Filename: 260-rend-single-onion.txt
Title: Rendezvous Single Onion Services
Author: Tim Wilson-Brown, John Brooks, Aaron Johnson, Rob Jansen, George Kadianakis, Paul Syverson, Roger Dingledine
Created: 2015-10-17
Status: Finished
Implemented-In: 0.2.9.3-alpha

1. Overview

   Rendezvous single onion services are an alternative design for single onion
   services, which trade service-side location privacy for improved
   performance, reliability, and scalability.

   Rendezvous single onion services have a .onion address identical to any
   other onion service. The descriptor contains the same information as the
   existing double onion (hidden) service descriptors. The introduction point
   and rendezvous protocols occur as in double onion services, with one
   modification: one-hop connections are made from the onion server to the
   introduction and rendezvous points.

   This proposal is a revision of the unnumbered proposal Direct Onion
   Services: Fast-but-not-hidden services by Roger Dingledine, and George
   Kadianakis at
   https://lists.torproject.org/pipermail/tor-dev/2015-April/008625.html

   It incorporates much of the discussion around hidden services since April
   2015, including content from Single Onion Services (Proposal #252) by John
   Brooks, Paul Syverson, and Roger Dingledine.

2. Motivation

   Rendezvous single onion services are best used by sites which:
      * Don't require location anonymity
      * Would appreciate lower latency or self-authenticated addresses
      * Would like to work with existing tor clients and relays
      * Can't accept connections to an open ORPort

   Rendezvous single onion services have a few benefits over double onion
   services:

      * Connection latency is lower, as one-hop circuits are built to the
        introduction and rendezvous points, rather than three-hop circuits
      * Stream latency is reduced on a four-hop circuit
      * Less Tor network capacity is consumed by the service, as there are
        fewer hops (4 rather than 6) between the client and server via the
        rendezvous point

   Rendezvous single onion services have a few benefits over single onion
   services:

      * A rendezvous single onion service can load-balance over multiple
        rendezvous backends (see proposal #255)
      * A rendezvous single onion service doesn't need an accessible ORPort
        (it works behind a NAT, and in server enclaves that only allow
        outward connections)
      * A rendezvous single onion service is compatible with existing tor
        clients, hidden service directories, introduction points, and
        rendezvous points

   Rendezvous single onion services have a few drawbacks over single onion
   services:

      * Connection latency is higher, as one-hop circuits are built to the
        introduction and rendezvous points. Single onion services perform one
        extend to the single onion service's ORPort only

   It should also be noted that, while single onion services receive many
   incoming connections from different relays, rendezvous single onion
   services make many outgoing connections to different relays. This should
   be taken into account when planning the connection capacity of the
   infrastructure supporting the onion service.

   Rendezvous single onion services are not location hidden on the service
   side, but clients retain all of the benefits and privacy of onion
   services. (The rationale for the 'single' and 'double' nomenclature is
   described in section 7.4 of proposal #252.)

   We believe that it is important for the Tor community to be aware of the
   alternative single onion service designs, so that we can reach consensus
   on the features and tradeoffs of each design. However, we recognise that
   each additional flavour of onion service splits the anonymity set of onion
   service users. Therefore, it may be best for user anonymity that not all
   designs are adopted, or that mitigations are implemented along with each
   additional flavour. (See sections 8 & 9 for a further discussion.)

3. Onion descriptors

   The rendezvous single onion descriptor format is identical to the double
   onion descriptor format.

4. Reaching a rendezvous single onion service as a client

   Clients reach rendezvous single onion services in an identical fashion
   to double onion services. The rendezvous design means that clients do not
   know whether they are talking to a double or rendezvous single onion
   service, unless that service tells them. (This may be a security issue.)

   However, the use of a four-hop path between client and rendezvous single
   onion service may be statistically distinguishable. (See section 8 for
   further discussion of security issues.)

   (Please note that this proposal follows the hop counting conventions in the
   tor source code. A circuit with a single connection between the client and
   the endpoint is one-hop; a circuit with 4 connections (and 3 nodes) between
   the client and endpoint is four-hop.)

5. Publishing a rendezvous single onion service

   To act as a rendezvous single onion service, a tor instance (or cooperating
   group of tor instances) must:

      * Publish onion descriptors in the same manner as any onion service,
        using three-hop circuits. This avoids service blocking by IP address.
        Proposal #224 (next-generation hidden services) avoids blocking by
        onion address.
      * Perform the rendezvous protocol in the same manner as a double
        onion service, but make the intro and rendezvous circuits one-hop.
        (This may allow intro and rendezvous points to block the service.)

5.1. Configuration options

5.1.1 RendezvousSingleOnionServiceNonAnonymousServer

   The tor instance operating a rendezvous single onion service must make
   one-hop circuits to the introduction and rendezvous points:

      RendezvousSingleOnionServiceNonAnonymousServer 0|1
        If set, make one-hop circuits between the Rendezvous Single Onion
        Service server, and the introduction and rendezvous points. This
        option makes every onion service instance hosted by this tor instance
        a Rendezvous Single Onion Service. (Default: 0)

   Because of the grave consequences of misconfiguration here, we have added
   'NonAnonymous' to the name of the torrc option. Furthermore, Tor MUST issue
   a startup warning message to operators of the onion service if this feature
   is enabled.
   [Should the name start with 'NonAnonymous' instead?]

   As RendezvousSingleOnionServiceNonAnonymousServer modifies the behaviour
   of every onion service on a tor instance, it is impossible to run hidden
   (double onion) services and rendezvous single onion services on the same
   tor instance. This is considered a feature, as it prevents hidden services
   from being discovered via rendezvous single onion services on the same tor
   instance.

5.1.2 Recommended Additional Options: Correctness

   Based on the experiences of Tor2Web with one-hop paths, operators should
   consider using the following options with every rendezvous single onion
   service, and every single onion service:
     
      UseEntryGuards 0
        One-hop paths do not use entry guards. This also deactivates the entry
        guard pathbias code, which is not compatible with one-hop paths. Entry
        guards are a security measure against Sybil attacks. Unfortunately,
        they also act as the bottleneck of busy onion services and overload
        those Tor relays.

      LearnCircuitBuildTimeout 0
        Learning circuit build timeouts is incompatible with one-hop paths.
        It also creates additional, unnecessary connections.

   Perhaps these options should be set automatically on (rendezvous) single
   onion services. Tor2Web sets these options automatically:
      UseEntryGuards 0
      LearnCircuitBuildTimeout 0

5.1.3 Recommended Additional Options: Performance

      LongLivedPorts
        The default LongLivedPorts setting creates additional, unnecessary
        connections. This specifies no long-lived ports (the empty list).

      PredictedPortsRelevanceTime 0 seconds
        The default PredictedPortsRelevanceTime setting creates additional,
        unnecessary connections.

   High-churn / quick-failover RSOS using descriptor competition strategies
   should consider setting the following option:

      RendPostPeriod 600 seconds
        Refresh onion service descriptors, choosing an interval between
        0 and 2*RendPostPeriod. Tor also posts descriptors on bootstrap, and
        when they change.
        (Strictly, 30 seconds after they first change, for descriptor
        stability.)

        XX - Reduce the minimum RendPostPeriod for RSOS to 1 minute?
        XX - Make the initial post 30 + rand(1*rendpostperiod) ?
             (Avoid thundering herd, but don't hide startup time)

   However, we do NOT recommend setting the following option to 1, unless bug
   #17359 is resolved so tor onion services can bootstrap without predicted
   circuits.

      __DisablePredictedCircuits 0
        This option disables all predicted circuits. It is equivalent to:
          LearnCircuitBuildTimeout 0
          LongLivedPorts
          PredictedPortsRelevanceTime 0 seconds
          And turning off hidden service server preemptive circuits, which is
          currently unimplemented (#17360)

5.1.4 Recommended Additional Options: Security

   We recommend that no other services are run on a rendezvous single onion
   service tor instance. Since tor runs as a client (and not a relay) by
   default, rendezvous single onion service operators should set:

      XX - George says we don't allow operators to run HS/Relay any more,
           or that we warn them.

      SocksPort 0
        Disallow connections from client applications to the tor network
        via this tor instance.

      ClientOnly 1
        Even if the defaults file configures this instance to be a relay,
        never relay any traffic or serve any descriptors.

5.2. Publishing descriptors

   A single onion service must publish descriptors in the same manner as any
   onion service, as defined by rend-spec.

5.3. Authorization

   Client authorization for a rendezvous single onion service is possible via
   the same methods used for double onion services.

