tor-dev

tor-dev@lists.torproject.org

3581 discussions

Optimising Tor node selection probabilities
by Steven Murdoch 13 Oct '14

13 Oct '14

I’ve just published a new paper on selecting the node selection probabilities (consensus weights) in Tor. It takes a queuing-theory approach and shows that what Tor used to do (distributing traffic to nodes in proportion to their contribution to network capacity) is not the best approach. Counter-intuitively the paper shows that some of the slowest nodes should not be used at all, because if they are used they will slow down the average performance for all users. The proportion of nodes which shouldn’t be used depends on the relationship between network usage and network capacity, so will vary over time. It’s not clear that there is a closed-form solution to the problem of calculating node selection probabilities (I couldn’t find one), but this paper shows that the optimisation surface is convex and so gradient-based optimisation methods will find the global optimum (rather than some local optimum which depends on the starting position of the optimisation process). Although the process outlined in the paper requires knowing the relationship between network capacity and usage, it isn’t highly sensitive to minor inaccuracies in measuring this value. For example if it is assumed the network is loaded at 50% then the solution will outperform Tor’s old approach provided the true network load is between 0% and 60%. After this work was done, Tor moved to actively measuring the network performance and manipulating the consensus weights in response to changes. This seems to have ended up with roughly the same outcome. The advantage of Tor’s new approach is that it doesn’t require knowing network usage and node capacity; however the disadvantage is that it can only react slowly to changes in network characteristics. For more details, see the paper: http://www.cl.cam.ac.uk/~sjm217/papers/#pub-el14optimising Note that this is published in IET Electronics Letters, which is a bit different to the usual Computer Science publication venues. It jumps straight into the maths and leaves it to the reader to understand the background and implications. The advantage is that it’s 2 pages long; the disadvantage is that to understand it you need to know a reasonable amount about Tor and queuing theory to make much sense of it. Best wishes, Steven

2 2

Re: [tor-dev] Optimising Tor node selection probabilities
by teor 12 Oct '14

12 Oct '14

On 11 Oct 2014, at 23:00 , tor-dev-request(a)lists.torproject.org wrote: > Date: Fri, 10 Oct 2014 14:33:52 +0100 > From: Steven Murdoch <Steven.Murdoch(a)cl.cam.ac.uk> > To: tor-dev(a)lists.torproject.org > Subject: [tor-dev] Optimising Tor node selection probabilities > Message-ID: <FDECA8F4-5F99-4738-8391-CD60D156D774(a)cl.cam.ac.uk> > Content-Type: text/plain; charset=windows-1252 > > I?ve just published a new paper on selecting the node selection probabilities (consensus weights) in Tor. It takes a queuing-theory approach and shows that what Tor used to do (distributing traffic to nodes in proportion to their contribution to network capacity) is not the best approach. > > Counter-intuitively the paper shows that some of the slowest nodes should not be used at all, because if they are used they will slow down the average performance for all users. The proportion of nodes which shouldn?t be used depends on the relationship between network usage and network capacity, so will vary over time. > > It?s not clear that there is a closed-form solution to the problem of calculating node selection probabilities (I couldn?t find one), but this paper shows that the optimisation surface is convex and so gradient-based optimisation methods will find the global optimum (rather than some local optimum which depends on the starting position of the optimisation process). > > Although the process outlined in the paper requires knowing the relationship between network capacity and usage, it isn?t highly sensitive to minor inaccuracies in measuring this value. For example if it is assumed the network is loaded at 50% then the solution will outperform Tor?s old approach provided the true network load is between 0% and 60%. > > After this work was done, Tor moved to actively measuring the network performance and manipulating the consensus weights in response to changes. This seems to have ended up with roughly the same outcome. The advantage of Tor?s new approach is that it doesn?t require knowing network usage and node capacity; however the disadvantage is that it can only react slowly to changes in network characteristics. > > For more details, see the paper: > http://www.cl.cam.ac.uk/~sjm217/papers/#pub-el14optimising > > Note that this is published in IET Electronics Letters, which is a bit different to the usual Computer Science publication venues. It jumps straight into the maths and leaves it to the reader to understand the background and implications. The advantage is that it?s 2 pages long; the disadvantage is that to understand it you need to know a reasonable amount about Tor and queuing theory to make much sense of it. > > Best wishes, > Steven This is fantastic, Steven - and although we've changed Tor's consensus weights algorithm, we still waste bandwidth telling clients about relays that wold slow the network down. Your result further supports recent proposals to remove the slowest relays from the consensus entirely. teor pgp 0xABFED1AC hkp://pgp.mit.edu/ https://gist.github.com/teor2345/d033b8ce0a99adbc89c5 http://0bin.net/paste/Mu92kPyphK0bqmbA#Zvt3gzMrSCAwDN6GKsUk7Q8G-eG+Y+BLpe7w…

