1 Filename: 100-tor-spec-udp.txt
2 Title: Tor Unreliable Datagram Extension Proposal
5 Author: Marc Liberatore
11 This is a modified version of the Tor specification written by Marc
12 Liberatore to add UDP support to Tor. For each TLS link, it adds a
13 corresponding DTLS link: control messages and TCP data flow over TLS, and
14 UDP data flows over DTLS.
16 This proposal is not likely to be accepted as-is; see comments at the end
24 Tor is a distributed overlay network designed to anonymize low-latency
25 TCP-based applications. The current tor specification supports only
26 TCP-based traffic. This limitation prevents the use of tor to anonymize
27 other important applications, notably voice over IP software. This document
28 is a proposal to extend the tor specification to support UDP traffic.
30 The basic design philosophy of this extension is to add support for
31 tunneling unreliable datagrams through tor with as few modifications to the
32 protocol as possible. As currently specified, tor cannot directly support
33 such tunneling, as connections between nodes are built using transport layer
34 security (TLS) atop TCP. The latency incurred by TCP is likely unacceptable
35 to the operation of most UDP-based application level protocols.
37 Thus, we propose the addition of links between nodes using datagram
38 transport layer security (DTLS). These links allow packets to traverse a
39 route through tor quickly, but their unreliable nature requires minor
40 changes to the tor protocol. This proposal outlines the necessary
41 additions and changes to the tor specification to support UDP traffic.
43 We note that a separate set of DTLS links between nodes creates a second
44 overlay, distinct from the that composed of TLS links. This separation and
45 resulting decrease in each anonymity set's size will make certain attacks
46 easier. However, it is our belief that VoIP support in tor will
47 dramatically increase its appeal, and correspondingly, the size of its user
48 base, number of deployed nodes, and total traffic relayed. These increases
49 should help offset the loss of anonymity that two distinct networks imply.
51 1. Overview of Tor-UDP and its complications
53 As described above, this proposal extends the Tor specification to support
54 UDP with as few changes as possible. Tor's overlay network is managed
55 through TLS based connections; we will re-use this control plane to set up
56 and tear down circuits that relay UDP traffic. These circuits be built atop
57 DTLS, in a fashion analogous to how Tor currently sends TCP traffic over
60 The unreliability of DTLS circuits creates problems for Tor at two levels:
62 1. Tor's encryption of the relay layer does not allow independent
63 decryption of individual records. If record N is not received, then
64 record N+1 will not decrypt correctly, as the counter for AES/CTR is
65 maintained implicitly.
67 2. Tor's end-to-end integrity checking works under the assumption that
68 all RELAY cells are delivered. This assumption is invalid when cells
71 The fix for the first problem is straightforward: add an explicit sequence
72 number to each cell. To fix the second problem, we introduce a
73 system of nonces and hashes to RELAY packets.
75 In the following sections, we mirror the layout of the Tor Protocol
76 Specification, presenting the necessary modifications to the Tor protocol as
81 Tor-UDP uses DTLS for encryption of some links. All DTLS links must have
82 corresponding TLS links, as all control messages are sent over TLS. All
83 implementations MUST support the DTLS ciphersuite "[TODO]".
85 DTLS connections are formed using the same protocol as TLS connections.
86 This occurs upon request, following a CREATE_UDP or CREATE_FAST_UDP cell,
87 as detailed in section 4.6.
89 Once a paired TLS/DTLS connection is established, the two sides send cells
90 to one another. All but two types of cells are sent over TLS links. RELAY
91 cells containing the commands RELAY_UDP_DATA and RELAY_UDP_DROP, specified
92 below, are sent over DTLS links. [Should all cells still be 512 bytes long?
93 Perhaps upon completion of a preliminary implementation, we should do a
94 performance evaluation for some class of UDP traffic, such as VoIP. - ML]
