13:32:31 #startmeeting 13:32:31 Meeting started Wed May 27 13:32:31 2015 UTC. The chair is nickm. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:32:31 Useful Commands: #action #agreed #help #info #idea #link #topic. 13:32:36 hi friends 13:32:45 another week it is ! 13:32:46 hi! 13:33:14 I am tired from insufficient sleeping. But let's do this! 13:33:28 let's start with status reports? 13:33:30 <- tired 13:33:35 uh sure 13:33:40 I can go, since it'll be short 13:34:13 I poked at the DoS issues and got really depressed about burning a bunch of time to keep darknet markets up when they decided to DoS each other. 13:34:35 I have more ideas here (Eg rate limiting INTRO2 processing) that will increase robustness 13:34:45 also poked at a bunch of TLS/SSL stuff with nickm 13:35:01 thanks about the tls stuff. 13:35:10 plans are, "finish flipping out about my living situation, poke at everything that needs fixing and try to make the world a better place" 13:35:12 np 13:35:26 i think, if openssl takes my patches, we might be ok 13:35:27 I owe you review for the 1.1 branch with our new accessors 13:35:41 indeed, I peeked at the branches you had and they seemed sane 13:35:46 * asn here 13:35:50 Oh 13:36:03 ? 13:36:06 I also briefly wore the Research Director hat and talked to the Astoria people 13:36:19 yes, and thanks on that 13:36:22 but it looks like arma/aaron have that well in hand 13:36:37 still though, we need more folks doing that stuff 13:36:39 and I am less flipping out about their code drop, and am really glad they are working on that problem 13:36:45 yes 13:36:55 I figured arma is busy, and I might as well contact them 13:37:03 nice 13:37:20 turned out ok, and I avoided my usual snark 13:37:21 has anyone asked them about licenses? 13:37:22 >.> 13:37:32 neg, since it's an external process anyway 13:37:39 hm 13:37:42 One thing one of us should ask them about 13:38:24 is "what would they like to see as far as, 'if tor would officilally support external path selection helpers, what would you want the itnerface to be like'" 13:38:37 since we have this grand modularization plan 13:38:37 yeah 13:38:48 yep nice 13:38:55 and they basically kludged it in for their helper 13:39:02 they probably have insight there we can draw on 13:39:22 (ok, I'm done 4 reals now ;P) 13:39:45 (ask me elsewhere about what I mean about living situation, unless you've seen my rants already :P ) 13:40:09 Yawning: where should we ask them that question? 13:40:16 Yawning: are they active on an ML? 13:40:19 Yawning: or is there a thread running 13:40:24 it seems like a question worth asking. 13:41:15 who's next, btw? 13:41:22 i can go. 13:41:25 don't have much news. 13:41:30 also helped around with the DoS issues. 13:41:43 updated the pad a bit on the guard stuff today 13:41:46 (the first nontrivial controller i wrote was a path selection replacement) 13:41:56 that's that :) 13:42:27 asn: tor-assistants@ has the thread started that has them in the loop 13:42:33 asn: otherwise tor-dev maybe 13:42:43 i can have some little-t-tor time this week, so if you want to me to do something i can do it. 13:42:53 my current plan is to review (parts of the) ed25519 branch of nick, 13:43:11 asn: I'll prolly ask for testing help/review for the rate limiter I plan to add 13:44:04 ok here goes mine: 13:44:09 I was afk for 3 days last week for a security conference, #16120 was opened befo 13:44:10 re that, did a partial review yesterday on #12498 and will continue today if tim 13:44:10 e allow it. Been studying guard stuff this morning. 13:44:18 (woa wrapping..) 13:44:52 (i also reviewed #8243 and #4862) 13:44:55 (I still think kernel notification/polling based stuff is worth adding there) 13:45:49 asn: oh didn't notice! awesome 13:47:40 woo on everybody looking at all this stuff. 13:48:12 so I guess it's over to me 13:48:33 I've been distracted (again) with company stuff, but I managed to get some coding in 13:48:56 I've written fixes to get us working with openssl 1.1 ( I hope) 13:49:15 and I've fixed the issues dgoulet and athena found with my 12498 patch 13:49:32 and I've chugged away at getting the link handshake part of prop220 done. 13:49:36 (So many certificates!) 13:50:13 also, more patches to merge all the time, and need to think about guards. 13:50:16 and that's me. 13:50:21 anybody else here today? 13:51:37 o.o 13:52:28 fine with moving to the guard part fwiw 13:52:46 ok. let's talk about guards. 