diff options
author | Roger Dingledine <arma@torproject.org> | 2008-05-27 18:58:05 +0000 |
---|---|---|
committer | Roger Dingledine <arma@torproject.org> | 2008-05-27 18:58:05 +0000 |
commit | ef28919ff07f89a30c5237a732324bdc13801255 (patch) | |
tree | 182b24b57fd9142c19f021065b899e062ce85a6a | |
parent | 376b8a573d98b807d5e8281939d61a84b893009c (diff) | |
download | tor-ef28919ff07f89a30c5237a732324bdc13801255.tar.gz tor-ef28919ff07f89a30c5237a732324bdc13801255.zip |
discard the old TODO file, so people don't read it (or worse, write it).
svn:r14748
-rw-r--r-- | doc/TODO | 567 |
1 files changed, 2 insertions, 565 deletions
@@ -1,567 +1,4 @@ -$Id$ -Legend: -SPEC!! - Not specified -SPEC - Spec not finalized -N - nick claims -R - arma claims -P - phobos claims -S - Steven claims -M - Matt/Mike claims -J - Jeff claims -I - ioerror claims - - Not done - * Top priority - . Partially done - o Done - d Deferrable - D Deferred - X Abandoned -======================================================================= - -For Tor 0.2.0.x-rc: -R - Figure out the autoconf problem with adding a fallback consensus. -R - add a geoip file -W - figure out license -R - let bridges set relaybandwidthrate as low as 5kb -R - bug: if we launch using bridges, and then stop using bridges, we - still have our bridges in our entryguards section, and may use them. - . make it easier to set up a private tor network on your own computer - is very hard. -R . FAQ entry which is wrong - o Make BEGIN_DIR mandatory for asking questions of bridge authorities? - (but only for bridge descriptors. not for ordinary cache stuff.) - o Implement connection_dir_is_encrypted(). - o set up a filter to not answer any bridge descriptors on a - non-encrypted request - o write a tor-gencert man page - -N . geoip caching and publishing for bridges - d Track consecutive time up, not time since last-forgotten IP. - - Mention in dir-spec.txt - - Mention in control-spec.txt - D have normal relays report geoip stats too. - D different thresholds for bridges than for normal relays. - o bridge relays round geoip stats *up*, not down. -R - bridge communities - . spec - . deploy - - man page entries for Alternate*Authority config options - -Things we'd like to do in 0.2.0.x: - o if we notice a cached-status directory and we're not serving v2 dir - info and it's old enough, delete it. - o same with cached-routers*. -N - document the "3/4 and 7/8" business in the clients fetching consensus - documents timeline. -R - then document the bridge user download timeline. - -N - Before the feature freeze: - - 105+TLS, if possible. - . TLS backend work - . Enable. - - Test - o Verify version negotiation on client - o Verify version negotiation on server - o Verify that client->server connection becomes open - - Verify that server->server connection becomes open and - authenticated. - - Verify that initiator sends no cert in first stage of TLS - handshake. - - NETINFO fallout - - Don't extend a circuit over a noncanonical connection with - mismatched address. - - Learn our outgoing IP address from netinfo cells? - - - Bugs. - - Bug reports Roger has heard along the way that don't have enough - details/attention to solve them yet. - - arma noticed that when his network went away and he tried - a new guard node and the connect() syscall failed to it, - the guard wasn't being marked as down. 0.2.0.x. - - after being without network for 12 hours, arma's tor decided - it couldn't fetch any network statuses, and never tried again - even when the network came back and arma clicked on things. - also 0.2.0. -R - for above two, roger should turn them into flyspray entry. - - - Proposals: - o 101: Voting on the Tor Directory System (plus 103) -N - Use if-modified-since on consensus download - - Controller support - D GETINFO to get consensus -N - Event when new consensus arrives - . 111: Prioritize local traffic over relayed. -R - Merge into tor-spec.txt. - - - Refactoring: - . Make cells get buffered on circuit, not on the or_conn. - . Switch to pool-allocation for cells? -N - Benchmark pool-allocation vs straightforward malloc. -N - Adjust memory allocation logic in pools to favor a little less - slack memory. - . Remove socketpair-based bridges conns, and the word "bridge". (Use - shared (or connected) buffers for communication, rather than sockets.) - . Implement -N - Handle rate-limiting on directory writes to linked directory - connections in a more sensible manner. - Nick thinks he did this already? -N - Find more ways to test this. - (moria doesn't rate limit, so testing on moria not so good.) - - - Documentation - - HOWTO for DNSPort. See tup's wiki page. - . Document transport and natdport in a good HOWTO. -N - Quietly document NT Service options: revise (or create) FAQ entry - -R - make sure you solved bug 556 - -P - Make documentation realize that location of system configuration file - will depend on location of system defaults, and isn't always /etc/torrc. -P - Figure out why dll's compiled in mingw don't work right in WinXP. -P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle - -======================================================================= - -Planned for 0.2.1.x: - - Things that have been bugging Nick - - Make better use