From 7bd906b6ecef7a0dcf3b420944da0d08db5a2553 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 17 Jul 2014 17:31:59 +0200 Subject: Move dir-spec-v2 to attic. (#12645) --- attic/dir-spec-v2.txt | 877 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 877 insertions(+) create mode 100644 attic/dir-spec-v2.txt (limited to 'attic') diff --git a/attic/dir-spec-v2.txt b/attic/dir-spec-v2.txt new file mode 100644 index 0000000..021532e --- /dev/null +++ b/attic/dir-spec-v2.txt @@ -0,0 +1,877 @@ + + Tor directory protocol, version 2 + +0. Scope and preliminaries + + This directory protocol is used by Tor version 0.1.1.x and 0.1.2.x. See + dir-spec-v1.txt for information on earlier versions, and dir-spec.txt + for information on later versions. + +0.1. Goals and motivation + + There were several problems with the way Tor handles directory information + in version 0.1.0.x and earlier. Here are the problems we try to fix with + this new design, already implemented in 0.1.1.x: + 1. Directories were very large and use up a lot of bandwidth: clients + downloaded descriptors for all router several times an hour. + 2. Every directory authority was a trust bottleneck: if a single + directory authority lied, it could make clients believe for a time an + arbitrarily distorted view of the Tor network. + 3. Our current "verified server" system is kind of nonsensical. + + 4. Getting more directory authorities would add more points of failure + and worsen possible partitioning attacks. + + There are two problems that remain unaddressed by this design. + 5. Requiring every client to know about every router won't scale. + 6. Requiring every directory cache to know every router won't scale. + + We attempt to fix 1-4 here, and to build a solution that will work when we + figure out an answer for 5. We haven't thought at all about what to do + about 6. + +1. Outline + + There is a small set (say, around 10) of semi-trusted directory + authorities. A default list of authorities is shipped with the Tor + software. Users can change this list, but are encouraged not to do so, in + order to avoid partitioning attacks. + + Routers periodically upload signed "descriptors" to the directory + authorities describing their keys, capabilities, and other information. + Routers may act as directory mirrors (also called "caches"), to reduce + load on the directory authorities. They announce this in their + descriptors. + + Each directory authority periodically generates and signs a compact + "network status" document that lists that authority's view of the current + descriptors and status for known routers, but which does not include the + descriptors themselves. + + Directory mirrors download, cache, and re-serve network-status documents + to clients. + + Clients, directory mirrors, and directory authorities all use + network-status documents to find out when their list of routers is + out-of-date. If it is, they download any missing router descriptors. + Clients download missing descriptors from mirrors; mirrors and authorities + download from authorities. Descriptors are downloaded by the hash of the + descriptor, not by the server's identity key: this prevents servers from + attacking clients by giving them descriptors nobody else uses. + + All directory information is uploaded and downloaded with HTTP. + + Coordination among directory authorities is done client-side: clients + compute a vote-like algorithm among the network-status documents they + have, and base their decisions on the result. + +1.1. What's different from 0.1.0.x? + + Clients used to download a signed concatenated set of router descriptors + (called a "directory") from directory mirrors, regardless of which + descriptors had changed. + + Between downloading directories, clients would download "network-status" + documents that would list which servers were supposed to running. + + Clients would always believe the most recently published network-status + document they were served. + + Routers used to upload fresh descriptors all the time, whether their keys + and other information had changed or not. + +1.2. Document meta-format + + Router descriptors, directories, and running-routers documents all obey the + following lightweight extensible information format. + + The highest level object is a Document, which consists of one or more + Items. Every Item begins with a KeywordLine, followed by one or more + Objects. A KeywordLine begins with a Keyword, optionally followed by + whitespace and more non-newline characters, and ends with a newline. A + Keyword is a sequence of one or more characters in the set [A-Za-z0-9-]. + An Object is a block of encoded data in pseudo-Open-PGP-style + armor. (cf. RFC 2440) + + More formally: + + Document ::= (Item | NL)+ + Item ::= KeywordLine Object* + KeywordLine ::= Keyword NL | Keyword WS ArgumentsChar+ NL + Keyword = KeywordChar+ + KeywordChar ::= 'A' ... 'Z' | 'a' ... 