On Sat, 22 Sep 2018 at 19:28, Dave Rolek <dmr-x@riseup.net> wrote:
The circID is scoped under a given connection between adjacent nodes.

A relay node maintains a mapping of circIDs for a circuit - mapping the
forward and backward circID - for traffic it is relaying.

So for a circuit ...
   client <-ID_a-> guard <-ID_b-> middle <-ID_c-> exit

... each of the ID_*s are independent, and any node only knows the IDs
immediately "adjacent" to it. Each connection (e.g. each client to that
guard) has a independent enumeration/allocation of IDs.

That is an awesome explanation, thank you ever so much.

If I read that right, to the most that an attacker with observability of the Cloudflare IP addresses could get, is either ... 

( using the nomenclature from the diagram at https://twitter.com/AlecMuffett/status/926032680055201792 )

1) correlation backwards to "Server Side Middle 1" for browsing a normal onion over Tor; or...

2)  correlation backwards to "Client Side Middle" for browsing a single-hop onion over Tor

Am I correct? That latter seems not very much worse than the information which a compromised exit node would be able to obtain ("Browsing Normal Web over Tor") although it would be a lot more available when the circID is presented to the any backbone observer who can sniff IPv6?

    -a

--