| field | value | date |
|---|---|---|
| author | Nick Mathewson <nickm@torproject.org> | 2006-01-10 22:05:31 +0000 |
| committer | Nick Mathewson <nickm@torproject.org> | 2006-01-10 22:05:31 +0000 |
| commit | 89db1be56c240aa21aafeea026d9ba91c68ce8f8 (patch) | |
| tree | 67f32191895837c41e2f5c77f780524c2807345d /doc/TODO | |
| parent | 4ac471a38a2a840e414e469025d060a32ed56fc3 (diff) | |
| download | tor-89db1be56c240aa21aafeea026d9ba91c68ce8f8.tar.gz tor-89db1be56c240aa21aafeea026d9ba91c68ce8f8.zip | |
remove some completed items from the TODO
svn:r5779
Diffstat (limited to 'doc/TODO')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/TODO | 140 |

1 files changed, 8 insertions, 132 deletions
@@ -37,56 +37,17 @@ for 0.1.1.x: N - if they're trying to be a tor server and they're running win 98 or win me, give them a message talking about The Bug. - o update 'exitlist' script to handle new dir format. - o state_description in config.c has gone stale +R . Rename 'helper' to 'guard'. - . Helper nodes - . More testing and debugging - o If your helper nodes are unavailable, don't abandon them unless - other nodes *are* reachable. - o Make EntryNodes and StrictEntrynodes do what we want. +N - Display the reasons in 'destroy' and 'truncated' cells under some + circumstances? -N . Destroy and truncated cells should have reasons. - o Specify - o Implement - - Display the reasons under some circumstances? - -N . Only use a routerdesc if you recognize its hash. - o (Must defer till dirservers are upgraded to latest code, which - actually generates these hashes.) - . Of course, authdirservers must not do this. - o If we have a routerdesc for Bob, and he says, "I'm 0.1.0.x", don't - fetch a new one if it was published in the last 2 hours. - X Don't, actually. This is the authorities' job to straighten out. - o Do not ask for any routers until we have 2 networkstatuses. +N . Directory changes . Client side: - o Keep a record of which hash is most desirable for each router inside - local_routerstatus_t. - o If any hash is listed by two or more networkstatuses, the most - recent such hash is most desirable. - o Otherwise, the most recent is desirable. - o Once we've accepted a router, it's okay. - o Do not accept a router that no networkstatus lists. (This should maybe - get stricter.) - o Download by descriptor digest. - o Reset failure count to zero when hash changes. - . Test - - Do we want to rate-limit downloads of each identity? - . Mirrors and authorities: - o Every time we hear a new networkstatus, we want every hash it lists. - o Make sure that we are always willing to keep at least N routerinfos - per router, where N = number of authorities. 
- o Do whatever else is needed to be sure that we don't request - hashes that would be immediately discarded, or discard hashes - that would be immediately re-requested. - o Only fetch routerinfo from an authority that mentions is. - o Only ask each authority once. - o Retry soon after failure. - o We need one bit per routerstatus for "should we download from - this guy." - - Verify that we are actually storing retained old descriptors to our - cache. - - Test. + - Do we want to rate-limit downloads of each identity, or do something + else to download even less? + - Do we want to refrain from downloading non-running or non-verified + descriptors? This is potentially dangerous. - Non-directories don't need to keep descriptors in memory. R - Christian Grothoff's attack of infinite-length circuit. @@ -110,7 +71,6 @@ R - clients prefer to avoid exit nodes for non-exit path positions. - the tor client can do the "automatic proxy config url" thing? - Deferred from 0.1.1.x: - Automatically determine what ports are reachable and start using @@ -121,7 +81,6 @@ N - Should router info have a pointer to routerstatus? - We should at least do something about the duplicated fields. N . Additional controller features - o Find a way to make event info more extensible - change circuit status events to give more details, like purpose, whether they're internal, when they become dirty, when they become too dirty for further circuits, etc. 
@@ -153,87 +112,18 @@ N - Specify and implement it. - cpu fixes: - see if we should make use of truncate to retry - o hardware accelerator support (configure engines.) - o hardware accelerator support (use instead of aes.c when reasonable) - - Benchmark this somehow to see whether using EVP_foo is slower in the - non-engine case than AES_foo. If so, check for AES engine and fall - back to AES_foo when it's not found. R - kill dns workers more slowly . Directory changes - o recommended-versions for client / server ? . Some back-out mechanism for auto-approval - o dirservers have blacklist of IPs and keys they hate - a way of rolling back approvals to before a timestamp - Consider minion-like fingerprint file/log combination. - - Decentralization - o Dirservers publish compressed network-status objects. - o Support retrieving several-at-once - o Everyone downloads network-status objects - o Clients: from all directories, round-robin - o Basic implementation: disable until 0.1.1.x is out. - o On failure, mark trusted_dir_server as having failed - o Retry, up to a point. - X Launch retry immediately on failure. - o Parse them - o Cache them, reload on restart - o Serve cached directories - o Directories expose individual descriptors - X By 'if-newer-than' (Does the spec require this??) - o Support compression. - o Alice acts on network-status objects - o Alice downloads descriptors as needed. - o Figure out what's needed - o Store it - o Implement store - o Implement reload-from-store - o Store downloaded descriptors - o Download it - o As-needed if we have 2 network-status objs. - o Download "all" if we have less than 2 network-status objs. - (This has vulnerabilities if we're not careful) - o Call directory_has_arrived as needed; rename it. - o Set has_fetched_directory properly. - o Retry descriptors on failure - o Give up after a while. - - But try again after a long while (???) - o Check software versions according to some sane plan. - - Warn again after 24 hours. 
- o Alice sets descriptor status from network-status - o Implement - o Use - o Routerdesc download changes - o Refactor combined-status to be its own type. - o Change rule from "do not launch new connections when one exists" to - "do not request any fingerprint that we're currently requesting." - o Launch connections every minute, or whenever a download fails - o Retry failed routerdescs after 0, 1, 5, 10 minutes. - o Mirrors retry harder and more often. (0, 0, 1, 1, 2, 5, and 15) - o Reset failure count every 60 minutes - o Drop fallback to download-all. Also, always split download. - o Use has_fetched_directory sanely, whatever that means. - o Downgrade new directory events from notice to info - o Call dirport_is_reachable from somewhere else. - o Networkstatus should list who's an authority. - o Add nickname element to dirserver line. Log this along with IP:Port. - o Warn when using non-default directory servers. - o When giving up on a non-finished dir request, log how many bytes - dropped, to see whether it's worthwhile to use partial info. - - config option to publish what ports you listen on, beyond ORPort/DirPort. It should support ranges and bit prefixes (?) too. - Parse this. - Relay this in networkstatus. - X Make authorities rate-limit logging their complaints about given - servers? - o All versions of Tor should get cosmetic changes rate-limited. - o Pick directories from networkstatus objects, not from routerlist. - o But! We can't do this easily, since we want to know about platform, - and networkstatus doesn't tell us Tor version. Can we solve this? - Should we do it by adding flags to networkstatus or what? - - packaging and ui stuff: . multiple sample torrc files - uninstallers 
@@ -251,11 +141,6 @@ N - Vet all pending installer patches - unrecommend IE because of ftp:// bug. - torrc.complete.in needs attention? - o Dump "ports" from routerparse? - - o Let more config options (e.g. ORPort) change dynamically. - o Add TTLs to DNS-related replies, and use them (when present) to adjust - addressmap values. - Bind to random port when making outgoing connections to Tor servers, to reduce remote sniping attacks. - Have new people be in limbo and need to demonstrate usefulness @@ -283,18 +168,11 @@ N - Vet all pending installer patches - Make it harder to circumvent bandwidth caps: look at number of bytes sent across sockets, not number sent inside TLS stream. - o Research memory use on Linux: what's happening? - X Is it threading? (Maybe, maybe not) - X Is it the buf_shrink bug? (Quite possibly) - o Instrument the 0.1.1 code to figure out where our memory is going; - apply the results. (all platforms?) - - Make router_is_general_exit() a bit smarter once we're sure what it's for. - Directory "helper". - rewrite how libevent does select() on win32 so it's not so very slow. - o enclaves (at least preliminary) - Write limiting; separate token bucket for write - Audit everything to make sure rend and intro points are just as likely to be us as not. @@ -335,8 +213,6 @@ Blue-sky: - Implement Morphmix, so we can compare its behavior, complexity, etc. - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own link crypto, unless we can bully openssl into it. - o Conn key rotation (we switch to a new one after a week, but - old circuits don't get any benefit from this). - Need a relay teardown cell, separate from one-way ends. (Pending a user who needs this) - Handle half-open connections: right now we don't support all TCP |
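Review bot: in the first hunk (@@ -37,56 +37,17 @@) several items that are still open disappear along with the completed ones: the in-progress `. Of course, authdirservers must not do this.` under the routerdesc-hash entry, the `. Test` line under the client-side list (the rate-limit question next to it is re-added, `Test` is not), and `- Verify that we are actually storing retained old descriptors to our cache.` plus `- Test.` under mirrors and authorities. The commit message says only completed items are removed, so either keep these as `-`/`.` lines or mark them `o` or `X` so the TODO stays an accurate record. The new line `- Do we want to refrain from downloading non-running or non-verified descriptors? This is potentially dangerous.` would also be more useful with a short note of what the danger is, since this file is the only place the concern is written down.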
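Review bot: the fourth hunk (@@ -153,87 +112,18 @@) deletes open items that are not marked done: under `- cpu fixes:` the line `- Benchmark this somehow to see whether using EVP_foo is slower in the non-engine case than AES_foo. ...`, the retry and version-check follow-ups `- But try again after a long while (???)` and `- Warn again after 24 hours.`, and the whole `- config option to publish what ports you listen on, beyond ORPort/DirPort. ... - Parse this. - Relay this in networkstatus.` entry. Collapsing the completed `o` children of the Decentralization list should not take the unfinished siblings with them; keep those lines (or move them under `Deferred from 0.1.1.x`) or mark them `X` with a reason. Likewise the open question under `o Pick directories from networkstatus objects, not from routerlist.` (networkstatus does not carry the Tor version, so platform-based selection is unsolved) is removed rather than answered.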
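Review bot: in the sixth hunk (@@ -283,18 +168,11 @@) the `o Research memory use on Linux: what's happening?` entry is removed together with its recorded findings (`X Is it threading? (Maybe, maybe not)`, `X Is it the buf_shrink bug? (Quite possibly)`) and the follow-up `o Instrument the 0.1.1 code to figure out where our memory is going; apply the results. (all platforms?)`. The trailing `(all platforms?)` is still an open question, so either note the conclusion somewhere (ChangeLog or a comment) before dropping the item, or leave a one-line `-` entry for checking memory use on the non-Linux platforms.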