Opened 5 years ago

Closed 4 years ago

Last modified 3 years ago

#13814 closed enhancement (fixed)

Avoid building exit circuits unless we have a consensus that can build exit paths

Reported by: teor
Owned by: teor
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version: Tor: 0.2.6.1-alpha
Severity:
Keywords: lorax tor-relay
Cc: nickm
Actual Points:
Parent ID: #13718
Points:
Reviewer:
Sponsor:

Description (last modified by teor)

Split from #13718:

teor:

I also wonder about the impact of changing the invocation of circuit_build_needed_circs() so that it runs when we know we have internal circuits, rather than waiting for exit circuits.
Should we split it into internal and exit versions? If so, which types of circuits go in each category?

nickm:
That's an interesting question, but it sounds like a separate ticket. Generally, anything that is a predicted circuit, or anything that might carry user traffic, is an exit circuit. Anything else is an internal circuit.

Notes:

Exit Circuits:

  • Predicted Circuits
  • User Traffic Circuits
  • Others (TBC)

Internal Circuits:

  • Hidden Service -> Introduction Point Circuits (TBC)
  • All Other Circuits

The behaviour as of 2.6.0-alpha was to build all these circuits only when we had enough descriptors to build exit circuits. This is perhaps more conservative than required.

arma in #13718:

So there's still value imo in waiting for circuit-building until we have all the network info that we need for a variety of actions. The bug here is that we have the wrong definition of "all the network info that we need" when the network has no exits. So we should be fixing that definition.

Change History (12)

comment:1 Changed 5 years ago by teor

Summary: Build HS IP and other needed circuits earlier, once we can build internal paths → Build HS IP and other internal needed circuits earlier, once we can build internal paths

comment:2 Changed 5 years ago by teor

From the tor man page:

"It is normal to see non-exit circuits (such as those used to connect to hidden services, those that do directory fetches, those used for relay reachability self-tests, and so on)"

Does this mean that we should be able to support a HS-only client mode for tor?
(e.g. ExcludeExitNodes * + StrictNodes 1 + AllowDotExit 0)

I can imagine scenarios where users don't want hacked HS nodes leaking data to the clearnet, and this would be one way of achieving that. (However, the hacked nodes could then leak data to other HS nodes.)

comment:3 Changed 5 years ago by teor

Version: Tor: 0.2.6.1-alpha

OK, so from reading the code, if the network has no exits:

The following circuits should still be built, and are internal:

  • Hidden Service Circuits (Server, Client, Introduction Point)
  • Socks Proxy Circuits (when connected to HSs)

The following circuits should be built, but aren't currently configured as internal:

  • Circuit Build Timeout Circuits

We could conditionally configure these as internal if there are no exits in the consensus.

The following circuits can never be built (and we shouldn't try, as it produces lots of errors):

  • Exit Circuits
  • Socks Proxy Circuits (when connected to Exits)

comment:4 Changed 5 years ago by teor

Description: modified (diff)
Summary: Build HS IP and other internal needed circuits earlier, once we can build internal paths → Avoid building exit circuits unless we have a consensus that can build exit paths

Modified based on arma's comment that we should build all circuits at the same time for security reasons. (So instead, if we can't build exit circuits with a given consensus, don't even try - it just causes lots of errors.)
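
The gate described in comments 3 and 4, as an added example that is not part of the ticket or Tor's own code: it counts relays flagged Exit (and not BadExit) in the "s" lines of a consensus and skips exit-dependent circuits when there are none. The circuit-kind names, the flag-only check and the sample consensus text are assumptions made for illustration; the actual fix is in the branches referenced from #13718.

```c
#include <stdio.h>
#include <string.h>

/* Circuit categories from comment 3 (names here are hypothetical). */
typedef enum { CIRC_HS, CIRC_SOCKS_TO_HS, CIRC_BUILD_TIMEOUT,
               CIRC_EXIT, CIRC_SOCKS_TO_EXIT } circ_kind_t;

/* Return 1 if flag appears as a whole space-delimited token in line. */
static int has_flag(const char *line, const char *flag) {
  size_t n = strlen(flag);
  for (const char *p = line; (p = strstr(p, flag)) != NULL; p += n) {
    if ((p == line || p[-1] == ' ') && (p[n] == ' ' || p[n] == '\0')) return 1;
  }
  return 0;
}

/* Count "s" (status flag) lines that carry Exit but not BadExit. */
int count_usable_exits(const char *consensus) {
  int exits = 0;
  for (const char *line = consensus; line && *line; ) {
    const char *eol = strchr(line, '\n');
    size_t len = eol ? (size_t)(eol - line) : strlen(line);
    char buf[256];
    if (len < sizeof(buf) && strncmp(line, "s ", 2) == 0) {
      memcpy(buf, line, len); buf[len] = '\0';
      if (has_flag(buf, "Exit") && !has_flag(buf, "BadExit")) exits++;
    }
    line = eol ? eol + 1 : NULL;
  }
  return exits;
}

/* Skip the kinds that need an exit when the consensus has none. */
int should_launch(circ_kind_t kind, int usable_exits) {
  if (kind == CIRC_EXIT || kind == CIRC_SOCKS_TO_EXIT)
    return usable_exits > 0;
  return 1; /* internal kinds are still built */
}

/* Constructed samples; "r" lines are shortened to a nickname. */
const char NO_EXITS[] = "r test001\ns Fast Guard Running Valid\n"
                        "r test002\ns Fast HSDir Running Valid\n";
const char ONE_EXIT[] = "r test001\ns Exit Fast Running Valid\n"
                        "r test002\ns BadExit Exit Running Valid\n";

int main(void) {
  printf("%d %d\n", count_usable_exits(NO_EXITS), count_usable_exits(ONE_EXIT));
  return 0;
}
```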

comment:5 Changed 5 years ago by teor

Fixed as part of #13718. Composing commits over the next week.

comment:6 Changed 5 years ago by teor

Owner: set to teor
Status: new → assigned

comment:7 Changed 5 years ago by teor

Status: assigned → needs_review

The changes to tor in #13718 have fixed this:

Bugs: #13718, #13814, maybe #13787, #13839, #13924, #13823, #13929, #13963
Branch: bug13718-fast-bootstrap
Note: There are 5 branches that start with bug13718, please choose the right one.
Repository: https://github.com/teor2345/tor.git

comment:8 Changed 5 years ago by nickm

I'm reviewing your branch bug13814-no-exits-internal-circuits here... once we figure out what to do with the first commit from the #13814 branch. ;)

comment:9 Changed 4 years ago by teor

I've made a significant change to the commit for this change. Updated descriptions & branches in #13718:

These changes to tor are included in commits in:

Bugs: #13718 (and maybe #13787), #13814, #13924
Branch: no-exit-bootstrap
Note: I got confused by all the branches starting with bug13718, so I picked an easier name.
Repository: https://github.com/teor2345/tor.git

The corresponding changes to various torspec documents are in:

Bugs: #13814
Branch: bug13814-no-exits-internal-circuits
Repository: https://github.com/teor2345/torspec.git

comment:10 Changed 4 years ago by nickm

Resolution: fixed
Status: needs_review → closed

see #13718; merged.

comment:11 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:12 Changed 3 years ago by nickm

Milestone: Tor: 0.3.???

Milestone deleted
