[or-cvs] r10001: patch on 112-bring-back-pathlencoinweight.txt from mikeperry (tor/trunk/doc/spec/proposals)
arma at seul.org
arma at seul.org
Sun Apr 22 03:59:55 UTC 2007
Author: arma
Date: 2007-04-21 23:59:55 -0400 (Sat, 21 Apr 2007)
New Revision: 10001
Modified:
tor/trunk/doc/spec/proposals/112-bring-back-pathlencoinweight.txt
Log:
patch on 112-bring-back-pathlencoinweight.txt from mikeperry
Modified: tor/trunk/doc/spec/proposals/112-bring-back-pathlencoinweight.txt
===================================================================
--- tor/trunk/doc/spec/proposals/112-bring-back-pathlencoinweight.txt 2007-04-21 17:48:50 UTC (rev 10000)
+++ tor/trunk/doc/spec/proposals/112-bring-back-pathlencoinweight.txt 2007-04-22 03:59:55 UTC (rev 10001)
@@ -100,11 +100,12 @@
I believe currently guards are rotated if circuits fail, which does
provide some protection, but this could be changed so that an entry
- guard is completely abandoned after a certain number of extend or
- general circuit failures, though perhaps this also could be gamed
- to increase guard turnover. Such a game would be much more noticeable
- than an individual guard failing circuits, though, since it would
- affect all clients, not just those who chose a particular guard.
+ guard is completely abandoned after a certain ratio of extend or
+ general circuit failures with respect to non-failed circuits. This
+ could possibly be gamed to increase guard turnover, but such a game
+ would be much more noticeable than an individual guard failing circuits,
+ though, since it would affect all clients, not just those who chose
+ a particular guard.
Why not fix Pathlen=2?:
@@ -117,93 +118,47 @@
government even care? In the face of these situation-dependent unknowns,
it should be up to the user to decide if this is a concern for them or not.
+ It should probably also be noted that even a false positive
+ rate of 1% for a 200k concurrent-user network could mean that for a
+ given node, a given stream could be confused with something like 10
+ users, assuming ~200 nodes carry most of the traffic (ie 1000 users
+ each). Though of course to really know for sure, someone needs to do
+ an attack on a real network, unfortunately.
+
Implementation:
new_route_len() can be modified directly with a check of the
PathlenCoinWeight option (converted to percent) and a call to
crypto_rand_int(0,100) for the weighted coin.
- The Vidalia setting should probably be in the network status window
- as a slider, complete with tooltip, help documentation, and perhaps
- an "Are you Sure?" checkbox.
+ The entry_guard_t structure could have num_circ_failed and
+ num_circ_succeeded members such that if it exceeds N% circuit
+ extend failure rate to a second hop, it is removed from the entry list.
+ N should be sufficiently high to avoid churn from normal Tor circuit
+ failure as determined by TorFlow scans.
- The entry_guard_t structure could have a num_circ_failed member
- such that if it exceeds N circuit extend failure to a second hop,
- it is removed from the entry list. N should be sufficiently high
- to avoid churn from normal Tor circuit failure, and could possibly be
- represented as a ratio of failed to successful circuits through that
- guard.
+ The Vidalia option should be presented as a boolean, to minimize confusion
+ for the user. Something like a radiobutton with:
+
+ * "I use Tor for Censorship Resistance, not Anonymity. Speed is more
+ important to me than Anonymity."
+ * "I use Tor for Anonymity. I need extra protection at the cost of speed."
+
+ and then some explanation in the help for exactly what this means, and
+ the risks involved with eliminating the adversary's need for timing attacks
+ wrt to false positives, etc.
-
Migration:
- Phase one: Re-enable config and modify new_route_len() to add an
+ Phase one: Experiment with the proper ratio of circuit failures
+ used to expire garbage or malicious guards via TorFlow.
+
+ Phase two: Re-enable config and modify new_route_len() to add an
extra hop if coin comes up "heads".
- Phase two: Experiment with the proper ratio of circuit failures
- used to expire garbage or malicious guards.
-
- Phase three: Make slider or entry box in Vidalia, along with help entry
+ Phase three: Make radiobutton in Vidalia, along with help entry
that explains in layman's terms the risks involved.
[1] http://www.cs.umass.edu/~mwright/papers/levine-timing.pdf
-
-
-============================================================
-
-I love replying to myself. I can't resist doing it. Sorry. "Think twice
-post once" is a concept totally lost on me, especially when I'm wrong
-the first two times ;)
-
-
-Thus spake Mike Perry (mikepery at fscked.org):
-
-> Why not fix Pathlen=2?:
->
-> The main reason I am not advocating that we always use 2 hops is that
-> in some situations, timing correlation evidence by itself may not be
-> considered as solid and convincing as an actual, uninterrupted, fully
-> traced path. Are these timing attacks as effective on a real network
-> as they are in simulation? Would an extralegal adversary or authoritarian
-> government even care? In the face of these situation-dependent unknowns,
-> it should be up to the user to decide if this is a concern for them or not.
-
-Hrmm.. it should probably also be noted that even a false positive
-rate of 1% for a 200k concurrent-user network could mean that for a
-given node, a given stream could be confused with something like 10
-users, assuming ~200 nodes carry most of the traffic (ie 1000 users
-each). Though of course to really know for sure, someone needs to do
-an attack on a real network, unfortunately.
-
-For this reason this option should instead be represented not as a
-slider, but as a straight boolean value, at least in Vidalia.
-
-Perhaps something like a radiobutton:
-
- * "I use Tor for Censorship Resistance, not Anonymity. Speed is more
- important to me than Anonymity."
- * "I use Tor for Anonymity. I need extra protection at the cost of speed."
-
-and then some explanation in the help for exactly what this means, and
-the risks involved with eliminating the adversary's need for timing attacks
-wrt to false positives, etc.
-
-This radio button can then also be used to toggle Johannes's work,
-should it be discovered that using latency/bandwidth measurements
-gives the adversary some information as to your location or likely
-node choices. Or we can create a series of choices along these lines
-as more load balancing/path choice optimizations are developed.
-
-----
-
-So what does this change mean wrt to the proposal process? Should I
-submit a new proposal? I'm still on the fence if the underlying torrc
-option and Tor implementation should be a coin weight or a fixed
-value, so at this point really all this changes is the proposed
-Vidalia behavior (Vidalia is an imporant part of this proposal,
-because it would be nice to take 33% of the load off the network for
-all users who do not need 3 hops).
-
-
More information about the tor-commits
mailing list