2 Tor Protocol Specification
7 Note: This document aims to specify Tor as implemented in 0.2.1.x. Future
8 versions of Tor may implement improved protocols, and compatibility is not
9 guaranteed. Compatibility notes are given for versions 0.1.1.15-rc and
10 later; earlier versions are not compatible with the Tor network as of this
13 This specification is not a design document; most design criteria
14 are not examined. For more information on why Tor acts as it does,
19 0.1. Notation and encoding
23 K -- a key for a symmetric cipher.
25 a|b -- concatenation of 'a' and 'b'.
27 [A0 B1 C2] -- a three-byte sequence, containing the bytes with
28 hexadecimal values A0, B1, and C2, in that order.
30 All numeric values are encoded in network (big-endian) order.
32 H(m) -- a cryptographic hash of m.
34 0.2. Security parameters
36 Tor uses a stream cipher, a public-key cipher, the Diffie-Hellman
37 protocol, and a hash function.
39 KEY_LEN -- the length of the stream cipher's key, in bytes.
41 PK_ENC_LEN -- the length of a public-key encrypted message, in bytes.
42 PK_PAD_LEN -- the number of bytes added in padding for public-key
43 encryption, in bytes. (The largest number of bytes that can be encrypted
44 in a single public-key operation is therefore PK_ENC_LEN-PK_PAD_LEN.)
46 DH_LEN -- the number of bytes used to represent a member of the
48 DH_SEC_LEN -- the number of bytes used in a Diffie-Hellman private key (x).
50 HASH_LEN -- the length of the hash function's output, in bytes.
52 PAYLOAD_LEN -- The longest allowable cell payload, in bytes. (509)
54 CELL_LEN -- The length of a Tor cell, in bytes.
58 For a stream cipher, we use 128-bit AES in counter mode, with an IV of all
61 For a public-key cipher, we use RSA with 1024-bit keys and a fixed
62 exponent of 65537. We use OAEP-MGF1 padding, with SHA-1 as its digest
63 function. We leave the optional "Label" parameter unset. (For OAEP
64 padding, see ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf)
66 For Diffie-Hellman, we use a generator (g) of 2. For the modulus (p), we
67 use the 1024-bit safe prime from rfc2409 section 6.2 whose hex
70 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
71 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
72 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
73 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
74 "49286651ECE65381FFFFFFFFFFFFFFFF"
76 As an optimization, implementations SHOULD choose DH private keys (x) of
77 320 bits. Implementations that do this MUST never use any DH key more
79 [May other implementations reuse their DH keys?? -RD]
80 [Probably not. Conceivably, you could get away with changing DH keys once
81 per second, but there are too many oddball attacks for me to be
82 comfortable that this is safe. -NM]
84 For a hash function, we use SHA-1.
87 DH_LEN=128; DH_SEC_LEN=40.
88 PK_ENC_LEN=128; PK_PAD_LEN=42.
91 When we refer to "the hash of a public key", we mean the SHA-1 hash of the
92 DER encoding of an ASN.1 RSA public key (as specified in PKCS.1).
94 All "random" values should be generated with a cryptographically strong
95 random number generator, unless otherwise noted.
97 The "hybrid encryption" of a byte sequence M with a public key PK is
99 1. If M is less than PK_ENC_LEN-PK_PAD_LEN, pad and encrypt M with PK.
100 2. Otherwise, generate a KEY_LEN byte random key K.
101 Let M1 = the first PK_ENC_LEN-PK_PAD_LEN-KEY_LEN bytes of M,
102 and let M2 = the rest of M.
103 Pad and encrypt K|M1 with PK. Encrypt M2 with our stream cipher,
104 using the key K. Concatenate these encrypted values.
105 [XXX Note that this "hybrid encryption" approach does not prevent
106 an attacker from adding or removing bytes to the end of M. It also
107 allows attackers to modify the bytes not covered by the OAEP --
108 see Goldberg's PET2006 paper for details. We will add a MAC to this
111 0.4. Other parameter values
117 Tor is a distributed overlay network designed to anonymize
118 low-latency TCP-based applications such as web browsing, secure shell,
119 and instant messaging. Clients choose a path through the network and
120 build a ``circuit'', in which each node (or ``onion router'' or ``OR'')
121 in the path knows its predecessor and successor, but no other nodes in
122 the circuit. Traffic flowing down the circuit is sent in fixed-size
123 ``cells'', which are unwrapped by a symmetric key at each node (like
124 the layers of an onion) and relayed downstream.
128 Every Tor server has multiple public/private keypairs:
130 - A long-term signing-only "Identity key" used to sign documents and
131 certificates, and used to establish server identity.
132 - A medium-term "Onion key" used to decrypt onion skins when accepting
133 circuit extend attempts. (See 5.1.) Old keys MUST be accepted for at
134 least one week after they are no longer advertised. Because of this,
135 servers MUST retain old keys for a while after they're rotated.
136 - A short-term "Connection key" used to negotiate TLS connections.
137 Tor implementations MAY rotate this key as often as they like, and
138 SHOULD rotate this key at least once a day.
140 Tor servers are also identified by "nicknames"; these are specified in
145 Connections between two Tor servers, or between a client and a server,
146 use TLS/SSLv3 for link authentication and encryption. All
147 implementations MUST support the SSLv3 ciphersuite
148 "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", and SHOULD support the TLS
149 ciphersuite "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" if it is available.
