| blob | b69bf5398dbc36d10c89e488edbe8afcd75115a1 |
2 Legend:
3 SPEC!! - Not specified
4 SPEC - Spec not finalized
5 NICK - nick claims
6 ARMA - arma claims
7 - Not done
8 * Top priority
9 . Partially done
10 o Done
11 D Deferred
12 X Abandoned
14 Agenda to be resolved:
15 remove truncate, truncated from spec?
16 remove exit-from-middle from spec?
17 add a bit of long-range dummy traffic -- talk to matt
18 instrument 'connected' cell.
19 find some way to report whether bandwidth limit is being hit.
20 begin reputation architecture: kill -USR2 prints opinions about nodes.
21 put IPs in directory, not hostnames. keeps OPs from stalling on resolves.
22 key rotation:
23 tls key rotation
24 symmetric and asymmetric
25 onion key rotation
26 others?
27 Advanced directory servers
28 Figure out how to do threshold directory servers
29 "secondary" directory servers?
30 what does it mean for a directory to be valid? do they expire?
31 productization:
32 preferential per-connection bandwidth limiting
33 pre- or post- tls alternate auth mechanisms.
34 what we could get from windows developers.
35 Look at having smallcells and largecells
36 Bandwidth classes. How do we do this so it works?
37 Rendezvous point design and spec.
38 Non-clique topologies -- easy to implement, hard to decide topology.
39 Certification/accreditation
40 Extensible spec:
41 - e.g. 'router' line more flexible in descriptor
42 - split spec file into mini spec files? finalize some, leave others open?
43 Usability
44 - e.g. if no torrc, use acceptable defaults.
45 Synchronous design?
46 Helper nodes?
47 Interoperability with morphmix
48 plan the codecon talk.
50 Bugs:
51 - Sometimes it picks a middleman node as the exit for a circuit.
52 - if you specify a non-dirserver as exitnode or entrynode, when it
53 makes the first few circuits it hasn't yet fetched the directory,
54 so it warns that it doesn't know the node.
55 - make 'make test' exit(1) if a test fails.
56 - fix buffer unit test so it passes
58 Short-term:
59 - when you hup, rewrite the router.desc file (and maybe others)
60 - consider handling broken socks4 implementations
61 - improve how it behaves when i remove a line from the approved-routers files
62 - Make tls connections tls_close intentionally
63 o Rename ACI to circID
64 . integrate rep_ok functions, see what breaks
65 - update tor faq
66 o obey SocksBindAddress, ORBindAddress
67 o warn if we're running as root
68 o make connection_flush_buf() more obviously obsolete
69 o let hup reread the config file, eg so we can get new exit
70 policies without restarting
71 o Put recommended_versions in a config entry
72 X use times(2) rather than gettimeofday to measure how long it
73 takes to process a cell
74 o Separate trying to rebuild a circuit because you have none from trying
75 to rebuild a circuit because the current one is stale
76 X Continue reading from socks port even while waiting for connect.
77 o Exit policies
78 o Spec how to write the exit policies
79 o Path selection algorithms
80 o Choose path more incrementally
81 o Let user request first/last node
82 o And disallow certain nodes
83 D Choose path by jurisdiction, etc?
84 o Make relay end cells have failure status and payload attached
85 X let non-approved routers handshake.
86 - Dirserver shouldn't put you in running-routers list if you haven't
87 uploaded a descriptor recently
88 . migrate to using nickname rather than addr:port for routers
89 o decide_aci_type
90 - generate onion skins
91 - circuit_send_next_onion_skin
92 - circuit_extend
93 - onion_generate_cpath
94 - get_unique_aci_by_addr_port
95 - circ->n_addr and circ->n_port
96 - circuit_enumerate_by_naddr_nport
97 - cpath layers
98 - connection_or_connect
99 - connection_exact_get_by_addr_port
100 - connection_twin_get_by_addr_port
101 - router_get_by_addr_port
102 - connection_or_init_conn_from_router
103 - tag_pack, tag_unpack, connection_cpu_process_inbuf
104 - directory_initiate_command
105 . Move from onions to ephemeral DH
106 o incremental path building
107 o transition circuit-level sendmes to hop-level sendmes
108 o implement truncate, truncated
109 o move from 192byte DH to 128byte DH, so it isn't so damn slow
110 - exiting from not-last hop
111 - OP logic to decide to extend/truncate a path
112 - make sure exiting from the not-last hop works
113 - logic to find last *open* hop, not last hop, in cpath
114 o Remember address and port when beginning.
