[tor-dev] Proposal 315: Updating the list of fields required in directory documents
teor
teor at riseup.net
Thu Apr 23 21:26:38 UTC 2020
Hi Nick,
This proposal is missing the "bridge" case.
Bridges are more complicated, because we have at least
3 kinds of bridges:
* bridges distributed by BridgeDB
* bridges distributed with apps (such as Tor Browser)
* private bridges
Bridge option transitions are also more complicated, because clients
download bridge descriptors directly from their configured bridges.
T
> On 24 Apr 2020, at 00:45, Nick Mathewson <nickm at torproject.org> wrote:
>
> Filename: 315-update-dir-required-fields.txt
> Title: Updating the list of fields required in directory documents
> Author: Nick Mathewson
> Created: 23 April 2020
> Status: Open
>
> 1. Introduction
>
> When we add a new field to a directory document, we must at first
> describe it as "optional", since older Tor implementations will
> not generate it. When those implementations are obsolete and
> unsupported, however, we can safely describe those fields as
> "required", since they are always included in practice.
>
> Making fields required is not just a matter of bookkeeping: it
> helps prevent bugs in two ways. First, it simplifies our code.
> Second, it makes our code's requirements match our assumptions
> about the network.
>
> Here I'll describe a general policy for making fields required
> when LTS versions become unsupported, and include a list of
> fields that should become required today.
>
> This document does not require to us to make all optional fields
> required -- only those which we intend that all Tor instances
> should always generate and expect.
>
> When we speak of making a field "required", we are talking about
> describing it as "required" in dir-spec.txt, so that any document
> missing that field is no longer considered well-formed.
>
> 2. When fields should become required
>
> We have three relevant kinds of directory documents: those
> generated by relays, those generated by authorities, and those
> generated by onion services.
>
> Relays generate extrainfo documents and routerdesc documents.
> For these, we can safely make a field required when it is always
> generated by all relay versions that the authorities allow to
> join the network. To avoid partitioning, authorities should
> start requiring the field before any relays or clients do.
>
> (If a relay field indicates the presence of a now-required
> feature, then instead of making the field mandatory, we may
> change the semantics so that the field is assumed to be
> present. Later we can remove the option.)
>
> Authorities generate authority certificates, votes, consensus
> documents, and microdescriptors. For these, we can safely make a
> field required once all authorities are generating it, and we are
> confident that we do not plan to downgrade those authorities.
>
> Onion services generate service descriptors. Because of the risk
> of partitioning attacks, we should not make features in service
> descriptors required without a phased process, described in the
> following section.
>
> 2.1. Phased addition of onion service descriptor changes
>
> Phase one: we add client and service support for the new field,
> but have this support disabled by default. By default, services
> should not generate the new field, and clients should not parse
> it when it is present. This behavior is controlled by a pair of
> network parameters. (If the feature is at all complex, the
> network parameters should describe a _minimum version_ that
> should enable the feature, so that we can later enable it only in
> the versions where the feature is not buggy.)
>
> During this phase, we can manually override the defaults on
> particular clients and services to test the new field.
>
> Phase two: authorities use the network parameters to enable the
> client support and the service support. They should only do this
> once enough clients and services have upgraded to a version that
> supports the feature.
>
> Phase three: once all versions that support the feature are
> obsolete and unsupported, the feature may be marked as required
> in the specifications, and the network parameters ignored.
>
> Phase four: once all versions that used the network parameters
> are obsolete and unsupported, authorities may stop including
> those parameters in their votes.
>
> 3. Directory fields that should become required.
>
> These fields in router descriptors should become required:
> * identity-ed25519
> * master-key-ed25519
> * onion-key-crosscert
> * ntor-onion-key
> * ntor-onion-key-crosscert
> * router-sig-ed25519
> * proto
>
> These fields in router descriptors should become "assumed present":
> * hidden-service-dir
>
> These fields in extra-info documents should become required:
> * identity-ed25519
> * router-sig-ed25519
>
> The following fields in microdescriptors should become
> required:
> * ntor-onion-key
>
> The following fields in votes and consensus documents should
> become required:
> * pr
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
More information about the tor-dev
mailing list