1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
|
Filename: 252-single-onion.txt
Title: Single Onion Services
Author: John Brooks, Paul Syverson, Roger Dingledine
Created: 2015-07-13
Status: Superseded
Superseded-by: 260
1. Overview
Single onion services are a modified form of onion services, which trade
service-side location privacy for improved performance, reliability, and
scalability.
Single onion services have a .onion address identical to any other onion
service. The descriptor contains information sufficient to do a relay
extend of a circuit to the onion service and to open a stream for the onion
address. The introduction point and rendezvous protocols are bypassed for
these services.
We also specify behavior for a tor instance to publish a single onion
service, which requires a reachable OR port, without necessarily acting
as a public relay in the network.
2. Motivation
Single onion services have a few benefits over double onion services:
* Connection latency is much lower by skipping rendezvous
* Stream latency is reduced on a 4-hop circuit
* Removing rendezvous circuits improves service scalability
* A single onion service can use multiple relays for load balancing
Single onion services are not location hidden on the service side,
but clients retain all of the benefits and privacy of onion
services. More details, relation to double onion services, and the
rationale for the 'single' and 'double' nomenclature are further
described in section 7.4.
We believe these improvements, along with the other benefits of onion
services, will be a significant incentive for website and other internet
service operators to provide these portals to preserve the privacy of their
users.
3. Onion descriptors
The onion descriptor format is extended to add:
"service-extend-locations" NL encrypted-string
[At most once]
A list of relay extend info, which is used instead of introduction
points and rendezvous for single onion services. This field is
encoded and optionally encrypted in the same way as the
"introduction-points" field.
The encoded contents of this field contains no more than 10 entries,
each containing the following data:
"service-extend-location" SP link-specifiers NL
[At start, exactly once]
link-specifiers is a base64 encoded link specifier block, in
the format described by proposal 224 [BUILDING-BLOCKS] and the
EXTEND2 cell.
"onion-key" SP key-type NL onion-key
[Exactly once]
Describes the onion key that must be used when extending to the
single onion service relay.
The key-type field is one of:
"tap"
onion-key is a PEM-encoded RSA relay onion key
"ntor"
onion-key is a base64-encoded NTOR relay onion key
[XXX: Should there be some kind of cookie to prove that we have the desc?
See also section 7.1. -special]
A descriptor may contain either or both of "introduction-points" and
"service-extend-locations"; see section 5.2.
[XXX: What kind of backwards compatibility issues exist here? Will existing
relays accept one of those descriptors? -special]
4. Reaching a single onion service as a client
Single onion services use normal onion hostnames, so the client will first
request the service's descriptor. If the descriptor contains a
"service-extend-locations" field, the client should ignore the introduction
points and rendezvous process in favor of the process defined here.
The descriptor's "service-extend-locations" information is sufficient for a
client to extend a circuit to the onion service, regardless of whether it
is also listed as a relay in the network consensus. This extend info must
not be used for any other purpose. If multiple extend locations are
specified, the client should randomly select one.
The client uses a 3-hop circuit to extend to the service location from the
descriptor. Once this circuit is built, the client sends a BEGIN cell to
the relay, with the onion address as hostname and the desired TCP port.
If the circuit or stream fails, the client should retry using another
extend location from the descriptor. If all extend locations fail, and the
descriptor contains an "introduction-points" field, the client may fall
back to a full rendezvous operation.
5. Publishing a single onion service
To act as a single onion service, a tor instance (or cooperating group of
tor instances) must:
* Have a publicly accessible OR port
* Publish onion descriptors in the same manner as any onion service
* Include a "service-extend-locations" section in the onion descriptor
* Accept RELAY_BEGIN cells for the service as defined in section 5.3
5.1. Configuration options
The tor server operating a single onion service must accept connections as
a tor relay, but is not required to be published in the consensus or to
allow extending circuits. To enable this, we propose the following
configuration option:
RelayAllowExtend 0|1
If set, allow clients to extend circuits from this relay. Otherwise,
refuse all extend cells. PublishServerDescriptor must also be disabled
if this option is disabled. If ExitRelay is also disabled, this relay
will not pass through any traffic.
5.2. Publishing descriptors
A single onion service must publish descriptors in the same manner as any
onion service, as defined by rend-spec and section 3 of this proposal.
Optionally, a set of introduction points may be included in the descriptor
to provide backwards compatibility with clients that don't support single
onion services, or to provide a fallback when the extend locations fail.
