[tor-commits] [torspec/master] actually add proposal 245
nickm at torproject.org
nickm at torproject.org
Mon Jun 8 15:22:09 UTC 2015
commit 3605bcf15635a9a5a7f034887944091514f70ee8
Author: Nick Mathewson <nickm at torproject.org>
Date: Mon Jun 8 11:21:57 2015 -0400
actually add proposal 245
---
proposals/245-tap-out.txt | 96 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 96 insertions(+)
diff --git a/proposals/245-tap-out.txt b/proposals/245-tap-out.txt
new file mode 100644
index 0000000..27d73ab
--- /dev/null
+++ b/proposals/245-tap-out.txt
@@ -0,0 +1,96 @@
+Filename: 245-tap-out.txt
+Title: Deprecating and removing the TAP circuit extension protocol
+Author: Nick Mathewson
+Created: 2015-06-02
+Status: Draft
+
+0. Introduction
+
+ This proposal describes a series of steps necessary for deprecating
+ TAP without breaking functionality.
+
+ TAP is the original protocol for one-way authenticated key negotiation
+ used by Tor. Before Tor version 0.2.4, it was the only supported
+ protocol. Its key length is unpleasantly short, however, and it had
+ some design warts. Moreover, it had no name, until Ian Goldberg wrote
+ a paper about the design warts.
+
+ Why deprecate and remove it? Because ntor is better in basically
+ every way. It's actually got a proper security proof, the key
+ strength seems to be 20th-century secure, and so on. Meanwhile, TAP
+ is lingering as a zombie, taking up space in descriptors and
+ microdescriptors.
+
+1. TAP is still in (limited) use today for hidden service hops.
+
+ The original hidden service protocol only describes a way to tell
+ clients and servers about an introduction point's or a rendezvous
+ point's TAP onion key.
+
+ We can do a bit better (see section 4), but we can't break TAP
+ completely until current clients and hidden services are obsolete.
+
+2. The step-by-step process.
+
+ Step 1. Adjust the parsing algorithm for descriptors and microdescriptors
+ on servers so that it accepts MDs without a TAP key. See section 3 below.
+ Target: 0.2.7.
+
+ Step 1b. Optionally, when connecting to a known IP/RP, extend by ntor.
+ (See section 4 below.)
+
+ Step 2. Wait until proposal 224 is implemented. (Clients and hidden
+ services implementing 224 won't need TAP for anything.)
+
+ Step 3. Begin throttling TAP answers even more aggressively at relays.
+ Target: prop224 is stable.
+
+ Step 4. Wait until all versions of Tor without prop224 support are
+ obsolete/deprecated.
+
+ Step 5. Stop generating TAP keys; stop answering TAP requests; stop
+ advertising TAP keys in descriptors; stop including them in
+ microdescriptors.
+ Target: prop224 has been stable for 12-18 months, and 0.2.7 has been stable
+ for 2-3 years.
+
+
+3. Accepting descriptors without TAP keys. (Step 1)
+
+ Our microdescriptor parsing code uses the string "onion-key" at the
+ start of the line to identify the boundary between microdescriptors,
+ so we can't remove it entirely. Instead, we will make the body
+ optional.
+
+ We will make the following changes to dir-spec:
+
+ - In router descriptors, make the onion-key field "at most once"
+ instead of "exactly once."
+
+ - In microdescriptors, make the body of "onion-key" optional.
+
+ Until Step 4, authorities MUST still reject any descriptor without a
+ TAP key.
+
+ If we do step 1 before proposal 224 is implemented, we'll need to make
+ sure that we never choose a relay without a TAP key as an introduction
+ point or a rendezvous point.
+
+4. Avoiding TAP earlier for HS usage (Step 1b)
+
+ We could begin to move more circuits off TAP now by adjusting our
+ behavior for extending circuits to Introduction Points and Rendezvous
+ Points. The new rule would be:
+
+ If you've been told to extend to an IP/RP, and you know a directory
+ entry for that relay (matching by identity), you extend using the
+ node_t you have instead.
+
+ This would improve cryptographic security a bit, at the expense of
+ making it possible to probe for whether a given hidden service has an
+ up-to-date consensus or not, and learn whether each client has an
+ up-to-date consensus or not. We need to figure out whether that
+ enables an attack.
+
+ (For reference, the functions to patch would be
+ rend_client_get_random_intro_impl and find_rp_for_intro.)
More information about the tor-commits
mailing list