s7r:
The path of a circuit is selected by the client (i.e. the user). So each and every relay / bridge, in order to be considered a valid one, should be able to extend a circuit, when requested, to any other relay; otherwise everything breaks.
So does everything break if there are connectivity issues? E.g. route leakage, country "border" blocking policy, filtering, traffic throttling, bad cabling... Relay operators do not have control over their upstream providers or over Internet routing (in most cases).
Setting this locally on the relay side, with no way for the applied change to reach the Tor client (user), will have terrible usability effects.
Is it supposed to be this way? I guess the whole scheme should be more fault-tolerant for such common network issues. Actually I've never seen any noticeable disruptions when some of my bridges were down or faulty.
Trying to come up with a way for Tor clients / users to learn about such changes will overcomplicate everything, with no benefit and additional attack surface.
By design, the only clean way to deal with bad relays is to exclude them from the consensus, a consensus that everyone uses, with the change applied only on the directory authorities' side -- this is why we use the consensus majority system, which is well studied and understood, as opposed to other, more decentralized solutions.
Yeah, agreed. This issue has to be researched rigorously (see #19625) and we should stick with things that we know for sure.
-- Ivan Markin