115 - Extend by nickname/hostname/something, not by IP.
116 - Need a relay teardown cell, separate from one-way ends.
117 - remove per-connection rate limiting
118 - Make it harder to circumvent bandwidth caps: look at number of bytes
119 sent across sockets, not number sent inside TLS stream.
121 On-going
122 . Better comments for functions!
123 . Go through log messages, reduce confusing error messages.
124 . make the logs include more info (fd, etc)
125 . Unit tests
126 . Update the spec so it matches the code
128 Mid-term:
129 - Rotate tls-level connections -- make new ones, expire old ones.
130 So we get actual key rotation, not just symmetric key rotation
131 o Are there anonymity issues with sequential streamIDs? Sequential
132 circIDs? Eg an attacker can learn how many there have been.
133 The fix is to initialize them randomly rather than at 1.
134 - Look at having smallcells and largecells
135 . Redo scheduler
136 o fix SSL_read bug for buffered records
137 - make round-robining more fair
138 - What happens when a circuit's length is 1? What breaks?
139 . streams / circuits
140 o Implement streams
141 o Rotate circuits after N minutes?
142 X Circuits should expire when circuit->expire triggers
143 NICK . Handle half-open connections
144 o openssh is an application that uses half-open connections
145 o Figure out what causes connections to close, standardize
146 when we mark a connection vs when we tear it down
147 o Look at what ssl does to keep from mutating data streams
148 o Put CPU workers in separate processes
149 o Handle multiple cpu workers (one for each cpu, plus one)
150 o Queue for pending tasks if all workers full
151 o Support the 'process this onion' task
152 D Merge dnsworkers and cpuworkers to some extent
153 o Handle cpuworkers dying
154 . Scrubbing proxies
155 - Find an smtp proxy?
156 - Check the old smtp proxy code
157 o Find an ftp proxy? wget --passive
158 D Wait until there are packet redirectors for Linux
159 . Get socks4a support into Mozilla
160 . Develop rendezvous points
161 X Handle socks commands other than connect, eg, bind?
162 o Design
163 - Spec
164 - Implement
165 . Tests
166 o Testing harness/infrastructure
167 D System tests (how?)
168 - Performance tests, so we know when we've improved
169 . webload infrastructure (Bruce)
170 . httperf infrastructure (easy to set up)
171 . oprofile (installed in RH >8.0)
172 NICK . Daemonize and package
173 o Teach it to fork and background
174 - Red Hat spec file
175 o Debian spec file equivalent
176 . Portability
177 . Which .h files are we actually using?
178 . Port to:
179 o Linux
180 o BSD
181 . Solaris
182 o Cygwin
183 . Win32
184 o OS X
185 - deal with pollhup / reached_eof on all platforms
186 o openssl randomness
187 o inet_ntoa
188 o stdint.h
189 - Make a script to set up a local network on your machine
190 o More flexibility in node addressing
191 D Support IPv6 rather than just 4
192 o Handle multihomed servers (config variable to set IP)
194 In the distant future:
195 D Load balancing between router twins
196 D Keep track of load over links/nodes, to
197 know who's hosed
198 SPEC!! D Non-clique topologies
199 D Implement our own memory management, at least for common structs
200 (Not ever necessary?)
201 D Advanced directory servers
202 D Automated reputation management
203 SPEC!! D Figure out how to do threshold directory servers
204 D jurisdiction info in dirserver entries? other info?
206 Older (done) todo stuff:
208 For 0.0.2pre17:
209 o Put a H(K | handshake) into the onionskin response
210 o Make cells 512 bytes
211 o Reduce streamid footprint from 7 bytes to 2 bytes
212 X Check for collisions in streamid (now possible with
213 just 2 bytes), and back up & replace with padding if so
214 o Use the 4 reserved bytes in each cell header to keep 1/5
215 of a sha1 of the ongoing relay payload (move into stream header)
216 o Move length into the stream header too
217 o Make length 2 bytes
218 D increase DH key length
219 D increase RSA key length
220 D Spec the stream_id stuff. Clarify that nobody on the backward
221 stream should look at stream_id.
223 Cell:
224 ACI (anonymous circuit identifier) [2 bytes]
225 Command [1 byte]
226 Payload (padded with 0 bytes) [509 bytes]
228 Relay payload:
229 Relay command [1 byte]
230 Stream ID [7 bytes]
231 Partial SHA-1 [4 bytes]
232 Length [2 bytes]
233 Relay payload [495 bytes]
235 For 0.0.2pre15:
236 o don't pick exit nodes which will certainly reject all things.
