On Wed, Jan 3, 2018 at 7:02 PM, Rusty Bird <[email protected]> wrote:
> Hi!
>
> So, the qid/dispid of a removed VM can be recycled immediately. When
> that happens inside a 10 minute window*, it could break inter-VM Tor
> circuit isolation, which is based on the VMs' IP addresses.
>
> For dispids, a relevant collision happens with ~ n/10000 probability
> (where n is the number of recently removed DispVMs). For qids, which
> are allocated "lowest first", it seems to me that it should be more
> likely to happen in practice (depending on the balance of deleted and
> created VMs). Consider something like the following, where two VMs
> both connect via sys-whonix:
>
> qvm-kill identity1
> qvm-remove identity1
> qvm-create identity2
> qvm-start identity2
>
> Better not rely on circuit isolation between those two identities...
> (As a workaround, the user can create the new VM _before_ removing the
> old VM, if they are aware of this issue.)
>
> Proposal:
>
> Let's keep two lists, recording qids/dispids freed since boot, similar
> to DISPID_STATE_FILE in R3.2. VMCollection's __delitem__() would be
> wrapped in a lock and add the qid/dispid to the lists.
>
> Then get_new_unused_qid/dispid() would acquire the lock and randomly
> choose a new id from the applicable number range that is neither in
> use, nor on the freed list. If this fails, it would expire some old
> entries from the freed list, i.e. the oldest qid or a batch of the
> oldest dispids, and retry.
>
> Does this look okay?
>
> Rusty
>
>
> * Or whatever timeout is configured as tor's MaxCircuitDirtiness
+1

Did this go anywhere?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/CABQWM_DPDPtUkzbo5-ripsC3t9j59oD9BzXuRRx894Bdm-LbYg%40mail.gmail.com.
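The allocator that Rusty's proposal sketches, as an added Python example that is not Qubes code: it does not touch the real VMCollection, get_new_unused_qid() or get_new_unused_dispid(), and the class and function names (QuarantiningIdAllocator, lowest_first, naive_collision, quarantined_collision) are hypothetical. It replays the quoted qvm-kill / qvm-remove / qvm-create sequence against a naive lowest-first allocator, which hands identity1's id straight to identity2, and against a lock-protected allocator that draws a random id outside both the in-use set and the freed-since-boot list, expiring the oldest freed entries (singly for qids, in a batch for dispids) only when the range is exhausted.

```python
import random
import threading
from collections import OrderedDict


def lowest_first(in_use, lo, hi):
    """Naive 'lowest first' allocation: the smallest id not in use.
    A just-removed VM's id is therefore reused by the very next VM created,
    which is the Tor circuit-isolation collision described in the thread."""
    for candidate in range(lo, hi + 1):
        if candidate not in in_use:
            return candidate
    raise RuntimeError("no free ids in range")


class QuarantiningIdAllocator:
    """Hypothetical allocator following the proposal (not Qubes' own code).
    Freed ids are kept on an ordered list (oldest first); a new id is chosen
    at random from the range excluding in-use and freed ids; only when that
    fails are the oldest freed entries expired, then the choice is retried."""

    def __init__(self, lo, hi, expire_batch=1, rng=None):
        self.lo, self.hi = lo, hi
        self.expire_batch = expire_batch          # 1 for qids, a batch for dispids
        self.rng = rng if rng is not None else random.SystemRandom()
        self.lock = threading.Lock()              # guards free() and allocate()
        self.in_use = set()
        self.freed = OrderedDict()                # insertion order == oldest first

    def free(self, vm_id):
        """What VMCollection.__delitem__() would do under the proposal:
        retire the id and append it to the freed list (most recent last)."""
        with self.lock:
            self.in_use.discard(vm_id)
            self.freed.pop(vm_id, None)
            self.freed[vm_id] = None

    def allocate(self):
        """Random id that is neither in use nor recently freed; expire the
        oldest freed entries and retry if the whole range is blocked."""
        with self.lock:
            while True:
                candidates = [i for i in range(self.lo, self.hi + 1)
                              if i not in self.in_use and i not in self.freed]
                if candidates:
                    chosen = self.rng.choice(candidates)
                    self.in_use.add(chosen)
                    return chosen
                if not self.freed:
                    raise RuntimeError("no free ids in range")
                for _ in range(min(self.expire_batch, len(self.freed))):
                    self.freed.popitem(last=False)   # drop the oldest entry


def naive_collision(lo=1, hi=10000, preexisting=4):
    """Replay 'qvm-remove identity1; qvm-create identity2' with lowest-first.
    Returns True when identity2 receives identity1's id (constructed scenario)."""
    in_use = set(range(lo, lo + preexisting))
    identity1 = lowest_first(in_use, lo, hi)
    in_use.add(identity1)
    in_use.remove(identity1)                      # qvm-remove identity1
    identity2 = lowest_first(in_use, lo, hi)      # qvm-create identity2
    return identity1 == identity2


def quarantined_collision(lo=1, hi=10000, preexisting=4, seed=None):
    """Same replay against the quarantining allocator: identity1's id stays
    on the freed list, so identity2 cannot receive it while ids remain."""
    alloc = QuarantiningIdAllocator(lo, hi, rng=random.Random(seed))
    for _ in range(preexisting):
        alloc.allocate()
    identity1 = alloc.allocate()
    alloc.free(identity1)                         # qvm-remove identity1
    identity2 = alloc.allocate()                  # qvm-create identity2
    return identity1 == identity2


if __name__ == "__main__":
    print("lowest-first reuses the id immediately:", naive_collision())
    print("quarantining allocator reuses it:", quarantined_collision(seed=7))
```

Expiry here is driven by range pressure rather than by time, matching the proposal's "freed since boot" lists; the freed list is never consulted against tor's MaxCircuitDirtiness, so an id can only be recycled early when the range is genuinely exhausted. Materialising the candidate list is fine for a dispid range of a few thousand; a production variant could draw random ids with rejection sampling and fall back to the full scan only after repeated misses.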
