Ticket #690: 144-enforce-distinct-providers.txt

File 144-enforce-distinct-providers.txt, 6.4 KB (added by amis, 11 years ago)

Proposal submitted to the list

Filename: 144-enforce-distinct-providers.txt
Title: Increase the diversity of circuits by detecting nodes belonging to the
  same provider
Author: Mfr
Created: 2008-06-15
Status: Draft

Overview:

  Increase network security by reducing the ability of relay operators
  or ISPs, acting on their own or under requisition, to monitor a large
  part of Tor traffic in an attempt to break circuit privacy.  This is a
  way to increase the diversity of circuits without killing network
  performance.

Motivation:

  Since Roger and Nick's 2004 publication about diversity [1], the very
  fast Tor relays have become concentrated among half a dozen providers,
  which control the traffic of some dozens of routers [2].

  Likewise, the spread of clonable VMs billed by the hour makes it
  possible to start, within a few minutes and at small cost, a set of
  very high-speed relays that in a few hours can attract a large amount
  of traffic for analysis, increasing the vulnerability of the network.

  Whether ISPs or domU providers, these usually hold several class B IP
  ranges.  So the existing EnforceDistinctSubnets restriction, which
  automatically excludes relays in the same class B subnet, is only
  partially effective.  By contrast, a restriction at the class A level
  would be too restrictive.

  Therefore it seems necessary to consider another approach.

Proposal:

  Add a provider check based on the AS number, which the router adds to
  its descriptor, which is verified by the directory authorities, and
  which is used like the declarative family field when creating circuits.

Design:

Step 1:

  Add to the router descriptor provider information obtained by request [4]
  by the router itself.

         "provider" name NL

            'name' is the AS number of the router, formatted like this:
            'ASxxxxxx', where AS is fixed and xxxxxx is the AS number,
            left aligned (e.g. AS98304, AS4096, AS1).  If the AS number
            is missing, the network class A number is used instead, like
            this: 'ANxxx', where AN is fixed and xxx is the first 3 digits
            of the IP (e.g. AN1 for the IP 1.1.1.2).  An 'L' value is set
            if it's a local network IP.

            If two ORs list one another in their "provider" entries,
            then OPs should treat them as a single OR for the purpose
            of path selection.

            For example, if node A's descriptor contains "provider B",
            and node B's descriptor contains "provider A", then node A
            and node B should never be used on the same circuit.

    Add the corresponding config option in torrc

            EnforceDistinctProviders, set to 1 by default.
            Permits building circuits with relays in the same provider
            if set to 0.
            With regard to proposal 135, if TestingTorNetwork is set,
            EnforceDistinctProviders needs to be unset.

    Control of the AS numbers by the directory authorities

         The directory authorities check the AS number of each newly
         uploaded node descriptor.

            If the node runs an old version, this test is bypassed.

            If the AS number obtained by request differs from the one in
            the descriptor, the router is flagged as non-Valid by the
            testing authority for the voting process.

Step 2: When a 'significant number of nodes' of valid routers are
generating descriptors with provider information.

        Add, for the circuit user, the ability to get missing provider
        information by DNS request:

                While computing a circuit, the OP first applies the
                family check and EnforceDistinctSubnets directives, for
                performance; then, if provider info is needed and
                missing from the router descriptor, it tries to get the
                AS provider info by DNS request [4].  This information
                could be DNS cached.  AN (class A number) is never
                generated during this process, to prevent DNS block
                problems.  If the DNS request fails, ignore it and
                continue building the circuit.

Step 3: When the 'whole majority' of valid Tor clients are providing
DNS request.

        Older versions are deprecated and marked as non-Valid.

        EnforceDistinctProviders replaces the EnforceDistinctSubnets
        functionality.

        EnforceDistinctSubnets is removed.

        Functionalities deployed in step 2 are removed.

Security implications:

      This provider measure will increase the number of providers'
      addresses that an attacker must use in order to carry out
      traffic analysis.

Compatibility:

        The presented protocol does not raise compatibility issues
        with current Tor versions. The compatibility is preserved by
        implementing this functionality in 3 steps, giving time to
        network users to upgrade clients and routers.

Performance and scalability notes:

        Changing provider for every router could reduce performance a
        little if the circuit is too long.

        During step 2, getting missing provider information could
        increase path building time and should have a timeout.

Possible Attacks/Open Issues/Some thinking required:

        This proposal seems to be compatible with proposal 135, Simplify
        Configuration of Private Tor Networks.

        This proposal does not resolve traffic monitoring attacks by
        owners of multiple ASes or by top providers [5].

        Unresolved AS numbers are treated as a class A network.  Perhaps
        they should be marked as invalid.  But there were only five such
        items at the last check; see [2].

        Need to define what's a 'significant number of nodes' and
        'whole majority' ;-)

References:
[1] Location Diversity in Anonymity Networks by Nick Feamster and Roger
Dingledine.
In the Proceedings of the Workshop on Privacy in the Electronic Society
(WPES 2004), Washington, DC, USA, October 2004
http://freehaven.net/anonbib/#feamster:wpes2004
[2] http://as4jtw5gc6efb267.onion/IPListbyAS.txt
[3] see Goodell Tor Exit Page
http://cassandra.eecs.harvard.edu/cgi-bin/exit.py
[4] see the great IP to ASN DNS Tool
http://www.team-cymru.org/Services/ip-to-asn.html
[5] Sampled Traffic Analysis by Internet-Exchange-Level Adversaries by
Steven J. Murdoch and Piotr Zielinski.
In the Proceedings of the Seventh Workshop on Privacy Enhancing Technologies
(PET 2007), Ottawa, Canada, June 2007.
http://freehaven.net/anonbib/#murdoch-pet2007
[5] http://bugs.noreply.org/flyspray/index.php?do=details&id=690