237 o don't pick nodes that the directory says are down
238 o choose randomly from running dirservers, not just first one
239 o install the man page
240 o warn when client-side tries an address/port which no router in the dir accepts.
242 For 0.0.2pre14:
243 o More flexible exit policies (18.*, 18.0.0.0/8)
244 o Work to succeed in the precense of exit policy violation
245 o Replace desired_path_len with opaque path-selection specifier
246 o Client-side DNS caching
247 o Add entries to client DNS cache based on END cells
248 o Remove port from END_REASON_EXITPOLICY cells
249 o Start building new circuits when we get an exit-policy
250 failure. (Defer exiting from the middle of existing
251 circuits or extending existing circuits for later.)
252 o Implement function to check whether a routerinfo_t
253 supports a given exit addr.
254 o Choose the exit node of an in-progress circuit based on
255 pending AP connections.
256 o Choose the exit node _first_, then beginning, then
257 middle nodes.
259 Previous:
260 o Get tor to act like a socks server
261 o socks4, socks4a
262 o socks5
263 o routers have identity key, link key, onion key.
264 o link key certs are
265 D signed by identity key
266 D not in descriptor
267 o not in config
268 D not on disk
269 o identity and onion keys are in descriptor (and disk)
270 o upon boot, if it doesn't find identity key, generate it and write it.
271 o also write a file with the identity key fingerprint in it
272 o router generates descriptor: flesh out router_get_my_descriptor()
273 o Routers sign descriptors with identity key
274 o routers put version number in descriptor
275 o routers should maybe have `uname -a` in descriptor?
276 o Give nicknames to routers
277 o in config
278 o in descriptors
279 o router posts descriptor
280 o when it boots
281 o every DirFetchPostPeriod seconds
282 D when it changes
283 o change tls stuff so certs don't get written to disk, or read from disk
284 o make directory.c 'thread'safe
285 o dirserver parses descriptor
286 o dirserver checks signature
287 D client checks signature?
288 o dirserver writes directory to file
289 o reads that file upon boot
290 o directory includes all routers, up and down
291 o add "up" line to directory, listing nicknames
292 o instruments ORs to report stats
293 o average cell fullness
294 o average bandwidth used
295 o configure log files. separate log file, separate severities.
296 o what assumptions break if we fclose(0) when we daemonize?
297 o make buffer struct elements opaque outside buffers.c
298 o add log convention to the HACKING file
299 o make 'make install' do the right thing
300 o change binary name to tor
301 o change config files so you look at commandline, else look in
302 /etc/torrc. no cascading.
303 o have an absolute datadir with fixed names for files, and fixed-name
304 keydir under that with fixed names
305 o Move (most of) the router/directory code out of main.c
306 o Simple directory servers
307 o Include key in source; sign directories
308 o Signed directory backend
309 o Document
310 o Integrate
311 o Add versions to code
312 o Have directories list recommended-versions
313 o Include line in directories
314 o Check for presence of line.
315 o Quit if running the wrong version
316 o Command-line option to override quit
317 o Add more information to directory server entries
318 o Exit policies
319 o Clearer bandwidth management
320 o Do we want to remove bandwidth from OR handshakes?
321 o What about OP handshakes?
322 X Move away from openssl
323 o Abstract out crypto calls
324 X Look at nss, others? Just include code?
325 o Use a stronger cipher
326 o aes now, by including the code ourselves
327 X On the fly compression of each stream
328 o Clean up the event loop (optimize and sanitize)
329 o Remove that awful concept of 'roles'
330 o Terminology
331 o Circuits, topics, cells stay named that
332 o 'Connection' gets divided, or renamed, or something?
333 o DNS farm
334 o Distribute queries onto the farm, get answers
335 o Preemptively grow a new worker before he's needed
336 o Prune workers when too many are idle
337 o DNS cache
338 o Clear DNS cache over time
339 D Honor DNS TTL info (how??)
340 o Have strategy when all workers are busy
341 o Keep track of which connections are in dns_wait
342 o Need to cache positives/negatives on the tor side
343 o Keep track of which queries have been asked
344 o Better error handling when
345 o An address doesn't resolve
346 o We have max workers running
347 o Consider taking the master out of the loop?
348 X Implement reply onions
349 o Total rate limiting
350 o Look at OR handshake in more detail
351 o Spec it
352 o Merge OR and OP handshakes
353 o rearrange connection_or so it doesn't suck so much to read
354 D Periodic link key rotation. Spec?
355 o wrap malloc with something that explodes when it fails
356 o Clean up the number of places that get to look at prkey