[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #11743 [Tor]: nodelist_add_microdesc: assign md to all appropriate nodes properly



#11743: nodelist_add_microdesc: assign md to all appropriate nodes properly
-----------------------------+--------------------------------------
     Reporter:  cypherpunks  |      Owner:
         Type:  defect       |     Status:  new
     Priority:  major        |  Milestone:  Tor: 0.2.5.x-final
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:  tor-relay needs-proposal
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+--------------------------------------
Changes (by nickm):

 * priority:  normal => major
 * keywords:   => tor-relay needs-proposal
 * milestone:   => Tor: 0.2.5.x-final


Comment:

 Hm. There are a lot of options here.  Let's find the best one we can do
 quickly, and then the best one to do long-term.

 '''(A)''' Proposal 228 ('''cross-certify identity keys with onion keys''')
 would help here somewhat, but in 0.2.5 we would still need a way for
 authorities to enforce uniqueness on microdescriptors, since proposal 228
 isn't even implemented yet, much less deployed to all routers.

 '''(B)''' Probably the best way to prevent md hash duplication would be to
 this would be to add a new consensus algorithm to '''add a distinguisher
 to any microdescriptors'''. Adding a short hash of the identity key to all
 microdescriptors (say, 128 bits, since we're worried about preimages and
 not collisions) would be adequate there.

 '''(C)''' One thing that ''isn't'' easy to do would be '''adding the
 distinguisher only when two microdescriptors would collide'''.  But that
 isn't easy, since we might not know that they will collide until all the
 votes are in.  (Consider what happens if n/2+1 of the authorities vote for
 router A, and n/2+1 vote for router B, and both routers have the same
 microdescriptors, but .)

 '''(D)''' We can also, as a stopgap, '''refuse to vote for two routers
 with the same onion key''', if we have a reasonably good way to be sure
 that we are voting for the right router.

 '''(E)''' Another way would be to '''reject any router that uses the same
 onion key as another router''' if we can't build circuits through it,
 though I don't know if the authorities' testing mechanisms currently try
 circuit building.

 '''(F)''' A final fix here would be to '''fix all the client code''' to
 allow multiple nodes to share a microdescriptor.  I don't think that's a
 great idea for 0.2.5, since the code there might be fragile.  I'm not sure
 it's a good idea for 0.2.6 either, since nodes really ''shouldn't'' share
 microdescriptors.

 So my inclination here is to do (B) and/or (D) in Tor 0.2.5, and (A) in
 Tor 0.2.6.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11743#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs