From c42bc9eb93990af822dad1ab886b7f333e1de55b Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 3 Oct 2023 11:16:12 -0400 Subject: prop340: Clarify RELAY_EARLY implications and add a parameter. I think this reflects our discussions on tor#40840. I had thought that this parameter existed, but it turns out that it doesn't. --- proposals/340-packed-and-fragmented.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/proposals/340-packed-and-fragmented.md b/proposals/340-packed-and-fragmented.md index 65a8d03..a473c3f 100644 --- a/proposals/340-packed-and-fragmented.md +++ b/proposals/340-packed-and-fragmented.md @@ -192,6 +192,38 @@ rendezvous circuits that we currently need to fragment or pack. The `RELAY_EARLY` status for a command is determined based on the relay cell in which the command's _header_ appeared. +Thus, a relay MUST close a circuit if the cell containing the _first_ +fragment of an `EXTEND` message is not `RELAY_EARLY`, and MUST allow +but NOT require `RELAY_EARLY` to be set on other cells. + +This implies that a client only _needs_ to set `RELAY_EARLY` on the cell +containing the _first_ fragment of an EXTEND message, but that it MAY +set RELAY_EARLY on other cells, in order to prevent traffic fingerprinting. + +(Note: As now, relays and clients MUST destroy any circuit upon seeing a +`RELAY_EARLY` message in the inbound direction.) + +> In our implementation, clients will continue to set `RELAY_EARLY` on +> the first N cells of each circuit, as we do today. + +> Note that this description allows us to take two approaches when +> we eventually _do_ support fragmented `EXTEND` messages. We can +> either set the `RELAY_EARLY` flag on the cell containing the first +> fragment only, or we can continue to set it on the first N cells +> sent on each circuit. Both will work fine, assuming that the +> limit of `RELAY_EARLY` cells is adjustable. This brings us to: + +#### Making the `RELAY_EARLY` limit adjustable + +We add the following parameter, to support an eventual migration to +longer extend cells, in case we decide to take the second approach in +our note above. + + "max_early_per_circ" -- Relays MUST destroy any circuit on + which they see more than this number of RELAY_EARLY cells. + Min: 5. Max: 65535. Default: 8. + + ### Handling `SENDME`s SENDME messages may not be fragmented; the body and the command must -- cgit v1.2.3-54-g00ecf