[tor-bugs] #30440 [Core Tor/Tor]: sendme: Service introduction circuit ignore flow control
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 10 12:56:25 UTC 2019
#30440: sendme: Service introduction circuit ignore flow control
----------------------------+------------------------------------
Reporter: dgoulet | Owner: (none)
Type: defect | Status: new
Priority: High | Milestone: Tor: 0.4.2.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: tor-hs, sendme | Actual Points:
Parent ID: #15516 | Points: 2
Reviewer: | Sponsor: Sponsor27-can
----------------------------+------------------------------------
Comment (by dgoulet):
After much discussions with armadev and asn, the ideal path forward is to
use prop289 here.
The service can know (with protover `FlowCtrl=1`) if the introduction
point supports SENDME v1 and if it does, the service should then start
emitting them on the intro circuit.
For this to work, we need also the intro point to handle SENDME v1 which
means decrease its `package_window` as INTRO2 cell comes in (not the
current behavior). However, because the IP doesn't know if the service
uses SENDME, it would only start accepting them once we switch on SENDME
v1 in the network (`sendme_accept_min_version`) which could be some years
down the road... But at least, in the meantime, service can start right
now emitting SENDMEs v1 for any relay advertising `FlowCtrl=1`.
1. There could be an argument for a new consensus param that control the
usage of SENDMEs on the intro circuit which would be turned on much later
since once we force that on the intro circuit, every service *NOT* sending
SENDMEs on the circuit will stop working after 1000 cells because the
intro point will reject anything due to flow control.
2. Another approach is to make intro points right now start decreasing the
package window and if it ends up to 0 and it doesn't get the SENDME at
that point, the IP can deduce the service is not supporting it and thus we
should continue operating like before. And this behavior will at some
point fade out itself once every HS out there start using SENDME v1. I
currently don't see much of a gain for a service to game this in the
future, except maybe voluntarily allow the intro point to route a LOT of
INTRO2 cells without flow control...? Again, we could switch off that
feature with the consensus or simply by starting releasing a new stable
not supporting this.
Overall, this will introduce an information leak: the intro point will
know that the service behind an intro circuit is >= "tor_version" ... asn
and I aren't too worried about that since any new HS features has that
"leak" once deployed on the network (ex: client auth).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30440#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list