summaryrefslogtreecommitdiff
path: root/doc/dir-spec.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/dir-spec.txt')
-rw-r--r--doc/dir-spec.txt225
1 files changed, 225 insertions, 0 deletions
diff --git a/doc/dir-spec.txt b/doc/dir-spec.txt
index 312eddef57..42529c2045 100644
--- a/doc/dir-spec.txt
+++ b/doc/dir-spec.txt
@@ -1,5 +1,230 @@
$Id$
+ Tor directory protocol for 0.1.1.x series
+
+0. Scope and preliminaries
+
+ This document should eventually be merged into tor-spec.txt and replace
+ the existing notes on directories.
+
+ This is not a finalized version; what we actually wind up implementing
+ may be very different from the system described here.
+
+0.1. Goals
+
+ There are several problems with the way Tor handles directories right
+ now:
+ 1. Directories are very large and use a lot of bandwidth.
+ 2. Every directory server is a single point of failure.
+ 3. Requiring every client to know every server won't scale.
+ 4. Requiring every directory cache to know every server won't scale.
+ 5. Our current "verified server" system is kind of nonsensical.
+ 6. Getting more directory servers adds more points of failure and
+ worsens possible partitioning attacks.
+
+ This design tries to solve every problem except problems 3 and 4, and to
+ be compatible with likely eventual solutions to problems 3 and 4.
+
+1. Outline
+
+ There is no longer any such thing as a "signed directory". Instead,
+ directory servers sign a very compressed 'network status' object that
+ lists the current descriptors and their status, and router descriptors
+ continue to be self-signed by servers. Clients download network status
+ listings periodically, and download router descriptors as needed. ORs
+ upload descriptors relatively infrequently.
+
+ There are multiple directory servers. Rather than doing anything
+ complicated to coordinate themselves, clients simply rotate through them
+ in order, and only use servers that most of the last several directory
+ servers like.
+
+2. Router descriptors
+
+ Router descriptors are as described in the current tor-spec.txt
+ document.
+
+ ORs SHOULD generate a new router descriptor whenever any of the
+ following events have occurred:
+
+ - A period of time (24 hrs by default) has passed since the last
+ time a descriptor was generated.
+
+ - A descriptor field other than bandwidth or uptime has changed.
+
+ - Bandwidth has changed by more than +/- 50% from the last time a
+ descriptor was generated, and at least a given interval of time (1
+ hr by default) has passed since then.
+
+ - Uptime has been reset.
+
+ After generating a descriptor, ORs upload it to every directory
+ server they know.
+
+ The router descriptor format is unchanged from tor-spec.txt.
+
+3. Network status
+
+ Directory servers generate, sign, and compress a network-status document
+ as needed. As an optimization, they may rate-limit the number of such
+ documents generated to once every few seconds. Directory servers should
+ rate-limit at least to the point where these documents are generated no
+ faster than once per second.
+
+ The network status document contains a preamble, a set of router status
+ entries, and a signature, in that order.
+
+ We use the same meta-format as used for directories and router descriptors
+ in "tor-spec.txt".
+
+ The preamble contains:
+
+ "network-status-version" -- A document format version. For this
+ specification, the version is "1".
+ "directory-source" -- The hostname, current IP address, and directory
+ port of the directory server, separated by spaces.
+ "directory-signing-key" -- The directory server's public signing key.
+ "client-versions" -- A comma-separated list of recommended client versions
+ "server-versions" -- A comma-separated list of recommended server versions
+ "published" -- The publication time for this network-status object.
+ "directory-options" -- A set of flags separated by spaces:
+ "Names" if this directory server performs name bindings
+
+ The directory-options entry is optional; the others are required and must
+ appear exactly once. The "network-status-version" entry must appear first;
+ the others may appear in any order.
+
+ For each router, the router entry contains: (This format is designed for
+ conciseness.)
+
+ "r" -- followed by the following elements, separated by spaces:
+ - The OR's nickname,
+ - A hash of its identity key, encoded in base64, with trailing =
+ signs removed.
+ - A hash of its most recent descriptor, encoded in base64, with
+ trailing = signs removed.
+ - The publication time of its most recent descriptor.