2 1

Tor Metrics website redesign
by Karsten Loesing 11 Oct '14

11 Oct '14

Hi everyone, I started redesigning the Tor Metrics website and would like to hear your opinion. The most recent version of the redesign is available here: https://kloesing.github.io/metrics-2.0/ This is a non-functional design prototype in an early development state. Each page contains a note at the bottom that explains what design decisions were made. For reference, here's the current Tor Metrics website: https://metrics.torproject.org/ Feedback much appreciated. This is the perfect time to consider your ideas. Thanks! All the best, Karsten

1 0

hidden service???
by EBOLA 11 Oct '14

11 Oct '14

is hidden server hack possible ? plase respon t y

2 1

Guardiness: Yet another external dirauth script
by George Kadianakis 09 Oct '14

09 Oct '14

==Guardiness: Yet another external dirauth script== ====Introduction==== One well-known problem with Tor relays, is that Guards will suffer a big loss of traffic as soon as they get the Guard flag. This happens because clients pick guards every 2-3 months, so young guards will not get picked by old clients and mainly attract new clients. This is documented in 'phase three' of Roger's blog post: https://blog.torproject.org/blog/lifecycle-of-a-new-relay The problem gets even worse if we extend the guard lifetime to 8-9 months. The plan to solve this problem is to make client load balancing a bit smarter by priotizing guards that suffer this traffic loss as middle relays. The reason I'm sending this email is because this feature is by far the trickiest part of prop236 (guard node security) and I wanted to inform all dirauths of our plan and ask for feedback on the deployment procedure. ====How guardiness works==== Authorities calculate for each relay how many consensuses it has been a guard for the past 2-3 months, and then they note that fraction down in the consensus. Then clients parse the consensus and if they see a guard that has been a guard for 55% of the past consensuses, they will consider that relay as 55% guard and 45% non-guard (that's 100% - 55%). You can find more information at: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/236-single-g… The idea was that the guardiness script will be an external script that is run by Tor in a similar fashion to the bandwidth auth scripts. We chose that because we could write the script in a high-level language and because it could be modular and we could change the algorithm in the future if we wanted. Unfortunately, it seems that external scripts in dirauths are a PITA to maintain as can be seen by the lack of bwauth operators. ====How the guardiness script works==== The guardiness script, is supposed to parse 2-3 months worth of consensuses (but should also be to do the same for 9 months worth of consensuses) and calculate the guard fraction of each guard, save it to a file, and have the dirauth read it to update its routerstatuses. One problem I encountered from early on, is that stem takes about 30mins to parse 3 months of consesuses (~2000 consensuses). Since this script should ideally be run every hour before each authority votes, such long parsing time is unacceptable. I mentioned this problem at https://trac.torproject.org/projects/tor/ticket/9321#comment:19 and stated a few possible solutions. I received some feedback from Nick, and the solution I decided to take in the end is to have another script that is called first and summarizes consensuses to summary files. Summary files are then saved to disk, and parsed by the guardiness script to produce an output file that is read by dirauths. Summary files are designed to be quick to parse (even with Python) and contain all the necessary information for guardiness. For example, parsing 2000 summary files in my laptop takes about 10 seconds. FWIW, the guardiness scripts are ready for review and can be found here: https://gitweb.torproject.org/user/asn/hax.git/shortlog/refs/heads/guardine… ====How the guardiness script will be deployed==== The idea is that dirauths will add another script to their crontab that is called every hour (before or after the bwauth scripts). The script first calls the summarizer script, which goes to the consensus/ directory and summarizes all consensuses it finds and puts them in the summary/ directory. The summarizer script then deletes all the consensuses that got summarized. Then the script calls the the guardiness script, which goes to the summary/ directory, parses all summary files it finds, and outputs a guardiness output file that gets parsed by the dirauth prior to voting. That should be all. Easy, eh? :) Now I will start a FAQ section where I state my doubts and fears. ====FAQ==== - Q: Where do dirauths find all those old consensuses? There are various ways for dirauths to populate their consensus/ directory. They could fetch