95 Cells may be sent embedded in TLS or DTLS records of any size or divided
96 across such records. The framing of these records MUST NOT leak any more
97 information than the above differentiation on the basis of cell type. [I am
98 uncomfortable with this leakage, but don't see any simple, elegant way
101 As with TLS connections, DTLS connections are not permanent.
105 Each cell contains the following fields:
109 Sequence Number [2 bytes]
110 Payload (padded with 0 bytes) [507 bytes]
111 [Total size: 512 bytes]
113 The 'Command' field holds one of the following values:
114 0 -- PADDING (Padding) (See Sec 6.2)
115 1 -- CREATE (Create a circuit) (See Sec 4)
116 2 -- CREATED (Acknowledge create) (See Sec 4)
117 3 -- RELAY (End-to-end data) (See Sec 5)
118 4 -- DESTROY (Stop using a circuit) (See Sec 4)
119 5 -- CREATE_FAST (Create a circuit, no PK) (See Sec 4)
120 6 -- CREATED_FAST (Circuit created, no PK) (See Sec 4)
121 7 -- CREATE_UDP (Create a UDP circuit) (See Sec 4)
122 8 -- CREATED_UDP (Acknowledge UDP create) (See Sec 4)
123 9 -- CREATE_FAST_UDP (Create a UDP circuit, no PK) (See Sec 4)
124 10 -- CREATED_FAST_UDP(UDP circuit created, no PK) (See Sec 4)
126 The sequence number allows for AES/CTR decryption of RELAY cells
127 independently of one another; this functionality is required to support
128 cells sent over DTLS. The sequence number is described in more detail in
131 [Should the sequence number only appear in RELAY packets? The overhead is
132 small, and I'm hesitant to force more code paths on the implementor. -ML]
133 [There's already a separate relay header that has other material in it,
134 so it wouldn't be the end of the world to move it there if it's
137 [Having separate commands for UDP circuits seems necessary, unless we can
138 assume a flag day event for a large number of tor nodes. -ML]
140 4. Circuit management
142 4.2. Setting circuit keys
144 Keys are set up for UDP circuits in the same fashion as for TCP circuits.
145 Each UDP circuit shares keys with its corresponding TCP circuit.
147 [If the keys are used for both TCP and UDP connections, how does it
148 work to mix sequence-number-less cells with sequenced-numbered cells --
149 how do you know you have the encryption order right? -RD]
151 4.3. Creating circuits
153 UDP circuits are created as TCP circuits, using the *_UDP cells as
156 4.4. Tearing down circuits
158 UDP circuits are torn down as TCP circuits, using the *_UDP cells as
161 4.5. Routing relay cells
163 When an OR receives a RELAY cell, it checks the cell's circID and
164 determines whether it has a corresponding circuit along that
165 connection. If not, the OR drops the RELAY cell.
167 Otherwise, if the OR is not at the OP edge of the circuit (that is,
168 either an 'exit node' or a non-edge node), it de/encrypts the payload
169 with AES/CTR, as follows:
170 'Forward' relay cell (same direction as CREATE):
171 Use Kf as key; decrypt, using sequence number to synchronize
172 ciphertext and keystream.
173 'Back' relay cell (opposite direction from CREATE):
174 Use Kb as key; encrypt, using sequence number to synchronize
175 ciphertext and keystream.
176 Note that in counter mode, decrypt and encrypt are the same operation.
177 [Since the sequence number is only 2 bytes, what do you do when it
180 Each stream encrypted by a Kf or Kb has a corresponding unique state,
181 captured by a sequence number; the originator of each such stream chooses
182 the initial sequence number randomly, and increments it only with RELAY
183 cells. [This counts cells; unlike, say, TCP, tor uses fixed-size cells, so
184 there's no need for counting bytes directly. Right? - ML]
185 [I believe this is true. You'll find out for sure when you try to
188 The OR then decides whether it recognizes the relay cell, by
189 inspecting the payload as described in section 5.1 below. If the OR
190 recognizes the cell, it processes the contents of the relay cell.
191 Otherwise, it passes the decrypted relay cell along the circuit if
192 the circuit continues. If the OR at the end of the circuit
193 encounters an unrecognized relay cell, an error has occurred: the OR
194 sends a DESTROY cell to tear down the circuit.
196 When a relay cell arrives at an OP, the OP decrypts the payload
197 with AES/CTR as follows:
