tor/doc/spec/proposals/171-separate-streams.txt

Filename: 171-separate-streams-by-port-or-host.txt
Title: Separate streams across circuits by destination port or destination host
Author: Robert Hogan, Jacob Appelbaum, Damon McCoy
Created: 21-Oct-2008
Modified: 30-Aug-2010
Status: Draft

Motivation:

Streams are currently attached to circuits without regard to their content,
destination host, or destination port. We propose three options,
IsolateBySOCKSUser, IsolateStreamsByPort and IsolateStreamsByHost to change the
default behavior.

The contents of some streams will always have revealing plain text information;
these streams should be treated differently than other streams that may or may
not have unencrypted PII content. DNS, with the exception of DNSCurve, is
always unencrypted. It is reasonable to assume that other protocols may exist
that have a similar issue and may cause user concern. It is also the case that
we must balance network load issues and stream privacy. The Tor network will not
currently scale to one circuit per application connection nor should it anytime
soon.

Circuits are currently created with a few constraints and are rotated within
a reasonable time window. This allows a rogue exit node to correlate all
streams on a given circuit.

Design:

We propose two options for isolation of streams that lessen the observability
and linkability of the Tor client's traffic.

IsolateStreamsByPort will take a list of ports or optionally the keyword 'All'
in place of a port list. The use of the keyword 'All' will ensure that all
application connections attached to streams will be isolated to separate
circuits by port number.

IsolateStreamsByHost will take a boolean value. When enabled, all application
connections, regardless of port number will be isolated with separate circuits
per host. If this option is enabled, we should ensure that the client has a
reasonable number of pre-built circuits to ensure perceived performance. This
should also intentionally limit the total number of circuits a client will
build to ten circuits to prevent abuse and load on the network. This is a
trade-off of performance for anonymity. Tor will issue a warning if a client
encounters this limit.

IsolateBySOCKSUser will take a boolean value. When enabled, all application
connections, regardless of port number will be isolated with separate circuits
per SOCKS username. This options ensures that any two streams that were created
with different SOCKS usernames will be sent over different circuits.  The empty
username will be treated as its own username different from all other usernames.

Security implications:

It is believed that the proposed changes will improve the anonymity for end
user stream privacy.  The end user will no longer link all streams at a single
exit node during a given time window.

There is a possible attack where a hostile web page possibly in collusion with
an exit node contains image links for images at (say) "evil.example.com:53" and
"evil.example.com:31337", and thereby (if they're lucky) correlate port-80
circuits with port-53 and port-31337 circuits.

Specification:

The Tor client circuit selection process is not entirely specified. Any client
circuit specification must take these changes into account.

Compatibility:

The proposed changes should not create any compatibility issues. New Tor clients
will be able to take advantage of this without any modification to the network.

Implementation:

It is further proposed that IsolateStreamsByPort will be enabled by default
for port 22, 53, and port 80.

It is further proposed that IsolateStreamsByHost will be disabled by default.

Implementation notes:

The implementation of this option may want to consider cases where the same
exit node is shared by two or more circuits and IsolateStreamsByPort is in
force. Since the purpose of the option is to reduce the opportunity of Exit
Nodes to attack traffic from the same source on multiple ports, the
implementation may need to ensure that circuits reserved for the exclusive use
of given ports do not share the same exit node.

Circuits should not be shared by unique clients. Tor should check to ensure
that peer IP addresses are identical when they connect to the SOCKS listener or
the TransPort listener before sharing a circuit. If the addresses are not
identical, Tor should ensure that the circuits are not shared.

Performance and scalability notes:

It is further proposed that IsolateStreamsByPort will be enabled by default for
all ports after a reasonable assessment is performed. Specifically, we should
determine the impact this option has on Tor clients and the Tor network.