+ - An IP
+ - An OR port
+ - A directory port (or "0" for none")
+ "s" -- A series of space-separated status flags:
+ "Exit" if the router is useful for building general-purpose exit
+ circuits
+ "Stable" if the router tends to stay up for a long time
+ "Fast" if the router has high bandwidth
+ "Running" if the router is currently usable
+ "Named" if the router's identity-nickname mapping is canonical.
+ "Valid" if the router has been 'validated'.
+
+ The "r" entry for each router must appear first and is required. The
+ 's" entry is optional. Unrecognized flags, or extra elements on the
+ "r" line must be ignored.
+
+ The signature section contains:
+
+ "directory-signature". A signature of the rest of the document using
+ the directory server's signing key.
+
+ We compress the network status list with zlib before transmitting it.
+
+4. Directory server operation
+
+ By default, directory servers remember all non-expired, non-superseded OR
+ descriptors that they have seen.
+
+ For each OR, a directory server remembers whether the OR was running and
+ functional the last time they tried to connect to it, and possibly other
+ liveness information.
+
+ Directory server administrators may label some servers or IPs as
+ blacklisted, and elect not to include them in their network-status lists.
+
+ Otherwise, the network-status list includes all non-blacklisted,
+ non-expired, non-superseded descriptors for ORs that the directory has
+ observed at least once to be running.
+
+ Directory server administrators may decide to support name binding. If
+ they do, then they must maintain a file of nickname-to-identity-key
+ mappings, and try to keep this file consistent with other directory
+ servers. If they don't, they act as clients, and report bindings made by
+ other directory servers (name X is bound to identity Y if at least one
+ binding directory lists it, and no directory binds X to some other Y'.)
+
+ The authoritative directory published by a host should be available at:
+ http://<hostname>/tor/status/authority.z
+
+ The most recent descriptor for a server whose identity key has a
+ fingerprint of <F> should be available at:
+ http://<hostname>/tor/server/fp/<F>.z
+
+ A concatenated set of the most recent descriptors for all known servers
+ should be available at:
+ http://<hostname>/tor/server/all.z
+
+ [XXXX specify concatenation of several servers.]
+
+4.1. Caching
+
+ Directory caches (most ORs) regularly download network status documents,
+ and republish them at a URL based on the directory server's identity key:
+ http://<hostname>/tor/status/<identity fingerprint>.z
+
+ A concatenated list of all network-status documents should be available at:
+ http://<hostname>/tor/status/all.z
+
+5. Client operation
+
+ Every OP or OR, including directory servers, acts as a client to the
+ directory protocol.
+
+ Each client maintains a list of trusted directory servers. Periodically
+ (currently 20 minutes) time, the client downloads a new network status. It
+ chooses the directory server from which its current information is most
+ out-of-date, and retries on failure until it finds a running server.
+
+ When choosing ORs to build circuits, clients proceed as follows;
+ - A server is "listed" if it is listed by more than half of the "live"
+ network status documents the clients have downloaded. (A network
+ status is "live" if it is the most recently downloaded network status
+ document for a given directory server, and the server is a directory
+ server trusted by the client, and the network-status document is no
+ more than D (say, 10) days old.
+ - A server is "live" if it is listed as running by at more-than-half of
+ the last N (three) "live" downloaded network-status documents.
+
+ Clients store network status documents so long as they are live.
+
+5.1. Managing naming
+
+ In order to provide human-memorable names for individual server
+ identities, some directory servers bind names to IDs. Clients handle
+ names in two ways:
+
+ If a client is encountering a name it has not mapped before:
+
+ If all the "binding" networks-status documents the client has so far
+ received same claim that the name binds to some identity X, and the
+ client has received at least three network-status documents, the client
+ maps the name to X.
+
+ If a client is encountering a name it has mapped before:
+
+ It uses the last-mapped identity value, unless all of the "binding"
+ network status documents bind the name to some other identity.
+
+6. Remaining issues
+
+ Client-knowledge partitioning is worrisome. Most versions of this don't
+ seem to be worse than the Danezis-Murdoch tracing attack, since an
+ attacker can't do more than deduce probable exits from entries (or vice
+ versa). But what about when the client connects to A and B but in a
+ different order? How bad can it be partitioned based on its knowledge?
+
+
+================================================================================
+Everything below this line is obsolete.
+--------------------------------------------------------------------------------
+
Tor network discovery protocol
0. Scope