Opened 4 years ago

Closed 2 years ago

#17358 closed enhancement (fixed)

Decide what options to disable with Single Onion Services

Reported by: teor
Owned by: teor
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: sos, rsos, single-onion tor-hs
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Tor2Web mode disables certain options because one-hop paths break them.
Single Onion Services (all flavours) should do this as well.

We might also want to recommend setting DisablePredictedCircuits as well, as descriptor uploads are the only task that uses predicted circuits. (One-hop circuits aren't cannibalized or re-used for intro and rendezvous point connections.)

options_validate() currently disables LearnCircuitBuildTimeout and UseEntryGuards:

  if (options->Tor2webMode && options->LearnCircuitBuildTimeout) {
    /* LearnCircuitBuildTimeout and Tor2webMode are incompatible in
     * two ways:
     * - LearnCircuitBuildTimeout results in a low CBT, which
     *   Tor2webMode's use of one-hop rendezvous circuits lowers
     *   much further, producing *far* too many timeouts.
     * - The adaptive CBT code does not update its timeout estimate
     *   using build times for single-hop circuits.
     * If we fix both of these issues someday, we should test
     * Tor2webMode with LearnCircuitBuildTimeout on again. */
    log_notice(LD_CONFIG,"Tor2webMode is enabled; turning "
               "LearnCircuitBuildTimeout off.");
    options->LearnCircuitBuildTimeout = 0;
  }

  if (options->Tor2webMode && options->UseEntryGuards) {
    /* tor2web mode clients do not (and should not) use entry guards
     * in any meaningful way.  Further, tor2web mode causes the hidden
     * service client code to do things which break the path bias
     * detector, and it's far easier to turn off entry guards (and
     * thus the path bias detector with it) than to figure out how to
     * make a piece of code which cannot possibly help tor2web mode
     * users compatible with tor2web mode.
     */
    log_notice(LD_CONFIG,
               "Tor2WebMode is enabled; disabling UseEntryGuards.");
    options->UseEntryGuards = 0;
  }

Change History (14)

comment:1 Changed 4 years ago by teor

Open questions:

Do we want to recommend a value for CircuitBuildTimeout?
The default is 60 seconds.

Do we want to recommend a value for CircuitIdleTimeout? (The timeout for unused circuits.)
The default is 1 hour, but if operators set RendPostPeriod to 10 minutes, they could make it 21 minutes, as the only predicted circuits Tor uses are for descriptor posting:

  • when the descriptor becomes dirty (or on startup), and
  • a random time between 0 and 2*RendPostPeriod later

I don't think that setting any of the performance options in the proposal is necessary, but we should update the manual page RSOS option so it mentions them.

asn tells me that the security recommendations are unnecessary; we already warn users not to run a relay or client with their onion service.

comment:2 Changed 4 years ago by teor

Now that I think about it, we should just leave CircuitIdleTimeout alone, unless it becomes a problem.

comment:3 Changed 4 years ago by teor

Keywords: rsos sos added

This applies to both SOS and RSOS.

comment:4 Changed 4 years ago by nickm

Milestone: Tor: 0.2.8.x-final → Tor: 0.2.9.x-final

It is impossible that we will fix all 226 currently open 028 tickets before 028 releases. Time to move some out. This is my second pass through the "new" and tickets, looking for things to move to 0.2.9.

comment:5 Changed 4 years ago by teor

Milestone: Tor: 0.2.9.x-final → Tor: 0.2.8.x-final
Owner: set to teor
Status: new → assigned

I think I can get this fixed as part of #17178.

comment:6 Changed 4 years ago by teor

Keywords: TorCoreTeam201602 added

comment:7 Changed 4 years ago by teor

Keywords: rsos TorCoreTeam201602 removed
Milestone: Tor: 0.2.8.x-final → Tor: 0.2.9.x-final
Parent ID: #17178 → #18178

Fixed in #17178.

Like Tor2web, disabled:

  • LearnCircuitBuildTimeout, and
  • UseEntryGuards.

Can't set:

  • DisablePredictedCircuits 1

because Tor won't bootstrap with it set (#17359).

Chose not to set the performance options:

  • LongLivedPorts "" (the empty string),
  • PredictedPortsRelevanceTime 0 seconds, and
  • RendPostPeriod 600 seconds,

because they might not suit some operators, and operators of high-volume sites can set them themselves.

Still needs to be done for SOS, reparenting to #18178 so I don't forget.
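
An added example, not part of the ticket or of Tor's code: a small torrc audit that applies the decisions listed in comment:7 to an operator's configuration. The function names, severity labels and sample torrc are constructed for illustration, the caller is assumed to know the file belongs to a single onion service, and the parser is deliberately simplified.

```python
"""Audit a torrc against the option decisions recorded in this ticket (added example)."""

FORCED_OFF = ("LearnCircuitBuildTimeout", "UseEntryGuards")
OPERATOR_CHOICE = ("LongLivedPorts", "PredictedPortsRelevanceTime", "RendPostPeriod")

# Constructed sample torrc, not taken from the ticket.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/site
HiddenServicePort 80 127.0.0.1:8080
useentryguards 1
LearnCircuitBuildTimeout 0
DisablePredictedCircuits 1
RendPostPeriod 600 seconds   # high-volume site
"""


def parse_torrc(text):
    """Map lowercased option names to values; a repeated option keeps its last value.

    Simplified: '#' always starts a comment and line continuations are ignored.
    """
    options = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            options[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return options


def audit_single_onion(text):
    """Return (severity, option, message) findings for a single onion service torrc.

    Only options written in the file are reported; defaults are not modelled.
    """
    opts = parse_torrc(text)
    findings = []
    for name in FORCED_OFF:
        if opts.get(name.lower()) == "1":
            findings.append(("notice", name, "set to 1, but disabled for one-hop paths"))
    if opts.get("disablepredictedcircuits") == "1":
        findings.append(("error", "DisablePredictedCircuits",
                         "Tor won't bootstrap with this set (#17359)"))
    for name in OPERATOR_CHOICE:
        if name.lower() in opts:
            findings.append(("info", name,
                             "operator-set to %r; not changed automatically" % opts[name.lower()]))
    return findings


if __name__ == "__main__":
    for severity, option, message in audit_single_onion(SAMPLE_TORRC):
        print("[%s] %s: %s" % (severity, option, message))
```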

comment:8 Changed 4 years ago by isabela

Milestone: Tor: 0.2.9.x-final → Tor: 0.2.???

tickets marked to be removed from milestone 029

comment:9 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:10 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:11 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:12 Changed 2 years ago by teor

Keywords: rsos single-onion added
Parent ID: #18178

comment:13 Changed 2 years ago by nickm

Keywords: tor-hs added

comment:14 Changed 2 years ago by teor

Resolution: fixed
Status: assigned → closed

We aren't going to implement the ORPort form of single onion services, so this ticket is done.
