torproject/torspec
1
0
Fork 0
mirror of https://github.com/torproject/torspec.git synced 2024-12-12 20:55:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Prop 311: Add design for reachability circuits

Browse Source 
Update 4.2.3. Separate IPv4 and IPv6 Reachability Flags.

Add a detailed design for checking cells on reachability self-test
circuits.
This commit is contained in:
teor 2020-04-28 13:40:30 +10:00
parent 2e67ae1c70
commit f12126bd8a
No known key found for this signature in database
GPG Key ID: 10FEAA0E7075672A
1 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
proposals/311-relay-ipv6-reachability.txt
View File

@ -331,6 +331,50 @@ Ticket: #24404
Testing relays (and bridges) will record reachability separately for IPv4
and IPv6 ORPorts, based on the ORPort that the test circuit was received on.
Here is a reliable way to do reachability self-tests for each ORPort:
1. Check for create cells on inbound ORPort connections
Check for a cell on any IPv4 and any IPv6 ORPort. (We can't know which
listener(s) correspond to the advertised ORPorts, particularly when using
NAT.) Make sure the cell was received on an inbound OR connection.
2. Check for created cells from testing circuits on outbound OR connections
Check for a returned created cell on our IPv4 and IPv6 self-test circuits.
Make sure those circuits were on outbound OR connections.
By combining these tests, we confirm that we can:
* reach our own ORPorts with testing circuits,
* send and receive cells via inbound OR connections to our own ORPorts,
and
* send and receive cells via outbound OR connections to other relays'
ORPorts.
Once we validate the created cell, we have confirmed that the final remote
relay has our private keys. Therefore, this test reliably detects ORPort
reachability.
There is one exception: when another relay on the network is using the same
keys.
Duplicate keys are only possible if a relay's private keys have been copied
to another relay. That's either a misconfiguration, or a security issue.
Directory authorities ensure that only one relay with each key is included
in the consensus.
If a relay was set up using a copy of another relay's keys, then its
reachability self-tests might connect to that other relay. (If the second
hop in a testing circuit has an existing OR connection to the other relay.)
Relays could test if the inbound create cells they receive, match the
create cells that they have sent on self-test circuits.
But this seems like unnecessary complexity, because duplicate keys are
rare. At best, it would provide a warning for some operators who have
accidentally duplicated their keys. (But it doesn't provide any extra
security, because operators can disable self-tests using AssumeReachable.)
4.2.4. No Changes to DirPort Reachability
We do not propose any changes to relay IPv4 DirPort reachability checks at