``` Filename: 237-directory-servers-for-all.txt Title: All relays are directory servers Author: Matthew Finkel Created: 29-Jul-2014 Status: Closed Target: 0.2.7.x Implemented-in: 0.2.8.1-alpha Supersedes: 185 Overview: This proposal aims at simplying how users interact directly with the Tor network by turning all relays into directory servers (also known as directory caches), too. Currently an operator has the options of running a relay, a directory server, or both. With the acceptance (and implementation) of this proposal the options will be simplified by having (nearly) all relays cache and serve directory documents, without additional configuration. Motivation: Fetching directory documents and descriptors is not always a simple operation for a client. This is especially true and potentially dangerous when the client would prefer querying its guard but its guard is not a directory server. When this is the case, the client must choose and query a distinct directory server. At best this should not be necessary and at worst, it seems, this adds another position within the network for profiling and partitioning users. With the orthogonally proposed move to clients using a single guard, the resulting benefits could be reduced by clients using distinct directory servers. In addition, in the case where the client does not use guards, it is important to have the largest possible amount of diversity in the set of directory servers. In a network where (almost) every relay is a directory server, the profiling and partitioning attack vector is reduced to the guard (for clients who use them), which is already in a privileged position for this. In addition, with the increased set size, relay descriptors and documents are more readily available and it diversifies the providers. Design: The changes needed to achieve this should be simple. Currently all relays download and cache the majority of relay documents in any case, so the slight increased memory usage from downloading all of them should have minimal consequences. There will be necessary logical changes in the client, router, and directory code. Currently directory servers are defined as such if they advertise having an open directory port. We can no longer assume this is true. To this end, we will introduce a new server descriptor line. "tunnelled-dir-server" NL [At most once] [No extra arguments] The presence of this line indicates that the relay accepts tunnelled directory requests. For a relay that implements this proposal, this line MUST be added to its descriptor if it does not advertise a directory port, and the line MAY be added if it also advertises an open directory port. In addition to this, relays will now download and cache all descriptors and documents listed in the consensus, regardless of whether they are deemed useful or usable, exactly like the current directory server behavior. All relays will also accept directory requests when they are tunnelled over a connection established with a BEGIN_DIR cell, the same way these connections are already accepted by bridges and directory servers with an open DirPort. Directory Authorities will now assign the V2Dir flag to a server if it supports a version of the directory protocol which is useful to clients and it has at least an open directory port or it has an open and reachable OR port and advertises "tunnelled-dir-server" in its server descriptor. Clients choose a directory by using the current criteria with the additional criterion that a server only needs the V2Dir status flag instead of requiring an open DirPort. Security Considerations and Implications: Currently all directory servers are explicitly configured. This is necessary because they must have a configured and reachable external port. However, within Tor, this requires additional configuration and results in a reduced number of directory servers in the network. As a consequence, this could allow an adversary to control a non-negligable fraction of the servers. By increasing the number of directory servers in the network the likelihood of selecting one that is malicious is reduced. Also, with this proposal, it will be more likely that a client's entry guard is also a directory server (as alluded to in Proposal 207). However, the reduced anonymity set created when the guard does not have, or is unwilling to distribute, a specific document still exists. With the increased diversity in the available servers, the impact of this should be reduced. Another question that may need further consideration is whether we trust bad directories to be good guards and exits. Specification: The version 3 directory protocol specification does not currently document the use of directory guards. This spec should be updated to mention the preferred use of directory guards during directory requests. In addition, the new criteria for assigning the V2Dir flag should be documented. Impact on local resources: Should relays attempt to download documents from another mirror before asking an authority? All relays, with minor exceptions, will now contact the authorities for documents, but this will not scale well and will partition users from relays. If all relays become directory servers, they will choose to download all documents, regardless of whether they are useful, in case another client does want them. This will have very little impact on the most relays, however on memory constrained relays (BeagleBone, Raspberry Pi, and similar), every megabyte allocated to directory documents is not available for new circuits. For this reason, a new configuration option will be introduced within Tor for these systems, named DirCache, which the operator may choose to set as 0, thus disabling caching of directory documents and denying client directory requests. Future Considerations: Should the DirPort be deprecated at some point in the future? Write a proposal requiring that a relay must have the V2Dir flag as a criterion for being a guard. Is V2Dir a good name for this? It's the name we currently use, but that's a silly reason to continue using it. ```