Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  task | Status:  closed
 Priority:  High |  Milestone:  Tor:
 |  0.3.0.x-final
Component:  Core Tor/Tor |Version:  Tor:
 |  0.2.7
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tor-guard, TorCoreTeam201608,|  Actual Points:
  028-triaged, mike-can, prop259, tor-guards-|
  revamp, TorCoreTeam201612  |
Parent ID:   | Points:  3
 Reviewer:   |Sponsor:
 |  SponsorU-must
-+-
Changes (by nickm):

 * status:  assigned => closed
 * resolution:   => fixed


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  task | Status:
 |  assigned
 Priority:  High |  Milestone:  Tor:
 |  0.3.0.x-final
Component:  Core Tor/Tor |Version:  Tor:
 |  0.2.7
 Severity:  Normal   | Resolution:
 Keywords:  tor-guard, TorCoreTeam201608,|  Actual Points:
  028-triaged, mike-can, prop259, tor-guards-|
  revamp, TorCoreTeam201612  |
Parent ID:   | Points:  3
 Reviewer:   |Sponsor:
 |  SponsorU-must
-+-
Changes (by nickm):

 * type:  defect => task


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  defect   | Status:
 |  assigned
 Priority:  High |  Milestone:  Tor:
 |  0.2.9.x-final
Component:  Core Tor/Tor |Version:  Tor:
 |  0.2.7
 Severity:  Normal   | Resolution:
 Keywords:  tor-guard, TorCoreTeam201608,|  Actual Points:
  028-triaged, mike-can, prop259, tor-guards-|
  revamp |
Parent ID:   | Points:  3
 Reviewer:   |Sponsor:
 |  SponsorU-must
-+-
Changes (by asn):

 * keywords:
 tor-guard, TorCoreTeam201606, 028-triaged, mike-can, prop259, tor-
 guards-revamp
 =>
 tor-guard, TorCoreTeam201608, 028-triaged, mike-can, prop259, tor-
 guards-revamp


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  defect   | Status:
 Priority:  High |  assigned
Component:  Core Tor/Tor |  Milestone:  Tor:
 Severity:  Normal   |  0.2.9.x-final
 Keywords:  tor-guard, TorCoreTeam201606,|Version:  Tor:
  028-triaged, mike-can, prop259, tor-guards-|  0.2.7
  revamp | Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:  3
 |Sponsor:
 |  SponsorU-must
-+-
Changes (by asn):

 * cc: andrea, yawning (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  defect   | Status:
 Priority:  High |  assigned
Component:  Core Tor/Tor |  Milestone:  Tor:
 Severity:  Normal   |  0.2.9.x-final
 Keywords:  tor-guard, TorCoreTeam201606,|Version:  Tor:
  028-triaged, mike-can, prop259, tor-guards-|  0.2.7
  revamp | Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:  3
 |Sponsor:
 |  SponsorU-must
-+-

Comment (by asn):

 Replying to [comment:40 nickm]:
 > Proposal 271 now exists.  I think we can start breaking it down to
 implement.

 And here is an initial implementation plan for prop271:
 https://lists.torproject.org/pipermail/tor-dev/2016-July/011234.html

 If someone does a basic sanity check on the implementation plan, I can try
 splitting it in tickets or sth.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  defect   | Status:
 Priority:  High |  assigned
Component:  Core Tor/Tor |  Milestone:  Tor:
 Severity:  Normal   |  0.2.9.x-final
 Keywords:  tor-guard, TorCoreTeam201606,|Version:  Tor:
  028-triaged, mike-can, prop259, tor-guards-|  0.2.7
  revamp | Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:  3
 |Sponsor:
 |  SponsorU-must
-+-

Comment (by nickm):

 Proposal 271 now exists.  I think we can start breaking it down to
 implement.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  defect   | Status:
 Priority:  High |  assigned
Component:  Core Tor/Tor |  Milestone:  Tor:
 Severity:  Normal   |  0.2.9.x-final
 Keywords:  tor-guard, TorCoreTeam201606,|Version:  Tor:
  028-triaged, mike-can, prop259, tor-guards-|  0.2.7
  revamp | Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:  3
 |Sponsor:
 |  SponsorU-must
-+-
Changes (by U+039b):

 * cc: *@… (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  defect   | Status:
 Priority:  High |  assigned
Component:  Core Tor/Tor |  Milestone:  Tor:
 Severity:  Normal   |  0.2.9.x-final
 Keywords:  tor-guard, TorCoreTeam201606,|Version:  Tor:
  028-triaged, mike-can, prop259, tor-guards-|  0.2.7
  revamp | Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:  3
 |Sponsor:
 |  SponsorU-must
-+-

Comment (by asn):

 [Please see ticket #19364 about implementing the outcome of this ticket in
 little-t-tor]

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  defect   | Status:
 Priority:  High |  assigned
Component:  Core Tor/Tor |  Milestone:  Tor:
 Severity:  Normal   |  0.2.9.x-final
 Keywords:  tor-guard, TorCoreTeam201606,|Version:  Tor:
  028-triaged, mike-can, prop259, tor-guards-|  0.2.7
  revamp | Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:  3
 |Sponsor:
 |  SponsorU-must
-+-

Comment (by asn):

 Hello. Here is a small status report on this project.

