author David Goulet <dgoulet@torproject.org> 2023-01-11 10:00:46 -0500
committer David Goulet <dgoulet@torproject.org> 2023-01-11 10:00:46 -0500
commit b4cfd28297f916e76189eef12d30630c1e51e0cc
tree af6b988122b631b96b8ecfa3eee4f010fb84e0a2 /tor-spec.txt
parent 0bacc73d6baee7c2dfd9a7a864163e26f6c121ef
parent 647e7675f9b8ce56f37dae9935857c68797e148d
Merge branch 'tor-gitlab/mr/81'
Diffstat (limited to 'tor-spec.txt')
-rw-r--r-- tor-spec.txt 40
1 files changed, 28 insertions, 12 deletions
diff --git a/tor-spec.txt b/tor-spec.txt
index 2a2dc87..d5305f2 100644
--- a/tor-spec.txt
+++ b/tor-spec.txt
@@ -1522,18 +1522,34 @@ see tor-design.pdf.
version of Tor if a) they have sent relay cells through that node,
and b) they aren't sure whether those cells have been sent on yet.]
- When an unrecoverable error occurs along one connection in a
- circuit, the nodes on either side of the connection should, if they
- are able, act as follows: the node closer to the OP should send a
- RELAY_TRUNCATED cell towards the OP; the node farther from the OP
- should send a DESTROY cell down the circuit.
-
- The payload of a DESTROY cell contains a single octet, describing the
- reason that the circuit was closed. Similarly, the data of a
- RELAY_TRUNCATED cell also contains this single octet "reason" field. When
- sending a TRUNCATED or DESTROY cell because of another TRUNCATED or
- DESTROY cell, the error code should be propagated. The origin of a circuit
- always sets this error code to 0, to avoid leaking its version.
+ When an unrecoverable error occurs along one a circuit, the nodes
+ must report it as follows:
+ * If possible, send a DESTROY cell to ORs _away_ from the client.
+ * If possible, send *either* a DESTROY cell towards the client, or
+ a RELAY_TRUNCATED cell towards the client.
+
+ Current versions of Tor do not reuse truncated RELAY_TRUNCATED
+ circuits: An OP, upon receiving a RELAY_TRUNCATED, will send
+ forward a DESTROY cell in order to entirely tear down the circuit.
+ Because of this, we recommend that relays should send DESTROY
+ towards the client, not RELAY_TRUNCATED.
+
+ NOTE:
+ In tor versions before 0.4.5.13, 0.4.6.11 and 0.4.7.9, relays would
+ handle an inbound DESTROY by sending the client a RELAY_TRUNCATED
+ message. Beginning with those versions, relays now propagate
+ DESTROY cells in either direction, in order to tell every
+ intermediary ORs to stop queuing data on the circuit. The earlier
+ behavior created queuing pressure on the intermediary ORs.
+
+ The payload of a DESTROY and RELAY_TRUNCATED cell contains a single
+ octet, describing the reason that the circuit was
+ closed. RELAY_TRUNCATED cells, and DESTROY cells sent _towards the
+ client, should contain the actual reason from the list of error codes
+ below. Reasons in DESTROY cell SHOULD NOT be propagated downward or
+ upward, due to potential side channel risk: An OR receiving a DESTROY
+ command should use the DESTROYED reason for its next cell. An OP
+ should always use the NONE reason for its own DESTROY cells.
The error codes are:
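Review bot: The final added paragraph gives two rules for the reason octet that can be read as conflicting: DESTROY cells sent towards the client "should contain the actual reason", yet "Reasons in DESTROY cell SHOULD NOT be propagated downward or upward" and an OR that receives a DESTROY uses DESTROYED for its next cell. Please state explicitly that the actual reason applies only to the node that detected the error, and that an OR passing on a DESTROY it received, in either direction, sends DESTROYED. "downward or upward" is not defined in this hunk; reuse the "towards the client" / "away from the client" wording from the bullets. Because this rule exists to close a side channel, the requirement levels should also be consistent: the hunk mixes lowercase "must" and "should" with "SHOULD NOT". Smaller wording points in the same hunk: "along one a circuit" has a leftover "one", "truncated RELAY_TRUNCATED circuits" is redundant, "every intermediary ORs" should be singular, "_towards the client," lacks its closing underscore, and "The payload of a DESTROY and RELAY_TRUNCATED cell" drops the removed text's distinction between the DESTROY payload and the data of a RELAY_TRUNCATED cell.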