Moritz wrote:
Maybe this is better taken to tor-relays.
Ok.
url to the tor-dev thread: https://lists.torproject.org/pipermail/tor-dev/2016-March/010473.html
Brian didn't say anything about planed deployment locations, but if _all_ relays are within a single /16 network you might skip MyFamily altogether, but I assume they are not.
In my case machines have a lifecycle. They come and they go
out of curiosity: What percentage of them do you expect to be online concurrently? (starting when) Are planing to rekey when "coming back" or resume with the former?
On 03/05/2016 10:31 PM, Brian "redbeard" Harrington wrote:
"Lets say you are about to deploy 100 relays within the next week." - Take this an order of magnitude greater and we're on the right track with the correct scale. It is a regular occurrence for our users to deploy 500 to 5000 nodes at a time.
This is why I said "and maybe set yourself an upper boundary as to how big you want to grow"
A single entity deploying 5000 relays isn't very sane at the current network size I guess, but instead of speaking of relay counts using CW fraction/exit/guard probability as upper boundaries makes more sense. <10% might be a worthy upper boundary for exit/guard probability.
The biggest (known) exit operator is currently at 7-8% exit probability.
teor wrote:
And there's likely some limit on MyFamily or on descriptor size that would stop you listing 1000 fingerprints.
That is actually another good use-case for replacing the current MyFamily design with something that scales better with family size like Mike's proposed design (#5565), but we did not see declared families that big so far. It was no problem in practice.
https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n364
Server descriptors may not exceed 20,000 bytes in length; [...] If they do, the authorities SHOULD reject them.
So the max family size would be something around 400 relays?
(20000 - 1250) / 42 = 446
(1250 bytes was the size of a non-exit sample descriptor without family)
generating 1000 relay keys and coordinating that key distribution dance across the same number of nodes (more than likely in highly distributed environments) seems to bring more questions than it answers (securing the keys for those nodes, securely distributing them, etc)
What problems do you expect when generating and transferring 1000 relay keys? (besides the descriptor limit) ... but before trying to solve any problems it is probably best to answer the question whether a single entities should run >5% CW fraction at all.
There are about 7000 relays in total, with over 1000 of them (almost 40% of the capacity) at only three ASes.
Top 3 ASes currently account for 32% cw fraction. https://compass.torproject.org/#?exit_filter=all_relays&links&sort=c...
but the top 1000 relays account for >72% cw fraction
https://compass.torproject.org/#?exit_filter=all_relays&links&sort=c...