 Let me first mention the main problems of the current Tor guard algorithm
 that proposal 259 tries to address:

   '''ISSUE1''': The current Tor guard algorithm will attempt to connect to
 an infinite number of guards given enough time. This is a security issue,
 since a LAN adversary can firewall a Tor user until Tor eventually
 connects to an adversary-controlled entry guard. In prop259, we enforce an
 upper bound on the number of guards that Tor will ever attempt to connect
 to (a la prop241).

   '''ISSUE2''': There are various edge cases and race conditions where Tor
 will think that some guards are down, and connect to lower priority
 guards, even though the ones on the top are still up (e.g. bug #12450).
 While it's very hard to fix all these edge cases, proposal 259 aims to
 minimize the time Tor will spend connected to lower priority guards.

   '''ISSUE3''': The current Tor guard algorithm is completely unspecified
 and undocumented, making it very hard to fix issues and design
 improvements. With prop259 we aim to provide a proper algorithm
 specification (i.e. a documented state machine) that in the future could
 be modded to include various improvements (firewall heuristics, etc.). See
 [0] for a brief algorithm description.

   The idea was also to produce clean, isolated and tested code that can be
 reused and extended with ease in the future (e.g. to do multiple layers of
 guards a la prop247).  The current entry guard code is spaggheti and
 spewed all over the codebase.


 

 == State of prop259 ==

 You can find the latest version of proposal 259
 [https://github.com/twstrike/torspec/blob/review/proposals/259-guard-
 selection.txt here], and the thoughtworks crew
 [https://github.com/twstrike/tor_for_patching/tree/prop259 has already
 implemented a PoC of it in the Tor codebase].

 There is also [https://github.com/twstrike/tor_guardsim a Python
 simulation of prop259], but I'm not sure what's its current state relative
 to the prop259 spec and the little-t-tor implementation. Ola and Reinaldo
 showed me some graphs of it in Valencia, that looked about what you would
 expect.


 That said, IMO, both the design and the implementation need heavy
 improvements before we consider them for inclusion in our codebase:

 The main problem with the prop259 design right now, is that the algorithm
 was not designed to support multiple parallel invocations of it, which is
 exactly what Tor does (multiple circuits can pick guards at the same
 time). This causes problems like "Prop259 algorithm invocation #2 does not
 learn the guard reachability information that invocation #1 knows, and has
 to try the same dead guards again".

 It is my understanding that when the thoughtworks crew realized the above
 issue, they slightly changed the design such that one invocation of the
 algorithm can support multiple circuit creations. However, I feel this was
 done in a kludgy way on the implementation side. I feel that instead, the
 right way forward would be to refactor the state machine to support this
 usage model.

 IMO, this is the main actual design change that needs to be done to the
 algorithm. Also, the spec needs to be cleaned and simplified a bit
 (because it got edited multiple times by multiple people and there are
 ugly artifacts around), and some constants/states should be renamed to
 better names. I feel that fixing these issues properly should take about
 2-4 days of thinking time.

 I have not looked too deep
 [https://github.com/twstrike/tor_for_patching/tree/prop259 at the
 implementation], but it seems like it's indeed implementing some version
 of proposal 259. The code is workable, but it's also undocumented in
 parts, and it also uses some non-standard coding idioms that we would need
 to fix. Fortunately, the state machine is well tested, and it seems to
 work without crashing on my system. I feel that if we 

Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  defect   | Status:
 Priority:  High |  assigned
Component:  Core Tor/Tor |  Milestone:  Tor:
 Severity:  Normal   |  0.2.9.x-final
 Keywords:  tor-guard, TorCoreTeam201606,|Version:  Tor:
  028-triaged, mike-can, prop259, tor-guards-|  0.2.7
  revamp | Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:  3
 |Sponsor:
 |  SponsorU-must
-+-
Changes (by asn):

 * keywords:
 tor-guard, TorCoreTeam201605, 028-triaged, mike-can, prop259, tor-
 guards-revamp
 =>
 tor-guard, TorCoreTeam201606, 028-triaged, mike-can, prop259, tor-
 guards-revamp


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12595 [Core Tor/Tor]: Finalize design for improved guard-node behavior

[Tor Bug Tracker & Wiki]

#12595: Finalize design for improved guard-node behavior
-+-
 Reporter:  asn  |  Owner:  asn
 Type:  defect   | Status:
 Priority:  High |  assigned
Component:  Core Tor/Tor |  Milestone:  Tor:
 Severity:  Normal   |  0.2.9.x-final
 Keywords:  tor-guard, TorCoreTeam201605,|Version:  Tor:
  028-triaged, mike-can, prop259, tor-guards-|  0.2.7
  revamp | Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:  medium
 |Sponsor:
 |  SponsorU-must
-+-
Changes (by asn):

 * keywords:
 tor-guard, TorCoreTeam201604, 028-triaged, mike-can, prop259, tor-
 guards-revamp
 =>
 tor-guard, TorCoreTeam201605, 028-triaged, mike-can, prop259, tor-
 guards-revamp


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs