop289: Implement authenticated SENDME
-------------------------------------------------+-------------------------------------
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  enhancement                          |         Status:  needs_revision
 Priority:  Medium                               |      Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  prop289, 035-roadmap-master,         |  Actual Points:
  035-triaged-in-20180711,                       |
  prop289-assigned-sponsor-v,                    |
  041-proposed-on-roadmap,                       |
  network-team-roadmap-2019-Q1Q2                 |
Parent ID:                                       |         Points:  21
 Reviewer:  nickm                                |        Sponsor:  SponsorV
-------------------------------------------------+-------------------------------------
Changes (by teor):

 * status:  needs_review => needs_revision


Comment:

 I reviewed the protocol parts of this patch:

 Phase 3 of the transition plan requires old clients and relays to download
 a consensus so they learn that they should stop trying to connect to the
 network. But since 0.2.8, clients (and censored relays that can't access
 any DirPorts) will try to use the ORPort to download a consensus. But
 ORPort circuits from legacy clients will fail during phase 3.

 Here's what I think we need to do:
 1. always allow legacy sendmes for BEGINDIR for the consensus, and
 everything that is required to validate a consensus:
   * authority certificates,
   * relay descriptors (for bridge clients),
   * anything else?
 2. Revise the transition plan, so it includes the protover changes and the
 consensus parameter changes
 3. Don't remove the section about extensive testing using chutney:
 {{{
 -   We'll want to do a bunch of testing in chutney before flipping the
 -   switches in the real network: I've long suspected we still have bugs
 -   in our sendme timing, and this proposal might expose some of them.
 }}}
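Review bot: the three removed lines are the only visible statement that chutney testing must happen before "flipping the switches in the real network", and they record a suspected class of bugs in sendme timing that this proposal might expose. Keep the paragraph, and if the transition plan is being rewritten anyway, attach the testing requirement to each phase so it cannot be dropped along with the old wording.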
 4. Do the chutney tests now, and do them again when we want to implement
 each phase on the public network

 The spec and the code are also out of sync: the spec talks about FlowCtrl,
 but the code doesn't have FlowCtrl.

 Here are the changes I think we need to make:

 1. Add FlowCtrl=1 to the protocols advertised by relays in C
 2. Add FlowCtrl=1 to the protocols advertised by relays in Rust
 3. Clarify "FlowCtrl" in the spec:
 {{{
    Tor clients and relays that don't support this protover version from the
    consensus "required-client-protocols" or "required-relay-protocols" lines
    will exit and thus not try to join the network. Here is the proposed value:

       "FlowCtrl"

       Describes the flow control protocol at the circuit and stream level.
       If there is no FlowCtrl protocol version, tor supports the unauthenticated
       flow control features from its supported Relay protocols.
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26288#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
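
The protover gate the comment above depends on (a `FlowCtrl=1` entry in "required-client-protocols" or "required-relay-protocols" causing a tor without it to exit) can be sketched as follows. This is an added example, not code from tor or from the patch under review: the protover lines are constructed, and `parse_protovers`, `missing_required` and the `MAX_VERSION` bound are choices of this example.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Sanity bound chosen for this example so a huge range cannot exhaust memory.
const MAX_VERSION: u32 = 63;

/// Parse a protover list such as "FlowCtrl=1 Relay=1-2,4" into name -> versions.
/// Returns None on malformed input.
fn parse_protovers(line: &str) -> Option<BTreeMap<String, BTreeSet<u32>>> {
    let mut out = BTreeMap::new();
    for entry in line.split_whitespace() {
        let (name, versions) = entry.split_once('=')?;
        let set: &mut BTreeSet<u32> = out.entry(name.to_string()).or_default();
        for part in versions.split(',') {
            let (lo, hi): (u32, u32) = match part.split_once('-') {
                Some((a, b)) => (a.parse::<u32>().ok()?, b.parse::<u32>().ok()?),
                None => {
                    let v = part.parse::<u32>().ok()?;
                    (v, v)
                }
            };
            if lo > hi || hi > MAX_VERSION {
                return None;
            }
            set.extend(lo..=hi);
        }
    }
    Some(out)
}

/// Return every required "Name=version" that the supported list lacks.
/// A non-empty result is the condition under which the node must not join.
fn missing_required(supported: &str, required: &str) -> Option<Vec<String>> {
    let have = parse_protovers(supported)?;
    let need = parse_protovers(required)?;
    let mut missing = Vec::new();
    for (name, versions) in &need {
        for v in versions {
            if !have.get(name).map_or(false, |s| s.contains(v)) {
                missing.push(format!("{}={}", name, v));
            }
        }
    }
    Some(missing)
}

fn main() {
    // Constructed lines: a requirement, a legacy node, and an updated node.
    let required = "FlowCtrl=1 Relay=1-2";
    println!("legacy:  {:?}", missing_required("Link=1-5 Relay=1-2", required));
    println!("updated: {:?}", missing_required("FlowCtrl=1 Link=1-5 Relay=1-2", required));
}
```

A legacy node that advertises no `FlowCtrl` entry reports `FlowCtrl=1` as missing, which is why steps 1 and 2 of the list above have to land before the consensus lines can require it.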