consensuses from metrics, or they could add a cron job that copies cached-consensus to a directory every hour. However, I think the cleanest solution is to use Daniel Martí's upcoming consensus diff changes. Daniel will add a torrc option that allows Tor to save consensuses to a directory. My idea was to get dirauths to use Daniel's code to populate their consensus/ directory for two or three months. And then, after two or three months enable the guardiness scripts. To make sure that this is indeed the best approach, I need to learn from Nick when he plans to merge Daniel's code to Tor. - Q: How does guardiness look like in the consensus? Here is how a guard with guardiness (GuardFraction) 10% looks like in the consensus: r test006r HyS1DRHzEojbQVPZ1B3zAHc/HY0 9St4yWfV4huz5V86mt24HL3Yi2I 2014-09-06 13:44:28 127.0.0.1 5006 7006 s Exit Fast Guard HSDir Running Stable V2Dir Valid v Tor 0.2.6.0-alpha-dev w Bandwidth=111 Unmeasured=1 GuardFraction=10 - Q: What are you afraid of? I'm mainly afraid of misconfiguration problems. This guardiness system is a bit complex and I'm not expecting dirauths to learn how to use it and debug it, so it should work easily and well... Here are some specific issues: -- File management For example, I'm afraid of the file management mess that summary files cause. We need to make sure that we don't leave old consensuses/summary files rot in the filesystem. Or that we don't summarize the same consensuses over and over again. To do that, I added some optional cleanup switches to both scripts: Specifically, the summarizer script can delete consensus files that already got summarized and can also delete consensus files older than 3 months (or N months). Similarly, the guardiness.py script can delete summary files older than 3 months (or N months). The idea is that every time the cron job triggers, both scripts will auto-delete the oldest summary/consensus file, keeping in disk only the useful files. -- Incomplete consensus data set I'm afraid that a directory authority might not have a properly populated consensus directory and hence advertise wrong guard fractions. For example, maybe it only has 10 consensuses in its consensus directory instead of 1900 consensuses. Since the authorities only state the guardiness percentage in the consensus, it's not possible to learn how many consensuses were in their dataset. Maybe we need to add a "guardiness-consensus-parsed" in their votes, to easier debug such issues? Also, 3 months worth of consensuses is 2160 consensuses. Because dirauths sometimes misbehave, it's certain that not all 2160 consensuses will have been issued and that's normal. But how do we understand if dirauths have a sufficiently good consensus data set? Is 2000 out of 2160 consensuses an OK data set? What about 1000 out of 2160 consensuses? Furthermore, we need to make sure that dirauths don't consider old consensuses in their GuardFraction calculations. To achieve this, both scripts have a mandatory switch that allows operators to specify the maximum consensus age that is acceptable. So for example, if you call the summarizer script with 3 months of consensus age, it will not parse consensuses older than 3 months. Furthermore, there is a CLI switch that allows the scripts to delete expired consensuses. - Q: Why do you slow stem instead of parsing consensuses with Python on your own? This is another part where I might have taken the wrong design decision, but I decided to not get into the consensus parsing business and just rely on stem. This is also because I was hoping to use stem to verify consensus signatures. However, now that we might use Daniel's patch to populate our consensus database, maybe we don't need to treat consensuses as untrusted anymore. If you think that I should try to parse the consensuses on my own, please tell me and I will give it a try. Maybe it will be fast. Definitely not as fast as summary files, but maybe we can parse 3 months worth of consesuses in 15 to 40 seconds. - Q: Why do you mess with multiple summary files and you don't just have *one* summary file? Because of the rolling nature of guardiness (we always want to consider the past 3 months), every hour we need to _discard_ the oldest observations (the consensus from 3 months ago) and start considering the newest consensus. Because we need to discard that oldest consensus, it's hard to keep information about each consensus in a single summary file. And that's why I chose to have a summary file for each consensus. Maybe it's the wrong decision though... - Q: What's up with the name "guardiness"? It's quite terrible I know but it was the name that we used from quite early on about this project. I think before finalizing this task I'm going to rename everything to 'GuardFraction' since it's more self-explanatory. I'm also considering names like "GuardTrafficLoadBalancer" etc.