151 There are three acceptable ways to perform a TLS handshake when
152 connecting to a Tor server: "certificates up-front", "renegotiation", and
153 "backwards-compatible renegotiation". ("Backwards-compatible
154 renegotiation" is, as the name implies, compatible with both other
157 Before Tor 0.2.0.21, only "certificates up-front" was supported. In Tor
158 0.2.0.21 or later, "backwards-compatible renegotiation" is used.
160 In "certificates up-front", the connection initiator always sends a
161 two-certificate chain, consisting of an X.509 certificate using a
162 short-term connection public key and a second, self- signed X.509
163 certificate containing its identity key. The other party sends a similar
164 certificate chain. The initiator's ClientHello MUST NOT include any
165 ciphersuites other than:
166 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
167 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
168 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
169 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
171 In "renegotiation", the connection initiator sends no certificates, and
172 the responder sends a single connection certificate. Once the TLS
173 handshake is complete, the initiator renegotiates the handshake, with each
174 party sending a two-certificate chain as in "certificates up-front".
175 The initiator's ClientHello MUST include at least one ciphersuite not in
176 the list above. The responder SHOULD NOT select any ciphersuite besides
177 those in the list above.
178 [The above "should not" is because some of the ciphers that
179 clients list may be fake.]
181 In "backwards-compatible renegotiation", the connection initiator's
182 ClientHello MUST include at least one ciphersuite other than those listed
183 above. The connection responder examines the initiator's ciphersuite list
184 to see whether it includes any ciphers other than those included in the
185 list above. If extra ciphers are included, the responder proceeds as in
186 "renegotiation": it sends a single certificate and does not request
187 client certificates. Otherwise (in the case that no extra ciphersuites
188 are included in the ClientHello) the responder proceeds as in
189 "certificates up-front": it requests client certificates, and sends a
190 two-certificate chain. In either case, once the responder has sent its
191 certificate or certificates, the initiator counts them. If two
192 certificates have been sent, it proceeds as in "certificates up-front";
193 otherwise, it proceeds as in "renegotiation".
195 All new implementations of the Tor server protocol MUST support
196 "backwards-compatible renegotiation"; clients SHOULD do this too. If
197 this is not possible, new client implementations MUST support both
198 "renegotiation" and "certificates up-front" and use the router's
199 published link protocols list (see dir-spec.txt on the "protocols" entry)
200 to decide which to use.
202 In all of the above handshake variants, certificates sent in the clear
203 SHOULD NOT include any strings to identify the host as a Tor server. In
204 the "renegotiation" and "backwards-compatible renegotiation" steps, the
205 initiator SHOULD choose a list of ciphersuites and TLS extensions
206 to mimic one used by a popular web browser.
208 Responders MUST NOT select any TLS ciphersuite that lacks ephemeral keys,
209 or whose symmetric keys are less then KEY_LEN bits, or whose digests are
210 less than HASH_LEN bits. Responders SHOULD NOT select any SSLv3
211 ciphersuite other than those listed above.
213 Even though the connection protocol is identical, we will think of the
214 initiator as either an onion router (OR) if it is willing to relay
215 traffic for other Tor users, or an onion proxy (OP) if it only handles
216 local requests. Onion proxies SHOULD NOT provide long-term-trackable
217 identifiers in their handshakes.
219 In all handshake variants, once all certificates are exchanged, all
220 parties receiving certificates must confirm that the identity key is as
221 expected. (When initiating a connection, the expected identity key is
222 the one given in the directory; when creating a connection because of an
223 EXTEND cell, the expected identity key is the one given in the cell.) If
224 the key is not as expected, the party must close the connection.
226 When connecting to an OR, all parties SHOULD reject the connection if that
227 OR has a malformed or missing certificate. When accepting an incoming
228 connection, an OR SHOULD NOT reject incoming connections from parties with
229 malformed or missing certificates. (However, an OR should not believe
230 that an incoming connection is from another OR unless the certificates
231 are present and well-formed.)
233 [Before version 0.1.2.8-rc, ORs rejected incoming connections from ORs and
234 OPs alike if their certificates were missing or malformed.]
236 Once a TLS connection is established, the two sides send cells
237 (specified below) to one another. Cells are sent serially. All
238 cells are CELL_LEN bytes long. Cells may be sent embedded in TLS
239 records of any size or divided across TLS records, but the framing
240 of TLS records MUST NOT leak information about the type or contents
243 TLS connections are not permanent. Either side MAY close a connection
244 if there are no circuits running over it and an amount of time
245 (KeepalivePeriod, defaults to 5 minutes) has passed since the last time
246 any traffic was transmitted over the TLS connection. Clients SHOULD
247 also hold a TLS connection with no circuits open, if it is likely that a
248 circuit will be built soon using that connection.
250 (As an exception, directory servers may try to stay connected to all of
251 the ORs -- though this will be phased out for the Tor 0.1.2.x release.)
253 To avoid being trivially distinguished from servers, client-only Tor
254 instances are encouraged but not required to use a two-certificate chain
255 as well. Clients SHOULD NOT keep using the same certificates when
256 their IP address changes. Clients MAY send no certificates at all.
