3 SPEC - Spec not finalized
14 N&R- bring tor-spec up to date
15 o cache and serve running-routers on other nodes?
16 o cache running-routers
17 o download running-routers from servers running rc5-cvs or later
18 o pump up periods for fetching things; figure out how to do this
19 backward-compatibily, so that people who did set dirfetchpostperiod
20 get the right behavior.
21 o If dirport is set, we should have a maximum dirfetchperiod and
22 a maximum statusfetchperiod, or else we'll serve very stale stuff.
23 o Adapt version parsing code to handle new version scheme; document new
25 N&R. make loglevels info,debug less noisy
26 R - fix dfc/weasel's intro point bug
27 R - add goodell's .exit tld
30 - server descriptor declares min log level, clients avoid servers
32 N - Clean up NT service code
33 N - OS X package (and bundle?)
34 - controller should have 'getinfo' command to query about rephist,
35 about rendezvous status, etc.
36 - allow transition from ORPort to !ORPort, and back
37 R . bandwidth buckets for write as well as read.
38 - Limit to 2 dir, 2 OR, N SOCKS connections per IP.
39 - Implement If-Modified-Since for directories.
40 - Make more configuration variables into CSVs.
41 N - Handle rendezvousing with unverified nodes.
42 - Specify: Stick rendezvous point's key in INTRODUCE cell.
43 Bob should _always_ use key from INTRODUCE cell.
45 R - figure out enclaves, e.g. so we know what to recommend that people
46 do, and so running a tor server on your website is helpful.
47 - Do enclaves for same IP only.
48 - Resolve first, then if IP is an OR, connect to next guy.
49 N . the user interface interface
50 - Implement a trivial fun gui.
52 - Spec issue: if a resolve returns an IP4 and an IP6 address,
55 R X learn from ben about his openssl-reinitialization-trick to
56 rotate tls keys without making new connections.
57 - Do something to prevent spurious EXTEND cells from making middleman
58 nodes connect all over. Rate-limit failed connections, perhaps?
59 - christian grothoff's attack of infinite-length circuit.
60 the solution is to have a separate 'extend-data' cell type
61 which is used for the first N data cells, and only
62 extend-data cells can be extend requests.
63 - have a pool of circuits available, cannibalize them
64 for your purposes (e.g. rendezvous, etc).
65 - Once we have a trusted directory on port 80, stop falling back to
66 forbidden ports when fascistfirewall blocks all good dirservers.
68 o fix sprintf's to snprintf's?
69 . Make intro points and rendezvous points accept $KEYID in addition
73 - Generate new formats (Not till 007 is dead)
74 - Facility to automatically choose long-term helper nodes; perhaps
75 on by default for hidden services.
76 o Make command-line strict about checking options; make only certain
78 - Rate-limit OR and directory connections overall and per-IP and
80 D put expiry date on onion-key, so people don't keep trying
81 old ones that they could know are expired?
82 * Leave on todo list, see if pre3 onion fixes helped enough.
83 D should the running-routers list put unverified routers at the
85 * Cosmetic, don't do it yet.
86 D make advertised_server_mode() ORs fetch dirs more often.
88 D Add a notion of nickname->Pubkey binding that's not 'verification'
89 * eventually, only when needed
90 D ORs use uniquer default nicknames
91 * Don't worry about this for now
92 D Handle full buffers without totally borking
93 * do this eventually, no rush.
94 D if destination IP is running a tor node, extend a circuit there
96 * don't do this for now. figure out how enclaves work. but do
98 - Support egd or other non-OS-integrated strong entropy sources
100 more features, complex:
101 - password protection for on-disk identity key
102 - Have clients and dirservers preserve reputation info over
104 * continue not doing until we have something we need to preserve
105 - round detected bandwidth up to nearest 10KB?
106 - client software not upload descriptor until:
107 - you've been running for an hour
108 - it's sufficiently satisfied with its bandwidth
109 - it decides it is reachable
110 - start counting again if your IP ever changes.
111 - never regenerate identity keys, for now.
112 - you can set a bit for not-being-an-OR.
113 * no need to do this yet. few people define their ORPort.
114 - authdirserver lists you as running iff:
115 - he can connect to you
116 - he has successfully extended to you
117 - you have sufficient mean-time-between-failures
118 * keep doing nothing for now.
119 - Include HTTP status messages in logging (see parse_http_response).
122 - Possible to get autoconf to easily install things into ~/.tor?
125 . rename/rearrange functions for what file they're in
126 - generalize our transport: add transport.c in preparation for
127 http, airhook, etc transport.
128 o investigate sctp for alternate transport.
133 - deal with pollhup / reached_eof on all platforms
138 . Usable as NT service
139 - docs for building in win
140 o installer, including all needed libs.
141 - and including privoxy
142 - and including a sockscap equivalent
146 - a howto tutorial with examples
147 * put a stub on the wiki
148 o tutorial: how to set up your own tor network
149 o (need to not hardcode dirservers file in config.c)
150 o Make tutorial reflect this.
151 . port forwarding howto for ipchains, etc
152 . correct, update, polish spec
153 - document the exposed function api?
154 - Document where we differ from tor-design
157 . find a long-term rpm maintainer
160 - better warn/info messages
161 - write howto for setting up tsocks, socat.
