diff options
| author | Nick Mathewson <nickm@torproject.org> | 2023-10-03 11:16:12 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2023-10-03 11:16:12 -0400 |
| commit | c42bc9eb93990af822dad1ab886b7f333e1de55b (patch) | |
| tree | 73d61a1be013e750d5356670aeefb41817cf3560 | |
| parent | 9810d5f71f3e5fb985da9a1aca9c05ebf9cfbbd4 (diff) | |
| download | torspec-c42bc9eb93990af822dad1ab886b7f333e1de55b.tar.gz torspec-c42bc9eb93990af822dad1ab886b7f333e1de55b.zip | |
prop340: Clarify RELAY_EARLY implications and add a parameter.
I think this reflects our discussions on tor#40840.
I had thought that this parameter existed, but it turns out that
it doesn't.
| -rw-r--r-- | proposals/340-packed-and-fragmented.md | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/proposals/340-packed-and-fragmented.md b/proposals/340-packed-and-fragmented.md index 65a8d03..a473c3f 100644 --- a/proposals/340-packed-and-fragmented.md +++ b/proposals/340-packed-and-fragmented.md @@ -192,6 +192,38 @@ rendezvous circuits that we currently need to fragment or pack. The `RELAY_EARLY` status for a command is determined based on the relay cell in which the command's _header_ appeared. +Thus, a relay MUST close a circuit if the cell containing the _first_ +fragment of an `EXTEND` message is not `RELAY_EARLY`, and MUST allow +but NOT require `RELAY_EARLY` to be set on other cells. + +This implies that a client only _needs_ to set `RELAY_EARLY` on the cell +containing the _first_ fragment of an EXTEND message, but that it MAY +set RELAY_EARLY on other cells, in order to prevent traffic fingerprinting. + +(Note: As now, relays and clients MUST destroy any circuit upon seeing a +`RELAY_EARLY` message in the inbound direction.) + +> In our implementation, clients will continue to set `RELAY_EARLY` on +> the first N cells of each circuit, as we do today. + +> Note that this description allows us to take two approaches when +> we eventually _do_ support fragmented `EXTEND` messages. We can +> either set the `RELAY_EARLY` flag on the cell containing the first +> fragment only, or we can continue to set it on the first N cells +> sent on each circuit. Both will work fine, assuming that the +> limit of `RELAY_EARLY` cells is adjustable. This brings us to: + +#### Making the `RELAY_EARLY` limit adjustable + +We add the following parameter, to support an eventual migration to +longer extend cells, in case we decide to take the second approach in +our note above. + + "max_early_per_circ" -- Relays MUST destroy any circuit on + which they see more than this number of RELAY_EARLY cells. + Min: 5. Max: 65535. Default: 8. + + ### Handling `SENDME`s SENDME messages may not be fragmented; the body and the command must |