3 8

GetTor dev meeting (Friday 10th, 5.30pm UTC)
by ilv 08 Oct '14

08 Oct '14

Hi people! We are having our GetTor dev meeting on Friday 10th at 5.30pm UTC. It will take place at the #tor-dev IRC channel in the OFTC network. This is the last meeting before we deploy the new version of GetTor. Everyone is welcome to participate! Have a nice day. -- 4096R/540BFC0E

1 0

Re: [tor-dev] On the visualization of OONI bridge reachability data
by Arturo Filastò 08 Oct '14

08 Oct '14

On 10/7/14, 6:18 AM, M. C. McGrath wrote: >> The kind of data that they end up generating looks something like >> this: >> http://arturo.filasto.net/vizPlayground/bridge_rearchability.csv > > Nice- though the link seems to be dead for me (I get a 404). But it is > great that you are working on this as having this even in a rough form > makes it possible to get started on visualizations. Yeah sorry I mistyped. The correct link is: http://arturo.filasto.net/vizPlayground/bridge_reachability.csv ~ Art.

2 2

Pluggable transports meeting today (16:00UTC Wednesday 8th of October 2014)
by George Kadianakis 08 Oct '14

08 Oct '14

Hello! just wanted to remind you that the regular biweekly pluggable transports meeting is going to occur today at 16:00 UTC. Place is the #tor-dev IRC channel in the OFTC network. Thanks for your attention!

1 0

[PATCH] torspec/rend-spec-ng: Link to proof of the keyblinding scheme.
by George Kadianakis 07 Oct '14

07 Oct '14

I attach a patch that adds a link to Nick Hopper's proof of the keyblinding scheme in rend-spec-ng.txt. Thanks!

2 1

Re: [tor-dev] On the visualization of OONI bridge reachability data
by Matthew Finkel 06 Oct '14

