[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal: The move to two guard nodes

To: Mike Perry <mikeperry@xxxxxxxxxxxxxx>, tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Proposal: The move to two guard nodes
From: George Kadianakis <desnacked@xxxxxxxxxx>
Date: Thu, 12 Apr 2018 19:25:39 +0300
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 12 Apr 2018 12:26:03 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1523550347; bh=fvMByFDcDRXDdXr32EBPOVS26ES9KdamIFCNb4IzoUg=; h=From:To:Subject:In-Reply-To:References:Date:From; b=Q9aVa56DUtVchL8klXAAwtx+SI/HSCUhvSVyVm9MYasQ5Dz2oEhGxeQeorjBXYOXX py94GVCziQ/DcncS53ZPOxLaUHjhmLR1Muu3vTX7EcCvxRWBOg3riW2vUkLBQPOK+b D35u1krXF4iCxjoX1px+QFfTojQr2vCVNc9c8AKY=
In-reply-to: <20180331065251.GC1608@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <20180331065251.GC1608@torproject.org>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Mike Perry <mikeperry@xxxxxxxxxxxxxx> writes:

> In-line below for ease of comment. Also available at:
> https://gitweb.torproject.org/user/mikeperry/torspec.git/tree/proposals/xxx-two-guard-nodes.txt?h=twoguards
>
> ===========================
>
> Filename: xxx-two-guard-nodes.txt
> Title: The move to two guard nodes
> Author: Mike Perry
> Created: 2018-03-22
> Supersedes: Proposal 236
>
> <snip>
>
> 3.1. Eliminate path restrictions entirely
>
>   If Tor decided to stop enforcing /16, node family, and also allowed the
>   guard node to be chosen twice in the path, then under normal conditions,
>   it should retain the use of its primary guard.
>
>   This approach is not as extreme as it seems on face. In fact, it is hard
>   to come up with arguments against removing these restrictions. Tor's
>   /16 restriction is of questionable utility against monitoring, and it can
>   be argued that since only good actors use node family, it gives influence
>   over path selection to bad actors in ways that are worse than the benefit
>   it provides to paths through good actors[10,11].
>
>   However, while removing path restrictions will solve the immediate
>   problem, it will not address other instances where Tor temporarily opts
>   use a second guard due to congestion, OOM, or failure of its primary
>   guard, and we're still running into bugs where this can be adversarially
>   controlled or just happen randomly[5].
>

Seems like the above paragraph is our main argument against removing
path restrictions.

Might be worth pointing out that if congestion/OOM attacks are in our
threat model against the current single guard design, then the same
adversary can force prop#291 to open a connection to the *third* guard
by first doing an OOM/congestion attack against one of your first two
guards, and then pushing you to your third guard using a path
restriction attack (#14917).

Thought that I should mention that because it might be an argument for
both moving to two guards and also lifting some path restrictions...
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Proposal: The move to two guard nodes
  - From: Mike Perry

Prev by Author: Re: [tor-dev] onion v2 deprecation plan?
Next by Author: Re: [tor-dev] HS desc replay protection and ed25519 malleability
Previous by thread: Re: [tor-dev] Proposal: The move to two guard nodes
Next by thread: Re: [tor-dev] Proposal: The move to two guard nodes
Index(es):
- Author
- Thread