Opened 11 months ago

Last modified 11 months ago

#27816 new defect

Rendezvous failures could distinguish "unknown cookie" from "outdated cookie"

Reported by: arma
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

dgoulet spoke of getting a bunch of these on his relay:
"(protocol warn): [warn] Rejecting RENDEZVOUS1 cell with unrecognized rendezvous cookie"

His theory was that maybe jerks are sending introduction requests when they never made the rendezvous circuit at all (and #25066 would address this possibility), but I think the explanation is much simpler: a real client *had* the rendezvous point established, but closed it (gave up) before the service got around to trying to connect to it.

This problem happens because of a timing issue, and when the network or the onion service is under load, the timing issue gets worse, because it takes longer between the introduction attempt and the rendezvous response.

So the patch to consider here is: if we remembered recently-established cookies, we could distinguish between "unknown cookie" and "cookie that would have worked earlier but it's too late now". That would help us know what the problem actually is right now, and also if these messages ramp up suddenly, it would let us distinguish which situation is causing it.

Change History (2)

comment:1 Changed 11 months ago by arma

I'm not actually sure whether this feature would be worth the code complexity of adding it. If it's a ten line change, I'd say awesome let's do it. If it's a 300 line change, I'd be sad to add that into Tor.

comment:2 Changed 11 months ago by dgoulet

Cc: dgoulet removed
Keywords: tor-hs added
Milestone: Tor: unspecified

That would require a major refactoring of the rendezvous cookie cache. We use the hs_circuitmap subsystem, meaning that we associate cookie -> circuit ... and thus if the circuit disappears, the cookie follows.

Keeping that cookie alive after the circuit is closed would need us to have a separate cache where entries would be kept for N minutes. It is probably closer to the 300 lines theory ;).
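
A sketch of the separate cache discussed in this ticket, added here as an illustration; it is not code from the ticket or from Tor. All function and type names are hypothetical, the slot count and TTL are assumed values, and the 20-byte cookie length is the one assumption about the protocol.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>

#define COOKIE_LEN 20       /* rendezvous cookie size in bytes */
#define RECENT_SLOTS 1024   /* assumed bound: memory stays fixed under load */
#define RECENT_TTL 300      /* assumed "N minutes", in seconds */

typedef enum { COOKIE_UNKNOWN, COOKIE_OUTDATED } cookie_miss_t;

typedef struct {
  uint8_t cookie[COOKIE_LEN];
  time_t closed_at;
  int used;
} recent_cookie_t;

/* Fixed-size ring: a flood of closed circuits overwrites old entries
 * instead of growing the cache. */
static recent_cookie_t recent[RECENT_SLOTS];
static unsigned next_slot;

/* Constant-time comparison, so lookup timing does not leak cookie bytes. */
static int cookie_eq(const uint8_t *a, const uint8_t *b) {
  uint8_t diff = 0;
  for (size_t i = 0; i < COOKIE_LEN; i++)
    diff |= a[i] ^ b[i];
  return diff == 0;
}

/* Hypothetical hook: call when a rendezvous circuit closes unused. */
void recent_cookie_note_closed(const uint8_t *cookie, time_t now) {
  recent_cookie_t *e = &recent[next_slot];
  next_slot = (next_slot + 1) % RECENT_SLOTS;  /* overwrite the oldest */
  memcpy(e->cookie, cookie, COOKIE_LEN);
  e->closed_at = now;
  e->used = 1;
}

/* Hypothetical hook: call only after the live cookie -> circuit lookup
 * has missed, to pick which warning to log. Linear scan, bounded by
 * RECENT_SLOTS. */
cookie_miss_t recent_cookie_classify(const uint8_t *cookie, time_t now) {
  for (unsigned i = 0; i < RECENT_SLOTS; i++) {
    const recent_cookie_t *e = &recent[i];
    if (e->used && now - e->closed_at <= RECENT_TTL &&
        cookie_eq(e->cookie, cookie))
      return COOKIE_OUTDATED;
  }
  return COOKIE_UNKNOWN;
}
```

The ring stores only the cookie and a close time, so it holds no reference to the freed circuit and never revives it; it only changes which message is logged on a miss.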