258 3. Cell Packet format
260 The basic unit of communication for onion routers and onion
261 proxies is a fixed-width "cell".
263 On a version 1 connection, each cell contains the following
268 Payload (padded with 0 bytes) [PAYLOAD_LEN bytes]
270 On a version 2 connection, all cells are as in version 1 connections,
271 except for the initial VERSIONS cell, whose format is:
273 Circuit [2 octets; set to 0]
274 Command [1 octet; set to 7 for VERSIONS]
275 Length [2 octets; big-endian integer]
276 Payload [Length bytes]
278 The CircID field determines which circuit, if any, the cell is
281 The 'Command' field holds one of the following values:
282 0 -- PADDING (Padding) (See Sec 7.2)
283 1 -- CREATE (Create a circuit) (See Sec 5.1)
284 2 -- CREATED (Acknowledge create) (See Sec 5.1)
285 3 -- RELAY (End-to-end data) (See Sec 5.5 and 6)
286 4 -- DESTROY (Stop using a circuit) (See Sec 5.4)
287 5 -- CREATE_FAST (Create a circuit, no PK) (See Sec 5.1)
288 6 -- CREATED_FAST (Circuit created, no PK) (See Sec 5.1)
289 7 -- VERSIONS (Negotiate proto version) (See Sec 4)
290 8 -- NETINFO (Time and address info) (See Sec 4)
291 9 -- RELAY_EARLY (End-to-end data; limited)(See Sec 5.6)
293 The interpretation of 'Payload' depends on the type of the cell.
294 PADDING: Payload is unused.
295 CREATE: Payload contains the handshake challenge.
296 CREATED: Payload contains the handshake response.
297 RELAY: Payload contains the relay header and relay body.
298 DESTROY: Payload contains a reason for closing the circuit.
300 Upon receiving any other value for the command field, an OR must
301 drop the cell. Since more cell types may be added in the future, ORs
302 should generally not warn when encountering unrecognized commands.
304 The payload is padded with 0 bytes.
306 PADDING cells are currently used to implement connection keepalive.
307 If there is no other traffic, ORs and OPs send one another a PADDING
308 cell every few minutes.
310 CREATE, CREATED, and DESTROY cells are used to manage circuits;
313 RELAY cells are used to send commands and data along a circuit; see
316 VERSIONS and NETINFO cells are used to set up connections. See section 4
319 4. Negotiating and initializing connections
321 4.1. Negotiating versions with VERSIONS cells
323 There are multiple instances of the Tor link connection protocol. Any
324 connection negotiated using the "certificates up front" handshake (see
325 section 2 above) is "version 1". In any connection where both parties
326 have behaved as in the "renegotiation" handshake, the link protocol
327 version is 2 or higher.
329 To determine the version, in any connection where the "renegotiation"
330 handshake was used (that is, where the server sent only one certificate
331 at first and where the client did not send any certificates until
332 renegotiation), both parties MUST send a VERSIONS cell immediately after
333 the renegotiation is finished, before any other cells are sent. Parties
334 MUST NOT send any other cells on a connection until they have received a
337 The payload in a VERSIONS cell is a series of big-endian two-byte
338 integers. Both parties MUST select as the link protocol version the
339 highest number contained both in the VERSIONS cell they sent and in the
340 versions cell they received. If they have no such version in common,
341 they cannot communicate and MUST close the connection.
343 Since the version 1 link protocol does not use the "renegotiation"
344 handshake, implementations MUST NOT list version 1 in their VERSIONS
349 If version 2 or higher is negotiated, each party sends the other a
350 NETINFO cell. The cell's payload is:
353 Other OR's address [variable]
354 Number of addresses [1 byte]
355 This OR's addresses [variable]
357 The address format is a type/length/value sequence as given in section
358 6.4 below. The timestamp is a big-endian unsigned integer number of
359 seconds since the Unix epoch.
361 Implementations MAY use the timestamp value to help decide if their
362 clocks are skewed. Initiators MAY use "other OR's address" to help
363 learn which address their connections are originating from, if they do
364 not know it. Initiators SHOULD use "this OR's address" to make sure
365 that they have connected to another OR at its canonical address.
367 [As of 0.2.0.23-rc, implementations use none of the above values.]
370 5. Circuit management
372 5.1. CREATE and CREATED cells
374 Users set up circuits incrementally, one hop at a time. To create a
375 new circuit, OPs send a CREATE cell to the first node, with the
376 first half of the DH handshake; that node responds with a CREATED
377 cell with the second half of the DH handshake plus the first 20 bytes
378 of derivative key data (see section 5.2). To extend a circuit past
379 the first hop, the OP sends an EXTEND relay cell (see section 5)
380 which instructs the last node in the circuit to send a CREATE cell
381 to extend the circuit.
383 The payload for a CREATE cell is an 'onion skin', which consists
384 of the first step of the DH handshake data (also known as g^x).
385 This value is hybrid-encrypted (see 0.3) to Bob's onion key, giving
388 Padding [PK_PAD_LEN bytes]
389 Symmetric key [KEY_LEN bytes]
390 First part of g^x [PK_ENC_LEN-PK_PAD_LEN-KEY_LEN bytes]
391 Symmetrically encrypted:
392 Second part of g^x [DH_LEN-(PK_ENC_LEN-PK_PAD_LEN-KEY_LEN)
395 The relay payload for an EXTEND relay cell consists of:
398 Onion skin [DH_LEN+KEY_LEN+PK_PAD_LEN bytes]
399 Identity fingerprint [HASH_LEN bytes]
401 The port and address field denote the IPv4 address and port of the next
402 onion router in the circuit; the public key hash is the hash of the PKCS#1
403 ASN1 encoding of the next onion router's identity (signing) key. (See 0.3
404 above.) Including this hash allows the extending OR verify that it is
405 indeed connected to the correct target OR, and prevents certain
406 man-in-the-middle attacks.
408 The payload for a CREATED cell, or the relay payload for an
409 EXTENDED cell, contains:
410 DH data (g^y) [DH_LEN bytes]
411 Derivative key data (KH) [HASH_LEN bytes] <see 5.2 below>
413 The CircID for a CREATE cell is an arbitrarily chosen 2-byte integer,
414 selected by the node (OP or OR) that sends the CREATE cell. To prevent
415 CircID collisions, when one node sends a CREATE cell to another, it chooses
416 from only one half of the possible values based on the ORs' public
417 identity keys: if the sending node has a lower key, it chooses a CircID with
418 an MSB of 0; otherwise, it chooses a CircID with an MSB of 1.
420 (An OP with no public key MAY choose any CircID it wishes, since an OP
421 never needs to process a CREATE cell.)
423 Public keys are compared numerically by modulus.
425 As usual with DH, x and y MUST be generated randomly.
427 5.1.1. CREATE_FAST/CREATED_FAST cells
429 When initializing the first hop of a circuit, the OP has already
430 established the OR's identity and negotiated a secret key using TLS.
431 Because of this, it is not always necessary for the OP to perform the
432 public key operations to create a circuit. In this case, the
433 OP MAY send a CREATE_FAST cell instead of a CREATE cell for the first
434 hop only. The OR responds with a CREATED_FAST cell, and the circuit is
437 A CREATE_FAST cell contains:
439 Key material (X) [HASH_LEN bytes]
441 A CREATED_FAST cell contains:
443 Key material (Y) [HASH_LEN bytes]
444 Derivative key data [HASH_LEN bytes] (See 5.2 below)
446 The values of X and Y must be generated randomly.
448 If an OR sees a circuit created with CREATE_FAST, the OR is sure to be the
449 first hop of a circuit. ORs SHOULD reject attempts to create streams with
450 RELAY_BEGIN exiting the circuit at the first hop: letting Tor be used as a
451 single hop proxy makes exit nodes a more attractive target for compromise.
453 5.2. Setting circuit keys
455 Once the handshake between the OP and an OR is completed, both can
456 now calculate g^xy with ordinary DH. Before computing g^xy, both client
457 and server MUST verify that the received g^x or g^y value is not degenerate;
458 that is, it must be strictly greater than 1 and strictly less than p-1
459 where p is the DH modulus. Implementations MUST NOT complete a handshake
460 with degenerate keys. Implementations MUST NOT discard other "weak"
463 (Discarding degenerate keys is critical for security; if bad keys
464 are not discarded, an attacker can substitute the server's CREATED
465 cell's g^y with 0 or 1, thus creating a known g^xy and impersonating
466 the server. Discarding other keys may allow attacks to learn bits of
469 If CREATE or EXTEND is used to extend a circuit, the client and server
470 base their key material on K0=g^xy, represented as a big-endian unsigned
473 If CREATE_FAST is used, the client and server base their key material on
476 From the base key material K0, they compute KEY_LEN*2+HASH_LEN*3 bytes of
477 derivative key data as
478 K = H(K0 | [00]) | H(K0 | [01]) | H(K0 | [02]) | ...
480 The first HASH_LEN bytes of K form KH; the next HASH_LEN form the forward
481 digest Df; the next HASH_LEN 41-60 form the backward digest Db; the next
482 KEY_LEN 61-76 form Kf, and the final KEY_LEN form Kb. Excess bytes from K
485 KH is used in the handshake response to demonstrate knowledge of the
486 computed shared key. Df is used to seed the integrity-checking hash
487 for the stream of data going from the OP to the OR, and Db seeds the
488 integrity-checking hash for the data stream from the OR to the OP. Kf
489 is used to encrypt the stream of data going from the OP to the OR, and
490 Kb is used to encrypt the stream of data going from the OR to the OP.
492 5.3. Creating circuits
494 When creating a circuit through the network, the circuit creator
495 (OP) performs the following steps:
497 1. Choose an onion router as an exit node (R_N), such that the onion
498 router's exit policy includes at least one pending stream that
499 needs a circuit (if there are any).
501 2. Choose a chain of (N-1) onion routers
502 (R_1...R_N-1) to constitute the path, such that no router
503 appears in the path twice.
505 3. If not already connected to the first router in the chain,
506 open a new connection to that router.
508 4. Choose a circID not already in use on the connection with the
509 first router in the chain; send a CREATE cell along the
510 connection, to be received by the first onion router.
512 5. Wait until a CREATED cell is received; finish the handshake
513 and extract the forward key Kf_1 and the backward key Kb_1.