'z' | '0' ... '9' | '-' + ArgumentChar ::= any printing ASCII character except NL. + WS = (SP | TAB)+ + Object ::= BeginLine Base64-encoded-data EndLine + BeginLine ::= "-----BEGIN " Keyword "-----" NL + EndLine ::= "-----END " Keyword "-----" NL + + The BeginLine and EndLine of an Object must use the same keyword. + + When interpreting a Document, software MUST ignore any KeywordLine that + starts with a keyword it doesn't recognize; future implementations MUST NOT + require current clients to understand any KeywordLine not currently + described. + + Other implementations that want to extend Tor's directory format MAY + introduce their own items. The keywords for extension items SHOULD start + with the characters "x-" or "X-", to guarantee that they will not conflict + with keywords used by future versions of Tor. + +2. Router operation + + ORs SHOULD generate a new router descriptor whenever any of the + following events have occurred: + + - A period of time (18 hrs by default) has passed since the last + time a descriptor was generated. + + - A descriptor field other than bandwidth or uptime has changed. + + - Bandwidth has changed by at least a factor of 2 from the last time a + descriptor was generated, and at least a given interval of time + (20 mins by default) has passed since then. + + - Its uptime has been reset (by restarting). + + After generating a descriptor, ORs upload it to every directory + authority they know, by posting it to the URL + + http:///tor/ + +2.1. Router descriptor format + + Every router descriptor MUST start with a "router" Item; MUST end with a + "router-signature" Item and an extra NL; and MUST contain exactly one + instance of each of the following Items: "published" "onion-key" + "signing-key" "bandwidth". + + A router descriptor MAY have zero or one of each of the following Items, + but MUST NOT have more than one: "contact", "uptime", "fingerprint", + "hibernating", "read-history", "write-history", "eventdns", "platform", + "family". + + For historical reasons some options are prefixed with "opt ", for instance + "opt fingerprint". This "opt " prefix should be ignored with the second word + used as the keyword instead. + + Additionally, a router descriptor MAY contain any number of "accept", + "reject", and "opt" Items. Other than "router" and "router-signature", + the items may appear in any order. + + The items' formats are as follows: + "router" nickname address ORPort SocksPort DirPort + + Indicates the beginning of a router descriptor. "address" must be an + IPv4 address in dotted-quad format. The last three numbers indicate + the TCP ports at which this OR exposes functionality. ORPort is a port + at which this OR accepts TLS connections for the main OR protocol; + SocksPort is deprecated and should always be 0; and DirPort is the + port at which this OR accepts directory-related HTTP connections. If + any port is not supported, the value 0 is given instead of a port + number. + + "bandwidth" bandwidth-avg bandwidth-burst bandwidth-observed + + Estimated bandwidth for this router, in bytes per second. The + "average" bandwidth is the volume per second that the OR is willing to + sustain over long periods; the "burst" bandwidth is the volume that + the OR is willing to sustain in very short intervals. The "observed" + value is an estimate of the capacity this server can handle. The + server remembers the max bandwidth sustained output over any ten + second period in the past day, and another sustained input. The + "observed" value is the lesser of these two numbers. + + "platform" string + + A human-readable string describing the system on which this OR is + running. This MAY include the operating system, and SHOULD include + the name and version of the software implementing the Tor protocol. + + "published" YYYY-MM-DD HH:MM:SS + + The time, in GMT, when this descriptor was generated. + + "fingerprint" + + A fingerprint (a HASH_LEN-byte of asn1 encoded public key, encoded in + hex, with a single space after every 4 characters) for this router's + identity key. A descriptor is considered invalid (and MUST be + rejected) if the fingerprint line does not match the public key. + + "hibernating" 0|1 + + If the value is 1, then the Tor server was hibernating when the + descriptor was published, and shouldn't be used to build circuits. + + "uptime" + + The number of seconds that this OR process has been running. + + "onion-key" NL a public key in PEM format + + This key is used to encrypt EXTEND cells for this OR. The key MUST be + accepted for at least 1 week after any new key is published in a + subsequent descriptor. + + "signing-key" NL a public key in PEM format + + The OR's long-term identity key. + + "accept" exitpattern + "reject" exitpattern + + These lines describe the rules that an OR follows when + deciding whether to allow a new stream to a given address. The + 'exitpattern' syntax is described below. The rules are considered in + order; if no rule matches, the address will be accepted. For clarity, + the last such entry SHOULD be accept *:* or reject *:*. + + "router-signature" NL Signature NL + + The "SIGNATURE" object contains a signature of the PKCS1-padded + hash of the entire router descriptor, taken from the beginning of the + "router" line, through the newline after the "router-signature" line. + The router descriptor is invalid unless the signature is performed + with the router's identity key. + + "contact" info NL + + Describes a way to contact the server's administrator, preferably + including an email address and a PGP key fingerprint. + + "family" names NL + + 'Names' is a space-separated list of server nicknames or + hexdigests. If two ORs list one another in their "family" entries, + then OPs should treat them as a single OR for the purpose of path + selection. + + For example, if node A's descriptor contains "family B", and node B's + descriptor contains "family A", then node A and node B should never + be used on the same circuit. + + "read-history" YYYY-MM-DD HH:MM:SS (NSEC s) NUM,NUM,NUM,NUM,NUM... NL + "write-history" YYYY-MM-DD HH:MM:SS (NSEC s) NUM,NUM,NUM,NUM,NUM... NL + + Declare how much bandwidth the OR has used recently. Usage is divided + into intervals of NSEC seconds. The YYYY-MM-DD HH:MM:SS field + defines the end of the most recent interval. The numbers are the + number of bytes used in the most recent intervals, ordered from + oldest to newest. + + "eventdns" bool NL + + Declare whether this version of Tor is using the newer enhanced + dns logic. Versions of Tor without eventdns SHOULD NOT be used for + reverse hostname lookups. + + [All versions of Tor before 0.1.2.2-alpha should be assumed to have + this option set to 0 if it is not present. All Tor versions at + 0.1.2.2-alpha or later should be assumed to have this option set to + 1 if it is not present. Until 0.1.2.1-alpha-dev, this option was + not generated, even when eventdns was in use. With 0.2.0.1-alpha, the + old 'dnsworker' logic has been removed, rendering this option of + historical interest only.] + +2.2. Nonterminals in router descriptors + + nickname ::= between 1 and 19 alphanumeric characters, case-insensitive. + hexdigest ::= a '$', followed by 20 hexadecimal characters. + [Represents a server by the digest of its identity key.] + + exitpattern ::= addrspec ":" portspec + portspec ::= "*" | port | port "-" port + port ::= an integer between 1 and 65535, inclusive. + [Some implementations incorrectly generate ports with value 0. + Implementations SHOULD accept this, and SHOULD NOT generate it.] + + addrspec ::= "*" | ip4spec | ip6spec + ipv4spec ::= ip4 | ip4 "/" num_ip4_bits | ip4 "/" ip4mask + ip4 ::= an IPv4 address in dotted-quad format + ip4mask ::= an IPv4 mask in dotted-quad format + num_ip4_bits ::= an integer between 0 and 32 + ip6spec ::= ip6 | ip6 "/" num_ip6_bits + ip6 ::= an IPv6 address, surrounded by square brackets. + num_ip6_bits ::= an integer between 0 and 128 + + bool ::= "0" | "1" + + Ports are required; if they are not included in the router + line, they must appear in the "ports" lines. + +3. Network status format + + Directory authorities generate, sign, and compress network-status + documents. Directory servers SHOULD generate a fresh network-status + document when the contents of such a document would be different from the + last one generated, and some time (at least one second, possibly longer) + has passed since the last one was generated. + + The network status document contains a preamble, a set of router status + entries, and a signature, in that order. + + We use the same meta-format as used for directories and router descriptors + in "tor-spec.txt". Implementations MAY insert blank lines + for clarity between sections; these blank lines are ignored. + Implementations MUST NOT depend on blank lines in any particular location. + + As used here, "whitespace" is a sequence of 1 or more tab or space + characters. + + The preamble contains: + + "network-status-version" -- A document format version. For this + specification, the version is "2". + "dir-source" -- The authority's hostname, current IP address, and + directory port, all separated by whitespace. + "fingerprint" -- A base16-encoded hash of the signing key's + fingerprint, with no additional spaces added. + "contact" -- An arbitrary string describing how to contact the + directory server's administrator. Administrators should include at + least an email address and a PGP fingerprint. + "dir-signing-key" -- The directory server's public signing key. + "client-versions" -- A comma-separated list of recommended client + versions. + "server-versions" -- A comma-separated list of recommended server + versions. + "published" -- The publication time for this network-status object. + "dir-options" -- A set of flags, in any order, separated by whitespace: + "Names" if this directory authority performs name bindings. + "Versions" if this directory authority recommends software versions. + "BadExits" if the directory authority flags nodes that it believes + are performing incorrectly as exit nodes. + "BadDirectories" if the directory authority flags nodes that it + believes are performing incorrectly as directory caches. + + The dir-options entry is optional. The "-versions" entries are required if + the "Versions" flag is present. The other entries are required and must + appear exactly once. The "network-status-version" entry must appear first; + the others may appear in any order. Implementations MUST ignore + additional arguments to the items above, and MUST ignore unrecognized + flags. + + For each router, the router entry contains: (This format is designed for + conciseness.) + + "r" -- followed by the following elements, in order, separated by + whitespace: + - The OR's nickname, + - A hash of its identity key, encoded in base64, with trailing = + signs removed. + - A hash of its most recent descriptor, encoded in base64, with + trailing = signs removed. (The hash is calculated as for + computing the signature of a descriptor.) + - The publication time of its most recent descriptor, in the form + YYYY-MM-DD HH:MM:SS, in GMT. + - An IP address + - An OR port + - A directory port (or "0" for none") + "s" -- A series of whitespace-separated status flags, in any order: + "Authority" if the router is a directory authority. + "BadExit" if the router is believed to be useless as an exit node + (because its ISP censors it, because it is behind a restrictive + proxy, or for some similar reason). + "BadDirectory" if the router is believed to be useless as a + directory cache (because its directory port isn't working, + its bandwidth is always throttled, or for some similar + reason). + "Exit" if the router is useful for building general-purpose exit + circuits. + "Fast" if the router is suitable for high-bandwidth circuits. + "Guard" if the router is suitable for use as an entry guard. + "Named" if the router's identity-nickname mapping is canonical, + and this authority binds names. + "Stable" if the router is suitable for long-lived circuits. + "Running" if the router is currently usable. + "Valid" if the router has been 'validated'. + "V2Dir" if the router implements this protocol. + "v" -- The version of the Tor protocol that this server is running. If + the value begins with "Tor" SP, the rest of the string is a Tor + version number, and the protocol is "The Tor protocol as supported + by the given version of Tor." Otherwise, if the value begins with + some other string, Tor has upgraded to a more sophisticated + protocol versioning system, and the protocol is "a version of the + Tor protocol more recent than any we recognize." + + The "r" entry for each router must appear first and is required. The + "s" entry is optional (see Section 3.1 below for how the flags are + decided). Unrecognized flags on the "s" line and extra elements + on the "r" line must be ignored. The "v" line is optional. + + The signature section contains: + + "directory-signature" nickname-of-dirserver NL Signature + + Signature is a signature of this network-status document + (the document up until the signature, including the line + "directory-signature \n"), using the directory authority's + signing key. + + We compress the network status list with zlib before transmitting it. + +3.1. Establishing server status + + (This section describes how directory authorities choose which status + flags to apply to routers, as of Tor 0.1.1.18-rc. Later directory + authorities MAY do things differently, so long as clients keep working + well. Clients MUST NOT depend on the exact behaviors in this section.) + + In the below definitions, a router is considered "active" if it is + running, valid, and not hibernating. + + "Valid" -- a router is 'Valid' if it is running a version of Tor not + known to be broken, and the directory authority has not blacklisted + it as suspicious. + + "Named" -- Directory authority administrators may decide to support name + binding. If they do, then they must maintain a file of + nickname-to-identity-key mappings, and try to keep this file consistent + with other directory authorities. If they don't, they act as clients, and + report bindings made by other directory authorities (name X is bound to + identity Y if at least one binding directory lists it, and no directory + binds X to some other Y'.) A router is called 'Named' if the router + believes the given name should be bound to the given key. + + "Running" -- A router is 'Running' if the authority managed to connect to + it successfully within the last 30 minutes. + + "Stable" -- A router is 'Stable' if it is active, and either its + uptime is at least the median uptime for known active routers, or + its uptime is at least 30 days. Routers are never called stable if + they are running a version of Tor known to drop circuits stupidly. + (0.1.1.10-alpha through 0.1.1.16-rc are stupid this way.) + + "Fast" -- A router is 'Fast' if it is active, and its bandwidth is + in the top 7/8ths for known active routers. + + "Guard" -- A router is a possible 'Guard' if it is 'Stable' and its + bandwidth is above median for known active routers. If the total + bandwidth of active non-BadExit Exit servers is less than one third + of the total bandwidth of all active servers, no Exit is listed as + a Guard. + + "Authority" -- A router is called an 'Authority' if the authority + generating the network-status document believes it is an authority. + + "V2Dir" -- A router supports the v2 directory protocol if it has an open + directory port, and it is running a version of the directory protocol that + supports the functionality clients need. (Currently, this is + 0.1.1.9-alpha or later.) + + Directory server administrators may label some servers or IPs as + blacklisted, and elect not to include them in their network-status lists. + + Authorities SHOULD 'disable' any servers in excess of 3 on any single IP. + When there are more than 3 to choose from, authorities should first prefer + authorities to non-authorities, then prefer Running to non-Running, and + then prefer high-bandwidth to low-bandwidth. To 'disable' a server, the + authority *should* advertise it without the Running or Valid flag. + + Thus, the network-status list includes all non-blacklisted, + non-expired, non-superseded descriptors. + +4. Directory server operation + + All directory authorities and directory mirrors ("directory servers") + implement this section, except as noted. + +4.1. Accepting uploads (authorities only) + + When a router posts a signed descriptor to a directory authority, the + authority first checks whether it is well-formed and correctly + self-signed. If it is, the authority next verifies that the nickname + in question is not already assigned to a router with a different + public key. + Finally, the authority MAY check that the router is not blacklisted + because of its key, IP, or another reason. + + If the descriptor passes these tests, and the authority does not already + have a descriptor for a router with this public key, it accepts the + descriptor and remembers it. + + If the authority _does_ have a descriptor with the same public key, the + newly uploaded descriptor is remembered if its publication time is more + recent than the most recent old descriptor for that router, and either: + - There are non-cosmetic differences between the old descriptor and the + new one. + - Enough time has passed between the descriptors' publication times. + (Currently, 12 hours.) + + Differences between router descriptors are "non-cosmetic" if they would be + sufficient to force an upload as described in section 2 above. + + Note that the "cosmetic difference" test only applies to uploaded + descriptors, not to descriptors that the authority downloads from other + authorities. + +4.2. Downloading network-status documents (authorities and caches) + + All directory servers (authorities and mirrors) try to keep a fresh + set of network-status documents from every authority. To do so, + every 5 minutes, each authority asks every other authority for its + most recent network-status document. Every 15 minutes, each mirror + picks a random authority and asks it for the most recent network-status + documents for all the authorities the authority knows about (including + the chosen authority itself). + + Directory servers and mirrors remember and serve the most recent + network-status document they have from each authority. Other + network-status documents don't need to be stored. If the most recent + network-status document is over 10 days old, it is discarded anyway. + Mirrors SHOULD store and serve network-status documents from authorities + they don't recognize, but SHOULD NOT use such documents for any other + purpose. Mirrors SHOULD discard network-status documents older than 48 + hours. + +4.3. Downloading and storing router descriptors (authorities and caches) + + Periodically (currently, every 10 seconds), directory servers check + whether there are any specific descriptors (as identified by descriptor + hash in a network-status document) that they do not have and that they + are not currently trying to download. + + If so, the directory server launches requests to the authorities for these + descriptors, such that each authority is only asked for descriptors listed + in its most recent network-status. When more than one authority lists the + descriptor, we choose which to ask at random. + + If one of these downloads fails, we do not try to download that descriptor + from the authority that failed to serve it again unless we receive a newer + network-status from that authority that lists the same descriptor. + + Directory servers must potentially cache multiple descriptors for each + router. Servers must not discard any descriptor listed by any current + network-status document from any authority. If there is enough space to + store additional descriptors, servers SHOULD try to hold those which + clients are likely to download the most. (Currently, this is judged + based on the interval for which each descriptor seemed newest.) + + Authorities SHOULD NOT download descriptors for routers that they would + immediately reject for reasons listed in 3.1. + +4.4. HTTP URLs + + "Fingerprints" in these URLs are base16-encoded SHA1 hashes. + + The authoritative network-status published by a host should be available at: + http:///tor/status/authority.z + + The network-status published by a host with fingerprint + should be available at: + http:///tor/status/fp/.z + + The network-status documents published by hosts with fingerprints + ,, should be available at: + http:///tor/status/fp/++.z + + The most recent network-status documents from all known authorities, + concatenated, should be available at: + http:///tor/status/all.z + + The most recent descriptor for a server whose identity key has a + fingerprint of should be available at: + http:///tor/server/fp/.z + + The most recent descriptors for servers with identity fingerprints + ,, should be available at: + http:///tor/server/fp/++.z + + (NOTE: Implementations SHOULD NOT download descriptors by identity key + fingerprint. This allows a corrupted server (in collusion with a cache) to + provide a unique descriptor to a client, and thereby partition that client + from the rest of the network.) + + The server descriptor with (descriptor) digest (in hex) should be + available at: + http:///tor/server/d/.z + + The most recent descriptors with digests ,, should be + available at: + http:///tor/server/d/++.z + + The most recent descriptor for this server should be at: + http:///tor/server/authority.z + [Nothing in the Tor protocol uses this resource yet, but it is useful + for debugging purposes. Also, the official Tor implementations + (starting at 0.1.1.x) use this resource to test whether a server's + own DirPort is reachable.] + + A concatenated set of the most recent descriptors for all known servers + should be available at: + http:///tor/server/all.z + + For debugging, directories SHOULD expose non-compressed objects at URLs like + the above, but without the final ".z". + Clients MUST handle compressed concatenated information in two forms: + - A concatenated list of zlib-compressed objects. + - A zlib-compressed concatenated list of objects. + Directory servers MAY generate either format: the former requires less + CPU, but the latter requires less bandwidth. + + Clients SHOULD use upper case letters (A-F) when base16-encoding + fingerprints. Servers MUST accept both upper and lower case fingerprints + in requests. + +5. Client operation: downloading information + + Every Tor that is not a directory server (that is, those that do + not have a DirPort set) implements this section. + +5.1. Downloading network-status documents + + Each client maintains an ordered list of directory authorities. + Insofar as possible, clients SHOULD all use the same ordered list. + + For each network-status document a client has, it keeps track of its + publication time *and* the time when the client retrieved it. Clients + consider a network-status document "live" if it was published within the + last 24 hours. + + Clients try to have a live network-status document hours from *every* + authority, and try to periodically get new network-status documents from + each authority in rotation as follows: + + If a client is missing a live network-status document for any + authority, it tries to fetch it from a directory cache. On failure, + the client waits briefly, then tries that network-status document + again from another cache. The client does not build circuits until it + has live network-status documents from more than half the authorities + it trusts, and it has descriptors for more than 1/4 of the routers + that it believes are running. + + If the most recently _retrieved_ network-status document is over 30 + minutes old, the client attempts to download a network-status document. + When choosing which documents to download, clients treat their list of + directory authorities as a circular ring, and begin with the authority + appearing immediately after the authority for their most recently + retrieved network-status document. If this attempt fails (either it + fails to download at all, or the one it gets is not as good as the + one it has), the client retries at other caches several times, before + moving on to the next network-status document in sequence. + + Clients discard all network-status documents over 24 hours old. + + If enough mirrors (currently 4) claim not to have a given network status, + we stop trying to download that authority's