6. Related Proposals, Tools, and Features

6.1. Load balancing

   High capacity services can distribute load and implement failover by:
      * running multiple instances that publish to the same onion service
        directories,
      * publishing descriptors containing multiple introduction points
        (OnionBalance),
      * publishing different introduction points to different onion service
        directories (OnionBalance upcoming(?) feature),
      * handing off rendezvous to a different tor instance via control port
        messages (proposal #255),
   or by a combination of these methods.

6.2. Ephemeral single onion services (ADD_ONION)

   The ADD_ONION control port command could be extended to support ephemerally
   configured rendezvous single onion services. Given that
   RendezvousSingleOnionServiceNonAnonymousServer modifies the behaviour of
   all onion services on a tor instance, if it is set, any ephemerally
   configured onion service should become a rendezvous single onion service.

6.3. Proposal 224 ("Next-Generation Hidden Services")

   This proposal is compatible with proposal 224, with onion services
   acting just like a next-generation hidden service, but making one-hop
   paths to the introduction and rendezvous points.

6.4. Proposal 246 ("Merging Hidden Service Directories and Intro Points")

   This proposal is compatible with proposal 246. The onion service will
   publish its descriptor to the introduction points in the same manner as any
   other onion service. Clients will use the merged hidden service directory
   and introduction point just as they do for other onion services.

6.5. Proposal 252 ("Single Onion Services")

   This proposal is compatible with proposal 252. The onion service will
   publish its descriptor to the introduction points in the same manner as any
   other onion service. Clients can then choose to extend to the single onion
   service, or continue with the rendezvous protocol.

   Running a rendezvous single onion service and single onion service allows
   older clients to connect via rendezvous, and newer clients to connect via
   extend. This is useful for the transition period where not all clients
   support single onion services.

6.6. Proposal 255 ("Hidden Service Load Balancing")

   This proposal is compatible with proposal 255. The onion service will
   perform the rendezvous protocol in the same manner as any other onion
   service. Controllers can then choose to handoff the rendezvous point
   connection to another tor instance, which should also be configured
   as a rendezvous single onion service.

7. Considerations

7.1 Modifying RendezvousSingleOnionServiceNonAnonymousServer at runtime
   
   Implementations should not reuse introduction points or introduction point
   circuits if the value of RendezvousSingleOnionServiceNonAnonymousServer is
   different than it was when the introduction point was selected. This is
   because these circuits will have an undesirable length.

   There is specific code in tor that preserves introduction points on a HUP,
   if RendezvousSingleOnionServiceNonAnonymousServer has changed, all circuits
   should be closed, and all introduction points must be discarded.

7.2 Delaying connection expiry

   Tor clients typically expire connections much faster than tor relays
   [citation needed].

   (Rendezvous) single onion service operators may find that keeping
   connections open saves on connection latency. However, it may also place an
   additional load on the service. (This could be implemented by increasing the
   configured connection expiry time.)

7.3. (No) Benefit to also running a Tor relay

   In tor Trac ticket #8742, running a relay and hidden onion service on the
   same tor instance was disabled for security reasons. While there may be
   benefits to running a relay on the same instance as a rendezvous single
   onion service (existing connections mean lower latency, it helps the tor
   network overall), a security analysis of this configuration has not yet
   been performed. In addition, a potential drawback is overloading a busy
   single onion service.

7.4 Predicted circuits

   We should look whether we can optimize further the predicted circuits that
   Tor makes as an onion service for this mode.

8. Security Implications

8.1 Splitting the Anonymity Set

   Each additional flavour of onion service, and each additional externally
   visible onion service feature, provides oportunities for fingerprinting.

   Also, each additional type of onion service shrinks the anonymity set for
   users of double onion (hidden) services who require server location
   anonymity. These users benefit from the cover provided by current users of
   onion services, who use them for client anonymity, self-authentication,
   NAT-punching, or other benefits.

   For this reason, features that shrink the double onion service anonymity
   set should be carefully considered. The benefits and drawbacks of
   additional features also often depend on a particular threat model.

   It may be that a significant number of users and sites adopt (rendezvous)
   single onion services due to their benefits. This could increase the
   traffic on the tor network, therefore increasing anonymity overall.
   However, the unique behaviour of each type of onion service may still be
   distinguishable on both the client and server ends of the connection.