515 6. For each subsequent onion router R (R_2 through R_N), extend
518 To extend the circuit by a single onion router R_M, the OP performs
521 1. Create an onion skin, encrypted to R_M's public onion key.
523 2. Send the onion skin in a relay EXTEND cell along
524 the circuit (see section 5).
526 3. When a relay EXTENDED cell is received, verify KH, and
527 calculate the shared keys. The circuit is now extended.
529 When an onion router receives an EXTEND relay cell, it sends a CREATE
530 cell to the next onion router, with the enclosed onion skin as its
531 payload. As special cases, if the extend cell includes a digest of
532 all zeroes, or asks to extend back to the relay that sent the extend
533 cell, the circuit will fail and be torn down. The initiating onion
534 router chooses some circID not yet used on the connection between the
535 two onion routers. (But see section 5.1. above, concerning choosing
536 circIDs based on lexicographic order of nicknames.)
538 When an onion router receives a CREATE cell, if it already has a
539 circuit on the given connection with the given circID, it drops the
540 cell. Otherwise, after receiving the CREATE cell, it completes the
541 DH handshake, and replies with a CREATED cell. Upon receiving a
542 CREATED cell, an onion router packs it payload into an EXTENDED relay
543 cell (see section 5), and sends that cell up the circuit. Upon
544 receiving the EXTENDED relay cell, the OP can retrieve g^y.
546 (As an optimization, OR implementations may delay processing onions
547 until a break in traffic allows time to do so without harming
548 network latency too greatly.)
550 5.3.1. Canonical connections
552 It is possible for an attacker to launch a man-in-the-middle attack
553 against a connection by telling OR Alice to extend to OR Bob at some
554 address X controlled by the attacker. The attacker cannot read the
555 encrypted traffic, but the attacker is now in a position to count all
556 bytes sent between Alice and Bob (assuming Alice was not already
559 To prevent this, when an OR we gets an extend request, it SHOULD use an
560 existing OR connection if the ID matches, and ANY of the following
562 - The IP matches the requested IP.
563 - The OR knows that the IP of the connection it's using is canonical
564 because it was listed in the NETINFO cell.
565 - The OR knows that the IP of the connection it's using is canonical
566 because it was listed in the server descriptor.
568 [This is not implemented in Tor 0.2.0.23-rc.]
570 5.4. Tearing down circuits
572 Circuits are torn down when an unrecoverable error occurs along
573 the circuit, or when all streams on a circuit are closed and the
574 circuit's intended lifetime is over. Circuits may be torn down
575 either completely or hop-by-hop.
577 To tear down a circuit completely, an OR or OP sends a DESTROY
578 cell to the adjacent nodes on that circuit, using the appropriate
581 Upon receiving an outgoing DESTROY cell, an OR frees resources
582 associated with the corresponding circuit. If it's not the end of
583 the circuit, it sends a DESTROY cell for that circuit to the next OR
584 in the circuit. If the node is the end of the circuit, then it tears
585 down any associated edge connections (see section 6.1).
587 After a DESTROY cell has been processed, an OR ignores all data or
588 destroy cells for the corresponding circuit.
590 To tear down part of a circuit, the OP may send a RELAY_TRUNCATE cell
591 signaling a given OR (Stream ID zero). That OR sends a DESTROY
592 cell to the next node in the circuit, and replies to the OP with a
593 RELAY_TRUNCATED cell.
595 When an unrecoverable error occurs along one connection in a
596 circuit, the nodes on either side of the connection should, if they
597 are able, act as follows: the node closer to the OP should send a
598 RELAY_TRUNCATED cell towards the OP; the node farther from the OP
599 should send a DESTROY cell down the circuit.
601 The payload of a RELAY_TRUNCATED or DESTROY cell contains a single octet,
602 describing why the circuit is being closed or truncated. When sending a
603 TRUNCATED or DESTROY cell because of another TRUNCATED or DESTROY cell,
604 the error code should be propagated. The origin of a circuit always sets
605 this error code to 0, to avoid leaking its version.
608 0 -- NONE (No reason given.)
609 1 -- PROTOCOL (Tor protocol violation.)
610 2 -- INTERNAL (Internal error.)
611 3 -- REQUESTED (A client sent a TRUNCATE command.)
612 4 -- HIBERNATING (Not currently operating; trying to save bandwidth.)
613 5 -- RESOURCELIMIT (Out of memory, sockets, or circuit IDs.)
614 6 -- CONNECTFAILED (Unable to reach server.)
615 7 -- OR_IDENTITY (Connected to server, but its OR identity was not
617 8 -- OR_CONN_CLOSED (The OR connection that was carrying this circuit
619 9 -- FINISHED (The circuit has expired for being dirty or old.)
620 10 -- TIMEOUT (Circuit construction took too long)
621 11 -- DESTROYED (The circuit was destroyed w/o client TRUNCATE)
622 12 -- NOSUCHSERVICE (Request for unknown hidden service)
624 5.5. Routing relay cells
626 When an OR receives a RELAY or RELAY_EARLY cell, it checks the cell's
627 circID and determines whether it has a corresponding circuit along that
628 connection. If not, the OR drops the cell.