06 Oct '14

On Sat, Oct 04, 2014 at 06:27:22PM -0700, M. C. McGrath wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Hi, > These were a few possibilities for visualization that we came up with > at the OTF summit (I can send the full notes from that discussion if > everyone is okay with it): > - - Timelines (by protocol, pool, country) > - - Pie charts for above > - - Timeline/graph of time it takes to block bridge from when added to > TBB (github parser) Similar to the next one, I wonder if showing a map cooresponding to this data would also help. At t0, zero countries block the built-in bridges, at t1 = only China blocks, at t2 = China + Iran block, at t3 = China + Iran + Syria block, t4 = t3 + Turkey, etc. I'm thinking this would be nice in addition to the timeline which George sketched (where some of the time points are clickable and update the map). I don't actually know how difficult this is to make. > - - Geographic breakdown by region (if enough data points) Could be > similar to this map of % of internet users who use Tor by country > https://transparencytoolkit.org/tormap.html That's cool. Are you able to add a legend to it? Having something like this or similar to RSF's Press Freedom Index [0], based on the number of bridge users, would be nice. This is doable today, using the available metrics data. We'll probably never be able to know the number of users per protocol per country, but at least we can visualize where in the world bridges (in general) are used most and if this changes over time. [0] http://rsf.org/index2014/en-index2014.php But, it would also be really cool if we can create a map like this based on the reachability of bridges per country per protocol and maybe, in addition, color-code/denote how the ISPs/country are interfering with the connection (e.g. throttling, DNS cache poisoning, IP addr/port blocking). > - - At what point in the tor bootstrapping does it fail (may be > difficult to determine, especially anonymized)? Yes, but there's already a risk to running ooni-probe (at least right now, hopefully this will change in time). We will eventually need probes running in most countries if we want a good understanding of what network interference is taking place and who is affected. > - - In all visualizations, compare with control (filter, line break, > plot alongside, etc) > > And the variables we thought would be relevant to visualizations: > Protocol > Pool > Country (and region)- Iran, China, Netherlands (control) > Time it takes to be blocked > Point in bootstrap where it fails > Classify the bridges by commercial/residential connection > Time we started scanning the bridge from where > Maybe latency measurements per protocol? Initially, I'm thinking "the time is takes to download a consensus from the bridge" but there are many variables that may affect this. Anyone have a better idea? I think this mostly covers it. The only addition can think of right now is comparing different control countries against each other (and different ISPs within the control countries). Maybe we'll find something interesting. > It should be relatively simple to make rough versions of a lot of > visualizations to see what works once we have a parser/converter that > will generate JSONs (or similar) from OONI output that include the > variables listed above. > Is someone already working on this? I'm not really volunteering, merely curious if this is in progress. :) > Are there any other variables that would be particularly helpful to > track or visualize? And are there any visualizations (listed or > otherwise) that anyone would find particularly helpful? > > > On 10/04/2014 06:10 PM, George Kadianakis wrote: > > == What is bridge reachability data? == > > > > By bridge reachability data I'm referring to information about > > which Tor bridges are censored in different parts of the world. > > > > The OONI project has been developing a test that allows probes in > > censored countries to test which bridges are blocked and which are > > not. The test simply takes as input a list of bridges and tests > > whether they work. It's also able to test obfuscated bridges with > > various pluggable transports (PTs). > > > > == Why do we care about this bridgability data? == > > > > A few different parties care about the results of the bridge > > reachability test [0]. Some examples: > > > > Tor developers and censorship researchers can study the bridge > > reachability data to learn which PTs are currently useful around > > the world, by seeing which pluggable transports get blocked and > > where. We can also learn which bridge distribution mechanisms are > > busted and which are not. > > > > Bridge operators, the press, funders and curious people, can learn > > which countries conduct censorship and how advanced technology > > they use. They can also learn how long it takes jurisdictions to > > block public bridges. And in general, they can get a better > > understanding of how well Tor is doing in censorship circumvention > > around the world. > > > > Finally, censored users and world travelers can use the data to > > learn which PTs are safe to use in a given jurisdiction. > > > > == Visualizing bridge reachability data == > > > > So let's look at the data. > > > > Currently, OONI bridge reachability reports look like this: > > https://ooni.torproject.org/reports/0.1/CN/bridge_reachability-2014-07-02T0… > > > > > and you can retrieve them from this directory listing: > > https://ooni.torproject.org/reports/0.1/ > > > > That's nice, but I doubt that many people will be able to access > > (let alone understand) those reports. Hence, we need some kind of > > visualization (and better dir listing) to conveniently display the > > data to human beings. > > > > However, a simple x-to-y graph will not suffice: our ploblem is > > multidimensional. There are many use cases for the data and > > bridges have various characteristics (obfuscation method, > > distribution method, etc.) hence there are more than one useful > > ways to visualize this dataset. > > > > To give you an idea, I will show you two mockups of visualizations > > that I would find useful. Please don't pay attention to the data > > itself, I just made some things up while on a train. > > > > Here is one that shows which PTs are blocked in which countries: > > https://people.torproject.org/~asn/bridget_vis/countries_pts.jpg > > The list would only include countries that are blocking at least a > > bridge. Green is "works", red is "blocked". Also, you can imagine > > the same visualization, but instead of PT names for columns it has > > distribution methods ("BridgeDB HTTP distributor", "BridgeDB mail > > distributor", "Private bridge", etc.). > > > > And here is another one that shows how fast jurisdictions block > > the default TBB bridges: > > https://people.torproject.org/~asn/bridget_vis/tbb_blocked_timeline.jpg > > > > These visualizations could be helpful, but they are not the only > > ones. > > > > What other use cases do you imagine using this dataset for? > > > > What graphs or visualizations would you like to see? > > > > [0]: Here are some use cases: > > > > Tor developers / Researcers: *** Which pluggable transports are > > blocked and where? *** Do they do DPI? Or did they just block the > > TBB hardcoded bridges? *** Which jurisdictions are most aggressive > > and what blocking technology do they use? *** Do they block based > > on IP or on (IP && PORT)? > > > > Users: *** Which pluggable transport should I use in my > > jurisdiction? > > > > Bridge operators / Press / Funders / Curious people: *** Which > > jurisdictions conduct Tor censorship? (block pluggable > > transports/distribution methods) *** How quickly do jurisdictions > > block bridges? *** How many users/traffic (and which locations) did > > the blocked bridges serve? **** Can be found out through extrainfo > > descriptors. *** How well are Tor bridges doing in censorship > > circumvention? > >

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev