[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #12595 [Tor]: Think of better data structures for guard nodes

Subject: Re: [tor-bugs] #12595 [Tor]: Think of better data structures for guard nodes
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Thu, 24 Jul 2014 13:45:13 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 24 Jul 2014 09:45:22 -0400
In-reply-to: <043.8aed29ef194bc60b4d050f66f2c368cc@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <043.8aed29ef194bc60b4d050f66f2c368cc@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#12595: Think of better data structures for guard nodes
------------------------+--------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.6.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-guard
Actual Points: | Parent ID:
Points: |
------------------------+--------------------------------

Comment (by asn):

Another thing that the new data structures should fix is the #12450
behavior. That is, the part of Tor that figures out that the net was
disabled and just came back up, and hence we need to retry our previous
guards.

Currently, the logic is as follows:
https://gitweb.torproject.org/tor.git/blob/d064773595f1d0bf1b76dd6f7439bff653a3c8ce:/src/or/entrynodes.c#l776

If we just added a new entry guard to our list and we managed to connect
to it, then we assume that the network just came back up: we enable the
`can_retry` field of all previous guards and kill the current connection
to the new guard. Then we retry guards from the beginning.

The assumption here is that since we had to add a new entry guard to the
list we have already exhausted all the already existing entry guards, and
hence we had a ''network down'' scenario.

This assumption is OK but not complete since it does not consider some
edge cases

As an example, it causes the #12450 bug, where the network comes back up
before we exhaust all the already existing entry guards. Since we didn't
have to add a new entry guard to the list, the ''network up'' event is not
detected and we keep on using that entry guard we ended up with.

The new data structures and methods should take this into account.

----

There are various kludg!^Wways to fix this issue. Some ideas:

a) Everytime we manage to connect to a guard, if it's not the first guard
in our list, we mark all previous guards as retriable, and try from the
top.
b) Everytime we manage to connect to a guard, if we have previously failed
to connect to other guards in this session, we mark '''all other guards'''
as retriable and try from the top.
c) Everytime we manage to connect to a guard, if we have previously failed
to connect to a guard in this session, we mark '''those previously
attempted''' guards as retriable and try from the top.

All the above ideas will also need some way to stop them from infinite
looping.

----

From the above ideas, I can see some problems with (b) and (c) because its
memory is restricted to a single session. Example: Network goes down, Tor
tries some guards and marks them as unreachable. Tor gets shut down. Tor
starts up again when the network is back up, manages to connect to a guard
and stays with that guard (which is not the top one).

(a) is a bit more bulletproof since it will always try to use the top
guards, but it also has its problems. First of all, there needs to be a
system to stop it from infinite looping, since if your first guard is
actually down, we shouldn't keep on retrying it.

Assuming that there is some sort of infinite loop protection, you can
imagine the following (unlikely) race condition problem. Tor starts up,
network down, Tor tries various guards. Network goes up and we connect to
a guard. We notice that network goes up, and we mark all previous guards
as retriable. Before starting from the top, network goes down again, Tor
finds the first few guards unreachable, and then network goes up again and
we connect to the entry guard we were examining at that point (which is
not the top one).

Furthermore, it's worth having in mind that such probing behaviors can
also act as a guard fingerprint (similar to #10969). For example, let's
assume the (a) behavior and assume that the first two guards of your entry
guard list are actually down (quite common). Everytime you mark your
guards as retriable and go from the top, you will also probe those two
entry guards that are down. Your ISP will be able to see both of those
probes plus the connection to the third guard that actually succeeds.
These three connections should be enough to form a fingerprint.

Guess what, more research is needed.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12595#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #12595 [Tor]: Think of better data structures for guard nodes
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #12688 [Tor]: Make NumEntryGuards configurable by the consensus
Next by Author: [tor-bugs] #12696 [- Select a component]: E Sigarets â The Info, Benefits, Pricing
Previous by thread: Re: [tor-bugs] #12595 [Tor]: Think of better data structures for guard nodes
Next by thread: Re: [tor-bugs] #12595 [Tor]: Think of better data structures for guard nodes
Index(es):
- Author
- Thread