network-status, until we + download a new network-status that makes us believe that the authority in + question is running. Clients should wait a little longer after each + failure. + + Clients SHOULD try to batch as many network-status requests as possible + into each HTTP GET. + + (Note: clients can and should pick caches based on the network-status + information they have: once they have first fetched network-status info + from an authority, they should not need to go to the authority directly + again.) + +5.2. Downloading and storing router descriptors + + Clients try to have the best descriptor for each router. A descriptor is + "best" if: + * It is the most recently published descriptor listed for that router + by at least two network-status documents. + OR, + * No descriptor for that router is listed by two or more + network-status documents, and it is the most recently published + descriptor listed by any network-status document. + + Periodically (currently every 10 seconds) clients check whether there are + any "downloadable" descriptors. A descriptor is downloadable if: + - It is the "best" descriptor for some router. + - The descriptor was published at least 10 minutes in the past. + (This prevents clients from trying to fetch descriptors that the + mirrors have probably not yet retrieved and cached.) + - The client does not currently have it. + - The client is not currently trying to download it. + - The client would not discard it immediately upon receiving it. + - The client thinks it is running and valid (see 6.1 below). + + If at least 16 known routers have downloadable descriptors, or if + enough time (currently 10 minutes) has passed since the last time the + client tried to download descriptors, it launches requests for all + downloadable descriptors, as described in 5.3 below. + + When a descriptor download fails, the client notes it, and does not + consider the descriptor downloadable again until a certain amount of time + has passed. (Currently 0 seconds for the first failure, 60 seconds for the + second, 5 minutes for the third, 10 minutes for the fourth, and 1 day + thereafter.) Periodically (currently once an hour) clients reset the + failure count. + + No descriptors are downloaded until the client has downloaded more than + half of the network-status documents. + + Clients retain the most recent descriptor they have downloaded for each + router so long as it is not too old (currently, 48 hours), OR so long as + it is recommended by at least one networkstatus AND no "better" + descriptor has been downloaded. [Versions of Tor before 0.1.2.3-alpha + would discard descriptors simply for being published too far in the past.] + [The code seems to discard descriptors in all cases after they're 5 + days old. True? -RD] + +5.3. Managing downloads + + When a client has no live network-status documents, it downloads + network-status documents from a randomly chosen authority. In all other + cases, the client downloads from mirrors randomly chosen from among those + believed to be V2 directory servers. (This information comes from the + network-status documents; see 6 below.) + + When downloading multiple router descriptors, the client chooses multiple + mirrors so that: + - At least 3 different mirrors are used, except when this would result + in more than one request for under 4 descriptors. + - No more than 128 descriptors are requested from a single mirror. + - Otherwise, as few mirrors as possible are used. + After choosing mirrors, the client divides the descriptors among them + randomly. + + After receiving any response client MUST discard any network-status + documents and descriptors that it did not request. + +6. Using directory information + + Everyone besides directory authorities uses the approaches in this section + to decide which servers to use and what their keys are likely to be. + (Directory authorities just believe their own opinions, as in 3.1 above.) + +6.1. Choosing routers for circuits. + + Tor implementations only pay attention to "live" network-status documents. + A network status is "live" if it is the most recently downloaded network + status document for a given directory server, and the server is a + directory server trusted by the client, and the network-status document is + no more than 1 day old. + + For time-sensitive information, Tor implementations focus on "recent" + network-status documents. A network status is "recent" if it is live, and + if it was published in the last 60 minutes. If there are fewer + than 3 such documents, the most recently published 3 are "recent." If + there are fewer than 3 in all, all are "recent.") + + Circuits SHOULD NOT be built until the client has enough directory + information: network-statuses (or failed attempts to download + network-statuses) for all authorities, network-statuses for at more than + half of the authorities, and descriptors for at least 1/4 