198 OP receives data cell:
200 Decrypt with Kb_I, using the sequence number as above. If the
201 payload is recognized (see section 5.1), then stop and process
204 For more information, see section 5 below.
206 4.6. CREATE_UDP and CREATED_UDP cells
208 Users set up UDP circuits incrementally. The procedure is similar to that
209 for TCP circuits, as described in section 4.1. In addition to the TLS
210 connection to the first node, the OP also attempts to open a DTLS
211 connection. If this succeeds, the OP sends a CREATE_UDP cell, with a
212 payload in the same format as a CREATE cell. To extend a UDP circuit past
213 the first hop, the OP sends an EXTEND_UDP relay cell (see section 5) which
214 instructs the last node in the circuit to send a CREATE_UDP cell to extend
217 The relay payload for an EXTEND_UDP relay cell consists of:
221 Onion skin [186 bytes]
222 Identity fingerprint [20 bytes]
224 The address field and ports denote the IPV4 address and ports of the next OR
227 The payload for a CREATED_UDP cell or the relay payload for an
228 RELAY_EXTENDED_UDP cell is identical to that of the corresponding CREATED or
229 RELAY_EXTENDED cell. Both circuits are established using the same key.
231 Note that the existence of a UDP circuit implies the
232 existence of a corresponding TCP circuit, sharing keys, sequence numbers,
233 and any other relevant state.
235 4.6.1 CREATE_FAST_UDP/CREATED_FAST_UDP cells
237 As above, the OP must successfully connect using DTLS before attempting to
238 send a CREATE_FAST_UDP cell. Otherwise, the procedure is the same as in
241 5. Application connections and stream management
245 Within a circuit, the OP and the exit node use the contents of RELAY cells
246 to tunnel end-to-end commands, TCP connections ("Streams"), and UDP packets
247 across circuits. End-to-end commands and UDP packets can be initiated by
248 either edge; streams are initiated by the OP.
250 The payload of each unencrypted RELAY cell consists of:
251 Relay command [1 byte]
252 'Recognized' [2 bytes]
258 The relay commands are:
259 1 -- RELAY_BEGIN [forward]
260 2 -- RELAY_DATA [forward or backward]
261 3 -- RELAY_END [forward or backward]
262 4 -- RELAY_CONNECTED [backward]
263 5 -- RELAY_SENDME [forward or backward]
264 6 -- RELAY_EXTEND [forward]
265 7 -- RELAY_EXTENDED [backward]
266 8 -- RELAY_TRUNCATE [forward]
267 9 -- RELAY_TRUNCATED [backward]
268 10 -- RELAY_DROP [forward or backward]
269 11 -- RELAY_RESOLVE [forward]
270 12 -- RELAY_RESOLVED [backward]
271 13 -- RELAY_BEGIN_UDP [forward]
272 14 -- RELAY_DATA_UDP [forward or backward]
273 15 -- RELAY_EXTEND_UDP [forward]
274 16 -- RELAY_EXTENDED_UDP [backward]
275 17 -- RELAY_DROP_UDP [forward or backward]
277 Commands labelled as "forward" must only be sent by the originator
278 of the circuit. Commands labelled as "backward" must only be sent by
279 other nodes in the circuit back to the originator. Commands marked
280 as either can be sent either by the originator or other nodes.
282 The 'recognized' field in any unencrypted relay payload is always set to
285 The 'digest' field can have two meanings. For all cells sent over TLS
286 connections (that is, all commands and all non-UDP RELAY data), it is
287 computed as the first four bytes of the running SHA-1 digest of all the
288 bytes that have been sent reliably and have been destined for this hop of
289 the circuit or originated from this hop of the circuit, seeded from Df or Db
290 respectively (obtained in section 4.2 above), and including this RELAY
291 cell's entire payload (taken with the digest field set to zero). Cells sent
292 over DTLS connections do not affect this running digest. Each cell sent
293 over DTLS (that is, RELAY_DATA_UDP and RELAY_DROP_UDP) has the digest field
294 set to the SHA-1 digest of the current RELAY cells' entire payload, with the
295 digest field set to zero. Coupled with a randomly-chosen streamID, this
296 provides per-cell integrity checking on UDP cells.
297 [If you drop malformed UDP relay cells but don't close the circuit,
298 then this 8 bytes of digest is not as strong as what we get in the
299 TCP-circuit side. Is this a problem? -RD]
301 When the 'recognized' field of a RELAY cell is zero, and the digest
302 is correct, the cell is considered "recognized" for the purposes of
303 decryption (see section 4.5 above).
305 (The digest does not include any bytes from relay cells that do
306 not start or end at this hop of the circuit. That is, it does not
307 include forwarded data. Therefore if 'recognized' is zero but the
308 digest does not match, the running digest at that node should
309 not be updated, and the cell should be forwarded on.)
311 All RELAY cells pertaining to the same tunneled TCP stream have the
312 same streamID. Such streamIDs are chosen arbitrarily by the OP. RELAY
313 cells that affect the entire circuit rather than a particular
314 stream use a StreamID of zero.
