From 952024f5c354d59d0df51b6c2fe94045fa9cb926 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 3 Mar 2021 14:13:48 -0500
Subject: Describe handling of END cells and half-open streams.

Originally designed in tor#25573 as part of a defense for the
DropMark attack by Rochet and Pereira.

Closes torspec#33.
---
 tor-spec.txt | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'tor-spec.txt')

diff --git a/tor-spec.txt b/tor-spec.txt
index 11a991a..62b7d5d 100644
--- a/tor-spec.txt
+++ b/tor-spec.txt
@@ -1822,6 +1822,16 @@ see tor-design.pdf.
    [*] Older versions of Tor also send this reason when connections are
        reset.
 
+   Upon receiving a RELAY_END cell, the recipient may be sure that no further
+   cells will arrive on that stream, and can treat such cells as a protocol
+   violation.
+
+   After sending a RELAY_END cell, the sender needs to give the recipient
+   time to receive that cell.  In the meantime, the sender SHOULD remember
+   how many cells of which types (CONNECTED, SENDME, DATA) that it would have
+   accepted on that stream, and SHOULD kill the circuit if it receives more
+   than permitted.
+
    --- [The rest of this section describes unimplemented functionality.]
 
    Because TCP connections can be half-open, we follow an equivalent
-- 
cgit v1.2.3-54-g00ecf