13:52:59 :) 13:53:02 we have that pad at https://etherpad.mozilla.org/HsR7ubjcUC 13:53:21 (err, ,unless there is another discussion topic. if so, let's do the other thing first) 13:53:25 (this will take a while) 13:54:53 ok, let's say it's guard time then. 13:54:57 ok 13:55:02 (cool to see everybody so eager!) 13:55:31 I think during 0.2.6 we got pretty close to a workable data structure and design, but kinda stepped back for stability reasons 13:55:39 there are many parts on the guard problem. maybe it makes sense to separate them into modules, and have each person think and do one part? 13:56:14 like, we could consider the prop#241 as orthogonal to the "network down" project. 13:56:38 hmm. 13:56:56 I kinda feel like the problem there is that any solution to prop241 needs to handle network down, right? 13:57:06 it seems so. 13:57:09 yes 13:58:52 but if someone builds the network down event as a primitive, it could be used as a black box on prop#241. 13:59:06 ah, I see 13:59:11 (Is that someone going to be me?) 13:59:20 I think we need to be a little cautious about relying on network-down 13:59:26 right 13:59:28 for sure 13:59:33 like, we can detect no-route or no-interface 13:59:54 indeed. in that case "network is down" for sure. 13:59:57 but "firewalled upstream by a mean wifi access point" is not really detectable so immediately 14:00:03 exactly 14:00:04 indeed 14:00:28 we could build heuristics for captive portals. but then we are digging the rabithole ourselves. 14:00:30 so we need to treat that kind of thing as the worst-case scenario, and handle it 14:00:35 right 14:00:46 if there's an optimization for no-route, that's cool... 14:01:20 ...but we need to consider whether a solution for no-route falls out of the worst-case case 14:01:55 the strawman algo i suggested for the captive portal worst case scenario is: 14:01:58 "Everytime we manage to connect to a guard, if it's not the first guard in our list, we mark all previous guards as retriable, and try from the top." 14:02:12 but this messes up lots of assumptions of prop#241, and other things. 14:02:23 it also seems like it has an infinite loop 14:02:29 but it ensures that we (almost) always use the top guard we can. 14:02:30 yes 14:02:43 and it seems like , if the network is really down, we try every possible guard 14:03:13 that's similar to the current behavior. 14:03:23 sure, but it's still not good :) 14:03:30 yep 14:04:53 ok 14:04:58 maybe we should think of this worst case scenario 14:05:06 and think about what we would like to happen in the following cases: 14:05:12 - network is actually down 14:05:18 - network is up but some top guards are down 14:05:21 - we are under path bias attack 14:05:41 and see if our behavior has any common elements? 14:05:42 oh good I see a nickm putting that on the pad :) 14:05:45 - we are on a 'fascistfirewall' 14:06:08 yes 14:07:04 also see the 'dynamic' cases I added; those are the transitions we need to handle 14:07:12 aha 14:07:13 Are there other cases we need to handle ? 14:07:54 should we think about all these cases differnetly for cirucit guards and dir guards? 14:08:32 do we keep the guard "object" if guard goes down? (for a single consensus) 14:08:45 meaning what if gaurd goes down and up in 5 minutes ? 14:09:11 (afk ish, rage hacking) 14:10:13 nickm: we also need to think of behaviors for when the prop#241 events happen, but not sure if that section is right for this. 14:10:30 prop241 == targetted guard dos? 14:10:31 yes 14:10:44 CONNECTED_THRESHOLD CANDIDATE_THRESHOLD etc. 14:10:59 better add it to the list 14:11:39 asn: dunno about handling dir and circ guards differently 14:12:13 it seems like we want to treat them differently because of the directory path bias attacks we had discussed 14:12:24 but at the same time, it would more elegant if we didn't treat them differently. 14:13:07 and also, ideally your circuit guard should also be your dir guard, so there should probably be a single list of guards. 14:13:16 maybe it would help to summarize desired behavior in some of the cases (all?) and then figure out one algorithm that gets it? 14:13:22 aha 14:13:28 i could get behind that 14:14:27 btw, what's the problem with looping over all guards repeatedly when the network is actually down? 14:14:31 except that it's stupid. 14:14:46 is there a security issue? assuming that we manage to go back to the top guard when the network gets up again? 