[tor-dev] resistance to rubberhose and UDP questions

Roger Dingledine arma at mit.edu
Thu Oct 4 19:06:48 UTC 2012


On Thu, Oct 04, 2012 at 01:50:47PM -0400, Robert Ransom wrote:
> > 18:04 <+eleitl> I wonder why they didn't choose UDP
> 
> Presumably because TCP was easier.

Yep.

> > 18:05 <@cjd> you need to fall back on tcp in case you're firewalled to hell
> > 18:05 <+eleitl> Apparently, they're thinking about it
> >
> > https://blog.torproject.org/blog/moving-tor-datagram-transport
> 
> Yes.  TCP was a bad choice for Tor.

That said, transporting IP packets end-to-end (i.e., having TCP sessions
end-to-end across the network) is likely a bad choice as well. TCP is
designed for a situation where the core pipes have extra capacity, and
the edges are tiny. The Tor network is the opposite: the edges have lots
of capacity, and the core network is overloaded. The result would be tens
(hundreds?) of thousands of TCP streams all in slow-start talking over
each other.

It's hard to win this one.

> Do you have a "P2P design" for Tor which doesn't rely on trusted
> parties "maintaining signing secrets" and which isn't broken?
> (Hint: No, you don't.)
> 
> Do you have any "P2P design" for Tor at all which isn't broken?

For some reading, see
http://freehaven.net/anonbib/#wpes09-dht-attack
and all the papers around it.

> > 18:10 <@cjd> If someone (with government hat?) tells you they can make your
> > life hell...   I wouldn't fault them
> >              for doing what the man says.
> > 18:10 <@cjd> *wouldn't fault you
> > 18:10 <+eleitl> I'll try bugging some Tor developers about that scenario,
> > and see how they squirm.

See also
https://www.torproject.org/docs/faq#KeyManagement
https://gitweb.torproject.org/tor.git/blob/HEAD:/doc/contrib/authority-policy.txt

https://gitweb.torproject.org/tor.git/blob/HEAD:/src/or/config.c#l741

As for who the directory authority operators are, I suggest you attend
one of the Tor developer meetings. I think we have enough diversity that
nobody can roll over silently in a way that damages users.

If somebody wants to hack on
https://metrics.torproject.org/consensus-health.html
to make it better at noticing anomalies, please do.

> > 18:11 <+eleitl> Also, the UDP connection thing.
> > 18:11 <@cjd> You can "stack" your circuit setup packets if you're using UDP
> > 18:11 <@cjd> stack -> all headers in the same packet
> > 18:12 <@cjd> cjdns does the same thing
> 
> If this refers to including the circuit-extension packet which caused
> a relay to open an OR connection in the first UDP packet that it sends
> in order to open that connection, I agree that that would be a good
> thing to do, although mostly for reasons that cjd isn't mentioning.
> 
> If this refers to setting up a complete three-node Tor circuit with
> only one outgoing packet sent by the client, that can be implemented
> without a UDP-based transport (and early versions of Tor did implement
> it).

I think http://freehaven.net/anonbib/#sphinx-onion-fc10 is a good
introduction to this topic.

--Roger