of the servers + believed to be running. + + A server is "listed" if it is included by more than half of the live + network status documents. Clients SHOULD NOT use unlisted servers. + + Clients believe the flags "Valid", "Exit", "Fast", "Guard", "Stable", and + "V2Dir" about a given router when they are asserted by more than half of + the live network-status documents. Clients believe the flag "Running" if + it is listed by more than half of the recent network-status documents. + + These flags are used as follows: + + - Clients SHOULD NOT use non-'Valid' or non-'Running' routers unless + requested to do so. + + - Clients SHOULD NOT use non-'Fast' routers for any purpose other than + very-low-bandwidth circuits (such as introduction circuits). + + - Clients SHOULD NOT use non-'Stable' routers for circuits that are + likely to need to be open for a very long time (such as those used for + IRC or SSH connections). + + - Clients SHOULD NOT choose non-'Guard' nodes when picking entry guard + nodes. + + - Clients SHOULD NOT download directory information from non-'V2Dir' + caches. + +6.2. Managing naming + + In order to provide human-memorable names for individual server + identities, some directory servers bind names to IDs. Clients handle + names in two ways: + + When a client encounters a name it has not mapped before: + + If all the live "Naming" network-status documents the client has + claim that the name binds to some identity ID, and the client has at + least three live network-status documents, the client maps the name to + ID. + + When a user tries to refer to a router with a name that does not have a + mapping under the above rules, the implementation SHOULD warn the user. + After giving the warning, the implementation MAY use a router that at + least one Naming authority maps the name to, so long as no other naming + authority maps that name to a different router. If no Naming authority + maps the name to a router, the implementation MAY use any router that + advertises the name. + + Not every router needs a nickname. When a router doesn't configure a + nickname, it publishes with the default nickname "Unnamed". Authorities + SHOULD NOT ever mark a router with this nickname as Named; client software + SHOULD NOT ever use a router in response to a user request for a router + called "Unnamed". + +6.3. Software versions + + An implementation of Tor SHOULD warn when it has fetched (or has + attempted to fetch and failed four consecutive times) a network-status + for each authority, and it is running a software version + not listed on more than half of the live "Versioning" network-status + documents. + +6.4. Warning about a router's status. + + If a router tries to publish its descriptor to a Naming authority + that has its nickname mapped to another key, the router SHOULD + warn the operator that it is either using the wrong key or is using + an already claimed nickname. + + If a router has fetched (or attempted to fetch and failed four + consecutive times) a network-status for every authority, and at + least one of the authorities is "Naming", and no live "Naming" + authorities publish a binding for the router's nickname, the + router MAY remind the operator that the chosen nickname is not + bound to this key at the authorities, and suggest contacting the + authority operators. + + ... + +6.5. Router protocol versions + + A client should believe that a router supports a given feature if that + feature is supported by the router or protocol versions in more than half + of the live networkstatus's "v" entries for that router. In other words, + if the "v" entries for some router are: + v Tor 0.0.8pre1 (from authority 1) + v Tor 0.1.2.11 (from authority 2) + v FutureProtocolDescription 99 (from authority 3) + then the client should believe that the router supports any feature + supported by 0.1.2.11. + + This is currently equivalent to believing the median declared version for + a router in all live networkstatuses. + +7. Standards compliance + + All clients and servers MUST support HTTP 1.0. + +7.1. HTTP headers + + Servers MAY set the Content-Length: header. Servers SHOULD set + Content-Encoding to "deflate" or "identity". + + Servers MAY include an X-Your-Address-Is: header, whose value is the + apparent IP address of the client connecting to them (as a dotted quad). + For directory connections tunneled over a BEGIN_DIR stream, servers SHOULD + report the IP from which the circuit carrying the BEGIN_DIR stream reached + them. + + Servers SHOULD disable caching of multiple network statuses or multiple + router descriptors. Servers MAY enable caching of single descriptors, + single network statuses, the list of all router descriptors, a v1 + directory, or a v1 running routers document. XXX mention times. + +7.2. HTTP status codes + + XXX We should write down what return codes dirservers send in what + situations. + -- cgit v1.2.3-54-g00ecf