14:16:03 seems noisy; seems like the kind of thing somebody smart could do something eeevil with 14:16:16 not that I can think of the evil thing today, but it gives me a bad feeling 14:16:22 ack 14:16:25 (Does anybody else get a bad feeling there too?) 14:17:11 i get a bad feeling too. but can't think of better behaviors, in the absense of a reliable ntwork down primitive. 14:17:19 defenitively a bad feeling for me 14:17:27 also I guess, what i should have siad is loop over CANDIDATE_THRESHOLD guards repeatedly 14:17:30 instead of the whole list. 14:17:37 using prop241 again 14:18:22 do web browsers have good network down detectors? or they suck as well? 14:18:30 looping over candidate_threshold guards feels less bad. 14:18:36 asn: they probably suck 14:19:07 (pts/upstream proxys also complicate matters somewhat) 14:19:27 right 14:20:07 indeed 14:21:17 if we can handle proxies + captive portal, we can handle anything :) 14:22:24 should we treat captive protal as a different case than fascistfirewall or "netowrk is actually down"? 14:22:50 probably different than fascistfw, but quite similar to the "network is actually down" in many respects. 14:23:54 i think it is one case of "network is down" 14:24:01 maybe 14:24:10 at least that's how i was thinking of it 14:24:13 yes me too i think 14:24:40 fascisctfw is different thought. ffw looks like a filtering attack 14:25:36 [and ffw can be an attack. Like, one way to force people to your chosen guard is to run an access point that allows only connections to port 13337, and run your guard on that port.] 14:25:56 right 14:26:28 should we treat: 14:26:29 - network is actually down 14:26:31 and 14:26:34 - The network was up but goes down. 14:26:38 as differerent cases? 14:26:45 is the first one "WE just started Tor and network is actually down"? 14:26:53 wheras the second one happens in the middle of the session? 14:28:25 I don't think those are different cases; the reason that I emphasized the transition is that we need to make sure any algorithm we come up with can handle the transitions 14:28:32 ack 14:29:10 i think it might be beneficial to think of these cases, and come up with ideal behaviors 14:29:12 I wonder, are there any of those cases where the correct behavior is uncertain? 14:30:07 hm maybe 14:30:18 i imagine that more variables need to pinned down as well. 14:30:37 hm 14:31:37 nickm: we can try stating correct behavior and see what we come up with? 14:31:47 i imagine that some corect behaviors will be conflicting with each other. 14:32:52 and maybe it also depends on whether we want to optimize towards security or reachability on the correct behavior. 14:33:17 like on the ffw case, if we optimize towards reachability we just want to try more and more guards till we find one that fits through the ffw 14:33:27 but if we optimize towards security we want to enforce prop241 limits early maybe. 14:34:40 yeah 14:34:55 ok, we've got a framework and a start. 14:35:15 once we know right behavior (and I'm optimistic!) we can think about what algorithm would tell it to us 14:35:21 let's think more about these cases and ideal behavior and revisit next week? 14:35:25 same time maybe? 14:36:25 sounds good. let's try to come up with strawman algorithms though 14:36:48 ok 14:36:50 i (perhaps wrongly) think best behavior is something we will be able to decide easily. :) 14:36:51 (if y'all need me to explain how to detect interface/routing table status let me know, or I can just write it) 14:37:05 first let's make sure it's useful. :) 14:37:09 It's cool for certain 14:37:43 from this chat, it seems like any kind of network down detector will be helpful as an optimization, but we will never actually be able to rely on it for all cases. 14:37:53 fyi, I think it would be useful also for HS to have net down/up event 14:37:59 well, we need it for other reasons 14:37:59 right. but let's figure out how helpful 14:38:00 but yeah 14:38:13 sounds good 14:38:19 (see the bug that spawned my netlink branch for why) 14:38:25 yeah. also , let's remember all the stuf we already triaged into 0.2.7. Surely some of that is valuable :) 14:42:31 sounds good. 14:42:34 ok. 14:42:39 i think we have a course of action for next week. 14:42:47 personally, i will try to think of ideal behaviors and strawman algos 14:42:55 yup. thanks! i will try too. 14:42:58 great 14:43:07 the more hte merrier. 14:43:09 #endmeeting