630 Otherwise, if the OR is not at the OP edge of the circuit (that is,
631 either an 'exit node' or a non-edge node), it de/encrypts the payload
632 with the stream cipher, as follows:
633 'Forward' relay cell (same direction as CREATE):
634 Use Kf as key; decrypt.
635 'Back' relay cell (opposite direction from CREATE):
636 Use Kb as key; encrypt.
637 Note that in counter mode, decrypt and encrypt are the same operation.
639 The OR then decides whether it recognizes the relay cell, by
640 inspecting the payload as described in section 6.1 below. If the OR
641 recognizes the cell, it processes the contents of the relay cell.
642 Otherwise, it passes the decrypted relay cell along the circuit if
643 the circuit continues. If the OR at the end of the circuit
644 encounters an unrecognized relay cell, an error has occurred: the OR
645 sends a DESTROY cell to tear down the circuit.
647 When a relay cell arrives at an OP, the OP decrypts the payload
648 with the stream cipher as follows:
649 OP receives data cell:
651 Decrypt with Kb_I. If the payload is recognized (see
652 section 6..1), then stop and process the payload.
654 For more information, see section 6 below.
656 5.6. Handling relay_early cells
658 A RELAY_EARLY cell is designed to limit the length any circuit can reach.
659 When an OR receives a RELAY_EARLY cell, and the next node in the circuit
660 is speaking v2 of the link protocol or later, the OR relays the cell as a
661 RELAY_EARLY cell. Otherwise, it relays it as a RELAY cell.
663 If a node ever receives more than 8 RELAY_EARLY cells on a given
664 outbound circuit, it SHOULD close the circuit. (For historical reasons,
665 we don't limit the number of inbound RELAY_EARLY cells; they should
666 be harmless anyway because clients won't accept extend requests. See
669 When speaking v2 of the link protocol or later, clients MUST only send
670 EXTEND cells inside RELAY_EARLY cells. Clients SHOULD send the first ~8
671 RELAY cells that are not targeted at the first hop of any circuit as
672 RELAY_EARLY cells too, in order to partially conceal the circuit length.
674 [In a future version of Tor, servers will reject any EXTEND cell not
675 received in a RELAY_EARLY cell. See proposal 110.]
677 6. Application connections and stream management
681 Within a circuit, the OP and the exit node use the contents of
682 RELAY packets to tunnel end-to-end commands and TCP connections
683 ("Streams") across circuits. End-to-end commands can be initiated
684 by either edge; streams are initiated by the OP.
686 The payload of each unencrypted RELAY cell consists of:
687 Relay command [1 byte]
688 'Recognized' [2 bytes]
692 Data [CELL_LEN-14 bytes]
694 The relay commands are:
695 1 -- RELAY_BEGIN [forward]
696 2 -- RELAY_DATA [forward or backward]
697 3 -- RELAY_END [forward or backward]
698 4 -- RELAY_CONNECTED [backward]
699 5 -- RELAY_SENDME [forward or backward] [sometimes control]
700 6 -- RELAY_EXTEND [forward] [control]
701 7 -- RELAY_EXTENDED [backward] [control]
702 8 -- RELAY_TRUNCATE [forward] [control]
703 9 -- RELAY_TRUNCATED [backward] [control]
704 10 -- RELAY_DROP [forward or backward] [control]
705 11 -- RELAY_RESOLVE [forward]
706 12 -- RELAY_RESOLVED [backward]
707 13 -- RELAY_BEGIN_DIR [forward]
709 32..40 -- Used for hidden services; see rend-spec.txt.
711 Commands labelled as "forward" must only be sent by the originator
712 of the circuit. Commands labelled as "backward" must only be sent by
713 other nodes in the circuit back to the originator. Commands marked
714 as either can be sent either by the originator or other nodes.
716 The 'recognized' field in any unencrypted relay payload is always set
717 to zero; the 'digest' field is computed as the first four bytes of
718 the running digest of all the bytes that have been destined for
719 this hop of the circuit or originated from this hop of the circuit,
720 seeded from Df or Db respectively (obtained in section 5.2 above),
721 and including this RELAY cell's entire payload (taken with the digest
724 When the 'recognized' field of a RELAY cell is zero, and the digest
725 is correct, the cell is considered "recognized" for the purposes of
726 decryption (see section 5.5 above).
728 (The digest does not include any bytes from relay cells that do
729 not start or end at this hop of the circuit. That is, it does not
730 include forwarded data. Therefore if 'recognized' is zero but the
731 digest does not match, the running digest at that node should
732 not be updated, and the cell should be forwarded on.)
734 All RELAY cells pertaining to the same tunneled stream have the
735 same stream ID. StreamIDs are chosen arbitrarily by the OP. RELAY
736 cells that affect the entire circuit rather than a particular
737 stream use a StreamID of zero -- they are marked in the table above
738 as "[control]" style cells. (Sendme cells are marked as "sometimes
739 control" because they can take include a StreamID or not depending
740 on their purpose -- see Section 7.)
742 The 'Length' field of a relay cell contains the number of bytes in
743 the relay payload which contain real payload data. The remainder of
744 the payload is padded with NUL bytes.
746 If the RELAY cell is recognized but the relay command is not
747 understood, the cell must be dropped and ignored. Its contents
748 still count with respect to the digests, though.
750 6.2. Opening streams and transferring data
752 To open a new anonymized TCP connection, the OP chooses an open
753 circuit to an exit that may be able to connect to the destination
754 address, selects an arbitrary StreamID not yet used on that circuit,
755 and constructs a RELAY_BEGIN cell with a payload encoding the address
756 and port of the destination host. The payload format is:
758 ADDRESS | ':' | PORT | [00]
760 where ADDRESS can be a DNS hostname, or an IPv4 address in
761 dotted-quad format, or an IPv6 address surrounded by square brackets;
762 and where PORT is a decimal integer between 1 and 65535, inclusive.
764 [What is the [00] for? -NM]
765 [It's so the payload is easy to parse out with string funcs -RD]
767 Upon receiving this cell, the exit node resolves the address as
768 necessary, and opens a new TCP connection to the target port. If the
769 address cannot be resolved, or a connection can't be established, the
770 exit node replies with a RELAY_END cell. (See 6.4 below.)
771 Otherwise, the exit node replies with a RELAY_CONNECTED cell, whose
772 payload is in one of the following formats:
773 The IPv4 address to which the connection was made [4 octets]
774 A number of seconds (TTL) for which the address may be cached [4 octets]
776 Four zero-valued octets [4 octets]
777 An address type (6) [1 octet]
778 The IPv6 address to which the connection was made [16 octets]
779 A number of seconds (TTL) for which the address may be cached [4 octets]
780 [XXXX No version of Tor currently generates the IPv6 format.]
782 [Tor servers before 0.1.2.0 set the TTL field to a fixed value. Later
783 versions set the TTL to the last value seen from a DNS server, and expire
784 their own cached entries after a fixed interval. This prevents certain
787 The OP waits for a RELAY_CONNECTED cell before sending any data.
788 Once a connection has been established, the OP and exit node
789 package stream data in RELAY_DATA cells, and upon receiving such
790 cells, echo their contents to the corresponding TCP stream.
791 RELAY_DATA cells sent to unrecognized streams are dropped.
793 Relay RELAY_DROP cells are long-range dummies; upon receiving such
794 a cell, the OR or OP must drop it.
796 6.2.1. Opening a directory stream
798 If a Tor server is a directory server, it should respond to a
799 RELAY_BEGIN_DIR cell as if it had received a BEGIN cell requesting a
800 connection to its directory port. RELAY_BEGIN_DIR cells ignore exit
801 policy, since the stream is local to the Tor process.
803 If the Tor server is not running a directory service, it should respond
804 with a REASON_NOTDIRECTORY RELAY_END cell.
806 Clients MUST generate an all-zero payload for RELAY_BEGIN_DIR cells,
807 and servers MUST ignore the payload.
809 [RELAY_BEGIN_DIR was not supported before Tor 0.1.2.2-alpha; clients
810 SHOULD NOT send it to routers running earlier versions of Tor.]
814 When an anonymized TCP connection is closed, or an edge node
815 encounters error on any stream, it sends a 'RELAY_END' cell along the
816 circuit (if possible) and closes the TCP connection immediately. If
817 an edge node receives a 'RELAY_END' cell for any stream, it closes
818 the TCP connection completely, and sends nothing more along the
819 circuit for that stream.
821 The payload of a RELAY_END cell begins with a single 'reason' byte to
822 describe why the stream is closing, plus optional data (depending on
823 the reason.) The values are:
825 1 -- REASON_MISC (catch-all for unlisted reasons)
826 2 -- REASON_RESOLVEFAILED (couldn't look up hostname)
827 3 -- REASON_CONNECTREFUSED (remote host refused connection) [*]
828 4 -- REASON_EXITPOLICY (OR refuses to connect to host or port)
829 5 -- REASON_DESTROY (Circuit is being destroyed)
830 6 -- REASON_DONE (Anonymized TCP connection was closed)
831 7 -- REASON_TIMEOUT (Connection timed out, or OR timed out
833 8 -- (unallocated) [**]
834 9 -- REASON_HIBERNATING (OR is temporarily hibernating)
835 10 -- REASON_INTERNAL (Internal error at the OR)
836 11 -- REASON_RESOURCELIMIT (OR has no resources to fulfill request)
837 12 -- REASON_CONNRESET (Connection was unexpectedly reset)
838 13 -- REASON_TORPROTOCOL (Sent when closing connection because of
839 Tor protocol violations.)
840 14 -- REASON_NOTDIRECTORY (Client sent RELAY_BEGIN_DIR to a
841 non-directory server.)
843 (With REASON_EXITPOLICY, the 4-byte IPv4 address or 16-byte IPv6 address
844 forms the optional data, along with a 4-byte TTL; no other reason
845 currently has extra data.)
847 OPs and ORs MUST accept reasons not on the above list, since future
848 versions of Tor may provide more fine-grained reasons.
850 Tors SHOULD NOT send any reason except REASON_MISC for a stream that they
853 [*] Older versions of Tor also send this reason when connections are
855 [**] Due to a bug in versions of Tor through 0095, error reason 8 must
856 remain allocated until that version is obsolete.
858 --- [The rest of this section describes unimplemented functionality.]
860 Because TCP connections can be half-open, we follow an equivalent
861 to TCP's FIN/FIN-ACK/ACK protocol to close streams.
863 An exit connection can have a TCP stream in one of three states:
864 'OPEN', 'DONE_PACKAGING', and 'DONE_DELIVERING'. For the purposes
865 of modeling transitions, we treat 'CLOSED' as a fourth state,
866 although connections in this state are not, in fact, tracked by the
869 A stream begins in the 'OPEN' state. Upon receiving a 'FIN' from
870 the corresponding TCP connection, the edge node sends a 'RELAY_FIN'
871 cell along the circuit and changes its state to 'DONE_PACKAGING'.
872 Upon receiving a 'RELAY_FIN' cell, an edge node sends a 'FIN' to
873 the corresponding TCP connection (e.g., by calling
874 shutdown(SHUT_WR)) and changing its state to 'DONE_DELIVERING'.
876 When a stream in already in 'DONE_DELIVERING' receives a 'FIN', it
877 also sends a 'RELAY_FIN' along the circuit, and changes its state
878 to 'CLOSED'. When a stream already in 'DONE_PACKAGING' receives a
879 'RELAY_FIN' cell, it sends a 'FIN' and changes its state to
882 If an edge node encounters an error on any stream, it sends a
883 'RELAY_END' cell (if possible) and closes the stream immediately.
885 6.4. Remote hostname lookup
887 To find the address associated with a hostname, the OP sends a
888 RELAY_RESOLVE cell containing the hostname to be resolved with a NUL
889 terminating byte. (For a reverse lookup, the OP sends a RELAY_RESOLVE
890 cell containing an in-addr.arpa address.) The OR replies with a
891 RELAY_RESOLVED cell containing a status byte, and any number of
892 answers. Each answer is of the form:
895 Value (variable-width)
897 "Length" is the length of the Value field.
902 0xF0 -- Error, transient
903 0xF1 -- Error, nontransient
905 If any answer has a type of 'Error', then no other answer may be given.
907 The RELAY_RESOLVE cell must use a nonzero, distinct streamID; the
908 corresponding RELAY_RESOLVED cell must use the same streamID. No stream
909 is actually created by the OR when resolving the name.
915 Each client or relay should do appropriate bandwidth throttling to
918 Communicants rely on TCP's default flow control to push back when they
921 The mainline Tor implementation uses token buckets (one for reads,
922 one for writes) for the rate limiting.
924 Since 0.2.0.x, Tor has let the user specify an additional pair of
925 token buckets for "relayed" traffic, so people can deploy a Tor relay
926 with strict rate limiting, but also use the same Tor as a client. To
927 avoid partitioning concerns we combine both classes of traffic over a
928 given OR connection, and keep track of the last time we read or wrote
929 a high-priority (non-relayed) cell. If it's been less than N seconds
930 (currently N=30), we give the whole connection high priority, else we
931 give the whole connection low priority. We also give low priority
932 to reads and writes for connections that are serving directory
933 information. See proposal 111 for details.
937 Link padding can be created by sending PADDING cells along the
938 connection; relay cells of type "DROP" can be used for long-range
941 Currently nodes are not required to do any sort of link padding or
942 dummy traffic. Because strong attacks exist even with link padding,
943 and because link padding greatly increases the bandwidth requirements
944 for running a node, we plan to leave out link padding until this
945 tradeoff is better understood.
947 7.3. Circuit-level flow control
949 To control a circuit's bandwidth usage, each OR keeps track of two
950 'windows', consisting of how many RELAY_DATA cells it is allowed to
951 originate (package for transmission), and how many RELAY_DATA cells
952 it is willing to consume (receive for local streams). These limits
953 do not apply to cells that the OR receives from one host and relays
956 Each 'window' value is initially set to 1000 data cells
957 in each direction (cells that are not data cells do not affect
958 the window). When an OR is willing to deliver more cells, it sends a
959 RELAY_SENDME cell towards the OP, with Stream ID zero. When an OR
960 receives a RELAY_SENDME cell with stream ID zero, it increments its
963 Each of these cells increments the corresponding window by 100.
965 The OP behaves identically, except that it must track a packaging
966 window and a delivery window for every OR in the circuit.
968 An OR or OP sends cells to increment its delivery window when the
969 corresponding window value falls under some threshold (900).
971 If a packaging window reaches 0, the OR or OP stops reading from
972 TCP connections for all streams on the corresponding circuit, and
973 sends no more RELAY_DATA cells until receiving a RELAY_SENDME cell.
974 [this stuff is badly worded; copy in the tor-design section -RD]
976 7.4. Stream-level flow control
978 Edge nodes use RELAY_SENDME cells to implement end-to-end flow
979 control for individual connections across circuits. Similarly to
980 circuit-level flow control, edge nodes begin with a window of cells
981 (500) per stream, and increment the window by a fixed value (50)
982 upon receiving a RELAY_SENDME cell. Edge nodes initiate RELAY_SENDME
983 cells when both a) the window is <= 450, and b) there are less than
984 ten cell payloads remaining to be flushed at that edge.
986 A.1. Differences between spec and implementation
988 - The current specification requires all ORs to have IPv4 addresses, but
989 allows servers to exit and resolve to IPv6 addresses, and to declare IPv6
990 addresses in their exit policies. The current codebase has no IPv6