8.2 Hidden Service Designs can potentially be more secure

   As a side-effect, by optimizing for performance in this feature, it
   allows us to lean more heavily towards security decisions for
   regular onion services.

8.3 One-hop onion service paths may encourage more attacks

   There's a possible second-order effect here since both RSOS
   and double onion services will have foo.onion addresses and it's
   not clear based on the address which one the service uses:
   if *some* .onion addresses are easy to track down, are we encouraging
   adversaries to attack all rendezvous points just in case?

9. Further Work

Further proposals or research could attempt to mitigate the anonymity-set
splitting described in section 8. Here are some initial ideas.

9.1 Making Client Exit connections look like Client Onion Service Connections

   A mitigation to this fingerprinting is to make each (or some) exit
   connections look like onion service connections. This provides cover for
   particular types of onion service connections. Unfortunately, it is not
   possible to make onion service connections look like exit connections,
   as there are no suitable dummy servers to exit to on the Internet.

9.1.1 Making Client Exit connections perform Descriptor Downloads

   (Some) exit connections could perform a dummy descriptor download.
   (However, descriptors for recently accessed onion services are cached, so
   dummy downloads should only be performed occasionally.)

   Exit connections already involve a four-hop "circuit" to the server
   (including the connection between the exit and the server on the Internet).
   The server on the Internet is not included in the consensus. Therefore,
   this mitigation would effectively cover single onion services which are not
   relays.

9.1.2 Making Client Exit connections perform the Rendezvous Protocol

   (Some) exit connections could perform a dummy rendezvous protocol.

   Exit connections already involve a four-hop "circuit" to the server
   (including the connection between the exit and the server on the Internet).
   Therefore, this mitigation would effectively cover rendezvous single onion
   services, as long as a dummy descriptor download was also performed
   occasionally.

9.1.3 Making Single Onion Service rendezvous points perform name resolution

   Currently, Exits perform DNS name resolution, and changing this behaviour
   would cause unacceptable connection latency. Therefore, we could make
   onion service connections look like exit connections by making the
   rendezvous point do name resolution (that is, descriptor fetching), and, if
   needed, the introduction part of the protocol. This could potentially
   *reduce* the latency of single onion service connections, depending on the
   length of the paths used by the rendezvous point.

   However, this change makes rendezvous points almost as powerful as Exits,
   a careful security analysis will need to be performed before this is
   implemented.

   There is also a design issue with rendezvous name resolution: a client
   wants to leave resolution (descriptor download) to the RP, but it doesn't
   know whether it can use the exit-like protocol with an RP until it has
   downloaded the descriptor. This might mean that single onion services of
   both flavours need a different address style or address namespace. We could
   use .single.onion or something. (This would require an update to the HSDir
   code.)

9.2 Performing automated and common queries over onion services

   Tor could create cover traffic for a flavour of onion service by performing
   automated or common queries via an onion service of that type. In addition,
   onion service-based checks have security benefits over DNS-based checks.
   See Genuine Onion, Syverson and Boyce, 2015, at
   http://www.nrl.navy.mil/itd/chacs/syverson-genuine-onion-simple-fast-flexible-and-cheap-website-authentication

   Here are some examples of automated queries that could be performed over
   an onion service:

9.2.1 torcheck over onion service

   torcheck ("Congratulations! This browser is configured to use Tor.") could
   be retrieved from an onion service.

   Incidentally, this would resolve the exitmap issues in #17297, but it
   would also fail to check that exit connections work, which is important for
   many Tor Browser users.

9.2.2 Tor Browser version checks over onion service

   Running tor browser version checks over an onion service seems to be an
   excellent use-case for onion services. It would also have the Tor Project
   "eating its own dogfood", that is, using onion services for its essential
   services.

9.2.3 Tor Browser downloads over onion service

   Running tor browser downloads over an onion service might require some work
   on the onion service codebase to support high loads, load-balancing, and
   failover. It is a good use case for a (rendezvous) single onion service,
   as the traffic over the tor network is only slightly higher than for
   Tor Browser downloads over tor. (4 hops for [R]SOS, 3 hops for Exit.)

9.2.4 SSL Observatory submissions over onion service

   HTTPS certificates could be submitted to HTTPS Everywhere's SSL Observatory
   over an onion service.

   This option is disabled in Tor Browser by default. Perhaps some users would
   be more comfortable enabling submission over an onion service, due to the
   additional security benefits.