of multi-core machines: Do AES crypto and - compression in worker threads - - Maybe use jemalloc from freebsd via firefox 3, once its windows - and osx ports are more mature. - - MMap the cached-descriptors.new file as well as the regular ones - - Actually use SSL_shutdown to close our TLS connections. - - Refactor the HTTP logic so the functions aren't so large. - - Get a "use less buffer ram" patch into openssl. - - Get IOCP patch into libevent - - Use libevent's evdns code where applicable. - - Refactor buf_read and buf_write to have sensible ways to return - error codes after partial writes - - Improve unit test coverage - - Logging domains. - - - bridge communities with local bridge authorities: - - clients who have a password configured decide to ask their bridge - authority for a networkstatus - - be able to have bridges that aren't in your torrc. save them in - state file, etc. - - router_choose_random_node() has a big pile of args. make it "flags". - - Consider if we can solve: the Tor client doesn't know what flags - its bridge has (since it only gets the descriptor), so it can't - make decisions based on Fast or Stable. - - anonymity concern: since our is-consensus-fresh-enough check is - sloppy so clients will actually work when a consensus wasn't formed, - does that mean that if users are idle for 5 hours and then click on - something, we will immediately use the old descriptors we've got, - while we try fetching the newer descriptors? - related to bug 401. - . Finish path-spec.txt - - More prominently, we should have a recommended apps list. - - recommend pidgin (gaim is renamed) - - unrecommend IE because of ftp:// bug. - - we should add a preamble to tor-design saying it's out of date. - - Refactor networkstatus generation: - - Include "v" line in getinfo values. - - config option __ControllerLimit that hangs up if there are a limit - of controller connections already. - - Features (other than bridges): - - Audit how much RAM we're using for buffers and cell pools; try to - trim down a lot. - - Base relative control socket paths on datadir. - - Make TrackHostExits expire TrackHostExitsExpire seconds after their - *last* use, not their *first* use. -P - Plan a switch to polipo. Perhaps we'll offer two http proxies in - the future. -P - Consider creating special Tor-Polipo-Vidalia test packages, - requested by Dmitri Vitalev - - Create packages for Nokia 800, requested by Chris Soghoian - - mirror tor downloads on (via) tor dir caches - . spec - - deploy - - interface for letting soat modify flags that authorities assign - . spec - - proposal 118 if feasible and obvious - - Maintain a skew estimate and use ftime consistently. - - Tor logs the libevent version on startup, for debugging purposes. - This is great. But it does this before configuring the logs, so - it only goes to stdout and is then lost. - - Deprecations: - - can we deprecate 'getinfo network-status'? - - can we deprecate the FastFirstHopPK config option? - - Bridges: - . Bridges users (rudimentary version) - . Ask all directory questions to bridge via BEGIN_DIR. - - use the bridges for dir fetches even when our dirport is open. - - drop 'authority' queries if they're to our own identity key; accept - them otherwise. - - give extend_info_t a router_purpose again - d Limit to 2 dir, 2 OR, N SOCKS connections per IP. - - Or maybe close connections from same IP when we get a lot from one. - - Or maybe block IPs that connect too many times at once. - - Do TLS connection rotation more often than "once a week" in the - extra-stable case. - - Streamline how we pick entry nodes: Make choose_random_entry() have - less magic and less control logic. - - when somebody uses the controlport as an http proxy, give them - a "tor isn't an http proxy" error too like we do for the socks port. - - we try to build 4 test circuits to break them over different - servers. but sometimes our entry node is the same for multiple - test circuits. this defeats the point. - - enforce a lower limit on MaxCircuitDirtiness and CircuitBuildTimeout. - - configurable timestamp granularity. defaults to 'seconds'. - - consider making 'safelogging' extend to info-level logs too. - - we should consider a single config option TorPrivateNetwork that - turns on all the config options for running a private test tor - network. having to keep updating all the tools, and the docs, - just isn't working. - - consider whether a single Guard flag lets us distinguish between - "was good enough to be a guard when we picked it" and "is still - adequate to be used as a guard even after we've picked it". We should - write a real proposal for this. - - switch out privoxy in the bundles and replace it with polipo. - - make the new tls handshake blocking-resistant. - - figure out some way to collect feedback about what countries are using - bridges, in a way that doesn't screw anonymity too much. - - let tor dir mirrors proxy connections to the tor download site, so - if you know a bridge you can fetch the tor software. - - more strategies for distributing bridge addresses in a way that - doesn't rely on knowing somebody who runs a bridge for you. - - A way to adjust router status flags from the controller. (How do we - prevent the authority from