5.3. RELAY_BEGIN
When a RELAY_BEGIN cell is received with a configured single onion hostname
as the destination, the stream should be connected to the configured
backend server in the same manner as a service-side rendezvous stream.
All relays must reject any RELAY_BEGIN cell with an address ending in
".onion" that does not match a locally configured single onion service.
6. Other considerations
6.1. Load balancing
High capacity services can distribute load by including multiple entries in
the "service-extend-locations" section of the descriptor, or by publishing
several descriptors to different onion service directories, or by a
combination of these methods.
6.2. Benefits of also running a Tor relay
If a single onion service also acts as a published tor relay, it will keep
connections to many other tor relays. This can significantly reduce the
latency of connections to the single onion service, and also helps the tor
network.
6.3. Proposal 224 ("Next-Generation Hidden Services")
This proposal is compatible with proposal 224, with small changes to the
service descriptor format. In particular:
The "service-extend-location" sections are included in the encrypted
portion of the descriptor, adjacent to any "introduction-point" sections.
The "service-extend-locations" field is no longer present. An onion service
is also single onion service if any "service-extend-location" field is
present.
6.4. Proposal 246 ("Merging Hidden Service Directories and Intro Points")
This proposal is compatible with proposal 246. The onion service will
publish its descriptor to the introduction points in the same manner as any
other onion service. The client may choose to build a circuit to the
specified relays, or to continue with the rendezvous protocol.
The client should not extend from the introduction point to the single
onion service's relay, to avoid overloading the introduction point. The
client may truncate the circuit and extend through a new relay.
7. Discussion
7.1. Authorization
Client authorization for a single onion service is possible through
encryption of the service-extend-locations section in the descriptor, or
"stealth" publication under a new onion address, as with traditional onion
services.
One problem with this is that if you suspect a relay is also serving a
single onion service, you can connect to it and send RELAY_BEGIN without
any further authorization. To prevent this, we would need to include a
cookie from the descriptor in the RELAY_BEGIN information.
7.2. Preventing relays from being unintentionally published
Many single onion servers will not want to relay other traffic, and will
set 'PublishServerDescriptor 0' to prevent it. Even when they do, they will
still generate a relay descriptor, which could be downloaded and published
to a directory authority without the relay's consent. To prevent this, we
should insert a field in the relay descriptor when PublishServerDescriptor
is disabled that instructs relays to never include it as part of a
consensus.
[XXX: Also see task #16564]
7.3. Ephemeral single onion services (ADD_ONION)
The ADD_ONION control port command could be extended to support ephemerally
configured single onion services. We encourage this, but specifying its
behavior is out of the scope of this proposal.
7.4. Onion service taxonomy and nomenclature
Onion services in general provide several benefits. First, by requiring a
connection via Tor they provide the client the protections of Tor and make
it much more difficult to inadvertently bypass those protections than when
connecting to a non .onion site. Second, because .onion addresses are
self-authenticating, onion services have look-up, routing, and
authentication protections not provided by sites with standard domain
addresses. These benefits apply to all onion services.
Onion services as originally introduced also provide network location
hiding of the service itself: because the client only ever connects through
the end of a Tor circuit created by the onion service, the IP address of
the onion service also remains protected.
Applications and services already exist that use existing onion service
protocols for the above described general benefits without the need for
network location hiding. This Proposal is accordingly motivated by a desire
to provide the general benefits, without the complexity and overhead of
also protecting the location of the service.
Further, as with what had originally been called 'location hidden
services', there may be useful and valid applications of this design that
are not reflected in our current intent. Just as 'location hidden service'
is a misleading name for many current onion service applications, we prefer
a name that is descriptive of the system but flexible with respect to
applications of it. We also prefer a nomenclature that consistently works
for the different types of onion services.
It is also important to have short, simple names lest usage efficiencies
evolve easier names for us. For example, 'hidden service' has replaced the
original 'location hidden service' in Tor Proposals and other writings.
For these reasons, we have chosen 'onion services' to refer to both those
as set out in this Proposal and those with the client-side and server-side
protections of the original---also for referring indiscriminately to any
and all onion services. We use 'double-onion service' to refer to services
that join two Tor circuits, one from the server and one from the client. We
use 'single-onion' when referring to services that use only a client-side
Tor circuit. In speech we sometimes use the even briefer, 'two-nion' and
'one-ion' respectively.
|
