Filename: 144-enforce-distinct-providers.txt
Title: Increase the diversity of circuits by detecting nodes belonging the

Increase network security by reducing the capacity of a relay operator
or ISP to monitor, personally or by requisition, a large part of Tor
traffic when trying to break circuit privacy. This is a way to increase
the diversity of circuits without killing network performance.

Since Roger and Nick's 2004 publication about diversity [1], the very
fast Tor relays have become concentrated among half a dozen providers,
which control the traffic of some dozens of routers [2].

In the same way, the spread of clonable VMs paid for by the hour makes
it possible to start, in a few minutes and for a small cost, a set of
very high-speed relays which in a few hours can attract a large amount
of traffic that can be analyzed, increasing the vulnerability of the
network.

Whether ISPs or domU providers, these usually have several groups of
class B IP addresses. The EnforceDistinctSubnets restriction currently
in place, which automatically excludes relays in the same class B IP
subnet, is therefore only partially effective. By contrast, a
restriction at the class A level will be too

Therefore it seems necessary to consider another approach.

Add a provider control based on the AS number, added by the router to
its descriptor, controlled by the Directory Authorities, and used like
the declarative family field during circuit creation.

Add to the router descriptor provider information obtained by request [4]

'names' is the AS number of the router, formatted like this:
'ASxxxxxx', where AS is fixed and xxxxxx is the AS number,
left aligned (e.g. AS98304, AS4096, AS1). If the AS number
is missing, the network class A number is used, like this:
'ANxxx', where AN is fixed and xxx is the first 3 digits of
the IP (e.g. for the IP 1.1.1.2, AN1). An 'L' value is set
if it's a local network IP.

If two ORs list one another in their "provider" entries,
then OPs should treat them as a single OR for the purpose

For example, if node A's descriptor contains "provider B",
and node B's descriptor contains "provider A", then node A
and node B should never be used on the same circuit.

Add the corresponding config option in torrc

EnforceDistinctProviders set to 1 by default.
Permit building circuits with relays in the same provider

With regard to proposal 135: if TestingTorNetwork is set,
EnforceDistinctProviders needs to be unset.

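The provider name format and the circuit rule above, as an added
example (not code from the proposal or from Tor). It assumes that two
relays carrying the same provider name count as the same provider, that
a relay with no known provider (None) is skipped rather than rejected,
and that Python's is_private stands in for "local network IP";
provider_tag and provider_conflicts are hypothetical names.

```python
import ipaddress
from itertools import combinations


def provider_tag(ip, asn=None):
    """Build the 'provider' name a router would put in its descriptor."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    if asn is not None:
        if not 0 < asn < 2 ** 32:
            raise ValueError("AS number out of range")
        return f"AS{asn}"                     # no padding: AS98304, AS4096, AS1
    if addr.is_private:                       # assumption: stand-in for "local"
        return "L"
    return f"AN{addr.packed[0]}"              # first octet: 1.1.1.2 -> AN1


def provider_conflicts(path, enforce=True):
    """Return the pairs of relays in a candidate path that share a provider.

    path is a list of (nickname, provider name or None). enforce mirrors
    EnforceDistinctProviders; with 0/False every path is accepted.
    """
    if not enforce:
        return []
    return [(a, b)
            for (a, tag_a), (b, tag_b) in combinations(path, 2)
            if tag_a is not None and tag_a == tag_b]


# Constructed sample relays (nicknames and addresses are made up).
SAMPLE_PATH = [
    ("guard", provider_tag("198.51.100.7", asn=4096)),
    ("middle", provider_tag("1.1.1.2")),              # no AS known -> AN1
    ("exit", provider_tag("203.0.113.9", asn=4096)),  # same AS as guard
]

if __name__ == "__main__":
    print(SAMPLE_PATH)
    print("conflicts:", provider_conflicts(SAMPLE_PATH))
    print("unset:", provider_conflicts(SAMPLE_PATH, enforce=False))
```
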
Control by Directory Authorities of the AS numbers

The Directory Authorities control the AS numbers of the new node

If an old version is operated by the node this test is

If the AS number obtained by request is different from the one in the
descriptor, the router is flagged as non-Valid by the testing
Authority for the voting process.

Step 2 When a 'significant number of nodes' of valid routers are
generating descriptors with provider information.

Add functionality for the circuit user to get missing provider
information by DNS request:

During circuit building and computing, the OP first applies the
family check and the EnforceDistinctSubnets directive, for
performance; then, if provider info is needed and missing from
the router descriptor, it tries to get the AS provider info by
DNS request [4]. This information could be DNS cached. AN
(class A number) is never generated during this process, to
prevent DNS block problems. If the DNS request fails, ignore
and continue building

Step 3 When the 'whole majority' of valid Tor clients are providing

Older versions are deprecated and marked as non-Valid.

EnforceDistinctProviders replaces EnforceDistinctSubnets functionality.

EnforceDistinctSubnets is removed.

Functionalities deployed in step 2 are removed.

Security implications:

This provider measure will increase the number of provider
addresses that an attacker must use in order to carry out

The presented protocol does not raise compatibility issues
with current Tor versions. The compatibility is preserved by
implementing this functionality in 3 steps, giving time to
network users to upgrade clients and routers.

Performance and scalability notes:

A provider change for all routers could reduce performance a
little if the circuit is too long.

During step 2, getting missing provider information could increase
path-building time and should have a timeout.

Possible Attacks/Open Issues/Some thinking required:

This proposal seems to be compatible with proposal 135, Simplify
Configuration of Private Tor Networks.

This proposal does not resolve multiple-AS owner and top
provider traffic monitoring attacks [5].

Unresolved AS numbers are treated as a Class A network. Perhaps
they should be marked as invalid. But there are only five items on

Need to define what's a 'significant number of nodes' and

[1] Location Diversity in Anonymity Networks by Nick Feamster and Roger
In the Proceedings of the Workshop on Privacy in the Electronic Society
(WPES 2004), Washington, DC, USA, October 2004
http://freehaven.net/anonbib/#feamster:wpes2004
[2] http://as4jtw5gc6efb267.onion/IPListbyAS.txt
[3] see Goodell Tor Exit Page
http://cassandra.eecs.harvard.edu/cgi-bin/exit.py
[4] see the great IP to ASN DNS Tool
http://www.team-cymru.org/Services/ip-to-asn.html
[5] Sampled Traffic Analysis by Internet-Exchange-Level Adversaries by
Steven J. Murdoch and Piotr Zielinski.
In the Proceedings of the Seventh Workshop on Privacy Enhancing Technologies
(PET 2007), Ottawa, Canada, June 2007.
http://freehaven.net/anonbib/#murdoch-pet2007
[5] http://bugs.noreply.org/flyspray/index.php?do=details&id=690