clobbering them soon afterward?) - - Bridge authorities should do reachability testing but only on the - purpose==bridge descriptors they have. - - Clients should estimate their skew as median of skew from servers - over last N seconds. - - Investigate RAM use in Tor servers. - - Start on the WSAENOBUFS solution. - - Start on Windows auto-update for Tor - -Deferred from 0.2.0.x: - - Proposals - - 113: Simplifying directory authority administration - - 110: prevent infinite-length circuits (phase one) - - 118: Listen on and advertise multiple ports: - - Tor should be able to have a pool of outgoing IP addresses that it is - able to rotate through. (maybe. Possible overlap with proposal 118.) - - config option to publish what ports you listen on, beyond - ORPort/DirPort. It should support ranges and bit prefixes (?) too. - (This is very similar to proposal 118.) - - 117: IPv6 Exits - - Internal code support for ipv6: - o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist. - - Most address variables need to become tor_addr_t - - Teach resolving code how to handle ipv6. - - Teach exit policies about ipv6 (consider ipv4/ipv6 interaction!) - - Features - - Let controller set router flags for authority to transmit, and for - client to use. - - add an 'exit-address' line in the descriptor for servers that exit - from something that isn't their published address. - - More work on AvoidDiskWrites? - - Features - - Make a TCP DNSPort - - Protocol work - - MAYBE kill stalled circuits rather than stalled connections. This is - possible thanks to cell queues, but we need to consider the anonymity - implications. - - Implement TLS shutdown properly when possible. - - Bugs - - If the client's clock is too far in the past, it will drop (or just not - try to get) descriptors, so it'll never build circuits. - - Refactoring - - Make resolves no longer use edge_connection_t unless they are actually - _on_ a socks connection: have edge_connection_t and (say) - dns_request_t both extend an edge_stream_t, and have p_streams and - n_streams both be linked lists of edge_stream_t. - - Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the - online config documentation from a single source. - - Move all status info out of routerinfo into local_routerstatus. Make - "who can change what" in local_routerstatus explicit. Make - local_routerstatus (or equivalent) subsume all places to go for "what - router is this?" - - Blocking/scanning-resistance - - It would be potentially helpful to respond to https requests on - the OR port by acting like an HTTPS server. - - Do we want to maintain our own set of entryguards that we use as - next hop after the bridge? Open research question; let's say no - for 0.2.0 unless we learn otherwise. - - Some mechanism for specifying that we want to stop using a cached - bridge. - - Build: - - Detect correct version of libraries from autoconf script. - -======================================================================= - -Future versions: - - deprecate router_digest_is_trusted_dir() in favor of - router_get_trusteddirserver_by_digest() - - - See also Flyspray tasks. - - See also all OPEN/ACCEPTED proposals. - - See also all items marked XXXX and FFFF in the code. - - - Protocol: - - Our current approach to block attempts to use Tor as a single-hop proxy - is pretty lame; we should get a better one. - - Allow small cells and large cells on the same network? - - Cell buffering and resending. This will allow us to handle broken - circuits as long as the endpoints don't break, plus will allow - connection (tls session key) rotation. - - Implement Morphmix, so we can compare its behavior, complexity, - etc. But see paper breaking morphmix. - - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own - link crypto, unless we can bully DTLS into it. - - Need a relay teardown cell, separate from one-way ends. - (Pending a user who needs this) - - Handle half-open connections: right now we don't support all TCP - streams, at least according to the protocol. But we handle all that - we've seen in the wild. - (Pending a user who needs this) - - - Directory system - - BEGIN_DIR items - X turn the received socks addr:port into a digest for setting .exit - - handle connect-dir streams that don't have a chosen_exit_name set. - - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8? - - Add an option (related to AvoidDiskWrites) to disable directory - caching. (Is this actually a good idea??) - - Add d64 and fp64 along-side d and fp so people can paste status - entries into a url. since + is a valid base64 char, only allow one - at a time. Consider adding to controller as well. - - Some back-out mechanism for auto-approval on authorities - - a way of rolling back approvals to before a timestamp - - Consider minion-like fingerprint file/log combination. - - Have new people be in limbo and need to demonstrate usefulness - before we approve them. - - - Hidden services: - - Standby/hotswap/redundant hidden services. - . Update the hidden service stuff for the new dir approach. (Much - of this will be superseded by 114.) - - switch to an ascii format, maybe sexpr? - - authdirservers publish blobs of them. - - other authdirservers fetch these blobs. - - hidserv people have the