opening-streams: clarifications around CONNECTED

Namely:
  * CONNECTED messages may be empty.
  * It is a bad idea to cache IP addresses you get from an exit.

1 files changed, 12 insertions, 0 deletions

diff --git a/spec/tor-spec/opening-streams.md b/spec/tor-spec/opening-streams.md
index 757f776..799b4dc 100644
--- a/spec/tor-spec/opening-streams.md
+++ b/spec/tor-spec/opening-streams.md
@@ -68,6 +68,18 @@ payload is in one of the following formats:
        A number of seconds (TTL) for which the address may be cached [4 octets]
 ```
 
+Implementations MUST accept either of these formats,
+and MUST also accept an empty RELAY_CONNECTED message body.
+
+Implmentations MAY ignore the address value,
+and MAY choose not to cache it.
+If an implementation chooses to cache the address,
+it SHOULD NOT reuse that address with any other circuit.
+
+> The reason not to cache an address
+> is that the exit might have lied about the actual address of the host,
+> or might have given us a unique address to identify us in the future.
+
 \[Tor exit nodes before 0.1.2.0 set the TTL field to a fixed value.  Later
 versions set the TTL to the last value seen from a DNS server, and expire
 their own cached entries after a fixed interval.  This prevents certain