316 All RELAY cells pertaining to the same UDP tunnel have the same streamID.
317 This streamID is chosen randomly by the OP, but cannot be zero.
319 The 'Length' field of a relay cell contains the number of bytes in
320 the relay payload which contain real payload data. The remainder of
321 the payload is padded with NUL bytes.
323 If the RELAY cell is recognized but the relay command is not
324 understood, the cell must be dropped and ignored. Its contents
325 still count with respect to the digests, though. [Before
326 0.1.1.10, Tor closed circuits when it received an unknown relay
327 command. Perhaps this will be more forward-compatible. -RD]
329 5.2.1. Opening UDP tunnels and transferring data
331 To open a new anonymized UDP connection, the OP chooses an open
332 circuit to an exit that may be able to connect to the destination
333 address, selects a random streamID not yet used on that circuit,
334 and constructs a RELAY_BEGIN_UDP cell with a payload encoding the address
335 and port of the destination host. The payload format is:
337 ADDRESS | ':' | PORT | [00]
339 where ADDRESS can be a DNS hostname, or an IPv4 address in
340 dotted-quad format, or an IPv6 address surrounded by square brackets;
341 and where PORT is encoded in decimal.
343 [What is the [00] for? -NM]
344 [It's so the payload is easy to parse out with string funcs -RD]
346 Upon receiving this cell, the exit node resolves the address as necessary.
347 If the address cannot be resolved, the exit node replies with a RELAY_END
348 cell. (See 5.4 below.) Otherwise, the exit node replies with a
349 RELAY_CONNECTED cell, whose payload is in one of the following formats:
350 The IPv4 address to which the connection was made [4 octets]
351 A number of seconds (TTL) for which the address may be cached [4 octets]
353 Four zero-valued octets [4 octets]
354 An address type (6) [1 octet]
355 The IPv6 address to which the connection was made [16 octets]
356 A number of seconds (TTL) for which the address may be cached [4 octets]
357 [XXXX Versions of Tor before 0.1.1.6 ignore and do not generate the TTL
358 field. No version of Tor currently generates the IPv6 format.]
360 The OP waits for a RELAY_CONNECTED cell before sending any data.
361 Once a connection has been established, the OP and exit node
362 package UDP data in RELAY_DATA_UDP cells, and upon receiving such
363 cells, echo their contents to the corresponding socket.
364 RELAY_DATA_UDP cells sent to unrecognized streams are dropped.
366 Relay RELAY_DROP_UDP cells are long-range dummies; upon receiving such
367 a cell, the OR or OP must drop it.
371 UDP tunnels are closed in a fashion corresponding to TCP connections.
375 UDP streams are not subject to flow control.
377 7.2. Router descriptor format.
379 The items' formats are as follows:
380 "router" nickname address ORPort SocksPort DirPort UDPPort
382 Indicates the beginning of a router descriptor. "address" must be
383 an IPv4 address in dotted-quad format. The last three numbers
384 indicate the TCP ports at which this OR exposes
385 functionality. ORPort is a port at which this OR accepts TLS
386 connections for the main OR protocol; SocksPort is deprecated and
387 should always be 0; DirPort is the port at which this OR accepts
388 directory-related HTTP connections; and UDPPort is a port at which
389 this OR accepts DTLS connections for UDP data. If any port is not
390 supported, the value 0 is given instead of a port number.
394 What changes need to happen to each node's exit policy to support this? -RD
396 Switching to UDP means managing the queues of incoming packets better,
397 so we don't miss packets. How does this interact with doing large public
398 key operations (handshakes) in the same thread? -RD
400 ========================================================================
402 ========================================================================
406 I don't favor this approach; it makes packet traffic partitioned from
407 stream traffic end-to-end. The architecture I'd like to see is:
409 A *All* Tor-to-Tor traffic is UDP/DTLS, unless we need to fall back on
410 TCP/TLS for firewall penetration or something. (This also gives us an
411 upgrade path for routing through legacy servers.)
413 B Stream traffic is handled with end-to-end per-stream acks/naks and
414 retries. On failure, the data is retransmitted in a new RELAY_DATA cell;
415 a cell isn't retransmitted.
417 We'll need to do A anyway, to fix our behavior on packet-loss. Once we've
418 done so, B is more or less inevitable, and we can support end-to-end UDP
421 (Also, there are some details that this draft spec doesn't address. For
422 example, what happens when a UDP packet doesn't fit in a single cell?)