option of not uploading their blobs. - - you can insert a blob via the controller. - - and there's some amount of backwards compatibility. - - teach clients, intro points, and hidservs about auth mechanisms. - - come up with a few more auth mechanisms. - - auth mechanisms to let hidden service midpoint and responder filter - connection requests. - - Let each hidden service (or other thing) specify its own - OutboundBindAddress? - - Hidserv offerers shouldn't need to define a SocksPort - - - Server operation - X When we notice a 'Rejected: There is already a named server with - this nickname' message... or maybe instead when we see in the - networkstatuses that somebody else is Named with the name we - want: warn the user, send a STATUS_SERVER message, and fall back - to unnamed. - - If the server is spewing complaints about raising your ulimit -n, - we should add a note about this to the server descriptor so other - people can notice too. - - When we hit a funny error from a dir request (eg 403 forbidden), - but tor is working and happy otherwise, and we haven't seen many - such errors recently, then don't warn about it. - - - Controller - - Implement missing status events and accompanying getinfos - - DIR_REACHABLE - - BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind - a firewall.) - - BAD_PROXY (Bad http or https proxy) - - UNRECOGNIZED_ROUTER (a nickname we asked for is unavailable) - - Status events related to hibernation - - something about failing to parse our address? - from resolve_my_address() in config.c - - sketchy OS, sketchy threading - - too many onions queued: threading problems or slow CPU? - - Implement missing status event fields: - - TIMEOUT on CHECKING_REACHABILITY - - GETINFO status/client, status/server, status/general: There should be - some way to learn which status events are currently "in effect." - We should specify which these are, what format they appear in, and so - on. - - More information in events: - - Include bandwidth breakdown by conn->type in BW events. - - Change circuit status events to give more details, like purpose, - whether they're internal, when they become dirty, when they become - too dirty for further circuits, etc. - - Change stream status events analogously. - - Expose more information via getinfo: - - import and export rendezvous descriptors - - Review all static fields for additional candidates - - Allow EXTENDCIRCUIT to unknown server. - - We need some way to adjust server status, and to tell tor not to - download directories/network-status, and a way to force a download. - - Make everything work with hidden services - - - Performance/resources - - per-conn write buckets - - separate config options for read vs write limiting - (It's hard to support read > write, since we need better - congestion control to avoid overfull buffers there. So, - defer the whole thing.) - - Look into pulling serverdescs off buffers as they arrive. - - Rate limit exit connections to a given destination -- this helps - us play nice with websites when Tor users want to crawl them; it - also introduces DoS opportunities. - - Consider truncating rather than destroying failed circuits, - in order to save the effort of restarting. There are security - issues here that need thinking, though. - - Handle full buffers without totally borking - - Rate-limit OR and directory connections overall and per-IP and - maybe per subnet. - - - Misc - - Hold-open-until-flushed now works by accident; it should work by - design. - - Display the reasons in 'destroy' and 'truncated' cells under - some circumstances? - - Make router_is_general_exit() a bit smarter once we're sure what - it's for. - - Automatically determine what ports are reachable and start using - those, if circuits aren't working and it's a pattern we - recognize ("port 443 worked once and port 9001 keeps not - working"). - - - Security - - some better fix for bug #516? - - don't do dns hijacking tests if we're reject *:* exit policy? - (deferred until 0.1.1.x is less common) - - Directory guards - - Mini-SoaT: - - Servers might check certs for known-good ssl websites, and if - they come back self-signed, declare themselves to be - non-exits. Similar to how we test for broken/evil dns now. - - Authorities should try using exits for http to connect to some - URLS (specified in a configuration file, so as not to make the - List Of Things Not To Censor completely obvious) and ask them - for results. Exits that don't give good answers should have - the BadExit flag set. - - Alternatively, authorities should be able to import opinions - from Snakes on a Tor. - - More consistent error checking in router_parse_entry_from_string(). - I can say "banana" as my bandwidthcapacity, and it won't even squeak. - - Bind to random port when making outgoing connections to Tor servers, - to reduce remote sniping attacks. - - Audit everything to make sure rend and intro points are just as - likely to be us as not. - - Do something to prevent spurious EXTEND cells from making - middleman nodes connect all over. Rate-limit failed - connections, perhaps? - - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion. - - - Needs thinking - - Now that we're avoiding exits when picking non-exit positions, - we need