162 - including on osx and win32
165 o gather patches, submit to maintainer
166 * send him a reminder mail and see what's up.
167 - intercept gethostbyname and others
170 - redesign and thorough code revamp, with particular eye toward:
171 - support half-open tcp connections
173 - other transports -- http, airhook
174 - modular introduction mechanism
175 - allow non-clique topology
177 Other details and small and hard things:
178 - tor should be able to have a pool of outgoing IP addresses
179 that it is able to rotate through. (maybe)
181 - hidserv offerers shouldn't need to define a SocksPort
182 * figure out what breaks for this, and do it.
183 - when the client fails to pick an intro point for a hidserv,
184 it should refetch the hidserv desc.
185 . should maybe make clients exit(1) when bad things happen?
187 - should retry exitpolicy end streams even if the end cell didn't
188 resolve the address for you
189 o Make logs handle it better when writing to them fails.
190 o Dirserver shouldn't put you in running-routers list if you haven't
191 uploaded a descriptor recently
192 . Refactor: add own routerinfo to routerlist. Right now, only
193 router_get_by_nickname knows about 'this router', as a hack to
194 get circuit_launch_new to do the right thing.
196 - Find an smtp proxy?
197 . Get socks4a support into Mozilla
198 - Need a relay teardown cell, separate from one-way ends.
199 - Make it harder to circumvent bandwidth caps: look at number of bytes
200 sent across sockets, not number sent inside TLS stream.
201 - fix router_get_by_* functions so they can get ourselves too,
202 and audit everything to make sure rend and intro points are
203 just as likely to be us as not.
205 ***************************Future tasks:****************************
207 Rendezvous and hidden services:
209 - preemptively build and start rendezvous circs.
210 - preemptively build n-1 hops of intro circs?
211 - cannibalize general circs?
213 - standby/hotswap/redundant services.
214 - store stuff to disk? dirservers forget service descriptors when
215 they restart; nodes offering hidden services forget their chosen
216 intro points when they restart.
218 - auth mechanisms to let midpoint and bob selectively choose
221 - right now the hidserv store/lookup system is run by the dirservers;
225 Relax clique assumptions.
226 Redesign how directories are handled.
227 o Separate running-routers lookup from descriptor list lookup.
228 - Resolve directory agreement somehow.
229 o Cache directory on all servers.
230 Find and remove bottlenecks
231 - Address linear searches on e.g. circuit and connection lists.
232 Reputation/memory system, so dirservers can measure people,
233 and so other people can verify their measurements.
234 - Need to measure via relay, so it's not distinguishable.
235 Bandwidth-aware path selection. So people with T3's are picked
236 more often than people with DSL.
237 Reliability-aware node selection. So people who are stable are
238 preferred for long-term circuits such as intro and rend circs,
239 and general circs for irc, aim, ssh, etc.
240 Let dissidents get to Tor servers via Tor users. ("Backbone model")
242 Anonymity improvements:
243 Is abandoning the circuit the only option when an extend fails, or
244 can we do something without impacting anonymity too much?
245 Is exiting from the middle of the circuit always a bad idea?
246 Helper nodes. Decide how to use them to improve safety.
247 DNS resolution: need to make tor support resolve requests. Need to write
248 a script and an interface (including an extension to the socks
249 protocol) so we can ask it to do resolve requests. Need to patch
250 tsocks to intercept gethostbyname, else we'll continue leaking it.
251 Improve path selection algorithms based on routing-zones paper. Be sure
252 to start and end circuits in different ASs. Ideally, consider AS of
253 source and destination -- maybe even enter and exit via nearby AS.
254 Intermediate model, with some delays and mixing.
255 Add defensive dropping regime?
257 Make it more correct:
258 Handle half-open connections: right now we don't support all TCP
259 streams, at least according to the protocol. But we handle all that
260 we've seen in the wild.
263 Efficiency/speed/robustness:
264 Congestion control. Is our current design sufficient once we have heavy
265 use? Need to measure and tweak, or maybe overhaul.
266 Allow small cells and large cells on the same network?
267 Cell buffering and resending. This will allow us to handle broken
268 circuits as long as the endpoints don't break, plus will allow
269 connection (tls session key) rotation.
270 Implement Morphmix, so we can compare its behavior, complexity, etc.
271 Use cpuworker for more heavy lifting.
272 - Signing (and verifying) hidserv descriptors
273 - Signing (and verifying) intro/rend requests
274 - Signing (and verifying) router descriptors
275 - Signing (and verifying) directories
276 - Doing TLS handshake (this is very hard to separate out, though)
277 Buffer size pool: allocate a maximum size for all buffers, not
278 a maximum size for each buffer. So we don't have to give up as
279 quickly (and kill the thickpipe!) when there's congestion.
280 Exit node caching: tie into squid or other caching web proxy.
281 Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
282 link crypto, unless we can bully openssl into it.
285 Do all the scalability stuff above, first.
286 Incentives to relay. Not so hard.
287 Incentives to allow exit. Possibly quite hard.
288 Sybil defenses without having a human bottleneck.
289 How to gather random sample of nodes.
290 How to handle nodelist recommendations.
291 Consider incremental switches: a p2p tor with only 50 users has
292 different anonymity properties than one with 10k users, and should
293 be treated differently.