to consider how to pick nodes for internal circuits. If - we avoid exits for all positions, we skew the load balancing. If - we accept exits for all positions, we leak whether it's an - internal circuit at every step. If we accept exits only at the - last hop, we reintroduce Lasse's attacks from the Oakland paper. - - - Windows server usability - - Solve the ENOBUFS problem. - - make tor's use of openssl operate on buffers rather than sockets, - so we can make use of libevent's buffer paradigm once it has one. - - make tor's use of libevent tolerate either the socket or the - buffer paradigm; includes unifying the functions in connect.c. - - We need a getrlimit equivalent on Windows so we can reserve some - file descriptors for saving files, etc. Otherwise we'll trigger - asserts when we're out of file descriptors and crash. - - Merge code from Urz into libevent - - Make Tor use evbuffers. - - - Documentation - - a way to generate the website diagrams from source, so we can - translate them as utf-8 text rather than with gimp. (svg? or - imagemagick?) - . Flesh out options_description array in src/or/config.c - . multiple sample torrc files - . figure out how to make nt service stuff work? - . Document it. - - Refactor tor man page to divide generally useful options from - less useful ones? - - Add a doxygen style checker to make check-spaces so nick doesn't drift - too far from arma's undocumented styleguide. Also, document that - styleguide in HACKING. (See r9634 for example.) - - exactly one space at beginning and at end of comments, except i - guess when there's line-length pressure. - - if we refer to a function name, put a () after it. - - only write <b>foo</b> when foo is an argument to this function. - - doxygen comments must always end in some form of punctuation. - - capitalize the first sentence in the doxygen comment, except - when you shouldn't. - - avoid spelling errors and incorrect comments. ;) - - - Packaging - - The Debian package now uses --verify-config when (re)starting, - to distinguish configuration errors from other errors. Perhaps - the RPM and other startup scripts should too? - - add a "default.action" file to the tor/vidalia bundle so we can - fix the https thing in the default configuration: - http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort - - - Related tools - - Patch privoxy and socks protocol to pass strings to the browser. - -======================================================================= - -Documentation, non-version-specific. - - Specs - - Mark up spec; note unclear points about servers -NR - write a spec appendix for 'being nice with tor' - - Specify the keys and key rotation schedules and stuff - - Mention controller libs someplace. - - Remove need for HACKING file. - - document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx -P - figure out why x86_64 won't build rpms from tor.spec -P - figure out spec files for bundles of vidalia-tor-polipo -P - figure out polipo install scripts for bundles of vidalia-tor-polipo on osx, win32 - - figure out selinux policy for tor -P - change packaging system to more automated and specific for each - platform, suggested by Paul Wouter -P - Setup repos for redhat and suse rpms & start signing the rpms the - way package management apps prefer - -Website: -J - tor-in-the-media page -P - Figure out licenses for website material. - (Phobos reccomends the Open Publication License with Option A at - http://opencontent.org/openpub/) -P - put the logo on the website, in source form, so people can put it on - stickers directly, etc. -P - put the source image for the stickers on the website, so people can - print their own -P - figure out a license for the logos and docs we publish (trademark -figures into this) - (Phobos reccomends the Open Publication License with Option A at - http://opencontent.org/openpub/) -R - make a page with the hidden service diagrams. -P - ask Jan/Jens to be the translation coordinator? add to volunteer page. - - add a page for localizing all tor's components. - - It would be neat if we had a single place that described _all_ the - tor-related tools you can use, and what they give you, and how well they - work. Right now, we don't give a lot of guidance wrt - torbutton/foxproxy/privoxy/polipo in any consistent place. -P - create a 'blog badge' for tor fans to link to and feature on their - blogs. A sample can be found at http://interloper.org/tmp/tor/tor-button.png - - - Tor mirrors - - make a mailing list with the mirror operators - - make an automated tool to check /project/trace/ at mirrors to - learn which ones are lagging behind. - - auto (or manually) cull the mirrors that are broken; and - contact their operator? - - a set of instructions for mirror operators to make their apaches - serve our charsets correctly, and bonus points for language - negotiation. - - figure out how to load-balance the downloads across mirrors? - - ponder how to get users to learn that they should google for - "tor mirrors" if the main site is blocked. - - find a mirror volunteer to coordinate all of this - -Blog todo: - - Link to the blog from the main Tor website +This file is obsolete. Go look at the one in trunk, e.g. +https://www.torproject.org/svn/trunk/doc/TODO |